diff --git a/.github/local/needrestart b/.github/local/needrestart deleted file mode 100644 index 33b23e014..000000000 --- a/.github/local/needrestart +++ /dev/null @@ -1,2 +0,0 @@ - - /var/lib/waagent/** r, diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 75fa5c051..bcb817338 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,21 +9,25 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 + - name: Install linter dependencies + run: | + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH + - name: Run basic profile linter check run: | - make check + just check build: runs-on: ${{ matrix.os }} needs: check strategy: matrix: - os: - - ubuntu-24.04 - - ubuntu-22.04 - mode: - - default - - full-system-policy + include: + - os: ubuntu-24.04 + mode: default + - os: ubuntu-24.04 + mode: full-system-policy steps: - name: Check out repository code uses: actions/checkout@v4 @@ -34,12 +38,19 @@ jobs: sudo apt-get install -y \ devscripts debhelper config-package-dev \ auditd apparmor-profiles apparmor-utils + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + sed -e "s/just complain/just fsp-complain/" -i debian/rules + fi + if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then + # Test with Re-attach disconnected path + sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go + sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system fi bash dists/build.sh dpkg 
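Review bot: `pipx install rust-just` in the new "Install linter dependencies" step pulls the latest rust-just release from PyPI on every run, with no version pin, so the linter toolchain is neither reproducible nor protected against a bad upstream release; the same unpinned install is repeated in the build job's dependency step and in the tests job's "Install integration dependencies" step at the next hunk line. Pinning it once, e.g. `pipx install rust-just==<pinned version>`, fixes all three. The redirection target in `echo "$HOME/.local/bin" >> $GITHUB_PATH` is also unquoted; `>> "$GITHUB_PATH"` is the safer spelling.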
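Review bot: The two `sed -i` edits in "Build the apparmor.d package" fail silently: if the commented `builder.Register("attach")` line in `pkg/prebuild/cli/cli.go` or the `@{att}` line in `apparmor.d/tunables/multiarch.d/system` is ever reworded, the substitution matches nothing, sed exits 0, and the "Re-attach disconnected path" variant is built as the default one without any signal. The `s/just complain/just fsp-complain/` edit to `debian/rules` in the same step, and its twin in the whonix `before_script` of `.gitlab-ci.yml`, have the same failure mode, whereas the old `echo ... >> debian/rules` always took effect. A guard before each edit, e.g. `grep -q '// builder.Register("attach")' pkg/prebuild/cli/cli.go`, or a check after it such as `grep -q 'just fsp-complain' debian/rules`, turns the silent no-op into a failed step.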
@@ -48,13 +59,10 @@ jobs: - name: Reload AppArmor run: | - sudo systemctl restart apparmor.service || true - sudo systemctl status apparmor.service - - - name: Ensure compatibility with some AppArmor userspace tools - if: matrix.os != 'ubuntu-24.04' - run: | - sudo aa-enforce /etc/apparmor.d/aa-notify + if ! sudo systemctl restart apparmor.service; then + sudo journalctl -xeu apparmor.service + exit 1 + fi - name: Show AppArmor log and rules run: | @@ -75,6 +83,7 @@ jobs: tests: runs-on: ubuntu-24.04 needs: build + if: github.ref == 'refs/heads/dev' steps: - name: Check out repository code uses: actions/checkout@v4 @@ -94,12 +103,15 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support - sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install apparmor.d run: | sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true sudo systemctl restart apparmor.service + sudo systemctl daemon-reload + systemctl --user daemon-reload - name: Restart some services to ensure they are confined run: | @@ -118,16 +130,18 @@ jobs: for service in "${services[@]}"; do sudo systemctl restart "$service" || systemctl status "$service.service" || true done + systemctl restart --user dbus || systemctl status --user "dbus.service" || true sudo ps auxZ | grep -v '\[.*\]' sudo aa-log -s --raw - name: Install integration dependencies run: | - bash tests/requirements.sh + just init + find /usr/sbin/ -type f - - name: Run the bats integration tests + - name: Run the integration tests run: | - make bats + just integration - name: Show final AppArmor logs if: always() diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 960dd2884..80dc69c7b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
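Review bot: `if: github.ref == 'refs/heads/dev'` on the `tests` job means the integration tests no longer run for pull requests or for pushes to any other branch, only after a merge to dev; `check` and `build` still run everywhere, so a regression in profile behaviour would now surface only post-merge. If that is deliberate (runner time, for instance), a comment on that line saying so would stop the next reader from "fixing" it; otherwise a condition that also admits pull-request events seems preferable.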
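Review bot: In the tests job's "Install apparmor.d" step, `sudo systemctl restart apparmor.service` is still unguarded, while the build job in this same commit was changed to print `journalctl -xeu apparmor.service` and `exit 1` when the restart fails; here a policy that fails to load (the very thing these tests exist to catch) would continue into the service restarts with the previous policy still active. Applying the same `if ! sudo systemctl restart apparmor.service; then sudo journalctl -xeu apparmor.service; exit 1; fi` keeps the two jobs consistent. The preceding `dpkg --install ... || true` already masks install failures, so the restart check is the only signal left in this step.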
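Review bot: `find /usr/sbin/ -type f` in "Install integration dependencies" looks like leftover diagnostic output; it does not affect the step's result and prints a long listing into every run log. If it is intentional (for example to see which entries under `/usr/sbin` are real files rather than symlinks on the runner), a short comment such as `# Debug: list regular files under /usr/sbin on this runner` would explain it; otherwise the line can go. The enclosing `tests` job continues beyond this hunk.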
@@ -24,13 +24,13 @@ bash: script: - shellcheck --shell=bash PKGBUILD dists/build.sh dists/docker.sh tests/check.sh - tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh + tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh golangci-lint: stage: lint image: golangci/golangci-lint script: - - golangci-lint run --exclude-dirs pkg/paths + - golangci-lint run packer: stage: lint @@ -54,7 +54,6 @@ tests: image: golang coverage: '/Coverage: \d+.\d+/' script: - - apt update && apt install -y rsync - cp tests/journalctl /usr/bin/journalctl - chmod 755 /usr/bin/journalctl - mkdir -p /var/log/audit/ @@ -67,7 +66,7 @@ check: stage: test image: registry.gitlab.com/roddhjav/builders/archlinux script: - - make check + - just check # Package Build # ------------- @@ -85,13 +84,12 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian + image: registry.gitlab.com/roddhjav/builders/debian:trixie script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync - - sudo apt-get install -y -t bookworm-backports golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day 
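Review bot: The `check` job now runs `just check` on the `registry.gitlab.com/roddhjav/builders/archlinux` image, but nothing in this diff installs `just` there, unlike the GitHub workflow which adds an explicit `pipx install rust-just` step; if the builder image does not already ship `just`, the job fails with command-not-found instead of a lint result. The `debian` and `ubuntu` build jobs at the next hunks are in the same position: their `apt-get install` lists gain `golang-go lsb-release libdistro-info-perl` but not `just`, while the whonix `before_script` shows that `debian/rules` now invokes `just complain`; that only works if `dists/build.sh` resolves build dependencies from `debian/control`, which cannot be seen here. Worth confirming against the image definitions or adding `just` to those install lines.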
@@ -100,12 +98,13 @@ debian: ubuntu: stage: build - image: registry.gitlab.com/roddhjav/builders/ubuntu + image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04 + variables: + GOFLAGS: "-buildvcs=false" script: - - sudo chown -R ubuntu:ubuntu /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -117,14 +116,14 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + - sed -e "s/just complain/just fsp-complain/" -i debian/rules opensuse: stage: build image: registry.gitlab.com/roddhjav/builders/opensuse script: - mkdir -p "$PKGDEST" - - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles + - sudo zypper install -y distribution-release golang-packaging apparmor-profiles - bash dists/build.sh rpm artifacts: expire_in: 1 day @@ -147,7 +146,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian + image: debian:trixie dependencies: - debian script: @@ -167,7 +166,7 @@ preprocess-ubuntu: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -preprocess-whonix: +.preprocess-whonix: extends: preprocess-debian dependencies: - whonix diff --git a/.golangci.yaml b/.golangci.yaml index 7718ccda2..6861d253d 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,5 +1,15 @@ --- -linters-settings: - staticcheck: - checks: ["all", "-SA1019" ] +version: "2" +linters: + settings: + staticcheck: + checks: + - all + - -SA1019 + - -ST1000 + exclusions: + paths: + - pkg/paths + - tests/cmd/ + diff --git a/Justfile b/Justfile new file mode 100644 index 000000000..ffed74ef5 --- /dev/null +++ b/Justfile 
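Review bot: Renaming `preprocess-whonix` to `.preprocess-whonix` turns it into a hidden template, so the whonix package is no longer parse-checked by `apparmor_parser --preprocess` in CI, but the hunk gives no reason. A one-line comment above it, e.g. `# Disabled: <reason or tracking reference>`, would tell the next maintainer whether it is safe to re-enable. Since the `whonix` build job itself is kept, the package is still produced but never validated.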
@@ -0,0 +1,392 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Usage: `just` +# See https://apparmor.pujol.io/development/ for more information. + +# Build setings +destdir := "/" +build := ".build" +pkgdest := `pwd` / ".pkg" +pkgname := "apparmor.d" + +# Admin username +username := "user" + +# Default admin password +password := "user" + +# Disk size of the VM to build +disk_size := "40G" + +# Virtual machine CPU +vcpus := "6" + +# Virtual machine RAM +ram := "4096" + +# Path to the ssh key +ssh_keyname := "id_ed25519" +ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname +ssh_publickey := ssh_privatekey + ".pub" + +# Where the VM are stored +vm := home_dir() / ".vm" + +# Where the VM images are stored +base_dir := home_dir() / ".libvirt/base" + +# Where the packer temporary output is stored +output_dir := base_dir / "packer" + +# SSH options +sshopt := "-i " + ssh_privatekey + " -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" + +# Libvirt connection address +c := "--connect=qemu:///system" + +# VM prefix +prefix := "aa-" + +[doc('Show this help message')] +help: + @just --list --unsorted + @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." 
+ +[group('build')] +[doc('Build the go programs')] +build: + @go build -o {{build}}/ ./cmd/aa-log + @go build -o {{build}}/ ./cmd/prebuild + +[group('build')] +[doc('Prebuild the profiles in enforced mode')] +enforce: build + @./{{build}}/prebuild + +[group('build')] +[doc('Prebuild the profiles in complain mode')] +complain: build + @./{{build}}/prebuild --complain + +[group('build')] +[doc('Prebuild the profiles in FSP mode')] +fsp: build + @./{{build}}/prebuild --full + +[group('build')] +[doc('Prebuild the profiles in FSP mode (complain)')] +fsp-complain: build + @./{{build}}/prebuild --complain --full + +[group('build')] +[doc('Prebuild the profiles in FSP mode (debug)')] +fsp-debug: build + @./{{build}}/prebuild --complain --full --debug + +[group('install')] +[doc('Install prebuild profiles')] +install: + #!/usr/bin/env bash + set -eu -o pipefail + install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log + mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") + for file in "${share[@]}"; do + install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" + done + mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") + for file in "${aa[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done + mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") + for file in "${links[@]}"; do + mkdir -p "{{destdir}}/etc/apparmor.d/disable" + cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done + for file in "{{build}}/systemd/system/"*; do + service="$(basename "$file")" + install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf" + done + for file in "{{build}}/systemd/user/"*; do + service="$(basename "$file")" + install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" + done + +[group('install')] +[doc('Locally install prebuild profiles')] +local +names: + #!/usr/bin/env bash 
+ set -eu -o pipefail + install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log + mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n") + for file in "${abs[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file" + done; + mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n") + for file in "${tunables[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" + done; + echo "Warning: profile dependencies fallback to unconfined." + for file in {{names}}; do + grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true + sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" + install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done; + systemctl restart apparmor || sudo journalctl -xeu apparmor.service + +[group('install')] +[doc('Prebuild, install, and load a dev profile')] +dev name: + go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` + sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} + sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service + +[group('packages')] +[doc('Build & install apparmor.d on Arch based systems')] +pkg: + @makepkg --syncdeps --install --cleanbuild --force --noconfirm + +[group('packages')] +[doc('Build & install apparmor.d on Debian based systems')] +dpkg: + @bash dists/build.sh dpkg + @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb + +[group('packages')] +[doc('Build & install apparmor.d on OpenSUSE based systems')] +rpm: + @bash dists/build.sh rpm + @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm + +[group('tests')] +[doc('Run the unit tests')] +tests: + @go test ./cmd/... -v -cover -coverprofile=coverage.out + @go test ./pkg/... 
-v -cover -coverprofile=coverage.out + @go tool cover -func=coverage.out + +[group('linter')] +[doc('Run the linters')] +lint: + golangci-lint run + packer fmt tests/packer/ + packer validate --syntax-only tests/packer/ + shellcheck --shell=bash \ + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ + tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ + debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm + +[group('linter')] +[doc('Run style checks on the profiles')] +check: + @bash tests/check.sh + +[group('docs')] +[doc('Generate the man pages')] +man: + @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md + +[group('docs')] +[doc('Build the documentation')] +docs: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict + +[group('docs')] +[doc('Serve the documentation')] +serve: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve + +[doc('Remove all build artifacts')] +clean: + @rm -rf \ + debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ + {{pkgdest}}/{{pkgname}}* {{build}} coverage.out + +[group('packages')] +[doc('Build the package in a clean OCI container')] +package dist: + #!/usr/bin/env bash + set -eu -o pipefail + dist="{{dist}}" + version="" + if [[ $dist =~ ubuntu([0-9]+) ]]; then + version="${BASH_REMATCH[1]}.04" + dist="ubuntu" + elif [[ $dist == debian* ]]; then + version="trixie" + dist="debian" + fi + bash dists/docker.sh $dist $version + +[group('vm')] +[doc('Build the VM image')] +img dist flavor: (package dist) + @mkdir -p {{base_dir}} + packer build -force \ + -var dist={{dist}} \ + -var flavor={{flavor}} \ + -var prefix={{prefix}} \ + -var username={{username}} \ + -var password={{password}} \ + -var ssh_publickey={{ssh_publickey}} \ + -var disk_size={{disk_size}} \ + -var cpus={{vcpus}} \ + -var ram={{ram}} \ + -var base_dir={{base_dir}} \ + -var output_dir={{output_dir}} \ + tests/packer/ + +[group('vm')] +[doc('Create the 
machine')] +create dist flavor: + @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + @virt-install {{c}} \ + --import \ + --name {{prefix}}{{dist}}-{{flavor}} \ + --vcpus {{vcpus}} \ + --ram {{ram}} \ + --machine q35 \ + {{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \ + --memorybacking source.type=memfd,access.mode=shared \ + --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ + --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ + --os-variant "`just get_osinfo {{dist}}`" \ + --graphics spice \ + --audio id=1,type=spice \ + --sound model=ich9 \ + --noautoconsole + +[group('vm')] +[doc('Start a machine')] +up dist flavor: + @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} + +[group('vm')] +[doc('Stops the machine')] +halt dist flavor: + @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} + +[group('vm')] +[doc('Reboot the machine')] +reboot dist flavor: + @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} + +[group('vm')] +[doc('Destroy the machine')] +destroy dist flavor: + @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true + @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram + @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + +[group('vm')] +[doc('Connect to the machine')] +ssh dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` + +[group('vm')] +[doc('Mount the shared directory on the machine')] +mount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' + +[group('vm')] +[doc('Unmout the shared directory on the machine')] +umount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' + +[group('vm')] +[doc('List the machines')] +list: + @printf "{{BOLD}} 
%-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" + @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' + +[group('vm')] +[doc('List the VM images')] +images: + #!/usr/bin/env bash + set -eu -o pipefail + ls -lh {{base_dir}} | awk ' + BEGIN { + printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") + } + { + if ($9 ~ /^{{prefix}}.*\.qcow2$/) { + split($9, arr, "-|\\.") + printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8) + } + } + ' + +[group('vm')] +[doc('List the VM images that can be created')] +available: + #!/usr/bin/env bash + set -eu -o pipefail + ls -lh tests/cloud-init | awk ' + BEGIN { + printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") + } + { + if ($9 ~ /^.*\.user-data.yml$/) { + split($9, arr, "-|\\.") + printf("%-18s %s\n", arr[1], arr[2]) + } + } + ' + +[group('tests')] +[doc('Install dependencies for the integration tests')] +init: + @bash tests/requirements.sh + +[group('tests')] +[doc('Run the integration tests')] +integration: + bats --recursive --timing --print-output-on-failure tests/integration + +[group('tests')] +[doc('Install dependencies for the integration tests (machine)')] +tests-init dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init + +[group('tests')] +[doc('Synchronize the integration tests (machine)')] +tests-sync dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ + +[group('tests')] +[doc('Re-synchronize the integration tests (machine)')] +tests-resync dist flavor: (mount dist flavor) \ + (tests-sync dist flavor) \ + (umount dist flavor) + +[group('tests')] +[doc('Run the integration tests (machine)')] +tests-run dist flavor name="": (tests-resync dist flavor) + ssh {{sshopt}} {{username}}@`just get_ip 
{{dist}} {{flavor}}` \ + bats --recursive --pretty --timing --print-output-on-failure \ + /home/{{username}}/Projects/tests/integration/{{name}} + +[private] +get_ip dist flavor: + @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ + head -1 | \ + grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' + +[private] +get_osinfo dist: + #!/usr/bin/env python3 + osinfo = { + "archlinux": "archlinux", + "debian12": "debian12", + "debian13": "debian13", + "ubuntu22": "ubuntu22.04", + "ubuntu24": "ubuntu24.04", + "ubuntu25": "ubuntu25.04", + "opensuse": "opensusetumbleweed", + } + print(osinfo.get("{{dist}}", "{{dist}}")) diff --git a/Makefile b/Makefile deleted file mode 100644 index 911bd4027..000000000 --- a/Makefile +++ /dev/null 
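Review bot: In the `local` and `dev` recipes, `systemctl restart apparmor || sudo journalctl -xeu apparmor.service` reports success when the restart fails, because journalctl's zero exit status replaces the failed one (`set -e` in `local` does not apply inside an `||` list); a profile that fails to compile is therefore left installed under `/etc/apparmor.d` and the recipe exits 0. The GitHub workflow in this commit already uses the stricter form, so the same applies here: `systemctl restart apparmor || { sudo journalctl -xeu apparmor.service; exit 1; }` in `local`, and the `sudo` variant in `dev`. Separately, the virtiofs tag `0a31bc478ef8e2461a4b1cc10a24cc4` is spelled out in both `create` and `mount`; a top-level `fs_tag := "..."` variable would keep the two in sync. Both points carry over from the deleted Makefile, so they are pre-existing rather than introduced by this change.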
@@ -1,134 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -DESTDIR ?= / -BUILD ?= .build -PKGDEST ?= ${PWD}/.pkg -PKGNAME := apparmor.d -PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) - -.PHONY: all -all: build - @./${BUILD}/prebuild --complain - -.PHONY: build -build: - @go build -o ${BUILD}/ ./cmd/aa-log - @go build -o ${BUILD}/ ./cmd/prebuild - -.PHONY: enforce -enforce: build - @./${BUILD}/prebuild - -.PHONY: full -full: build - @./${BUILD}/prebuild --complain --full - -.PHONY: install -install: - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \ - mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \ - cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in ${BUILD}/systemd/system/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \ - done; - @for file in ${BUILD}/systemd/user/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ - done - - -.PHONY: $(PROFILES) -$(PROFILES): - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ - done; - @for file in $(shell find 
${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ - done; - @echo "Warning: profile dependencies fallback to unconfined." - @for file in ${@}; do \ - grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \ - sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ - install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: dev -name ?= -dev: - @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) - @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name} - @sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: package -dist ?= archlinux -package: - @bash dists/docker.sh ${dist} - -.PHONY: pkg -pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm - -.PHONY: dpkg -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb - -.PHONY: rpm -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm - -.PHONY: tests -tests: - @go test ./cmd/... -v -cover -coverprofile=coverage.out - @go test ./pkg/... 
-v -cover -coverprofile=coverage.out - @go tool cover -func=coverage.out - -.PHONY: lint -lint: - @golangci-lint run - @make --directory=tests lint - @shellcheck --shell=bash \ - PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ - tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ - debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm - -.PHONY: check -check: - @bash tests/check.sh - -.PHONY: bats -bats: - @bats --timing --print-output-on-failure tests/bats/ - -.PHONY: manual -manual: - @pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md - -.PHONY: docs -docs: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict - -.PHONY: serve -serve: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve - -.PHONY: clean -clean: - @rm -rf \ - debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \ - .pkg/${PKGNAME}* ${BUILD} coverage.out diff --git a/PKGBUILD b/PKGBUILD index 5bac14835..dfbb46735 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -7,11 +7,11 @@ pkgname=apparmor.d pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" -arch=("x86_64") -url="https://github.com/roddhjav/$pkgname" -license=('GPL2') -depends=('apparmor') -makedepends=('go' 'git' 'rsync') +arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') +url="https://github.com/roddhjav/apparmor.d" +license=('GPL-2.0-only') +depends=('apparmor>=4.1.0' 'apparmor<5.0.0') +makedepends=('go' 'git' 'rsync' 'just') conflicts=("$pkgname-git") pkgver() { @@ -30,10 +30,11 @@ build() { export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" - make DISTRIBUTION=arch + export DISTRIBUTION=arch + just complain } package() { cd "$srcdir/$pkgname" - make install DESTDIR="$pkgdir" + just destdir="$pkgdir" install } diff --git a/README.md b/README.md index 7aed183da..c1c7726c5 100644 --- a/README.md 
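Review bot: `makedepends` keeps `rsync` while this commit removes rsync from every CI install list (the `.gitlab-ci.yml` tests, debian, ubuntu and opensuse jobs); if `dists/build.sh` and `package()` no longer call it, the entry is dead weight on Arch builders, and if they still do, the CI jobs now lack it — the diff does not show which. Worth checking `dists/build.sh` and aligning both sides. The new `depends=('apparmor>=4.1.0' 'apparmor<5.0.0')` bound is a good addition; a short comment naming what the profiles rely on from 4.1 (the abi level they declare, presumably) would make the lower bound maintainable.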
+++ b/README.md @@ -2,7 +2,7 @@ # apparmor.d -[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] +[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link] **Full set of AppArmor profiles** @@ -35,8 +35,11 @@ * Gnome (GDM) * KDE (SDDM) * XFCE (Lightdm) *(work in progress)* -- Fully tested *(work in progress)* +- [Fully tested](https://apparmor.pujol.io/development/tests/) +**Demo** + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. @@ -59,6 +62,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ## Installation Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) 
@@ -93,6 +100,8 @@ and thus has the same license (GPL2). [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d [matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix [matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org +[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square +[play-link]: https://play.pujol.io [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 4c506da69..9330d2223 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -4,7 +4,6 @@ abi , - # The unix socket to use to connect to the display unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), @@ -13,6 +12,7 @@ /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions + /usr/share/xkeyboard-config-2/{,**} r, /etc/X11/cursors/{,**} r, diff --git a/apparmor.d/abstractions/ansible b/apparmor.d/abstractions/ansible new file mode 100644 index 000000000..579783096 --- /dev/null +++ b/apparmor.d/abstractions/ansible @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 5d2f74363..7f7e2a673 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -5,13 +5,11 @@ abi , - @{bin}/** PUx, - /usr/local/{s,}bin/** PUx, + include - @{bin}/ r, - / r, - /usr/ r, - /usr/local/{s,}bin/ r, + @{bin}/** PUx, + @{sbin}/** PUx, + /usr/local/{s,}bin/** PUx, include if exists 
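Review bot: The new `@{sbin}/** PUx,` line extends the unconfined-fallback execute rule from `@{bin}/**` to everything under the sbin directories; that fits a root launcher abstraction, but since `PUx` drops to unconfined for any target without a profile, a one-line comment stating that the sbin expansion is intentional would help reviewers of later changes. The removed directory reads (`@{bin}/ r,`, `/ r,`, `/usr/ r,`, `/usr/local/{s,}bin/ r,`) are presumably supplied by the newly added include, whose target name is not visible on this page; worth confirming that it covers `/usr/local/{s,}bin/ r` in particular.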
diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 800de5106..3f35d5882 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -5,6 +5,8 @@ abi , + include + @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, @@ -18,13 +20,7 @@ @{thunderbird_path} Px, @{offices_path} PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - - @{user_bin_dirs}/ r, - @{user_bin_dirs}/** PUx, + @{user_bin_dirs}/** PUx, include if exists diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index d257797eb..e0c8d3d59 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -18,6 +18,7 @@ # Labeled programs @{archive_viewers_path} PUx, + @{backup_path} PUx, @{browsers_path} Px, @{document_viewers_path} PUx, @{emails_path} PUx, @@ -25,6 +26,7 @@ @{help_path} Px, @{image_viewers_path} PUx, @{offices_path} PUx, + @{terminal_path} Px, @{text_editors_path} PUx, # Others @@ -33,17 +35,19 @@ @{bin}/discord{,-ptb} Px, @{bin}/draw.io PUx, @{bin}/dropbox Px, + @{bin}/ebook-edit PUx, @{bin}/element-desktop Px, @{bin}/extension-manager Px, @{bin}/filezilla Px, @{bin}/flameshot Px, - @{bin}/gimp* PUx, - @{bin}/gnome-calculator PUx, + @{bin}/gimp{,-3.0} Px, + @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, + @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, - @{bin}/kgx Px, + @{bin}/keepassxc Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, @@ -51,15 +55,12 @@ @{bin}/telegram-desktop Px, @{bin}/transmission-gtk Px, @{bin}/viewnior PUx, - @{bin}/vlc PUx, + @{bin}/vlc Px, @{bin}/xbrlapi Px, #aa:only opensuse @{lib}/YaST2/** PUx, - # Backup - @{lib}/deja-dup/deja-dup-monitor PUx, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 666387d0a..a971ca5a0 100644 
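Review bot: Switching `@{bin}/gimp{,-3.0}`, `@{bin}/gnome-calculator` and `@{bin}/vlc` from `PUx` to `Px` tightens the transition, but it also means the exec is denied outright on any system where the corresponding profile is absent or disabled, where before it fell back to unconfined; that is the right default for this project, yet nothing in the hunk records that those profiles now exist. The `@{bin}/kgx Px,` removal appears to be covered by the new `@{terminal_path} Px,` and the dropped `@{lib}/deja-dup/deja-dup-monitor PUx,` by `@{backup_path} PUx,`, which cannot be verified from this page; a trailing comment on those two variable lines (`# covers kgx` / `# covers deja-dup-monitor`) would make the equivalence checkable.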
--- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -37,7 +37,7 @@ include include include - include + include include include include @@ -78,7 +78,7 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/xdg-desktop-menu rPx, @{bin}/xdg-email rPx, @{bin}/xdg-icon-resource rPx, @@ -86,16 +86,11 @@ @{bin}/xdg-open rPx -> child-open, @{bin}/xdg-settings rPx, - # Installing/removing extensions & applications - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/touch rix, + # Installing/removing extensions, applications, and stacked xdg menus + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{coreutils_path} ix, # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 @@ -129,9 +124,10 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -141,7 +137,7 @@ owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, + owner @{user_config_dirs}/menus/applications-merged/*.menu rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, 
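Review bot: Replacing the nine named coreutils with `@{coreutils_path} ix,` plus `@{sh_path} rix,` and `@{bin}/{m,g,}awk ix,` widens the set of programs the browser may run under its own profile from a handful of file helpers to a shell and the whole coreutils set; `ix` keeps them confined by the browser profile, so this is not an escape, but it does mean any shell script the browser launches now runs under these rules. The updated comment ("stacked xdg menus") is brief; naming which launched script actually needs the shell would justify `@{sh_path}`. Likewise `owner @{user_config_dirs}/menus/applications-merged/*.menu rw,` replaces a read on one dummy file with read-write on every merged menu file; if only the dummy needs `w`, keeping `xdg-desktop-menu-dummy.menu rw` and `*.menu r` is the narrower form.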
@@ -159,6 +155,7 @@ owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/scoped_dir@{rand6}/{,**} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/** rwk, @@ -202,6 +199,7 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 3992fb7b0..2bd14077b 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -10,10 +10,10 @@ include @{sh_path} rix, - @{bin}/nvim mix, + @{bin}/nvim mrix, @{bin}/sensible-editor mr, - @{bin}/vim{,.*} mrix, - @{bin}/which{,.debianutils} ix, + @{bin}/vim{,.*} mrix, + @{bin}/which{,.debianutils} rix, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, @@ -25,6 +25,7 @@ owner @{HOME}/.selected_editor r, owner @{HOME}/.viminf@{c}{,.tmp} rw, + owner @{HOME}/.vim/{after/,}spell/{,**} rw, owner @{HOME}/.vimrc r, owner @{HOME}/ r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 87865197e..85922664b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -21,12 +21,14 @@ include include include + include + include include include include include include - include + include include include include @@ -64,7 +66,7 @@ @{lib_dirs}/plugin-container rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, 
@@ -98,6 +100,8 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, + owner @{tmp}/remote-settings-startup-bundle- rw, + owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, @@ -124,8 +128,10 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, @{PROC}/@{pid}/net/arp r, diff --git a/apparmor.d/abstractions/app/fusermount b/apparmor.d/abstractions/app/fusermount new file mode 100644 index 000000000..a394e2528 --- /dev/null +++ b/apparmor.d/abstractions/app/fusermount @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should +# be defined in the calling profile. + + abi , + + include + include + + capability dac_override, + capability dac_read_search, + capability sys_admin, # To mount anything + + @{bin}/fusermount{,3} mr, + + @{bin}/mount rix, + @{bin}/umount rix, + + @{etc_ro}/fuse{,3}.conf r, + + @{run}/mount/utab r, + @{run}/mount/utab.* rwk, + + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 25a0c0c38..b6beeb7f6 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod 
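Review bot: The new fusermount abstraction grants `capability sys_admin,` and runs `@{bin}/mount` and `@{bin}/umount` with `ix`, but contains no `mount` or `umount` rule, so its effective scope depends entirely on what the including profile adds. The header comment says the paths come from the caller; it should also say that the caller is expected to add fstype-restricted `mount`/`umount` rules, because sys_admin plus an unrestricted mount binary is broader than a FUSE helper needs. Something like `# Callers must add the fuse-restricted mount/umount rules for their own paths` would make that contract explicit.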
@@ -7,13 +7,7 @@ include - @{bin}/depmod mr, - @{bin}/insmod mr, - @{bin}/kmod mr, - @{bin}/lsmod mr, - @{bin}/modinfo mr, - @{bin}/modprobe mr, - @{bin}/rmmod mr, + @{bin}/kmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 256eb5a6d..9d0da2199 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -3,19 +3,46 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Full set of rules for child-open-* profiles. +# Full set of rules for desktop generic open-* used in child-open-* profiles. abi , include - @{open_path} mrix, + # We cannot use `@{open_path} mrix,` here because it includes: + # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop + # And `@{multiarch}` has a wildcard that cannot be merged and that will generate + # "has merged rule with conflicting x modifiers" error when used with other + # wilcard over PUx transition. + @{bin}/exo-open mrix, + @{bin}/xdg-open mrix, + @{bin}/gio mrix, + @{bin}/kde-open mrix, + @{bin}/gio-launch-desktop mrix, + @{lib}/gio-launch-desktop mrix, - @{sh_path} r, @{bin}/env rix, + @{sh_path} r, /dev/tty rw, + # if @{DE} == kde + + include + include + include + include + include + + /etc/xdg/menus/ r, + + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + @{PROC}/sys/kernel/random/boot_id r, + + # fi + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager new file mode 100644 index 000000000..1557b78ef --- /dev/null +++ b/apparmor.d/abstractions/app/pager 
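Review bot: In the `abstractions/app/open` hunk, the `# if @{DE} == kde` / `# fi` markers are plain comments, so the KDE include and the kioworker socket rules between them are granted to every child-open-* profile regardless of the desktop in use. If the builder has no conditional directive, the comment should say so, e.g. `# KDE (kioclient) rules; granted unconditionally since they cannot be made conditional`; if it does, it is worth checking that the syntax here is the one it recognises. The explanatory comment above `@{bin}/exo-open` also has `wilcard` for `wildcard`.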
@@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for pagers. + + abi , + + include + + capability dac_override, + capability dac_read_search, + + signal receive set=(stop, cont, term, kill), + + @{bin}/ r, + @{pager_path} mrix, + + @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, + /usr/share/nvim/{,**} r, + + @{HOME}/.lesshst r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, + + /dev/tty@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 211c2710d..d6b7ba8a7 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -21,6 +21,7 @@ @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec index 65d34ec6a..87b3ea842 100644 --- a/apparmor.d/abstractions/app/pkexec +++ b/apparmor.d/abstractions/app/pkexec @@ -30,6 +30,8 @@ /etc/shells r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/loginuid r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 4c7de6ba5..1c47490cd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. Interactive sudo need more rules. +# Minimal set of rules for sudo. abi , 
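Review bot: In the new pager abstraction, `@{HOME}/.lesshst r,` lacks `owner` while the `.lesshs*` rules right below it are owner-restricted, so the profile does not stop a confined pager from reading other users' less history files (which record search patterns and shell commands typed inside less); if only the invoking user's file is meant, it should be `owner @{HOME}/.lesshst r,` or folded into the existing `owner @{HOME}/.lesshs* rw,`. The `signal receive set=(stop, cont, term, kill),` rule also has no `peer=`, unlike the scoped receive rules added to `base-strict` in this same commit; a comment stating why any peer may signal the pager, or a `peer=` restriction, would help.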
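Review bot: In the pgrep hunk, `@{PROC}/@{pids}/environ r,` allows reading the environment of every process, not just the caller's own, and environments commonly carry credentials (tokens, API keys, authority file paths), which is considerably more sensitive than the cmdline/stat entries around it. If a specific pgrep option needs this, a comment naming it would justify the rule; otherwise `owner @{PROC}/@{pids}/environ r,` keeps the abstraction aligned with the rest of the file. Note that the kernel additionally gates non-owned environ reads behind ptrace-read access, so the denial that motivated this line may be worth re-checking.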
@@ -24,10 +24,10 @@ network netlink raw, # PAM - unix bind type=stream addr=@@{udbus}/bus/sudo/system, + unix type=stream addr=@@{udbus}/bus/sudo/system, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 8489bb275..b707add4d 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -11,9 +11,12 @@ ptrace read peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/system, @{bin}/systemctl mr, + @{att}/@{run}/systemd/private rw, + owner @{run}/systemd/private rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index e8414d026..d659143d6 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -11,7 +11,8 @@ /etc/udev/udev.conf r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 9a53d1548..e394c5b99 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base 
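Review bot: In the systemctl hunk, the two new rules for the systemd private socket disagree on `owner`: `@{att}/@{run}/systemd/private rw,` is unrestricted while `owner @{run}/systemd/private rw,` is owner-only. Both refer to the same socket (once through the re-attached path), so they should carry the same qualifier; if non-owner access is needed because systemctl runs as an unprivileged user against the root-owned socket, the plain rule will not match either, and a one-line comment should say which case is intended.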
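Review bot: In the udevadm hunk, narrowing `@{run}/udev/data/* r,` to `+*:*` and `c@{int}:@{int}` drops the block-device (`b@{int}:@{int}`) and network (`n@{int}`) entries udev also keeps under that directory, so `udevadm info` on a disk or interface would be denied unless the calling profile adds them. If that is deliberate, a comment such as `# block (b*) and net (n*) entries are left to calling profiles` would keep the next maintainer from re-adding the wildcard.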
@@ -3,15 +3,19 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the base abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , + include + @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, + @{att}/@{run}/systemd/journal/stdout rw, - deny /apparmor/.null rw, - deny @{att}/apparmor/.null rw, + /apparmor/.null rw, + @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index bf76e4a43..f306c2273 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -3,10 +3,26 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no + # Do not use it manually, It automatically replaces the consoles abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. + abi , - @{att}/dev/tty@{int} rw, - owner @{att}/dev/pts/@{int} rw, + # There are the common ways to refer to consoles + /dev/console rw, + /dev/tty rw, + /dev/tty@{u8} rw, + @{att}/dev/tty rw, + @{att}/dev/tty@{u8} rw, + + # These entries are a bit unfortunate; /dev/tty will always be + # associated with the controlling terminal by the kernel, but if a + # program uses the /dev/pts/ interface, it actually has access to + # -all- xterm, sshd, etc, terminals on the system. + /dev/pts/ r, + owner /dev/pts/@{u16} rw, + @{att}/pts/ r, + owner @{att}/dev/pts/@{u16} rw, include if exists diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 166229a09..826191309 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client 
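Review bot: In the attached/base hunk, `/apparmor/.null rw,` and `@{att}/apparmor/.null rw,` turn explicit deny rules into allows with no comment explaining the flip. If the reason is that the kernel substitutes this file for descriptors a task may not keep and the denies only produced log noise, say so inline, e.g. `# the kernel swaps .null in for closed fds; allowing it avoids spurious denials`; otherwise a reader will assume the deny was dropped by mistake. The header comment also has `manually, It` with a capital after the comma (same text in the consoles hunk below).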
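Review bot: In the attached/consoles hunk, `@{att}/pts/ r,` looks like it is missing the `dev` component: every other re-attached rule in the hunk is `@{att}/dev/...`, and the matching non-attached rule is `/dev/pts/ r,`, so the intended line is presumably `@{att}/dev/pts/ r,`. As written it grants read on a path that should not exist and leaves the re-attached `/dev/pts/` directory listing denied.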
@@ -21,6 +21,7 @@ /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, /etc/pipewire/client{,-rt}.conf.d/{,**} r, + /etc/pipewire/jack.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index ef54e6e78..a4ed65e8c 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -3,9 +3,10 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/pam-tmpdir-helper rPx, + @{lib}/pam-tmpdir/pam-tmpdir-helper rPx, #aa:only abi3 - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, #aa:only whonix @{lib}/security-misc/pam-abort-on-locked-password rPx, diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict new file mode 100644 index 000000000..818a4937f --- /dev/null +++ b/apparmor.d/abstractions/base-strict 
@@ -0,0 +1,131 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, It automatically replaces the base abstraction in + # profiles when the re-attached mode is enabled. + + # For now, it is only a restructuring of the base abstraction with awareness + # of the apparmor.d architecture. + + abi , + + include + include + include + include + + # Allow us to signal ourselves + signal peer=@{profile_name}, + + # Checking for PID existence is quite common so add it by default for now + signal (receive, send) set=exists, + + #aa:exclude RBAC + # Allow unconfined processes to send us signals by default + signal receive peer=unconfined, + + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + + # Htop like programs can send any signal to any process + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, + + # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd + signal receive peer=su, + signal receive peer=sudo, + signal receive set=(cont,term,kill,stop) peer=gnome-shell, + signal receive set=(cont,term,kill,stop) peer=login, + signal receive set=(cont,term,kill,stop) peer=openbox, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(cont,term,kill,stop) peer=xinit, + + # Allow other processes to read our /proc entries, futexes, perf tracing and + # kcmp for now (they will need 'read' in the first place). Administrators can + # override with: + # deny ptrace readby ... + ptrace readby, + + # Allow other processes to trace us by default (they will need 'trace' in + # the first place). 
Administrators can override with: + # deny ptrace tracedby ... + ptrace tracedby, + + # Allow us to ptrace read ourselves + ptrace read peer=@{profile_name}, + + # Allow us to create and use abstract and anonymous sockets + unix peer=(label=@{profile_name}), + + # Allow unconfined processes to us via unix sockets + unix receive peer=(label=unconfined), + + # Allow communication to children profiles + signal peer=@{profile_name}//*, + unix type=stream peer=(label=@{profile_name}//*), + + # Allow us to create abstract and anonymous sockets + unix create, + + # Allow us to getattr, getopt, setop and shutdown on unix sockets + unix (getattr, getopt, setopt, shutdown), + + # Allow all programs to use common libraries + @{lib}/** r, + @{lib}/**.so* m, + @{lib}/@{multiarch}/**.so* m, + @{lib}/@{multiarch}/** r, + + # Some applications will display license information + /usr/share/common-licenses/** r, + + # Allow access to the uuidd daemon (this daemon is a thin wrapper around + # time and getrandom()/{,u}random and, when available, runs under an + # unprivilged, dedicated user). + @{run}/uuidd/request r, + + # Transparent hugepage support + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + # Systemd's equivalent of /dev/log + @{run}/systemd/journal/dev-log w, + + # Systemd native journal API (see sd_journal_print(4)) + @{run}/systemd/journal/socket w, + + # Nested containers and anything using systemd-cat need this. 'r' shouldn't + # be required but applications fail without it. journald doesn't leak + # anything when reading so this is ok. 
+ @{run}/systemd/journal/stdout rw, + + # Allow determining the highest valid capability of the running kernel + @{PROC}/sys/kernel/cap_last_cap r, + + # Controls how core dump files are named + @{PROC}/sys/kernel/core_pattern r, + + # Sometimes used to determine kernel/user interfaces to use + @{PROC}/sys/kernel/version r, + + # Harmless and frequently used + /dev/null rw, + /dev/random r, + /dev/urandom r, + /dev/zero rw, + + # The __canary_death_handler function writes a time-stamped log + # message to /dev/log for logging by syslogd. So, /dev/log, timezones, + # and localisations of date should be available EVERYWHERE, so + # StackGuard, FormatGuard, etc., alerts can be properly logged. + /dev/log w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 3b5ecaf41..ad3945eb9 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -3,14 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, + signal (receive) peer=pkill, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(cont,term) peer=@{p_systemd_user}, - signal (receive) set=(cont,term) peer=@{p_systemd}, signal (receive) set=(hup term) peer=login, signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,kill) peer=gnome-shell, 
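Review bot: In the new base-strict file, `ptrace readby,` and `ptrace tracedby,` are granted without a `peer=`, which means any profile that itself holds `ptrace trace` may attach to every process using this abstraction; the text is copied from the upstream base abstraction together with its "administrators can override" comments, so if the strict variant is meant to be tighter this is the first place to scope (for example `ptrace readby peer=@{profile_name},`, or a peer list like the signal rules above it). The comment `# Allow unconfined processes to us via unix sockets` is also missing its verb; `# Allow unconfined processes to talk to us via unix sockets` reads correctly. The header says the file is for now only a restructuring, so both may be intended follow-ups — worth a TODO line if so.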
@@ -18,17 +21,11 @@ signal (receive) set=(term,kill) peer=openbox, signal (receive) set=(term,kill) peer=su, - ptrace (readby) peer=systemd-coredump, + ptrace (readby) peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, - # mesa 24.2 introduced a shader disk cache which opens quite a lot of fd. - # They are not closed and get inherited by child programs. Denying it can cause - # crash, so we are allowing it globally while the issue is beeing fixed in mesa. - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw, - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw, - @{sys}/devices/system/cpu/possible r, @{PROC}/sys/kernel/core_pattern r, diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 9ea35f8c2..cd4a7c8a7 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index eba12457f..70850b2ba 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -9,11 +9,6 @@ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/at-spi/bus_@{int} rw, 
diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 95325d7d3..a1226d8e7 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -4,20 +4,13 @@ abi , - unix (bind, listen) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/{dbus,DBus} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 870443002..d05c018c7 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -4,17 +4,15 @@ abi , + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - @{run}/dbus/system_bus_socket rw, + @{run}/dbus/system_bus_socket rw, + @{att}/@{run}/dbus/system_bus_socket rw, include if exists 
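Review bot: In the bus-session hunk, removing the `unix ... addr="@/tmp/dbus-*"` connect/send/receive rules means a session bus reachable only through an abstract `@/tmp/dbus-*` address (the classic dbus-daemon default when no `@{run}/user/@{uid}/bus` socket is used) is no longer covered by this abstraction, and nothing in the hunk replaces it; worth confirming those setups are handled elsewhere before this lands. The new `path=/org/freedesktop/{dbus,DBus}` also admits a lowercase `dbus` object path that, as far as I know, the bus daemon does not expose; if it was added for a specific client's denial, a comment naming that client would keep it from being "fixed" later.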
diff --git a/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer b/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer new file mode 100644 index 000000000..9bad3655d --- /dev/null +++ b/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Change + peer=(name=ca.desrt.dconf), # no peer's labels + + dbus receive bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Notify + peer=(name=@{busname}, label=dconf-service), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu index c5f74a6de..61ce81111 100644 --- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu +++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu @@ -4,6 +4,10 @@ abi , + dbus send bus=session path=/com/canonical/unity/launcherentry/** + interface=com.canonical.dbusmenu + member={GetGroupProperties,GetLayout} + peer=(name=@{busname}, label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 4b7d6c89d..7989ea4c5 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 
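Review bot: The new ca.desrt.dconf.Writer file hard-codes `label=dconf-service` while the rest of this commit moves peer labels to `@{p_*}` variables (`@{p_bluetoothd}`, `@{p_colord}`, `@{p_avahi_daemon}`, ...), and the `com.canonical.dbusmenu` hunk on the next line does the same with `label=nautilus`. If variables for these profiles exist they should be used here for consistency; otherwise a one-line comment saying why the bare label is kept would stop the next conversion pass from guessing. The trailing `# no peer's labels` on the Change rule is a good way to mark a deliberate relaxation and is worth keeping.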
@@ -4,14 +4,11 @@ abi , - dbus send bus=system path=/fi/w1/wpa_supplicant1 - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name="@{busname}", label=wpa-supplicant), + #aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties - member={GetAll,Set} + member=Set peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1 @@ -39,16 +36,6 @@ member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} peer=(name="@{busname}", label=wpa-supplicant), - dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name="@{busname}", label=wpa-supplicant), - - dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name="@{busname}", label=wpa-supplicant), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 4da873247..7e7560992 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -4,10 +4,7 @@ abi , - dbus send bus=system path=/net/hadess/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=power-profiles-daemon), + #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index 7f68d2d06..df65417da 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl 
+++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -4,10 +4,7 @@ abi , - dbus send bus=system path=/net/hadess/SwitcherooControl - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=switcheroo-control), + #aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 41735f1be..0241fc889 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -4,10 +4,12 @@ abi , + #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" + dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name="@{busname}", label=fprintd), + peer=(name="@{busname}", label="@{p_fprintd}"), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager @@ -17,7 +19,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=net.reactivated.Fprint, label=fprintd), + peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index bb31a079c..2677d2f61 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y 
@@ -9,33 +9,38 @@ dbus receive bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=EventListenerDeregistered - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), # Session bus + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus - member=GetAddress + member=Get peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), dbus send bus=session path=/org/a11y/bus diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 7b709ab9b..461ad9f94 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez 
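Review bot: `member=Get` on `interface=org.a11y.Bus` looks wrong: `Get` is the property getter of `org.freedesktop.DBus.Properties`, while the `org.a11y.Bus` interface itself exposes `GetAddress`, which this hunk removes. If the intent is to read the `IsEnabled` property, the rule should be `interface=org.freedesktop.DBus.Properties member=Get` (the newly added `GetAll` rule above it already covers that interface); if clients still call `GetAddress`, dropping it will produce denials. Please re-check the denial that motivated the change.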
@@ -4,45 +4,37 @@ abi , + #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" + dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name="{@{busname},org.bluez}", label=bluetoothd), - - dbus receive bus=system path=/org/bluez/hci@{int}{,/**} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), - - dbus send bus=system path=/org/bluez/hci@{int} - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.Media@{int} member=RegisterApplication - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index f2048c80e..d15288d46 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -4,30 +4,27 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label=accounts-daemon), - - dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index ccf5b30a9..aa48e69b1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi 
@@ -4,25 +4,42 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" + dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name="@{busname}", label=avahi-daemon), + peer=(name="@{busname}", label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 205557ad5..3a63d95dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager 
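Review bot: The Avahi Ping rule lost its peer label — `peer=(name=org.freedesktop.Avahi)` used to be `peer=(name=org.freedesktop.Avahi, label=avahi-daemon)` — while every other rule in the hunk was migrated to `label="@{p_avahi_daemon}"`. If the label was dropped on purpose, mark it the way this commit does in ca.desrt.dconf.Writer with a trailing `# no peer's labels`; otherwise restoring `label="@{p_avahi_daemon}"` keeps the abstraction uniform with its siblings.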
@@ -4,25 +4,22 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=GetDevices - peer=(name="@{busname}", label=colord), - - dbus send bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 101e493ab..76095edaf 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -4,15 +4,7 @@ abi , - dbus send bus=session path=/org/freedesktop/FileManager1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=nautilus), - - dbus receive bus=session path=/org/freedesktop/FileManager1 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=nautilus), + #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index 17ea4e45a..9957c7b67 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 
@@ -4,35 +4,26 @@
   abi ,
-  dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=geoclue),
-
+  #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
   dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
     interface=org.freedesktop.DBus.Properties
     member=PropertiesChanged
-    peer=(name=org.freedesktop.DBus, label=geoclue),
+    peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"),
   dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
     interface=org.freedesktop.DBus.Properties
     member=GetAll
-    peer=(name="@{busname}", label=geoclue),
+    peer=(name="@{busname}", label="@{p_geoclue}"),
   dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
     interface=org.freedesktop.DBus.Properties
     member=GetAll
-    peer=(name="@{busname}", label=geoclue),
+    peer=(name="@{busname}", label="@{p_geoclue}"),
   dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
     interface=org.freedesktop.GeoClue2.Manager
     member=AddAgent
-    peer=(name="@{busname}", label=geoclue),
-
-  dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
-    peer=(name="@{busname}", label=geoclue),
+    peer=(name="@{busname}", label="@{p_geoclue}"),
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
index 5c514d54c..4f53ba497 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
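Review bot: The `dbus send ... /org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll` rule kept in the middle of this hunk is the same rule the hunk deletes at the top (only the label spelling differs); every other file in this diff drops its Properties GetAll rule on the assumption that `#aa:dbus common` emits it, so either that assumption is wrong or this rule is now redundant and should go too. locale1 has the same leftover: its remaining GetAll rule immediately follows the new directive. Also, unlike the other files, the directive here is not followed by a blank line before the first rule.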
@@ -4,20 +4,17 @@
   abi ,
-  dbus send bus=system path=/org/freedesktop/ModemManager1
-    interface=org.freedesktop.DBus.ObjectManager
-    member=GetManagedObjects
-    peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
+  #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
   dbus send bus=system path=/org/freedesktop/ModemManager1
     interface=org.freedesktop.DBus.ObjectManager
     member=GetManagedObjects
-    peer=(name="@{busname}", label=ModemManager),
+    peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"),
   dbus send bus=system path=/org/freedesktop/ModemManager1
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=ModemManager),
+    interface=org.freedesktop.DBus.ObjectManager
+    member=GetManagedObjects
+    peer=(name="@{busname}", label="@{p_ModemManager}"),
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
index af2b6d2b9..a22a235fb 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@@ -4,14 +4,11 @@
   abi ,
+  #aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager
+
   dbus send bus=system path=/org/freedesktop
     interface=org.freedesktop.DBus.ObjectManager
-    member=GetManagedObjects
-    peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
-
-  dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
+    member={GetManagedObjects,InterfacesRemoved}
     peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
   dbus send bus=system path=/org/freedesktop/NetworkManager
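Review bot: `member={GetManagedObjects,InterfacesRemoved}` on a `dbus send` rule looks like a copy-paste from the receive side: InterfacesRemoved is a signal NetworkManager's ObjectManager emits, which the confined application receives (the next hunk already adds it to the matching `dbus receive` rule), so a client has no reason to send it. Unless an aa-log entry shows a send denial for that member, the send rule should stay `member=GetManagedObjects`. The rest of this rule list continues outside the hunk.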
@@ -29,19 +26,9 @@
     member=GetSettings
     peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
-  dbus send bus=system path=/org/freedesktop/NetworkManager
-    interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
-
   dbus receive bus=system path=/org/freedesktop
     interface=org.freedesktop.DBus.ObjectManager
-    member=InterfacesAdded
-    peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
-
-  dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
+    member={InterfacesAdded,InterfacesRemoved}
     peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
   dbus receive bus=system path=/org/freedesktop/NetworkManager
@@ -64,6 +51,11 @@
     member=Updated
     peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
+  dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
+    interface=org.freedesktop.NetworkManager.Connection.Active
+    member=StateChanged
+    peer=(name=@{busname}, label=NetworkManager),
+
   include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
index eee09ffad..6962bf7ec 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@@ -4,10 +4,7 @@
   abi ,
-  dbus send bus=session path=/org/freedesktop/Notifications
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=gjs-console),
+  #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console
   dbus send bus=session path=/org/freedesktop/Notifications
     interface=org.freedesktop.DBus.Properties
@@ -16,7 +13,7 @@
   dbus receive bus=session path=/org/freedesktop/Notifications
     interface=org.freedesktop.DBus.Properties
-    member={GetAll,NotificationClosed,CloseNotification}
+    member={NotificationClosed,CloseNotification}
     peer=(name="@{busname}", label=gjs-console),
   dbus receive bus=session path=/org/freedesktop/Notifications
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
index b65bc1ef5..f6cde2030 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
@@ -4,15 +4,8 @@
   abi ,
-  dbus send bus=system path=/org/freedesktop/PackageKit
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=packagekitd),
+  #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd
-  dbus send bus=system path=/org/freedesktop/PackageKit
-    interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(name=org.freedesktop.PackageKit, label=packagekitd),
   dbus send bus=system path=/org/freedesktop/PackageKit
     interface=org.freedesktop.DBus.Introspectable
     member=Introspect
@@ -21,7 +14,7 @@
   dbus send bus=system path=/org/freedesktop/PackageKit
     interface=org.freedesktop.PackageKit
     member=StateHasChanged
-    peer=(name=org.freedesktop.PackageKit, label=packagekitd),
+    peer=(name=org.freedesktop.PackageKit),
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
index ab9e373ab..9dfab7481 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
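Review bot: After the edit this receive rule still lists `member={NotificationClosed,CloseNotification}` under `interface=org.freedesktop.DBus.Properties`, but both names belong to the org.freedesktop.Notifications interface (NotificationClosed is its signal, CloseNotification its method), so as written the rule can never match a real message and is probably dead. Since the commit is already pruning GetAll from it, this is the moment to check the aa-log line that motivated the rule and change it to `interface=org.freedesktop.Notifications` (and drop CloseNotification, which a client sends rather than receives). The surrounding rule list continues outside the hunk.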
@@ -4,35 +4,27 @@
   abi ,
+  #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
+
   dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
     interface=org.freedesktop.PolicyKit1.Authority
     member=Changed
-    peer=(name="@{busname}", label=polkitd),
-
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=polkitd),
+    peer=(name="@{busname}", label="@{p_polkitd}"),
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
     interface=org.freedesktop.PolicyKit1.Authority
     member=CheckAuthorization
-    peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
+    peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"),
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
     interface=org.freedesktop.PolicyKit1.Authority
     member=CheckAuthorization
-    peer=(name="@{busname}", label=polkitd),
+    peer=(name="@{busname}", label="@{p_polkitd}"),
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
     interface=org.freedesktop.PolicyKit1.Authority
     member=CheckAuthorization
     peer=(name=org.freedesktop.PolicyKit1),
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-    interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(name="@{busname}", label=polkitd),
-
   include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
index ff2906932..f66fdb20a 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@@ -2,32 +2,25 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+# Allow setting realtime priorities.
+
   abi ,
+  #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}"
   dbus send bus=system path=/org/freedesktop/RealtimeKit1
     interface=org.freedesktop.DBus.Properties
     member=Get
     peer=(name=org.freedesktop.RealtimeKit1),
   dbus send bus=system path=/org/freedesktop/RealtimeKit1
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name="@{busname}", label=rtkit-daemon),
+    interface=org.freedesktop.RealtimeKit1
+    member={MakeThreadHighPriority,MakeThreadRealtime}
+    peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
   dbus send bus=system path=/org/freedesktop/RealtimeKit1
     interface=org.freedesktop.RealtimeKit1
-    member=MakeThread*
-    peer=(name="@{busname}", label=rtkit-daemon),
-
-  dbus send bus=system path=/org/freedesktop/RealtimeKit1
-    interface=org.freedesktop.RealtimeKit1
-    member=MakeThread*
-    peer=(name=org.freedesktop.RealtimeKit1),
-
-  dbus send bus=system path=/org/freedesktop/RealtimeKit1
-    interface=org.freedesktop.RealtimeKit1
-    member=MakeThread*
-    peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
+    member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}
+    peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
index 48fa7e394..c55736c1e 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
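Review bot: The two rewritten send rules are identical in path, interface and peer and differ only in member, so they can be one rule: `member={MakeThreadHighPriority,MakeThreadRealtime,MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}`. Note also that the old `member=MakeThread*` rule with an unlabelled peer is gone, so unless `@{p_rtkit_daemon}` is defined to match an unconfined rtkit-daemon as well, this abstraction now only works where rtkit-daemon is confined; that is a reasonable tightening, but the new header comment could say so, e.g. `# Allow setting realtime priorities via rtkit-daemon (requires it to run under @{p_rtkit_daemon}).`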
@@ -7,12 +7,12 @@
   dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
     interface=org.freedesktop.DBus.Peer
     member=Ping
-    peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
+    peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
   dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
     interface=org.freedesktop.Tracker3.Endpoint
     member=Query
-    peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
+    peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
index 30abb2199..c97e83d71 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
@@ -4,16 +4,13 @@
   abi ,
+  #aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd
+
   dbus send bus=system path=/org/freedesktop/UDisks2
     interface=org.freedesktop.DBus.ObjectManager
     member=GetManagedObjects
     peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-  dbus send bus=system path=/org/freedesktop/UDisks2/**
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-
   dbus send bus=system path=/
     interface=org.freedesktop.DBus.Introspectable
     member=Introspect
@@ -29,16 +26,6 @@
     member=Introspect
     peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-  dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-
-  dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
-    interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-
   dbus receive bus=system path=/org/freedesktop/UDisks2
     interface=org.freedesktop.DBus.ObjectManager
     member=InterfacesAdded
@@ -49,11 +36,6 @@
     member=Completed
     peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-  dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
-    peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-
   include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower
index 369448079..d82fbdef0 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@@ -4,44 +4,22 @@
   abi ,
+  #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
+
   dbus send bus=system path=/org/freedesktop/UPower
     interface=org.freedesktop.UPower
     member=EnumerateDevices
-    peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-
-  dbus send bus=system path=/org/freedesktop/UPower{,/**}
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-  dbus send bus=system path=/org/freedesktop/UPower{,/**}
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name=org.freedesktop.UPower, label=upowerd),
+    peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
   dbus send bus=system path=/org/freedesktop/UPower
     interface=org.freedesktop.DBus.Properties
     member=GetDisplayDevice
-    peer=(name=org.freedesktop.UPower, label=upowerd),
-
-  dbus send bus=system path=/org/freedesktop/UPower/devices/*
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-
-  dbus send bus=system path=/org/freedesktop/UPower{,/**}
-    interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+    peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
   dbus receive bus=system path=/org/freedesktop/UPower
     interface=org.freedesktop.UPower
-    member=DeviceAdded
-    peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-
-  dbus receive bus=system path=/org/freedesktop/UPower/devices/*
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
-    peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+    member={DeviceAdded,DeviceRemoved}
+    peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
   include if exists
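Review bot: The rule whose peer line this hunk rewrites still says `interface=org.freedesktop.DBus.Properties member=GetDisplayDevice`, but GetDisplayDevice is a method of the org.freedesktop.UPower interface, not of DBus.Properties, so the rule as written never matches the real call. Since the line is being touched anyway, change it to `interface=org.freedesktop.UPower`; if the rule was copied from an aa-log entry, the interface in that entry will confirm it.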
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles
new file mode 100644
index 000000000..45e88b103
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles
@@ -0,0 +1,11 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi ,
+
+  #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
+
+  include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
index f6019eedb..0f371f79b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
+++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
@@ -4,15 +4,7 @@
   abi ,
-  dbus send bus=session path=/org/freedesktop/background/monitor
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=xdg-desktop-portal),
-
-  dbus receive bus=session path=/org/freedesktop/background/monitor
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
-    peer=(name="@{busname}", label=xdg-desktop-portal),
+  #aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
index 7dcb187f1..0a8d86be1 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
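Review bot: The new directive writes `label=@{p_power_profiles_daemon}` unquoted, whereas every other `#aa:dbus common` line in this diff that uses a profile variable quotes it (`label="@{p_upowerd}"`, `label="@{p_polkitd}"`, …); if the directive parser tolerates both, the quoted form should still be used here for consistency, and if it does not, this one will fail to expand. Suggested line: `#aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}"`.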
@@ -4,21 +4,12 @@
   abi ,
+  #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
   dbus send bus=system path=/org/freedesktop/hostname1
     interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
-
-  dbus send bus=system path=/org/freedesktop/hostname1
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
+    member=Get
     peer=(name=org.freedesktop.hostname1),
-  dbus receive bus=system path=/org/freedesktop/hostname1
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
-    peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
-
   include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
index c4e4a5fbf..22886c8a5 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
+++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
@@ -4,16 +4,18 @@
   abi ,
-  dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=xdg-permission-store),
+  #aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
   dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
     interface=org.freedesktop.impl.portal.PermissionStore
     member=Lookup
     peer=(name="@{busname}", label=xdg-permission-store),
+  dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
+    interface=org.freedesktop.impl.portal.PermissionStore
+    member=Lookup
+    peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store),
+
   include if exists
 # vim:syntax=apparmor
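Review bot: The added Lookup rule duplicates the existing one line for line except for the peer name; the rest of this diff handles that case with a name alternation on a single rule (NetworkManager, UDisks2, UPower, login1 all use `name="{@{busname},…}"`), so the cleaner change is to edit the existing rule's peer line to `peer=(name="{@{busname},org.freedesktop.impl.portal.PermissionStore}", label=xdg-permission-store),` and not add a second block. Smaller thing in the hostname1 hunk on this same line: its directive is not followed by a blank line before the first rule, unlike the other files.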
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1
index 50218ced3..1348c8a39 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1
@@ -4,10 +4,7 @@
   abi ,
-  dbus send bus=system path=/org/freedesktop/locale1
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=systemd-localed),
+  #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
   dbus send bus=system path=/org/freedesktop/locale1
     interface=org.freedesktop.DBus.Properties
     member=GetAll
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1
index 77271fe23..ad368ed98 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1
@@ -4,35 +4,22 @@
   abi ,
-  dbus send bus=system path=/org/freedesktop/login1
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus receive bus=system path=/org/freedesktop/login1
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
-    peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+  #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
   dbus send bus=system path=/org/freedesktop/login1
     interface=org.freedesktop.login1.Manager
     member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
-    peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+    peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
   dbus receive bus=system path=/org/freedesktop/login1
     interface=org.freedesktop.login1.Manager
-    member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*}
-    peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus send bus=system path=/org/freedesktop/login1
-    interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+    member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*}
+    peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
   dbus send bus=system path=/org/freedesktop/login1/session/*
     interface=org.freedesktop.login1.Session
     member=PauseDeviceComplete
-    peer=(name=org.freedesktop.login1, label=systemd-logind),
+    peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
index 4affc3d22..f60c69301 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
@@ -4,40 +4,22 @@
   abi ,
+  #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
+
   dbus send bus=system path=/org/freedesktop/login1
     interface=org.freedesktop.login1.Manager
     member=GetSession
-    peer=(name="@{busname}", label=systemd-logind),
-
-  dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*}
-    interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus send bus=system path=/org/freedesktop/login1/session/*
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name="@{busname}", label=systemd-logind),
+    peer=(name="@{busname}", label="@{p_systemd_logind}"),
   dbus send bus=system path=/org/freedesktop/login1/session/*
     interface=org.freedesktop.login1.Session
     member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
-    peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus send bus=system path=/org/freedesktop/login1/seat/*
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus receive bus=system path=/org/freedesktop/login1/session/*
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
-    peer=(name="@{busname}", label=systemd-logind),
+    peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
   dbus receive bus=system path=/org/freedesktop/login1/session/*
     interface=org.freedesktop.login1.Session
     member={PauseDevice,Unlock}
-    peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+    peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1
index 56460a52b..7583a3e9d 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.network1
@@ -4,10 +4,7 @@
   abi ,
-  dbus send bus=system path=/org/freedesktop/network1
-    interface=org.freedesktop.DBus.Properties
-    member=Get
-    peer=(name=org.freedesktop.network1, label=systemd-networkd),
+  #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
index 1561491cc..5e5967a1a 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
+++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
@@ -4,9 +4,11 @@
   abi ,
+  #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal
+
   dbus send bus=session path=/org/freedesktop/portal/desktop
     interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll,Read}
+    member=Read
     peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
   dbus send bus=session path=/org/freedesktop/portal/desktop
@@ -29,6 +31,11 @@
     member={Read,ReadAll}
     peer=(name="@{busname}", label=xdg-desktop-portal),
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+    interface=org.freedesktop.host.portal.Registry
+    member=Register
+    peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
+
   include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
index 7714a871b..e2c4b3886 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
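Review bot: The directive's `name=org.freedesktop.portal.{d,D}esktop` is the only one in this diff that matches two bus names; if no lowercase `org.freedesktop.portal.desktop` well-known name is actually claimed by xdg-desktop-portal, the alternation only widens what the generated rules grant, so either cite the denial that motivated it in a comment (`# Some clients address the portal with a lowercase name, see <LOG-REF>`) or use the canonical `name=org.freedeskt­op.portal.Desktop`. Also, the rule narrowed to `member=Read` still sits under `interface=org.freedesktop.DBus.Properties`, while Read is a method of the portal Settings interface (the later rule with `member={Read,ReadAll}` is the one that matches it), so after this hunk that first rule likely matches nothing and can be dropped.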
@@ -4,10 +4,12 @@
   abi ,
+  #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
+
   dbus send bus=system path=/org/freedesktop/resolve1
     interface=org.freedesktop.resolve1.Manager
     member={SetLink*,ResolveHostname}
-    peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved),
+    peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"),
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets
index 0b169a04e..a2389a68a 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.secrets
+++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets
@@ -4,10 +4,7 @@
   abi ,
-  dbus send bus=session path=/org/freedesktop/secrets{,/**}
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=gnome-keyring-daemon),
+  #aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon
   dbus send bus=session path=/org/freedesktop/secrets
     interface=org.freedesktop.Secret.Service
@@ -24,11 +21,6 @@
     member=ItemCreated
     peer=(name="@{busname}", label=gnome-keyring-daemon),
-  dbus receive bus=session path=/org/freedesktop/secrets/collection/login
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
-    peer=(name="@{busname}", label=gnome-keyring-daemon),
-
   include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
index 41b08a80b..4fb1764bc 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
@@ -4,14 +4,16 @@
   abi ,
-  dbus send bus=system path=/org/freedesktop/systemd1{,/**}
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
+  #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
   dbus send bus=session path=/org/freedesktop/systemd1
     interface=org.freedesktop.systemd1.Manager
-    member={GetUnit,StartUnit,StartTransientUnit}
+    member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit}
+    peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
+
+  dbus send bus=system path=/org/freedesktop/systemd1
+    interface=org.freedesktop.systemd1.Manager
+    member=ListUnitsByPatterns
     peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
   dbus send bus=session path=/org/freedesktop/systemd1
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
index 97db8023f..577cc3ed9 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
@@ -4,15 +4,7 @@
   abi ,
-  dbus send bus=session path=/org/freedesktop/systemd1
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name=org.freedesktop.systemd1),
-
-  dbus send bus=session path=/org/freedesktop/systemd1
-    interface=org.freedesktop.DBus.Properties
-    member={Get,GetAll}
-    peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
+  #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
   dbus send bus=session path=/org/freedesktop/systemd1
     interface=org.freedesktop.systemd1.Manager
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
index 443d35eed..8f6118355 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
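Review bot: The rule this hunk extends with GetUnitByPIDFD is `dbus send bus=session ... peer=(name=org.freedesktop.systemd1, label="@{p_systemd}")`, i.e. a session-bus rule pinned to the PID 1 label, whereas on the session bus org.freedesktop.systemd1 is owned by the user manager, which the systemd1-session hunk on this same line labels `@{p_systemd_user}`; one of bus or label is wrong for it to ever match. Given this abstraction's directive is `bus=system`, the likely fix is `dbus send bus=system path=/org/freedesktop/systemd1` for that rule (the new ListUnitsByPatterns rule already uses bus=system), otherwise it belongs in systemd1-session with the user label. The rule list continues outside the hunk.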
@@ -4,21 +4,7 @@
   abi ,
-  dbus send bus=system path=/org/freedesktop/timedate1
-    interface=org.freedesktop.DBus.Properties
-    member=Get
-    peer=(name=org.freedesktop.timedate1, label=systemd-timedated),
-
-  # FIXME: should be under the systemd-timedated label
-  dbus send bus=system path=/org/freedesktop/timedate1
-    interface=org.freedesktop.DBus.Properties
-    member=Get
-    peer=(name=org.freedesktop.timedate1, label=unconfined),
-
-  dbus send bus=system path=/org/freedesktop/timedate1
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=systemd-timedated),
+  #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}"
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
index 120330ac1..6bfa6114b 100644
--- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
+++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
@@ -4,15 +4,12 @@
   abi ,
-  dbus send bus=session path=/org/gnome/ArchiveManager1
-    interface=org.freedesktop.DBus.Properties
-    member=GetAll
-    peer=(name="@{busname}", label=file-roller),
+  #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}"
   dbus send bus=session path=/org/gnome/ArchiveManager1
     interface=org.gnome.ArchiveManager1
     member=GetSupportedTypes
-    peer=(name="@{busname}", label=file-roller),
+    peer=(name="@{busname}", label="@{p_file_roller}"),
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager
index 107868836..741631f4b 100644
--- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager
+++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager
@@ -4,6 +4,8 @@
   abi ,
+  #aa:dbus common bus=system name=org.gnome.DisplayManager label=gdm
+
   dbus send bus=system path=/org/gnome/DisplayManager/Manager
     interface=org.gnome.DisplayManager.Manager
     member=RegisterDisplay
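Review bot: This hunk removes the `label=unconfined` fallback rule that the FIXME was tracking, leaving only the `@{p_systemd_timedated}` directive; that is the right direction, but on hosts where systemd-timedated runs unconfined (no profile loaded, or a distro that ships none) every consumer of this abstraction will now get a denial on the Properties Get call. If `@{p_systemd_timedated}` is defined to include `unconfined` this is a no-op and just deserves a comment above the directive saying so; if it is not, the commit message or changelog should call out the behaviour change.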
diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
index 605e90311..f275850cd 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
@@ -4,6 +4,8 @@
   abi ,
+  #aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
+
   dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
     interface=org.gnome.Mutter.DisplayConfig
     member={GetResources,GetCrtcGamma}
@@ -14,16 +16,6 @@
     member=GetCurrentState
     peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
-  dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
-    interface=org.freedesktop.DBus.Properties
-    member={GetAll,PropertiesChanged}
-    peer=(name="@{busname}", label=gnome-shell),
-
-  dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
-    interface=org.freedesktop.DBus.Properties
-    member=PropertiesChanged
-    peer=(name="@{busname}", label=gnome-shell),
-
   dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
     interface=org.gnome.Mutter.DisplayConfig
     member=MonitorsChanged
diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
index 68769f2c9..3eb301f18 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
@@ -4,6 +4,8 @@
   abi ,
+  #aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell
+
   dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
     interface=org.freedesktop.DBus.ObjectManager
     member=GetManagedObjects
diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
index 185937e70..178139a8d 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
+++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
@@ -4,20 +4,7 @@ abi , - dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=nautilus), - - dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="@{busname}", label=nautilus), - - dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=nautilus), + #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver index ba13aa7d2..46d1a1006 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver @@ -4,10 +4,7 @@ abi , - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gjs-console), + #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console dbus send bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index c683eddac..0683a98fb 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -6,6 +6,8 @@ abi , + #aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} 
@@ -21,16 +23,6 @@ member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} peer=(name="@{busname}", label=gnome-session-binary), - dbus send bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=gnome-session-binary), - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse @@ -41,26 +33,11 @@ member={CancelEndSession,QueryEndSession,EndSession,Stop} peer=(name="@{busname}", label=gnome-session-binary), - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=gnome-session-binary), - dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged peer=(name="@{busname}", label=gnome-session-binary), - dbus send bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index efe53af62..b53acf610 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect 
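Review bot: The `Properties GetAll`/`PropertiesChanged` rules removed here for the `/org/gnome/SessionManager/Client@{int}` object are not obviously covered by the `#aa:dbus common ... name=org.gnome.SessionManager` directive added in the first hunk, because that directive carries no `path=`, and the `org.gtk.vfs.Metadata` change in this same diff shows `path=` is a separate option, which suggests the generated rules default to one path derived from the name. If that is how the generator works, clients will now get denials on their per-client object during logout. Either keep the two `Client@{int}` Properties rules, or add a second directive such as `#aa:dbus common bus=session name=org.gnome.SessionManager path=/org/gnome/SessionManager/Client@{int} label=gnome-session-binary` if the directive accepts patterns in `path=`. The same question applies to the `Introspect` rule on the well-known `org.gnome.SessionManager` name removed at the end of the hunk.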
@@ -4,15 +4,7 @@ abi , - dbus send bus=session path=/org/gnome/Shell/Introspect - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gnome-shell), - - dbus send bus=session path=/org/gnome/Shell/Introspect - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.gnome.Shell.Introspect, label=gnome-shell), + #aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect @@ -24,11 +16,6 @@ member={RunningApplicationsChanged,WindowsChanged} peer=(name="@{busname}", label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell/Introspect - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=gnome-shell), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 new file mode 100644 index 000000000..baa96cc78 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + + include if exists + +# vim:syntax=apparmor + diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications new file mode 100644 index 000000000..b9229f204 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications 
@@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell + + dbus send bus=session path=/org/gtk/Notifications + interface=org.gtk.Notifications + member=RemoveNotification + peer=(name=org.gtk.Notifications, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index e813f5c4f..66910007b 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon @@ -9,6 +9,11 @@ member={GetConnection,ListMonitorImplementations,ListMountableInfo} peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index 80daa4927..ce6e60082 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata @@ -4,9 +4,15 @@ abi , + #aa:dbus common bus=system name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata dbus send bus=session path=/org/gtk/vfs/metadata interface=org.freedesktop.DBus.Properties member=GetAll + peer=(name=@{busname}, label=gvfsd-metadata), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={Set,Move,GetTreeFromDevice,Remove} peer=(name="@{busname}", label=gvfsd-metadata), dbus receive bus=session path=/org/gtk/vfs/metadata diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index 1c80ca6ea..d88afd0ee 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker 
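Review bot: The added `dbus receive ... member=GetConnection peer=(name=@{busname})` has no `label=`, while the send rule on the same interface in the context line above pins `label=gvfsd`, so as written any session-bus peer may deliver that call to the confined process. If the only caller is gvfsd, mirror the send rule with `peer=(name=@{busname}, label=gvfsd),`. If the receive side is meant to cover the gvfs backends, which presumably run under their own profiles, a short comment naming the expected senders would explain why the label is left open.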
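Review bot: The new directive line says `bus=system`, but every explicit rule in this file, including the `Properties GetAll` rule and the new `{Set,Move,GetTreeFromDevice,Remove}` rule in this hunk, is `bus=session`, so the generated common rules would land on a bus this service is never addressed on here and the session-bus `Introspect`/`Properties` traffic they are meant to cover would still be denied. Change it to `#aa:dbus common bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata`. Two style nits in the same hunk: the directive is not followed by a blank line as in the other abstractions in this diff, and the `GetAll` rule now has an unquoted `name=@{busname}` while the rule right below it quotes the same value.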
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -9,6 +9,11 @@ member=ListMountableInfo peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=LookupMount + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMounts2 diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index 5217a50f5..d9ca82881 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -4,21 +4,13 @@ abi , - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), + #aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player new file mode 100644 index 000000000..d8581be07 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player 
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}), + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member=Seeked + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/own-accessibility new file mode 100644 index 000000000..cd8e42e52 --- /dev/null +++ b/apparmor.d/abstractions/bus/own-accessibility @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. + +# Allow owning a name on DBus public bus + + abi , + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), + + include if exists + +# vim:syntax=apparmor 
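Review bot: The directive in the new file is spelled `#aa-dbus common`, whereas every other abstraction in this diff uses `#aa:dbus common`; if the prebuild directive parser keys on the `#aa:` prefix, this line is an inert comment and the Properties/Introspectable rules it is meant to generate are never emitted. Change it to `#aa:dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined`. Separately, the directive pins the peer to `label=unconfined` while the four explicit rules below carry no label at all, so any session-bus peer can push `PropertiesChanged`/`Seeked` to the profile and answer its `Get`/`GetAll`; if that openness is deliberate because players run under many different profiles, a one-line comment saying so would stop the next reader from "fixing" it, and the `@{busname}` values should be quoted for consistency with the rest of the tree.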
diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/own-session new file mode 100644 index 000000000..91515adb0 --- /dev/null +++ b/apparmor.d/abstractions/bus/own-session @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. + +# Allow owning a name on DBus public bus + + abi , + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/own-system new file mode 100644 index 000000000..d48931f4f --- /dev/null +++ b/apparmor.d/abstractions/bus/own-system @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. + +# Allow owning a name on DBus public bus + + abi , + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index f2201bd64..74c82f92a 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -27,6 +27,7 @@ include include include + include include include @@ -34,18 +35,13 @@ dbus bus=session, dbus bus=system, - /usr/cache/** r, - /usr/local/{,**} r, + /usr/** r, /usr/share/** rk, /etc/{,**} r, - / r, /.* r, - /*/ r, - @{bin}/ r, @{lib}/ r, - /usr/local/bin/ r, owner /_@{int}_/ w, owner /@{uuid}/ w, owner /var/cache/ldconfig/{,**} rw, @@ -58,14 +54,16 @@ @{MOUNTS}/** rwl, owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/** rwlk -> @{HOME}/**, + owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide owner @{user_games_dirs}/** rmix, - owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, + #aa:lint ignore=too-wide owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, + owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @@ -81,6 +79,7 @@ @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, @@ -125,6 +124,7 @@ owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/io r, + owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index 65bc2837f..f4630475d 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap 
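Review bot: `owner @{HOME}/** rwmlk -> @{HOME}/**` adds `m` to a path the profile can also write, so a confined app can drop a file anywhere under its home directory and map it executable, which in effect removes the write-xor-exec separation this abstraction still had for the home tree; the targeted `owner @{HOME}/.var/app/** rmix` and `owner @{user_games_dirs}/** rmix` lines already cover the cases visible here. If a specific application needs `m` on other home paths, a narrower rule in that profile, or a `#aa:lint ignore=too-wide` marker plus a comment naming the use case (as was done for the `@{tmp}/**` line in this hunk), would document the trade-off; otherwise keep `owner @{HOME}/** rwlk -> @{HOME}/**,`. The abstraction continues outside this hunk.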
@@ -47,6 +47,7 @@ @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/user/max_user_namespaces r, + @{PROC}/sys/kernel/seccomp/actions_avail r, owner @{PROC}/@{pid}/fd/ r, @{att}/@{PROC}/sys/user/max_user_namespaces rw, diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf new file mode 100644 index 000000000..1d9a6d145 --- /dev/null +++ b/apparmor.d/abstractions/common/debconf @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + include + include + + @{sh_path} rix, + @{bin}/locale ix, + @{bin}/whiptail Px, + + /usr/share/debconf/frontend rix, + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + + /var/ r, + /var/cache/ r, + /var/cache/debconf/ r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 8134f8681..6216ec939 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -75,6 +75,7 @@ @{PROC}/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, @@ -88,7 +89,6 @@ owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 3b4a982f1..6b97b014c 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game 
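Review bot: `@{PROC}/@{pid}/task/@{tid}/status r` is added without `owner` in this hunk while the `owner` form of the same path is removed in the next one, so the profile now reads the per-thread status of any process on the system rather than only its own; `status` exposes uid/gid, capability sets and signal masks, which a sandboxed renderer has no business learning about other users' processes. If the reason is that Chromium's sandboxed children end up with `/proc` entries owned by a different uid (the `owner @{PROC}/@{pid}/uid_map w` line in the next hunk hints at user-namespace use), say so in a comment next to the rule; otherwise keep the `owner` form and drop the unrestricted one. The enclosing electron abstraction continues outside both hunks.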
@@ -6,9 +6,9 @@ # wine, proton, game launchers should use this abstraction. # This abstraction uses the following tunables: -# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories +# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") -# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) +# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir) abi , diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index ccb5de8b3..056f6581b 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -32,6 +32,7 @@ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index df138bf6c..f4a10076e 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -8,6 +8,7 @@ ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 000000000..b8b7ad90f --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,8 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # There are the common ways to refer to consoles + /dev/tty@{u8} rw, + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index a163af66d..8fb84d261 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -4,7 +4,15 @@ include + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + @{lib}/.lib*.so*.hmac r, + @{lib}/@{multiarch}/.lib*.so*.hmac r, + @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, + # Used to determine if Linux is running in FIPS mode + @{PROC}/sys/crypto/fips_enabled r, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-accessibility-strict.d/complete b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete new file mode 100644 index 000000000..f71f7d869 --- /dev/null +++ b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete new file mode 100644 index 000000000..8d82bd277 --- /dev/null +++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-strict.d/complete b/apparmor.d/abstractions/dbus-strict.d/complete new file mode 100644 index 000000000..d35c7822a --- /dev/null +++ b/apparmor.d/abstractions/dbus-strict.d/complete 
@@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + @{run}/dbus/system_bus_socket rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index e84ffcb2e..72a943527 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -8,8 +8,9 @@ abi , include + include - owner @{user_config_dirs}/glib-2.0/settings/keyfile w, + owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ w, owner @{run}/user/@{uid}/dconf/user w, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index ed8fa33e6..1796c7ca0 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -2,19 +2,9 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Change - peer=(name=ca.desrt.dconf), # no peer's labels - - dbus receive bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Notify - peer=(name=:*, label=dconf-service), - /usr/share/dconf/profile/gdm r, - owner @{user_config_dirs}/glib-2.0/settings/keyfile r, + owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ r, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 743dfaf2d..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop 
@@ -22,7 +22,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, @@ -52,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 6bd0c8015..836a5f3c7 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -20,9 +20,9 @@ @{sys}/devices/**/usb@{int}/{,**} r, # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters include if exists diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 62e24b70d..e33ec2c3f 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -44,6 +44,12 @@ @{sys}/devices/virtual/block/loop@{int}/ r, @{sys}/devices/virtual/block/loop@{int}/** r, + # Xen PVH devices + @{sys}/devices/vbd-@{int}/block/** r, + + # Channel subsystem for IBM Z + @{sys}/devices/css@{int}/** r, + # LUKS/LVM (device-mapper) devices /dev/dm-@{int} rk, /dev/mapper/{,*} r, 
@@ -75,6 +81,11 @@ # CD-ROM /dev/sr@{int} rk, + # MD RAID devices + /dev/md@{int} rk, + @{sys}/devices/virtual/block/md@{int}/ r, + @{sys}/devices/virtual/block/md@{int}/** r, + # Lookup block device by major:minor numbers # See: https://apparmor.pujol.io/development/internal/#udev-rules @@ -85,17 +96,18 @@ @{run}/udev/data/b2:@{int} r, # for /dev/fd* @{run}/udev/data/b7:@{int} r, # for /dev/loop* @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b9:@{int} r, # for /dev/md* @{run}/udev/data/b11:@{int} r, # for /dev/sr* @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 - @{run}/udev/data/b25[0-4]:@{int} r, + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 + @{run}/udev/data/b25[0-4]:@{int} r, # to 254 @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # for disk over usb hub + @{run}/udev/data/+usb:* r, # Identifies all USB devices include if exists diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index ce0a05dd5..a52518042 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -41,6 +41,9 @@ # CD-ROM /dev/sr@{int} w, + # MD RAID devices + /dev/md@{int} w, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index 2ae6ab93d..65f97f9f2 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , 
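Review bot: The rewritten header comment in `abstractions/fish` now says the abstraction is needed "when zshrc is loaded", which is the zsh wording pasted into the fish file and will mislead anyone deciding whether to include it. Make it `# This abstraction is only required when the fish startup files are loaded (e.g. interactive shell).`, or keep the original sentence about interactive shells. The rest of the file is outside the hunk, so I cannot tell whether a zsh abstraction received the same edit.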
diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 4724c694a..220883c29 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -16,7 +16,7 @@ /opt/*/**.{desktop,png} r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc new file mode 100644 index 000000000..aa6e14416 --- /dev/null +++ b/apparmor.d/abstractions/glibc @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Used by Glibc when binding to ephemeral ports + @{etc_ro}/bindresvport.blacklist r, + + # Depending on which Glibc routine uses this file, base may not be the + # best place -- but many profiles require it, and it is quite harmless. + @{PROC}/sys/kernel/ngroups_max r, + + # Glibc's sysconf(3) routine to determine free memory, etc + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/online r, + @{sys}/devices/system/cpu/possible r, + @{PROC}/cpuinfo r, + @{PROC}/meminfo r, + @{PROC}/stat r, + + # Glibc's *printf protections read the maps file + @{PROC}/@{pid}/auxv r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/status r, + + # Glibc statvfs + @{PROC}/filesystems r, + + # Glibc malloc (man 5 proc) + @{PROC}/sys/vm/overcommit_memory r, + + # Recent glibc uses /dev/full in preference to /dev/null for programs + # that don't have open fds at exec() + /dev/full rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 9862ca5e7..fadaedcbf 100644 --- a/apparmor.d/abstractions/gnome-strict 
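Review bot: `@{PROC}/@{pid}/auxv r`, `@{PROC}/@{pid}/maps r` and `@{PROC}/@{pid}/status r` are granted without `owner`, although the comment above them describes glibc's printf protections, which only read the calling process's own files; as written, every profile that includes this abstraction may read the memory layout and credential/capability fields of other processes. The kernel already gates `maps` behind ptrace access checks, so the practical exposure is mostly same-uid processes, but `owner` costs nothing here: `owner @{PROC}/@{pid}/{auxv,maps,status} r,`. If the upstream `base` wording is being kept on purpose for drop-in compatibility, a comment naming the consumer that needs the non-owner form would stop this from being tightened later by mistake.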
+++ b/apparmor.d/abstractions/gnome-strict @@ -14,7 +14,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 90f705ac7..3dece8578 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -6,8 +6,8 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 1cf8869c4..5a14b6f7a 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -32,11 +32,11 @@ # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - #owner /tmp/orcexec.* mrw, + owner @{tmp}/orcexec.@{rand6} mrw, #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c189:@{int} r, # For USB serial converters 
@@ -52,14 +52,19 @@ @{sys}/devices/@{pci}/config r, @{sys}/devices/@{pci}/descriptors r, @{sys}/devices/@{pci}/devnum r, + @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/@{pci}/speed r, @{sys}/devices/@{pci}/uevent r, @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/devices r, + /dev/ r, /dev/bus/usb/ r, /dev/dri/ r, + /dev/nvidia-uvm rw, include if exists diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index ac702a70f..99cf70d97 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,32 +2,23 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session + dbus receive bus=session interface=org.gtk.Actions - member=DescribeAll - peer=(name=:*), - dbus send bus=session - interface=org.gtk.Actions - member=DescribeAll - peer=(label=gnome-shell), + member={Activate,DescribeAll,SetState} + peer=(name=@{busname}), - dbus receive bus=session + dbus send bus=session interface=org.gtk.Actions - member=Changed - peer=(name=:*), - dbus receive bus=session - interface=org.gtk.Actions - member=Changed - peer=(label=gnome-shell), + member=Changed, dbus send bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), @{lib}/{,@{multiarch}/}gtk*/** mr, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 33d034b5a..3ecd8c36d 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete 
@@ -8,6 +8,7 @@ type=stream peer=(addr="@/tmp/ibus/dbus-????????"), + #aa:lint ignore=tunables # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) @@ -16,11 +17,15 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????"), - unix (connect, send, receive, accept, bind, listen) type=stream addr="@/home/*/.cache/ibus/dbus-????????", + dbus receive bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=ibus-daemon), + owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete index 37038b129..adeb9a4bb 100644 --- a/apparmor.d/abstractions/kde-open5.d/complete +++ b/apparmor.d/abstractions/kde-open5.d/complete @@ -6,6 +6,6 @@ owner @{user_config_dirs}/menus/{,**} r, - owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 282ae1974..56aa88798 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -6,6 +6,7 @@ include include + include include include include @@ -27,7 +28,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, @@ -40,6 +41,8 @@ owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/trashrc r, + owner @{user_share_dirs}/#@{int} rw, + include if exists # vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld
new file mode 100644
index 000000000..21ac745e2
--- /dev/null
+++ b/apparmor.d/abstractions/ld
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+  # ld.so.cache and ld are used to load shared libraries.
+  # As such, they can be used everywhere
+
+  abi ,
+
+  /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
+
+  @{etc_ro}/ld.so.cache mr,
+  @{etc_ro}/ld.so.conf r,
+  @{etc_ro}/ld.so.conf.d/ r,
+  @{etc_ro}/ld.so.conf.d/*.conf r,
+  @{etc_ro}/ld.so.preload r,
+  @{etc_ro}/ld-musl-*.path r,
+
+  include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale
new file mode 100644
index 000000000..873c303f5
--- /dev/null
+++ b/apparmor.d/abstractions/locale
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi ,
+
+  @{etc_ro}/locale.alias r,
+  @{etc_ro}/locale.conf r,
+  @{etc_ro}/locale/** r,
+  @{etc_ro}/localtime r,
+  @{etc_rw}/localtime r,
+
+  /usr/share/**/locale/** r,
+  /usr/share/locale-bundle/** r,
+  /usr/share/locale-langpack/** r,
+  /usr/share/locale/ r,
+  /usr/share/locale/** r,
+  /usr/share/X11/locale/** r,
+  /usr/share/zoneinfo{,-icu}/ r,
+  /usr/share/zoneinfo{,-icu}/** r,
+
+  include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login
new file mode 100644
index 000000000..7ccc2d678
--- /dev/null
+++ b/apparmor.d/abstractions/mapping/login
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for login based hat mapping.
+
+  abi ,
+
+  include
+  include
+  include
+  include
+
+  capability audit_write,
+  capability chown,
+  capability fowner,
+  capability setgid,
+  capability setuid,
+  capability fsetid,
+
+  deny capability net_admin,
+
+  network netlink raw,
+
+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member=ReleaseSession
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+
+  @{etc_ro}/security/group.conf r,
+  @{etc_ro}/security/limits.conf r,
+  @{etc_ro}/security/limits.d/{,*} r,
+  @{etc_ro}/security/pam_env.conf r,
+
+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/{,*} r,
+  @{etc_ro}/security/capability.conf r,
+
+  include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/shadow b/apparmor.d/abstractions/mapping/shadow
new file mode 100644
index 000000000..5bf542c17
--- /dev/null
+++ b/apparmor.d/abstractions/mapping/shadow
@@ -0,0 +1,11 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for shadow based hat mapping.
+
+  abi ,
+
+  include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd
new file mode 100644
index 000000000..0f7512710
--- /dev/null
+++ b/apparmor.d/abstractions/mapping/sshd
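Review bot: `deny capability net_admin,` in mapping/login carries no rationale, whereas the identical deny in mapping/sshd (next file in this change) is preceded by a three-line comment explaining that libpam-systemd probes net_admin and falls back cleanly; the same explanation presumably applies here since this abstraction is also a PAM login path, and the comment should be copied so the deny is not mistaken for a leftover. A smaller style point: `capability fsetid,` is listed after `setuid`, breaking the alphabetical order the rest of the capability block keeps.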
@@ -0,0 +1,58 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for sshd based hat mapping. Similar to sshd-session
+
+  abi ,
+
+  include
+  include
+  include
+  include
+  include
+
+  capability audit_write,
+  capability chown,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability setgid,
+  capability setuid,
+  capability sys_resource,
+
+  # sshd doesn't require net_admin. libpam-systemd tries to
+  # use it if available to set the send/receive buffers size,
+  # but will fall back to a non-privileged version if it fails.
+  deny capability net_admin,
+
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  signal receive set=exists peer=@{p_systemd_journald},
+  signal receive set=hup peer=@{p_systemd},
+
+  unix bind type=stream addr=@@{udbus}/bus/sshd-session/system,
+  unix bind type=stream addr=@@{udbus}/bus/sshd/system,
+
+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+
+  /etc/motd r,
+  /etc/locale.conf r,
+
+  @{run}/motd.dynamic rw,
+  @{run}/motd.dynamic.new rw,
+
+  @{PROC}/1/limits r,
+
+  /dev/ptmx rw,
+  /dev/pts/@{int} k,
+
+  include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/sudo b/apparmor.d/abstractions/mapping/sudo
new file mode 100644
index 000000000..3347a91af
--- /dev/null
+++ b/apparmor.d/abstractions/mapping/sudo
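Review bot: `/etc/motd r,` and `/etc/locale.conf r,` use a literal `/etc` while mapping/login in this same change writes every `/etc` path with `@{etc_ro}`; mapping/sudo (next file) has the same mix, pairing `@{etc_ro}/login.defs r,` with `/etc/passwd r,`. On systems where the tunable points elsewhere than `/etc` the literal paths will silently stop matching, so the three lines should become `@{etc_ro}/motd r,`, `@{etc_ro}/locale.conf r,` and `@{etc_ro}/passwd r,`. Note also that the new abstractions/locale already grants `@{etc_ro}/locale.conf r`, so if it is among this file's (unrendered) includes the locale.conf line is redundant.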
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for su/sudo based hat mapping.
+
+  abi ,
+
+  capability audit_write,
+  capability setgid,
+  capability setuid,
+
+  network netlink raw,
+
+  @{etc_ro}/login.defs r,
+  /etc/passwd r,
+
+  include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete
index a19166367..1d718c0b1 100644
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@@ -2,6 +2,20 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
+  # Fallback location when @{user_cache_dirs} is not available
+  /var/cache/mesa_shader_cache_db/ rw,
+  /var/cache/mesa_shader_cache_db/index rw,
+  /var/cache/mesa_shader_cache_db/marker rw,
+  /var/cache/mesa_shader_cache_db/part@{int}/ rw,
+  /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk,
+  /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk,
+  /var/cache/mesa_shader_cache/ rw,
+  /var/cache/mesa_shader_cache/@{hex2}/ rw,
+  /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw,
+  /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk,
+  /var/cache/mesa_shader_cache/index rw,
+  /var/cache/mesa_shader_cache/marker rw,
+
   # Extra Mesa rules for desktop environments
   owner @{desktop_cache_dirs}/ w,
   owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw,
diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict
index 6069ddd9a..c3aa8e805 100644
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
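Review bot: The thirteen `/var/cache/mesa_shader_cache*` rules in mesa.d/complete are granted without `owner`, while the shader-cache rules immediately below them (`owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw,`) are owner-scoped. Since this abstraction is pulled into most desktop profiles, the new lines let any confined program, as any user, rewrite a cache shared system-wide, with `rwk` on the `.db`/`.idx` files. If the fallback is only reached by processes running as the directory's owner, prefixing the lines with `owner` costs nothing; if it is genuinely multi-user the comment should say so, e.g. `# Fallback location when @{user_cache_dirs} is not available (shared system-wide, hence no owner)`.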
@@ -6,27 +6,34 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, /etc/vdpau_wrapper.cfg r, - owner @{HOME}/.cache/nvidia/ w, - owner @{HOME}/.cache/nvidia/GLCache/ rw, - owner @{HOME}/.cache/nvidia/GLCache/** rwk, + owner @{HOME}/.nv/ w, owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw, + owner @{user_cache_dirs}/nvidia/ w, + owner @{user_cache_dirs}/nvidia/GLCache/ rw, + owner @{user_cache_dirs}/nvidia/GLCache/** rwk, + @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, @{PROC}/driver/nvidia/params r, + @{PROC}/modules r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/mmap_min_addr r, - @{PROC}/modules r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/task/@{tid}/comm r, /dev/char/195:@{int} w, # Nvidia graphics devices /dev/nvidia-modeset rw, diff --git a/apparmor.d/abstractions/openssl.d/complete b/apparmor.d/abstractions/openssl.d/complete new file mode 100644 index 000000000..600a030e5 --- /dev/null +++ b/apparmor.d/abstractions/openssl.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + /usr/share/ssl/ r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path new file mode 100644 index 000000000..dee241b29 --- /dev/null +++ b/apparmor.d/abstractions/path 
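Review bot: `@{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw,` lacks the `owner` qualifier that the three GLCache lines added right under it carry, and it is placed before the `owner @{user_cache_dirs}/nvidia/ w,` parent rule rather than with its siblings; the unqualified form allows writes into another user's GLCache directory when the cache tree is reachable. The same pattern applies to the new `@{PROC}/@{pid}/cmdline r,`, which is unowned while the adjacent `comm` rules are `owner`; unless reading other processes' command lines is needed, `owner @{PROC}/@{pid}/cmdline r,` is the consistent form. Suggested line: `owner @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw,` after the `GLCache/ rw` rule.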
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Common directories in $PATH, used by launchers and interactive shells.
+
+  abi ,
+
+  @{bin}/ r,
+  @{bin}/*/ r,
+  @{sbin}/ r,
+  @{sbin}/*/ r,
+
+  / r,
+  /usr/ r,
+  /usr/local/bin/ r,
+  /usr/local/sbin/ r,
+
+  @{user_bin_dirs}/ r,
+
+  include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/perl.d/complete b/apparmor.d/abstractions/perl.d/complete
new file mode 100644
index 000000000..0031356a1
--- /dev/null
+++ b/apparmor.d/abstractions/perl.d/complete
@@ -0,0 +1,7 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+  @{bin}/perl rix,
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete
index 9f8d13eb5..e372c312c 100644
--- a/apparmor.d/abstractions/python.d/complete
+++ b/apparmor.d/abstractions/python.d/complete
@@ -4,7 +4,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
   @{bin}/ r,
-  @{python_path} r,
+  @{python_path} rm,
   owner @{user_lib_dirs}/@{python_name}/ r,
   owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r,
 
diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write
index 5e64fc66f..e3b559418 100644
--- a/apparmor.d/abstractions/thumbnails-cache-write
+++ b/apparmor.d/abstractions/thumbnails-cache-write
@@ -10,7 +10,7 @@ owner @{user_cache_dirs}/thumbnails/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png wl, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} w, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} wl, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png w, diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index f7eb186b5..9626bb0bc 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* rk, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 026825b27..88d52203e 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* wl, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl, diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 8e5b68c08..67f83516e 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/glvnd/egl_vendor.d/{,*.json} r, diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index c4410d026..c9a275250 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit 
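Review bot: `owner @{HOME}/[^.]* rk,` in user-read-strict, and its `wl` twin in the user-write-strict hunk that follows, cover every non-hidden entry directly under `@{HOME}` instead of the XDG directories the rest of these abstractions are scoped to; because `*` does not cross `/`, the pattern matches top-level regular files, so any profile including user-write-strict may now write or hard-link any plain file a user keeps at the root of the home directory. That is a noticeable widening for abstractions named `-strict`, and nothing in the hunk says which use case it serves. If directory entries were the target, the `@{HOME}/[^.]*/` form would express that; otherwise a one-line comment above the rule stating the intended files (`# Top-level user files saved outside the XDG dirs`) would at least document the trade-off.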
@@ -2,13 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Minimal set of rules for webkit UI. +# Minimal set of rules for webkit GTK UI. abi , mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - @{bin}/xdg-dbus-proxy rix, + @{bin}/xdg-dbus-proxy rix, # TODO: stack me @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -26,6 +26,8 @@ owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + @{sys}/firmware/acpi/pm_profile r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 139b03450..28d15cf76 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -11,6 +11,7 @@ owner @{tmp}/.wine-@{uid}/ rw, owner @{tmp}/.wine-@{uid}/** rwk, + owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index a22895c91..7c734a45b 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh 
@@ -3,31 +3,48 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, - /usr/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r, + /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh-theme-*/{,**} r, + /usr/share/zsh/{,**} r, /etc/zsh/* r, - owner @{HOME}/.zshrc r, - owner @{HOME}/.zshenv r, + owner @{HOME}/.zcompdump-* rw, owner @{HOME}/.zsh_history rw, owner @{HOME}/.zsh_history.LOCK rwk, + owner @{HOME}/.zsh_history.new rw, + owner @{HOME}/.zshenv r, + owner @{HOME}/.zshrc r, owner @{HOME}/.oh-my-zsh/{,**} r, owner @{HOME}/.oh-my-zsh/log/update.lock/ w, - owner @{HOME}/.zcompdump-* rw, + owner @{user_cache_dirs}/oh-my-zsh/{,**} r, + owner @{user_cache_dirs}/p10k-@{user}/{,**} rw, + owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, + owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, + owner @{user_share_dirs}/zsh/history rw, + owner @{user_share_dirs}/zsh/history.LOCK rwk, + owner @{user_share_dirs}/zsh/history.new rw, + + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, + + @{PROC}/version r, + owner @{PROC}/@{pid}/loginuid r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap deleted file mode 100644 index 0a4b9efdf..000000000 --- a/apparmor.d/groups/_full/bwrap +++ /dev/null 
@@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for bwrap. - -abi , - -include - -@{exec_path} = @{bin}/bwrap -profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - capability sys_resource, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - signal (receive) set=(kill), - - @{bin}/** rm, - @{lib}/** rm, - /opt/*/** rm, - /usr/share/*/* rm, - - @{bin}/** Px -> bwrap//&bwrap-app, - @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, - # @{lib}/** Px -> bwrap//&bwrap-app, - /opt/*/** Px -> bwrap//&bwrap-app, - /usr/share/*/* Px -> bwrap//&bwrap-app, - - /usr/.ref rk, - - /bindfile@{rand6} rw, - - owner /var/cache/ w, - - owner @{run}/ld-so-cache-dir/* rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app deleted file mode 100644 index b6d45478a..000000000 --- a/apparmor.d/groups/_full/bwrap-app +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for user sandboxed application - -abi , - -include - -profile bwrap-app flags=(attach_disconnected,mediate_deleted) { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - - @{bin}/** rmix, - @{lib}/** rmix, - /opt/*/** rmix, - /usr/share/*/* rmix, - - owner /var/cache/ w, - - include if exists - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default deleted file mode 100644 index acdfc0bff..000000000 --- a/apparmor.d/groups/_full/default +++ /dev/null 
@@ -1,122 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for unconfined programs - -abi , - -include - -@{exec_path} = /** -profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - signal receive set=hup, - - @{bin}/bwrap rPx -> bwrap, - @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd//&pulseaudio, - @{bin}/su rPx -> default-sudo, - @{bin}/sudo rPx -> default-sudo, - @{bin}/systemctl rix, - @{coreutils_path} rix, - @{shells_path} rix, - - @{pager_path} rPx -> child-pager, - -# @{open_path} rPx -> child-open, - - audit @{bin}/** Pix, - audit @{lib}/** Pix, - audit /opt/*/** Pix, - audit /usr/share/*/* Pix, - - @{bin}/{,**} r, - @{lib}/{,**} r, - /usr/share/** r, - - /etc/xdg/** r, - - # Full access to user's data - / r, - /*/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/** rwl, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rwk, - owner @{run}/user/@{uid}/{,**} rwlk, - - @{run}/motd.dynamic.new rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/drm/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - 
@{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, - - /dev/ r, - /dev/ptmx rwk, - /dev/tty rwk, - owner /dev/tty@{int} rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo deleted file mode 100644 index 609191970..000000000 --- a/apparmor.d/groups/_full/default-sudo +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile default-sudo { - include - include - - capability chown, - capability mknod, - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, - - ptrace (read), - - @{bin}/su mr, - - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - - /var/db/sudo/lectured/ r, - /var/lib/extrausers/shadow r, - /var/lib/sudo/lectured/ r, - owner /var/db/sudo/lectured/@{uid} rw, - owner /var/lib/sudo/lectured/* rw, - - owner @{HOME}/.sudo_as_admin_successful rw, - - @{run}/ r, - @{run}/systemd/sessions/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd new file mode 100644 index 000000000..13864f2dd --- /dev/null +++ b/apparmor.d/groups/_full/sd 
@@ -0,0 +1,255 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd (as PID 1) profile.
+
+# sd is a profile for SystemD-executor run as root, it is used to run all services
+# files and to encapsulate stacked services profiles (hence the short name).
+# It aims at reducing the size of the systemd profile.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sd.d directory
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/systemd-executor
+profile sd flags=(attach_disconnected,mediate_deleted,complain) {
+  include
+  include
+  include
+  include
+  include
+  include
+  include
+  include
+
+  userns,
+
+  capability audit_control,
+  capability audit_write,
+  capability bpf,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability linux_immutable,
+  capability mknod,
+  capability net_admin,
+  capability net_bind_service,
+  capability net_raw,
+  capability perfmon,
+  capability setfcap,
+  capability setgid,
+  capability setpcap,
+  capability setuid,
+  capability sys_admin,
+  capability sys_nice,
+  capability sys_ptrace,
+  capability sys_rawio,
+  capability sys_resource,
+  capability sys_time,
+  capability sys_tty_config,
+  capability syslog,
+
+  network alg seqpacket,
+  network bluetooth,
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 raw,
+  network inet6 stream,
+  network netlink raw,
+  network packet dgram,
+  network packet raw,
+  network qipcrtr dgram,
+
+  mount -> @{run}/systemd/mount-rootfs/{,**},
+  mount -> @{run}/systemd/namespace-@{rand6}/{,**},
+  mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/,
+  mount options=(rw rshared) -> /,
+  mount options=(rw rslave) -> /,
+  mount options=(rw rslave) -> /dev/,
+  mount options=(rw slave) -> @{run}/systemd/incoming/,
+  mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/,
+  mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/,
+
+  remount /dev/shm/,
+  remount @{run}/systemd/mount-rootfs/{,**},
+
+  umount /,
+  umount /dev/shm/,
+  umount @{run}/systemd/mount-rootfs/{,**},
+  umount @{run}/systemd/namespace-@{rand6}/{,**},
+
+  pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
+
+  change_profile,
+
+  mqueue (read getattr) type=posix /,
+
+  signal peer=sd//&*,
+  signal receive peer=@{p_systemd},
+  signal send,
+
+  ptrace read,
+
+  unix type=dgram peer=(label=@{p_systemd}),
+  unix type=dgram peer=(label=systemd-timesyncd),
+  unix type=stream,
+
+  dbus bus=system,
+
+  @{exec_path} mr,
+
+  @{bin}/** mPx,
+  @{sbin}/** mPx,
+  @{lib}/** Px,
+  /etc/cron.*/* Px,
+  /etc/init.d/* Px,
+  /etc/update-motd.d/* Px,
+  /usr/share/*/** Px,
+
+  # Systemd user: systemd --user
+  @{lib}/systemd/systemd px -> systemd-user,
+
+  # Mount operations from services and systemd
+  @{bin}/mount Px -> sd-mount,
+  @{bin}/umount Px -> sd-umount,
+
+  # Unit services using systemctl
+  @{bin}/systemctl Cx -> systemctl,
+
+  # Unit services
+  @{bin}/kill Cx -> kill,
+
+  # Used by very basic services, ideally should be replaced by a unit profiles
+  @{sh_path} ix,
+  @{bin}/false ix,
+  @{bin}/true ix,
+
+  # Required due to stacked profiles
+  @{bin}/find ix,
+  @{bin}/gzip ix,
+  @{bin}/install ix,
+  @{bin}/readlink ix,
+  @{lib}/colord-sane ix,
+  @{lib}/systemd/systemd-nsresourcework ix,
+  @{lib}/systemd/systemd-userwork ix,
+  @{sbin}/grpck ix,
+  @{sbin}/pwck ix,
+
+  / r,
+  @{att}/ r,
+  @{bin}/{,**} r,
+  @{lib}/{,**} r,
+  @{sbin}/{,*} r,
+  /usr/local/{,**} r,
+  /usr/share/** r,
+  /etc/*/ w,
+  /etc/** rk,
+  /home/ r,
+
+  @{efi}/ r,
+  @{efi}/** rw,
+
+  @{att}/var/lib/systemd/*/ r,
+
+  /var/cache/*/ rw,
+  /var/cache/*/** rwk,
+  /var/lib/*/ rw,
+  /var/lib/*/** rwk,
+  /var/lib/systemd/*/ r,
+  /var/log/ r,
+  /var/log/** rw,
+  /var/log/journal/** rwl -> /var/log/journal/**,
+
+  @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
+  @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
+
+  @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
+  @{att}/@{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
+
+  @{run}/ rw,
+  @{run}/* rw,
+  @{run}/*/ rw,
+  @{run}/*/* rw,
+  @{run}/systemd/{,**} rw,
+  owner @{run}/*/** rw,
+
+  @{run}/udev/**/ r,
+  @{run}/udev/data/+*:* r, # Identifies all subsystems
+  @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
+
+  @{sys}/** r,
+  @{sys}/fs/bpf/systemd/{,**} w,
+  @{sys}/firmware/efi/efivars/** w,
+  @{sys}/fs/cgroup/{,**} w,
+
+  @{PROC}/@{pid}/attr/apparmor/exec w,
+  @{PROC}/@{pid}/attr/current r,
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/@{pid}/cmdline r,
+  @{PROC}/@{pid}/comm r,
+  @{PROC}/@{pid}/environ r,
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/fdinfo/@{int} r,
+  @{PROC}/@{pid}/gid_map w,
+  @{PROC}/@{pid}/limits r,
+  @{PROC}/@{pid}/loginuid rw,
+  @{PROC}/@{pid}/mountinfo r,
+  @{PROC}/@{pid}/oom_score_adj rw,
+  @{PROC}/@{pid}/sessionid r,
+  @{PROC}/@{pid}/setgroups r,
+  @{PROC}/@{pid}/setgroups w,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/@{pid}/uid_map r,
+  @{PROC}/@{pid}/uid_map w,
+  @{PROC}/cmdline r,
+  @{PROC}/interrupts r,
+  @{PROC}/irq/@{int}/node r,
+  @{PROC}/irq/@{int}/smp_affinity r,
+  @{PROC}/kmsg r,
+  @{PROC}/modules r,
+  @{PROC}/pressure/* r,
+  @{PROC}/swaps r,
+  @{PROC}/sys/** r,
+  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
+  @{PROC}/sys/net/ipv{4,6}/** rw,
+  @{PROC}/sysvipc/* r,
+  @{PROC}/version_signature r,
+
+  /dev/** rwk,
+
+  profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
+    include
+    include
+
+    include if exists
+    include if exists
+  }
+
+  profile kill flags=(attach_disconnected,mediate_deleted,complain) {
+    include
+
+    signal send,
+
+    @{bin}/kill mr,
+
+    include if exists
+  }
+
+  include if exists
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount
new file mode 100644
index 000000000..1572a8f6d
--- /dev/null
+++ b/apparmor.d/groups/_full/sd-mount
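Review bot: `pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,` spells the old root with a literal `/run` while the new root on the same line and every mount/umount rule above it use `@{run}`; if the tunable expands to more than `/run` the two halves of the rule refer to different trees, so it should read `pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,`. Separately, the profile line carries `complain` (as do the `systemctl` and `kill` subprofiles and the new sd-mount/sd-umount), yet the header warns only about misconfigured systems; since complain mode means none of the rules below are enforced, a one-line comment above `profile sd` such as `# complain: TODO remove once the executor profile is stable` would tell readers whether this is temporary. The header typo `SystemD-executor` could also be normalised to `systemd-executor` to match `@{exec_path}`.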
@@ -0,0 +1,71 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd (as PID 1) profile.
+
+# sd-mount is a subprofile of sd responsible to handle mounting operation.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sd-mount.d directory
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/mount
+profile sd-mount flags=(complain) {
+  include
+  include
+
+  capability dac_read_search,
+  capability sys_admin,
+
+  mount -> @{efi}/,
+  mount -> @{HOME}/{,**},
+  mount -> @{HOMEDIRS}/,
+  mount -> @{MOUNTDIRS}/,
+  mount -> @{MOUNTS}/{,**},
+  mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
+  mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/,
+  mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/,
+  mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/,
+  mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
+  mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/,
+  mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/,
+  mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/,
+  mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/,
+  mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/,
+
+  mount options=(rw move) -> @{efi},
+  mount options=(rw move) -> @{HOME}/{,**},
+  mount options=(rw move) -> @{HOMEDIRS}/,
+  mount options=(rw move) -> @{MOUNTDIRS}/,
+  mount options=(rw move) -> @{MOUNTS}/{,**},
+  mount options=(rw move) -> @{sys}/fs/fuse/connections/,
+  mount options=(rw move) -> @{sys}/kernel/config/,
+  mount options=(rw move) -> @{sys}/kernel/debug/,
+  mount options=(rw move) -> @{sys}/kernel/tracing/,
+  mount options=(rw move) -> /dev/hugepages/,
+  mount options=(rw move) -> /dev/mqueue/,
+  mount options=(rw move) -> /tmp/,
+
+  @{exec_path} mr,
+
+  /var/lib/snapd/snaps/*.snap r,
+
+  @{run}/ r,
+  owner @{run}/mount/ rw,
+  owner @{run}/mount/utab{,.*} rwk,
+
+  @{PROC}/@{pid}/mountinfo r,
+
+  /dev/loop-control rw,
+
+  include if exists
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount
new file mode 100644
index 000000000..e5d67f0a9
--- /dev/null
+++ b/apparmor.d/groups/_full/sd-umount
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd (as PID 1) profile.
+
+# sd-umount is a subprofile of sd responsible to handle unmounting operation.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sd-umount.d directory
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/umount
+profile sd-umount flags=(complain) {
+  include
+
+  capability sys_admin,
+
+  umount @{efi},
+
+  @{exec_path} mr,
+
+  @{PROC}/@{pid}/mountinfo r,
+
+  include if exists
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu
new file mode 100644
index 000000000..f9c50b65f
--- /dev/null
+++ b/apparmor.d/groups/_full/sdu
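Review bot: `mount options=(rw move) -> @{efi},` is the only move target in sd-mount written without a trailing `/`, while the matching `mount -> @{efi}/,` above it and all eleven other move rules end in `/`; sd-umount's `umount @{efi},` has the same shape. Unless `@{efi}` itself expands with a trailing slash, the move rule matches a different path than the initial mount rule and one of the two will be denied, so the line should become `mount options=(rw move) -> @{efi}/,` (and `umount @{efi}/,` in sd-umount). A second, documentation-only point: `mount -> @{HOME}/{,**},` and `mount -> @{MOUNTS}/{,**},` carry neither fstype nor source, which permits binding arbitrary sources anywhere under user homes; if that is for systemd `BindPaths=`-style units, a comment above the block saying so would make the breadth deliberate.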
@@ -0,0 +1,141 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd-user profile. + +# sdu is a profile for SystemD-executor run as User, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd-user profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sdu.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sdu flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + + network netlink raw, + + change_profile, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd_user}), + + dbus bus=session, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Shell based user unit services + @{sh_path} Cx -> shell, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + / r, + @{bin}/* r, + @{sbin}/* r, + /usr/share/** r, + + owner @{desktop_local_dirs}/ w, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + + owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, + owner @{run}/user/@{uid}/pulse/pid rw, + + owner @{user_state_dirs}/wireplumber/ rw, + owner 
@{user_state_dirs}/wireplumber/stream-properties rw, + owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, + + @{run}/systemd/users/@{uid} r, + @{run}/systemd/users/@{int} r, + + @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/bus/ r, + @{sys}/bus/media/devices/ r, + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, + @{sys}/devices/**/device:*/{,**/}path r, + @{sys}/devices/**/sound/**/pcm_class r, + @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/sound/seq/uevent r, + @{sys}/devices/virtual/sound/timer/uevent r, + + @{sys}/module/apparmor/parameters/enabled r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, + + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/attr/apparmor/exec w, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/kmsg w, + + deny capability net_admin, + + profile shell flags=(attach_disconnected,mediate_deleted,complain) { + include + + @{sh_path} mr, + @{bin}/systemctl Px -> sdu//systemctl, + + include if exists + } + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + owner @{run}/user/@{uid}/systemd/private rw, + + deny capability net_admin, + + include if exists + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 9f611cf3d..d1ee8fd1f 100644 --- a/apparmor.d/groups/_full/systemd 
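Review bot: `change_profile,` with no target lets anything running under `sdu` switch to any loaded profile, and `owner @{PROC}/@{pid}/attr/apparmor/exec w,` gives it the interface to do so; this is what `AppArmorProfile=` in user unit files needs, but it also means any user unit can name any profile, including ones written for system services. If only the stacked `sdu//&*` form and the `Px` transitions listed in the `systemd` header of this change are expected, consider narrowing the rule to those profile names; at minimum document it: `# AppArmorProfile= in user units: unrestricted, any user unit may select any loaded profile`. The same applies to `ptrace read,` without a peer, and `/dev/kmsg w,` in a profile that runs as the unprivileged user deserves a why-comment too. The exec rules `@{bin}/** mPx,`, `@{sbin}/** mPx,` and `@{lib}/** Px,` are the global allow that the TODO kept in the `systemd` profile of this same change says should disappear in high-security setups; a pointer to that TODO next to them would keep the two files in sync.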
+++ b/apparmor.d/groups/_full/systemd 
@@ -11,24 +11,47 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -# TODO: rework this to get a controlled environment: (cf security model) +# Overall architecture of the systemd profiles: +# systemd # PID 1, entrypoint, requires "Early policy" +# ├── systemd # To restart itself +# ├── systemd-generators-* # Systemd system and environment generators +# └── sd # Internal service starter and config handler, handles all services +# ├── Px or px, # Any service with profile +# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) +# ├── sd-mount # Handles all mounts from services +# ├── sd//systemctl # Internal system systemctl +# └── systemd-user # Profile for 'systemd --user' +# ├── systemd-user # To restart itself +# ├── systemd-user-generators-* # Systemd user and environment generators +# └── sdu # Handles all user services +# ├── Px or px, # Any user service with profile +# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) +# └── sdu//systemctl # Internal user systemctl + +# Advantages: +# - Differentiate systemd (PID 1) and `system --user` +# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. +# - Allow the executor profiles to handled stacked profiles. +# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. +# - Dedicated `sd-mount` profile for most mount from the unit services. + + +# TODO: rework this to get a controlled environment: # - No global allow anymore: in high security environments, we must manage the list # of program/service that can be started by systemd and ensure that they are all # listed and confined. Programs not listed will not be able to start. 
# - Outside common systemd service, the list may have to be automatically # generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` -# - Stop disabling nnp flags in systemd dropin files. -# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo) -# need they own profile, profile name configured as a dropin unit file. -# - When this is done: the fallback profile as root will not be needed. abi , include -profile systemd flags=(attach_disconnected,mediate_deleted) { +@{exec_path} = @{lib}/systemd/systemd +profile systemd flags=(attach_disconnected,mediate_deleted,complain) { include - include include include include @@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { capability dac_read_search, capability fowner, capability fsetid, - capability mknod, + capability kill, capability net_admin, + capability net_bind_service, capability perfmon, - capability setfcap, - capability setgid, capability setpcap, - capability setuid, capability sys_admin, - capability sys_chroot, - capability sys_nice, + capability sys_boot, capability sys_ptrace, capability sys_resource, capability sys_tty_config, 
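Review bot: `flags=(attach_disconnected,mediate_deleted,complain)` puts the PID 1 profile into complain mode, so from this commit on every allow rule dropped from this file (see the capability list in the next hunk) only changes what is logged, not what is permitted, and the header warning that the profile "WILL break your computer" no longer describes enforce-mode behaviour. If this is a transitional step while the `sd`/`sdu` split is validated, say so next to the flag, e.g. `# TODO: drop complain once the sd/sd-mount/sdu split has been validated in enforce mode`. The new architecture comment is useful; a few typos while it is being touched: "mininal" → "minimal", "to handled stacked" → "to handle stacked", "`system --user`" → "`systemd --user`", "most mount from" → "most mounts from". The block also still opens with "TODO: rework this to get a controlled environment", so a reader cannot tell which of the listed items this commit resolved.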
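Review bot: Removing `capability setuid,`, `capability setgid,`, `capability sys_chroot,`, `capability mknod,`, `capability setfcap,` and `capability sys_nice,` from PID 1 is presumably right now that service setup moves to the executor profile `sd`, but the profile is switched to complain mode in the hunk above, so these deletions are not enforced and a manager code path that still needs one of them would only show up in the audit log. The `systemd-user` profile in this same commit uses explicit `deny capability ...` rules, which AppArmor enforces even in complain mode; if these capabilities are really no longer needed by the manager itself, the same form here (`deny capability setuid,`, `deny capability setgid,`, ...) would make the reduction real. The three additions deserve why-comments as well, e.g. `capability sys_boot, # reboot(2) by PID 1` and `capability kill, # signal services running under other uids`; `capability net_bind_service,` is presumably for socket units on privileged ports — confirm.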
@@ -62,194 +82,124 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { network inet6 dgram, network inet6 stream, network netlink raw, + network vsock stream, mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=autofs systemd-1 -> /efi/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=tmpfs tmpfs -> /dev/shm/, + mount fstype=autofs systemd-1 -> @{efi}/, mount fstype=tmpfs tmpfs -> /tmp/, - mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, - mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, - mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, - mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, - mount options=(rw move) -> @{sys}/fs/fuse/connections/, - mount options=(rw move) -> @{sys}/kernel/config/, - mount options=(rw move) -> @{sys}/kernel/debug/, - mount options=(rw move) -> @{sys}/kernel/tracing/, - mount options=(rw move) -> /dev/hugepages/, - mount options=(rw move) -> /dev/mqueue/, - mount options=(rw move) -> /efi/, - mount options=(rw move) -> /tmp/, - mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, - mount options=(rw rslave) -> /dev/, - mount options=(rw slave) -> 
@{run}/systemd/incoming/, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, remount @{MOUNTDIRS}/, remount @{MOUNTS}/{,**}, - remount @{run}/systemd/mount-rootfs/{,**}, - remount @{run}/systemd/unit-root/{,**}, - remount /, remount /snap/{,**}, - remount options=(ro noexec noatime bind) /var/snap/{,**}, - remount options=(ro nosuid bind) /dev/, - remount options=(ro nosuid nodev bind) /dev/hugepages/, - remount options=(ro nosuid nodev bind) /var/, - remount options=(ro nosuid nodev noexec bind) /boot/, - remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, - remount options=(ro nosuid nodev noexec bind) /efi/, - remount options=(ro nosuid noexec bind) /dev/pts/, + remount options=(ro bind nodev noexec nosuid) /dev/mqueue/, + remount options=(ro bind nodev nosuid) /dev/hugepages/, + remount options=(ro bind noexec nosuid) /dev/pts/, + remount options=(ro bind nosuid) /dev/, + remount options=(ro bind) @{efi}/, + remount options=(ro bind) /, - umount /, - umount /dev/shm/, umount @{PROC}/sys/fs/binfmt_misc/, - umount @{run}/systemd/mount-rootfs/{,**}, - umount @{run}/systemd/namespace-@{rand6}/{,**}, - umount @{run}/systemd/unit-root/{,**}, + umount @{run}/credentials/*/, - pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + mqueue (read getattr) type=posix /, - change_profile, - - signal (receive) set=(rtmin+23) peer=plymouthd, - signal (receive) set=(term, hup, cont), - signal (send), + signal send, ptrace (read, readby), - unix (send) type=dgram, - - unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none), - unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), + unix type=dgram, + unix type=stream, #aa:dbus own bus=system name=org.freedesktop.systemd1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetConnectionUnixUser - 
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mrix, + @{sh_path} mr, - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /usr/share/*/** Px, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sd, - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Systemd user: systemd --user - @{lib}/systemd/systemd px -> systemd-user, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Unit services - @{bin}/mount ix, - - # Shell based systemd unit services - @{bin}/ldconfig Px -> systemd-service, - @{bin}/mandb Px -> systemd-service, - @{bin}/savelog Px -> systemd-service, - @{coreutils_path} Px -> systemd-service, - @{sh_path} Px -> systemd-service, - - # Systemd profiles that need be stacked - #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd - @{lib}/systemd/systemd-networkd Px -> systemd//&systemd-networkd, - @{lib}/systemd/systemd-oomd Px -> systemd//&systemd-oomd, - @{lib}/systemd/systemd-resolved Px -> systemd//&systemd-resolved, - @{lib}/systemd/systemd-timesyncd Px -> systemd//&systemd-timesyncd, - - @{lib}/ r, - / r, - /*/ r, - /boot/efi/ r, - /snap/*/@{int}/ r, - /var/cache/*/ r, - /var/lib/*/ r, - /var/tmp/ r, + # Systemd system generators. 
Profiles must exist + @{lib}/netplan/generate mPx, + @{lib}/systemd/system-environment-generators/* mPx, + @{lib}/systemd/system-generators/* mPx, + @{etc_ro}/environment r, + @{etc_ro}/environment.d/{,**} r, + /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, - /etc/credstore.encrypted/{,**} r, - /etc/credstore/{,**} r, - /etc/environment r, - /etc/environment.d/{,**} r, + /etc/default/{,**} r, /etc/machine-id r, /etc/modules-load.d/{,**} r, + /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, + /etc/systemd/system/** w, /etc/udev/hwdb.d/{,**} r, - /var/lib/systemd/{,**} rw, + #aa:only pacman + # It is unclear why this is needed here and not in sd + /etc/pacman.d/gnupg/S.dirmngr w, + /etc/pacman.d/gnupg/S.gpg-agent w, + /etc/pacman.d/gnupg/S.gpg-agent.browser w, + /etc/pacman.d/gnupg/S.gpg-agent.extra w, + /etc/pacman.d/gnupg/S.gpg-agent.ssh w, + /etc/pacman.d/gnupg/S.keyboxd w, + + @{efi}/ r, + /snap/*/@{int}/ r, + + /tmp/ r, + /var/tmp/ r, + owner /tmp/systemd-private-*/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, - /tmp/namespace-dev-@{rand6}/{,**} rw, - /tmp/systemd-private-*/{,**} rw, + @{att}/@{run}/systemd/journal/dev-log r, + @{att}/@{run}/systemd/journal/socket r, + @{att}/@{run}/systemd/notify r, @{run}/ rw, + @{run}/* rw, @{run}/*/ rw, @{run}/*/* rw, - @{run}/auditd.pid r, @{run}/credentials/{,**} rw, - @{run}/initctl rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, - - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 
- @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, + @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/class/sound/ r, - @{sys}/devices/@{pci}/** r, - @{sys}/devices/**/net/** r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, @{sys}/kernel/**/ r, - @{sys}/module/**/uevent r, @{sys}/module/apparmor/parameters/enabled r, + @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/coredump_filter r, - @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map rw, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/setgroups rw, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map rw, @{PROC}/cmdline r, @{PROC}/devices r, @{PROC}/pressure/* r, 
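Review bot: `unix type=dgram,` and `unix type=stream,` replace rules that were scoped by peer label (`peer=(label=systemd-timesyncd, addr=none)`, `peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd)`), so PID 1 may now talk over any unix socket with any peer; if the widening is meant to cover the sockets the manager creates for socket units, keeping the `peer=(label=...)` form for the known peers and a comment for the generic case would preserve what the old rules documented. In the same spirit `@{run}/* rw,` on top of the existing `@{run}/*/ rw,` and `@{run}/*/* rw,` covers most of /run. The `#aa:only pacman` block says "It is unclear why this is needed here and not in sd": those paths are listening sockets, and listening sockets for socket units are created by the manager itself rather than by the executor, which is most likely the reason — worth replacing the comment with `# Socket units: the listening socket is created by PID 1, not by sd` once confirmed. `/etc/systemd/system/** w,` also deserves a why-comment (unit enabling via the manager's D-Bus API, presumably).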
@@ -257,30 +207,33 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/fs/binfmt_misc/ r, @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/* r, - @{PROC}/sysvipc/{shm,sem,msg} r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/1/coredump_filter r, + owner @{PROC}/1/fdinfo/@{int} r, + owner @{PROC}/1/gid_map r, + owner @{PROC}/1/oom_score_adj rw, + owner @{PROC}/1/setgroups r, + owner @{PROC}/1/uid_map r, /dev/autofs r, + /dev/dri/card@{int} rw, + /dev/initctl w, + /dev/input/ r, /dev/kmsg w, + /dev/tty rw, + /dev/tty@{int} rw, owner /dev/console rwk, - owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, - owner /dev/initctl rw, owner /dev/input/event@{int} rw, owner /dev/mqueue/ rw, owner /dev/rfkill rw, - owner /dev/shm/ rw, + owner /dev/shm/ r, owner /dev/ttyS@{int} rwk, - profile systemctl { - include - include - - include if exists - include if exists - } - include if exists include if exists } diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service deleted file mode 100644 index e6c4a4b7b..000000000 --- a/apparmor.d/groups/_full/systemd-service +++ /dev/null 
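Review bot: `/dev/dri/card@{int} rw,` drops the `owner` qualifier the previous rule had, and the hunk gives no reason why PID 1 needs read/write access to DRM devices at all; a why-comment is needed, and if the access is only a probe, `r` may be enough — TODO confirm against the audit log. The `owner @{PROC}/1/...` rules hard-code the pid while `owner @{PROC}/@{pid}/mountinfo r,` right above uses the variable; both forms work for PID 1, but a short comment (`# PID 1 only ever inspects itself here`) would explain why the two styles coexist.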
@@ -1,72 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-service" exec transitions from the systemd profile. - -abi , - -include - -profile systemd-service flags=(attach_disconnected) { - include - include - include - - capability chown, - capability fsetid, - - @{bin}/ldconfig rix, - @{bin}/savelog rix, - @{bin}/systemctl rix, - @{bin}/gzip rix, - @{coreutils_path} rix, - @{sh_path} rmix, - - # ifup@.service - @{bin}/ifup rPx, - - # shadow.service - @{bin}/pwck rPx, - @{bin}/grpck rPx, - - @{bin}/grub-editenv rPx, - @{bin}/ibus-daemon rPx, - - @{bin}/* r, - @{lib}/ r, - - /var/cache/ldconfig/{,**} rw, - - /boot/grub/grubenv rw, - /boot/grub/ w, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - # man-db.service - /usr/{,local/}share/man/{,**} r, - /etc/manpath.config r, - /var/cache/man/{,**} rwk, - - # snapd.system-shutdown.service - @{run}/initramfs/shutdown rw, - @{run}/initramfs/ rw, - - # cockpit.socket - @{run}/cockpit/@{rand8} rw, - @{run}/cockpit/motd w, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 919c53457..b3d751be1 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user 
@@ -11,14 +11,12 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory -# TODO: rework this to get a controlled environment. cf comments in systemd profile. - abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd-user flags=(attach_disconnected,mediate_deleted) { +profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { include include include 
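Review bot: Adding `complain` to `systemd-user` while deleting the TODO that pointed at the controlled-environment plan leaves no trace in the file of why the profile is in learning mode or what must happen before it is enforced; add something like `# TODO: remove complain once the sdu split has been validated` next to the flag. The `deny capability` rules added further down in this file remain enforced in complain mode, so the profile is not entirely permissive — worth stating in the same comment.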
@@ -27,91 +25,61 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { network netlink raw, - signal send set=(term, cont, kill), - signal receive set=hup peer=@{p_systemd}, + signal send, - ptrace read peer=@{p_systemd}, + ptrace read, + + unix type=dgram peer=(label=@{p_sdu}), unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 - @{exec_path} mr, + @{exec_path} mrix, - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /opt/*/** Px, - /usr/share/*/** Px, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sdu, - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Shell based ystemd unit services - @{coreutils_path} Px -> systemd-user-service, - @{sh_path} Px -> systemd-user-service, - - # Dbus needs to be started without environment scrubbing - @{bin}/dbus-broker px -> dbus-session, - @{bin}/dbus-broker-launch px -> dbus-session, - @{bin}/dbus-daemon px -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, - - # Audio profiles need to be stacked - #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber - @{bin}/pipewire Px -> systemd-user//&pipewire, - @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session, - @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse, - @{bin}/pulseaudio Px -> systemd-user//&pulseaudio, - @{bin}/wireplumber Px -> systemd-user//&wireplumber, - - /usr/ r, - /usr/share/defaults/**.conf r, + # Systemd user generators. 
Profiles must exist + @{lib}/systemd/user-environment-generators/* Px, + @{lib}/systemd/user-generators/* Px, + @{etc_ro}/environment r, /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, - / r, - - owner @{HOME}/.local/ w, - owner @{user_config_dirs}/systemd/user/{,**} rw, - @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, @{run}/systemd/notify w, + @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, - @{run}/udev/data/b254:@{int} r, # for /dev/zram* + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, - @{sys}/module/apparmor/parameters/enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, 
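Review bot: `signal send,` and `ptrace read,` replace rules that were scoped (`signal send set=(term, cont, kill),`, `ptrace read peer=@{p_systemd},`) and neither carries a peer now; the user manager only needs to signal and inspect the services it runs, which live under `sdu` per the new `unix type=dgram peer=(label=@{p_sdu}),` rule, so `signal send peer=@{p_sdu},` and `ptrace read peer=@{p_sdu},` look achievable — confirm against the stacked `&*` services, which may carry a different label. `@{lib}/systemd/user-environment-generators/* Px,` and `@{lib}/systemd/user-generators/* Px,` are written without the `m` the system counterpart uses (`@{lib}/systemd/system-generators/* mPx,`); harmless for a `Px` transition, but the two files should agree.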
@@ -120,27 +88,25 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pid}/coredump_filter r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/oom_score_adj rw, - /dev/tty rw, - - profile systemctl { - include - include - - include if exists - include if exists - } + deny capability bpf, + deny capability dac_override, + deny capability dac_read_search, + deny capability mknod, + deny capability net_admin, + deny capability perfmon, + deny capability sys_admin, + deny capability sys_boot, + deny capability sys_resource, include if exists include if exists diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service deleted file mode 100644 index d65846f82..000000000 --- a/apparmor.d/groups/_full/systemd-user-service +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-user-service" exec transitions from the systemd-user profile. - -abi , - -include - -profile systemd-user-service flags=(complain) { - include - include - - include if exists - include if exists -} - -# vim:syntax=apparmor 
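Review bot: The `deny capability` list is the part of this profile that stays effective while `complain` is set (explicit deny rules are enforced in complain mode), yet it carries no comment saying so or why these nine were chosen — several of them are capabilities the PID 1 profile in this change grants. A one-line header such as `# Hard denies: enforced even in complain mode; a user manager must never get PID 1 capabilities` would keep the intent through the next edit. Because deny wins over allow, `deny capability dac_override,` and `deny capability dac_read_search,` also override any include that grants them; worth checking that none of the abstractions pulled in at the top of the profile do.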
diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource
index f0145d670..0471cd8f4 100644
--- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource
+++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource
@@ -15,7 +15,7 @@ profile akonadi_akonotes_resource @{exec_path} {
   @{exec_path} mr,
-  owner @{user_config_dirs}/akonadi_akonotes_resource_[0-9]rc r,
+  owner @{user_config_dirs}/akonadi_akonotes_resource_@{int}rc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource
index c3e5dc716..58c7443fc 100644
--- a/apparmor.d/groups/akonadi/akonadi_contacts_resource
+++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource
@@ -17,7 +17,7 @@ profile akonadi_contacts_resource @{exec_path} {
   /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
-  owner @{user_config_dirs}/akonadi_contacts_resource_[0-9]rc r,
+  owner @{user_config_dirs}/akonadi_contacts_resource_@{int}rc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource
index 5f37f797c..2a5c95729 100644
--- a/apparmor.d/groups/akonadi/akonadi_ical_resource
+++ b/apparmor.d/groups/akonadi/akonadi_ical_resource
@@ -15,9 +15,9 @@ profile akonadi_ical_resource @{exec_path} {
   @{exec_path} mr,
-  owner @{user_cache_dirs}/akonadi_ical_resource_[0-9]/{,*} rwl,
+  owner @{user_cache_dirs}/akonadi_ical_resource_@{int}/{,*} rwl,
-  owner @{user_config_dirs}/akonadi_ical_resource_[0-9]rc rwl,
+  owner @{user_config_dirs}/akonadi_ical_resource_@{int}rc rwl,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource
index fc518e4f7..be9621437 100644
--- a/apparmor.d/groups/akonadi/akonadi_maildir_resource
+++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource
@@ -19,11 +19,11 @@ profile akonadi_maildir_resource @{exec_path} {
   owner @{user_mail_dirs}/{,**} rw,
-  owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r,
+  owner @{user_config_dirs}/akonadi_maildir_resource_@{int}rc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
-  owner @{user_share_dirs}/akonadi_maildir_resource_[0-9]/{,**} rw,
+  owner @{user_share_dirs}/akonadi_maildir_resource_@{int}/{,**} rw,
   owner @{user_share_dirs}/akonadi/{,**} rwk,
   owner @{user_share_dirs}/local-mail*/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/groups/apparmor/aa-enabled
similarity index 100%
rename from apparmor.d/profiles-a-f/aa-enabled
rename to apparmor.d/groups/apparmor/aa-enabled
diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce
similarity index 85%
rename from apparmor.d/profiles-a-f/aa-enforce
rename to apparmor.d/groups/apparmor/aa-enforce
index da4d63460..1743fd9d0 100644
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/groups/apparmor/aa-enforce
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable
+@{exec_path} = @{sbin}/aa-enforce @{sbin}/aa-complain @{sbin}/aa-audit @{sbin}/aa-disable
 profile aa-enforce @{exec_path} {
   include
   include
@@ -16,8 +16,8 @@ profile aa-enforce @{exec_path} {
   @{exec_path} mr,
-  @{bin}/ r,
-  @{bin}/apparmor_parser rPx,
+  @{sbin}/ r,
+  @{sbin}/apparmor_parser rPx,
   /usr/share/terminfo/** r,
diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/groups/apparmor/aa-log
similarity index 56%
rename from apparmor.d/profiles-a-f/aa-log
rename to apparmor.d/groups/apparmor/aa-log
index 39c42d435..1a3e0aeff 100644
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/groups/apparmor/aa-log
@@ -16,21 +16,32 @@ profile aa-log @{exec_path} {
   @{exec_path} mr,
-  @{bin}/journalctl rix,
-
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
+  @{bin}/journalctl rCx -> journalctl,
   /var/log/audit/* r,
   /var/log/syslog* r,
-  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/@{hex32}/{,*} r,
-
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  /dev/tty@{int} rw,
+  profile journalctl {
+    include
+    include
+
+    capability sys_resource,
+
+    @{bin}/journalctl mr,
+
+    /etc/machine-id r,
+    /var/lib/dbus/machine-id r,
+
+    /{run,var}/log/journal/ r,
+    /{run,var}/log/journal/@{hex32}/{,*} r,
+
+    @{PROC}/sys/kernel/random/boot_id r,
+
+    include if exists
+  }
+
   include if exists
 }
diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify
new file mode 100644
index 000000000..7cb64af80
--- /dev/null
+++ b/apparmor.d/groups/apparmor/aa-notify
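Review bot: `@{bin}/journalctl rCx -> journalctl,` creates a private `aa-log//journalctl` child instead of transitioning with `Px` to a standalone journalctl profile, and the child re-lists the journal and machine-id rules that used to sit in `aa-log` itself; nothing in the hunk says why a child is preferred (keeping journalctl's output on aa-log's pipe? avoiding the standalone profile's pager and tty rules?), so a comment on the exec rule would help the next maintainer. `capability sys_resource,` in the child also deserves a why-comment (`# journalctl bumps RLIMIT_NOFILE`, if that is the reason — confirm from the audit log). The main profile loses `/dev/tty@{int} rw,` and the child does not carry it; if `aa-log` is still run interactively, check that one of the includes provides it.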
@@ -0,0 +1,112 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{sbin}/aa-notify
+profile aa-notify @{exec_path} {
+  include
+  include
+  include
+  include
+  include
+  include
+  include
+
+  capability setgid,
+  capability setuid,
+  capability sys_ptrace,
+
+  ptrace read,
+
+  @{exec_path} mr,
+
+  @{bin}/gtk-launch ix,
+  @{bin}/pkexec Cx -> pkexec,
+  @{bin}/xdg-mime Px,
+  @{open_path} Cx -> open,
+
+  @{bin}/ r,
+
+  /usr/share/apparmor/** r,
+  /usr/share/terminfo/** r,
+
+  @{etc_ro}/inputrc r,
+  @{etc_ro}/inputrc.keys r,
+  /etc/apparmor.d/{,**} r,
+  /etc/apparmor/*.conf r,
+
+  /var/log/audit/audit.log r,
+
+  owner @{HOME}/.inputrc r,
+  owner @{HOME}/.terminfo/@{int}/dumb r,
+
+  owner @{tmp}/@{word8} rw,
+  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
+
+  @{PROC}/ r,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/@{pid}/cmdline r,
+
+  profile open {
+    include
+    include
+
+    @{editor_ui_path} rPx -> aa-notify//editor,
+
+    include if exists
+  }
+
+  profile editor {
+    include
+    include
+    include
+    include
+    include
+
+    @{editor_ui_path} rix,
+    @{open_path} rPx -> child-open-help,
+
+    /etc/apparmor.d/{,**} r,
+
+    owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
+
+    owner @{PROC}/@{pid}/mountinfo r,
+
+    deny @{user_share_dirs}/gvfs-metadata/* r,
+
+    include if exists
+  }
+
+  profile pkexec {
+    include
+    include
+    include
+
+    ptrace read peer=aa-notify,
+
+    @{sbin}/apparmor_parser Px,
+    @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix,
+
+    /usr/share/apparmor/** r,
+    /usr/share/terminfo/** r,
+
+    @{etc_ro}/inputrc r,
+    @{etc_ro}/inputrc.keys r,
+
+    /etc/apparmor.d/ r,
+    /etc/apparmor.d/** rw,
+    /etc/apparmor/* r,
+
+    @{PROC}/@{pid}/mounts r,
+
+    include if exists
+  }
+
+  include if exists
+}
+
+# vim:syntax=apparmor
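Review bot: The `pkexec` child is the privileged path of this profile — it writes the whole policy tree (`/etc/apparmor.d/** rw,`), execs `@{sbin}/apparmor_parser Px,` and runs `update_profile.py` with `ix`, so the helper inherits the same write access — yet neither it nor the main profile's `capability setgid,`, `capability setuid,` and `capability sys_ptrace,` carries a comment on why the privilege is needed; write it down, e.g. `# pkexec runs the profile updater as root: it rewrites policy files and reloads them`. `owner @{tmp}/@{word8} rw,` is an anonymous eight-character temp name that will match many unrelated files; if it exists for one specific producer (a `tempfile` from the Python code, the editor's swap file), name it in a comment or narrow the pattern. `ptrace read,` without a peer is consistent with reading `@{PROC}/@{pid}/cmdline` and `@{PROC}/@{pid}/stat` of arbitrary processes for the notifications, which is worth one line saying so, since the child restricts the same rule to `peer=aa-notify`.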
diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/groups/apparmor/aa-status
similarity index 81%
rename from apparmor.d/profiles-a-f/aa-status
rename to apparmor.d/groups/apparmor/aa-status
index a48dc693c..9badb78c1 100644
--- a/apparmor.d/profiles-a-f/aa-status
+++ b/apparmor.d/groups/apparmor/aa-status
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status
+@{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status
 profile aa-status @{exec_path} {
   include
   include
@@ -22,8 +22,8 @@ profile aa-status @{exec_path} {
   @{sys}/module/apparmor/parameters/enabled r,
   @{PROC}/ r,
-  @{PROC}/@{pids}/attr/apparmor/current r,
-  @{PROC}/@{pids}/attr/current r,
+  @{PROC}/@{pid}/attr/apparmor/current r,
+  @{PROC}/@{pid}/attr/current r,
   owner @{PROC}/@{pid}/mounts r,
   /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/groups/apparmor/aa-teardown
similarity index 93%
rename from apparmor.d/profiles-a-f/aa-teardown
rename to apparmor.d/groups/apparmor/aa-teardown
index b625ad8c6..059766181 100644
--- a/apparmor.d/profiles-a-f/aa-teardown
+++ b/apparmor.d/groups/apparmor/aa-teardown
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/aa-teardown
+@{exec_path} = @{sbin}/aa-teardown
 profile aa-teardown @{exec_path} {
   include
   include
diff --git a/apparmor.d/profiles-a-f/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined
similarity index 94%
rename from apparmor.d/profiles-a-f/aa-unconfined
rename to apparmor.d/groups/apparmor/aa-unconfined
index 08c401270..68729b7fe 100644
--- a/apparmor.d/profiles-a-f/aa-unconfined
+++ b/apparmor.d/groups/apparmor/aa-unconfined
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/aa-unconfined
+@{exec_path} = @{sbin}/aa-unconfined
 profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
   include
   include
@@ -21,7 +21,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
   @{bin}/ r,
   @{bin}/netstat Px,
-  @{bin}/ss Px,
+  @{sbin}/ss Px,
   /usr/share/terminfo/** r,
diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd
similarity index 88%
rename from apparmor.d/profiles-a-f/apparmor.systemd
rename to apparmor.d/groups/apparmor/apparmor.systemd
index 75394f5de..cb862ff48 100644
--- a/apparmor.d/profiles-a-f/apparmor.systemd
+++ b/apparmor.d/groups/apparmor/apparmor.systemd
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/apparmor/apparmor.systemd
-profile apparmor.systemd @{exec_path} flags=(complain) {
+profile apparmor.systemd @{exec_path} {
   include
   include
   include
@@ -19,14 +19,14 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
   @{sh_path} rix,
   @{bin}/{,e}grep rix,
-  @{bin}/aa-status rPx,
-  @{bin}/apparmor_parser rPx,
+  @{sbin}/aa-status rPx,
+  @{sbin}/apparmor_parser rPx,
   @{bin}/getconf rix,
   @{bin}/ls rix,
   @{bin}/sed rix,
   @{bin}/cat rix,
   @{bin}/sort rix,
-  @{bin}/sysctl rix,
+  @{sbin}/sysctl rix,
   @{bin}/systemd-detect-virt rPx,
   @{bin}/xargs rix,
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser
similarity index 95%
rename from apparmor.d/profiles-a-f/apparmor_parser
rename to apparmor.d/groups/apparmor/apparmor_parser
index dc15d48b9..0a9f9fcaf 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/groups/apparmor/apparmor_parser
@@ -8,7 +8,7 @@ include
 @{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
-@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
+@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
 profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
   include
   include
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 369dd3bbd..9bdabb1c2 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -7,13 +7,12 @@ abi , include -@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd +@{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include include include include - include include include include @@ -37,15 +36,21 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/apt-get/system, unix bind type=stream addr=@@{udbus}/bus/apt/system, + unix type=stream peer=(label=@{p_snap}), unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), #aa:dbus own bus=system name=org.debian.apt - dbus send bus=system path=/org/freedesktop/DBus/Bus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.PackageKit + member=StateHasChanged + peer=(name=org.freedesktop.PackageKit), dbus send bus=system interface=org.freedesktop.DBus.Introspectable @@ -53,15 +58,16 @@ profile apt @{exec_path} flags=(attach_disconnected) { peer=(name="{:*,org.freedesktop.DBus}"), @{exec_path} mr, + @{python_path} mr, @{bin}/ r, @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/cat rix, @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, - @{bin}/ischroot rix, @{bin}/test rix, @{bin}/touch rix, 
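Review bot: `unix type=stream peer=(label=@{p_snap}),` carries no access list, so it grants every unix-socket access (create, bind, listen, connect, send, receive, …) toward the snap label, while the two adjacent rules for apt-esm-json-hook and snapd are limited to `(send, receive)`. Unless a wider set is actually needed, `unix (send, receive) type=stream peer=(label=@{p_snap}),` keeps it in line with its neighbours. The deleted `GetConnectionUnixProcessID`/`GetConnectionUnixUser` rule presumably comes back through the `#aa:dbus own` directive kept above it; if it does not, the credential lookups apt performs on the system bus would now be denied.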
@@ -74,14 +80,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, + @{bin}/ischroot rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, + @{sbin}/dpkg-preconfigure rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/zsys-system-autosnapshot rPx, @@ -130,6 +137,9 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/update-notifier/dpkg-run-stamp rw, /var/log/apt/{,**} rw, + /var/log/ubuntu-advantage-apt-hook.log w, + + @{efi}/ r, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, @@ -163,18 +173,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile pager { include - include - - capability dac_read_search, - - @{bin}/ r, - @{sh_path} rix, - @{pager_path} rmix, - @{bin}/which{,.debianutils} rix, - - /root/ r, # For shell pwd - - owner @{HOME}/.less* rw, + include owner @{tmp}/apt-changelog-*/ r, owner @{tmp}/apt-changelog-*/*.changelog r, @@ -188,7 +187,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { include @{bin}/dpkg-source mr, - @{bin}/perl r, @{bin}/bunzip2 rix, @{bin}/chmod rix, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 2e41b10bf..beb563f31 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/apt-extracttemplates +@{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include include diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index 7ee51cfed..bc140acd1 100644 --- a/apparmor.d/groups/apt/apt-file 
+++ b/apparmor.d/groups/apt/apt-file @@ -14,7 +14,6 @@ profile apt-file @{exec_path} { include @{exec_path} r, - @{bin}/perl r, @{bin}/fgrep rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index 403573a9d..a60457ec8 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -23,7 +23,7 @@ profile apt-listbugs @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/ruby[0-9].@{int} rix, + @{bin}/ruby@{int}.@{int} rix, @{sh_path} rix, @{bin}/logname rix, @@ -34,7 +34,7 @@ profile apt-listbugs @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, + /usr/local/lib/site_ruby/@{d}.@{d}.@{d}/**.rb r, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, @@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index 6a261aab9..d7089b76a 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -14,7 +14,7 @@ profile apt-listbugs-migratepins @{exec_path} { include @{exec_path} r, - @{bin}/ruby[0-9].@{int} rix, + @{bin}/ruby@{int}.@{int} rix, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, diff --git a/apparmor.d/groups/apt/apt-listbugs-prefclean b/apparmor.d/groups/apt/apt-listbugs-prefclean index 4e0fea86f..7dc4ea09e 100644 --- a/apparmor.d/groups/apt/apt-listbugs-prefclean +++ b/apparmor.d/groups/apt/apt-listbugs-prefclean 
@@ -14,7 +14,7 @@ profile apt-listbugs-prefclean @{exec_path} { include @{exec_path} r, - @{bin}/ruby[0-9].@{int} rix, + @{bin}/ruby@{int}.@{int} rix, @{bin}/date rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 89cf63067..0ee42f5a4 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -14,10 +14,10 @@ profile apt-listchanges @{exec_path} { include include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @@ -26,11 +26,11 @@ profile apt-listchanges @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-deb rpx, - # - @{pager_path} rCx -> pager, - # Send results using email - @{bin}/exim4 rPx, + @{bin}/dpkg-deb px, + + @{pager_path} Cx -> pager, + @{bin}/dpkg Px -> child-dpkg, + @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, 
@@ -50,51 +50,17 @@ profile apt-listchanges @{exec_path} { /var/cache/apt/archives/ r, - owner @{PROC}/@{pid}/fd/ r, - /tmp/ r, - owner @{tmp}/* rw, - owner @{tmp}/apt-listchanges*/ rw, - owner @{tmp}/apt-listchanges*/**/ rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, - - # The following is needed when apt-listchanges uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, + owner @{tmp}/@{word8} rw, + owner @{tmp}/apt-listchanges@{word8}/ rw, + owner @{tmp}/apt-listchanges@{word8}/** rw, + owner @{PROC}/@{pid}/fd/ r, profile pager { include - include + include - capability dac_read_search, - #capability sys_tty_config, - - @{pager_path} mrix, - - @{bin}/ r, - @{sh_path} rix, - @{bin}/which{,.debianutils} rix, - - owner @{HOME}/.less* rw, - - # For shell pwd - /root/ r, - - /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, include if exists diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 9cf47e758..96ce36a72 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom 
@@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 6d906bf80..e2878e108 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 3c2489a32..781f9714e 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -20,11 +20,11 @@ profile apt-methods-file @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index 47c679ea1..e753b4cf8 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp 
@@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index 4b2a15773..5f3654f6e 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -20,11 +20,12 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, @@ -84,6 +85,7 @@ profile apt-methods-gpgv @{exec_path} { owner @{tmp}/apt-key-gpghome.*/ rw, owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner @{tmp}/apt.{conf,sig,data}.* rw, + owner @{tmp}/apt.@{rand6}.gpg rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0638120ba..61be160dc 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} { +profile apt-methods-http @{exec_path} flags=(attach_disconnected) { include include include 
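Review bot: `flags=(attach_disconnected)` is added to apt-methods-http with nothing in the hunk saying which disconnected path triggered it. Under that flag a file whose path is not reachable from the namespace root is matched as if it were rooted at `/`, so every rule of this profile, which handles remote data, also applies to such paths. A comment naming the access it fixes, e.g. `# attach_disconnected: needed for <observed denial — TODO confirm>`, would let the flag be dropped again if the cause goes away. The profile body continues outside the hunk.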
@@ -23,14 +23,16 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, - signal (receive) peer=ubuntu-advantage, - signal (receive) peer=unattended-upgrade, - signal (receive) peer=update-manager, + signal receive peer=@{p_apt_news}, + signal receive peer=@{p_packagekitd}, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=role_*, + signal receive peer=synaptic, + signal receive peer=ubuntu-advantage, + signal receive peer=unattended-upgrade, + signal receive peer=update-manager, ptrace (read), @@ -69,7 +71,8 @@ profile apt-methods-http @{exec_path} { owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, - @{run}/ubuntu-advantage/aptnews.json rw, + @{run}/ubuntu-advantage/aptnews.json rw, + owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index d8e3adce3..025a1c01b 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -20,11 +20,11 @@ profile apt-methods-mirror @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index 85da35efc..1aadac2ec 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred 
@@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, - signal (receive) set=(int) peer=packagekitd, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, + signal receive set=(int) peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 95d70b31f..1b76551b9 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv new file mode 100644 index 000000000..0dcd7da0d --- /dev/null +++ b/apparmor.d/groups/apt/apt-methods-sqv 
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/apt/methods/sqv +profile apt-methods-sqv @{exec_path} { + include + include + include + + # To handle the _apt user + capability setgid, + capability setuid, + + signal receive set=int peer=apt, + signal receive set=int peer=packagekitd, + + @{exec_path} mr, + + @{bin}/sqv ix, + + /usr/share/apt/default-sequoia.config r, + /usr/share/keyrings/debian-archive-keyring.gpg r, + /usr/share/keyrings/debian-archive-keyring.pgp r, + + owner /var/lib/apt/lists/{,**} r, + + owner /tmp/apt.data.@{rand6} rw, + owner /tmp/apt.sig.@{rand6} rw, + owner /tmp/apt.sqverr.@{rand6} rw, + owner /tmp/apt.sqvout.@{rand6} rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index 4c414f07c..a6875a432 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -20,11 +20,12 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 7885afca4..16dc584b3 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions 
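Review bot: `signal receive set=int peer=packagekitd,` uses the literal profile name while the sibling method hunks in this same diff (apt-methods-file, -gpgv, -http, -mirror, -rred, -store) switch that peer to `@{p_packagekitd}`; if the variable ever resolves to a different label, PackageKit could signal every other method but not sqv. The four temporary-file rules are written as `owner /tmp/apt.*.@{rand6} rw,`, whereas apt-methods-gpgv in this diff uses `owner @{tmp}/apt.{conf,sig,data}.* rw,`, the form the rest of the tree uses. Suggested: `signal receive set=int peer=@{p_packagekitd},` and `owner @{tmp}/apt.{data,sig,sqverr,sqvout}.@{rand6} rw,`.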
@@ -10,12 +10,11 @@ include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include + include include include - include @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 04907876e..4f0d4e36b 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -25,7 +25,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/ls rix, @{bin}/mv rix, @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 972123a06..9254be27d 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -75,7 +75,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/debtags rPx, @{bin}/localepurge rPx, @{bin}/appstreamcli rPx, @@ -112,8 +112,8 @@ profile aptitude @{exec_path} flags=(complain) { owner @{tmp}/aptitudebug.*/** rwk, /var/lib/apt-xapian-index/index r, - /var/cache/apt-xapian-index/index.[0-9]/*.glass r, - /var/cache/apt-xapian-index/index.[0-9]/iamglass r, + /var/cache/apt-xapian-index/index.@{int}/*.glass r, + /var/cache/apt-xapian-index/index.@{int}/iamglass r, /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, 
@@ -169,20 +169,10 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include + include - @{bin}/ r, - @{editor_path} mrix, - @{sh_path} rix, - - @{bin}/which{,.debianutils} rix, - - owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, - # For shell pwd - /root/ r, - include if exists } diff --git a/apparmor.d/groups/apt/aptitude-changelog-parser b/apparmor.d/groups/apt/aptitude-changelog-parser index 91a47110a..cde501bd5 100644 --- a/apparmor.d/groups/apt/aptitude-changelog-parser +++ b/apparmor.d/groups/apt/aptitude-changelog-parser @@ -13,7 +13,6 @@ profile aptitude-changelog-parser @{exec_path} { include @{exec_path} r, - @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index c700e325f..a2f5e2050 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index e6c0fdee6..b42649d7c 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -17,15 +17,16 @@ profile command-not-found @{exec_path} { include include + capability dac_read_search, + @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/snap rPUx, - - @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{bin}/lsb_release rPx, + @{bin}/snap rPx, @{lib}/ r, + @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int}@{int} w, /usr/share/command-not-found/{,**} r, 
diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper
new file mode 100644
index 000000000..d6e89f9a0
--- /dev/null
+++ b/apparmor.d/groups/apt/deb-systemd-helper
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/deb-systemd-helper
+profile deb-systemd-helper @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/systemctl rCx -> systemctl,
+
+ /etc/systemd/system/{,**} rw,
+ /etc/systemd/user/{,**} rw,
+
+ /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw,
+ /var/lib/systemd/deb-systemd-helper-masked/{,**} rw,
+ /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw,
+
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+
+ /etc/ r,
+ /etc/systemd/ r,
+ /etc/systemd/system/ r,
+ /etc/systemd/system/* rw,
+ /etc/systemd/system/*.wants/ rw,
+ /etc/systemd/system/*.wants/* rw,
+ /etc/systemd/user/ r,
+ /etc/systemd/user/*.wants/ rw,
+ /etc/systemd/user/*.wants/* rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke
new file mode 100644
index 000000000..d2e9e9260
--- /dev/null
+++ b/apparmor.d/groups/apt/deb-systemd-invoke
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/deb-systemd-invoke
+profile deb-systemd-invoke @{exec_path} {
+ include
+ include
+ include
+
+ capability net_admin,
+ capability sys_resource,
+
+ signal send set=(cont term) peer=systemd-tty-ask-password-agent,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/systemctl rix, #aa:lint ignore=transition
+ @{bin}/systemd-tty-ask-password-agent Px,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
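Review bot: deb-systemd-invoke runs `@{bin}/systemctl rix, #aa:lint ignore=transition`, so systemctl inherits this profile's `capability net_admin`, `capability sys_resource` and the password-agent signal rule, while the neighbouring deb-systemd-helper confines the same binary in a `systemctl` child via `rCx -> systemctl`. If the inline exec is deliberate, a short comment next to the lint ignore saying why (for instance that the invoke path needs the signalling to `systemd-tty-ask-password-agent` from the same label) would stop the next reader from "fixing" it. Otherwise `@{bin}/systemctl rCx -> systemctl,` with a child mirroring deb-systemd-helper's would keep the two helpers consistent.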
diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index 4ddcca5ca..1d88c829b 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -10,45 +10,12 @@ include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, - @{bin}/perl r, @{bin}/apt-get rPx, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/debconf-apt-progress rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape new file mode 100644 index 000000000..c64401bb0 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-escape @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/debconf-escape +profile debconf-escape @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend new file mode 100644 index 000000000..4660755d6 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-frontend 
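Review bot: the hunk deletes `/usr/share/debconf/frontend rPx,` together with the old `frontend` child, but the new `debconf-frontend` profile added elsewhere in this diff attaches to exactly that path and nothing visible in debconf-apt-progress now permits the exec. Unless the swapped-in include (its target is not visible here) carries that transition, debconf-apt-progress can no longer launch the debconf frontend — hidden for now because the profile is still `flags=(complain)`, so it would only show up as a log entry. If the include does not provide it, `/usr/share/debconf/frontend rPx,` should be restored.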
@@ -0,0 +1,72 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/debconf/frontend +profile debconf-frontend @{exec_path} flags=(complain) { + include + include + include + include + include + include + + capability dac_read_search, + + @{exec_path} r, + + @{bin}/hostname ix, + @{bin}/lsb_release Px, + @{bin}/stty ix, + @{sbin}/update-secureboot-policy Px, + + # debconf apps + @{bin}/adequate Px, + @{bin}/debconf-apt-progress Px, + @{bin}/linux-check-removal Px, + @{bin}/ucf Px, + @{sbin}/aspell-autobuildhash Px, + @{sbin}/pam-auth-update Px, + @{lib}/tasksel/tasksel-debconf Px -> tasksel, + /usr/share/debian-security-support/check-support-status.hook Px, + + # Grub + @{lib}/grub/grub-multi-install Px, + /usr/share/grub/grub-check-signatures Px, + + # Package maintainer's scripts + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts, + + # DKMS scipts + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, + + /usr/share/debconf/{,**} r, + + /etc/inputrc r, + /etc/shadow r, + + owner /var/cache/debconf/* rwk, + + owner @{tmp}/file* w, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/updateppds.@{rand6} rw, + + @{HOME}/.Xauthority r, + + @{run}/user/@{uid}/pk-debconf-socket rw, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-show b/apparmor.d/groups/apt/debconf-show index b00cecd1b..ed9cf9094 100644 --- a/apparmor.d/groups/apt/debconf-show +++ b/apparmor.d/groups/apt/debconf-show @@ -14,7 +14,6 @@ profile debconf-show @{exec_path} { include @{exec_path} r, - @{bin}/perl r, @{bin}/locale rix, 
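Review bot: `/var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts,` names an explicit target while the line above it, `/var/lib/dpkg/info/*.@{dpkg_script_ext} Px,`, and both equivalent rules in the dpkg hunk of this diff use a bare `Px` that relies on a profile attached to those paths; one of the two spellings is presumably wrong, and with bare `Px` a missing attached profile makes the exec fail outright. The DKMS lines `@{lib}/dkms/common.postinst rPUx,`, `@{lib}/dkms/dkms-* rPUx,`, `@{lib}/dkms/dkms_* rPUx,` fall back to unconfined for scripts that build kernel modules as root, the one unconfined escape in the profile, and deserve a comment stating that it is intentional. Because the profile is `flags=(complain)` none of this is enforced yet; `/etc/shadow r,` is carried over from the old child and is worth a one-line why-comment before the switch to enforce.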
diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index ee29b4923..c67b1dfb5 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -21,13 +21,13 @@ profile debsecan @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, # Send results using email - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 68d0d4184..635076069 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/debsign profile debsign @{exec_path} { include + include @{exec_path} r, @@ -27,7 +28,6 @@ profile debsign @{exec_path} { @{bin}/md5sum rix, @{bin}/mktemp rix, @{bin}/mv rix, - @{bin}/perl rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/sha{1,256,512}sum rix, diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 01e9ac152..8c0087770 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -12,28 +12,20 @@ profile debsums @{exec_path} { include include - # Needed to read files owned by other users than root. capability dac_read_search, @{exec_path} r, @{sh_path} rix, - @{bin}/{m,g,}awk rix, + @{bin}/{m,g,}awk ix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, - - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - /etc/locale.nopurge r, - - /var/lib/dpkg/info/* r, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/dpkg-divert Px -> child-dpkg-divert, # For shell pwd / r, 
@@ -45,7 +37,7 @@ profile debsums @{exec_path} { /etc/{,**} r, /var/lib/{,**} r, /opt/{,**} r, - /boot/{,**} r, + @{efi}/{,**} r, /lib*/{,**} r, include if exists diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 8bda4efff..3e3fd2ab9 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -17,7 +17,7 @@ profile debtags @{exec_path} { #capability sys_tty_config, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index dd87414bf..2c1ac1ce5 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg 
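Review bot: `/boot/{,**} r,` becomes `@{efi}/{,**} r,`; debsums verifies the checksums of installed files, kernels and initrds included, so the rule must still cover `/boot` itself. If `@{efi}` expands only to the EFI system partition (its definition is not visible here), this narrows the rule and silently drops verification of everything else under `/boot`; the same substitution is made in the dpkg hunk (`@{efi}/** rwl -> @{efi}/**`, which dpkg needs to install kernel packages) and in the apt hunk (`@{efi}/ r,`). Worth confirming the variable's expansion in the tunables once rather than per profile.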
@@ -21,43 +21,33 @@ profile dpkg @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/cat rix, - @{bin}/rm rix, + @{sh_path} rix, + @{bin}/cat ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/rm ix, - @{bin}/deb-systemd-helper rix, - @{bin}/deb-systemd-invoke rix, - @{bin}/dpkg-deb rpx, - @{bin}/dpkg-query rpx, - @{bin}/dpkg-split rPx, - @{bin}/systemctl rCx -> systemctl, - @{lib}/needrestart/dpkg-status rPx, - /usr/share/debian-security-support/check-support-status.hook rPx, - - @{pager_path} rPx -> child-pager, + @{bin}/dpkg-deb px, + @{bin}/dpkg-query px, + @{bin}/dpkg-split px, + @{bin}/systemctl Cx -> systemctl, + @{lib}/needrestart/dpkg-status Px, + @{pager_path} Px -> child-pager, + /usr/share/debian-security-support/check-support-status.hook Px, # Package maintainer's scripts - # Move it to a child profile once more transitions will be available - /var/lib/dpkg/info/*.{config,templates} rPUx, - /var/lib/dpkg/info/*.{preinst,postinst} rPUx, - /var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/{config,templates} rPUx, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - #/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - #/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # For shell pwd /root/ r, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, 
diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index a58257271..b1a23f222 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -16,10 +16,9 @@ profile dpkg-architecture @{exec_path} { capability dac_read_search, @{exec_path} r, - /usr/bin/perl r, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* ix, + @{lib}/llvm-[0-9]*/bin/clang ix, @{bin}/ccache rCx -> ccache, @{bin}/dpkg rPx -> child-dpkg, @@ -28,9 +27,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - # file_inherit - owner @{tmp}/* rw, - + audit owner @{tmp}/* rw, profile ccache { include diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index e7558acdf..467d0d50e 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -13,7 +13,6 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index e7542aadd..6f54d3967 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -13,7 +13,6 @@ profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup new file mode 100644 index 000000000..d83bdbb45 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-db-backup 
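Review bot: `audit owner @{tmp}/* rw,` replaces the `# file_inherit` comment with an audit modifier, which makes every allowed access matching the rule produce an audit log entry but no longer explains why the rule exists. If the goal is to trace which caller hands over the temporary file, a comment such as `# file_inherit — audit kept to find the origin, drop once identified` preserves the original explanation and marks the audit as temporary; if it is meant to stay, the reason should be stated instead. The profile body continues past the hunk.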
@@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dpkg/dpkg-db-backup +profile dpkg-db-backup @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/gzip rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/savelog rix, + @{bin}/tar rix, + @{bin}/touch rix, + + /usr/share/dpkg/{,**} r, + + /var/lib/dpkg/ r, + /var/lib/dpkg/alternatives/{,*} r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/statoverride r, + + /var/backups/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index 6712b8b7c..e2d386804 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -22,6 +22,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + #aa:lint ignore=too-wide /etc/** rw, include if exists diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index 4e22ecf19..b9853ca32 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -17,7 +17,6 @@ profile dpkg-genbuildinfo @{exec_path} { @{exec_path} r, - @{bin}/perl r, /usr/local/bin/ r, /usr/local/etc/ r, /usr/local/include/ r, diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 73be1b913..7c7ad1681 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -14,7 +14,6 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/perl r, /etc/dpkg/origins/debian r, 
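Review bot: `/var/backups/{,**} rw,` in the new dpkg-db-backup profile grants read-write access to everything under /var/backups, not only the dpkg state copies this script rotates; that directory is shared with other system cron jobs that keep copies of the account database there. Restricting the rule to the names the script actually writes, e.g. `/var/backups/ r,` and `/var/backups/{dpkg.*,alternatives.tar*} rw,` (verify the patterns against the script before committing), keeps a bug in this shell script from touching unrelated backups.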
diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper
new file mode 100644
index 000000000..dfb881e32
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-maintscript-helper
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/dpkg-maintscript-helper
+profile dpkg-maintscript-helper @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/basename rix,
+ @{bin}/dpkg rCx -> dpkg,
+
+ /usr/share/dpkg/sh/* r,
+
+ profile dpkg {
+ include
+ include
+ include
+
+ capability dac_read_search,
+
+ @{bin}/dpkg mr,
+ @{bin}/dpkg-query rpx,
+
+ /etc/dpkg/dpkg.cfg r,
+ /etc/dpkg/dpkg.cfg.d/{,*} r,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index cf957ab4f..2e32af979 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
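Review bot: The new dpkg-maintscript-helper profile only allows `basename` and `dpkg` to be executed, yet the helper's conffile and symlink commands remove, move and checksum files with ordinary coreutils; unless one of the stripped `include` lines covers them, those calls will be denied and a package's conffile migration will fail mid-way. Confirm against the scripts under /usr/share/dpkg/sh/ that the profile already reads, and if needed add `@{coreutils_path} rix,` as the sibling dpkg-script profiles in this commit do.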
@@ -7,43 +7,60 @@ abi , include -@{exec_path} = @{bin}/dpkg-preconfigure +@{exec_path} = @{sbin}/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { include include - include include + include + include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, - @{bin}/perl r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/cat rix, - @{bin}/dialog rix, - @{bin}/expr rix, - @{bin}/locale rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/stty rix, - @{bin}/tr rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{,g,m}awk ix, + @{bin}/cat ix, + @{bin}/debconf-escape Px, + @{bin}/dialog ix, + @{bin}/expr ix, + @{bin}/find ix, + @{bin}/head ix, + @{bin}/locale ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/stty ix, + @{bin}/tr ix, + @{bin}/uniq ix, + @{bin}/which{,.debianutils} rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/apt-extracttemplates rPx, - @{bin}/whiptail rPx, + @{bin}/apt-extracttemplates Px, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/findmnt Px, + @{bin}/whiptail Px, + @{lib}/apt/apt-extracttemplates Px, /usr/share/debconf/confmodule r, + /usr/share/dictionaries-common/{,*} r, + /etc/cloud/cloud.cfg.d/90_dpkg.cfg r, /etc/debconf.conf r, /etc/default/grub r, + /etc/default/mdadm r, /etc/inputrc r, + /etc/locale.gen r, + /etc/mdadm/mdadm.conf r, /etc/shadow r, + /etc/ssh/sshd_config r, + /etc/X11/Xwrapper.config r, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, + /var/lib/locales/supported.d/{,*} r, + + /var/cache/debconf/tmp.ci/ w, /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, 
@@ -53,24 +70,17 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w, + owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, owner @{PROC}/@{pid}/fd/ r, - # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, - include if exists } diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor new file mode 100644 index 000000000..38a068ac0 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-apparmor 
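Review bot: `owner @{tmp}/*.config.* rwPUx,` keeps running the extracted package config scripts with an unconfined fallback, and no profile in this commit attaches to `@{tmp}/*.config.*` (the new dpkg-scripts profile attaches to `/var/lib/dpkg/**` only), so the `U` branch is always what executes here while the same scripts get `Px` when dpkg runs them. A named transition, `owner @{tmp}/*.config.* rwPx -> dpkg-scripts,`, would give both paths the same confinement; please check that dpkg-scripts' rules cover what a config script needs from a tmp location before switching. The removed block also drops the GUI-frontend includes and `@{HOME}/.Xauthority r` while `/etc/X11/Xwrapper.config r` and the Xwayland auth rule stay in the previous hunk; if debconf GUI frontends are still expected to work, that is worth confirming.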
@@ -0,0 +1,67 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /var/lib/dpkg/info/apparmor*
+profile dpkg-script-apparmor @{exec_path} {
+ include
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} mrix,
+
+ @{bin}/{,e}grep ix,
+
+ @{bin}/deb-systemd-helper Px,
+ @{bin}/deb-systemd-invoke Px,
+ @{bin}/dpkg-divert ix,
+ @{bin}/systemctl Cx -> systemctl,
+ @{sbin}/apparmor_parser Px,
+
+ /usr/share/apparmor.d/** rw,
+
+ /etc/apparmor.d/** rw,
+
+ /var/lib/dpkg/diversions rw,
+ /var/lib/dpkg/diversions-new rw,
+ /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
+
+ /var/lib/dpkg/info/*.list r,
+ /var/lib/dpkg/info/format r,
+ /var/lib/dpkg/status r,
+ /var/lib/dpkg/triggers/File r,
+ /var/lib/dpkg/triggers/Unincorp r,
+ /var/lib/dpkg/updates/ r,
+ /var/lib/dpkg/updates/@{int} r,
+
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_resource,
+ capability dac_override,
+ capability dac_read_search,
+
+ signal send set=(cont term) peer=systemd-tty-ask-password-agent,
+
+ @{bin}/systemd-tty-ask-password-agent rix,
+
+ @{run}/user/@{uid}/systemd/ask-password/ rw,
+ @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw,
+
+ owner @{run}/systemd/ask-password/ rw,
+ owner @{run}/systemd/ask-password-block/{,*} rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-script-kmod b/apparmor.d/groups/apt/dpkg-script-kmod
new file mode 100644
index 000000000..f900bba17
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-script-kmod
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /var/lib/dpkg/info/kmod*
+profile dpkg-script-kmod @{exec_path} {
+ include
+
+ @{exec_path} mrix,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
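Review bot: The `systemctl` child in dpkg-script-apparmor carries `capability dac_override` and `capability dac_read_search` plus non-owner `rw` on `@{run}/user/@{uid}/systemd/ask-password/`, whereas the equivalent children in dpkg-script-systemd and dpkg-scripts in this same commit get by with net_admin, sys_resource and (for dpkg-scripts) sys_ptrace. If these extra grants came from specific denials, a comment naming the trigger would keep them from being copied elsewhere; otherwise aligning the child with its siblings is the smaller rule set. `/etc/apparmor.d/** rw,` and `/usr/share/apparmor.d/** rw,` would also benefit from a comment saying which step of the apparmor maintainer scripts writes to the policy tree, since dpkg itself places the files.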
diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux
new file mode 100644
index 000000000..b294b928b
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-script-linux
@@ -0,0 +1,54 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /var/lib/dpkg/info/linux*
+profile dpkg-script-linux @{exec_path} {
+ include
+ include
+
+ @{exec_path} mrix,
+
+ @{bin}/cat ix,
+ @{bin}/mkdir ix,
+ @{bin}/rm ix,
+ @{bin}/run-parts ix,
+ @{bin}/stty ix,
+
+ @{bin}/deb-systemd-helper Px,
+ @{bin}/deb-systemd-invoke Px,
+ @{bin}/dpkg-maintscript-helper Px,
+ @{bin}/dpkg-trigger Px,
+ @{bin}/kmod Px,
+ @{bin}/linux-check-removal Px,
+ @{bin}/linux-update-symlinks Px,
+ @{bin}/systemctl Cx -> systemctl,
+
+ /usr/share/{update,reboot}-notifier/notify-reboot-required Px,
+ /etc/kernel/{,header_}postinst.d/* Px,
+ /etc/kernel/postrm.d/* Px,
+ /etc/kernel/preinst.d/* Px,
+ /etc/kernel/prerm.d/* Px,
+
+ /etc/kernel/*.d/ r,
+
+ @{lib}/linux/triggers/* w,
+ @{lib}/modules/*/.fresh-install w,
+
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd
new file mode 100644
index 000000000..6c76e6f70
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
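Review bot: `/etc/kernel/{,header_}postinst.d/* Px,` and the three sibling hook rules in dpkg-script-linux are strict `Px`, so any hook dropped into /etc/kernel by a package outside this policy set (out-of-tree module builders, bootloader helpers) is denied, and `run-parts` then aborts the kernel package's configure step. The generic dpkg-scripts profile in this commit explicitly documents `PUx` as its safety fallback for that situation; either use the same fallback here, or add a comment above these rules stating that every /etc/kernel hook on a covered system needs its own profile so the failure mode is understood.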
@@ -0,0 +1,77 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /var/lib/dpkg/info/systemd*
+profile dpkg-script-systemd @{exec_path} {
+ include
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} mrix,
+
+ @{coreutils_path} rix,
+ @{bin}/bootctl Px,
+ @{bin}/deb-systemd-helper Px,
+ @{bin}/deb-systemd-invoke Px,
+ @{bin}/dpkg Cx -> dpkg,
+ @{bin}/dpkg-divert Px,
+ @{bin}/dpkg-maintscript-helper Px,
+ @{bin}/journalctl Px,
+ @{bin}/kernel-install mrPx,
+ @{bin}/systemctl Cx -> systemctl,
+ @{bin}/systemd-machine-id-setup Px,
+ @{bin}/systemd-sysusers Px,
+ @{bin}/systemd-tmpfiles Px,
+ @{lib}/systemd/systemd-sysctl Px,
+ @{sbin}/pam-auth-update Px,
+
+ /etc/systemd/system/*.wants/ rw,
+ /etc/systemd/system/*.wants/* rw,
+
+ /etc/pam.d/sed@{rand6} rw,
+ /etc/pam.d/common-password rw,
+
+ @{efi}/ r,
+
+ /var/lib/systemd/{,*} rw,
+ /var/log/journal/ rw,
+
+ profile dpkg {
+ include
+ include
+ include
+
+ capability dac_read_search,
+
+ @{bin}/dpkg mr,
+
+ /etc/dpkg/dpkg.cfg r,
+ /etc/dpkg/dpkg.cfg.d/{,*} r,
+
+ include if exists
+ }
+
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_resource,
+
+ signal send set=(cont term) peer=systemd-tty-ask-password-agent,
+
+ @{bin}/systemd-tty-ask-password-agent Px,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
new file mode 100644
index 000000000..da5da33a1
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-scripts
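Review bot: `/etc/pam.d/common-password rw,` and `/etc/pam.d/sed@{rand6} rw,` sit in the parent dpkg-script-systemd profile even though the tool that rewrites the PAM stack, `pam-auth-update`, is transitioned with `Px` and therefore runs under its own profile. Write access to the password stack from a package maintainer script is the kind of grant a reader will want justified; if these two rules are leftovers from before pam-auth-update got its own profile they can be dropped, otherwise a comment naming which systemd script edits PAM directly belongs above them.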
@@ -0,0 +1,178 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /var/lib/dpkg/**
+profile dpkg-scripts @{exec_path} {
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability setgid,
+ capability setuid,
+
+ @{exec_path} mrix,
+
+ # Common program found in maintainer scripts
+ @{sh_path} rix,
+ @{coreutils_path} rix,
+ @{python_path} rix,
+ @{bin}/run-parts rix,
+
+ @{bin}/envsubst ix,
+ @{bin}/file ix,
+ @{bin}/getent ix,
+ @{bin}/gzip ix,
+ @{bin}/helpztags ix,
+ @{bin}/setpriv ix,
+ @{bin}/tput ix,
+ @{bin}/zcat ix,
+ @{lib}/ubuntu-advantage/cloud-id-shim.sh ix,
+ @{lib}/ubuntu-advantage/postinst-migrations.sh ix,
+
+ @{bin}/dbus-send Cx -> bus,
+ @{bin}/kmod Cx -> kmod,
+ @{bin}/dpkg Px -> child-dpkg,
+ @{bin}/systemctl Cx -> systemctl,
+ @{sbin}/invoke-rc.d Cx -> rc,
+ @{sbin}/ldconfig Cx -> ldconfig,
+ @{sbin}/ldconfig.real Cx -> ldconfig,
+ @{sbin}/update-rc.d Cx -> rc,
+
+ # Maintainer scripts can legitimately start/restart anything
+ # PU is only used as a safety fallback.
+ @{bin}/** PUx,
+ @{sbin}/** PUx,
+ @{lib}/** PUx,
+ /etc/** PUx,
+ /usr/share/** PUx,
+
+ #aa:lint ignore=too-wide
+ # Maintainer's scripts can update a lot of files
+ / r,
+ /*/ r,
+ @{bin}/ r,
+ @{bin}/* w,
+ @{lib}/ r,
+ @{lib}/** w,
+ /opt/*/** rw,
+
+ #aa:lint ignore=too-wide
+ /etc/ r,
+ /etc/** rw,
+ /usr/share/*/{,**} rw,
+ /usr/local/share/*/{,**} rw,
+ /var/** rw,
+ @{run}/** rw,
+ @{efi}/grub/* rw,
+
+ /tmp/grub.@{rand10} rw,
+ /tmp/sed@{rand6} rw,
+ /tmp/tmp.@{rand10} rw,
+
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/mountinfo r,
+
+ profile bus {
+ include
+ include
+ include
+
+ capability dac_read_search,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus
+ member=ReloadConfig
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+ include if exists
+ }
+
+ profile kmod {
+ include
+ include
+
+ include if exists
+ }
+
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+ capability sys_resource,
+
+ @{bin}/systemd-tty-ask-password-agent Px,
+ @{pager_path} Px -> child-pager,
+
+ /etc/machine-id r,
+
+ /var/lib/systemd/catalog/database r,
+
+ /{run,var}/log/journal/ r,
+ /{run,var}/log/journal/@{hex32}/ r,
+ /{run,var}/log/journal/@{hex32}/system.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
+
+ @{run}/utmp rk,
+
+ include if exists
+ }
+
+ profile rc {
+ include
+ include
+ include
+
+ @{sbin}/update-rc.d mr,
+ @{sbin}/invoke-rc.d mr,
+
+ @{coreutils_path} rix,
+ @{sh_path} rix,
+ @{bin}/systemctl rPx -> dpkg-scripts//systemctl,
+
+ /etc/ r,
+ /etc/init.d/* r,
+ /etc/rc@{c}.d/ r,
+ /etc/rc@{c}.d/* rw,
+ /etc/rc@{int}.d/ r,
+ /etc/rc@{int}.d/* rw,
+
+ include if exists
+ }
+
+ profile ldconfig {
+ include
+ include
+
+ @{sh_path} rix,
+ @{sbin}/ldconfig mrix,
+ @{sbin}/ldconfig.real rix,
+
+ @{lib}/ r,
+ /usr/local/ r,
+ /usr/local/lib/ r,
+
+ owner /var/cache/ldconfig/aux-cache* rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride
new file mode 100644
index 000000000..804e1675b
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-statoverride
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/dpkg-statoverride
+profile dpkg-statoverride @{exec_path} flags=(complain) {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /var/lib/dpkg/statoverride r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor
index aee717257..70d2199f2 100644
--- a/apparmor.d/groups/apt/dpkg-vendor
+++ b/apparmor.d/groups/apt/dpkg-vendor
@@ -13,7 +13,6 @@ profile dpkg-vendor @{exec_path} {
 include
 @{exec_path} r,
- /usr/bin/perl r,
 /etc/dpkg/origins/* r,
diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts
index 5c46246a2..2a2063d8e 100644
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@@ -26,12 +26,12 @@ profile querybts @{exec_path} {
 network netlink raw,
 @{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
 @{bin}/ r,
 @{sh_path} rix,
 @{bin}/stty rix,
- @{bin}/ldconfig rix,
+ @{sbin}/ldconfig rix,
 @{open_path} rPx -> child-open-browsers,
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug
index 8681e46d8..e58c9d8b3 100644
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
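Review bot: In dpkg-scripts the five `PUx` rules (`@{bin}/** PUx,` through `/usr/share/** PUx,`) cover the same trees the profile can write to (`@{bin}/* w,`, `@{lib}/** w,`, `/etc/** rw,`, `/usr/share/*/{,**} rw,`), so a maintainer script, or anything that has taken control of one, can drop a file into one of those directories and execute it straight into unconfined; the "safety fallback" is reachable on purpose from inside the profile. That may be the accepted trade-off for a catch-all maintainer-script profile, but the comment above the rules should say so explicitly, e.g. `# NOTE: combined with the write rules below, the U fallback means any file a script writes under these trees can be run unconfined; this profile is containment for accidents, not a sandbox.` `/var/** rw,` likewise covers `@{exec_path}` itself, which `mrix` then runs under this same profile, a second path to note there. The profile header and the exec rules are earlier in this hunk.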
@@ -28,9 +28,9 @@ profile reportbug @{exec_path} { @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/selinuxenabled rix, @{sh_path} rix, @{bin}/aa-enabled rix, @@ -40,14 +40,14 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open @@ -57,7 +57,7 @@ profile reportbug @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{open_path} rPx -> child-open, - @{lib}/python3/dist-packages/pylocales/locales.db rk, + @{lib}/@{python_name}/dist-packages/pylocales/locales.db rk, /usr/share/bug/*/{control,presubj} r, diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 4189c7170..36e299a0c 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -45,9 +45,9 @@ profile synaptic @{exec_path} { @{bin}/deborphan rPx, @{bin}/debtags rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/ps rPx, @{bin}/software-properties-gtk rPx, @@ -77,8 +77,8 @@ profile synaptic @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - /var/cache/apt-xapian-index/index.[0-9]/*.glass r, - /var/cache/apt-xapian-index/index.[0-9]/iamglass r, + /var/cache/apt-xapian-index/index.@{int}/*.glass r, + /var/cache/apt-xapian-index/index.@{int}/iamglass r, /var/lib/apt-xapian-index/index r, /var/lib/dpkg/** r, 
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d0fdad4b7..0d4d2ee33 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,13 +10,14 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include include + include include capability chown, @@ -29,9 +30,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, + network inet dgram, + network inet6 dgram, network netlink raw, - signal (send) peer=apt-methods-http, + signal send peer=apt-methods-http, unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, 
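Review bot: `network inet dgram,` and `network inet6 dgram,` are added to unattended-upgrade without a comment, while all HTTP traffic is delegated to the `Px`'d apt methods, so a reader cannot tell what in the Python process itself opens a UDP socket. If the reason is name resolution from the main process, say so above the two rules, e.g. `# Name resolution from the Python side (getaddrinfo) — TODO confirm which call`, so the rules are not later widened to stream or netlink on the same assumption.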
@@ -40,32 +43,39 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, - @{bin}/echo rix, - @{bin}/gdbus rix, - @{bin}/ischroot rix, - @{bin}/python3.@{int} rix, - @{bin}/test rix, - @{bin}/touch rix, - @{bin}/uname rix, + @{python_path} rix, + @{bin}/echo ix, + @{bin}/gdbus ix, + @{bin}/md5sum ix, + @{bin}/tar ix, + @{bin}/test ix, + @{bin}/touch ix, + @{bin}/uname ix, - @{bin}/apt-listchanges rPx, - @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, - @{bin}/etckeeper rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/on_ac_power rPx, - @{bin}/sendmail rPUx, - @{lib}/apt/methods/http{,s} rPx, - @{lib}/needrestart/apt-pinvoke rPx, - @{lib}/update-notifier/update-motd-updates-available rPx, - @{lib}/zsys-system-autosnapshot rPx, + @{bin}/dpkg-deb px, + @{bin}/apt-listchanges Px, + @{bin}/dpkg Px, + @{bin}/dpkg-divert Px, + @{bin}/etckeeper Px, + @{bin}/ischroot Px, + @{bin}/lsb_release Px, + @{sbin}/dpkg-preconfigure Px, + @{sbin}/on_ac_power Px, + @{sbin}/sendmail Px, + @{lib}/apt/methods/http{,s} Px, + @{lib}/needrestart/apt-pinvoke Px, + @{lib}/update-notifier/update-motd-updates-available Px, + @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, + @{etc_ro}/login.defs r, + @{etc_ro}/security/capability.conf r, + /etc/apport/report-ignore/{,**} r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, - /etc/default/grub.d/* r, + /etc/default/{,**} r, /etc/dpkg/origins/{,debian,ubuntu} r, /etc/fwupd/{,**} r, /etc/grub.d/* r, 
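Review bot: `@{sbin}/sendmail Px,` replaces `@{bin}/sendmail rPUx,`, so the mail-report step of unattended-upgrade now depends on a profile existing for whatever the installed MTA places at that path; a system whose sendmail shim has no profile gets a denied exec instead of the previous unconfined run, which is the right direction but is a behaviour change worth a line in the description or a comment next to the rule. `/etc/default/{,**} r,` also widens a single-pattern read (`/etc/default/grub.d/*`) to the whole directory; if the denials that motivated it came from a few files, naming them in a comment keeps the rule from being taken as open-ended.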
@@ -79,14 +89,19 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, - /etc/security/capability.conf r, + /etc/ssh/moduli r, + /etc/ssh/ssh_config r, + /etc/ufw/{,**} r, /etc/update-manager/{,**} r, - /etc/update-motd.d/* r, - /etc/vmware-tools/* r, + /etc/update-motd.d/{,**} r, + /etc/vim/{,**} r, + /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, + /var/crash/*.crash w, /var/lib/apt/periodic/unattended-upgrades-stamp w, + /var/lib/dpkg/info/{,*} r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, @@ -107,6 +122,9 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-dpkg-install-*/{,*} rw, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index cd35bb5ae..1fb667fae 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -12,15 +12,19 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include include include + include include include @{exec_path} mr, - @{bin}/ischroot rix, + @{bin}/ischroot Px, + + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /usr/share/unattended-upgrades/{,*} r, - /etc/apt/apt.conf.d/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 15af33d88..f829ab3ff 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index 
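Review bot: In the unattended-upgrade-shutdown hunk, `@{lib}/@{python_name}/**/__pycache__/**.pyc w,` and its `.pyc.@{u64}` and directory variants let a root-run tool write bytecode into the system Python tree that every other Python process later imports, which is a persistence surface a profile should not normally hand out. On Debian these caches are generated when the package is installed, so a runtime denial here usually points at a module that was not byte-compiled rather than a genuine need; the usual answer is `deny @{lib}/@{python_name}/**/__pycache__/** w,`, which CPython handles by compiling in memory and which also keeps the log quiet. If writing them is really intended, a comment saying why belongs above the three rules.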
@@ -10,17 +10,21 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg Px -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/** rwk, @@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/lib/debtags/package-tags r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit - owner /dev/tty@{int} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 47c22d72d..3ac729baa 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -17,7 +17,7 @@ profile avahi-browse @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index ff2cae183..1a66b4726 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve 
@@ -17,12 +17,12 @@ profile avahi-resolve @{exec_path} { dbus send bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Free,HostNameResolverNew} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Failure,Found} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/groups/bluetooth/blueman similarity index 97% rename from apparmor.d/profiles-a-f/blueman rename to apparmor.d/groups/bluetooth/blueman index 08a553c1d..469fb24a0 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,6 +11,7 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism similarity index 89% rename from apparmor.d/profiles-a-f/blueman-mechanism rename to apparmor.d/groups/bluetooth/blueman-mechanism index aae5d53cd..ffdda336e 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include + include include include @@ -35,9 +36,9 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { /dev/rfkill rw, # For network AP - #@{bin}/ip rix, - #@{bin}/xtables-nft-multi rix, - #@{bin}/dnsmasq rPx, + #@{sbin}/ip rix, + #@{sbin}/xtables-nft-multi rix, + #@{sbin}/dnsmasq rPx, #@{bin}/dhclient rPx, # @{PROC}/sys/net/ipv4/ip_forward w, # @{PROC}/sys/net/ipv4/conf/ r, 
diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher similarity index 86% rename from apparmor.d/profiles-a-f/blueman-rfcomm-watcher rename to apparmor.d/groups/bluetooth/blueman-rfcomm-watcher index 516f14bdd..2d52a6e01 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{lib}/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-rfcomm-watcher @{lib}/blueman/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/groups/bluetooth/bluemoon similarity index 100% rename from apparmor.d/profiles-a-f/bluemoon rename to apparmor.d/groups/bluetooth/bluemoon diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl similarity index 75% rename from apparmor.d/profiles-a-f/bluetoothctl rename to apparmor.d/groups/bluetooth/bluetoothctl index 01565b4ff..0b075581b 100644 --- a/apparmor.d/profiles-a-f/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -10,9 +10,17 @@ include @{exec_path} = @{bin}/bluetoothctl profile bluetoothctl @{exec_path} { include + include + include + + network bluetooth raw, + + #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, + /usr/share/terminfo/** r, + /etc/inputrc r, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd similarity index 75% rename from apparmor.d/profiles-a-f/bluetoothd rename to apparmor.d/groups/bluetooth/bluetoothd index ee7efdcfd..2800a4124 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd 
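Review bot: `network bluetooth raw,` in the bluetoothctl hunk gives the CLI client its own raw Bluetooth socket in addition to the D-Bus talk rule to bluetoothd that is added in the same hunk; talking to the daemon over the bus is the normal path, so the raw socket is the unusual grant. If it was added for one specific subcommand's denial, name it in a comment, e.g. `# Raw socket needed by <subcommand> — TODO confirm`, so the rule is not read as generally required by every caller of this profile.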
@@ -25,20 +25,15 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.bluez - dbus receive bus=system path=/ + dbus send bus=system path=/{,MediaEndpoint} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label="{brave,NetworkManager,pulseaudio,upowerd}"), - - dbus send bus=system path=/MediaEndpoint - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=pulseaudio), + peer=(name=@{busname}), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=org.freedesktop.DBus, label="{jwupd,NetworkManager,pulseaudio,upowerd}"), + member={InterfacesRemoved,InterfacesAdded} + peer=(name=org.freedesktop.DBus), @{exec_path} mr, @@ -50,7 +45,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/groups/bluetooth/obex-folder-listing similarity index 100% rename from apparmor.d/profiles-m-r/obex-folder-listing rename to apparmor.d/groups/bluetooth/obex-folder-listing diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/groups/bluetooth/obexautofs similarity index 87% rename from apparmor.d/profiles-m-r/obexautofs rename to apparmor.d/groups/bluetooth/obexautofs index e50fadddf..980349086 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/groups/bluetooth/obexautofs 
@@ -36,20 +36,13 @@ profile obexautofs @{exec_path} { profile fusermount { include - include - - capability sys_admin, + include mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, + umount @{HOME}/*/, + umount @{HOME}/*/*/, include if exists } diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/groups/bluetooth/obexctl similarity index 100% rename from apparmor.d/profiles-m-r/obexctl rename to apparmor.d/groups/bluetooth/obexctl diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/groups/bluetooth/obexd similarity index 91% rename from apparmor.d/profiles-m-r/obexd rename to apparmor.d/groups/bluetooth/obexd index 3da9b4f5d..efb5f42e4 100644 --- a/apparmor.d/profiles-m-r/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -22,7 +22,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), @{exec_path} mr, @@ -31,6 +31,8 @@ profile obexd @{exec_path} { owner @{HOME}/bluetooth/* rw, + @{run}/systemd/users/@{uid} r, + include if exists } diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/groups/bluetooth/obexfs similarity index 82% rename from apparmor.d/profiles-m-r/obexfs rename to apparmor.d/groups/bluetooth/obexfs index 5a9d0dfbf..e486349d3 100644 --- a/apparmor.d/profiles-m-r/obexfs +++ b/apparmor.d/groups/bluetooth/obexfs 
@@ -27,26 +27,17 @@ profile obexfs @{exec_path} { /dev/fuse rw, - profile fusermount { include - include - - # To mount anything: - capability sys_admin, + include network bluetooth stream, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - /dev/fuse rw, - mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/*/, - @{PROC}/@{pid}/mounts r, + umount @{HOME}/*/, + umount @{HOME}/*/*/, include if exists } diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/groups/bluetooth/obexpush-atd similarity index 100% rename from apparmor.d/profiles-m-r/obexpush-atd rename to apparmor.d/groups/bluetooth/obexpush-atd diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/groups/bluetooth/obexpushd similarity index 100% rename from apparmor.d/profiles-m-r/obexpushd rename to apparmor.d/groups/bluetooth/obexpushd diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index cc3d18b58..0decb0d4b 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -14,11 +14,13 @@ include @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{exec_path} = @{lib_dirs}/@{name} -profile brave @{exec_path} { +profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave-crashpad-handler), + unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + + signal receive peer=brave//&brave-crashpad-handler, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index b08a6b00f..86b293e8d 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany 
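Review bot: `profile brave @{exec_path} flags=(attach_disconnected) {` adds the flag to the browser profile without a comment explaining which disconnected paths triggered it. With `attach_disconnected`, paths that are disconnected from the namespace root are mediated as if rooted at `/`, so any broad path rule elsewhere in the profile body may now match files it was never meant to; a one-line why-comment, e.g. `# attach_disconnected: needed for the renderer sandbox's mount namespace — TODO confirm`, records the reason and the scope. The peer label `brave//&brave-crashpad-handler` also presumes a matching stacked transition to the crashpad handler that is not in this hunk.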
@@ -37,16 +37,20 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { /usr/share/enchant*/{,**} r, + owner @{HOME}/.ephy-download-@{rand6} rw, + owner @{HOME}/.ephy-web-app-icon-@{rand6} rw, + owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, + owner @{user_share_dirs}/org.gnome.Epiphany.WebApp_@{hex}/{,**} rw, + owner @{tmp}/ContentRuleList@{rand6} rw, owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 27eb0d54d..fe8507219 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -7,8 +7,8 @@ abi , include -@{name} = firefox{,.sh,-esr,-bin} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{name} = firefox{,-esr,-bin} +@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ @@ -26,8 +26,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, 
@@ -38,6 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-software rPx, @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, + @{bin}/speech-dispatcher rPx, @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @@ -59,9 +61,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{tmp}/.xfsm-ICE-@{rand6} rw, - owner @{tmp}/@{rand6}.tmp r, - owner @{tmp}/@{rand8}.txt w, - owner @{tmp}/* w, # file downloads (to anywhere) + owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) + owner @{tmp}/@{uuid}.zip{,.tmp} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/mozilla* rw, owner @{tmp}/mozilla*/ rw, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper new file mode 100644 index 000000000..55af7c2e2 --- /dev/null +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ + +@{exec_path} = @{lib_dirs}/crashhelper +profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + owner "@{config_dirs}/firefox/Crash Reports/" rw, + owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 1c418eef4..8feccaa93 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter 
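Review bot: The new firefox-crashhelper profile declares `@{name} = firefox{,.sh,-esr,-bin}` and `@{lib_dirs} = @{lib}/@{name} /opt/@{name}`, while the firefox profile in this same commit changes those to `@{name} = firefox{,-esr,-bin}` and `@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name}`. Because firefox transitions with an explicit `rPx -> firefox//&firefox-crashhelper` the transition itself should work for a beta or nightly install, but `@{exec_path} mr` in the helper profile then does not cover e.g. `@{lib}/firefox-nightly/crashhelper`, so the helper's own mmap of its binary would likely be denied. Copy the two variable lines from the firefox profile into this file and add `# keep @{name}/@{lib_dirs} identical to the firefox profile` so they do not drift again.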
@@ -28,22 +28,23 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{bin}/curl rix, @{bin}/mv rix, @{lib_dirs}/minidump-analyzer rPx, - @{bin}/mv rix, - owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw, owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r, + owner @{config_dirs}/firefox/*.*/prefs.js r, + owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, + owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -54,10 +55,14 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, + /dev/nvidia@{int} r, + /dev/nvidiactl r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index efcad72f8..8e86ee126 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -44,7 +44,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** 
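Review bot: `owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r,` introduces a second naming scheme for profile directories next to the `*.*` glob used by every other rule added in this hunk (`*.*/prefs.js`, `*.*/storage-sync-v2.sqlite-shm`), without saying where the `Profile*` layout comes from. If it is the layout produced by a particular packaging or by profiles created outside profiles.ini, say so in a trailing comment, e.g. `# profiles not registered in profiles.ini use Profile<N>/`; otherwise fold it into the existing `*.*` pattern so the two do not drift. Changing `@{exec_path} mr` to `@{exec_path} mrix` also lets the reporter re-exec itself under the same profile; if that was added for a self-exec seen in the logs, a one-word comment would make the reason discoverable. The enclosing `profile firefox-crashreporter` starts and ends outside the hunk.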
diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 01661215a..eb67ede59 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} { include include include - include + include include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher index 0f6273107..4969a14c3 100644 --- a/apparmor.d/groups/browsers/torbrowser-launcher +++ b/apparmor.d/groups/browsers/torbrowser-launcher @@ -32,7 +32,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/sed ix, @{bin}/tail ix, diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start index 58bb31ac8..ce6a3678c 100644 --- a/apparmor.d/groups/browsers/torbrowser-start +++ b/apparmor.d/groups/browsers/torbrowser-start @@ -22,7 +22,7 @@ profile torbrowser-start @{exec_path} { @{bin}/expr ix, @{bin}/file ix, @{bin}/getconf ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/ln ix, @{bin}/mkdir ix, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 9838ba40b..26311b575 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -10,7 +10,7 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index e8f0328a2..ee787e4e1 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility 
@@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -26,6 +26,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=dbus-session, signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, + unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), + #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us dbus receive bus=accessibility path=/org/freedesktop/DBus @@ -74,6 +76,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj r, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 014f7afd4..cc6b33f61 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -30,7 +30,7 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus} + #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} dbus receive bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello @@ -74,8 +74,9 @@ profile dbus-session flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_score_adj r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_score_adj r, /dev/ptmx rw, /dev/tty@{int} rw, 
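Review bot: The new `unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0),` in dbus-accessibility names no access set, so it grants every unix-socket permission (create, bind, listen, accept, connect, send, receive, …) towards that peer, and it hardcodes display `X0`, which will not match a second seat or `:1`. A client of the X server only needs `unix (connect, send, receive) type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X@{int}),` unless only display :0 is deliberately intended, in which case a comment should say so. The enclosing `profile dbus-accessibility` starts and ends outside the hunk.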
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 0296a262f..4dec1d407 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -16,7 +16,7 @@ include profile dbus-system flags=(attach_disconnected) { include include - include + include include include @@ -31,7 +31,7 @@ profile dbus-system flags=(attach_disconnected) { network bluetooth stream, network bluetooth seqpacket, - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus @@ -39,9 +39,15 @@ profile dbus-system flags=(attach_disconnected) { member=Hello peer=(name=@{busname}), + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Activator + member=ActivationFailure + peer=(name=@{busname}, label="@{p_systemd}"), + @{exec_path} mrix, @{bin}/** PUx, + @{sbin}/** PUx, @{lib}/** PUx, /usr/share/*/** PUx, @@ -63,6 +69,7 @@ profile dbus-system flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{run}/systemd/notify w, @{run}/systemd/users/@{int} r, @@ -78,6 +85,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index dca91e5f2..3fdab031b 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -55,6 +55,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/fd/ r, + owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists 
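Review bot: `@{sbin}/** PUx,` extends the system bus's activation fallback: any sbin binary that has no profile of its own is now started unconfined by dbus-system, and that unconfined label is inherited by everything it spawns. It mirrors the existing `@{bin}/** PUx,` so it is consistent, but sbin is where the privileged daemons live, so the `U` fallback is more consequential here; record the intent with a comment such as `# unprofiled services are activated unconfined (PUx); tighten to Px once sbin services are covered`. The enclosing `profile dbus-system` starts and ends outside the hunk.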
diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 8746e3795..817d63175 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,13 +11,12 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include + include include include - signal (receive) set=term peer=ibus-daemon, - - unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), + signal receive set=kill peer=@{p_systemd_user}, + signal receive set=term peer=ibus-daemon, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index f9f9870f8..e900fc3f5 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index 5182b0dca..abe0d22c0 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table @@ -14,7 +14,7 @@ profile ibus-engine-table @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, /usr/share/ibus-table/engine/{,**} r, /usr/share/ibus-table/tables/ r, diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 5d96f359e..53edb4b00 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal 
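Review bot: The two removed `unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),` rules pinned the peer both by abstract socket address and by label; they are presumably replaced by the include added in the same hunk, whose name is lost in this rendering. If that abstraction grants the unix access without the `label=ibus-daemon` peer condition, this hunk widens who ibus-dconf may exchange data with, so the abstraction's rule should be checked before merging. The literal `/home/*` in the old rules was itself a defect (it ignores `@{HOMEDIRS}`), so centralising this is the right direction provided the peer label survives. The enclosing `profile ibus-dconf` starts and ends outside the hunk.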
@@ -27,6 +27,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 39d5ecccb..698eeedb6 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/groups/cap/filecap similarity index 100% rename from apparmor.d/profiles-a-f/filecap rename to apparmor.d/groups/cap/filecap diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/groups/cap/netcap similarity index 100% rename from apparmor.d/profiles-m-r/netcap rename to apparmor.d/groups/cap/netcap diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/groups/cap/pscap similarity index 100% rename from apparmor.d/profiles-m-r/pscap rename to apparmor.d/groups/cap/pscap diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index 24df581f9..0a97bacd2 100644 --- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -14,7 +14,7 @@ abi , include @{exec_path} = @{bin}/dpkg -profile child-dpkg { +profile child-dpkg flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index 6ea41a9e8..ddfff5fc2 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert 
@@ -22,6 +22,7 @@ profile child-dpkg-divert { /var/lib/dpkg/arch r, /var/lib/dpkg/status r, /var/lib/dpkg/updates/ r, + /var/lib/dpkg/updates/@{int} r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, /var/lib/dpkg/diversions r, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 8681e91f4..61191fe9d 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -19,7 +19,6 @@ include @{exec_path} = @{bin}/nvidia-modprobe profile child-modprobe-nvidia flags=(attach_disconnected) { include - include include capability chown, @@ -35,8 +34,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - @{PROC}/sys/kernel/modprobe r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 6804326aa..84b1d1ea1 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -19,7 +19,7 @@ abi , include -profile child-open flags=(attach_disconnected) { +profile child-open flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index ea21f8487..446627e85 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -11,13 +11,10 @@ abi , include -profile child-open-any flags=(attach_disconnected) { +profile child-open-any flags=(attach_disconnected,mediate_deleted) { include - include - - @{open_path} mr, - - @{sh_path} r, + include + include @{bin}/** PUx, @{lib}/** PUx, 
@@ -26,14 +23,6 @@ profile child-open-any flags=(attach_disconnected) { /usr/local/bin/** PUx, /usr/share/** PUx, - @{bin}/ r, - @{user_bin_dirs}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - - /dev/tty rw, - include if exists include if exists } diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index 6873ea2fc..473276bff 100644 --- a/apparmor.d/groups/children/child-open-browsers +++ b/apparmor.d/groups/children/child-open-browsers @@ -15,7 +15,7 @@ abi , include -profile child-open-browsers flags=(attach_disconnected) { +profile child-open-browsers flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/children/child-open-editor b/apparmor.d/groups/children/child-open-editor new file mode 100644 index 000000000..16d3dc868 --- /dev/null +++ b/apparmor.d/groups/children/child-open-editor @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is designed to be used in a child profile to limit what +# confined application can invoke via open helper. + +# This version of child-open only allow to open text editor. + +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> child-open-browsers" exec transitions +# from other profiles. + +abi , + +include + +profile child-open-editor flags=(attach_disconnected,mediate_deleted) { + include + include + + @{editor_ui_path} PUx, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help index d70cd920a..1150d16d3 100644 --- a/apparmor.d/groups/children/child-open-help +++ b/apparmor.d/groups/children/child-open-help @@ -6,7 +6,7 @@ abi , include -profile child-open-help { +profile child-open-help flags=(attach_disconnected,mediate_deleted) { include include 
diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 98bbdcdb9..7faf52185 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -11,7 +11,7 @@ abi , include -profile child-open-strict { +profile child-open-strict flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index e904f96dd..8e60bce47 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -15,30 +15,7 @@ include profile child-pager flags=(attach_disconnected) { include - include - - capability dac_override, - capability dac_read_search, - - signal (receive) set=(stop, cont, term, kill), - - @{bin}/ r, - @{pager_path} mr, - - @{system_share_dirs}/terminfo/{,**} r, - /usr/share/file/misc/** r, - /usr/share/nvim/{,**} r, - - @{HOME}/.lesshst r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, - - /dev/tty@{int} rw, + include include if exists } diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined deleted file mode 100644 index c4d3c9fed..000000000 --- a/apparmor.d/groups/children/user_confined +++ /dev/null 
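Review bot: Collapsing the pager child's rule set into a single include moves `capability dac_override,` and `capability dac_read_search,` (visible among the removed lines) into whatever abstraction now provides them, where they are granted to every profile including it rather than to this child alone; the include's name is not visible in this rendering, so confirm those two capabilities were either dropped or are still limited to pager use. A pager that can read files its invoking user cannot is rarely what callers want, so if the abstraction keeps them it should carry a comment naming the pager and the access that required DAC override. The enclosing `profile child-pager` starts outside the hunk.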
@@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow confined users to read, write, lock and link to their own files -# anywhere, and execute from some places. - -abi , - -include - -profile user_confined flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rwkl, - owner @{HOMEDIRS}/bin/** ixmr, - owner @{user_bin_dirs}/** ixmr, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default deleted file mode 100644 index 2853a8deb..000000000 --- a/apparmor.d/groups/children/user_default +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# By default, allow users to read, lock and link to their own files anywhere, -# but only write to files in their home directory. Only allow limited execution -# of files. - -abi , - -include - -profile user_default flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rkl, - owner @{HOMEDIRS}/ w, - owner @{HOMEDIRS}/** w, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined deleted file mode 100644 index db410d6a2..000000000 --- a/apparmor.d/groups/children/user_unconfined +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile user_unconfined flags=(attach_disconnected,mediate_deleted) { - capability, - network, - mount, - remount, - umount, - pivot_root, - ptrace, - signal, - dbus, - unix, - file, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/groups/cron/anacron similarity index 85% rename from apparmor.d/profiles-a-f/anacron rename to apparmor.d/groups/cron/anacron index 3e7c9d092..3756c1d03 100644 --- a/apparmor.d/profiles-a-f/anacron +++ b/apparmor.d/groups/cron/anacron @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/anacron +@{exec_path} = @{sbin}/anacron profile anacron @{exec_path} { include include @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, / r, /etc/anacrontab r, @@ -26,7 +26,8 @@ profile anacron @{exec_path} { @{HOME}/ r, - /tmp/file* rw, + @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, profile run-parts { include @@ -38,6 +39,7 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, include if exists } diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 25549a39c..e91f9b419 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cron +@{exec_path} = @{sbin}/cron profile cron @{exec_path} flags=(attach_disconnected) { include include 
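Review bot: Both added `/tmp/anacron-@{rand6} rw,` lines use a literal `/tmp` and no `owner` qualifier, while the neighbouring new rule in the same hunk is `@{tmp}/file@{rand6} rw,` and the run-parts child uses `owner @{tmp}/file@{rand6} rw,`; where `@{tmp}` is set to something other than `/tmp` the literal path will not match, and without `owner` the rule lets anacron, running as root, write to a matching file pre-created by any user in the sticky `/tmp`. Use `owner @{tmp}/anacron-@{rand6} rw,` in both the parent and the run-parts child unless the file is created under a different uid, in which case a trailing comment should say so.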
@@ -25,22 +25,14 @@ profile cron @{exec_path} flags=(attach_disconnected) { network netlink raw, - ptrace (read) peer=unconfined, - - unix bind type=stream addr=@@{udbus}/bus/cron/system, - @{exec_path} mr, - @{sh_path} rix, - @{bin}/nice rix, - @{bin}/ionice rix, - @{bin}/exim4 rPx, - @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not - # using the run-parts profile we are good - - @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - @{lib}/sysstat/debian-sa1 rPUx, - /usr/share/rsync/scripts/rrsync rPUx, + @{sh_path} rix, + @{sbin}/exim4 rPx, + @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/run-parts rCx -> run-parts, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index 15d1b9737..91c531618 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} { @{exec_path} r, - @{bin}/anacron rPx, + @{sbin}/anacron rPx, @{sh_path} rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 29294fa53..0d5d5a081 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /usr/share/cron-apt/{,*} r, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 2aaa6b142..fcf5e4430 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{bin}/apt-config rPx, @{lib}/apt/apt.systemd.daily rPx, 
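Review bot: Dropping `@{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,` and `/usr/share/rsync/scripts/rrsync rPUx,` from the cron profile changes behaviour for jobs that run those scripts through the inherited `@{sh_path} rix` shell: with no matching exec rule the exec is denied rather than falling back to unconfined. If they now have profiles of their own they need an explicit `... rPx,` line here, as was done for `@{lib}/sysstat/debian-sa1 rPx,`; if they are meant to be unreachable from cron, a comment saying so will stop them from being re-added after the next denial. The enclosing `profile cron` starts and ends outside the hunk.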
diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 2c3f90a9a..15f93efec 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -14,15 +14,14 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/{,e}grep rix, - @{bin}/nice rix, @{bin}/ionice rix, @{bin}/ r, @{bin}/update-apt-xapian-index rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index 76657dc94..82b33e8ab 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index ede030682..9399b6ed4 100644 --- a/apparmor.d/groups/cron/cron-cracklib +++ b/apparmor.d/groups/cron/cron-cracklib @@ -15,7 +15,7 @@ profile cron-cracklib @{exec_path} { @{sh_path} rix, @{bin}/logger rix, - @{bin}/update-cracklib rPx, + @{sbin}/update-cracklib rPx, /etc/cracklib/cracklib.conf r, diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index 3e6c182a7..ea9086948 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} { include @{exec_path} r, - @{sh_path} rix, - /usr/bin/debtags rPx, + @{sh_path} rix, + @{bin}/debtags rPx, include if exists } diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 42f2f0823..784dfae19 100644 --- a/apparmor.d/groups/cron/cron-exim4-base 
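Review bot: `@{bin}/nice rix,` is removed from cron-apt-xapian-index while `@{bin}/ionice rix,` stays; as far as I recall the Debian cron script invokes both (`nice -n 19 ionice -c 3 update-apt-xapian-index ...`), and if that is still the case the `nice` exec is denied and the index quietly stops being refreshed. Either restore `@{bin}/nice rix,` or state in the commit why it is no longer needed. The enclosing `profile cron-apt-xapian-index` starts outside the hunk.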
+++ b/apparmor.d/groups/cron/cron-exim4-base @@ -34,13 +34,13 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{bin}/eximstats rix, + @{sbin}/eximstats rix, - @{bin}/exim4 rPx, - @{bin}/exim_tidydb rix, + @{sbin}/exim4 rPx, + @{sbin}/exim_tidydb rix, - @{bin}/start-stop-daemon rix, - @{bin}/runuser rix, + @{sbin}/start-stop-daemon rix, + @{sbin}/runuser rix, /etc/default/exim4 r, diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 601368446..8b5891eed 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save @@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/ipset rix, + @{sbin}/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index abe3542f6..36044b2f3 100644 --- a/apparmor.d/groups/cron/cron-logrotate +++ b/apparmor.d/groups/cron/cron-logrotate @@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/logrotate rPx, + @{sbin}/logrotate rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 8629f7be2..709f843e8 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/start-stop-daemon rix, + @{sbin}/start-stop-daemon rix, @{bin}/xargs rix, @{bin}/find rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index 852e85141..f91956bcd 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate 
@@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, @@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.mlocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/mlocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index 17ab7f745..7221cc6e1 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -14,7 +14,7 @@ profile cron-ntp @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/sed rix, include if exists diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 7080658c3..7f52d1a14 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, @@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.plocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/plocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index dd50a7494..44d3a546f 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/cat rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, 
@@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} { # To send reports via TOR @{bin}/torify rix, @{bin}/torsocks rix, - @{bin}/getcap rix, + @{sbin}/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, @{bin}/savelog rCx -> savelog, /usr/share/popularity-contest/ r, @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, @@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} { include include - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, @{bin}/popularity-contest rPx, @@ -141,7 +141,6 @@ profile cron-popularity-contest @{exec_path} { network inet6 stream, network netlink raw, - @{bin}/perl r, @{bin}/gzip rix, /usr/share/popularity-contest/popcon-upload r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index ccc948b01..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -28,10 +28,10 @@ profile crontab @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, + @{etc_ro}/environment r, + @{etc_ro}/security/*.conf r, /etc/cron.{allow,deny} r, - /etc/environment r, /etc/pam.d/* r, - /etc/security/*.conf r, /var/spool/cron/ r, /var/spool/cron/** rw, diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-beh rename to apparmor.d/groups/cups/cups-backend-beh index e2dbc1b51..1e9fe5b78 100644 --- a/apparmor.d/profiles-a-f/cups-backend-beh +++ b/apparmor.d/groups/cups/cups-backend-beh @@ -13,6 +13,7 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/profiles-a-f/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-bluetooth rename to apparmor.d/groups/cups/cups-backend-bluetooth index ada4926ce..78ffbac77 100644 --- a/apparmor.d/profiles-a-f/cups-backend-bluetooth +++ b/apparmor.d/groups/cups/cups-backend-bluetooth @@ -13,6 +13,7 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-brf rename to apparmor.d/groups/cups/cups-backend-brf index 27e98efc3..6d50b284f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-brf +++ b/apparmor.d/groups/cups/cups-backend-brf @@ -15,6 +15,7 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-dnssd rename to apparmor.d/groups/cups/cups-backend-dnssd index f45b99216..1009a0ef2 100644 --- a/apparmor.d/profiles-a-f/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -14,6 +14,7 @@ profile cups-backend-dnssd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-hp rename to apparmor.d/groups/cups/cups-backend-hp index 636121553..cd9af3d7f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-hp +++ b/apparmor.d/groups/cups/cups-backend-hp @@ -13,6 +13,7 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-implicitclass rename to apparmor.d/groups/cups/cups-backend-implicitclass index ba85c62fa..c71295f83 100644 --- a/apparmor.d/profiles-a-f/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -13,6 +13,7 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-ipp rename to apparmor.d/groups/cups/cups-backend-ipp index b473ecaa3..8d61f4072 100644 --- a/apparmor.d/profiles-a-f/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -13,6 +13,7 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-lpd rename to apparmor.d/groups/cups/cups-backend-lpd index af2901be0..89b62b569 100644 --- a/apparmor.d/profiles-a-f/cups-backend-lpd +++ b/apparmor.d/groups/cups/cups-backend-lpd @@ -13,6 +13,7 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-mdns rename to apparmor.d/groups/cups/cups-backend-mdns index 0b9cce0da..9e5dfbe0f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-mdns +++ b/apparmor.d/groups/cups/cups-backend-mdns 
@@ -13,6 +13,7 @@ profile cups-backend-mdns @{exec_path} {
 @{exec_path} mr,
 /etc/papersize r,
+ /etc/paperspecs r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel
similarity index 95%
rename from apparmor.d/profiles-a-f/cups-backend-parallel
rename to apparmor.d/groups/cups/cups-backend-parallel
index a985e5042..b4340b2ed 100644
--- a/apparmor.d/profiles-a-f/cups-backend-parallel
+++ b/apparmor.d/groups/cups/cups-backend-parallel
@@ -13,6 +13,7 @@ profile cups-backend-parallel @{exec_path} {
 @{exec_path} mr,
 /etc/papersize r,
+ /etc/paperspecs r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf
similarity index 95%
rename from apparmor.d/profiles-a-f/cups-backend-pdf
rename to apparmor.d/groups/cups/cups-backend-pdf
index 7782ecb11..6f658b064 100644
--- a/apparmor.d/profiles-a-f/cups-backend-pdf
+++ b/apparmor.d/groups/cups/cups-backend-pdf
@@ -14,9 +14,10 @@ profile cups-backend-pdf @{exec_path} {
 include
 capability chown,
+ capability dac_override,
+ capability dac_read_search,
 capability setgid,
 capability setuid,
- capability dac_override,
 unix peer=(label=cupsd),
@@ -30,10 +31,11 @@ profile cups-backend-pdf @{exec_path} {
 /usr/share/ghostscript/{,**} r,
- /etc/papersize r,
 /etc/cups/ r,
 /etc/cups/cups-pdf.conf r,
 /etc/cups/ppd/*.ppd r,
+ /etc/papersize r,
+ /etc/paperspecs r,
 /var/log/cups/cups-pdf*_log w,
 /var/spool/cups-pdf/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial
similarity index 95%
rename from apparmor.d/profiles-a-f/cups-backend-serial
rename to apparmor.d/groups/cups/cups-backend-serial
index 3959a091d..26811ab59 100644
--- a/apparmor.d/profiles-a-f/cups-backend-serial
+++ b/apparmor.d/groups/cups/cups-backend-serial
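Review bot: `capability dac_read_search,` is added next to the existing `capability dac_override,`, but for file permission checks dac_override already bypasses everything dac_read_search does, so the only new ability this line gives cups-backend-pdf is open_by_handle_at(2), i.e. opening any inode on a mounted filesystem from a raw handle. If the rule was added because a dac_read_search denial showed up in the log, check that the open actually failed: for read access the kernel probes CAP_DAC_READ_SEARCH before falling back to CAP_DAC_OVERRIDE, so a profile holding only dac_override can log a dac_read_search denial for an access that then succeeds (whether that probe is audited is kernel-version dependent, so verify on the target). If it is genuinely required, a why-comment such as `capability dac_read_search, # <operation seen in the log>` would keep the next reader from dropping it. The rest of the profile is outside these two hunks.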
@@ -13,6 +13,7 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp similarity index 96% rename from apparmor.d/profiles-a-f/cups-backend-snmp rename to apparmor.d/groups/cups/cups-backend-snmp index 5badd529a..816f6c25b 100644 --- a/apparmor.d/profiles-a-f/cups-backend-snmp +++ b/apparmor.d/groups/cups/cups-backend-snmp @@ -19,6 +19,7 @@ profile cups-backend-snmp @{exec_path} { /etc/cups/snmp.conf r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-socket rename to apparmor.d/groups/cups/cups-backend-socket index 3efcf183b..f8f36a056 100644 --- a/apparmor.d/profiles-a-f/cups-backend-socket +++ b/apparmor.d/groups/cups/cups-backend-socket @@ -13,6 +13,7 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb similarity index 96% rename from apparmor.d/profiles-a-f/cups-backend-usb rename to apparmor.d/groups/cups/cups-backend-usb index fa21e0204..7d9dbd237 100644 --- a/apparmor.d/profiles-a-f/cups-backend-usb +++ b/apparmor.d/groups/cups/cups-backend-usb @@ -21,6 +21,7 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/groups/cups/cups-browsed similarity index 78% rename from apparmor.d/profiles-a-f/cups-browsed rename to apparmor.d/groups/cups/cups-browsed index 41d22ed9b..9498f245a 100644 --- a/apparmor.d/profiles-a-f/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed 
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/cups-browsed
+@{exec_path} = @{sbin}/cups-browsed
 profile cups-browsed @{exec_path} {
 include
 include
@@ -16,9 +16,9 @@ profile cups-browsed @{exec_path} {
 include
 include
- capability net_admin,
+# capability net_admin,
 capability net_bind_service,
- capability sys_nice,
+# capability sys_nice,
 network inet dgram,
 network inet6 dgram,
@@ -29,15 +29,22 @@ profile cups-browsed @{exec_path} {
 dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged
- peer=(name=:*, label=avahi-daemon),
+ peer=(name=:*, label="@{p_avahi_daemon}"),
 dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions peer=(name=:*, label=NetworkManager),
+ dbus receive bus=system path=/org/cups/cupsd/Notifier
+ interface=org.cups.cupsd.Notifier
+ member=PrinterDeleted
+ peer=(name=@{busname}, label=cups-notifier-dbus),
+
 @{exec_path} mr,
+ @{bin}/ippfind rPx,
+
 /usr/share/cups/locale/{,**} r,
 /etc/cups/{,**} r,
diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus
similarity index 92%
rename from apparmor.d/profiles-a-f/cups-notifier-dbus
rename to apparmor.d/groups/cups/cups-notifier-dbus
index 6e3b38490..fa31b726d 100644
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/groups/cups/cups-notifier-dbus
@@ -16,6 +16,8 @@ profile cups-notifier-dbus @{exec_path} {
 signal (receive) set=(term) peer=cupsd,
+ #aa:dbus own bus=system name=org.cups.cupsd.Notifier
+
 @{exec_path} mr,
 owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/groups/cups/cups-notifier-mailto
similarity index 100%
rename from apparmor.d/profiles-a-f/cups-notifier-mailto
rename to apparmor.d/groups/cups/cups-notifier-mailto
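Review bot: `# capability net_admin,` and `# capability sys_nice,` are left in the cups-browsed profile as commented-out rules with no reason given, and a rule that survives only as a comment tends to be resurrected by the next person who sees a denial for it. If the capabilities were never needed, delete the two lines; if they are needed in some configurations, keep them active behind a one-line reason, or replace the comment with one that says what was observed, e.g. `# net_admin/sys_nice requested at start-up but not required for printer discovery` — only if that is what the log showed. The rest of the profile's capability list is outside the hunk.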
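Review bot: `@{bin}/ippfind rPx,` requires an `ippfind` profile to transition into, while the cupsd hunk in this same commit keeps `@{bin}/ippfind rix,`; the two daemons should agree — if the profile exists, cupsd should use `rPx` too instead of running a network-facing discovery tool with cupsd's capabilities, and if it does not exist this line needs `rPUx` or the exec is denied in enforce mode. The new `dbus receive … member=PrinterDeleted` rule from `cups-notifier-dbus` admits a single member; if cups-browsed also reacts to other org.cups.cupsd.Notifier signals on that path (PrinterAdded, PrinterModified, job state changes — inferred, not visible here), those are denied as written, so this is worth checking in the log before the profile ships. The profile's remaining file rules are outside the hunk.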
diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/groups/cups/cups-notifier-rss similarity index 100% rename from apparmor.d/profiles-a-f/cups-notifier-rss rename to apparmor.d/groups/cups/cups-notifier-rss diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism similarity index 96% rename from apparmor.d/profiles-a-f/cups-pk-helper-mechanism rename to apparmor.d/groups/cups/cups-pk-helper-mechanism index 89d55c2f1..89d517631 100644 --- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism +++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism @@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} { /etc/cups/ppd/*.ppd r, - owner @{tmp}/[a-z0-9]* rw, + owner @{tmp}/@{int} rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/groups/cups/cupsd similarity index 81% rename from apparmor.d/profiles-a-f/cupsd rename to apparmor.d/groups/cups/cupsd index f65fc8349..acae9b7a1 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cupsd +@{exec_path} = @{sbin}/cupsd profile cupsd @{exec_path} flags=(attach_disconnected) { include include @@ -29,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { capability setuid, capability wake_alarm, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network appletalk dgram, 
@@ -44,20 +46,29 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term) peer=cups-notifier-dbus,
+ dbus send bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member=DeleteDevice
+ peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"),
+ dbus send bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member=FindDeviceById
+ peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"),
+
 @{exec_path} mr,
 @{sh_path} rix,
 @{bin}/cat rix,
 @{bin}/chmod rix,
 @{bin}/cp rix,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
 @{bin}/gs rix,
 @{bin}/gsc rix,
 @{bin}/hostname rix,
 @{bin}/ippfind rix,
 @{bin}/mktemp rix,
 @{bin}/printenv rix,
- @{bin}/python3.@{int} rix,
+ @{python_path} rix,
 @{bin}/rm rix,
 @{bin}/sed rix,
 @{bin}/smbspool rPx,
@@ -90,6 +101,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 @{run}/cups/{,**} rw,
 @{run}/systemd/notify w,
+ @{run}/avahi-daemon/socket rw,
 @{sys}/module/apparmor/parameters/enabled r,
diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm
index 04accbbf0..e0e0bd794 100644
--- a/apparmor.d/groups/display-manager/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/lightdm
 profile lightdm @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
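Review bot: `@{python_path} rix,` keeps the Python interpreter — and therefore every Python filter or backend cupsd spawns — inside cupsd's own profile, so those scripts inherit the capabilities the surrounding context shows (`capability setuid`, `capability wake_alarm`; the full list is above the hunk) plus the new ColorManager D-Bus send rules. The hunk only widens the match from `@{bin}/python3.@{int}` to the `@{python_path}` variable, so the inheritance predates this change, but the interpreter is the entry point for third-party filters and is the natural place for a child profile, e.g. `@{python_path} rCx -> python,` with a sub-profile limited to the spool, PPD and filter paths, so that a compromised filter cannot use cupsd's setuid/chown. If that is out of scope here, a comment stating that `ix` is intentional would save the next reviewer the same question. cupsd's profile continues outside both hunks.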
@@ -36,15 +37,21 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term) peer=xfce-session,
 signal (send) set=(term) peer=xorg,
+ #aa:dbus own bus=system name=org.freedesktop.DisplayManager
+
 @{exec_path} mrix,
- @{bin}/rm rix,
+ @{sh_path} rix,
+ @{bin}/{,e,f}grep rix,
+ @{bin}/df rix,
+ @{bin}/rm rix,
 @{bin}/lightdm-*-greeter rPUx,
 @{bin}/startx rPx,
 @{bin}/Xorg rPx,
 @{bin}/plymouth rPx,
 @{bin}/gnome-keyring-daemon rPx,
+ @{bin}/lightdm-session rPx,
 @{lib}/security-misc/* rPx, #aa:only whonix
 @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
@@ -56,11 +63,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xgreeters/{,**} r,
+ @{etc_ro}/environment r,
+ @{etc_ro}/security/limits.d/{,*} r,
 /etc/default/locale r,
- /etc/environment r,
 /etc/lightdm/{,**} r,
 /etc/machine-id r,
- /etc/security/limits.d/{,*} r,
 /etc/shells r,
 /var/cache/lightdm/dmrc/*.dmrc* rw,
@@ -81,6 +88,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/loginuid rw,
 owner @{PROC}/@{pid}/uid_map r,
+ owner @{PROC}/@{pid}/mountinfo r,
 /dev/tty@{int} r,
diff --git a/apparmor.d/groups/display-manager/lightdm-session b/apparmor.d/groups/display-manager/lightdm-session
new file mode 100644
index 000000000..ea7d62be2
--- /dev/null
+++ b/apparmor.d/groups/display-manager/lightdm-session
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lightdm-session
+profile lightdm-session @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/im-launch rPx,
+
+ @{sh_path} rix,
+ @{bin}/mktemp rix,
+ @{bin}/expr rix,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession
index 445531691..361a30b26 100644
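Review bot: The new `lightdm-session` profile ships in enforce mode (no `flags=(complain)`, which this commit still keeps on mount-cifs and mount-nfs) and allows exactly one exec transition, `@{bin}/im-launch rPx,`. Upstream's lightdm-session is the wrapper that ends by exec'ing the session command handed to it, so unless the packaged script only ever goes through im-launch, a session started directly — or a system with no `im-launch` profile for `rPx` to land in — fails at the greeter with an exec denial and no useful error; the script itself is not visible here, so please confirm what it execs. Suggest `profile lightdm-session @{exec_path} flags=(complain) {` until the session-exec path has been exercised, or at least `@{bin}/im-launch rPUx,` so a missing profile does not break login. If the wrapper also sources /etc/profile and ~/.xprofile as upstream's does, `owner @{HOME}/.xprofile r,` and the matching /etc reads will be needed too.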
--- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index cfdaeed3f..d110fb83b 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -20,12 +20,12 @@ profile xdm-xsession @{exec_path} { @{bin}/basename rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{sbin}/checkproc rix, @{bin}/dirname rix, @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/groups/filesystem/btrfs similarity index 98% rename from apparmor.d/profiles-a-f/btrfs rename to apparmor.d/groups/filesystem/btrfs index 82742fd4a..40149588d 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -25,8 +25,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { / r, /.snapshots/ r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, /opt/ r, /root/ r, diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/groups/filesystem/btrfs-convert similarity index 92% rename from apparmor.d/profiles-a-f/btrfs-convert rename to apparmor.d/groups/filesystem/btrfs-convert index 2dccbf1fd..22715c857 100644 --- a/apparmor.d/profiles-a-f/btrfs-convert +++ b/apparmor.d/groups/filesystem/btrfs-convert @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-convert +@{exec_path} = @{sbin}/btrfs-convert profile btrfs-convert @{exec_path} { include include 
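Review bot: `/boot/ r,` and `/boot/**/ r,` are replaced by `@{efi}/ r,` and `@{efi}/**/ r,` in the btrfs profile, which only preserves the old access if the `@{efi}` tunable (not visible here) expands to /boot itself rather than just to ESP mount points such as /boot/efi or /efi. If it covers only the ESP, `btrfs` loses directory reads on /boot, which matters where /boot is a btrfs subvolume that snapshot tooling enumerates. Unless the tunable definitely includes /boot, keep `/boot/ r,` and `/boot/**/ r,` next to the new lines. The hunk is a fragment of the profile's directory-read list; the rest is outside it.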
diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root similarity index 92% rename from apparmor.d/profiles-a-f/btrfs-find-root rename to apparmor.d/groups/filesystem/btrfs-find-root index eef4b6823..cec2bbb61 100644 --- a/apparmor.d/profiles-a-f/btrfs-find-root +++ b/apparmor.d/groups/filesystem/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-find-root +@{exec_path} = @{sbin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/groups/filesystem/btrfs-image similarity index 93% rename from apparmor.d/profiles-a-f/btrfs-image rename to apparmor.d/groups/filesystem/btrfs-image index 6f18ac095..48be7c381 100644 --- a/apparmor.d/profiles-a-f/btrfs-image +++ b/apparmor.d/groups/filesystem/btrfs-image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-image +@{exec_path} = @{sbin}/btrfs-image profile btrfs-image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/groups/filesystem/btrfs-map-logical similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-map-logical rename to apparmor.d/groups/filesystem/btrfs-map-logical diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/groups/filesystem/btrfs-select-super similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-select-super rename to apparmor.d/groups/filesystem/btrfs-select-super diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/groups/filesystem/btrfstune similarity index 94% rename from apparmor.d/profiles-a-f/btrfstune rename to apparmor.d/groups/filesystem/btrfstune index f8fa4a047..24a8ef46e 100644 --- a/apparmor.d/profiles-a-f/btrfstune +++ b/apparmor.d/groups/filesystem/btrfstune @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfstune +@{exec_path} = @{sbin}/btrfstune profile btrfstune @{exec_path} { include include 
diff --git a/apparmor.d/profiles-a-f/fsck.btrfs b/apparmor.d/groups/filesystem/fsck.btrfs similarity index 92% rename from apparmor.d/profiles-a-f/fsck.btrfs rename to apparmor.d/groups/filesystem/fsck.btrfs index f8ac9419d..512265788 100644 --- a/apparmor.d/profiles-a-f/fsck.btrfs +++ b/apparmor.d/groups/filesystem/fsck.btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.btrfs +@{exec_path} = @{sbin}/fsck.btrfs profile fsck.btrfs @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/fsck.fat b/apparmor.d/groups/filesystem/fsck.fat similarity index 87% rename from apparmor.d/profiles-a-f/fsck.fat rename to apparmor.d/groups/filesystem/fsck.fat index fd944532f..0e7df947d 100644 --- a/apparmor.d/profiles-a-f/fsck.fat +++ b/apparmor.d/groups/filesystem/fsck.fat @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck +@{exec_path} = @{sbin}/fsck.fat @{sbin}/fsck.msdos @{sbin}/fsck.vfat @{sbin}/dosfsck profile fsck.fat @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/groups/filesystem/lvm similarity index 91% rename from apparmor.d/profiles-g-l/lvm rename to apparmor.d/groups/filesystem/lvm index cff4ce186..ad4645bff 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/groups/filesystem/lvm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvm +@{exec_path} = @{sbin}/lvm profile lvm @{exec_path} flags=(attach_disconnected) { include include @@ -23,12 +23,14 @@ profile lvm @{exec_path} flags=(attach_disconnected) { ptrace (read), + mqueue getattr type=posix /, mqueue r type=posix /, @{exec_path} rm, @{etc_rw}/lvm/** rwkl, /etc/multipath.conf r, + /etc/multipath/* r, @{run}/lock/ rw, @{run}/lock/lvm/ rw, @@ -47,6 +49,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { /dev/**/ r, /dev/mapper/control rw, + /dev/root r, include if exists } 
diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/groups/filesystem/lvmconfig similarity index 91% rename from apparmor.d/profiles-g-l/lvmconfig rename to apparmor.d/groups/filesystem/lvmconfig index 5e5a0d1dd..39224c22f 100644 --- a/apparmor.d/profiles-g-l/lvmconfig +++ b/apparmor.d/groups/filesystem/lvmconfig @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmconfig +@{exec_path} = @{sbin}/lvmconfig profile lvmconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/groups/filesystem/lvmdump similarity index 92% rename from apparmor.d/profiles-g-l/lvmdump rename to apparmor.d/groups/filesystem/lvmdump index 6a443fc57..5e90ffeee 100644 --- a/apparmor.d/profiles-g-l/lvmdump +++ b/apparmor.d/groups/filesystem/lvmdump @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmdump +@{exec_path} = @{sbin}/lvmdump profile lvmdump @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld similarity index 88% rename from apparmor.d/profiles-g-l/lvmpolld rename to apparmor.d/groups/filesystem/lvmpolld index fdc3bad3f..cce01b0d0 100644 --- a/apparmor.d/profiles-g-l/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -6,14 +6,14 @@ abi , include -@{exec_path} = @{bin}/lvmpolld +@{exec_path} = @{sbin}/lvmpolld profile lvmpolld @{exec_path} { include include include @{exec_path} rm, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/umount rPx, @{run}/lvmpolld.pid rwk, diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/groups/filesystem/mke2fs similarity index 81% rename from apparmor.d/profiles-m-r/mke2fs rename to apparmor.d/groups/filesystem/mke2fs index acf88197f..90df8ecb1 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs 
@@ -7,9 +7,10 @@ abi , include -@{exec_path} = @{bin}/mke2fs @{bin}/mkfs.ext2 @{bin}/mkfs.ext3 @{bin}/mkfs.ext4 +@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include + include include include @@ -19,7 +20,7 @@ profile mke2fs @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, @@ -34,6 +35,8 @@ profile mke2fs @{exec_path} { owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs similarity index 94% rename from apparmor.d/profiles-m-r/mkfs-btrfs rename to apparmor.d/groups/filesystem/mkfs-btrfs index 1e6c95838..54c83e559 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/groups/filesystem/mkfs-btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mkfs.btrfs +@{exec_path} = @{sbin}/mkfs.btrfs profile mkfs-btrfs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/groups/filesystem/mkfs-fat similarity index 100% rename from apparmor.d/profiles-m-r/mkfs-fat rename to apparmor.d/groups/filesystem/mkfs-fat diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/groups/filesystem/mkntfs similarity index 100% rename from apparmor.d/profiles-m-r/mkntfs rename to apparmor.d/groups/filesystem/mkntfs diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/groups/filesystem/mkswap similarity index 94% rename from apparmor.d/profiles-m-r/mkswap rename to apparmor.d/groups/filesystem/mkswap index 4a818cd58..fa30030f3 100644 --- a/apparmor.d/profiles-m-r/mkswap +++ b/apparmor.d/groups/filesystem/mkswap 
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/mkswap
+@{exec_path} = @{sbin}/mkswap
 profile mkswap @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/groups/filesystem/mount
similarity index 100%
rename from apparmor.d/profiles-m-r/mount
rename to apparmor.d/groups/filesystem/mount
diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/groups/filesystem/mount-cifs
similarity index 69%
rename from apparmor.d/profiles-m-r/mount-cifs
rename to apparmor.d/groups/filesystem/mount-cifs
index 78651ba23..a6c8d01e3 100644
--- a/apparmor.d/profiles-m-r/mount-cifs
+++ b/apparmor.d/groups/filesystem/mount-cifs
@@ -7,42 +7,52 @@ abi ,
 include
-@{exec_path} = @{bin}/mount.cifs
+@{exec_path} = @{sbin}/mount.cifs
 profile mount-cifs @{exec_path} flags=(complain) {
 include
+ include
 include
- # To mount anything.
 capability sys_admin,
-
- # (#FIXME#)
 capability setpcap,
+ capability dac_read_search,
+ network inet dgram,
 network inet stream,
+ network inet6 dgram,
 network inet6 stream,
 network netlink raw,
+ mount fstype=cifs -> @{HOME}/*/,
+ mount fstype=cifs -> @{HOME}/*/*/,
+ mount fstype=cifs -> @{MOUNTDIRS}/,
+ mount fstype=cifs -> @{MOUNTS}/,
+ mount fstype=cifs -> @{MOUNTS}/*/,
+ mount fstype=cifs -> @{MOUNTS}/*/*/,
+
+ umount @{HOME}/*/,
+ umount @{HOME}/*/*/,
+ umount @{MOUNTDIRS}/,
+ umount @{MOUNTS}/,
+ umount @{MOUNTS}/*/,
+ umount @{MOUNTS}/*/*/,
+
 @{exec_path} mr,
 @{bin}/systemd-ask-password rPUx,
 /etc/fstab r,
+ /etc/sync-credentials r,
 owner @{HOME}/.smbcredentials r,
 # Mount points
+ @{HOME}/*/ r,
+ @{HOME}/*/*/ r,
 @{MOUNTDIRS}/ r,
 @{MOUNTS}/ r,
 @{MOUNTS}/*/ r,
-
- # Allow to mount smb/cifs disks only under the /media/ dirs
- mount fstype=cifs -> @{MOUNTDIRS}/,
- mount fstype=cifs -> @{MOUNTS}/,
- mount fstype=cifs -> @{MOUNTS}/*/,
-
- umount @{MOUNTDIRS}/,
- umount @{MOUNTS}/,
- umount @{MOUNTS}/*/,
+ @{MOUNTS}/*/*/ r,
 include if exists
 }
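Review bot: `capability setpcap,` keeps its grant but loses the `# (#FIXME#)` marker without anything added to say why mount.cifs needs it, and the profile still carries `flags=(complain)`, so none of the new `mount fstype=cifs -> @{HOME}/*/` targets, the matching umount rules or `capability dac_read_search,` are actually enforced yet; either drop complain if the rule set is now believed complete, or keep the FIXME so the open question survives. `/etc/sync-credentials r,` does not look like a path cifs-utils ships or documents (mount.cifs reads whatever `credentials=` names), so if it comes from one machine's fstab it belongs in the `local/mount-cifs` override rather than the shared profile. A one-line why-comment on `dac_read_search` would help too: mount.cifs toggles that capability while checking the mount point and credentials file when it runs setuid, which is presumably what the log showed — confirm before relying on it.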
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/groups/filesystem/mount-nfs similarity index 96% rename from apparmor.d/profiles-m-r/mount-nfs rename to apparmor.d/groups/filesystem/mount-nfs index 26f3e2d57..f670b62d7 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/groups/filesystem/mount-nfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mount.nfs +@{exec_path} = @{sbin}/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include @@ -42,7 +42,7 @@ profile mount-nfs @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/flock rix, - @{bin}/start-statd rix, + @{sbin}/start-statd rix, @{bin}/systemctl rCx -> systemctl, /etc/fstab r, diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/groups/filesystem/mount-zfs similarity index 100% rename from apparmor.d/profiles-m-r/mount-zfs rename to apparmor.d/groups/filesystem/mount-zfs diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/groups/filesystem/mtools similarity index 100% rename from apparmor.d/profiles-m-r/mtools rename to apparmor.d/groups/filesystem/mtools diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/groups/filesystem/nfsdcld similarity index 94% rename from apparmor.d/profiles-m-r/nfsdcld rename to apparmor.d/groups/filesystem/nfsdcld index be122a3cb..23ecc576e 100644 --- a/apparmor.d/profiles-m-r/nfsdcld +++ b/apparmor.d/groups/filesystem/nfsdcld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nfsdcld +@{exec_path} = @{sbin}/nfsdcld profile nfsdcld @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g similarity index 100% rename from apparmor.d/profiles-m-r/ntfs-3g rename to apparmor.d/groups/filesystem/ntfs-3g diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/groups/filesystem/ntfs-3g-probe similarity index 100% rename from apparmor.d/profiles-m-r/ntfs-3g-probe rename to apparmor.d/groups/filesystem/ntfs-3g-probe 
diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/groups/filesystem/ntfscat similarity index 100% rename from apparmor.d/profiles-m-r/ntfscat rename to apparmor.d/groups/filesystem/ntfscat diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/groups/filesystem/ntfsclone similarity index 95% rename from apparmor.d/profiles-m-r/ntfsclone rename to apparmor.d/groups/filesystem/ntfsclone index c239e81af..c6443bf7a 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/groups/filesystem/ntfsclone @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsclone +@{exec_path} = @{sbin}/ntfsclone profile ntfsclone @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/groups/filesystem/ntfscluster similarity index 100% rename from apparmor.d/profiles-m-r/ntfscluster rename to apparmor.d/groups/filesystem/ntfscluster diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/groups/filesystem/ntfscmp similarity index 100% rename from apparmor.d/profiles-m-r/ntfscmp rename to apparmor.d/groups/filesystem/ntfscmp diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/groups/filesystem/ntfscp similarity index 96% rename from apparmor.d/profiles-m-r/ntfscp rename to apparmor.d/groups/filesystem/ntfscp index 2e36046ba..f3bc38b6a 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/groups/filesystem/ntfscp @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfscp +@{exec_path} = @{sbin}/ntfscp profile ntfscp @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/groups/filesystem/ntfsdecrypt similarity index 100% rename from apparmor.d/profiles-m-r/ntfsdecrypt rename to apparmor.d/groups/filesystem/ntfsdecrypt diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/groups/filesystem/ntfsfallocate similarity index 100% rename from apparmor.d/profiles-m-r/ntfsfallocate rename to apparmor.d/groups/filesystem/ntfsfallocate 
diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/groups/filesystem/ntfsfix similarity index 100% rename from apparmor.d/profiles-m-r/ntfsfix rename to apparmor.d/groups/filesystem/ntfsfix diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/groups/filesystem/ntfsinfo similarity index 100% rename from apparmor.d/profiles-m-r/ntfsinfo rename to apparmor.d/groups/filesystem/ntfsinfo diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/groups/filesystem/ntfslabel similarity index 93% rename from apparmor.d/profiles-m-r/ntfslabel rename to apparmor.d/groups/filesystem/ntfslabel index 471aefaa1..5d4089a44 100644 --- a/apparmor.d/profiles-m-r/ntfslabel +++ b/apparmor.d/groups/filesystem/ntfslabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfslabel +@{exec_path} = @{sbin}/ntfslabel profile ntfslabel @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/groups/filesystem/ntfsls similarity index 100% rename from apparmor.d/profiles-m-r/ntfsls rename to apparmor.d/groups/filesystem/ntfsls diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/groups/filesystem/ntfsmove similarity index 100% rename from apparmor.d/profiles-m-r/ntfsmove rename to apparmor.d/groups/filesystem/ntfsmove diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/groups/filesystem/ntfsrecover similarity index 100% rename from apparmor.d/profiles-m-r/ntfsrecover rename to apparmor.d/groups/filesystem/ntfsrecover diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/groups/filesystem/ntfsresize similarity index 93% rename from apparmor.d/profiles-m-r/ntfsresize rename to apparmor.d/groups/filesystem/ntfsresize index 5c7d5c835..3eac37d70 100644 --- a/apparmor.d/profiles-m-r/ntfsresize +++ b/apparmor.d/groups/filesystem/ntfsresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsresize +@{exec_path} = @{sbin}/ntfsresize profile ntfsresize @{exec_path} { include include 
diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/groups/filesystem/ntfssecaudit
similarity index 100%
rename from apparmor.d/profiles-m-r/ntfssecaudit
rename to apparmor.d/groups/filesystem/ntfssecaudit
diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/groups/filesystem/ntfstruncate
similarity index 100%
rename from apparmor.d/profiles-m-r/ntfstruncate
rename to apparmor.d/groups/filesystem/ntfstruncate
diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/groups/filesystem/ntfsundelete
similarity index 94%
rename from apparmor.d/profiles-m-r/ntfsundelete
rename to apparmor.d/groups/filesystem/ntfsundelete
index 4d96d1dbd..9f68cba7a 100644
--- a/apparmor.d/profiles-m-r/ntfsundelete
+++ b/apparmor.d/groups/filesystem/ntfsundelete
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/ntfsundelete
+@{exec_path} = @{sbin}/ntfsundelete
 profile ntfsundelete @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/groups/filesystem/ntfsusermap
similarity index 100%
rename from apparmor.d/profiles-m-r/ntfsusermap
rename to apparmor.d/groups/filesystem/ntfsusermap
diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/groups/filesystem/ntfswipe
similarity index 100%
rename from apparmor.d/profiles-m-r/ntfswipe
rename to apparmor.d/groups/filesystem/ntfswipe
diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/groups/filesystem/udiskie
similarity index 80%
rename from apparmor.d/profiles-s-z/udiskie
rename to apparmor.d/groups/filesystem/udiskie
index 014955032..53b726c23 100644
--- a/apparmor.d/profiles-s-z/udiskie
+++ b/apparmor.d/groups/filesystem/udiskie
@@ -11,19 +11,15 @@ include
 profile udiskie @{exec_path} {
 include
 include
- include
- include
+ include
 include
- include
- include
+ include
 include
- include
 include
- include
- include
+ include
 @{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
 @{bin}/ r,
 @{open_path} rPx -> child-open,
diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info
similarity index 92%
rename from apparmor.d/profiles-s-z/udiskie-info
rename to apparmor.d/groups/filesystem/udiskie-info
index 855c5b54c..b59b91472 100644
--- a/apparmor.d/profiles-s-z/udiskie-info
+++ b/apparmor.d/groups/filesystem/udiskie-info
@@ -13,9 +13,10 @@ profile udiskie-info @{exec_path} {
 include
 @{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
- /usr/bin/ r,
+ @{bin}/ r,
+ @{sbin}/ r,
 owner @{user_config_dirs}/udiskie/ r,
 owner @{user_config_dirs}/udiskie/config.yml r,
diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount
similarity index 92%
rename from apparmor.d/profiles-s-z/udiskie-mount
rename to apparmor.d/groups/filesystem/udiskie-mount
index a57a6091f..3ec9e422a 100644
--- a/apparmor.d/profiles-s-z/udiskie-mount
+++ b/apparmor.d/groups/filesystem/udiskie-mount
@@ -13,9 +13,10 @@ profile udiskie-mount @{exec_path} {
 include
 @{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
- /usr/bin/ r,
+ @{bin}/ r,
+ @{sbin}/ r,
 owner @{user_config_dirs}/udiskie/ r,
 owner @{user_config_dirs}/udiskie/config.yml r,
diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount
similarity index 92%
rename from apparmor.d/profiles-s-z/udiskie-umount
rename to apparmor.d/groups/filesystem/udiskie-umount
index 8fe075f94..01271bdc6 100644
--- a/apparmor.d/profiles-s-z/udiskie-umount
+++ b/apparmor.d/groups/filesystem/udiskie-umount
@@ -13,9 +13,10 @@ profile udiskie-umount @{exec_path} {
 include
 @{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
- /usr/bin/ r,
+ @{bin}/ r,
+ @{sbin}/ r,
 owner @{user_config_dirs}/udiskie/ r,
 owner @{user_config_dirs}/udiskie/config.yml r,
diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/groups/filesystem/udisksctl
similarity index 100%
rename from apparmor.d/profiles-s-z/udisksctl
rename to apparmor.d/groups/filesystem/udisksctl
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/groups/filesystem/udisksd
similarity index 79%
rename from apparmor.d/profiles-s-z/udisksd
rename to apparmor.d/groups/filesystem/udisksd
index 909112a70..91d4a8569 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/groups/filesystem/udisksd
@@ -19,6 +19,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 capability dac_read_search,
 capability fowner,
 capability fsetid,
+ capability ipc_lock,
 capability net_admin,
 capability setgid,
 capability setuid,
@@ -48,7 +49,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 mount options=(rw move) -> @{MOUNTS}/,
 mount options=(rw move) -> @{MOUNTS}/*/,
- mount fstype=vfat -> /boot/efi/,
+ mount fstype=vfat -> @{efi}/,
 # Allow mounting on temporary mount point
 mount -> @{run}/udisks2/temp-mount-*/,
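Review bot: `capability ipc_lock,` is added to udisksd without the in-line reason this repository gives other unusual grants; ipc_lock lets the daemon bypass RLIMIT_MEMLOCK (mlock, locked shared memory), which a disk-management daemon does not obviously need. If it is for keeping LUKS passphrase material out of swap, and the `@{run}/cryptsetup/` rules in the third hunk of this file point that way, write it on the line: `capability ipc_lock, # mlock key material while unlocking encrypted volumes (TODO: confirm)`. Without that the grant is hard to audit against the next udisks release.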
@@ -58,37 +59,32 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
 umount @{run}/udisks2/temp-mount-*/,
- umount /boot/efi/,
+ umount @{efi}/,
 umount /media/cdrom@{int}/,
 signal receive set=int peer=@{p_systemd},
 #aa:dbus own bus=system name=org.freedesktop.UDisks2
- #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
- #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
-
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+ #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
+ #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
 @{exec_path} mr,
 @{sh_path} rix,
 @{bin}/umount rix,
- @{bin}/dmidecode rPx,
- @{bin}/dumpe2fs rPx,
+ @{sbin}/dmidecode rPx,
+ @{sbin}/dumpe2fs rPx,
 @{bin}/eject rPx,
- @{bin}/fsck.fat rPx,
- @{bin}/lvm rPUx,
- @{bin}/mke2fs rPx,
- @{bin}/mkfs.* rPx,
+ @{sbin}/fsck.fat rPx,
+ @{sbin}/lvm rPUx,
+ @{sbin}/mke2fs rPx,
+ @{sbin}/mkfs.* rPx,
 @{bin}/mount.exfat-fuse rPUx,
 @{bin}/ntfs-3g rPx,
 @{bin}/ntfsfix rPx,
- @{bin}/sfdisk rPx,
- @{bin}/sgdisk rPx,
+ @{sbin}/sfdisk rPx,
+ @{sbin}/sgdisk rPx,
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/systemd-escape rPx,
 @{bin}/xfs_* rPUx,
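Review bot: The explicit `dbus send ... member={GetConnectionUnixUser,GetConnectionUnixProcessID}` rule to the bus daemon is dropped here with nothing in the hunk replacing it, and the same removal is made in accounts-daemon, colord, geoclue, pipewire and pipewire-media-session further down in this diff. That is only safe if the `#aa:dbus own` directive, or an abstraction behind one of the `include` lines whose target is stripped from this view, now generates those sends, because these services ask the bus daemon for the caller's uid/pid before their polkit checks. A line in the commit message naming where the rule moved, plus a look at `aa-log` after the integration run for denied `org.freedesktop.DBus` sends from these profiles, would close that gap.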
@@ -116,23 +112,24 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 @{run}/cryptsetup/ r,
 @{run}/cryptsetup/L* rwk,
- @{run}/udev/data/+acpi:* r, # for acpi
+ @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+platform:* r,
- @{run}/udev/data/+scsi:* r,
- @{run}/udev/data/+vmbus:* r,
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
+ @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI
+ @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices)
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
 @{sys}/bus/ r,
 @{sys}/bus/pci/slots/ r,
+ @{sys}/bus/pci/slots/@{int}-@{int}/address r,
 @{sys}/bus/pci/slots/@{int}/address r,
 @{sys}/bus/scsi/devices/ r,
 @{sys}/class/ r,
 @{sys}/class/nvme-subsystem/ r,
 @{sys}/class/nvme/ r,
- @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
- @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
- @{sys}/devices/@{pci}/uevent r,
+ @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}@{int}/{,**/}uevent w,
+ @{sys}/devices/@{pci}/{ata,usb,mmc}@{int}/{,**/}remove rw,
+ @{sys}/devices/@{pci}/uevent rw,
 @{sys}/devices/**/net/*/ r,
 @{sys}/devices/**/uevent r,
 @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/groups/filesystem/umount.udisks2
similarity index 91%
rename from apparmor.d/profiles-s-z/umount.udisks2
rename to apparmor.d/groups/filesystem/umount.udisks2
index 4e842c7fb..752a1d5d3 100644
--- a/apparmor.d/profiles-s-z/umount.udisks2
+++ b/apparmor.d/groups/filesystem/umount.udisks2
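Review bot: `@{sys}/devices/@{pci}/uevent rw,` widens the PCI root's uevent file from read to write; writing a sysfs uevent file makes the kernel re-emit a device event, so this is a device-management action rather than an attribute read, and it deserves the same in-line comment the hunk gives the udev data files, e.g. `@{sys}/devices/@{pci}/uevent rw, # Re-trigger uevents when rescanning devices (TODO: confirm the write is needed)`. The rule three lines above already grants `w` on the per-controller uevent files, so if this is the same use case the comment can say so. Replacing `[0-9]` with `@{int}` in the controller patterns also matches multi-digit controller numbers, which the old single-digit class did not.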
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/umount.udisks2
+@{exec_path} = @{sbin}/umount.udisks2
 profile umount.udisks2 @{exec_path} flags=(complain) {
 include
diff --git a/apparmor.d/profiles-a-f/firewall-applet b/apparmor.d/groups/firewall/firewall-applet
similarity index 95%
rename from apparmor.d/profiles-a-f/firewall-applet
rename to apparmor.d/groups/firewall/firewall-applet
index 17fca1462..280bd9d04 100644
--- a/apparmor.d/profiles-a-f/firewall-applet
+++ b/apparmor.d/groups/firewall/firewall-applet
@@ -17,7 +17,7 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{bin}/ r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-a-f/firewall-config b/apparmor.d/groups/firewall/firewall-config
similarity index 100%
rename from apparmor.d/profiles-a-f/firewall-config
rename to apparmor.d/groups/firewall/firewall-config
diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/groups/firewall/firewalld
similarity index 64%
rename from apparmor.d/profiles-a-f/firewalld
rename to apparmor.d/groups/firewall/firewalld
index 142b25cde..57a0baa20 100644
--- a/apparmor.d/profiles-a-f/firewalld
+++ b/apparmor.d/groups/firewall/firewalld
@@ -6,10 +6,9 @@ abi ,
 include
-@{exec_path} = @{bin}/firewalld
+@{exec_path} = @{sbin}/firewalld
 profile firewalld @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
 include
 include
@@ -21,7 +20,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
 capability net_admin,
 capability net_raw,
 capability setpcap,
- capability sys_module,
 network inet raw,
 network inet6 raw,
@@ -30,19 +28,20 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.fedoraproject.FirewallD1
 @{exec_path} mr,
+ @{python_path} r,
 @{bin}/ r,
- @{bin}/alts rix,
- @{bin}/ebtables-legacy rix,
- @{bin}/ebtables-legacy-restore rix,
- @{bin}/false rix,
- @{bin}/ipset rix,
- @{bin}/kmod rix,
- @{bin}/modprobe rix,
- @{bin}/xtables-legacy-multi rix,
- @{bin}/xtables-nft-multi rix,
+ @{sbin}/ r,
+ @{bin}/alts ix,
+ @{bin}/false ix,
+ @{bin}/kmod Cx -> kmod,
+ @{bin}/ebtables-legacy ix,
+ @{bin}/ebtables-legacy-restore ix,
+ @{sbin}/ipset ix,
+ @{sbin}/xtables-legacy-multi ix,
+ @{sbin}/xtables-nft-multi mix,
- /usr/local/lib/python3.@{int}/dist-packages/ r,
+ /usr/local/lib/@{python_name}/dist-packages/ r,
 /usr/share/iproute2/{,**} r,
 /usr/share/libalternatives/{,**} r,
@@ -56,18 +55,25 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
 /var/log/firewalld rw,
 @{run}/firewalld/{,*} rw,
- @{run}/modprobe.d/{,*.conf} r,
 @{run}/xtables.lock rwk,
- @{sys}/module/compression r,
- @{sys}/module/*/initstate r,
-
- @{PROC}/sys/kernel/modprobe r,
 @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pids}/net/ip_tables_names r,
+ profile kmod flags=(attach_disconnected) {
+ include
+ include
+
+ capability sys_module,
+
+ @{sys}/module/compression r,
+ @{sys}/module/nf_*/initstate r,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/groups/firewall/nft
similarity index 96%
rename from apparmor.d/profiles-m-r/nft
rename to apparmor.d/groups/firewall/nft
index 292b22043..2392829c8 100644
--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/groups/firewall/nft
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/nft
+@{exec_path} = @{sbin}/nft
 profile nft @{exec_path} {
 include
 include
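Review bot: The two `kmod` child profiles this commit introduces use different exec modes: firewalld has `@{bin}/kmod Cx -> kmod,` with `ix`/`mix` for the xtables helpers, while ufw below writes `@{bin}/kmod rCx -> kmod,` and `rix`, and the other exec rules in this diff (`@{sh_path} rix,`, `@{bin}/umount rix,`) all carry `r`; one spelling should be picked. Neither `kmod` child shows a `@{bin}/kmod mr,` rule, so the binary mapping must come from the two `include` lines whose targets are stripped here; a comment naming that abstraction on the include would make the child auditable without a lookup. Moving `capability sys_module` out of the main firewalld profile (hunk `@@ -21,7 +20,6 @@`) into the child is the right direction, since only the module loader now holds it.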
diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/groups/firewall/ufw
similarity index 55%
rename from apparmor.d/profiles-s-z/ufw
rename to apparmor.d/groups/firewall/ufw
index b7e5f0c79..39517ee6c 100644
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/groups/firewall/ufw
@@ -7,10 +7,10 @@ abi ,
 include
-@{exec_path} = @{bin}/ufw
+@{exec_path} = @{sbin}/ufw
 profile ufw @{exec_path} flags=(attach_disconnected) {
 include
- include
+ include
 include
 include
@@ -29,14 +29,15 @@ profile ufw @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/ r,
- @{bin}/cat ix,
- @{bin}/env r,
- @{bin}/python3.@{int} ix,
- @{bin}/sysctl ix,
- @{bin}/xtables-legacy-multi ix,
- @{bin}/xtables-nft-multi ix,
- @{lib}/ufw/ufw-init ix,
+ @{python_path} rix,
+ @{sbin}/ r,
+ @{bin}/cat rix,
+ @{bin}/env r,
+ @{bin}/kmod rCx -> kmod,
+ @{lib}/ufw/ufw-init rPx,
+ @{sbin}/sysctl rCx -> sysctl,
+ @{sbin}/xtables-legacy-multi rix,
+ @{sbin}/xtables-nft-multi rix,
 /etc/default/ufw rw,
 /etc/ufw/ rw,
@@ -56,6 +57,33 @@ profile ufw @{exec_path} flags=(attach_disconnected) {
 @{PROC}/sys/net/ipv{4,6}/** rw,
 @{PROC}/sys/kernel/modprobe r,
+ profile kmod flags=(attach_disconnected) {
+ include
+ include
+
+ capability sys_module,
+
+ @{sys}/module/compression r,
+ @{sys}/module/*/initstate r,
+
+ include if exists
+ }
+
+ profile sysctl {
+ include
+ include
+
+ capability net_admin,
+
+ @{sbin}/sysctl mr,
+
+ /etc/ufw/sysctl.conf r,
+
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init
new file mode 100644
index 000000000..aae80b87d
--- /dev/null
+++ b/apparmor.d/groups/firewall/ufw-init
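Review bot: The ufw `kmod` child profile grants `@{sys}/module/*/initstate r,` while the otherwise identical child added to firewalld above restricts it to `@{sys}/module/nf_*/initstate r,`; if ufw, like firewalld, only probes netfilter modules through the xtables helpers, the narrower pattern works here too and keeps the two children in step. The `sysctl` child profile is copied verbatim into the new ufw-init profile that follows; a shared abstraction, or at least a comment pointing at the copy, would keep the two from drifting. `@{PROC}/sys/kernel/modprobe r,` stays in the main ufw profile even though module handling now goes through the child, so it is worth confirming the parent still needs it. Splitting `@{lib}/ufw/ufw-init` out to `rPx` instead of `ix` is a real reduction of what the ufw profile itself can do.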
@@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/ufw/ufw-init
+profile ufw-init @{exec_path} {
+ include
+ include
+
+ capability dac_read_search,
+ capability net_admin,
+
+ network inet dgram,
+ network inet raw,
+ network inet6 dgram,
+ network inet6 raw,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/echo rix,
+ @{sbin}/sysctl rCx -> sysctl,
+ @{sbin}/xtables-legacy-multi rix,
+ @{sbin}/xtables-nft-multi rix,
+
+ /etc/default/ufw r,
+ /etc/ufw/* r,
+
+ @{PROC}/@{pid}/net/ip_tables_names r,
+ # @{PROC}/sys/net/ipv{4,6}/** rw,
+
+ profile sysctl {
+ include
+ include
+
+ capability net_admin,
+
+ @{sbin}/sysctl mr,
+
+ /etc/ufw/sysctl.conf r,
+
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/groups/flatpak/flatpak
similarity index 71%
rename from apparmor.d/profiles-a-f/flatpak
rename to apparmor.d/groups/flatpak/flatpak
index bc21a583f..c34ae962f 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@@ -9,9 +9,12 @@ include
 @{exec_path} = @{bin}/flatpak
 profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
 include
+ include
 include
 include
- include
+ include
+ include
+ include
 include
 include
 include
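Review bot: The commented-out `# @{PROC}/sys/net/ipv{4,6}/** rw,` in the new ufw-init profile carries no explanation, so it reads as either a leftover or a grant still pending. If the intent is that sysctl writes happen only inside the `sysctl` child profile, which does hold that rule, say so on the line, `# sysctl writes are confined to the sysctl child profile below`, or drop it. The main profile keeps `capability net_admin,` alongside the child, which is expected because the xtables helpers run `rix`, but a short comment on the capability line would keep a later reader from trying to move it into the child as well.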
@@ -37,6 +40,15 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 signal send peer=flatpak-app,
+ #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper
+ #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
+ #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
+
+ dbus send bus=session path=/org/freedesktop/portal/documents
+ interface=org.freedesktop.portal.Documents
+ member=GetMountPoint
+ peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
+
 @{exec_path} mr,
 @{bin}/bwrap rPx -> flatpak-app,
@@ -46,6 +58,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 @{bin}/gpgsm rCx -> gpg,
 @{lib}/revokefs-fuse rix,
+ @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+ @{lib}/polkit-agent-helper-[0-9] rPx,
+
 /usr/share/flatpak/{,**} r,
 /etc/flatpak/{,**} r,
@@ -57,7 +72,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 /var/tmp/#@{int} rw,
 /var/tmp/flatpak-cache-@{rand6}/{,**/} r,
- owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk,
+ owner /var/tmp/flatpak-cache-@{rand6}/ rw,
+ owner /var/tmp/flatpak-cache-@{rand6}/** rwlk -> /var/tmp/flatpak-cache-@{rand6}/**,
 owner @{HOME}/.var/ w,
 owner @{HOME}/.var/app/{,**} rw,
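Review bot: The new `dbus send` to org.freedesktop.portal.Documents accepts a peer label of either `xdg-document-portal` or `unconfined`; the `unconfined` alternative is what makes the rule work where the portal has no profile, but it also means the rule matches any unconfined process holding that bus name. That is a defensible trade-off for a profile still flagged `complain`, but it deserves an in-line comment, `# unconfined: xdg-document-portal is not confined on every distribution`, so the fallback is not copied into enforce-mode profiles without thought. In the next hunk the polkit helper rules use `[0-9]` for the version suffix where the rest of this file uses `@{int}` (`/var/tmp/#@{int} rw,`); the same spelling appears in polkit-gnome-authentication-agent further down, so whichever is intended should be used in both. The `rwlk` link rule in the third hunk now names the link target explicitly, which is tighter than the old `{,**} rwk`.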
@@ -75,13 +91,18 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 @{user_share_dirs}/flatpak/{,**} r,
 owner @{user_share_dirs}/ r,
- owner @{user_share_dirs}/flatpak/{,**} rwl,
+ owner @{user_share_dirs}/flatpak/ rw,
+ owner @{user_share_dirs}/flatpak/** rwlk,
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw,
+ owner @{tmp}/remote-summary-sig.@{rand6} rw,
+ owner @{tmp}/remote-summary.@{rand6} rw,
 owner /dev/shm/flatpak*/{,**} rw,
- @{run}/.userns r,
+ @{run}/.userns r,
+ @{att}/@{run}/.userns r,
+
 @{run}/user/@{uid}/.dbus-proxy/ w,
 @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/.dbus-proxy/* rw,
@@ -110,36 +131,30 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 capability dac_read_search,
- @{bin}/gpg{,2} mr,
- @{bin}/gpgconf mr,
- @{bin}/gpgsm mr,
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgconf mr,
+ @{bin}/gpgsm mr,
+ @{bin}/gpg-agent rix,
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
 owner @{tmp}/ostree-gpg-@{rand6}/ rw,
 owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
+ owner @{PROC}/@{pid}/fd/ r,
+
 include if exists
 }
 profile fusermount {
 include
- include
- include
+ include
- capability sys_admin,
+ capability setuid,
 mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
 umount /var/tmp/flatpak-cache-*/*/,
- @{bin}/fusermount{,3} mr,
-
- /etc/fuse.conf r,
-
- @{PROC}/@{pids}/mounts r,
-
- /dev/fuse rw,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app
similarity index 96%
rename from apparmor.d/profiles-a-f/flatpak-app
rename to apparmor.d/groups/flatpak/flatpak-app
index e332f50ca..a816e58b8 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/groups/flatpak/flatpak-app
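Review bot: In the `fusermount` child profile `capability sys_admin,` is replaced by `capability setuid,`, yet the `mount fstype=fuse.revokefs-fuse ...` and `umount` rules stay; mount(2) and umount(2) need CAP_SYS_ADMIN, so unless the single `include` that replaces the two removed ones supplies it (its target is stripped from this view), those rules become dead and revokefs mounting fails once the profile leaves `complain`. The same include presumably also carries the dropped `@{bin}/fusermount{,3} mr,`, `/etc/fuse.conf r,` and `/dev/fuse rw,` rules; naming that abstraction in a comment on the include line would make the child auditable. Separately, `@{bin}/gpg-agent rix,` in the `gpg` child runs the agent under a profile that also holds `capability dac_read_search,`; consider whether the agent needs that or should get its own transition.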
@@ -41,12 +41,12 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 network netlink raw,
 network unix stream,
- ptrace (read),
+ ptrace read,
 ptrace trace peer=flatpak-app,
 signal receive peer=flatpak,
 signal receive set=(int term) peer=flatpak-portal,
- signal receive set=(int) peer=flatpak-session-helper,
+ signal receive set=(int term) peer=flatpak-session-helper,
 @{bin}/** rmix,
 @{lib}/** rmix,
@@ -57,6 +57,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 /var/lib/flatpak/app/*/**/@{bin}/** rmix,
 /var/lib/flatpak/app/*/**/@{lib}/** rmix,
+ @{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm,
 @{run}/flatpak/app/*/**so* rm,
 @{run}/parent/@{bin}/** rmix,
 @{run}/parent/@{lib}/** rmix,
@@ -81,7 +82,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 /var/lib/flatpak/app/{,**} r,
 /var/lib/flatpak/exports/** rw,
- /var/tmp/etilqs_@{hex16} rw,
 @{run}/.userns r,
 @{run}/parent/** r,
diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/groups/flatpak/flatpak-oci-authenticator
similarity index 100%
rename from apparmor.d/profiles-a-f/flatpak-oci-authenticator
rename to apparmor.d/groups/flatpak/flatpak-oci-authenticator
diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal
similarity index 100%
rename from apparmor.d/profiles-a-f/flatpak-portal
rename to apparmor.d/groups/flatpak/flatpak-portal
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper
similarity index 100%
rename from apparmor.d/profiles-a-f/flatpak-session-helper
rename to apparmor.d/groups/flatpak/flatpak-session-helper
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper
similarity index 88%
rename from apparmor.d/profiles-a-f/flatpak-system-helper
rename to apparmor.d/groups/flatpak/flatpak-system-helper
index 2268de064..1381a1483 100644
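Review bot: `@{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm,` hard-codes one application's file name into the generic flatpak-app profile and grants `m` on a file created at run time under the app's runtime directory; presumably this is the executable shared-memory file Chromium-based apps create, but nothing on the line says so. Suggest `# Chromium-based apps map their executable shared-memory file from the app runtime dir` on the rule, and a check whether the existing `@{run}/flatpak/app/*/**so* rm,` pattern could be generalised rather than enumerating app ids one by one. Widening the session-helper signal set to `(int term)` matches the flatpak-portal rule two lines above, which is the consistent choice.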
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/groups/flatpak/flatpak-system-helper
@@ -9,12 +9,15 @@ include
 @{exec_path} = @{lib}/flatpak-system-helper
 profile flatpak-system-helper @{exec_path} {
 include
+ include
+ include
 include
 include
 include
 capability chown,
 capability dac_override,
+ capability dac_read_search,
 capability fowner,
 capability net_admin,
 capability setgid,
@@ -22,7 +25,7 @@ profile flatpak-system-helper @{exec_path} {
 capability sys_nice,
 capability sys_ptrace,
- ptrace (read),
+ ptrace read,
 #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper
@@ -37,8 +40,9 @@ profile flatpak-system-helper @{exec_path} {
 /etc/flatpak/{,**} r,
 /etc/machine-id r,
- /usr/share/mime/mime.cache r,
+ /usr/share/flatpak/remotes.d/{,**} r,
 /usr/share/flatpak/triggers/ r,
+ /usr/share/mime/mime.cache r,
 /var/lib/flatpak/{,**} rwkl,
 /var/tmp/flatpak-cache-*/{,**} rw,
@@ -47,6 +51,9 @@ profile flatpak-system-helper @{exec_path} {
 owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw,
 owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
+ @{tmp}/remote-summary-sig.@{rand6} r,
+ @{tmp}/remote-summary.@{rand6} r,
+
 @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/groups/flatpak/flatpak-validate-icon
similarity index 100%
rename from apparmor.d/profiles-a-f/flatpak-validate-icon
rename to apparmor.d/groups/flatpak/flatpak-validate-icon
diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
index 42758585f..85e277198 100644
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
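Review bot: `@{tmp}/remote-summary-sig.@{rand6} r,` and `@{tmp}/remote-summary.@{rand6} r,` are the only temp-file rules in this profile without `owner`, and the matching `owner @{tmp}/remote-summary.@{rand6} rw,` rules added to the flatpak profile earlier in this diff show why: the file is created by the unprivileged client and read here by the root helper, so `owner` would never match. A comment on the first line, `# created by the flatpak client, so deliberately not owner`, would stop a later tidy-up from adding `owner` and silently breaking remote updates. `capability dac_read_search,` is added with no reason given; if it exists so the helper can read those client-owned summaries, the same comment covers both.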
@@ -25,20 +25,15 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.freedesktop.Accounts
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
-
 @{exec_path} mr,
- @{bin}/adduser rPx,
+ @{sbin}/adduser rPx,
 @{bin}/cat rix,
 @{bin}/chage rPx,
 @{bin}/passwd rPx,
- @{bin}/chpasswd rPx,
- @{bin}/userdel rPx,
- @{bin}/usermod rPx,
+ @{sbin}/chpasswd rPx,
+ @{sbin}/userdel rPx,
+ @{sbin}/usermod rPx,
 @{bin}/locale rPUx,
 /usr/share/language-tools/language-validate rPx,
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/groups/freedesktop/boltd
similarity index 91%
rename from apparmor.d/profiles-a-f/boltd
rename to apparmor.d/groups/freedesktop/boltd
index b70b72088..5b72f8427 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/groups/freedesktop/boltd
@@ -25,8 +25,9 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/boltd/{,**} rw,
- @{run}/systemd/notify rw,
- @{run}/udev/data/+thunderbolt:* r,
+ @{att}/@{run}/systemd/notify w,
+
+ @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices.
 @{sys}/bus/ r,
 @{sys}/bus/thunderbolt/devices/ r,
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index 26a07d8aa..ee2cdf42e 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -22,12 +22,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.freedesktop.ColorManager
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
-
 @{exec_path} mrix,
+ @{lib}/colord-sane ix,
 /etc/machine-id r,
 /etc/sane.d/{,**} r,
@@ -49,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/snmp/mibs/{iana,ietf}/ r,
 owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
- @{att}/@{desktop_share_dirs}/icc/edid-*.icc r,
- @{att}/@{user_share_dirs}/icc/edid-*.icc r,
+ @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
+ @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
 @{run}/systemd/sessions/* r,
diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service
index 790f03be3..da950506a 100644
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@@ -10,7 +10,7 @@ include
 @{exec_path} = @{lib}/{,dconf/}dconf-service
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
 include
- include
+ include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index 4492c7598..6332f49e2 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -9,7 +9,7 @@ include
 @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
 profile geoclue @{exec_path} flags=(attach_disconnected) {
 include
- include
+ include
 include
 include
 include
@@ -27,11 +27,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.freedesktop.GeoClue2
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
-
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy
index d7122bdbb..1201e1277 100644
--- a/apparmor.d/groups/freedesktop/iio-sensor-proxy
+++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy
@@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} {
 @{exec_path} mr,
- @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
 @{run}/udev/data/c13:@{int} r, # For /dev/input/*
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
diff --git a/apparmor.d/groups/freedesktop/pacat b/apparmor.d/groups/freedesktop/pacat
new file mode 100644
index 000000000..8329b7924
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/pacat
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pacat
+profile pacat @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ owner @{user_music_dirs}/{,**} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index e2b1b22d9..ad4eb57c5 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -25,11 +25,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=session name=org.pulseaudio.Server
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
index fa1e44d00..af6f30e9c 100644
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
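Review bot: The new pacat profile allows `owner @{user_music_dirs}/{,**} rw,` as its only data-file rule; pacat and its parecord/paplay aliases take an arbitrary path on the command line, so playback from or recording to anything outside the music directory will be denied once the profile is enforced. If that restriction is intended, a one-line comment makes it a deliberate choice rather than an omission, e.g. `# Only the user's music directory is allowed; other paths belong in a local override`. The `include if exists` at the end is where such an override would go, so the comment can point there.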
@@ -23,11 +23,6 @@ profile pipewire-media-session @{exec_path} {
 network bluetooth stream,
 network netlink raw,
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=GetConnectionUnixProcessID
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse
index 530fa97db..fddbe02f7 100644
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@@ -11,15 +11,18 @@ include
 profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
 include
 capability sys_ptrace,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
 @{bin}/pactl rix,
+ @{bin}/pipewire mr,
 /usr/share/pipewire/{,**} r,
@@ -38,6 +41,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/dmi/id/board_vendor r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/module/apparmor/parameters/enabled r,
+
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities
new file mode 100644
index 000000000..778dd131c
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/pkla-admin-identities
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pkla-admin-identities
+profile pkla-admin-identities @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/polkit-1/localauthority.conf.d/{,**} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
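Review bot: `@{bin}/pipewire mr,` lets pipewire-pulse map the pipewire binary rather than execute it through a transition; that is the right rule if `@{exec_path}` for pipewire-pulse is a symlink that the kernel resolves to `@{bin}/pipewire` at exec time, but nothing in the hunk says so, and a reader could otherwise take it for a missing `ix`/`Px`. A comment such as `@{bin}/pipewire mr, # pipewire-pulse is a symlink to the pipewire binary on some distributions` would record the intent. The added `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` is correctly owner-scoped, and the `@{sys}/module/apparmor/parameters/enabled r,` read is the usual libapparmor is-enabled probe.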
diff --git a/apparmor.d/groups/freedesktop/pkla-check-authorization b/apparmor.d/groups/freedesktop/pkla-check-authorization
new file mode 100644
index 000000000..ff5b72f71
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/pkla-check-authorization
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pkla-check-authorization
+profile pkla-check-authorization @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
index bd5a34dcd..da13572e5 100644
--- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme
+++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/plymouth-set-default-theme
+@{exec_path} = @{sbin}/plymouth-set-default-theme
 profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -15,7 +15,7 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
 @{sh_path} rix,
 @{bin}/{m,g,}awk rix,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
 @{bin}/plymouth rPx,
 /usr/share/plymouth/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 8e5933073..0a2390661 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -6,12 +6,13 @@ abi ,
 include
-@{exec_path} = @{bin}/plymouthd
+@{exec_path} = @{sbin}/plymouthd
 profile plymouthd @{exec_path} {
 include
 include
 include
 include
+ include
 capability checkpoint_restore,
 capability dac_override,
diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
index 94bc7ece6..f1ca0fd31 100644
--- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
@@ -12,11 +12,20 @@ include
 @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
 profile polkit-gnome-authentication-agent @{exec_path} {
 include
+ include
+ include
+ include
+ include
 include
 include
+ signal (send) set=(term) peer=polkit-agent-helper,
+
 @{exec_path} mr,
+ @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+ @{lib}/polkit-agent-helper-[0-9] rPx,
+
 @{PROC}/@{pid}/cgroup r,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 804020b7b..05e4c3ec2 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -50,12 +50,12 @@ profile pulseaudio @{exec_path} {
 dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
 interface=org.freedesktop.Avahi.ServiceResolver
 member=Found
- peer=(name=:*, label=avahi-daemon),
+ peer=(name=:*, label="@{p_avahi_daemon}"),
 dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
 interface=org.freedesktop.Avahi.ServiceBrowser
 member=ItemRemove
- peer=(name=:*, label=avahi-daemon),
+ peer=(name=:*, label="@{p_avahi_daemon}"),
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.ObjectManager
@@ -65,7 +65,7 @@ profile pulseaudio @{exec_path} {
 dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
 interface=org.freedesktop.Avahi.ServiceResolver
 member={Found,Free}
- peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
 @{exec_path} mrix,
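Review bot: `signal (send) set=(term) peer=polkit-agent-helper,` uses the parenthesised access form while this same commit normalises `ptrace (read)` to `ptrace read` in flatpak-app, flatpak-system-helper and pipewire-pulse; for consistency write `signal send set=term peer=polkit-agent-helper,`. The two helper exec rules use `[0-9]` for the version suffix, the same spelling the flatpak profile earlier in this diff uses, where the rest of the tree prefers `@{int}`; both should follow one convention. The `rPx` transition to the helper, rather than `ix`, is the right choice since the helper is what handles the password prompt.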
@@ -82,9 +82,9 @@ profile pulseaudio @{exec_path} { owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/pulse/{,**} rw, - owner @{desktop_config_dirs}/pulse/cookie k, + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/pulse/{,**} rw, + owner @{desktop_config_dirs}/pulse/cookie k, owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index ebf0ad6a3..90be74ecf 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/update-desktop-database profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include - include + include include include @@ -25,6 +25,8 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { @{system_share_dirs}/applications/.mimeinfo.cache.* rw, @{system_share_dirs}/applications/mimeinfo.cache w, + /usr/share/byobu/desktop/* r, + /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, /var/lib/snapd/desktop/applications/mimeinfo.cache w, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 931b47509..0f6f9abeb 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index f832d285e..d58385831 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
@@ -13,6 +13,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -27,15 +28,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/ r, # Lists all udev data files + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for serial mice - @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @@ -56,6 +57,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r, /dev/input/event* r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/groups/freedesktop/wireplumber similarity index 83% rename from apparmor.d/profiles-s-z/wireplumber rename to apparmor.d/groups/freedesktop/wireplumber index 87b4e27ca..25569cd68 100644 
--- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -9,10 +9,11 @@ include @{exec_path} = @{bin}/wireplumber profile wireplumber @{exec_path} { include - include include include include + include + include include include include @@ -24,7 +25,7 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, - #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0 + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -50,6 +51,11 @@ profile wireplumber @{exec_path} { owner @{user_config_dirs}/wireplumber/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + + /dev/shm/lttng-ust-wait-@{int} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, @{run}/systemd/users/@{uid} r, @@ -70,9 +76,14 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/1/cgroup r, + @{PROC}/1/cmdline r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, + /dev/udmabuf rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/wmname b/apparmor.d/groups/freedesktop/wmname new file mode 100644 index 000000000..1d2c7aa23 --- /dev/null +++ b/apparmor.d/groups/freedesktop/wmname @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wmname +profile wmname @{exec_path} { + include + include + + @{exec_path} mr, + owner @{HOME}/.Xauthority r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index e51f21e1e..c6efaf360 100644 
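Review bot: `/dev/shm/lttng-ust-wait-@{int} rw,` is the only rule in this group without `owner` and nothing says why; if it is meant for the wait file of a root system-wide lttng-sessiond, which the user cannot own, add a comment saying so, otherwise prefix it with `owner` like the two rules beneath it. `/dev/udmabuf rw,` and the unrestricted `@{PROC}/1/cgroup r,` / `@{PROC}/1/cmdline r,` reads would likewise benefit from a one-line comment naming the feature that needs them (dmabuf allocation for capture and systemd detection are my guess, to be confirmed), since the udev blocks elsewhere in this changeset are being annotated that way. The file move into groups/freedesktop itself needs no comment.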
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -28,6 +28,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{att}/@{HOME}/.var/app/** r, owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index ba699bdbd..a6200a2b2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -39,6 +39,7 @@ profile xdg-desktop-icon @{exec_path} { include include include + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 57b17b655..bc975e4ea 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -10,7 +10,6 @@ include profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include - include include include include @@ -18,7 +17,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include + include include + include include include include 
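Review bot: `owner @{att}/@{HOME}/.var/app/** r,` gives the proxy read access to every Flatpak application's private data, far broader than the two per-app rules that follow it (`logs/*` and `**/usr/.ref`), and the hunk does not say which file the proxy actually failed on. If only a specific path under the sandboxed app's `.var/app/<id>/` is needed, narrow the rule to it; if the blanket read really is required because the proxy runs inside the app's mount namespace (plausible, not visible here), keep it but add a comment with the reason so it is not tightened away later.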
@@ -38,17 +40,16 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* - peer=(name=:*), + peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=@{busname}), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -77,11 +78,14 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, + # The portal can receive any user file as it is a file chooser for UI app. + owner @{HOME}/** r, @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, + owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw, - owner @{tmp}/icon* rw, + owner @{tmp}/icon@{rand6} rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 17d26e3b1..6ee4cab6d 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include + include include include include 
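Review bot: `owner @{HOME}/** r,` turns the portal frontend into a process that can read the whole home directory, including `~/.ssh`, `~/.gnupg` and browser profiles, and the justifying comment is only partly accurate: as far as I know the file chooser dialog lives in the backend (xdg-desktop-portal-gtk/-gnome) and what reaches xdg-desktop-portal is the path or fd the backend hands back. If the read is needed to open the chosen file and pass an fd to the sandboxed app, keep the rule but exclude the sensitive directories (the tree's sensitive-home deny abstraction if one exists, or explicit `deny owner @{HOME}/.ssh/** r,`-style rules) and reword the comment to `# Opens user-selected files on behalf of sandboxed apps (file chooser result).` The tightening of `@{tmp}/icon*` to `@{tmp}/icon@{rand6}` in the same hunk is good.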
@@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -27,14 +28,30 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { network unix stream, - signal (receive) set=term peer=gdm, - signal (receive) set=(hup term) peer=gdm-session-worker, + signal receive set=term peer=gdm, + signal receive set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=RunningApplicationsChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, / r, 
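Review bot: The two new gnome-shell rules disagree on how the peer is named: `member=GetAll peer=(name=:*, label=gnome-shell)` uses `:*` while `member=PropertiesChanged peer=(name=@{busname}, label=gnome-shell)` uses `@{busname}`, and the xdg-desktop-portal hunk in this same changeset is replacing `name=:*` with `name=@{busname}`. Use `peer=(name=@{busname}, label=gnome-shell)` in both. The `RunningApplicationsChanged` send with `peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal)` reads as a signal emission; a short comment such as `# signal to the portal frontend` would save the next reader from wondering why a send targets the bus name.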
@@ -58,12 +75,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index ff398f25e..fc11b0700 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -32,8 +32,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=hup peer=gdm-session-worker, - unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), - #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk dbus receive bus=session path=/org/freedesktop/portal/desktop 
@@ -49,20 +47,18 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, - / r, + / r, + owner @{att}/ r, owner /var/lib/xkb/server-@{int}.xkm rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, owner @{gdm_config_dirs}/dconf/user r, + owner /var/lib/gdm3/greeter-dconf-defaults r, owner @{tmp}/runtime-*/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 309248e18..8c1c1686f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -10,10 +10,12 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include + include include include include include + include network inet dgram, network inet6 dgram, @@ -21,18 +23,28 @@ profile xdg-desktop-portal-kde @{exec_path} { network inet6 stream, network netlink raw, + signal send set=term peer=kioworker, + @{exec_path} mr, #aa:exec kioworker + /usr/share/plasma/look-and-feel/** r, + + owner @{HOME}/ r, + owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw, + owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, + owner @{PROC}/@{pid}/mountinfo r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon new file mode 100644 index 000000000..2c6c37538 --- /dev/null 
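Review bot: `owner /var/lib/gdm3/greeter-dconf-defaults r,` hard-codes the Debian gdm home while the gdm-generate-config hunk in this same changeset addresses that file as `@{GDM_HOME}/greeter-dconf-defaults` and the line above it already uses `@{gdm_config_dirs}`; write `owner @{GDM_HOME}/greeter-dconf-defaults r,` so the `/var/lib/gdm/` layout is covered too. The `owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r,` rule is the usual fontconfig pattern and is fine.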
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/xdg-desktop-portal-validate-icon +profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability dac_override, + + @{exec_path} mrix, + + @{bin}/bwrap ix, + + owner @{tmp}/icon@{rand6} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 3c60c1cf6..93cac619e 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/xdg-document-portal profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include capability sys_admin, @@ -38,8 +39,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/flatpak rPUx, + @{bin}/flatpak rPx, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/snap rPx, / r, owner @{att}/ r, @@ -63,10 +65,12 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { profile fusermount flags=(attach_disconnected) { include - include + include + include - capability sys_admin, capability dac_read_search, + capability dac_override, + capability setuid, mount options=(rw, rprivate) -> /, mount options=(rw, rbind) @{run}/user/@{uid}/ -> /, @@ -76,17 +80,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal), - @{bin}/fusermount{,3} mr, - - /etc/fuse{,3}.conf r, - owner @{run}/user/@{uid}/doc/ rw, - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - @{att}/dev/tty@{int} rw, - include if exists } 
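Review bot: `capability dac_override,` is granted to a helper whose sole job is to parse untrusted icon data, and nothing in the profile says why it is needed; if it exists for the setuid bwrap path on distributions that ship bwrap setuid (to be confirmed), annotate it `capability dac_override, # for setuid bwrap` and drop it where bwrap is unprivileged. Because `@{bin}/bwrap ix,` together with `@{exec_path} mrix,` keeps bwrap and the re-executed validator under this one profile, every rule here, the capability included, is also in force for the stage that decodes the image, so it is worth confirming that only the bwrap setup needs it. `owner @{tmp}/icon@{rand6} r,` correctly mirrors the `@{tmp}/icon@{rand6} rw,` rule the xdg-desktop-portal hunk introduces.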
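Review bot: The fusermount child profile drops `capability sys_admin,` but keeps both `mount options=(rw, rprivate) -> /,` and `mount options=(rw, rbind) @{run}/user/@{uid}/ -> /,`; mount(2) is gated on CAP_SYS_ADMIN, so unless one of the two new includes (their targets are not visible in this rendering) supplies it, those mount rules can no longer be exercised and fusermount will fail with a capability denial. Either restore `capability sys_admin,` next to the new `dac_override` and `setuid` lines or, if this child genuinely no longer performs the mounts, remove the mount rules as well so the profile does not advertise an operation it cannot complete. The switch from `@{bin}/flatpak rPUx,` to `rPx` in the hunk above is a good tightening, provided a flatpak profile is always shipped alongside.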
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 08cfc840c..3b15d9688 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include - include + include include include @@ -43,10 +43,11 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, - owner @{user_share_dirs}/flatpak/db/desktop-used-apps r, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw, owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, + owner @{user_share_dirs}/flatpak/db/screencast r, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index c142d137d..dd7d17118 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -12,6 +12,7 @@ profile xdg-screensaver @{exec_path} flags=(complain) { include include include + include @{exec_path} r, @@ -27,7 +28,6 @@ profile xdg-screensaver @{exec_path} flags=(complain) { @{bin}/lockfile ix, @{bin}/mktemp ix, @{bin}/mv ix, - @{bin}/perl ix, @{bin}/readlink ix, @{bin}/realpath ix, @{bin}/rm ix, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 8892bd1ce..b2ae65450 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update 
@@ -9,14 +9,22 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include + include + include + include + include + include @{exec_path} mr, + @{bin}/xdg-user-dirs-update Px, + owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, + owner @{tmp}/dirs-@{rand6} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index dde1fe8c1..325d444f5 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 0f23d583c..c14af6d6e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -45,6 +45,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login1/session/* + interface=org.freedesktop.login1.Session + member=ReleaseControl + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + @{exec_path} mrix, @{sh_path} rix, 
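Review bot: `@{bin}/xdg-user-dirs-update Px,` is the only exec rule in this changeset written without the `r` qualifier; every other profile transition here (flatpak, snap, plymouth, polkit-agent-helper) uses `rPx`, which is the tree's convention. Write `@{bin}/xdg-user-dirs-update rPx,`. A one-line comment on `owner @{tmp}/dirs-@{rand6} rw,` naming what the tool writes there would also help, since the profile otherwise grants only `r` on the user-dirs files.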
@@ -87,17 +92,17 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @@ -116,6 +121,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/resource@{int} rw, @{sys}/devices/**/{uevent,name,id,config} r, @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 05fb5a6fa..9b329e06a 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland 
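Review bot: `@{sys}/devices/@{pci}/resource@{int} rw,` lets the X server mmap PCI BARs, i.e. arbitrary device MMIO, and it is the one new rule in this hunk without a justifying comment while the udev lines just above were all annotated in the same commit. Record the driver that needs it, e.g. `@{sys}/devices/@{pci}/resource@{int} rw, # PCI BAR mmap for legacy DDX drivers`, to be confirmed from the denial that prompted it, and keep it at `r` if the write side was not actually in the log.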
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/Xwayland +@{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include include @@ -29,6 +29,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, + / r, + + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, diff --git a/apparmor.d/groups/gnome-extension/batteryhealthchargingctl b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl new file mode 100644 index 000000000..4b1f7a138 --- /dev/null +++ b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/batteryhealthchargingctl{,-@{user}} +@{exec_path} += /usr/local/bin/batteryhealthchargingctl{,-@{user}} +profile batteryhealthchargingctl @{exec_path} { + include + include + + capability dac_read_search, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/env rix, + @{bin}/cmp rix, + @{bin}/cut rix, + @{bin}/pkaction rix, + @{bin}/sed rix, + @{bin}/sort rix, + + /etc/polkit-1/rules.d/*.batteryhealthcharging.setthreshold-@{user}.rules r, + + @{user_share_dirs}/gnome-shell/extensions/Battery-Health-Charging@maniacx.github.com/resources/** r, + + @{sys}/class/power_supply/ r, + @{sys}/devices/**/power_supply/BAT@{int}/charge_control_end_threshold w, + @{sys}/devices/**/power_supply/BAT@{int}/charge_control_start_threshold w, + @{sys}/devices/**/power_supply/BAT@{int}/charge_types rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels new file mode 100644 index 000000000..2bb38dfd5 --- /dev/null 
+++ b/apparmor.d/groups/gnome/decibels @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels +profile decibels @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/gjs-console rix, + + @{open_path} rPx -> child-open-help, + + /usr/share/org.gnome.Decibels/{,**} r, + + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index b7fc6a5b0..af7fa51b0 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -15,12 +15,18 @@ profile deja-dup-monitor @{exec_path} { include include include + include include network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup + #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup + + dbus send bus=session path=/org/gnome/DejaDup + interface=org.gtk.Actions + member=Activate + peer=(name=org.gnome.DejaDup), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties @@ -29,6 +35,9 @@ profile deja-dup-monitor @{exec_path} { @{exec_path} mr, + @{bin}/chrt rix, + @{bin}/ionice rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index 88ec63ea7..2168382e0 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider 
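Review bot: The explicit `dbus send ... member=Activate peer=(name=org.gnome.DejaDup)` rule has no `label=` constraint, whereas the `#aa:dbus talk ... interface+=org.gtk.Actions label=deja-dup` directive on the line above already covers the `org.gtk.Actions` interface for that name with the label pinned; if the talk directive expands to send rules for that interface, the explicit rule is redundant and only weakens the peer match. Either drop it or write `peer=(name=org.gnome.DejaDup, label=deja-dup)`. `@{bin}/chrt rix,` and `@{bin}/ionice rix,` look right for a backup scheduler that lowers its own priority.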
@@ -29,10 +29,12 @@ profile epiphany-search-provider @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner @{user_cache_dirs}/epiphany/{,**} rwk, + owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/{,**} rwk, + owner @{tmp}/ContentRuleList-@{rand6} rw, owner @{tmp}/ContentRuleList@{rand6} rw, - owner @{tmp}/Serialized* rw, + owner @{tmp}/SerializedNFA-@{rand6} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index f856a06d2..fba734ad4 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -57,11 +57,6 @@ profile evolution-calendar-factory @{exec_path} { member=Complete peer=(name=org.freedesktop.DBus, label=gnome-calendar), - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=Move - peer=(name=:*, label=gvfsd-metadata), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -76,8 +71,8 @@ profile evolution-calendar-factory @{exec_path} { owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, - owner @{user_share_dirs}/evolution/tasks/system/ w, - owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw, + owner @{user_share_dirs}/evolution/memos/system/{,**} rw, + owner @{user_share_dirs}/evolution/tasks/system/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 379ea5bef..a5a1bd414 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry 
@@ -10,6 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index a1e323c87..6bcbd1cc0 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gcr-prompter profile gcr-prompter @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 6bafb132b..435d055fa 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gdm{3,} +@{exec_path} = @{sbin}/gdm @{sbin}/gdm3 profile gdm @{exec_path} flags=(attach_disconnected) { include include @@ -34,13 +34,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" @{exec_path} mr, @@ -50,7 +45,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{bin}/plymouth rPx, @{bin}/prime-switch rPUx, @{bin}/sleep rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{lib}/{,gdm/}gdm-session-worker rPx, /etc/gdm{3,}/PrimeOff/Default rix, 
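Review bot: Changing `@{bin}/systemd-cat rPx,` to `@{bin}/systemd-cat rix,` runs systemd-cat under gdm's own profile, with gdm's capabilities and D-Bus ownership, instead of under a dedicated one, and the hunk gives no reason. If the separate systemd-cat profile was dropped or does not work with gdm's stdout piping, say so in a trailing comment (`# no dedicated profile: inherits gdm's`) so the widening is deliberate rather than accidental. The `@{sbin}/gdm @{sbin}/gdm3` path change and the `@{p_*}` label variables in the hunks above are consistent with the rest of the changeset.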
@@ -92,7 +87,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/virtual/tty/tty@{int}/active r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cgroup.events r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index dc11e8169..d48b9eff6 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -18,13 +18,15 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, + ptrace read, + @{exec_path} mr, @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rix, - @{bin}/pkill rix, + @{bin}/pgrep rCx -> &pgrep, + @{bin}/pkill rCx -> &pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -32,8 +34,7 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm{3,}/{,**} r, /var/lib/ r, - @{GDM_HOME}/ r, - owner @{GDM_HOME}/ rw, + @{GDM_HOME}/ rw, owner @{GDM_HOME}/greeter-dconf-defaults rw, owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw, @@ -44,8 +45,18 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, + profile pgrep { + include + include + + @{bin}/pkill mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut index 189e166f2..eea0ee3b3 100644 --- a/apparmor.d/groups/gnome/gdm-prime-defaut +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -12,6 +12,9 @@ profile gdm-prime-defaut @{exec_path} flags=(complain) { @{exec_path} mr, + @{sh_path} r, + @{bin}/prime-offload ix, + include if exists } 
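Review bot: The `pgrep` child profile grants `@{bin}/pkill mr,` only, but both `@{bin}/pgrep rCx -> &pgrep,` and `@{bin}/pkill rCx -> &pgrep,` transition into it; on distributions where one of the two is a symlink to the other the exec resolves to the real file, so the other name will be denied its `m` mapping — grant `@{bin}/p{grep,kill} mr,` in the child. The parent also gains an unrestricted `ptrace read,`; if that is only for pgrep/pkill reading other processes' `/proc/@{pid}/cmdline`, it belongs in the child profile, or should at least carry a `peer=` restriction, rather than sitting in gdm-generate-config itself.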
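Review bot: `@{sh_path} r,` grants only read on the shell, yet every script-running profile in this changeset (plymouth-set-default-theme, xorg, batteryhealthchargingctl) uses `@{sh_path} rix,` because AppArmor checks exec permission on the interpreter of a `#!` script; if prime-offload is a shell script (to be confirmed) its `@{bin}/prime-offload ix,` exec will be denied on the interpreter. Use `@{sh_path} rix,`. The profile is `flags=(complain)`, so today the gap surfaces as audit noise rather than a failure.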
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 59e6df788..3bab1b134 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -31,30 +31,31 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { network netlink raw, network unix stream, - signal (receive) set=term peer=gdm, - signal (send) set=(hup term) peer=gdm-session, - signal (send) set=hup peer=at-spi*, - signal (send) set=hup peer=dbus-accessibility, - signal (send) set=hup peer=dbus-session, - signal (send) set=hup peer=dconf-service, - signal (send) set=hup peer=gjs-console, - signal (send) set=hup peer=gnome-*, - signal (send) set=hup peer=gsd-*, - signal (send) set=hup peer=ibus-*, - signal (send) set=hup peer=mutter-x11-frames, - signal (send) set=hup peer=tracker-miner, - signal (send) set=hup peer=xdg-*, - signal (send) set=hup peer=xorg, - signal (send) set=hup peer=xwayland, + signal receive set=term peer=gdm, + signal send set=(hup term) peer=gdm-session, + signal send set=hup peer=at-spi*, + signal send set=hup peer=dbus-accessibility, + signal send set=hup peer=dbus-session, + signal send set=hup peer=dconf-service, + signal send set=hup peer=gjs-console, + signal send set=hup peer=gnome-*, + signal send set=hup peer=gsd-*, + signal send set=hup peer=ibus-*, + signal send set=hup peer=mutter-x11-frames, + signal send set=hup peer=tracker-miner, + signal send set=hup peer=xdg-*, + signal send set=hup peer=xorg, + signal send set=hup peer=xwayland, - unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system, + unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, 
label="@{p_systemd_logind}"), @{exec_path} mrix, @@ -98,6 +99,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /.fscrypt/protectors/ r, owner /.fscrypt/protectors/@{hex16} r, + #aa:lint ignore=tunables /home/ r, /home/.fscrypt/policies/ r, owner /home/.fscrypt/policies/@{hex32} r, @@ -107,6 +109,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ w, + @{run}/cockpit/active.issue r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 5e013012e..a3d285e94 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,9 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 20d5e48d5..fdaa4e825 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,12 +14,13 @@ include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include + include include include include @@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=(term hup) peer=gdm*, + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.Notifications #aa:dbus own bus=session name=org.gnome.ScreenSaver 
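Review bot: The new `#aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}"` uses `interface=` while the same commit converts other directives to `interface+=` (gnome-calculator-search-provider, gnome-extension-ding, gnome-clocks); if `=` replaces the generated default interface set rather than extending it, `org.freedesktop.DBus.Properties` calls to homed would still be denied. Worth confirming which form is intended, or adding a comment stating that only the Manager interface is needed. The `gdm-session-worker` profile continues outside the hunk.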
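Review bot: The added `unix type=stream peer=(label=gnome-shell),` in gjs-console carries no access list, so it grants every unix-socket permission (bind, listen, accept, connect, send, receive) towards gnome-shell, whereas the comparable rule kept in gnome-extension-ding is scoped as `unix (send,receive) type=stream addr=none peer=(label=gnome-shell),`. Unless gjs-console really accepts connections from gnome-shell, restricting it to `unix (send,receive) type=stream peer=(label=gnome-shell),` keeps it consistent with the rest of the policy. The `gjs-console` profile continues outside the hunk.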
@@ -82,6 +85,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 41ebab653..2462c2071 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -32,8 +32,9 @@ profile gnome-boxes @{exec_path} { @{open_path} rPx -> child-open, - @{bin}/virtqemud rPUx, + @{bin}/qemu-img rix, @{bin}/virsh rCx -> virsh, + @{bin}/virtqemud rPUx, /usr/share/osinfo/{,**} r, /usr/share/gnome-boxes/{,**} r, @@ -63,6 +64,8 @@ profile gnome-boxes @{exec_path} { @{run}/mount/utab r, + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @@ -70,6 +73,10 @@ profile gnome-boxes @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + + /dev/media@{int} rw, + /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index d31811152..95af09ed6 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -15,9 +15,9 @@ profile gnome-browser-connector-host @{exec_path} { @{exec_path} mr, @{bin}/env rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, + @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, /usr/share/glib-2.0/schemas/gschemas.compiled r, 
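Review bot: `@{bin}/qemu-img rix,` in gnome-boxes runs the image tool under gnome-boxes' own, fairly wide profile (`rPUx` to virtqemud, and the `/dev/video@{int} rw` rules added in the `@@ -70,6 +73,10 @@` hunk); qemu-img parses disk images the application did not necessarily create, so if the policy set already ships a qemu-img profile a `rPx` transition would confine that parsing more tightly. If `ix` is deliberate because no such profile exists, a one-line comment such as `@{bin}/qemu-img rix, # no dedicated profile, inherits gnome-boxes` would record that. The `gnome-boxes` profile continues outside the hunk.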
diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 2eaacdefb..8400f03c1 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -17,12 +17,14 @@ profile gnome-calculator-search-provider @{exec_path} { signal (send) set=kill peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mrix, @{bin}/* rPUx, + owner @{user_cache_dirs}/gnome-calculator/* r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 97309c1a7..235c0ce9e 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -14,6 +14,7 @@ profile gnome-calendar @{exec_path} { include include include + include include include include @@ -22,6 +23,7 @@ profile gnome-calendar @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.Calendar + #aa-dbus own bus=session name=org.gnome.Calendar.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory 
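Review bot: `#aa-dbus own bus=session name=org.gnome.Calendar.SearchProvider interface+=org.gnome.Shell.SearchProvider2` in gnome-calendar is spelled `#aa-dbus`, not `#aa:dbus`, so it is a plain comment and no rule is generated from it; the same spelling appears in the gnome-characters hunk (`#aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell`). If disabling the directive is intentional, a trailing note such as `# intentionally disabled: <reason>` would stop it being read as a typo; if not, it should be `#aa:dbus`. The `gnome-calendar` profile continues outside the hunk.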
@@ -30,7 +32,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 9ae8a7b8a..9af2b7d5f 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -11,11 +11,13 @@ profile gnome-characters @{exec_path} { include include include + include include include include - #aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Characters + #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell @{exec_path} mr, @@ -27,8 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fd6ded04f..bdffedb72 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -10,7 +10,7 @@ include profile gnome-clocks @{exec_path} { include include - include + include include include include 
@@ -19,7 +19,8 @@ profile gnome-clocks @{exec_path} {
 
   network netlink raw,
 
-  #aa:dbus own bus=session name=org.gnome.clocks
+  #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions
+  #aa:dbus own bus=session name=org.gnome.clocks.SearchProvider interface+=org.gnome.Shell.SearchProvider2
 
   @{exec_path} mr,
   @{open_path} rPx -> child-open-help,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 91f49c219..41b62df09 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -32,27 +32,42 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (send) set=(kill) peer=unconfined, - signal (send) set=(kill) peer=passwd, - - unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), + signal send set=kill peer=unconfined, + signal send set=kill peer=passwd, #aa:dbus own bus=session name=org.gnome.Settings + #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.obex label=obexd + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences + #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system 
name=org.freedesktop.UPower label=upowerd + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} @{exec_path} mr, @{bin}/@{shells} rUx, @{bin}/gcm-viewer rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/sed rix, @{bin}/tecla rPx, @@ -60,11 +75,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{bin}/passwd rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, @@ -90,10 +105,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/wallpapers/{,**} r, /usr/share/xml/iso-codes/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/machine-info r, /etc/rygel.conf r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, /etc/fstab r, /etc/machine-id r, @@ -111,6 +126,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-control-center/{,**} rw, + owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/@{hex32}.png.@{rand6} rw, owner @{user_config_dirs}/background rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, 
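Review bot: `#aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}` leaves the label unquoted, whereas every other `@{p_…}` label in this hunk is written `label="@{p_…}"`; the same unquoted line is added to gnome-shell in its `@@ -82,14 +82,18 @@` hunk. Quoting it the same way, `label="@{p_power_profiles_daemon}"`, keeps the directives uniform and avoids depending on how the directive parser treats a bare variable. The `gnome-control-center` profile continues outside the hunk.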
@@ -143,7 +159,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/ r, @{sys}/class/ r, @@ -193,6 +209,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { profile pkexec { include include + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 3dfd1bf03..51c8f5107 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,11 +10,13 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include + include include include include - #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider + #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 436d82443..8c637920b 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -27,6 +27,9 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + owner /dev/shm/lttng-ust-wait-@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 068469606..695be9f0d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding 
+++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -32,8 +32,8 @@ profile gnome-extension-ding @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gnome-shell), - #aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions - #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions + #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable @@ -47,11 +47,6 @@ profile gnome-extension-ding @{exec_path} { interface=org.freedesktop.DBus* peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=Set - peer=(name=:*, label=gvfsd-metadata), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 4c4b00c5d..3cf92d613 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -9,18 +9,26 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io -@{exec_path} = @{share_dirs}/service/daemon.js +@{exec_path} = @{share_dirs}/service/daemon.js @{share_dirs}/gsconnect-preferences profile gnome-extension-gsconnect @{exec_path} { include include include include include + include + include + include + include + include + include + include include include include include include + include network inet dgram, network inet6 dgram, 
@@ -28,6 +36,9 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + + dbus eavesdrop bus=session, @{exec_path} mr, @{sh_path} rix, @@ -36,8 +47,9 @@ profile gnome-extension-gsconnect @{exec_path} { @{bin}/openssl rix, @{bin}/ssh-add rix, - @{bin}/ssh-keygen rPx, - @{bin}/xdg-screensaver rPx, + @{bin}/dconf rPx, + @{bin}/ssh-keygen rPx, + @{bin}/xdg-screensaver rPx, @{lib}/gio/modules/*.so* rm, @{lib}/girepository-1.0/* r, @@ -53,15 +65,20 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{run}/user/@{uid}/gsconnect/ w, + owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r, + + owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + + owner @{run}/user/@{uid}/gsconnect/{,**} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index f1e229b59..0a65c95f2 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -22,7 +22,6 @@ profile gnome-extensions-app @{exec_path} { /usr/share/terminfo/** r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index af44afbec..706c16e87 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware 
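Review bot: `dbus eavesdrop bus=session,` lets the GSConnect daemon observe every message on the session bus, and this is a process that also holds `network inet`/`inet6` rules; an eavesdrop rule cannot be narrowed by peer, so the only control is whether it is granted at all. A why-comment naming the feature that needs it would let a later reviewer re-check the grant, e.g. `dbus eavesdrop bus=session, # needed for: <feature>`. If the need is only to watch a few well-known names, `dbus receive` rules for those names would be tighter. The `gnome-extension-gsconnect` profile continues outside the hunk.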
@@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index d27ccb8bb..40b8bc9b5 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -29,7 +29,12 @@ profile gnome-initial-setup @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.InitialSetup interface=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions + + dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=com.canonical.UbuntuAdvantage), @{exec_path} mr, @@ -41,13 +46,14 @@ profile gnome-initial-setup @{exec_path} { @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, + @{lib}/@{multiarch}/ld-linux-*.so* rix, /usr/share/dconf/profile/gdm r, /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/timezone r, /etc/gdm{,3}/custom.conf r, 
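Review bot: The new `dbus send … path=/com/canonical/UbuntuAdvantage/Manager` rule in gnome-initial-setup pins the peer by name only, `peer=(name=com.canonical.UbuntuAdvantage)`, whereas the other peer rules touched by this commit also pin a `label=`; without it any profile that owns that name is an acceptable peer. If a profile for the Ubuntu Advantage daemon exists in the set, `peer=(name=com.canonical.UbuntuAdvantage, label=<its-profile>)` would align it with the rest. The `gnome-initial-setup` profile continues outside the hunk.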
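Review bot: `@{lib}/@{multiarch}/ld-linux-*.so* rix,` in the `@@ -41,13 +46,14 @@` hunk of gnome-initial-setup lets the dynamic loader be executed directly, which allows any file the profile can map to be run without passing through the profile's exec rules; that is a notable widening and the hunk gives no hint why gnome-initial-setup needs it. A comment such as `# <which helper> invokes the loader directly` or a pointer to the denial it fixes would document the reason. The `gnome-initial-setup` profile continues outside the hunk.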
@@ -73,6 +79,10 @@ profile gnome-initial-setup @{exec_path} { @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index d0b84c1be..6752f54d4 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -24,6 +24,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -33,7 +34,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 294d6229a..705857391 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps 
@@ -45,7 +45,6 @@ profile gnome-maps @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 82be211fc..511a48987 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -33,8 +33,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, - @{bin}/python3.@{int} rix, - @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/gnomemusic/__pycache__/{,**} rw, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, @@ -51,8 +51,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 19e448b1b..c3631ddb7 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -15,11 +15,15 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, + network netlink raw, - #aa:dbus own bus=session name=org.gnome.RemoteDesktop + #aa:dbus own bus=system name=org.gnome.RemoteDesktop #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm @{exec_path} mr, 
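Review bot: `#aa:dbus own bus=session name=org.gnome.RemoteDesktop` in gnome-remote-desktop-daemon is replaced by the `bus=system` form rather than supplemented; as far as I know the same binary is also run as a per-user session service, which would still own the name on the session bus. If both instances share this profile, keeping the session line alongside the new system one avoids regressing the user instance; if the session case is covered elsewhere, a comment saying so would help. The `gnome-remote-desktop-daemon` profile continues outside the hunk.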
diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 798868271..1f29958d1 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -20,7 +20,7 @@ profile gnome-session @{exec_path} { @{bin}/find rix, @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/head rix, @{bin}/id rix, @{bin}/locale rix, @@ -28,11 +28,12 @@ profile gnome-session @{exec_path} { @{bin}/manpath rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/run-parts rix, @{bin}/sed rix, @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/xargs rix, @{bin}/dpkg-query rpx, @@ -58,6 +59,8 @@ profile gnome-session @{exec_path} { /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, + owner @{HOME}/ r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index babd12c3d..8b0ea6307 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -32,11 +32,11 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} + member=UpdateActivationEnvironment peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 
@@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, @@ -102,7 +104,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include - include + include include @{bin}/env rix, diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check new file mode 100644 index 000000000..44755aef2 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-check @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-check-* +profile gnome-session-check @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{lib}/gnome-session-check-accelerated-gl-helper ix, + @{lib}/gnome-session-check-accelerated-gles-helper ix, + + /usr/share/gnome-session/hardware-compatibility r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 462733874..d4c8b1ba2 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -13,6 +13,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -55,16 +56,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), - ptrace (readby) peer=pipewire, + ptrace read, - signal (receive) set=(term, hup) peer=gdm*, - signal (send), + signal receive set=(term, hup) peer=gdm*, + signal send, unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), - unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), # Owned by gnome-shell @@ -75,6 +74,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=com.canonical.{U,u}nity #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem + #aa:dbus own bus=session name=org.freedesktop.a11y.Manager #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications 
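Review bot: Dropping `ptrace (readby) peer=pipewire,` while widening to `ptrace read,` in the `@@ -55,16 +56,14 @@` hunk changes the tracee side: as I understand the mediation, the `readby` permission is checked on gnome-shell when pipewire reads its `/proc` entries, so those reads would now be denied unless pipewire is unconfined. The widened `ptrace read,` (no peer) only covers gnome-shell reading other processes, not the reverse. If the readby was dropped because the pipewire profile no longer needs it, a note in the commit message or a comment would confirm that. The `gnome-shell` profile continues outside the hunk.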
@@ -82,14 +82,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.gnome.* label=gnome-* + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" + #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console - #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" 
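Review bot: `#aa:dbus talk bus=session name=org.gnome.* label=gnome-*` and `#aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*"` are wildcard grants; the second accepts any profile at all that owns a `*.SearchProvider` name, and the first subsumes the `org.gnome.SessionManager label=gnome-session-binary` line this hunk removes. A why-comment such as `# search providers ship with arbitrary apps, so the label cannot be pinned` would make the intent of `label="*"` explicit. The `gnome-shell` profile continues outside the hunk.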
@@ -98,35 +102,29 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgent - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent interface=org.freedesktop.PolicyKit1.AuthenticationAgent member=BeginAuthentication - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager interface=org.freedesktop.NetworkManager.AgentManager member={RegisterWithCapabilities,Unregister} peer=(name=:*, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - # Session bus - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/gnome/** + peer=(name=org.gnome.*), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/ interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetNameOwner,ListNames} + member={GetNameOwner,ListNames} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root 
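Review bot: `dbus send bus=session path=/org/gnome/** peer=(name=org.gnome.*),` has no `interface=`, `member=` or peer `label=`, so it permits any method call on any object under `/org/gnome/` to any well-known `org.gnome.*` name regardless of which profile owns it, while the bus-daemon rules it replaces were pinned to members and a label. If it is meant as a catch-all for the shell talking to GNOME applications, at least `peer=(name=org.gnome.*, label=gnome-*)`, matching the talk directive added in the previous hunk, would keep the same label scope, and a comment stating the purpose would help. The `gnome-shell` profile continues outside the hunk.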
@@ -163,24 +161,25 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Introspect peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/gnome/*/SearchProvider - interface=org.gnome.Shell.SearchProvider2 - peer=(name=@{busname}), - @{exec_path} mr, @{bin}/unzip rix, + @{bin}/flatpak rPx, @{bin}/gjs-console rPx, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, - @{bin}/Xwayland rPx, + @{bin}/sensors rPx, @{bin}/tecla rPx, + @{bin}/Xwayland rPx, + @{bin}/nvidia-smi rPx, # FIXME; for extension only + @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper @{sh_path} rCx -> shell, + @{bin}/pkexec rCx -> pkexec, @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, @@ -188,8 +187,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, - /snap/*/@{uid}/**.png r, - /usr/share/**.{png,jpg,svg} r, + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, @@ -229,6 +228,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{gdm_cache_dirs}/libgweather/ r, + owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, + owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, 
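Review bot: `@{bin}/nvidia-smi rPx, # FIXME; for extension only` grants the transition to every gnome-shell instance, so the FIXME should say what the fix is (for instance moving the rule to the local override or behind the extension's own rule set); as written it will outlive the extension. `@{bin}/pkexec rCx -> pkexec` lets the shell start a setuid helper, and only the child profile in the later `@@ -395,6 +408,29 @@` hunk bounds what it may run, so a pointer here such as `# Only for the batteryhealthchargingctl helper, see the pkexec child profile` would explain why the shell needs pkexec at all. `@{bin}/nvidia-smi rPx,` also breaks the otherwise alphabetical order by following `@{bin}/Xwayland rPx,`.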
@@ -236,30 +237,38 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{gdm_config_dirs}/pulse/ rw,
 owner @{gdm_config_dirs}/pulse/client.conf r,
 owner @{gdm_config_dirs}/pulse/cookie rwk,
+ owner @{gdm_local_dirs}/ w,
+ owner @{gdm_share_dirs}/ w,
 owner @{gdm_share_dirs}/applications/{,**} r,
 owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
 owner @{gdm_share_dirs}/icc/ rw,
- owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
 owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,
+ owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
 owner @{HOME}/.face r,
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
+ owner @{HOME}/.mozilla/native-messaging-hosts/ rw,
+ owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw,
 owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
- owner @{HOME}/.var/app/**.{png,jpg,svg} r,
+ owner @{HOME}/.var/app/**.@{image_ext} r,
 owner @{HOME}/.var/app/**/ r,
 owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,
- owner @{user_games_dirs}/**.{png,jpg,svg} r,
- owner @{user_music_dirs}/**.{png,jpg,svg} r,
+ owner @{user_games_dirs}/**.@{image_ext} r,
+ owner @{user_music_dirs}/**.@{image_ext} r,
 owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
+ owner @{user_config_dirs}/**/NativeMessagingHosts/ rw,
+ owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw,
 owner @{user_config_dirs}/background r,
 owner @{user_config_dirs}/ibus/ w,
 owner @{user_config_dirs}/monitors.xml{,~} rwl,
 owner @{user_config_dirs}/tiling-assistant/{,**} rw,
 owner @{user_share_dirs}/backgrounds/{,**} rw,
+ owner @{user_share_dirs}/dbus-1/services/ r,
+ owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw,
 owner @{user_share_dirs}/desktop-directories/{,**} r,
 owner @{user_share_dirs}/gnome-shell/{,**} rw,
 owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
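Review bot: The `native-messaging-hosts` and `NativeMessagingHosts` rules let gnome-shell write browser native-messaging host manifests, the mechanism by which a browser extension is allowed to launch a native program; the file pattern is tightly bound to `org.gnome.shell.*.json`, which is good, but nothing in the hunk says why the shell writes them. A comment such as `# Browser integration: installs the native messaging host manifests for Firefox and, judging by the directory name, Chromium-based browsers` would make the intent reviewable. `owner @{user_config_dirs}/**/NativeMessagingHosts/ rw,` also matches that directory at any depth under the config dir; if only the known browser config paths are meant, enumerating them would be tighter than `**`.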
@@ -267,7 +276,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, @@ -304,19 +315,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, @{sys}/bus/ r, 
@@ -377,12 +388,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability sys_ptrace, - ptrace (read), + ptrace read, @{sh_path} mr, - @{bin}/pmap rix, - @{bin}/grep rix, + @{bin}/cat rix, + @{bin}/{,e}grep rix, + @{bin}/kmod rPx -> gnome-shell//lsmod, + @{bin}/pmap rix, @{sys}/devices/system/node/ r, @@ -395,6 +408,29 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile lsmod flags=(attach_disconnected,mediate_deleted) { + include + include + + @{sys}/module/{,**} r, + + include if exists + } + + profile pkexec { + include + include + + ptrace read peer=gnome-shell, + + @{bin}/pkexec mr, + + /usr/local/bin/batteryhealthchargingctl{,-@{user}} rPx, + @{bin}/batteryhealthchargingctl{,-@{user}} rPx, + + include if exists + } + profile open flags=(attach_disconnected,mediate_deleted,complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index a75cfee63..c10261c02 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include - include + include include - include - include include include include @@ -39,6 +37,7 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/xml/iso-codes/{,**} r, 
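Review bot: The new `profile pkexec` child lets gnome-shell run a setuid-root helper and then `rPx` into `/usr/local/bin/batteryhealthchargingctl{,-@{user}}` and `@{bin}/batteryhealthchargingctl{,-@{user}}`; `Px` requires a profile attached to those paths and none appears in this diff, so if it lives elsewhere a comment naming it would help, and if it does not exist the exec will be denied at runtime. The child also omits the `flags=(attach_disconnected,mediate_deleted)` that the sibling `profile lsmod` and the parent carry; if that is deliberate, a short comment would keep it from being "fixed" later. The abstraction names on the `include` lines are not visible in this rendering, so I cannot tell whether the capabilities pkexec needs to elevate are provided by them; `profile pkexec` ends inside this hunk, so nothing further is hidden.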
@@ -70,15 +69,11 @@ profile gnome-software @{exec_path} { /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, - / r, - owner @{HOME}/.var/app/{,**} rw, owner @{user_download_dirs}/*.flatpakref r, owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/ rw, - owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, @@ -93,7 +88,6 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, - owner @{user_share_dirs}/gnome-software/{,**} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, @@ -122,10 +116,7 @@ profile gnome-software @{exec_path} { @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, @@ -163,21 +154,13 @@ profile gnome-software @{exec_path} { profile fusermount { include - include + include - capability sys_admin, + capability setuid, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 92cbd369e..a3d039dea 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor 
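Review bot: In the `@@ -163,21 +154,13 @@` hunk the `fusermount` child keeps its `mount fstype=fuse.revokefs-fuse ...` and `umount` rules but swaps `capability sys_admin` for `capability setuid` and drops `@{bin}/fusermount{,3} mr`, `/etc/fuse.conf r` and `/dev/fuse rw`; mount(2) still needs CAP_SYS_ADMIN in the kernel, so those permissions must now come from the replaced `include` line, whose abstraction name is not visible in this rendering. If that include is a shared fusermount abstraction, a comment on the child, e.g. `# Mount rules are specific to flatpak's revokefs cache; the rest comes from the abstraction`, would make the split obvious. Please confirm on a test install that a flatpak install still mounts revokefs-fuse without an AppArmor denial.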
@@ -9,10 +9,7 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include - include - include - include + include include capability sys_ptrace, @@ -35,8 +32,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, - /usr/share/gnome-system-monitor/{,**} r, - /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, @@ -78,8 +74,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/diskstats r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index d96c20c36..cda4568c1 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -19,13 +19,13 @@ profile gnome-terminal-server @{exec_path} { include include - signal (send) set=(hup) peer=htop, - signal (send) set=(term hup kill) peer=unconfined, + signal send set=(hup) peer=htop, + signal send set=(term hup kill) peer=unconfined, - ptrace (read) peer=htop, - ptrace (read) peer=unconfined, + ptrace read peer=htop, + ptrace read peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 
@@ -38,15 +38,17 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, + @{lib}/gnome-terminal-preferences ix, + # The shell is not confined on purpose. - @{bin}/@{shells} rUx, + @{bin}/@{shells} Ux, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, - @{open_path} rPx -> child-open, + @{open_path} Px -> child-open, /etc/shells r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 22823753b..c399eadc7 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -15,6 +15,7 @@ profile gnome-text-editor @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.TextEditor #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index d104e75c6..96e83b846 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -21,18 +21,18 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, @{bin}/ps rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{open_path} rPx -> child-open-help, - @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, + @{lib}/@{python_name}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, /etc/xdg/autostart/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index c73ff0a19..fe2bf69b2 100644 
--- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -31,7 +31,6 @@ profile gnome-weather @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny owner @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index cfbaa6269..5f05c21da 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 6ff47dcd1..1b12a68cd 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -28,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties @@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-*.icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, include if exists } 
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 984f7c189..0190ad9b3 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 6e8ae0d90..00ca93f19 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -14,6 +14,7 @@ profile gsd-disk-utility-notify @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 288c29af8..b8da39a4d 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,10 +10,11 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include - include include + include include include + include include include include @@ -23,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Subscribe + peer=(name=org.freedesktop.systemd1), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 87560b6f9..cbb8ccf71 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard 
+++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index d9b0e5e27..2a2ea034f 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -38,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus @@ -79,7 +79,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/** - @{sys}/devices/**/usb[0-9]/{,**} r, + @{sys}/devices/**/usb@{int}/{,**} r, @{sys}/devices/@{pci}/sound/**/uevent r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 97b31d6c5..2fa0b0b1f 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-power profile gsd-power @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,11 +19,13 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include include 
@@ -42,7 +43,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label=upowerd), + peer=(name=:*, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties @@ -57,9 +58,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 2c8319bd8..f8d4280a0 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -28,10 +28,15 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { # dbus receive bus=system path=/org/cups/cupsd/Notifier # interface=org.cups.cupsd.Notifier, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=ServerStarted + peer=(name=@{busname}, label=cups-notifier-dbus), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{lib}/gsd-printer rPx, 
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 9e67c8c72..b85a40f04 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 1fd4157ec..5f1c13d9d 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 1ac54d0fe..546a252d7 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 871e10abc..45b3ea1b9 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index f93f0313b..bdacbfd00 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include - include + include include include include 
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 8c5e7891a..871203e6c 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -9,14 +9,14 @@ include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include - signal (receive) set=(term, hup) peer=gdm*, + signal receive set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index f9c4ffb33..484dda29d 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index c7478292c..abf30bc40 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} { include include include + include include include include @@ -33,17 +34,15 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label=accounts-daemon), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetId - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, + @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, 
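Review bot: In the gsd-xsettings `@@ -33,17 +34,15 @@` hunk, `@{sh_path} mr,` grants read and mmap on the shell but no execute permission, so if gsd-xsettings actually spawns a shell (the neighbouring `@{bin}/cat rix,` and `@{bin}/sed rix,` suggest a script is run) the exec will still be denied; the usual apparmor.d form for that is `@{sh_path} rix,`. If the rule exists only because the binary maps the shell without executing it, a comment saying so would prevent it being "corrected" later. The change is best confirmed against the denial log after reload rather than by reading the profile.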
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index c9177de5c..a32a3d8c3 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -17,7 +17,7 @@ profile kgx @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -25,14 +25,14 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/btop rPUx, - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, - @{bin}/nvtop rPx, - @{bin}/vim rUx, + @{bin}/btop PUx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + @{bin}/nvtop Px, + @{bin}/vim Ux, - @{open_path} rPx -> child-open-help, + @{open_path} Px -> child-open-help, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch new file mode 100644 index 000000000..88e2bf327 --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch 
@@ -0,0 +1,79 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/localsearch @{lib}/localsearch-3
+profile localsearch @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files
+ #aa:dbus own bus=session name=org.freedesktop.LocalSearch3
+
+ dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
+ interface=org.freedesktop.DBus.Peer
+ member=Ping
+ peer=(name=@{busname}, label=nautilus),
+ dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
+ interface=org.freedesktop.Tracker3.Endpoint
+ member=Query
+ peer=(name=@{busname}, label=nautilus),
+
+ @{exec_path} mr,
+
+ @{lib}/localsearch-extractor-3 ix, # nnp
+
+ /usr/share/localsearch3/{,**} r,
+ /usr/share/osinfo/{,**} r,
+ /usr/share/poppler/{,**} r,
+
+ # Allow to search user files
+ owner @{HOME}/ r,
+ owner @{HOME}/{,**} r,
+ owner @{MOUNTS}/{,**} r,
+ owner @{tmp}/*/{,**} r,
+
+ owner @{user_cache_dirs}/tracker3/ rw,
+ owner @{user_cache_dirs}/tracker3/files/ rw,
+ owner @{user_cache_dirs}/tracker3/files/** rwk,
+
+ owner @{tmp}/etilqs_@{sqlhex} rw,
+ owner /var/tmp/etilqs_@{sqlhex} rw,
+
+ @{run}/mount/utab r,
+
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+
+ @{PROC}/sys/fs/fanotify/max_user_marks r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /dev/media@{int} rw,
+ /dev/video@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
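Review bot: `@{lib}/localsearch-extractor-3 ix, # nnp` keeps the metadata extractor, the component that parses untrusted file content, under the same profile as the indexer, so a parser bug in the extractor inherits `owner @{HOME}/{,**} r`, `owner @{MOUNTS}/{,**} r`, write access to the tracker3 cache and `rw` on `/dev/video@{int}`. If `# nnp` means the process runs with no_new_privs and therefore cannot take a `Px`/`Cx` transition, spell that out, e.g. `# nnp: extractor sets no_new_privs, so a profile transition is not possible and it inherits`. `/dev/media@{int} rw,` and `/dev/video@{int} rw,` look wider than an indexer needs; please check in the denial log whether `r` is sufficient. The wide `owner @{HOME}/{,**} r,` rule is clearly intentional for a file indexer and deserves the same `#aa:lint ignore=too-wide` marker the nautilus hunk uses for its `/ r,` rule.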
diff --git a/apparmor.d/groups/gnome/localsearch-control b/apparmor.d/groups/gnome/localsearch-control
new file mode 100644
index 000000000..354f85009
--- /dev/null
+++ b/apparmor.d/groups/gnome/localsearch-control
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/localsearch-control-3
+profile localsearch-control @{exec_path} {
+ include
+ include
+
+ #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/localsearch-writeback b/apparmor.d/groups/gnome/localsearch-writeback
new file mode 100644
index 000000000..7d50726c0
--- /dev/null
+++ b/apparmor.d/groups/gnome/localsearch-writeback
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/localsearch-writeback-3
+profile localsearch-writeback @{exec_path} {
+ include
+ include
+
+ #aa:dbus own bus=session name=org.freedesktop.LocalSearch3.Writeback
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index 75835395a..d89d4d6f9 100644
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -9,18 +9,29 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include include + include include include include + unix type=stream peer=(label=loupe//bwrap), + signal send set=kill peer=loupe//bwrap, #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=@{p_systemd_hostnamed}), + @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, @@ -32,7 +43,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -42,6 +54,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, @@ -50,7 +63,9 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=loupe, + unix type=stream peer=(label=loupe), + + signal receive set=kill peer=loupe, @{bin}/bwrap mr, @{lib}/glycin-loaders/*/glycin-* rix, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 8a48b97a2..2ad89fe0a 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -9,11 +9,12 @@ include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include - include + include include include include include + include include include include 
@@ -28,7 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 890e5b34e..fc9b923d8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,17 +28,26 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions} - #aa:dbus own bus=session name=org.freedesktop.FileManager1 + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.freedesktop.FileManager1 + #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" + #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + + #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine member=Print - peer=(name=:*, label=nautilus), + peer=(name=@{busname}, label=nautilus), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
@@ -72,6 +81,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /var/cache/fontconfig/ rw, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, @@ -88,7 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{tmp}/** rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, @@ -108,6 +118,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index cdc563e07..f084e7b12 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -39,12 +39,11 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/1/cgroup r, - @{PROC}/devices r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, @@ -54,7 +53,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/media@{int} r, - /dev/nvidia-uvm rw, include if exists } diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers new file mode 100644 index 000000000..27000b93a --- /dev/null +++ b/apparmor.d/groups/gnome/papers 
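Review bot: `deny /boot/{,**} r` becomes `deny @{efi}/{,**} r`, and whether that still silences reads of the kernel, initrd and grub files under `/boot` depends entirely on how `@{efi}` is defined in the tunables, which are not part of this diff. On a layout where the ESP is mounted at `/boot/efi` and `@{efi}` does not also expand to `/boot`, the profile's `/ r` and `/*/ r` full-access rules would start reaching `/boot` again. If `/boot` is meant to stay silenced, keep both: `deny /boot/{,**} r,` alongside `deny @{efi}/{,**} r,`.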
@@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/papers +profile papers @{exec_path} { + include + include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + @{open_path} Cx -> open, + + /usr/share/poppler/{,**} r, + + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/papers-@{int}/{,**} rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + + profile open { + include + include + + @{browsers_path} Px, + @{help_path} Px, + @{bin}/papers Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis new file mode 100644 index 000000000..a6f7e5b63 --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ptyxis +profile ptyxis @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{lib}/ptyxis-agent Px, + @{open_path} Px -> child-open-help, + + /etc/shells r, + + owner @{user_cache_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_cache_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_cache_dirs}/org.gnome.Ptyxis/**, + + owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + + owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + + owner /tmp/#@{int} w, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor 
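Review bot: In papers, `owner @{tmp}/gtkprint_@{rand6} rw` and `owner @{tmp}/gtkprint@{rand6} rw` differ only by the underscore and sit next to each other, so a later cleanup is likely to drop one as a duplicate. If both spellings were really observed in aa-log (presumably from different GTK print backend versions), record that: `# both gtkprint_* and gtkprint* are produced depending on the GTK version`. Otherwise keep only the observed form.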
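Review bot: `owner /tmp/#@{int} w` in the ptyxis profile hard-codes `/tmp` while the papers profile in the same change and the cache/config rules around it use tunables, and the `#@{int}` form is what the kernel reports for an unlinked or O_TMPFILE file, which reads like a typo without a comment. Suggest `owner @{tmp}/#@{int} w, # presumably an anonymous (O_TMPFILE) temp file — confirm from aa-log`. The rest of the profile is consistently `owner`-scoped and link-restricted, which is good.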
diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent new file mode 100644 index 000000000..ce60a26c3 --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ptyxis-agent +profile ptyxis-agent @{exec_path} { + include + include + include + include + + signal send set=hup peer=unconfined, + + ptrace read, + + @{exec_path} mr, + + @{bin}/podman Px, + @{bin}/systemd-run Cx -> shell, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + @{PROC}/@{pid}/cmdline r, + + /dev/ptmx rw, + + profile shell { + include + include + + signal send, + + @{bin}/systemd-run mr, + @{bin}/@{shells} Ux, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 921f6aa30..2f190dfab 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -16,12 +16,13 @@ profile seahorse @{exec_path} { include include include + include include include include include - #aa:dbus own bus=session name=org.gnome.seahorse.Application + #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index d519dca6e..aeb46f6c0 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration 
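Review bot: `ptrace read,` and, in the `shell` child, `signal send,` carry no peer, so the agent may read any process's `/proc` state and the child may signal any process DAC allows, which is wider than a terminal agent needs. The shells are launched with `Ux`, so the processes the agent inspects and signals run unconfined; if aa-log shows no other peer, `ptrace read peer=unconfined,` and `signal send peer=unconfined,` keep the function and bound the rules. The same applies to `@{PROC}/@{pid}/cmdline r`, which is not `owner`-restricted; if the read is of the user's own foreground process, `owner @{PROC}/@{pid}/cmdline r,` suffices.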
@@ -9,15 +9,22 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include + include + include + include @{exec_path} mr, - @{sh_path} rix, - @{bin}/gsettings rPx, - /usr/share/session-migration/scripts/*.sh rix, + @{sh_path} rix, + @{python_path} rix, + @{bin}/dconf rPx, + @{bin}/gsettings rPx, + /usr/share/session-migration/scripts/* rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/session_migration-* rw, owner @{user_share_dirs}/session_migration-* rw, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 02237d932..e8612f7b6 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -28,12 +28,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Extract - #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface=org.freedesktop.DBus.Peer - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member={GetTreeFromDevice,Remove} - peer=(name=:*, label=gvfsd-metadata), + #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface+=org.freedesktop.DBus.Peer @{exec_path} mr, @@ -75,6 +70,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e10d81bb2..d35f6467f 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner 
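Review bot: `/usr/share/session-migration/scripts/* rix` together with the new `@{python_path} rix` now executes any file in that directory under this profile, where before only `*.sh` ran. That is presumably acceptable because the directory is distro-shipped under /usr/share, but the rule deserves a comment stating that the scripts are trusted and run inherited, e.g. `# migration scripts (shell and python) are distro-shipped; run inherited`. `owner @{gdm_share_dirs}/ w` grants write on the directory only; if aa-log showed just the create of `session_migration-*` it is fine, otherwise `rw` is the usual form in this tree.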
@@ -63,10 +63,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index f0dd3b46c..058b9697a 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -10,11 +10,13 @@ include profile yelp @{exec_path} { include include + include include network netlink raw, - #aa:dbus own bus=session name=org.gnome.Yelp + #aa:dbus own bus=accessibility name=org.gnome.Yelp + #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 247c6e4ac..6a01796ff 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,13 +29,13 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, #aa:only pacman - /etc/pacman.d/gnupg/gpg.conf r, - /etc/pacman.d/gnupg/pubring.gpg r, - /etc/pacman.d/gnupg/trustdb.gpg r, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt owner /etc/apt/keyrings/ rw, @@ -69,6 +69,7 @@ profile gpg @{exec_path} { owner /tmp/@{int}@{int} rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index bfa71cf53..2ef1a9d4a 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm 
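Review bot: `/etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**` gives every confined gpg invocation write and link access to the whole distro keyring and trustdb, where the previous rules allowed read on exactly three files. The widening is presumably for `pacman-key --init/--populate`, which runs gpg as root, so DAC will not limit it; the `#aa:only pacman` marker explains distribution, not intent. Add a why-comment such as `# pacman-key (as root) initialises and updates the keyring; gpg's dotlock needs l` so a later reader does not tighten it back to read-only, and keep `l` only if aa-log showed the lock-file link.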
@@ -23,11 +23,11 @@ profile gpgsm @{exec_path} { /etc/gcrypt/hwf.deny r, - deny /usr/bin/.gnupg/ w, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + deny @{bin}/.gnupg/ w, include if exists } diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 5d2cafd95..729455f7f 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -25,7 +25,7 @@ profile scdaemon @{exec_path} { owner /etc/pacman.d/gnupg/S.scdaemon rw, owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, - owner @{HOME}/@{XDG_GPG_DIR}common.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index 1a1110091..f09ba540d 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -9,20 +9,17 @@ include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}//mktemp rix, - @{bin}//od rix, + @{bin}/{m,g,}awk ix, + @{bin}/mktemp ix, + @{bin}/od ix, - /usr/share/debconf/frontend rPx, + owner @{tmp}/tmp.@{rand10}/ rw, - /usr/share/debconf/confmodule r, - - owner @{tmp}/tmp.*/ rw, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, include if exists } diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 6bdc7362a..29f9bf8f7 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, - /boot/grub/grubenv rw, + @{efi}/grub/grubenv rw, include if exists } 
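Review bot: `@{efi}/grub/grubenv rw` replaces `/boot/grub/grubenv rw`, but on Debian/Ubuntu grubenv lives under `/boot/grub` whether or not an ESP is mounted at `/boot/efi`, so the rule only keeps working if `@{efi}` also expands to `/boot`; that tunable is not in this diff, so please confirm its definition. If it does not, keep `/boot/grub/grubenv rw,` next to the new line. The same substitution is made in grub-mkconfig, grub-mkrelpath, grub-probe and grub-script-check, so one check of the tunable covers all of them.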
diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 83e30cbf6..e3ed75334 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-install +@{exec_path} = @{sbin}/grub-install profile grub-install @{exec_path} flags=(complain) { include include @@ -19,26 +19,34 @@ profile grub-install @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/kmod rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/udevadm rPx, /usr/share/grub/{,**} r, + /usr/share/locale-langpack/{,**} r, /etc/default/grub.d/{,**} r, /etc/default/grub r, - /boot/efi/EFI/ubuntu/* w, - /boot/efi/EFI/BOOT/{,**} rw, - /boot/EFI/*/grubx*.efi rw, - /boot/grub/{,**} rw, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/*/grubx*.efi rw, + @{efi}/EFI/BOOT/{,**} rw, + @{efi}/EFI/ubuntu/* w, + @{efi}/grub/{,**} rw, + @{sys}/devices/**/hid r, + @{sys}/devices/**/path r, + @{sys}/devices/**/uid r, + @{sys}/firmware/efi/ r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r, + @{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/w_platform_size r, @{PROC}/devices r, diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless index c2571ea73..17e71a25c 100644 --- a/apparmor.d/groups/grub/grub-macbless +++ b/apparmor.d/groups/grub/grub-macbless @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-macbless +@{exec_path} = @{sbin}/grub-macbless profile grub-macbless @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 2a60d69c5..c081d53c3 100644 
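Review bot: `@{sys}/firmware/efi/w_platform_size r` is kept as context right after the newly added `@{sys}/firmware/efi/fw_platform_size r`; the old line looks like a truncated spelling of the same sysfs file and should be dropped rather than left beside its fix. `BootOrder-@{uuid}` also goes from `r` to `rw` next to the existing `Boot@{hex}-@{uuid} rw`, which is what `efibootmgr rix` needs — a comment such as `# efibootmgr rewrites Boot#### and BootOrder` would document the write bits on firmware variables. The profile stays `flags=(complain)`, so any of these denials would only be logged, not enforced.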
--- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include @@ -21,25 +21,25 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/{e,f,}grep rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{bin}/dmsetup rPUx, + @{sbin}/dmsetup rPUx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, @{bin}/grub-editenv rPx, @{bin}/grub-mkrelpath rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/grub-script-check rPx, @{bin}/head rix, @{bin}/id rPx, @{bin}/ls rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mount rPx, @{bin}/mountpoint rix, @@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which{.debianutils,} rix, + @{bin}/which{,.debianutils} rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, @@ -65,6 +65,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{lib}/grub/grub-sort-version rPx, @{lib}/libostree/grub[0-9]-@{int}_ostree rix, + /usr/share/desktop-base/*/grub/* r, /usr/share/grub/{,**} r, /usr/share/terminfo/** r, @@ -80,8 +81,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /.zfs/snapshot/*/etc/fstab r, /.zfs/snapshot/*/etc/machine-id r, - /boot/{,**} r, - /boot/grub/{,**} rw, + @{efi}/{,**} r, + @{efi}/grub/{,**} rw, /tmp/grub-*.@{rand10}/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 533f9780b..ca9f3ad3c 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap 
@@ -6,13 +6,20 @@ abi , include -@{exec_path} = @{bin}/grub-mkdevicemap +@{exec_path} = @{sbin}/grub-mkdevicemap profile grub-mkdevicemap @{exec_path} { include include + include + + capability sys_admin, @{exec_path} mr, + @{PROC}/devices r, + + /dev/mapper/control rw, + include if exists } diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index a60a6aaba..789f68287 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -21,8 +21,8 @@ profile grub-mkrelpath @{exec_path} { / r, /usr/share/grub/* r, - /boot/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/themes/{,**} r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index 94c4c7e2b..d900ec2f6 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -13,7 +13,7 @@ profile grub-multi-install @{exec_path} { @{exec_path} mr, - @{bin}/grub-install rPx, + @{sbin}/grub-install rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, @@ -24,12 +24,12 @@ profile grub-multi-install @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, - /usr/share/debconf/frontend rPx, + /usr/share/debconf/frontend rix, - /usr/lib/terminfo/x/xterm-256color r, + @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, - /boot/grub/grub.cfg rw, + @{efi}/grub/grub.cfg rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 80d517deb..017083eaf 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-probe +@{exec_path} = @{sbin}/grub-probe profile grub-probe @{exec_path} { include include 
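Review bot: `capability sys_admin,` is added to grub-mkdevicemap without a comment; in this profile it is presumably for the device-mapper ioctls on the new `/dev/mapper/control rw` line, which require CAP_SYS_ADMIN. Since sys_admin is the broadest capability AppArmor can grant, write the reason next to it: `capability sys_admin, # device-mapper ioctls on /dev/mapper/control`. If aa-log showed a different operation, name that instead.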
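Review bot: In grub-multi-install, `/usr/share/debconf/frontend rPx` becomes `rix`, so the debconf frontend (a perl program) and whatever it spawns now run under grub-multi-install's own profile instead of a dedicated one; that is a widening relative to the old `Px` transition, and the hunk does not show the interpreter being allowed here. If the change is because no `debconf` profile exists, say so in a comment (`# no dedicated debconf profile; run inherited`); otherwise prefer `rPx` or a `Cx` child so the frontend's file rules stay separate from the grub ones. grub-check-signatures in the same change drops the frontend entirely, so the two profiles now treat debconf differently.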
@@ -19,39 +19,22 @@ profile grub-probe @{exec_path} { @{exec_path} mr, /{usr/,}{local/,}{s,}bin/zpool rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/lvm rPx, + @{bin}/lsb_release rPx, + @{sbin}/lvm rPx, @{bin}/udevadm rPx, /usr/share/grub/* r, / r, - /boot/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/ r, + @{efi}/grub/themes/{,**} r, @{PROC}/@{pids}/mountinfo r, @{PROC}/devices r, - /dev/*vg*/ r, - /dev/bsg/ r, - /dev/bus/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/char/ r, - /dev/cpu/ r, - /dev/cpu/@{int}/ r, - /dev/dma_heap/ r, - /dev/dri/ r, - /dev/dri/by-path/ r, - /dev/hugepages/ r, - /dev/input/ r, - /dev/input/by-id/ r, - /dev/input/by-path/ r, - /dev/mapper/control rw, - /dev/mqueue/ r, - /dev/shm/ r, - /dev/snd/ r, - /dev/snd/by-path/ r, + /dev/**/ r, + /dev/mapper/control w, include if exists } diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot index 7d94a22af..310b416bf 100644 --- a/apparmor.d/groups/grub/grub-reboot +++ b/apparmor.d/groups/grub/grub-reboot @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-reboot +@{exec_path} = @{sbin}/grub-reboot profile grub-reboot @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index 93b344cf8..9961a778e 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} { @{exec_path} mr, - /boot/grub/grub* rw, + @{efi}/grub/grub* rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default index 11c78024b..9e3c96464 100644 --- a/apparmor.d/groups/grub/grub-set-default +++ b/apparmor.d/groups/grub/grub-set-default @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-set-default +@{exec_path} = @{sbin}/grub-set-default profile grub-set-default @{exec_path} { include include 
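Review bot: `/dev/mapper/control` drops from `rw` to `w`; libdevmapper opens the control node O_RDWR and AppArmor checks the open flags, so a write-only rule would be denied on that open unless grub-probe opens it differently — worth confirming against aa-log before merging, and keeping `rw` if unsure. The collapse of the enumerated `/dev/*/ r` lines into `/dev/**/ r` is fine: the trailing slash limits it to directory listings, and no device node becomes readable.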
diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index 03df05295..d4460a3cf 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub profile update-grub @{exec_path} { include include @@ -14,8 +14,9 @@ profile update-grub @{exec_path} { capability dac_read_search, @{exec_path} mr, - @{sh_path} rix, - @{bin}/grub-mkconfig rPx, + + @{sh_path} rix, + @{sbin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index c1058c158..7f50d8b45 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-afc-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 1b5f74ae3..3f2fb0138 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable 
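Review bot: `@{exec_path} = @{sbin}/update-grub{2,}` loses the `2` alternative, so if `update-grub2` is shipped as a separate wrapper script rather than a symlink to `update-grub`, invoking it no longer attaches this profile and the `grub-mkconfig rPx` transition is never reached. If the intent is that the symlink case is enough, note it in a comment; otherwise restore `@{exec_path} = @{sbin}/update-grub{2,}`.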
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index f2b534635..dd03254b1 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -16,7 +16,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index d71b71523..6fbbc6092 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -15,7 +15,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index ccbe15fd1..4ed214b71 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor 
@@ -29,7 +29,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c5c4dc3c1..c124c5855 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -37,6 +37,7 @@ profile gvfsd @{exec_path} { @{sh_path} rix, @{lib}/{,gvfs/}gvfsd-* rpx, + @{bin}/pkexec rCx -> pkexec, /usr/share/gvfs/{,**} r, @@ -45,6 +46,17 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + ptrace read peer=gvfsd, + + @{lib}/{,gvfs/}gvfsd-admin rPx, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 7a1584d48..4f845f316 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,9 +10,27 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setuid, @{exec_path} mr, + /usr/share/mime/mime.cache r, + + @{MOUNTS}/{,**} rw, + + @{run}/mount/utab r, + @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index e756c8440..6eebca738 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer 
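Review bot: gvfsd-admin gains `chown`, `dac_override`, `dac_read_search`, `fowner` and `setuid` plus `@{MOUNTS}/{,**} rw` with no comment, making it the highest-privilege profile in this change. It is reached through the new `gvfsd//pkexec` child (`gvfsd-admin rPx`), so it presumably runs as root to serve admin:// on the user's behalf; say so above the capability block, e.g. `# Runs as root via pkexec to serve admin:// URIs; chowns/chmods files for the authorising user`. The `@{PROC}/@{pid}/mountinfo r` and `@{PROC}/@{pid}/stat r` rules are not `owner`-scoped; if the reads are the daemon's own, `owner` keeps them in line with the other gvfs profiles.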
@@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer profile gvfsd-computer @{exec_path} { include + include + + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 2f3b8d8f2..6c61dbba4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -13,15 +13,10 @@ profile gvfsd-dnssd @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-network), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable @@ -33,6 +28,16 @@ profile gvfsd-dnssd @{exec_path} { member=Spawned peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name="@{busname}", label=gvfsd), + + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 375040ec3..2695a1bf7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse 
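Review bot: The new MountTracker rule in gvfsd-dnssd writes `peer=(name="@{busname}", …)` while the Introspect rule right below it writes `peer=(name=@{busname}, …)`, and the retained `member=Spawned` rule still uses `name=:*`; that is three spellings of the same peer in one profile. Pick one form for the whole profile (the unquoted `@{busname}` matches the nautilus and loupe hunks in this change) and update the Spawned rule to it as well.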
@@ -40,25 +40,15 @@ profile gvfsd-fuse @{exec_path} { profile fusermount { include - include + include - capability dac_read_search, - capability sys_admin, # To mount anything + capability setuid, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, umount @{run}/user/@{uid}/**/, unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), - @{bin}/fusermount{,3} mr, - - /etc/fuse{,3}.conf r, - /etc/machine-id r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2fe0a1e2b..5812c8a6e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -23,7 +23,13 @@ profile gvfsd-http @{exec_path} { network inet6 dgram, network netlink raw, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 87851fc16..cd64d81ad 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,6 +11,8 @@ include profile gvfsd-network @{exec_path} { include include + include + include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} 
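Review bot: The `fusermount` child keeps `mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/` but removes `capability sys_admin`, and mount(2) needs CAP_SYS_ADMIN, which AppArmor mediates separately from the mount rule; unless the include that replaced the old one grants it, the mount is denied on the capability check. Confirm that the new include supplies `capability sys_admin` (and `/dev/fuse rw` and `/etc/fuse{,3}.conf r`, also deleted here), otherwise keep `capability sys_admin, # mount(2) for the fuse filesystem` in the child. `capability setuid` alone covers fusermount dropping privileges, not the mount itself.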
@@ -18,27 +20,17 @@ profile gvfsd-network @{exec_path} { dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member={MountLocation,LookupMount,RegisterMount} - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-dnssd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gnome-control-center), + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 03586b291..042b66a68 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -23,21 +23,21 @@ profile gvfsd-recent @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, # Full access to user's data - owner @{HOME}/{,**} rw, # FIXME: ? - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/{,**} r, + owner @{MOUNTS}/{,**} r, owner @{HOME}/.zshenv r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, 
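Review bot: Dropping `owner @{HOME}/{,**}` and `owner @{MOUNTS}/{,**}` from `rw` to `r` in gvfsd-recent closes the FIXME, but no comment records that the recent:// backend is meant to be read-only, so the next denial from an application saving through a recent:// path will look like a bug rather than a decision. Add `# recent:// only opens targets for reading; writes go through the real path` above the rules if that is the intent, or keep `rw` if the backend does open targets for writing — the hunk does not show which.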
diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index cabee57c2..157af621c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -19,6 +19,7 @@ profile gvfsd-sftp @{exec_path} { @{bin}/ssh rPx, owner @{run}/user/@{uid}/gvfsd-sftp/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index f285a3c15..59d778133 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -26,12 +26,12 @@ profile gvfsd-smb-browse @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 683d271a8..e13f870c7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,6 +11,7 @@ include profile gvfsd-trash @{exec_path} { include include + include include include include 
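Review bot: `owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w` grants write only, while the same socket is `rw` in loupe, gvfsd-admin and gvfsd-wsdd in this change. These rules all serve connecting to the path-based gvfsd socket, and one spelling avoids a single backend failing where the others work; use `owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,` unless aa-log showed only the write.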
@@ -21,30 +22,25 @@ profile gvfsd-trash @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label="{gnome-shell,nautilus}"), - dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index f971b5f6a..209971ac2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -9,9 +9,28 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd profile gvfsd-wsdd @{exec_path} { include + include + include + include + include network netlink raw, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name="@{busname}", label=gvfsd), + @{exec_path} mr, @{bin}/env r, 
@@ -19,6 +38,7 @@ profile gvfsd-wsdd @{exec_path} { @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/gvfsd/wsdd rw, include if exists } diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 68356741d..8c8c32da0 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -14,6 +14,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, @@ -31,6 +32,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, owner @{user_share_dirs}/hyprpm/** mr, + owner @{user_share_dirs}/hyprland/** rw, owner @{run}/user/@{uid}/gamescope-* rw, owner @{run}/user/@{uid}/.hyprpaper_* rw, 
@@ -40,15 +42,15 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/@{int} r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index b17c0c66a..fab1c2a2e 100644 --- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/hyprlock -profile hyprlock @{exec_path} { +profile hyprlock @{exec_path} flags=(attach_disconnected) { include include include @@ -19,7 +19,7 @@ profile hyprlock @{exec_path} { @{exec_path} mr, - /etc/security/faillock.conf r, + @{etc_ro}/security/faillock.conf r, /etc/shells r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 78375c8b2..a46d53f4c 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker 
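Review bot: The `flags=(attach_disconnected)` added to the hyprlock profile header carries no comment saying which disconnected object triggered it, and the flag changes how every path rule in the profile is evaluated (disconnected objects are attached to the namespace root and then matched against the normal rules), so the trigger is worth recording for whoever later tries to drop it. A one-line note above the header would do: `# attach_disconnected: needed for <denied disconnected path seen in aa-log — placeholder>`. Since hyprlock is a screen locker that also reads PAM-adjacent files (`@{etc_ro}/security/faillock.conf`, `/etc/shells`), keeping its flag scope documented matters more than for an ordinary app profile.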
@@ -17,6 +17,7 @@ profile hyprpicker @{exec_path} { owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, + owner /dev/shm/@{uuid} r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm index 3a5878808..149128b1e 100644 --- a/apparmor.d/groups/hyprland/hyprpm +++ b/apparmor.d/groups/hyprland/hyprpm @@ -11,7 +11,6 @@ profile hyprpm @{exec_path} { include include include - include network inet dgram, network inet stream, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 197f90f88..3ec36976d 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -41,7 +41,7 @@ profile DiscoverNotifier @{exec_path} { /var/cache/swcatalog/cache/ w, /var/cache/swcatalog/xml/{,**} r, - owner @{user_cache_dirs}/appstream/ r, + owner @{user_cache_dirs}/appstream/ rw, owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/flatpak/{,**} rw, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 9a2f4c961..29447e22a 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo 
@@ -42,29 +42,10 @@ profile baloo @{exec_path} {
 owner @{user_share_dirs}/baloo/{,**} rwk,
- @{run}/udev/data/+acpi:* r, # for acpi
- @{run}/udev/data/+backlight:* r,
- @{run}/udev/data/+bluetooth:* r,
- @{run}/udev/data/+dmi:* r, # For motherboard info
- @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
- @{run}/udev/data/+leds:* r,
- @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+platform:* r,
- @{run}/udev/data/+power_supply* r,
- @{run}/udev/data/+rfkill:* r,
- @{run}/udev/data/+sound:card@{int} r, # for sound card
+ @{run}/mount/utab r,
- @{run}/udev/data/c1:@{int} r, # For RAM disk
- @{run}/udev/data/c4:@{int} r, # For TTY devices
- @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices
- @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
- @{run}/udev/data/c13:@{int} r, # For /dev/input/*
- @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
- @{run}/udev/data/c89:@{int} r, # For I2C bus interface
- @{run}/udev/data/c116:@{int} r, # For ALSA
- @{run}/udev/data/c202:@{int} r, # CPU model-specific registers
- @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
- @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
 @{sys}/bus/ r,
 @{sys}/bus/*/devices/ r,
diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner
index e3fca1f8f..702288a1f 100644
--- a/apparmor.d/groups/kde/baloorunner
+++ b/apparmor.d/groups/kde/baloorunner
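Review bot: The two wildcard rules `@{run}/udev/data/+*:* r` and `@{run}/udev/data/c@{int}:@{int} r` give baloo read access to the udev database entries of every subsystem and every character device, which is wider than the enumerated list they replace (block devices under `b*` stay excluded). On typical systems `/run/udev/data/` is readable by all local users, so the confidentiality impact is small, but the profile loses the record of why a file indexer reads device data at all; a short comment such as `# Device enumeration for removable-media indexing (presumably via Solid — confirm)` above the pair would preserve that. The same replacement is made in baloorunner and dolphin in this commit, while lxqt-panel moves the other way, from `@{run}/udev/data/* r` to these two rules, which is a tightening there.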
@@ -28,33 +28,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 8465da560..5d51f8c4d 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -21,6 +21,7 @@ profile dolphin @{exec_path} { include include include + include network netlink raw, 
@@ -28,8 +29,11 @@ profile dolphin @{exec_path} { @{exec_path} mr, + @{lib}/libheif/ r, + @{lib}/libheif/*.so* mr, + @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, @@ -40,8 +44,10 @@ profile dolphin @{exec_path} { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/misc/termcap r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, + /etc/exports r, /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, @@ -62,7 +68,7 @@ profile dolphin @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, @@ -71,14 +77,17 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, + owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, + owner @{user_config_dirs}/knfsshare.lock rwk, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/#@{int} rw, 
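Review bot: `@{bin}/ldd rix` runs ldd inside dolphin's own profile, and glibc's ldd works by having the dynamic loader load the inspected binary, so a file dolphin is asked to inspect is effectively executed under the full dolphin rule set rather than an isolated one. If this is only needed by a file-info or thumbnail plugin, a child profile limited to read/map (`@{bin}/ldd rCx -> ldd,` plus a small `profile ldd { ... }` block) keeps that execution separate; otherwise a comment stating which feature triggers it would help. The hunk also drops the explicit `-> lsb_release` target on `@{bin}/lsb_release rPx`, which is equivalent only if the `lsb_release` profile attaches to `@{bin}/lsb_release` — presumably true in this set, but worth a glance.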
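Review bot: Replacing `deny /boot/{,**} r` with `deny @{efi}/{,**} r` changes what is both silenced and forbidden: an explicit deny takes precedence over any allow rule that would otherwise match, so if `@{efi}` expands to a sub-path such as the ESP mount point rather than to `/boot` itself, reads of kernel images and initrds under `/boot/` are no longer covered and will again depend on (and be logged against) the profile's other rules. Worth confirming the tunable's expansion before merging; if `/boot/` itself should stay covered, keep both lines: `deny /boot/{,**} r,` and `deny @{efi}/{,**} r,`. The same substitution is made in the kioworker profile in this commit.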
@@ -89,14 +98,22 @@ profile dolphin @{exec_path} { owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, + owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk, + @{run}/issue r, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index 961c18cfe..e04180ff4 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -23,18 +23,36 @@ profile drkonqi @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/plasmashell r, + @{bin}/lsb_release rPx, /usr/share/drkonqi/{,**} r, + /etc/machine-id r, + + / r, + owner @{user_cache_dirs}/drkonqi/ rw, owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**, owner @{user_cache_dirs}/kcrash-metadata/* w, + owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/drkonqirc r, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/remote/ r, + /dev/tty r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index e07a6c1d4..359352383 100644 
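Review bot: The journal rules added to drkonqi spell the archived-journal names as `system@@{hex32}-@{hex16}-@{hex16}.journal*` (and the matching `user-@{uid}@...` form), while the same commit relaxes the identical lines in drkonqi-coredump-processor to `system@*.journal*` and `user-@{uid}@*.journal*`, so the two profiles now disagree on the pattern; pick one form, and if the strict one is kept here, note why the processor needed the looser one. The hunk also adds `/ r` and `@{bin}/plasmashell r` without comment; a read of the plasmashell binary is unusual for a crash handler and deserves a one-line note on its purpose (possibly symbol or version lookup for the crashed process — to be confirmed from the denial that prompted it).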
--- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi-coredump-processor profile drkonqi-coredump-processor @{exec_path} { include + include include capability dac_override, @@ -24,9 +25,9 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/system@*.journal* r, /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@*.journal* r, /{run,var}/log/journal/remote/ r, include if exists diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index 661090bc1..a45652c7b 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -25,6 +25,7 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, + owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 44a6d0239..8ed8bf82e 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -16,7 +16,6 @@ profile kauth-chargethresholdhelper @{exec_path} { /usr/share/icu/@{int}.@{int}/*.dat r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/power_supply/** r, @{sys}/devices/**/power_supply/** r, include if exists 
diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper
index 6483fe39f..cf0caffeb 100644
--- a/apparmor.d/groups/kde/kauth-kded-smart-helper
+++ b/apparmor.d/groups/kde/kauth-kded-smart-helper
@@ -22,7 +22,7 @@ profile kauth-kded-smart-helper @{exec_path} {
 @{exec_path} mr,
- @{bin}/smartctl rPx,
+ @{sbin}/smartctl rPx,
 /usr/share/icu/@{int}.@{int}/*.dat r,
diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
index 5ae1f5f12..afecd8d53 100644
--- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
+++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
@@ -13,7 +13,7 @@ profile kauth-kinfocenter-dmidecode-helper @{exec_path} {
 @{exec_path} mr,
- @{bin}/dmidecode rPx,
+ @{sbin}/dmidecode rPx,
 include if exists
 }
diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit
index 93378bf76..e11de6a48 100644
--- a/apparmor.d/groups/kde/kcminit
+++ b/apparmor.d/groups/kde/kcminit
@@ -26,6 +26,8 @@ profile kcminit @{exec_path} {
 owner @{user_config_dirs}/#@{int} rw,
 owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl,
 owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl,
+ owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl,
+ owner @{user_config_dirs}/kcminputrc.lock rwk,
 owner @{user_config_dirs}/kgammarc r,
 owner @{user_config_dirs}/touchpadrc r,
 owner @{user_config_dirs}/touchpadxlibinputrc r,
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update
index e152325ed..ee42fef98 100644
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@@ -25,21 +25,22 @@ profile kconf_update @{exec_path} { @{sh_path} rix, @{bin}/{,p}grep rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/qtpaths rix, @{bin}/sed rix, @{bin}/qtchooser rPx, @{lib}/kconf_update_bin/* rix, @{lib}/@{multiarch}/kconf_update_bin/* rix, + @{lib}/qt6/bin/qtpaths rix, /usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.sh rix, /usr/share/kconf_update/{,**} r, /usr/share/kglobalaccel/org.kde.krunner.desktop r, - /etc/xdg/konsolerc r, - /etc/xdg/ui/ui_standards.rc r, + /etc/xdg/*rc r, + /etc/xdg/ui/*rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index d37b53ddd..45c382855 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -24,9 +24,10 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sh_path} rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, + @{bin}/uname rPx, @{bin}/xargs rix, @{lib}/drkonqi rPx, @@ -45,10 +46,13 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + @{run}/mount/utab r, owner @{run}/user/@{uid}kcrash_@{int} rw, + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{sys}/bus/ r, @{sys}/bus/i2c/devices/ r, @{sys}/class/ r, 
@@ -59,19 +63,22 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r, + @{sys}/devices/@{pci}/drm/card@{int}/**/*_id r, @{sys}/devices/@{pci}/drm/card@{int}/**/dev r, + @{sys}/devices/@{pci}/drm/card@{int}/**/name r, @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, - @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/**/dev r, @{sys}/devices/**/ r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/**/i2c-@{int}/**/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/**/i2c-*/**/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, /dev/i2c-@{int} rwk, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 0ff08d02f..c9fa538df 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -54,7 +54,8 @@ profile kded @{exec_path} { @{bin}/kcminit rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, - @{bin}/python3.@{int} rix, + @{python_path} rix, + @{bin}/flatpak rPx, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, 
@@ -87,6 +88,12 @@ profile kded @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, + owner @{HOME}/.var/ w, + owner @{HOME}/.var/app/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/**/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w, + owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w, + @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, @@ -120,7 +127,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index f6a7ba95a..cf9646051 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6} profile kiod @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 37dd3eeae..a5f867378 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker 
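Review bot: `owner @{HOME}/.var/app/org.mozilla.firefox/**/ w` lets kded create any directory tree under the Firefox flatpak's data directory, and `owner @{HOME}/.var/ w` plus `.var/app/ w` let it create sibling app directories, which is more than installing the browser-integration host on the next two lines needs. Restricting to the directories actually written keeps the rule self-documenting: `owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/ w,` and `owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/ w,` (keeping the two file rules as they are). A comment above the group, e.g. `# Install the plasma-browser-integration native messaging host into the Firefox flatpak`, would also explain why a session daemon writes into a sandboxed app's data, since the manifest it drops there is what lets the browser launch a host process. These rules lack `r`, so kded can write the manifest but not read it back; that is fine if the write is one-shot, otherwise `rw` is needed.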
@@ -26,10 +26,11 @@ profile kioworker @{exec_path} { network netlink raw, network netlink dgram, - signal (receive) set=term peer=dolphin, - signal (receive) set=term peer=firefox-kmozillahelper, - signal (receive) set=term peer=plasma-discover, - signal (receive) set=term peer=plasmashell, + signal receive set=term peer=dolphin, + signal receive set=term peer=firefox-kmozillahelper, + signal receive set=term peer=plasma-discover, + signal receive set=term peer=plasmashell, + signal receive set=term peer=xdg-desktop-portal-kde, @{exec_path} mr, @@ -37,10 +38,11 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, + @{bin}/gs rix, #aa:exec kio_http_cache_cleaner - /usr/share/kio_desktop/directory.desktop r, + /usr/share/kio_desktop/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, @@ -54,6 +56,8 @@ profile kioworker @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* r, + @{sbin}/ r, + @{sbin}/* r, @{lib}/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @@ -63,7 +67,7 @@ profile kioworker @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, @@ -91,6 +95,7 @@ profile kioworker @{exec_path} { owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 17ed13f27..8f9ff48dd 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole 
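Review bot: `@{bin}/gs rix` runs Ghostscript inside the kioworker profile, so a PostScript/PDF interpreter processing user-supplied documents inherits every kioworker permission, including the netlink network rules and the `@{bin}/`, `@{sbin}/` and `@{MOUNTS}/` reads visible in these hunks. Since kioworker is the process that opens remote and untrusted files, a separate confinement is the safer default: `@{bin}/gs rPx,` if a `gs` profile exists in this set, or `@{bin}/gs rCx -> gs,` with a child profile limited to reading its input and writing under `@{tmp}`. The `/usr/share/kio_desktop/{,**} r` and `@{sbin}/* r` widenings in the same hunks look fine.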
@@ -74,8 +74,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, /dev/ptmx rw, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 79e2b4c59..dd3a6b42b 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -29,8 +29,6 @@ profile kscreenlocker_greet @{exec_path} { signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, - unix (send,receive) type=stream peer=(label="ksmserver",addr=none), - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -41,7 +39,7 @@ profile kscreenlocker_greet @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, @{lib}/@{multiarch}/libexec/kcheckpass rPx, /usr/share/plasma/** r, @@ -51,12 +49,13 @@ profile kscreenlocker_greet @{exec_path} { /usr/share/xsessions/{,*.desktop} r, /usr/share/hunspell/* r, - /{usr/,}etc/environment r, - /{usr/,}etc/login.defs r, - /{usr/,}etc/login.defs.d/ r, - /{usr/,}etc/security/*.conf r, + @{etc_ro}/environment r, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, + @{etc_ro}/security/*.conf r, /etc/fstab r, /etc/machine-id r, + /etc/os-release r, /etc/pam.d/* r, /etc/shells r, /etc/xdg/kscreenlockerrc r, 
@@ -100,9 +99,11 @@ profile kscreenlocker_greet @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 61cd67246..eb53bc078 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -20,8 +20,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (read) peer=kbuildsycoca5, - unix (send, receive) type=stream peer=(label="kscreenlocker_greet",addr=none), - @{exec_path} mr, @{bin}/rm rix, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 01fe51783..67e56c3c6 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -53,7 +53,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/exe r, - owner @{PROC}/@{pid}/status r, include if exists } diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index be59fe842..13f1216a5 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -14,11 +14,14 @@ profile ksplashqml @{exec_path} { include include + ptrace read peer=startplasma, + @{exec_path} mr, @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, + /usr/share/color-schemes/* r, /usr/share/plasma/** r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 24d86bec6..afaac3bd0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland 
@@ -30,6 +30,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -44,11 +45,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/plasma/desktoptheme/** r, /etc/pipewire/client.conf.d/ r, - /etc/xdg/kscreenlockerrc r, - /etc/xdg/menus/{,applications.menu} r, - /etc/xdg/menus/applications-merged/ r, - /etc/xdg/plasmarc r, - /etc/xdg/Xwayland-session.d/{,*} r, + /etc/xdg/** r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -92,7 +89,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, - owner @{user_config_dirs}/menus/{,applications-merged/} r, + owner @{user_config_dirs}/menus/** r, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/* r, 
@@ -113,14 +110,15 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{run}/udev/data/+acpi:* r, # for ACPI + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID subsystem + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @@ -137,6 +135,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { profile at-spi { include + include @{sh_path} r, @{bin}/busctl rix, @@ -151,6 +150,20 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include if exists } + profile pulseaudio { + include + include + + @{sh_path} rix, + @{bin}/pactl Px, + + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 r, + + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index fe1c5d8da..7618a10d4 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular 
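Review bot: In the new `profile pulseaudio` child profile, `@{bin}/pactl Px` omits the `r` that every other exec rule in this file carries (`@{sh_path} rix`, `Cx -> pulseaudio`), and a bare `Px` also requires a `pactl` profile to be loaded or the exec fails at runtime; use `@{bin}/pactl rPx,` for consistency, or `rPUx` if that profile is optional in this set. The child profile is named `pulseaudio`, which reads as if it confined the PulseAudio daemon itself; naming it after the script it actually wraps (e.g. `pulseaudio-x11`, matching `00-pulseaudio-x11`, with the `Cx -> ` target updated) avoids that confusion and mirrors the `at-spi` child above. The companion hunk earlier in this file collapses five explicit `/etc/xdg/...` reads into `/etc/xdg/** r`, which is acceptable for system configuration but drops the record of which files kwin reads.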
@@ -94,7 +94,7 @@ profile okular @{exec_path} {
 include
 @{bin}/gpg{,2} mr,
- @{bin}/gpgcon mr,
+ @{bin}/gpgconf mr,
 @{bin}/gpgsm mr,
 owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 0d8a5d8cb..07fbc8e14 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -39,9 +39,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 network netlink dgram,
 network netlink raw,
- ptrace (read),
+ ptrace read,
- signal (send),
+ signal send,
 @{exec_path} mr,
@@ -72,6 +72,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /usr/share/metainfo/{,**} r,
 /usr/share/plasma/{,**} r,
 /usr/share/plasma5support/** r,
+ /usr/share/qalculate/{,**} r,
 /usr/share/rider/{,**} r,
 /usr/share/solid/actions/{,**} r,
 /usr/share/swcatalog/{,**} r,
@@ -93,6 +94,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{MOUNTS}/ r,
 @{HOME}/ r,
+ owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
 owner @{HOME}/.var/app/**.{png,jpg,svg} r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
@@ -137,6 +139,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_config_dirs}/kcookiejarrc r,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
 owner @{user_config_dirs}/kdiff3fileitemactionrc r,
+ owner @{user_config_dirs}/kiorc r,
 owner @{user_config_dirs}/kioslaverc r,
 owner @{user_config_dirs}/klaunchrc r,
 owner @{user_config_dirs}/klipperrc r,
@@ -156,7 +159,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kio/servicemenus/{,**} r, - owner @{user_share_dirs}/klipper/{,*} rwl, + owner @{user_share_dirs}/klipper/{,**} rwlk, owner @{user_share_dirs}/konsole/ r, owner @{user_share_dirs}/kpeople/persondb rwk, owner @{user_share_dirs}/kpeoplevcard/ r, @@ -170,6 +173,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/plasma_icons/*.desktop r, owner @{user_share_dirs}/plasma/{,**} r, owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**, + owner @{user_share_dirs}/qalculate/{,**} r, owner @{user_share_dirs}/user-places.xbel{,*} rwl, owner @{user_share_dirs}/wallpapers/{,**} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 8e491bb2b..143df5c9e 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -58,7 +58,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable 
@@ -70,13 +70,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/@{multiarch}/sddm/sddm-helper rix, @{lib}/plasma-dbus-run-session-if-needed rix, @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{lib}/sddm/sddm-helper rix, - @{lib}/sddm/sddm-helper-start-wayland rix, - @{lib}/sddm/sddm-helper-start-x11user rix, + @{lib}/{,sddm/}sddm-helper rix, + @{lib}/{,sddm/}sddm-helper-start-wayland rix, + @{lib}/{,sddm/}sddm-helper-start-x11user rix, @{shells_path} rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{sbin}/checkproc rix, @{bin}/disable-paste rix, @{bin}/locale rix, @{bin}/manpath rix, @@ -94,10 +94,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/dbus-update-activation-environment rPx -> dbus-session, @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, + @{bin}/Hyprland rPx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, - @{bin}/sddm-greeter{,-qt6} rPx, @{bin}/labwc rPx, + @{bin}/sddm-greeter{,-qt6} rPx, @{bin}/startlxqt rPx, @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, @@ -113,7 +114,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/sddm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx, - /usr/etc/X11/xdm/Xsetup rix, + @{etc_ro}/X11/xdm/Xsetup rix, /usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/Xsession rix, /usr/share/sddm/scripts/Xsetup rix, @@ -128,9 +129,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/X11/xinit/xinitrc.d/{,*} r, - /{usr/,}etc/environment r, - /{usr/,}etc/security/limits.d/{,*.conf} r, - /{usr/,}etc/X11/Xmodmap r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*.conf} r, + @{etc_ro}/X11/Xmodmap r, /etc/debuginfod/{,*} r, /etc/manpath.config r, /etc/default/locale r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b5cceee95..f27f3dc3c 100644 --- a/apparmor.d/groups/kde/sddm-xsession 
+++ b/apparmor.d/groups/kde/sddm-xsession @@ -40,7 +40,7 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.*} rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 773122f57..004b89d57 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -21,7 +21,7 @@ profile startplasma @{exec_path} { @{sh_path} rix, @{bin}/env rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kapplymousetheme rPUx, @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, @@ -40,6 +40,7 @@ profile startplasma @{exec_path} { /etc/machine-id r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, + /etc/xdg/plasmarc r, /var/lib/flatpak/exports/share/mime/ r, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 969a82f6c..6cb93163c 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -21,6 +21,8 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 650a7e402..f817be69d 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -63,7 +63,8 @@ profile lxqt-panel @{exec_path} { owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/pulse/{,**} rwk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/class/i2c-adapter/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, 
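Review bot: In the xembedsniproxy hunk the new `@{run}/user/@{uid}/xauth_@{rand6} rl,` rule has no `owner` qualifier, unlike the `owner @{tmp}/xauth_@{rand6} r,` rule just above it and the `owner ... iceauth_@{rand6} r,` rule added alongside it; since `@{uid}` is a glob, the rule as written lets the proxy read (and link) the X authority cookie file in any user's runtime directory, relying only on DAC. Unless the denial that motivated it came from a differently-owned file, this should be `owner @{run}/user/@{uid}/xauth_@{rand6} rl,`. The `l` permission is also unusual for an auth file; if it is needed for the xauth lock/rename dance, a short comment saying so would stop the next reviewer from removing it.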
diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index 06967e694..a708e2336 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -54,8 +54,6 @@ profile startlxqt @{exec_path} { owner @{run}/user/@{uid}/ r, - owner @{PROC}/@{pid}/maps r, - /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index b92ad8e68..8220516bf 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ModemManager +@{exec_path} = @{sbin}/ModemManager profile ModemManager @{exec_path} flags=(attach_disconnected) { include include @@ -14,7 +14,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include capability net_admin, 
@@ -25,18 +25,18 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+pnp:* r, - @{run}/udev/data/+serial*:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) + @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @@ -47,7 +47,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, - @{sys}/devices/@{pci}/revision r, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index de3a180bb..f7c0dd084 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/NetworkManager +@{exec_path} = @{sbin}/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include 
@@ -43,9 +43,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager + #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher @@ -59,32 +60,27 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=org.freedesktop.DBus, label=nm-online), - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + member={InterfacesAdded,InterfacesRemoved} + peer=(name=org.freedesktop.DBus), @{exec_path} mr, @{sh_path} rix, - @{bin}/nft rix, + @{sbin}/nft rix, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, @{bin}/kmod rPx, @{bin}/netconfig rPUx, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, 
@@ -108,6 +104,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, + @{etc_rw}/netplan/90-NM-@{uuid}.yaml w, @{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf.[0-9A-Z]* rw, @@ -128,9 +125,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/nscd/db* rwl, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index c1b5d04c5..7bcd9efba 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dhcpcd +@{exec_path} = @{sbin}/dhcpcd profile dhcpcd @{exec_path} flags=(attach_disconnected) { include include @@ -35,11 +35,13 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, + /usr/share/dhcpcd/{,**} r, + /etc/dhcpcd.conf r, /etc/resolv.conf rw, @@ -47,7 +49,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{run}/dhcpcd/** rwk, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, 
diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index 50827e77e..13edaaf16 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -21,21 +21,27 @@ profile iwd @{exec_path} { network netlink raw, network netlink dgram, network alg seqpacket, + network packet dgram, @{exec_path} mr, + @{sbin}/resolvconf rPx, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, - @{sys}/devices/@{pci}/ieee80211/phy[0-9]/* r, + @{sys}/devices/@{pci}/ieee80211/phy@{int}/* r, @{sys}/devices/@{pci}/modalias r, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/ndisc_* rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/accept_ra rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/optimistic_dad rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/ndisc_* rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlp*/accept_ra rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlp*/optimistic_dad rw, /dev/rfkill rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ee98720b6..735154b7e 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -10,6 +10,7 @@ include @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability dac_override, @@ -29,7 +30,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, network netlink dgram, - mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, + mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, @{exec_path} mr, 
@@ -39,7 +40,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { "/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*" r, - /etc/mullvad-vpn/{,*} r, + /etc/mullvad-vpn/ rw, + /etc/mullvad-vpn/* r, /etc/mullvad-vpn/@{uuid} rw, /etc/mullvad-vpn/*.json rw, @{etc_rw}/resolv.conf rw, @@ -49,16 +51,20 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, + owner @{tmp}/@{uuid} rw, + owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, - owner @{tmp}/@{uuid} rw, - owner @{tmp}/talpid-openvpn-@{uuid} rw, - + @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 6075f14b2..ae9b4cb7f 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -14,6 +14,9 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include + include + include + include include network inet stream, @@ -34,6 +37,8 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/mullvad-vpn rw, + /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan new file mode 100644 index 000000000..5855131a8 --- /dev/null +++ b/apparmor.d/groups/network/netplan 
@@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/netplan/netplan.script +profile netplan @{exec_path} flags=(attach_disconnected) { + include + include + include + + @{exec_path} mr, + + @{lib}/netplan/generate rPx, + @{bin}/udevadm rCx -> udevadm, + @{bin}/systemctl rCx -> systemctl, + + /usr/share/netplan/{,**} r, + + @{run}/netplan/ r, + + profile udevadm { + include + include + + capability net_admin, + + @{att}/@{run}/udev/control rw, + + @{run}/udev/rules.d/90-netplan.rules rw, + @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan-generate similarity index 55% rename from apparmor.d/groups/network/netplan.script rename to apparmor.d/groups/network/netplan-generate index 989f2ee09..74ed20aaf 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan-generate 
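Review bot: The `systemctl` child profile in the new netplan profile grants `capability net_admin`, which systemctl itself has no use for (it talks to PID 1 over its private socket, and the netplan-generate variant of this child keeps only `@{att}/@{run}/systemd/private rw`); this looks carried over from the old netplan.script profile rather than from an observed denial. Unless a log shows systemctl actually tripping on it, drop the line so the child stays a minimal stub. The same question applies to the `udevadm` child, where net_admin is at least plausible for netlink uevent handling; a one-line comment such as `# for udevadm trigger/settle via netlink` above it would document the presumption, which I cannot confirm from the diff.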
@@ -1,63 +1,58 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /usr/share/netplan/netplan.script -profile netplan.script @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{lib}/netplan/generate +profile netplan-generate @{exec_path} flags=(attach_disconnected) { include + include include - include + + capability chown, network netlink raw, @{exec_path} mr, - @{lib}/netplan/generate rix, - @{bin}/udevadm rCx -> udevadm, @{bin}/systemctl rCx -> systemctl, - /usr/share/netplan/{,**} r, - /etc/netplan/{,*} r, - @{run}/netplan/ r, - - @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw, + @{run}/NetworkManager/ rw, + @{run}/NetworkManager/conf.d/ rw, + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, @{run}/NetworkManager/system-connections/ rw, - @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, + @{run}/NetworkManager/system-connections/* rw, - @{run}/systemd/network/ r, + @{run}/systemd/generator/multi-user.target.wants/ w, + @{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w, + @{run}/systemd/generator/netplan.stamp w, + @{run}/systemd/generator/network-online.target.wants/ w, + @{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w, + @{run}/systemd/network/ rw, @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, @{run}/systemd/system/ r, @{run}/systemd/system/netplan-* rw, - @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/ rw, @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, @{run}/systemd/system/systemd-networkd.service.wants/ rw, 
@{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, + @{run}/udev/rules.d/ rw, + @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + + @{run}/netplan/ r, + @{run}/udev/rules.d/ r, @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, @{sys}/devices/**/net/*/address r, - profile udevadm { - include - include - - capability net_admin, - - @{att}/@{run}/udev/control rw, - - @{run}/udev/rules.d/90-netplan.rules rw, - @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - - include if exists - } - profile systemctl { include include @@ -66,10 +61,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/private rw, - include if exists + include if exists } - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 45fbf76aa..8b4d53b1c 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -16,12 +16,12 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-networkd), + peer=(name=:*, label="@{p_systemd_networkd}"), @{exec_path} mr, @{bin}/ r, - @{bin}/chronyc rPx, + @{bin}/chronyc rPUx, @{bin}/ls rix, @{bin}/networkctl rPx, @{bin}/sed rix, diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 5e93bdbf5..3e232154e 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper profile nm-dhcp-helper @{exec_path} { include - include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 40984f7fa..029a5e39a 100644 
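Review bot: `@{run}/NetworkManager/system-connections/* rw,` widens the generator's write access from its own `netplan-*.nmconnection{,.@{rand6}}` files to every NetworkManager connection file under /run, including ones NM writes itself that may carry PSKs or 802.1X secrets. If the narrower glob was failing only because of a temp-file suffix, keep the prefix and extend the suffix instead, e.g. `@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6},.tmp} rw,`. The hunk also leaves `@{run}/udev/rules.d/ r,` and the `@{int}-netplan{,-*}.rules{,.@{rand6}} rw,` glob listed twice (once each after the `rw` versions), which is harmless but should be deduplicated, and the new `capability chown,` would benefit from a comment naming which generated file it chowns.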
--- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -26,7 +26,12 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @@ -36,22 +41,22 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chown rix, @{bin}/chronyc rPUx, @{bin}/date rix, - @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/{,e}grep rix, @{bin}/id rix, - @{bin}/invoke-rc.d rCx -> invoke-rc, + @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tr rix, /usr/share/tlp/tlp-readconfs rPUx, @@ -101,7 +106,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include - @{bin}/invoke-rc.d rm, + @{sbin}/invoke-rc.d rm, @{sh_path} rix, @{bin}/basename rix, @{bin}/ls rix, diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 675c14679..943386f61 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service 
@@ -20,7 +20,7 @@ profile nm-openvpn-service @{exec_path} { @{sh_path} rix, @{bin}/kmod rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 43a9d0dca..6065a12da 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -25,7 +25,7 @@ profile nmcli @{exec_path} { owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 532c65f78..a6ff1a939 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -22,7 +22,7 @@ abi , include -@{exec_path} = @{bin}/openvpn +@{exec_path} = @{sbin}/openvpn profile openvpn @{exec_path} flags=(attach_disconnected) { include include @@ -85,10 +85,10 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/ip rix, @{bin}/which{,.debianutils} rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, - /etc/iproute2/rt_tables.d/ r, + /etc/iproute2/rt_tables.d/{,*} r, include if exists } @@ -111,7 +111,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/env rix, @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/nft rix, @{bin}/sed rix, /etc/iproute2/rt_realms r, diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index f9dcac8d1..1d81292fd 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/rpcbind +@{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index ac29b0b28..8162dff1e 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -31,13 +31,13 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, @{bin}/ip rix, @{bin}/resolvectl rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg index 781a52f7a..0b0315e33 100644 --- a/apparmor.d/groups/network/wg +++ b/apparmor.d/groups/network/wg @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{bin}/wg -profile wg @{exec_path} { +profile wg @{exec_path} flags=(attach_disconnected) { include + include capability net_admin, capability net_bind_service, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index c7ea6b1bd..c89a12a47 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -7,8 +7,10 @@ abi , include @{exec_path} = @{bin}/wg-quick -profile wg-quick @{exec_path} { +profile wg-quick @{exec_path} flags=(attach_disconnected) { include + include + include capability dac_read_search, capability net_admin, 
@@ -20,31 +22,39 @@ profile wg-quick @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/ip rPx, - @{bin}/nft rix, + @{bin}/mv rix, + @{sbin}/nft rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, - @{bin}/resolvectl rPUx, + @{sbin}/resolvconf rPx, + @{bin}/resolvectl rPx, + @{bin}/rm rix, @{bin}/sort rix, @{bin}/stat rix, - @{bin}/sysctl rix, + @{bin}/sync rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/wg rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /usr/share/terminfo/** r, /etc/iproute2/group r, /etc/iproute2/rt_realms r, /etc/resolvconf/interface-order r, - /etc/wireguard/*.conf r, + /etc/wireguard/{,**} rw, @{sys}/module/wireguard r, - @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, + @{PROC}/@{pid}/net/ip_tables_names r, - /dev/tty rw, + profile sysctl flags=(attach_disconnected) { + include - # Force the use as root - deny @{bin}/sudo x, + @{sbin}/sysctl mr, + + @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, + + include if exists + } include if exists } diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index fe83e168d..38cd95d0a 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -14,8 +14,8 @@ profile archlinux-java @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/dirname rix, @{bin}/find rix, @{bin}/id rix, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index a7a7bf225..df9af9fef 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -30,7 +30,7 @@ profile aurpublish @{exec_path} { @{bin}/gettext rix, @{bin}/git rPx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index d5abc07db..583d0b9c0 100644 --- a/apparmor.d/groups/pacman/makepkg 
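Review bot: `/etc/wireguard/{,**} rw,` replaces `/etc/wireguard/*.conf r,` with recursive write access to the directory that holds the tunnel private keys; the added `mv`, `rm` and `sync` rules suggest this is for `SaveConfig = true` rewriting the config in place, but that only needs the config files and their temp copies. Prefer `/etc/wireguard/ r,` plus `/etc/wireguard/*.conf{,.tmp} rw,` with a comment `# SaveConfig rewrites <iface>.conf via a .tmp file` (the exact temp suffix should be confirmed against wg-quick). Moving sysctl into its own child profile so only it can write `src_valid_mark` is a good tightening; note that the `deny @{bin}/sudo x` silencer and `/dev/tty rw` were dropped in the same hunk, so expect new audit noise if either was hit in practice.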
+++ b/apparmor.d/groups/pacman/makepkg @@ -11,6 +11,7 @@ profile makepkg @{exec_path} { include include include + include include include include @@ -28,14 +29,20 @@ profile makepkg @{exec_path} { file, - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/gpgconf Cx -> gpg, - @{bin}/gpgsm Cx -> gpg, - @{bin}/sudo Cx -> sudo, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + @{bin}/sudo Cx -> sudo, + + deny capability sys_ptrace, + deny ptrace read, profile gpg { include include + include + + network netlink raw, @{bin}/gpg{,2} mr, @{bin}/gpgconf mr, @@ -66,8 +73,8 @@ profile makepkg @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } @@ -80,8 +87,9 @@ profile makepkg @{exec_path} { ptrace read, - signal send set=winch peer=pacman, - signal send set=winch peer=pacman//systemctl, + signal send set=(term winch) peer=pacman, + signal send set=(term winch) peer=pacman//systemctl, + signal send set=(term winch) peer=systemd-tty-ask-password-agent, @{bin}/pacman Px, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index ed91f6c9c..165b42c02 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -28,11 +28,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, - @{bin}/fsck rix, + @{sbin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, @{bin}/objcopy rix, 
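Review bot: In the makepkg `gpg` child the `owner` qualifier was dropped from `@{PROC}/@{pid}/fd/ r,` and `@{PROC}/@{pid}/task/@{tid}/comm rw,`; because `@{pid}` is a glob, the second rule now allows writing the thread name of any process on the system rather than gpg's own threads, which is the only thing gpg renames. If a denial forced this (for example gpg-agent running under a different uid than the file owner), say so in a comment; otherwise keep `owner` on both lines. Adding `deny capability sys_ptrace,` and `deny ptrace read,` at the top level alongside the broad `file,` rule is a sensible guard, but the top of this profile is outside the hunk so I cannot see whether an abstraction re-grants ptrace.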
@@ -42,13 +42,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/{depmod,insmod} rPx, - @{bin}/{kmod,lsmod} rPx, - @{bin}/{modinfo,rmmod} rPx, - @{bin}/modprobe rPx, + @{bin}/kmod rPx, @{bin}/plymouth rPx, - @{bin}/plymouth-set-default-theme rPx, + @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, + @{bin}/sync rPx, @{lib}/initcpio/busybox rix, @{lib}/initcpio/post/** rix, @@ -61,7 +59,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.conf r, /etc/mkinitcpio.conf.d/{,**} r, /etc/mkinitcpio.d/{,**} r, - /etc/modprobe.d/{,*} r, + /etc/modprobe.d/{,**} r, /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, @@ -83,10 +81,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, - /boot/ r, - /{boot,efi}/EFI/{,**} rw, - /boot/initramfs-*.img* rw, - /boot/vmlinuz-* r, + @{efi}/ r, + @{efi}/@{hex32}/{,**} rw, + @{efi}/EFI/{,**} rw, + @{efi}/initramfs-*.img* rw, + @{efi}/vmlinuz-* r, /usr/share/systemd/bootctl/** r, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index f537afdb3..8331951e7 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, @@ -36,6 +36,7 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/{,**} r, + /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 64a813bf4..497386125 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff 
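Review bot: The paccache hunk adds `/etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**,`, which gives a cache-pruning tool write, lock and link rights over the entire pacman keyring, trustdb included; a compromised or buggy paccache run could then alter package-signing trust. Since paccache only invokes gpg via `rix` to inspect signatures, the write need is most likely limited to gpg's lock files and trustdb maintenance, so something like `/etc/pacman.d/gnupg/{,**/}.#* rwlk -> /etc/pacman.d/gnupg/{,**/}.#*,` plus `/etc/pacman.d/gnupg/*.lock rwk,` and `/etc/pacman.d/gnupg/trustdb.gpg{,.tmp} rw,` should cover it (please confirm against the actual denials). At minimum add a comment naming the gpg operation that needs write access, so the rule is not silently widened further later.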
@@ -38,7 +38,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { # packages files / r, - /boot/{,**} r, + @{efi}/{,**} r, /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 8215e3f6a..427ac0141 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -12,6 +12,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include include + include include capability audit_write, @@ -26,6 +27,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability setfcap, capability setgid, capability setuid, + capability sys_admin, capability sys_chroot, capability sys_ptrace, capability sys_resource, @@ -40,7 +42,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { ptrace read, signal send, - signal receive set=winch peer=makepkg//sudo, + signal receive set=(term winch) peer=makepkg//sudo, @{exec_path} mrix, 
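Review bot: The pacman hunk adds `capability sys_admin,` with no comment; sys_admin is effectively root-equivalent (mounts, namespaces, most of the remaining kernel switches), so it deserves a one-line justification next to the already-present `sys_chroot`, `sys_ptrace` and `sys_resource`, e.g. `# sys_admin: needed by <hook/operation> — observed in audit log on <date>`. If the need comes from a single post-transaction hook, consider confining that hook in its own profile (as the pacman-hook-* profiles in this same diff do) rather than granting it to pacman itself. The rest of this capability list is outside the hunk, so I cannot tell whether an abstraction already covers the operation.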
@@ -65,43 +67,44 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gdk-pixbuf-query-loaders rPx, @{bin}/getent rix, @{bin}/gettext rix, - @{bin}/ghc-pkg-@{version} rix, + @{bin}/ghc-pkg-@{version} rPx, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, - @{bin}/groupadd rPx, - @{bin}/gtk-query-immodules-{2,3}.0 rPx, + @{sbin}/groupadd rPx, + @{bin}/gtk-query-immodules-* rPx, @{bin}/gtk{,4}-update-icon-cache rPx, - @{bin}/iconvconfig rix, + @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, @{bin}/install-info rPx, - @{bin}/iscsi-iname rix, + @{sbin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, - @{bin}/ldconfig rix, - @{bin}/locale-gen rPx, + @{sbin}/ldconfig rix, + @{sbin}/locale-gen rPx, + @{bin}/limine-install rPUx, @{bin}/mkinitcpio rPx, - @{bin}/needrestart rPx, + @{sbin}/needrestart rPx, @{bin}/pacdiff rPx, @{bin}/pacman-key rPx, - @{bin}/perl rix, @{bin}/pkgfile rPUx, @{bin}/pkill rix, @{bin}/rsync rix, @{bin}/sbctl rPx, - @{bin}/setcap rix, + @{sbin}/setcap rix, @{bin}/setfacl rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-* rPx, @{bin}/tput rix, @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, - @{bin}/update-grub rPx, + @{sbin}/update-grub rPx, @{bin}/update-mime-database rPx, @{bin}/vercmp rix, + @{bin}/which{,.debianutils} rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, @{lib}/vlc/vlc-cache-gen rPx, /opt/Mullvad*/resources/mullvad-setup rPx, /usr/share/code-features/patch.py rPx, 
@@ -109,10 +112,14 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 /usr/share/libalpm/scripts/* rPUx,
 /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,
+ # For shell pwd, keept as it can annoy users to see error in pacman output
+ /**/ r,
+
+ # Install/update packages
+ #aa:lint ignore=too-wide
 / r,
 /*{,/} rw,
- /boot/** rwl -> /boot/**,
+ @{efi}/** rwl -> @{efi}/**,
 /etc/** rwl -> /etc/**,
 /opt/** rwl -> /opt/**,
 /srv/** rwl -> /srv/**,
@@ -134,8 +141,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/ r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/environ r,
 @{PROC}/@{pids}/stat r,
- @{PROC}/1/environ r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/tty/drivers r,
 @{PROC}/uptime r,
@@ -145,11 +152,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 /dev/tty@{int} rw,
 owner /dev/pts/@{int} rw,
- # Silencer,
- deny @{HOME}/ r,
- deny @{HOME}/**/ r,
- deny /tmp/ r,
-
 profile gpg {
 include
 include
@@ -186,7 +188,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
- profile systemctl {
+ profile systemctl flags=(attach_disconnected) {
 include
 include
@@ -195,9 +197,11 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 capability sys_resource,
 signal send set=cont peer=child-pager,
- signal receive set=winch peer=makepkg//sudo,
+ signal send set=(cont term) peer=systemd-tty-ask-password-agent,
+ signal receive set=(term winch) peer=makepkg//sudo,
 @{pager_path} rPx -> child-pager,
+ @{bin}/systemd-tty-ask-password-agent rPx,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code
index 3a6bbd7fe..ee23781f4 100644
--- a/apparmor.d/groups/pacman/pacman-hook-code
+++ b/apparmor.d/groups/pacman/pacman-hook-code
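Review bot: `/**/ r,` grants directory-read on every directory on the system, and the `#aa:lint ignore=too-wide` tag added two lines below sits above `/ r,` rather than above this rule, so if the tag is per-line the linter is silenced for the wrong rule. The comment has a typo and does not say what the rule costs; suggest `# For shell pwd, kept as it can annoy users to see errors in pacman output (directory listing only)`. The `# Silencer` deny rules removed in the `@@ -145` hunk of this same file (`deny @{HOME}/ r,`, `deny @{HOME}/**/ r,`, `deny /tmp/ r,`) were the explicit counterpart of this grant, so the two changes should be reviewed together.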
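Review bot: `@{PROC}/@{pids}/environ r,` replaces the former `@{PROC}/1/environ r,`, so pacman may now read the environment block of every process instead of PID 1 only; environments routinely carry tokens and passwords, and the rule has no `owner` qualifier, so this is a disclosure widening even for a root process. If a specific hook needs it, say which one in a comment, e.g. `# <which hook> reads the environment of the processes it inspects — confirm`, and keep the rule as narrow as that hook allows; otherwise prefer `owner @{PROC}/@{pid}/environ r,`.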
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /usr/share/code-{features,marketplace}/patch.py
+@{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py
 profile pacman-hook-code @{exec_path} {
 include
 include
@@ -16,12 +16,12 @@ profile pacman-hook-code @{exec_path} {
 @{exec_path} mr,
 @{bin}/env r,
- @{bin}/python3.@{int} rix,
+ @{python_path} rix,
 @{lib}/code/product.json rw,
- /usr/share/code-{features,marketplace}/{,*} r,
- /usr/share/code-{features,marketplace}/cache.json rw,
+ /usr/share/code-{features,marketplace}{,-insiders}/{,*} r,
+ /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw,
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf
index b5a330d75..c49eb08e9 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dconf
+++ b/apparmor.d/groups/pacman/pacman-hook-dconf
@@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} {
 @{exec_path} mr,
- @{bin}/bash rix,
+ @{sh_path} rix,
 @{bin}/rm rix,
 @{bin}/dconf rPx,
diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod
index 45336a100..0dae14351 100644
--- a/apparmor.d/groups/pacman/pacman-hook-depmod
+++ b/apparmor.d/groups/pacman/pacman-hook-depmod
@@ -14,14 +14,13 @@ profile pacman-hook-depmod @{exec_path} {
 @{exec_path} mr,
+ @{sh_path} rix,
 @{bin}/basename rix,
- @{bin}/bash rix,
- @{bin}/depmod rPx,
 @{bin}/kmod rPx,
 @{bin}/rm rix,
 @{bin}/rmdir rix,
- /usr/lib/modules/*/{,**} rw,
+ @{lib}/modules/*/{,**} rw,
 /dev/tty rw,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms
index a039db414..a8a54c151 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@@ -19,7 +19,7 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/dkms rPx,
+ @{sbin}/dkms rPx,
 @{bin}/kmod rPx,
 @{bin}/nproc rix,
diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig
index de0d33e16..3b29e01ea 100644
--- a/apparmor.d/groups/pacman/pacman-hook-fontconfig
+++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig
@@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} {
 @{exec_path} mr,
- @{bin}/bash rix,
+ @{sh_path} rix,
 @{bin}/ln rix,
 @{bin}/rm rix,
diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio
index 5aa612a3c..17218158e 100644
--- a/apparmor.d/groups/pacman/pacman-hook-gio
+++ b/apparmor.d/groups/pacman/pacman-hook-gio
@@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} {
 @{exec_path} mr,
- @{bin}/bash rix,
+ @{sh_path} rix,
 @{bin}/rmdir rix,
 @{bin}/gio-querymodules rPx,
 @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw,
 @{lib}/gtk-{3,4}.0/**/*/ rw,
- /usr/lib/gio/modules/ rw,
+ @{lib}/gio/modules/ rw,
 /dev/tty rw,
diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk
index ce7b931ca..e6aa28627 100644
--- a/apparmor.d/groups/pacman/pacman-hook-gtk
+++ b/apparmor.d/groups/pacman/pacman-hook-gtk
@@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} {
 @{exec_path} mr,
- @{bin}/bash rix,
+ @{sh_path} rix,
 @{bin}/rm rix,
 @{bin}/rmdir rix,
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index a9bf40360..48ce25ab2 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/bash rix,
+ @{sh_path} rix,
 @{bin}/cmp rix,
 @{bin}/compgen rix,
 @{bin}/env rix,
@@ -36,11 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
 /etc/mkinitcpio.d/*.preset{,.pacsave} rw,
 / r,
- /boot/ r,
- /{boot,efi}/EFI/boot/boot*.efi rw,
- /boot/initramfs-*-fallback.img rw,
- /boot/initramfs-*.img rw,
- /boot/vmlinuz-* rw,
+ @{efi}/ r,
+ @{efi}/EFI/boot/boot*.efi rw,
+ @{efi}/initramfs-*-fallback.img rw,
+ @{efi}/initramfs-*.img rw,
+ @{efi}/vmlinuz-* rw,
 /dev/tty rw,
 owner /dev/pts/@{int} rw,
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
index 7c0006153..6378ca991 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
@@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
 @{exec_path} mr,
- @{bin}/bash rix,
+ @{sh_path} rix,
 @{bin}/cmp rix,
 @{bin}/mv rix,
 @{bin}/rm rix,
@@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
 /usr/share/mkinitcpio/*.preset r,
 /etc/mkinitcpio.d/*.preset rw,
- /boot/vmlinuz-* rw,
- /boot/initramfs-*.img rw,
- /boot/initramfs-*-fallback.img rw,
+ @{efi}/vmlinuz-* rw,
+ @{efi}/initramfs-*.img rw,
+ @{efi}/initramfs-*-fallback.img rw,
 /dev/tty rw,
diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl
index 1254f97e2..aa2be8b09 100644
--- a/apparmor.d/groups/pacman/pacman-hook-perl
+++ b/apparmor.d/groups/pacman/pacman-hook-perl
@@ -9,19 +9,18 @@ include
 @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh
 profile pacman-hook-perl @{exec_path} {
 include
+ include
 capability dac_read_search,
 capability mknod,
 @{exec_path} mr,
- @{bin}/perl rix,
- @{bin}/bash rix,
+ @{sh_path} rix,
 @{bin}/find rix,
 @{bin}/pacman rPx,
 @{bin}/sed rix,
-
- @{lib}/perl@{int}/{,**} r,
+ @{bin}/wc rix,
 /dev/tty rw,
 /dev/tty@{int} rw,
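Review bot: the removed `/{boot,efi}/EFI/boot/boot*.efi rw,` covered both a /boot-mounted and an /efi-mounted ESP, while the replacement `@{efi}/EFI/boot/boot*.efi rw,` covers only what `@{efi}` expands to; if that tunable does not list /efi, hosts with a separate ESP mount will now get a write denial on the bootloader image — worth confirming against the tunable's definition. A short comment above the block, e.g. `# @{efi} must cover every ESP mount point (see tunables)`, would make the assumption visible. The same substitution is made in pacman-hook-mkinitcpio-remove later in this chunk, so one fix applies to both.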
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd
index 2c32024a2..0878385c5 100644
--- a/apparmor.d/groups/pacman/pacman-hook-systemd
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
@@ -44,6 +44,11 @@ profile pacman-hook-systemd @{exec_path} {
 include
 capability net_admin,
+ capability sys_resource,
+
+ signal send set=(cont, term) peer=systemd-tty-ask-password-agent,
+
+ @{bin}/systemd-tty-ask-password-agent Px,
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 287bc026a..1e1204c27 100644
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -16,15 +16,15 @@ profile pacman-key @{exec_path} {
 @{exec_path} mr,
+ @{sh_path} rix,
 @{bin}/{m,g,}awk rix,
 @{bin}/basename rix,
- @{bin}/bash rix,
 @{bin}/chmod rix,
 @{bin}/gettext rix,
- @{bin}/gpg{,2} rCx -> gpg,
- @{bin}/grep rix,
+ @{bin}/gpg{,2} rCx -> &gpg,
+ @{bin}/{,e}grep rix,
 @{bin}/ngettext rix,
- @{bin}/pacman-conf rPx,
+ @{bin}/pacman-conf rPx -> &pacman-conf,
 @{bin}/touch rix,
 @{bin}/tput rix,
 @{bin}/vercmp rix,
@@ -34,7 +34,8 @@ profile pacman-key @{exec_path} {
 /usr/share/pacman/keyrings/{,*} r,
 /usr/share/terminfo/** r,
- /etc/pacman.d/gnupg/* rw,
+ /etc/pacman.d/gnupg/ rw,
+ /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,
 /dev/tty rw,
@@ -59,7 +60,7 @@ profile pacman-key @{exec_path} {
 /etc/pacman.d/gnupg/ rw,
 /etc/pacman.d/gnupg/** rwkl,
- @{HOME}/.gnupg/gpg.conf r,
+ @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay
index 52c2de345..42932cc2e 100644
--- a/apparmor.d/groups/pacman/yay
+++ b/apparmor.d/groups/pacman/yay
@@ -25,6 +25,7 @@ profile yay @{exec_path} {
 @{bin}/git Cx -> git,
 @{bin}/gpg{,2} Cx -> gpg,
 @{bin}/makepkg Px,
+ @{bin}/pacman Px,
 @{bin}/pacman-conf Px,
 @{bin}/sudo Cx -> sudo,
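Review bot: `signal send set=(cont, term) peer=systemd-tty-ask-password-agent,` writes the signal set with a comma while the equivalent rule this commit adds to pacman's `systemctl` child profile is `signal send set=(cont term) peer=systemd-tty-ask-password-agent,`, and polkit-agent-helper in the same commit also uses the space-separated form; both parse, so pick the space-separated one for consistency. Likewise `@{bin}/systemd-tty-ask-password-agent Px,` omits the `r` that the pacman rule `@{bin}/systemd-tty-ask-password-agent rPx,` carries. The enclosing (sub)profile header is outside the hunk.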
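Review bot: `/etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,` gives the pacman-key shell script itself write, lock and link rights over the whole keyring tree, which the `@@ -59` hunk shows the gpg child profile already holds, and the former rule was `/etc/pacman.d/gnupg/* rw,` with no link permission and no recursion. If the script only needs to create the directory and touch a few top-level files, keeping link and recursion in the gpg child alone limits what a bad shell fragment could do to the trust database; if the widening is required, a comment naming the subcommand that needs it would justify it. The `@{HOME}/@{XDG_GPG_DIR}/gpg.conf r,` change appears to sit inside the gpg child, whose header is outside the hunk.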
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/groups/polkit/pkexec
similarity index 94%
rename from apparmor.d/profiles-m-r/pkexec
rename to apparmor.d/groups/polkit/pkexec
index c7bfbcefa..8c6d868da 100644
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/groups/polkit/pkexec
@@ -21,13 +21,13 @@ profile pkexec @{exec_path} {
 @{exec_path} mr,
 @{bin}/* PUx,
+ @{sbin}/* PUx,
 @{lib}/** PUx,
 /opt/*/** PUx,
 /usr/share/** PUx,
 /etc/default/locale r,
- @{PROC}/@{pid}/fdinfo/@{int} r,
 @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/groups/polkit/pkttyagent
similarity index 95%
rename from apparmor.d/profiles-m-r/pkttyagent
rename to apparmor.d/groups/polkit/pkttyagent
index de0eeef33..436447aef 100644
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/groups/polkit/pkttyagent
@@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} {
 capability sys_nice,
 capability audit_write,
- ptrace (read),
- signal (send,receive),
+ ptrace read,
+ signal (send, receive),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper
similarity index 78%
rename from apparmor.d/groups/freedesktop/polkit-agent-helper
rename to apparmor.d/groups/polkit/polkit-agent-helper
index 7f5ecd107..5799ced5b 100644
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/polkit/polkit-agent-helper
@@ -25,20 +25,22 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- signal (receive) set=(term, kill) peer=gnome-shell,
- signal (receive) set=(term, kill) peer=pkexec,
- signal (receive) set=(term, kill) peer=pkttyagent,
- signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
+ signal receive set=(term kill) peer=gnome-shell,
+ signal receive set=(term kill) peer=pkexec,
+ signal receive set=(term kill) peer=pkttyagent,
+ signal receive set=(term kill) peer=polkit-*-authentication-agent,
+
+ unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system,
 dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll
- peer=(name=:*, label=polkitd),
+ peer=(name=:*, label="@{p_polkitd}"),
 dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2
- peer=(name=:*, label=polkitd),
+ peer=(name=:*, label="@{p_polkitd}"),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/polkit/polkitd
similarity index 81%
rename from apparmor.d/groups/freedesktop/polkitd
rename to apparmor.d/groups/polkit/polkitd
index 5e3d3ee78..4dc1380c0 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/polkit/polkitd
@@ -7,10 +7,11 @@ abi ,
 include
-@{exec_path} = @{lib}/{,polkit-1/}polkitd
+@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd
 profile polkitd @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 capability setgid,
@@ -19,18 +20,14 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 capability sys_ptrace,
 audit capability net_admin,
- ptrace (read),
+ ptrace read,
 #aa:dbus own bus=system name=org.freedesktop.PolicyKit1
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
-
 @{exec_path} mr,
- @{bin}/pkla-check-authorization rPUx,
+ @{bin}/pkla-check-authorization rPx,
+ @{bin}/pkla-admin-identities rPx,
 /etc/machine-id r,
@@ -53,7 +50,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 /var/lib/polkit{,-1}/localauthority/{,**} r,
 owner /var/lib/polkit{,-1}/.cache/ rw,
+ @{att}/@{run}/systemd/notify w,
 @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+ @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
 @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
 @{run}/systemd/sessions/* r,
@@ -70,9 +69,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
- # Silencer
- deny /.cache/ rw,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snap-bootstrap b/apparmor.d/groups/procps/free
similarity index 52%
rename from apparmor.d/profiles-s-z/snap-bootstrap
rename to apparmor.d/groups/procps/free
index 95cc306fc..56075ae1c 100644
--- a/apparmor.d/profiles-s-z/snap-bootstrap
+++ b/apparmor.d/groups/procps/free
@@ -1,18 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
+# Copyright (C) 2025 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = @{lib}/snapd/snap-bootstrap
-profile snap-bootstrap @{exec_path} {
+@{exec_path} = @{bin}/free
+profile free @{exec_path} {
 include
+ include
 @{exec_path} mr,
- include if exists
+ include if exists
 }
 # vim:syntax=apparmor
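Review bot: `@{bin}/pkla-check-authorization rPx,` and the new `@{bin}/pkla-admin-identities rPx,` now require profiles of those names to be loaded, whereas the former `rPUx` fell back to unconfined; on a host where the pkla profiles are absent, polkitd's local-authority lookups become exec-denied instead of allowed, which is the intended tightening only if both profiles ship in the same set. The removed explicit `dbus send ... member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}` rule is what lets polkitd resolve its callers, so the include added in the `@@ -7` hunk must supply it; a comment next to that include saying it covers these bus methods would make the dependency visible.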
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/groups/procps/htop
similarity index 94%
rename from apparmor.d/profiles-g-l/htop
rename to apparmor.d/groups/procps/htop
index 08b58ebd2..d59fde5e5 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/groups/procps/htop
@@ -20,14 +20,15 @@ profile htop @{exec_path} {
 network netlink raw,
- signal (send),
- signal (receive) set=(hup) peer=gnome-terminal-server,
+ signal send,
+ signal receive set=hup peer=gnome-terminal-server,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
 @{bin}/lsof rix,
+ @{bin}/strace rix,
 /usr/share/terminfo/** r,
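Review bot: `@{bin}/strace rix,` runs strace inside htop's own profile, which in this hunk holds only `ptrace read`; attaching to a running process needs the `trace` ptrace permission, so the strace action will be denied in enforce mode unless a `ptrace trace` rule exists elsewhere in the profile, which this hunk does not show. If the intent is to make htop's trace action work, `@{bin}/strace rPx` with a dedicated strace profile keeps the extra ptrace power out of htop; if not, a comment such as `# strace is inherited; attach is not granted on purpose` records the decision.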
@@ -38,7 +39,51 @@ profile htop @{exec_path} {
 owner @{user_config_dirs}/htop/ rw,
 owner @{user_config_dirs}/htop/* rw,
- owner @{PROC}/@{pid}/smaps_rollup r,
+ @{sys}/bus/dax/devices/ r,
+ @{sys}/bus/i2c/devices/ r,
+ @{sys}/bus/soc/devices/ r,
+ @{sys}/class/hwmon/ r,
+ @{sys}/class/i2c-adapter/ r,
+ @{sys}/class/power_supply/ r,
+ @{sys}/devices/@{pci}/i2c-*/{,**/}name r,
+ @{sys}/devices/**/hwmon@{int}/ r,
+ @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
+ @{sys}/devices/**/hwmon@{int}/**/ r,
+ @{sys}/devices/**/hwmon@{int}/**/{name,temp*} r,
+ @{sys}/devices/**/hwmon/ r,
+ @{sys}/devices/**/hwmon/{name,temp*} r,
+ @{sys}/devices/**/hwmon/**/ r,
+ @{sys}/devices/**/hwmon/**/{name,temp*} r,
+ @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
+ @{sys}/devices/*/name r,
+ @{sys}/devices/i2c-*/name r,
+ @{sys}/devices/platform/*/i2c-*/name r,
+ @{sys}/devices/system/cpu/cpu@{int}/** r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
+ @{sys}/devices/system/node/node@{int}/cpumap r,
+ @{sys}/devices/system/node/node@{int}/hugepages/ r,
+ @{sys}/devices/system/node/node@{int}/hugepages/hugepages-*/nr_hugepages r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+ @{sys}/devices/system/node/online r,
+ @{sys}/devices/virtual/block/zram@{int}/{disksize,mm_stat} r,
+ @{sys}/devices/virtual/dmi/id/ r,
+ @{sys}/devices/virtual/dmi/id/bios_date r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/bios_version r,
+ @{sys}/devices/virtual/dmi/id/chassis_asset_tag r,
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{sys}/devices/virtual/dmi/id/chassis_vendor r,
+ @{sys}/devices/virtual/dmi/id/chassis_version r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_version r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
+ @{sys}/fs/cgroup/cgroup.controllers r,
+ @{sys}/fs/cgroup/cpuset.cpus.effective r,
+ @{sys}/fs/cgroup/cpuset.mems.effective r,
+ @{sys}/kernel/mm/hugepages/ r,
+ @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
 @{PROC}/ r,
 @{PROC}/diskstats r,
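Review bot: `@{sys}/devices/@{pci}/i2c-*/{,**/}name r,`, `@{sys}/devices/i2c-*/name r,` and `@{sys}/devices/platform/*/i2c-*/name r,` widen the former `i2c-@{int}` match to any suffix, which the removed copies of these rules later in the file still spelled with `@{int}`; the rest of this hunk is a verbatim move of the sysfs block. If non-numeric suffixes such as `i2c-dev` were seen in the logs, a comment saying so next to the first rule would justify the glob; otherwise keep `@{int}`, since the widening is unrelated to the move.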
@@ -83,54 +128,9 @@ profile htop @{exec_path} {
 @{PROC}/@{pids}/task/@{tid}/status r,
 @{PROC}/@{pids}/task/@{tid}/wchan r,
- @{sys}/bus/dax/devices/ r,
- @{sys}/bus/i2c/devices/ r,
- @{sys}/bus/soc/devices/ r,
- @{sys}/class/hwmon/ r,
- @{sys}/class/i2c-adapter/ r,
- @{sys}/class/power_supply/ r,
- @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
- @{sys}/devices/**/hwmon@{int}/ r,
- @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
- @{sys}/devices/**/hwmon@{int}/**/ r,
- @{sys}/devices/**/hwmon@{int}/**/{name,temp*} r,
- @{sys}/devices/**/hwmon/ r,
- @{sys}/devices/**/hwmon/{name,temp*} r,
- @{sys}/devices/**/hwmon/**/ r,
- @{sys}/devices/**/hwmon/**/{name,temp*} r,
- @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
- @{sys}/devices/*/name r,
- @{sys}/devices/i2c-@{int}/name r,
- @{sys}/devices/platform/*/i2c-@{int}/name r,
- @{sys}/devices/system/cpu/cpu@{int}/** r,
- @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r,
- @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
- @{sys}/devices/system/node/node@{int}/cpumap r,
- @{sys}/devices/system/node/node@{int}/hugepages/ r,
- @{sys}/devices/system/node/node@{int}/hugepages/hugepages-*/nr_hugepages r,
- @{sys}/devices/system/node/node@{int}/meminfo r,
- @{sys}/devices/system/node/online r,
- @{sys}/devices/virtual/block/zram@{int}/{disksize,mm_stat} r,
- @{sys}/devices/virtual/dmi/id/ r,
- @{sys}/devices/virtual/dmi/id/bios_date r,
- @{sys}/devices/virtual/dmi/id/bios_vendor r,
- @{sys}/devices/virtual/dmi/id/bios_version r,
- @{sys}/devices/virtual/dmi/id/chassis_asset_tag r,
- @{sys}/devices/virtual/dmi/id/chassis_type r,
- @{sys}/devices/virtual/dmi/id/chassis_vendor r,
- @{sys}/devices/virtual/dmi/id/chassis_version r,
- @{sys}/devices/virtual/dmi/id/product_name r,
- @{sys}/devices/virtual/dmi/id/product_version r,
- @{sys}/devices/virtual/dmi/id/sys_vendor r,
- @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
- @{sys}/fs/cgroup/cgroup.controllers r,
- @{sys}/fs/cgroup/cpuset.cpus.effective r,
- @{sys}/fs/cgroup/cpuset.mems.effective r,
- @{sys}/kernel/mm/hugepages/ r,
- @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
-
 @{PROC}/cmdline r,
 owner @{PROC}/@{pid}/cpuset r,
+ owner @{PROC}/@{pid}/smaps_rollup r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep
new file mode 100644
index 000000000..950aeb99e
--- /dev/null
+++ b/apparmor.d/groups/procps/pgrep
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pgrep
+profile pgrep @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{PROC}/tty/drivers r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/groups/procps/pidof
similarity index 51%
rename from apparmor.d/profiles-s-z/snapd-core-fixup
rename to apparmor.d/groups/procps/pidof
index 0e33aaea0..3413eb6c3 100644
--- a/apparmor.d/profiles-s-z/snapd-core-fixup
+++ b/apparmor.d/groups/procps/pidof
@@ -1,18 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
+# Copyright (C) 2025 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = @{lib}/snapd/snapd.core-fixup.sh
-profile snapd-core-fixup @{exec_path} {
+@{exec_path} = @{bin}/pidof
+profile pidof @{exec_path} {
 include
 @{exec_path} mr,
- include if exists
+ include if exists
 }
 # vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/groups/procps/ps
similarity index 100%
rename from apparmor.d/profiles-m-r/ps
rename to apparmor.d/groups/procps/ps
diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/groups/procps/sysctl
similarity index 92%
rename from apparmor.d/profiles-s-z/sysctl
rename to apparmor.d/groups/procps/sysctl
index 849aeb687..9275c7054 100644
--- a/apparmor.d/profiles-s-z/sysctl
+++ b/apparmor.d/groups/procps/sysctl
@@ -8,7 +8,7 @@ abi ,
 include
-@{exec_path} = @{bin}/sysctl
+@{exec_path} = @{sbin}/sysctl
 profile sysctl @{exec_path} {
 include
 include
@@ -22,7 +22,9 @@ profile sysctl @{exec_path} {
 /etc/sysctl.conf r,
 /etc/sysctl.d/{,**} r,
- /usr/lib/sysctl.d/{,**} r,
+ @{lib}/sysctl.d/{,**} r,
+
+ /etc/ufw/sysctl.conf r, # Add support for ufw
 @{PROC}/sys/ r,
 @{PROC}/sys/** rw,
@@ -31,8 +33,6 @@ profile sysctl @{exec_path} {
 deny network inet6 stream,
 deny network inet stream,
- /etc/ufw/sysctl.conf r, # Add support for ufw
-
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/groups/procps/top
similarity index 100%
rename from apparmor.d/profiles-s-z/top
rename to apparmor.d/groups/procps/top
diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/groups/procps/uptime
similarity index 93%
rename from apparmor.d/profiles-s-z/uptime
rename to apparmor.d/groups/procps/uptime
index 904ebe415..3da204a38 100644
--- a/apparmor.d/profiles-s-z/uptime
+++ b/apparmor.d/groups/procps/uptime
@@ -15,6 +15,8 @@ profile uptime @{exec_path} {
 @{exec_path} mr,
+ @{run}/systemd/sessions/@{int} r,
+
 @{PROC}/uptime r,
 @{PROC}/loadavg r,
 @{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/groups/procps/vmstat b/apparmor.d/groups/procps/vmstat
new file mode 100644
index 000000000..1276222a2
--- /dev/null
+++ b/apparmor.d/groups/procps/vmstat
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/vmstat
+profile vmstat @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sys}/block/ r,
+ @{sys}/devices/system/node/ r,
+
+ @{PROC}/diskstats r,
+ @{PROC}/slabinfo r,
+ @{PROC}/uptime r,
+ @{PROC}/vmstat r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/gro_ups/procps/w
similarity index 97%
rename from apparmor.d/profiles-s-z/w
rename to apparmor.d/groups/procps/w
index b23a7bc23..2445034e9 100644
--- a/apparmor.d/profiles-s-z/w
+++ b/apparmor.d/groups/procps/w
@@ -16,7 +16,7 @@ profile w @{exec_path} {
 capability sys_ptrace,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/groups/shadow/chage
similarity index 97%
rename from apparmor.d/profiles-a-f/chage
rename to apparmor.d/groups/shadow/chage
index a89e204a8..43f34a703 100644
--- a/apparmor.d/profiles-a-f/chage
+++ b/apparmor.d/groups/shadow/chage
@@ -20,7 +20,7 @@ profile chage @{exec_path} {
 @{exec_path} mr,
- /etc/login.defs r,
+ @{etc_ro}/login.defs r,
 /etc/{passwd,shadow} rw,
 /etc/{passwd,shadow}.@{pid} w,
diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/groups/shadow/chpasswd
similarity index 74%
rename from apparmor.d/profiles-a-f/chpasswd
rename to apparmor.d/groups/shadow/chpasswd
index fb8438cc1..5e84f31b4 100644
--- a/apparmor.d/profiles-a-f/chpasswd
+++ b/apparmor.d/groups/shadow/chpasswd
@@ -6,20 +6,26 @@ abi ,
 include
-@{exec_path} = @{bin}/chpasswd
+@{exec_path} = @{sbin}/chpasswd
 profile chpasswd @{exec_path} {
 include
+ include
 include
 include
+ capability audit_write,
 capability chown,
 capability fsetid,
+ capability net_admin,
 capability setuid,
+ network netlink raw,
+
 @{exec_path} mr,
+ @{etc_ro}/login.defs r,
+
 /etc/.pwd.lock wk,
- /etc/login.defs r,
 /etc/passwd rw,
 /etc/passwd.@{int} w,
 /etc/passwd.lock l -> /etc/passwd.@{int},
@@ -31,6 +37,11 @@ profile chpasswd @{exec_path} {
 /etc/shadow.lock w,
 /etc/shadow+ rw,
+ /etc/pam.d/* r,
+ /etc/security/pwquality.conf r,
+
+ @{PROC}/@{pid}/loginuid r,
+
 include if exists
 }
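Review bot: `capability net_admin,` and `network netlink raw,` are granted to chpasswd without a comment; together with the new `capability audit_write,` this looks like the libaudit pattern used by PAM-backed tools, but net_admin on its own is wide for a password utility, so state the reason inline, e.g. `capability net_admin, # audit netlink socket via PAM — confirm`. If an abstraction in the set already bundles these three for PAM users, including it instead of repeating them keeps the shadow profiles aligned. The hunk header shows the profile is reopened at `@@ -31`, so the grants above are in the main profile body.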
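Review bot: `@{PROC}/@{pid}/loginuid r,` has no `owner` qualifier, while the gpasswd profile touched by this same commit reads the file as `owner @{PROC}/@{pid}/loginuid r,`; chpasswd presumably needs only its own loginuid (PAM reading the caller's audit session), so use the `owner` form here for consistency and least privilege. The `/etc/pam.d/* r,` and `/etc/security/pwquality.conf r,` reads are the expected configuration for a PAM-backed password change and look fine.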
diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/groups/shadow/gpasswd
similarity index 97%
rename from apparmor.d/profiles-g-l/gpasswd
rename to apparmor.d/groups/shadow/gpasswd
index 8afdff8db..ab2d21860 100644
--- a/apparmor.d/profiles-g-l/gpasswd
+++ b/apparmor.d/groups/shadow/gpasswd
@@ -29,7 +29,7 @@ profile gpasswd @{exec_path} {
 owner @{PROC}/@{pid}/loginuid r,
- /etc/login.defs r,
+ @{etc_ro}/login.defs r,
 /etc/{group,gshadow} rw,
 /etc/{group,gshadow}.@{pid} w,
diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/groups/shadow/groupadd
similarity index 94%
rename from apparmor.d/profiles-g-l/groupadd
rename to apparmor.d/groups/shadow/groupadd
index 9450974a1..2d135007a 100644
--- a/apparmor.d/profiles-g-l/groupadd
+++ b/apparmor.d/groups/shadow/groupadd
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/groupadd
+@{exec_path} = @{sbin}/groupadd
 profile groupadd @{exec_path} {
 include
 include
@@ -22,7 +22,7 @@ profile groupadd @{exec_path} {
 @{exec_path} mr,
 @{bin}/nscd rix,
- /etc/login.defs r,
+ @{etc_ro}/login.defs r,
 /etc/{group,gshadow} rw,
 /etc/{group,gshadow}- w,
diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/groups/shadow/groupdel
similarity index 94%
rename from apparmor.d/profiles-g-l/groupdel
rename to apparmor.d/groups/shadow/groupdel
index 99b7fddaa..8f8b28239 100644
--- a/apparmor.d/profiles-g-l/groupdel
+++ b/apparmor.d/groups/shadow/groupdel
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/groupdel
+@{exec_path} = @{sbin}/groupdel
 profile groupdel @{exec_path} {
 include
 include
@@ -25,7 +25,7 @@ profile groupdel @{exec_path} {
 @{exec_path} mr,
 @{bin}/nscd rix,
- /etc/login.defs r,
+ @{etc_ro}/login.defs r,
 /etc/{group,gshadow} rw,
 /etc/{group,gshadow}.@{pid} w,
diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/groups/shadow/groupmod
similarity index 95%
rename from apparmor.d/profiles-g-l/groupmod
rename to apparmor.d/groups/shadow/groupmod
index 4b9b0446a..34bf046cd 100644
--- a/apparmor.d/profiles-g-l/groupmod
+++ b/apparmor.d/groups/shadow/groupmod
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/groupmod
+@{exec_path} = @{sbin}/groupmod
 profile groupmod @{exec_path} {
 include
 include
@@ -24,7 +24,7 @@ profile groupmod @{exec_path} {
 @{exec_path} mr,
- /etc/login.defs r,
+ @{etc_ro}/login.defs r,
 /etc/{passwd,gshadow,group} rw,
 /etc/{passwd,gshadow,group}.@{pid} w,
diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/groups/shadow/grpck
similarity index 94%
rename from apparmor.d/profiles-g-l/grpck
rename to apparmor.d/groups/shadow/grpck
index 5fad8960c..1e47307e4 100644
--- a/apparmor.d/profiles-g-l/grpck
+++ b/apparmor.d/groups/shadow/grpck
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/grpck
+@{exec_path} = @{sbin}/grpck
 profile grpck @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /etc/login.defs r,
+ @{etc_ro}/login.defs r,
 /etc/{gshadow,group} rw,
 /etc/{gshadow,group}.@{pid} rw,
diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/groups/shadow/lastlog
similarity index 95%
rename from apparmor.d/profiles-g-l/lastlog
rename to apparmor.d/groups/shadow/lastlog
index 392aba362..0cb62819f 100644
--- a/apparmor.d/profiles-g-l/lastlog
+++ b/apparmor.d/groups/shadow/lastlog
@@ -17,8 +17,9 @@ profile lastlog @{exec_path} {
 @{exec_path} mr,
+ @{etc_ro}/login.defs r,
+
 /var/log/lastlog r,
- /etc/login.defs r,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/groups/shadow/newgidmap
similarity index 91%
rename from apparmor.d/profiles-m-r/newgidmap
rename to apparmor.d/groups/shadow/newgidmap
index 4a7196fc2..6fa555504 100644
--- a/apparmor.d/profiles-m-r/newgidmap
+++ b/apparmor.d/groups/shadow/newgidmap
@@ -18,6 +18,8 @@ profile newgidmap @{exec_path} {
 @{exec_path} mr,
+ @{etc_ro}/login.defs r,
+ @{etc_ro}/login.defs.d/{,*} r,
 /etc/subgid r,
 @{PROC}/@{pids}/ r,
diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/groups/shadow/newuidmap
similarity index 91%
rename from apparmor.d/profiles-m-r/newuidmap
rename to apparmor.d/groups/shadow/newuidmap
index 549eb06ef..6a53bf5c1 100644
--- a/apparmor.d/profiles-m-r/newuidmap
+++ b/apparmor.d/groups/shadow/newuidmap
@@ -18,6 +18,8 @@ profile newuidmap @{exec_path} {
 @{exec_path} mr,
+ @{etc_ro}/login.defs r,
+ @{etc_ro}/login.defs.d/{,*} r,
 /etc/subuid r,
 @{PROC}/@{pids}/ r,
diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/groups/shadow/passwd
similarity index 100%
rename from apparmor.d/profiles-m-r/passwd
rename to apparmor.d/groups/shadow/passwd
diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/groups/shadow/pwck
similarity index 91%
rename from apparmor.d/profiles-m-r/pwck
rename to apparmor.d/groups/shadow/pwck
index 0c9e1ac0a..456a15af4 100644
--- a/apparmor.d/profiles-m-r/pwck
+++ b/apparmor.d/groups/shadow/pwck
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/pwck
+@{exec_path} = @{sbin}/pwck
 profile pwck @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -16,7 +16,8 @@ profile pwck @{exec_path} flags=(attach_disconnected) {
 @{bin}/nscd rix,
- /etc/login.defs r,
+ @{etc_ro}/login.defs r,
+ /etc/.pwd.lock wk,
 /etc/passwd rw,
 /etc/passwd.@{int} rw,
diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/groups/shadow/useradd
similarity index 95%
rename from apparmor.d/profiles-s-z/useradd
rename to apparmor.d/groups/shadow/useradd
index d27a34207..b10487cf2 100644
--- a/apparmor.d/profiles-s-z/useradd
+++ b/apparmor.d/groups/shadow/useradd
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/useradd
+@{exec_path} = @{sbin}/useradd
 profile useradd @{exec_path} {
 include
 include
@@ -25,12 +25,12 @@ profile useradd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{bin}/pam_tally2 rCx -> pam_tally2, /etc/default/useradd r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/groups/shadow/userdel similarity index 96% rename from apparmor.d/profiles-s-z/userdel rename to apparmor.d/groups/shadow/userdel index 05df64874..589c726d0 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/userdel +@{exec_path} = @{sbin}/userdel profile userdel @{exec_path} flags=(attach_disconnected) { include include @@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/groups/shadow/usermod similarity index 96% rename from apparmor.d/profiles-s-z/usermod rename to apparmor.d/groups/shadow/usermod index c0f8f0e45..b59260a25 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/groups/shadow/usermod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/usermod +@{exec_path} = @{sbin}/usermod profile usermod @{exec_path} flags=(attach_disconnected) { include include @@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/subuid r, /etc/{passwd,shadow,gshadow,group} rw, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/groups/snap/snap similarity index 84% rename from apparmor.d/profiles-s-z/snap rename to apparmor.d/groups/snap/snap index aa1f6b2b8..425d5cd66 100644 --- a/apparmor.d/profiles-s-z/snap 
+++ b/apparmor.d/groups/snap/snap @@ -10,7 +10,7 @@ include @{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{bin_dirs}/snap -profile snap @{exec_path} { +profile snap @{exec_path} flags=(attach_disconnected) { include include include @@ -24,6 +24,8 @@ profile snap @{exec_path} { network netlink raw, + ptrace read peer=snap.*, + unix (send, receive) type=stream peer=(label=apt), mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, @@ -32,13 +34,20 @@ profile snap @{exec_path} { #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents member=GetMountPoint peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, @{bin}/mount rix, @@ -73,15 +82,17 @@ profile snap @{exec_path} { @{run}/mount/utab r, @{run}/snapd.socket rw, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/security/apparmor/features/{,**} r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, + owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, 
diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/groups/snap/snap-device-helper similarity index 100% rename from apparmor.d/profiles-s-z/snap-device-helper rename to apparmor.d/groups/snap/snap-device-helper diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns similarity index 96% rename from apparmor.d/profiles-s-z/snap-discard-ns rename to apparmor.d/groups/snap/snap-discard-ns index f1f6f9d67..38396f3eb 100644 --- a/apparmor.d/profiles-s-z/snap-discard-ns +++ b/apparmor.d/groups/snap/snap-discard-ns @@ -20,6 +20,7 @@ profile snap-discard-ns @{exec_path} { umount @{run}/snapd/ns/*.mnt, @{exec_path} mr, + @{lib_dirs}/**.so* mr, / r, @{run}/ r, diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/groups/snap/snap-failure similarity index 96% rename from apparmor.d/profiles-s-z/snap-failure rename to apparmor.d/groups/snap/snap-failure index a4f89f558..edc9845e8 100644 --- a/apparmor.d/profiles-s-z/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -13,6 +13,7 @@ profile snap-failure @{exec_path} { include @{exec_path} mr, + @{lib_dirs}/**.so* mr, @{bin}/systemctl rCx -> systemctl, @{lib_dirs}/snapd/snapd rPx, diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp similarity index 99% rename from apparmor.d/profiles-s-z/snap-seccomp rename to apparmor.d/groups/snap/snap-seccomp index e7660f7b8..7857bcc6a 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -19,7 +19,6 @@ profile snap-seccomp @{exec_path} { network netlink raw, @{exec_path} mr, - @{lib_dirs}/**.so* mr, @{bin}/getent rix, diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns similarity index 85% rename from apparmor.d/profiles-s-z/snap-update-ns rename to apparmor.d/groups/snap/snap-update-ns index 3ce5bfdd4..5d7c18d59 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns 
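Review bot: The snap-seccomp hunk removes `@{lib_dirs}/**.so* mr,` while the same rule is being added to snap-discard-ns and snap-failure on this line and to snapd-aa-prompt-listener and snapd-aa-prompt-ui further down. If snap-seccomp now gets the shared-library mapping from an include (the include targets are not visible in this rendering), a comment at the removal point such as `# .so* mapping provided by <INCLUDE-NAME>` would mark the asymmetry as intentional rather than a likely regression; otherwise the rule should stay. The snap-seccomp profile body continues outside the hunk.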
@@ -18,18 +18,20 @@ profile snap-update-ns @{exec_path} { network netlink raw, - mount -> /boot/, + mount -> @{efi}/, mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, mount -> /var/lib/dhcp/, - umount /snap/**, - umount /var/lib/dhcp/, umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, + umount /snap/**, + umount /tmp/.snap/**, umount /usr/share/xml/iso-codes/, + umount /var/lib/dhcp/, @{exec_path} mr, + @{lib_dirs}/**.so* mr, @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, /usr/share/xml/iso-codes/ w, @@ -38,10 +40,17 @@ profile snap-update-ns @{exec_path} { / r, /tmp/ r, + /usr/ r, + /usr/local/ r, + /usr/local/share/ r, + /usr/local/share/doc/ rw, + /usr/local/share/fonts/ rw, owner /snap/{,**} rw, owner /var/ rw, + owner /var/lib/ rw, + owner /var/lib/snapd/ rw, owner /var/snap/ rw, owner /var/snap/**/ rw, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/groups/snap/snapd similarity index 70% rename from apparmor.d/profiles-s-z/snapd rename to apparmor.d/groups/snap/snapd index 250005f55..0f975b3b0 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/groups/snap/snapd 
@@ -47,41 +47,45 @@ profile snapd @{exec_path} { umount /tmp/syscheck-mountpoint-@{int}/, umount /snap/*/*/, - ptrace (read) peer=snap, - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, + ptrace read peer=snap{,.*}, - unix (bind) type=stream addr=@@{udbus}/bus/systemctl/, + signal send set=kill peer=snapd//journalctl, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.timedate1), @{exec_path} mrix, - @{bin}/adduser rPx, - @{bin}/groupadd rPx, - @{bin}/hostnamectl rPx, - @{bin}/ssh-keygen rPx, - @{bin}/useradd rPx, - @{sh_path} rix, - @{bin}/apparmor_parser rPx, + @{sbin}/adduser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/cp rix, @{bin}/getent rix, + @{sbin}/groupadd rPx, @{bin}/gzip rix, - @{bin}/journalctl rPx, + @{bin}/hostnamectl rPx, + @{bin}/journalctl rCx -> journalctl, @{bin}/kmod rPx, @{bin}/mount rix, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, + @{bin}/ssh-keygen rPx, @{bin}/sync rix, - @{bin}/systemctl rix, + @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/tar rix, @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/unsquashfs rix, @{bin}/update-desktop-database rPx, + @{sbin}/useradd rPx, @{bin_dirs}/fc-cache-* mr, @{bin_dirs}/snap rPUx, 
@@ -98,17 +102,18 @@ profile snapd @{exec_path} { /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**/} r, + @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, - /etc/environment r, /etc/fstab r, /etc/mime.types r, /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, + /etc/polkit-1/rules.d/{,**/} r, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, - /etc/systemd/user/{,**/} r, + /etc/systemd/user/{,**/} rw, /etc/systemd/user/**/*snap* rw, /etc/systemd/user/*snap* rw, /etc/udev/rules.d/{,*snap*} rw, @@ -128,8 +133,8 @@ profile snapd @{exec_path} { /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, - /boot/ r, - /boot/grub/grubenv r, + @{efi}/ r, + @{efi}/grub/grubenv r, / r, /home/ r, @@ -146,6 +151,7 @@ profile snapd @{exec_path} { @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, + @{run}/mount/utab.act rk, @{run}/snapd*.socket rw, @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, @@ -153,17 +159,15 @@ profile snapd @{exec_path} { @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, - @{sys}/fs/cgroup/system.slice/{,**/} r, - @{sys}/fs/cgroup/user.slice/ r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/ r, + @{sys}/fs/cgroup/*.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/kexec_loaded r, @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, - @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/stat r, 
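Review bot: `/etc/systemd/user/{,**/} r,` becomes `rw,` in the first hunk on this line, which lets snapd create, rename and remove any directory under /etc/systemd/user, not only the snap-named units already covered by `/etc/systemd/user/**/*snap* rw,` and `/etc/systemd/user/*snap* rw,`. If the write is only needed for directories snapd creates for its own units, a rule on those paths would keep the earlier least-privilege shape; if it is genuinely needed everywhere, a comment naming the triggering operation (constructed example: `# snapd recreates per-unit drop-in directories on refresh`) should accompany the widening.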
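Review bot: In the last hunk on this line `@{sys}/fs/cgroup/*.slice/ r,` is fully covered by the following `@{sys}/fs/cgroup/*.slice/{,**/} r,` (the empty alternative matches the slice directory itself), so one of the two lines is redundant. The replacement `@{sys}/fs/cgroup/*.slice/**/cgroup.procs r,` also widens the old snap*.service-specific reads to every cgroup's process list; that is probably what the process lookup needs, but the removed lines documented the exact paths, so a comment such as `# snapd walks all cgroups to find running snap processes` would preserve that intent.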
@@ -176,10 +180,54 @@ profile snapd @{exec_path} { /dev/loop-control rw, + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + network netlink raw, + + /etc/systemd/system/{,**/} r, + /etc/systemd/system/snap* rw, + /etc/systemd/user/{,**/} rw, + /etc/systemd/user/**/*snap* rw, + /etc/systemd/user/*snap* rw, + + @{run}/systemd/notify rw, + + include if exists + } + + profile journalctl { + include + include + + capability net_admin, + capability sys_resource, + + network netlink raw, + + signal receive set=kill peer=snapd, + + @{bin}/journalctl mr, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + @{run}/systemd/notify w, + + include if exists + } + profile runuser { include - @{bin}/runuser mr, + @{sbin}/runuser mr, include if exists } diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener similarity index 95% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-listener rename to apparmor.d/groups/snap/snapd-aa-prompt-listener index 5620fc975..7b9adced7 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -13,6 +13,7 @@ profile snapd-aa-prompt-listener @{exec_path} { include @{exec_path} mrix, + @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui similarity index 95% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-ui rename to apparmor.d/groups/snap/snapd-aa-prompt-ui index 14354cfb9..0d26f42d3 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -13,6 +13,7 @@ profile snapd-aa-prompt-ui @{exec_path} { include @{exec_path} mrix, + @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, 
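Review bot: The new `systemctl` child profile has no exec rule for its own binary, whereas the sibling `journalctl` child carries `@{bin}/journalctl mr,` and the existing `runuser` child carries `@{sbin}/runuser mr,`; unless one of the (not rendered) includes supplies `@{bin}/systemctl mr,`, the `rCx -> systemctl` transition added earlier in this file will fail with an exec denial. Both new children also take `capability net_admin,` and `capability sys_resource,` without a comment, and neither is obviously required to run systemctl or journalctl, so a `# needed for <REASON>` line next to them — or dropping them if the includes already cover the netlink needs — would help. The journalctl child writes `@{run}/systemd/notify w,` while the systemctl child has `rw,`; the read side on a notify socket looks unnecessary.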
diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor similarity index 94% rename from apparmor.d/profiles-s-z/snapd-apparmor rename to apparmor.d/groups/snap/snapd-apparmor index 6d873982b..63251a976 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -15,7 +15,7 @@ profile snapd-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/systemd-detect-virt rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 3deddb092..a0fc3e2f8 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -6,8 +6,7 @@ abi , include -@{exec_path} = @{lib}/openssh/sftp-server -@{exec_path} += @{lib}/ssh/sftp-server +@{exec_path} = @{lib}/{openssh,ssh}/sftp-server profile sftp-server @{exec_path} { include include diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 69f594f7a..43fbddc63 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -11,21 +11,23 @@ include profile ssh @{exec_path} { include include + include include - signal (receive) set=(term) peer=gnome-keyring-daemon, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=term peer=gnome-keyring-daemon, + signal send set=hup peer=unconfined, + @{exec_path} mrix, @{bin}/@{shells} rUx, - @{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper, + @{lib}/{,ssh/}ssh-sk-helper rix, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, 
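Review bot: In the ssh hunk, `@{lib}/{,ssh/}ssh-sk-helper rix,` replaces the earlier `rPx -> ssh-sk-helper`, so the FIDO helper now runs inside the ssh profile with all of ssh's permissions, and the sysfs/hidraw rules it needs are added to ssh itself in the next hunk (`/dev/hidraw@{int} rwk,` and the `@{sys}/class/hidraw/…` lines). The dedicated ssh-sk-helper profile still exists and is updated later in this diff, so keeping the `Px` transition and placing the hidraw rules there would confine the security-key device access to the helper alone; if the inline exec is deliberate (for example because a transition breaks an inherited descriptor), a comment on the rule stating that reason would stop it being reverted. The added `signal send set=hup peer=unconfined,` is also undocumented; naming the recipient it targets would help.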
@@ -42,13 +44,23 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/hidraw/hidraw@{int} r, + owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, + /dev/hidraw@{int} rwk, + include if exists } diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 72d6618e6..f6732b1cf 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -19,6 +19,7 @@ profile ssh-agent @{exec_path} { @{sh_path} rix, @{bin}/gpg-agent rPx, + @{bin}/im-launch rPx, owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index c9f0c6373..86bd0866f 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -15,7 +15,7 @@ profile ssh-agent-launch @{exec_path} { @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ssh-agent rPx, /etc/X11/Xsession.options r, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 14cbd3c87..397ffdcd6 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -8,7 +8,6 @@ abi , include @{exec_path} = @{bin}/ssh-keygen - profile ssh-keygen @{exec_path} { include include diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index d913e2a2d..ff9de97c3 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper 
+++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -6,9 +6,10 @@ abi , include -@{exec_path} = @{lib}/ssh/ssh-sk-helper +@{exec_path} = @{lib}/{,ssh/}ssh-sk-helper profile ssh-sk-helper flags=(complain) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index b4ecc068e..63f2c1370 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -15,7 +15,7 @@ abi , include -@{exec_path} = @{bin}/sshd +@{exec_path} = @{sbin}/sshd profile sshd @{exec_path} flags=(attach_disconnected) { include include @@ -25,12 +25,14 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, - capability dac_read_search, capability dac_override, + capability dac_read_search, capability fowner, + capability fsetid, capability kill, capability net_bind_service, capability setgid, 
@@ -49,25 +51,31 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(hup) peer=@{p_systemd}, + unix type=stream peer=(label=sshd-session), - ptrace (read,trace) peer=@{p_systemd}, + signal receive set=hup peer=@{p_systemd}, - unix (bind) type=stream addr=@@{udbus}/bus/sshd/system, + ptrace (read trace) peer=@{p_systemd}, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{bin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/openssh/sftp-server rPx, - @{lib}/ssh/sshd-session rix, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/false ix, + @{sbin}/nologin Px, + @{bin}/passwd Px, + @{lib}/{openssh,ssh}/sftp-server Px, + @{lib}/{openssh,ssh}/sshd-auth Px, + @{lib}/{openssh,ssh}/sshd-session Px, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -94,7 +102,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, 
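Review bot: The second hunk on this line drops `owner` from `@{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,`, while the new sshd-session profile added later in this diff keeps `owner` on the identical rule. As far as I know OpenSSH switches to the target user's uid before opening authorized_keys, so either both profiles need the unqualified form or neither does; the mismatch will surface as a denial in one of them. If the change was driven by an observed denial (for instance a root-owned authorized_keys file), a comment like `# authorized_keys may be root-owned (AuthorizedKeysFile outside ~)` would record why the owner restriction was relaxed here.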
@@ -107,7 +115,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-@{word}.scope/ rw, @{PROC}/@{pids}/fd/ r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth new file mode 100644 index 000000000..c1601b813 --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-auth @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-auth +profile sshd-auth @{exec_path} { + include + include + + capability setgid, + capability setuid, + capability sys_chroot, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + @{sbin}/sshd.hmac r, + + /etc/gss/mech.d/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session new file mode 100644 index 000000000..5f09af5cc --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-session 
@@ -0,0 +1,90 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-session +profile sshd-session @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include #aa:only RBAC + + capability audit_write, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + + # sshd doesn't require net_admin. libpam-systemd tries to + # use it if available to set the send/receive buffers size, + # but will fall back to a non-privileged version if it fails. + deny capability net_admin, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + unix type=stream peer=(label=sshd), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + + @{exec_path} mr, + + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{lib}/{openssh,ssh}/sshd-auth Px, + + @{etc_rw}/motd r, + @{etc_rw}/motd.d/{,**} r, + /etc/machine-id r, + /etc/motd r, + + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + + /var/lib/wtmpdb/ w, + + owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + + owner @{user_cache_dirs}/{,motd*} rw, + + @{att}/@{run}/systemd/sessions/@{int}.ref w, + + @{run}/motd.d/{,*} r, + @{run}/motd.dynamic rw, + @{run}/motd.dynamic.new rw, + + @{PROC}/1/limits r, + owner 
@{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index a367b0f7a..12e7d8930 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -13,6 +13,10 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{HOME}/*/, mount fstype=fuse.sshfs -> @{HOME}/*/*/, + mount fstype=fuse.sshfs -> @{MOUNTDIRS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), @@ -27,23 +31,24 @@ profile sshfs @{exec_path} flags=(complain) { profile fusermount flags=(complain) { include - include - - capability sys_admin, + include mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTDIRS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/, + + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/groups/steam/steam similarity index 95% rename from apparmor.d/profiles-s-z/steam rename to apparmor.d/groups/steam/steam index 252c89869..5009b970d 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/groups/steam/steam 
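Review bot: sshd-session gets `unix type=stream peer=(label=sshd),` (matching the rule added to sshd) and execs `@{lib}/{openssh,ssh}/sshd-auth Px,`, but neither this profile nor the new sshd-auth profile has a unix rule toward the other. If sshd-session and sshd-auth exchange messages over an inherited socketpair the way sshd and sshd-session do, both sides will need the symmetric rule (`unix type=stream peer=(label=sshd-auth),` here and `unix type=stream peer=(label=sshd-session),` in sshd-auth); if the channel is a plain pipe this is a non-issue and a one-line comment saying so would settle it.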
@@ -21,7 +21,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -67,7 +67,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{open_path} rPx -> child-open, @{bin}/getopt rix, @{bin}/journalctl rPx -> systemctl, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, @@ -109,6 +109,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @{runtime_dirs}/run{,.sh} rix, @@ -174,6 +175,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/steam/** rwk, owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + owner @{tmp}/steam@{rand6} rwk, owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, @@ -188,7 +190,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/ r, @{sys}/bus/ r, 
@@ -275,7 +277,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/localedef rix, @{bin}/readlink rix, @{bin}/true rix, @@ -292,6 +294,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/host/@{lib}/** rix, @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/config/htmlcache/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/linux{32,64}/steamclient.so mr, @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, @@ -302,12 +306,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/ r, /usr/local/lib/ r, /var/tmp/ r, + /home/ r, owner /bindfile@{rand6} rw, owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, + owner @{HOME}/ r, + owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, @@ -317,6 +324,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/public/** k, @{tmp}/ r, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6} rw, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6}/{,**} rw, owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, @@ -324,6 +333,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + owner /dev/shm/.com.valvesoftware.Steam.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, @@ -345,6 +355,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, + @{PROC}/version r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, 
@@ -360,6 +371,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/hidraw@{int} rw, /dev/tty rw, + @{att}/dev/dri/renderD128 rw, + include if exists } @@ -370,6 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_override, capability dac_read_search, + capability sys_ptrace, unix receive type=stream, diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/groups/steam/steam-fossilize similarity index 91% rename from apparmor.d/profiles-s-z/steam-fossilize rename to apparmor.d/groups/steam/steam-fossilize index e3e7f87e2..a5dd65b7c 100644 --- a/apparmor.d/profiles-s-z/steam-fossilize +++ b/apparmor.d/groups/steam/steam-fossilize @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -39,11 +39,13 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/@{pids}/statm r, + @{PROC}/@{pid}/statm r, @{PROC}/pressure/io r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny network inet stream, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/groups/steam/steam-game-native similarity index 95% rename from apparmor.d/profiles-s-z/steam-game-native rename to apparmor.d/groups/steam/steam-game-native index ca80801d7..ba06d56a4 100644 --- a/apparmor.d/profiles-s-z/steam-game-native +++ b/apparmor.d/groups/steam/steam-game-native 
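Review bot: `@{att}/dev/dri/renderD128 rw,` hard-codes the first render node, while the surrounding rules use `@{int}` for numbered devices (`/dev/hidraw@{int} rw,` just above); on hosts with more than one GPU the render node in use can be renderD129 or higher. `@{att}/dev/dri/renderD@{int} rw,` keeps the rule consistent with the rest of the profile. The enclosing profile block starts outside the hunk.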
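Review bot: The second hunk on this line adds `capability sys_ptrace,` next to `dac_override`/`dac_read_search` with no comment on what it is for, and the block it belongs to starts outside the hunk, so it is not visible whether a `ptrace` rule accompanies it. On current kernels reading another process's /proc entries needs both the capability and a `ptrace read peer=…` rule, so if that is the use case the rule should be added alongside; if the capability only silences an audit line, a `deny capability sys_ptrace,` with a comment would keep the grant out of the profile.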
@@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton similarity index 74% rename from apparmor.d/profiles-s-z/steam-game-proton rename to apparmor.d/groups/steam/steam-game-proton index ab82925a5..1b094c2a3 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -6,7 +6,8 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -35,18 +36,24 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mr, @{bin}/bwrap mrix, + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/env rix, @{bin}/chmod rix, @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, + @{bin}/ln rix, @{bin}/localedef rix, - @{bin}/python3.@{int} rix, + @{bin}/mkdir rix, @{bin}/readlink rix, + @{bin}/rm rix, @{bin}/steam-runtime-launcher-interface-@{int} rix, @{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-urlopen rix, @{bin}/true rix, + @{python_path} rix, @{open_path} rix, @{lib_dirs}/** mr, 
@@ -54,9 +61,17 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + # TODO stack with steam ? rpx -> steam-game-proton&//steam, + @{runtime_dirs}/run.sh rix, + @{runtime_dirs}/@{arch}@{bin}/steam-runtime-identify-library-abi rix, + @{runtime_dirs}/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/run.sh rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-identify-library-abi rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/** mrix, - @{run}/host/@{bin}/ldconfig rix, + @{run}/host/@{sbin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @{run}/host/@{lib}/** mr, @@ -72,6 +87,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, + owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/* rw, owner @{app_dirs}/Proton*/** rwkl, owner @{share_dirs}/*.dll r, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/groups/steam/steam-gameoverlayui similarity index 95% rename from apparmor.d/profiles-s-z/steam-gameoverlayui rename to apparmor.d/groups/steam/steam-gameoverlayui index 0cd837135..278b47e98 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/groups/steam/steam-gameoverlayui @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
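Review bot: `@{app_dirs}/** mrix,` is added beneath three new `@{app_dirs}/SteamLinuxRuntime/var/steam-runtime/… rix,` rules that it completely subsumes, and it lets any file in the user-writable game library (downloaded game content included) execute inherited in this profile. The `# TODO stack with steam ?` comment just above suggests this is a placeholder; if the broad rule is meant to stay, the three specific ones can be removed and the TODO expanded to say that `@{app_dirs}/** mrix,` is deliberately the catch-all for game launchers until a stacked profile exists. The profile is in complain mode, so this currently only affects logging, but it becomes the enforced policy once the flag is removed.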
@@ -49,6 +49,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { owner @{share_dirs}/resource/{,**} rk, owner @{share_dirs}/userdata/@{int}/{,**} rk, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, + owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/groups/steam/steam-launch similarity index 66% rename from apparmor.d/profiles-s-z/steam-launch rename to apparmor.d/groups/steam/steam-launch index 977248c96..321c9c9c5 100644 --- a/apparmor.d/profiles-s-z/steam-launch +++ b/apparmor.d/groups/steam/steam-launch @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -22,23 +22,37 @@ profile steam-launch @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/cat rix, @{bin}/cmp rix, @{bin}/cp rix, @{bin}/dirname rix, @{bin}/env rix, @{bin}/id rix, @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/rmdir rix, @{lib}/steam/steam rix, @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, + @{lib_dirs}/** mr, + + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/* r, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, /usr/ r, /usr/local/ r, owner @{share_dirs}/bootstrap.tar.xz rw, + owner @{share_dirs}/logs/ r, + owner @{share_dirs}/logs/* rwk, + + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/ rw, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/fifo rw, + + owner @{PROC}/@{pid}/fd/@{int} rw, /dev/tty rw, 
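Review bot: The runtime binary paths are spelled two ways in this commit: steam-launch uses `@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx,` while steam-game-proton uses `@{runtime_dirs}/@{arch}@{bin}/steam-runtime-identify-library-abi rix,` (no slash before `@{bin}`). Whether `@{bin}` carries a leading slash decides which form actually matches, so one of the two profiles presumably never matches and the tool either runs under the wrong rule or is denied; pick one spelling and use it in both. The new `@{lib_dirs}/** mr,` and the `srt-logger rix` rule also execute code from the user-writable Steam install under a profile that is not in complain mode, which deserves a one-line comment saying that is accepted. The steam-launch profile body continues outside this hunk.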
diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/groups/steam/steam-launcher similarity index 94% rename from apparmor.d/profiles-s-z/steam-launcher rename to apparmor.d/groups/steam/steam-launcher index 0bd8c67d3..e73b30d1a 100644 --- a/apparmor.d/profiles-s-z/steam-launcher +++ b/apparmor.d/groups/steam/steam-launcher @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/groups/steam/steam-runtime similarity index 91% rename from apparmor.d/profiles-s-z/steam-runtime rename to apparmor.d/groups/steam/steam-runtime index 2a3e839ff..543324c0f 100644 --- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/groups/steam/steam-runtime @@ -6,7 +6,8 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
@@ -50,16 +51,17 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{lib}/ r, @{lib_dirs}/ r, + owner @{HOME}/ r, owner @{HOME}/.steam/steam.pipe r, owner @{app_dirs}/*/ r, owner @{app_dirs}/config/config.vdf{,.*} rw, owner @{app_dirs}/@{runtime}/** r, owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, - owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, + owner @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/** rwk, owner @{app_dirs}/@{runtime}/var/** rwk, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, - owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**, owner @{share_dirs}/config/config.vdf{,.*} rw, owner @{share_dirs}/steamapps/appmanifest_* rw, @@ -78,6 +80,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/groups/steam/steam-runtime-steam-remote similarity index 94% rename from apparmor.d/profiles-s-z/steam-runtime-steam-remote rename to apparmor.d/groups/steam/steam-runtime-steam-remote index 93a93e892..b7d5f2b15 100644 --- a/apparmor.d/profiles-s-z/steam-runtime-steam-remote +++ b/apparmor.d/groups/steam/steam-runtime-steam-remote @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter similarity index 93% rename from apparmor.d/profiles-s-z/steamerrorreporter rename to apparmor.d/groups/steam/steamerrorreporter index 27fe69be9..d438c604d 100644 --- a/apparmor.d/profiles-s-z/steamerrorreporter +++ b/apparmor.d/groups/steam/steamerrorreporter @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -34,8 +34,6 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dumps/ r, owner @{tmp}/dumps/*_log.txt rw, - owner @{PROC}/@{pid}/status r, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-bless-boot rename to apparmor.d/groups/systemd-generators/systemd-generator-bless-boot diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cloud-init rename to apparmor.d/groups/systemd-generators/systemd-generator-cloud-init diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cryptsetup rename to apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup 
diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-debug rename to apparmor.d/groups/systemd-generators/systemd-generator-debug diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify similarity index 90% rename from apparmor.d/groups/systemd/systemd-generator-ds-identify rename to apparmor.d/groups/systemd-generators/systemd-generator-ds-identify index 6b42e55ed..daa877efe 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify @@ -12,15 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { include include - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @{sh_path} rix, - @{bin}/blkid rPx, + @{bin}/{,e}grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, + @{sbin}/blkid rPx, /etc/cloud/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-arch rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-arch diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-flatpak rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak 
diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd similarity index 53% rename from apparmor.d/profiles-s-z/snap-repair rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd index fe9be759a..b18bd6bd5 100644 --- a/apparmor.d/profiles-s-z/snap-repair +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd @@ -6,13 +6,13 @@ abi , include -@{exec_path} = @{lib}/snapd/snap-repair -profile snap-repair @{exec_path} { +@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator +profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery new file mode 100644 index 000000000..1af9fe22f --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/friendly-recovery +profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cat rix, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-fstab rename to apparmor.d/groups/systemd-generators/systemd-generator-fstab 
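Review bot: Renaming `snap-repair` into `systemd-generator-environment-snapd` removes the profile for `@{lib}/snapd/snap-repair` rather than adding a new one, so after this commit snap-repair has no attachment and runs unconfined (or under whatever its parent transition grants) instead of the previous minimal profile. If dropping that confinement is intended, the commit message should say so; otherwise keep the old `@{exec_path} = @{lib}/snapd/snap-repair` profile and add the snapd-env-generator profile as a new file. The new friendly-recovery generator in the same line looks complete for what its ExecStart comment shows.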
diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-getty rename to apparmor.d/groups/systemd-generators/systemd-generator-getty diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-gpt-auto rename to apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 0d6c09c6b..4bf0092d0 100644 --- a/apparmor.d/groups/systemd/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -17,8 +17,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, / r, - /boot/ r, - /efi/ r, + @{efi}/ r, /etc/fstab r, /usr/ r, diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-hibernate-resume rename to apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import new file mode 100644 index 000000000..de3753aaf --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import 
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator +profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { + include + + capability sys_ptrace, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + / r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-integritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-integritysetup diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn new file mode 100644 index 000000000..780c63d56 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator +profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/ls ix, + @{bin}/mkdir ix, + + /etc/default/openvpn r, + /etc/openvpn/ r, + + @{run}/systemd/generator/openvpn.service.wants/{,**} w, + + include if exists +} + +# vim:syntax=apparmor 
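Review bot: systemd-generator-import grants `capability sys_ptrace,` on top of `ptrace read peer=@{p_systemd},`, while the sibling generators in this commit (rc-local, sysv, tpm2) read the same `@{PROC}/1/environ` with only the ptrace rule and no capability. Either the capability is unnecessary here and should be dropped to match the others, or the others are missing it and will be denied in enforce mode; a denial log from one of them would settle it. If it stays, add a why-comment such as `# reading /proc/1/environ of systemd needs CAP_SYS_PTRACE` so the next reader does not have to re-derive it. The openvpn generator on the same line only grants `/etc/openvpn/ r`, so if the script inspects the config files themselves it will need `/etc/openvpn/*.conf r,` as well.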
diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-ostree rename to apparmor.d/groups/systemd-generators/systemd-generator-ostree diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local new file mode 100644 index 000000000..3e8bec6c5 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-rc-local-generator +profile systemd-generator-rc-local @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd-generators/systemd-generator-run similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-run rename to apparmor.d/groups/systemd-generators/systemd-generator-run diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd new file mode 100644 index 000000000..8544a7938 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-snapd 
@@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/snapd-generator +profile systemd-generator-snapd @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{PROC}/1/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh new file mode 100644 index 000000000..0f6aa11d9 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator +profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { + include + + capability net_admin, + + network vsock stream, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sbin}/sshd r, + + @{run}/ r, + @{run}/systemd/ r, + @{run}/systemd/generator/ r, + @{run}/systemd/generator/sockets.target.wants/ rw, + @{run}/systemd/generator/sockets.target.wants/*.socket w, + @{run}/systemd/generator/sshd-*.service w, + @{run}/systemd/generator/sshd-*.socket rw, + @{run}/systemd/system/ r, + @{run}/systemd/transient/ r, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/firmware/dmi/entries/*/raw r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + /dev/vsock r, + + include if exists +} + +# vim:syntax=apparmor 
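Review bot: `capability net_admin,` together with `network vsock stream,` and `/dev/vsock r,` is an unusual grant for a unit generator and carries no explanation in the profile; presumably it is needed to query the local vsock CID before deciding whether to emit an sshd-vsock socket, but that should be stated, e.g. `# probe AF_VSOCK / local CID to decide whether to generate sshd-vsock units`. The write rules are otherwise tightly scoped to `@{run}/systemd/generator/sshd-*` and `sockets.target.wants/`, which is good. If net_admin turns out to be only for an ioctl on the vsock socket, confirm with a denial log before keeping it, since it also unlocks interface and routing changes.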
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket new file mode 100644 index 000000000..f08df7d90 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/sshd-socket-generator +profile systemd-generator-sshd-socket @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, + + @{run}/systemd/generator/ssh.socket.d/{,*} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-system-update rename to apparmor.d/groups/systemd-generators/systemd-generator-system-update diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv new file mode 100644 index 000000000..fc290fca4 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-sysv 
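Review bot: systemd-generator-sshd-socket gets `network inet dgram,`, `network inet6 dgram,` and `network netlink raw,` without any exec rule for sshd, so the generator must parse `sshd_config` itself and the sockets are presumably for resolving `ListenAddress` entries. State that in a comment (`# name resolution for ListenAddress entries`) and, if the project has a name-service abstraction, prefer including it over raw network rules so the DNS-related file access is covered consistently. If the generator never resolves names, the three network rules should go.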
@@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-sysv-generator +profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + /etc/init.d/{,**} r, + /etc/rc@{int}.d/{,**} r, + + @{run}/systemd/generator.late/** w, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 new file mode 100644 index 000000000..ee5d924cc --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator +profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sys}/class/tpmrm/ r, + @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart similarity index 90% rename from apparmor.d/groups/systemd/systemd-generator-user-autostart rename to apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index c42548ef5..8e3ebb6b3 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-autostart 
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator -profile systemd-generator-user-autostart @{exec_path} { +profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment similarity index 90% rename from apparmor.d/groups/systemd/systemd-generator-user-environment rename to apparmor.d/groups/systemd-generators/systemd-generator-user-environment index db128405f..27db22078 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/user-environment-generators/* -profile systemd-generator-user-environment @{exec_path} { +profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-veritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-veritysetup diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service new file mode 100644 index 000000000..1b585c0cc --- /dev/null +++ b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service 
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# /bin/bash -c 'read args <&3; echo "args=$args"; \
+# exec /usr/bin/cloud-init devel hotplug-hook $args; \
+# exit 0'
+
+abi ,
+
+include
+
+profile cloud-init-hotplugd.service {
+ include
+
+ @{sh_path} ix,
+ @{bin}/cloud-init Px,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service
new file mode 100644
index 000000000..9f8e235cf
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/debug-shell.service
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStart=/usr/bin/bash
+
+abi ,
+
+include
+
+profile debug-shell.service {
+ include
+
+ all,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service
new file mode 100644
index 000000000..0a46f6ed9
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/dmesg.service
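Review bot: debug-shell.service is given `all,` with no explanatory comment, which makes it a root shell with every AppArmor permission while still looking like a confined unit in `aa-status`. The intent is presumably that the emergency debug shell must not be hampered by policy, so say it: `# Emergency root shell (ExecStart=/usr/bin/bash); intentionally unrestricted, keep the unit disabled except when debugging boot`. If the goal is really no mediation at all, consider whether the project's unconfined-profile convention (`flags=(unconfined)`) expresses that more honestly than a permissive rule set. cloud-init-hotplugd.service on the same line looks right for the quoted ExecStart.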
@@ -0,0 +1,63 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg +# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname +# ExecStartPost=/bin/chgrp adm /var/log/dmesg +# ExecStartPost=/bin/chmod 0640 /var/log/dmesg + +abi , + +include + +profile dmesg.service flags=(attach_disconnected) { + include + include + + capability chown, + capability fsetid, + capability sys_admin, + + ptrace read peer=@{p_systemd}, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chgrp rix, + @{bin}/chmod rix, + @{bin}/chown ix, + @{bin}/date ix, + @{bin}/dirname ix, + @{bin}/gzip ix, + @{bin}/gzip ix, + @{bin}/journalctl r, + @{bin}/ln ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/savelog rix, + @{bin}/touch ix, + + /etc/machine-id r, + + /var/log/ r, + /var/log/dmesg rw, + /var/log/dmesg.* rwl -> /var/log/dmesg, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, + + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service new file mode 100644 index 000000000..fc4de5edc --- /dev/null +++ b/apparmor.d/groups/systemd-service/grub-common.service 
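Review bot: `@{bin}/gzip ix,` appears twice in dmesg.service, and the archived-journal rules grant `rw` to a unit whose journalctl invocation (`--boot 0 --dmesg`) only reads; journalctl opens journal files read-only, so `/{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw,` and the four similar lines should be `r` unless a denial log shows otherwise. `capability sys_admin,` is also unexplained and very broad for chgrp/chmod/savelog on /var/log/dmesg; if it is really required, add a why-comment, otherwise drop it and let the denial surface. The `capability chown,` and `fsetid` grants are consistent with the quoted ExecStartPost lines.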
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' +# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail +# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' + +abi , + +include + +profile grub-common.service { + include + + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/grub-editenv rix, + @{bin}/mkdir ix, + @{bin}/rm ix, + + @{efi}/grub/ w, + @{efi}/grub/grubenv rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service new file mode 100644 index 000000000..f7d193e9e --- /dev/null +++ b/apparmor.d/groups/systemd-service/ldconfig.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /sbin/ldconfig -X + +abi , + +include + +profile ldconfig.service { + include + + @{lib}/ r, + @{sbin}/ldconfig r, + + /var/cache/ldconfig/aux-cache rw, + /var/cache/ldconfig/aux-cache~ rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service new file mode 100644 index 000000000..c3bfa7c32 --- /dev/null +++ b/apparmor.d/groups/systemd-service/man-db.service 
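Review bot: ldconfig.service covers `aux-cache` but nothing for the main cache: `ldconfig -X` skips symlink updates yet still rewrites `/etc/ld.so.cache` (via a temporary file) after reading `/etc/ld.so.conf` and `/etc/ld.so.conf.d/`. Unless the abstraction included at the top of the profile already provides it, add `/etc/ld.so.conf{,.d/{,*}} r,` and `/etc/ld.so.cache{,~} rw,`; a quick run in complain mode will confirm which of these are missing. grub-common.service on the same line matches its quoted ExecStart lines, though `@{sh_path} rix` plus `grub-editenv rix` means grub-editenv inherits the service profile, which is fine only as long as no dedicated grub-editenv profile exists.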
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete +# ExecStart=/usr/bin/mandb --quiet + +abi , + +include + +profile man-db.service flags=(attach_disconnected) { + include + include + + @{bin}/find ix, + @{bin}/install ix, + @{bin}/mandb r, + + /usr/{,local/}share/man/{,**} r, + + /etc/man_db.conf r, + /etc/manpath.config r, + + /usr/share/man/{,**} r, + /usr/local/man/{,**} r, + /usr/local/share/man/{,**} r, + + /usr/{,share/}man/{,**} r, + /usr/local/{,share/}man/{,**} r, + + /usr/share/**/man/man@{u8}/*.@{int}.gz r, + + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service new file mode 100644 index 000000000..a951747be --- /dev/null +++ b/apparmor.d/groups/systemd-service/secureboot-db.service 
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose + +abi , + +include + +profile secureboot-db.service flags=(complain) { + include + + @{bin}/chattr ix, + @{bin}/sbkeysync PUx, + + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service new file mode 100644 index 000000000..95f780b89 --- /dev/null +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile shadow.service flags=(attach_disconnected) { + include + include + + @{sh_path} rix, + @{sbin}/grpck Px -> &grpck, + @{sbin}/pwck Px -> &pwck, + + /etc/machine-id r, + /etc/shadow r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service new file mode 100644 index 000000000..ce819a791 --- /dev/null +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service 
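Review bot: secureboot-db.service runs `chattr -i` on the KEK, db and dbx efivars but grants no `capability linux_immutable,`, which clearing the immutable attribute requires; in the current `flags=(complain)` this only logs, but the profile will break the moment it is enforced, so add `capability linux_immutable, # chattr -i on efivars` now. `@{bin}/sbkeysync PUx,` also sends the one program that actually writes the Secure Boot key databases to unconfined whenever no sbkeysync profile exists; since that is the most sensitive step of the unit, a dedicated sbkeysync profile (with just these three efivars `rw` and `/usr/share/secureboot/updates/** r`) should be the follow-up rather than relying on the U fallback. shadow.service on the same line reads `/etc/shadow` directly although pwck/grpck are transitioned with `Px`; if the wrapper itself never opens it, that rule should move to those child profiles.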
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/mount /run -o remount,exec +# /bin/mkdir -p /run/initramfs +# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown + +abi , + +include + +profile snapd.system-shutdown.service { + include + + @{bin}/cp ix, + @{bin}/mkdir ix, + @{bin}/mount ix, + + @{lib}/snapd/system-shutdown r, + + @{run}/initramfs/ rw, + @{run}/initramfs/shutdown rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service new file mode 100644 index 000000000..4166cb76c --- /dev/null +++ b/apparmor.d/groups/systemd-service/system-update-cleanup.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=rm -fv /system-update /etc/system-update + +abi , + +include + +profile system-update-cleanup.service { + include + + @{bin}/rm ix, + + /etc/system-update w, + /system-update w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service new file mode 100644 index 000000000..00a62c933 --- /dev/null +++ b/apparmor.d/groups/systemd-service/usb_modeswitch.service @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile usb_modeswitch.service { + include + + @{sbin}/usb_modeswitch_dispatcher ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 05655d308..70a91197f 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
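Review bot: snapd.system-shutdown.service quotes `mount /run -o remount,exec` but grants neither `capability sys_admin,` nor a mount rule, so the remount will be denied in enforce mode; add `capability sys_admin,` and `mount options=(remount,exec) -> @{run}/,` next to the `@{bin}/mount ix,` line. `@{run}/initramfs/shutdown rw,` together with the `cp` of `@{lib}/snapd/system-shutdown` is what the unit needs, but note that whatever ends up at /run/initramfs/shutdown is executed as PID 1 at the end of shutdown, so the write rule deserves a comment saying that is intended. The usb_modeswitch and system-update-cleanup profiles on the same line are consistent with their quoted commands.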
@@ -7,35 +7,34 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} { +profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include include + capability linux_immutable, capability mknod, capability net_admin, + capability sys_rawio, + capability sys_resource, - signal (send) peer=child-pager, + signal send peer=child-pager, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, @{pager_path} rPx -> child-pager, - /{boot,efi}/ r, - /{boot,efi}/EFI/{,**} r, - /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, - /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - /{boot,efi}/EFI/systemd/systemd-boot*.efi w, - /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, - /{boot,efi}/loader/.#entries.srel* w, - /{boot,efi}/loader/{,**} r, - /{boot,efi}/loader/entries.srel w, - /{boot,efi}/loader/random-seed w, + @{efi}/ r, + @{efi}/@{hex32}/ rw, + @{efi}/EFI/{,**} rwl, + @{efi}/loader/ rw, + @{efi}/loader/** rwl -> @{efi}/loader/#@{int}, + /etc/kernel/.#entry-token@{hex16} rw, + /etc/kernel/entry-token rw, /etc/machine-id r, /etc/machine-info r, @@ -43,14 +42,15 @@ profile bootctl @{exec_path} { @{sys}/class/tpmrm/ r, + @{sys}/devices/pnp@{int}/**/tpm/tpm@{int}/tpm_version_major r, @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, 
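Review bot: `@{efi}/EFI/{,**} rwl,` replaces the previous file-specific write rules (`.#BOOT*.EFI@{hex}`, `BOOTX64.EFI`, `EFI/systemd/systemd-boot*.efi`) with read/write/link on every file under the ESP's EFI directory, which includes bootloader binaries this tool never touches. The hunk already keeps the `loader/` writes tied to the `#@{int}` temp-link pattern, so the same shape can be kept for EFI, e.g. `@{efi}/EFI/{,**} r,` plus `@{efi}/EFI/{BOOT,systemd}/** rwl -> @{efi}/EFI/{BOOT,systemd}/#@{int},` (the two subdirectories are taken from the removed rules; confirm against aa-log that no other EFI path is written). The new `capability linux_immutable,` and `capability sys_rawio,` lines carry no why-comment; if they cover the efivar immutable flag and direct ESP device access respectively, say so inline so they are not silently carried forward.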
@@ -60,8 +60,8 @@ profile bootctl @{exec_path} { @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 6516a500c..04ed76e72 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/busctl -profile busctl @{exec_path} { +profile busctl @{exec_path} flags=(attach_disconnected) { include include include @@ -20,11 +20,11 @@ profile busctl @{exec_path} { capability net_admin, capability sys_ptrace, - ptrace (read), + ptrace read, - unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl, + unix bind type=stream addr=@@{udbus}/bus/busctl/busctl, - signal (send) set=(cont) peer=child-pager, + signal send set=cont peer=child-pager, dbus eavesdrop bus=accessibility, dbus eavesdrop bus=session, 
@@ -34,18 +34,39 @@ profile busctl @{exec_path} { interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Monitoring + member=BecomeMonitor + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus send bus=system + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + dbus send bus=system + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, @{exec_path} mr, @{pager_path} rPx -> child-pager, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index d81933f5e..d1ee1141c 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -10,6 +10,9 @@ include @{exec_path} = @{bin}/coredumpctl profile coredumpctl @{exec_path} flags=(complain) { include + include + include + include include capability dac_read_search, 
@@ -31,9 +34,7 @@ profile coredumpctl @{exec_path} flags=(complain) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/* r, owner @{tmp}/*.coredump w, owner @{tmp}/core.* w, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index aaae97d64..3c962e309 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homectl -profile homectl @{exec_path} { +profile homectl @{exec_path} flags=(attach_disconnected) { include include include @@ -19,7 +19,7 @@ profile homectl @{exec_path} { signal send peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 3107d2d8e..6b29e260d 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -15,9 +15,11 @@ profile hostnamectl @{exec_path} { capability net_admin, - unix bind type=stream addr=@@{udbus}/bus/hostnamectl/system, - - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.hostname1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 3c5595345..c852b3756 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl 
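Review bot: The explicit `dbus send … member=GetAll peer=(name=org.freedesktop.hostname1),` rule in hostnamectl omits the `label=` that the `#aa:dbus talk` directive one line above pins to `@{p_systemd_hostnamed}`, so a GetAll exchange is accepted with any process holding that well-known name. Suggest `peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"),` so the hand-written rule matches the generated ones. The localectl hunk in this diff adds the same unlabeled GetAll rule and would benefit from the same change.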
@@ -20,19 +20,27 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal (receive) set=(term) peer=cockpit-bridge, - signal (send) peer=child-pager, + network netlink raw, + + signal receive set=kill peer=snapd, + signal receive set=term peer=cockpit-bridge, + signal send peer=child-pager, @{exec_path} mr, @{pager_path} rPx -> child-pager, + @{bin}/* r, + @{sbin}/* r, + /var/lib/dbus/machine-id r, /etc/machine-id r, /var/lib/systemd/catalog/database rw, /var/lib/systemd/catalog/.#database* rw, + /var/log/dmesg w, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, @@ -47,6 +55,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/journal/io.systemd.journal rw, + @{run}/systemd/notify rw, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 2cac865a4..0d46dbfed 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -10,15 +10,27 @@ include profile localectl @{exec_path} { include include + include capability net_admin, + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale1), + @{exec_path} mr, @{pager_path} rPx -> child-pager, + @{bin}/pkttyagent rPx, /usr/share/kbd/keymaps/{,**} r, + owner @{PROC}/@{pid}/cgroup r, + include if exists } diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 5386662c0..f516d16db 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl 
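Review bot: `/var/log/dmesg w,` and the blanket `@{bin}/* r,` / `@{sbin}/* r,` reads are added to journalctl without the why-comment this file uses for other non-obvious rules, and nothing in the hunk shows what journalctl itself writes to /var/log/dmesg. If the origin is a shell redirection such as `journalctl -k > /var/log/dmesg`, AppArmor revalidates the inherited descriptor at the profile transition so the rule is genuinely needed, but a comment like `# inherited fd from journalctl -k > /var/log/dmesg` saves the next reviewer the same question. For the binary reads, a hedged comment such as `# journalctl /path/to/exe resolves the _EXE= match (confirm)` would document the intent.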
@@ -7,26 +7,46 @@ abi , include @{exec_path} = @{bin}/loginctl -profile loginctl @{exec_path} { +profile loginctl @{exec_path} flags=(attach_disconnected) { include - include include + include include + include + include capability net_admin, capability sys_resource, signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, @{pager_path} rPx -> child-pager, + @{bin}/ssh rPx, + + /etc/machine-id r, + + @{run}/log/journal/ r, + + /var/lib/systemd/catalog/database r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, + /dev/rfkill r, + include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index ce81686ae..a0d1471f9 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -11,6 +11,7 @@ include profile networkctl @{exec_path} flags=(attach_disconnected) { include include + include capability net_admin, capability sys_module, @@ -26,7 +27,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get 
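Review bot: `/dev/rfkill r,` and `@{bin}/ssh rPx,` are the two additions to loginctl that a reader cannot map to a feature from the hunk, and neither has a comment. `ssh` is plausibly for `loginctl --host=` (remote bus transport), which is worth stating as `# for --host= over ssh`; I could not tie `/dev/rfkill` to any loginctl subcommand, so it is worth confirming from the audit record that the denial was logged under the loginctl label rather than captured from another profile. Note that the journal read rules added here cover `user-@{uid}@…` files of every user, which is expected for a root-run status command but changes what the profile exposes when loginctl is run by an unprivileged user.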
@@ -50,17 +51,21 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + @{att}/@{run}/systemd/netif/io.systemd.Network rw, + + @{run}/systemd/netif/links/ r, @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/**/net/**/uevent r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl new file mode 100644 index 000000000..dd5bdb3d4 --- /dev/null +++ b/apparmor.d/groups/systemd/resolvectl @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/resolvectl +profile resolvectl @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability net_admin, + + network inet raw, + network inet6 raw, + network netlink raw, + + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + + @{exec_path} mr, + + @{pager_path} rPx -> child-pager, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 039f8dc64..3ae0a7143 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze 
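Review bot: `network inet raw,` and `network inet6 raw,` in the new resolvectl profile grant raw IP sockets to a client whose only other rules are the resolve1 D-Bus talk, netlink, and the pager exec; a raw socket is enough to craft arbitrary IP packets, which is well beyond what a name-resolution CLI needs. systemd tools generally open AF_INET datagram sockets for ioctl-based interface lookups, so `network inet dgram,` / `network inet6 dgram,` may be all that is required — worth checking against the audit entries that motivated these lines before enforcing. If raw really is needed, a comment naming the subcommand that triggers it would justify keeping it.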
@@ -47,7 +47,8 @@ profile systemd-analyze @{exec_path} { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{run}/udev/tags/systemd/ r, @{sys}/devices/**/uevent r, @@ -61,6 +62,7 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index f67cb301c..b5a966f37 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-backlight -profile systemd-backlight @{exec_path} { +profile systemd-backlight @{exec_path} flags=(attach_disconnected) { include include @@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index d34bbe4cb..5e3406ea9 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt 
@@ -16,11 +16,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/* r, + @{sbin}/* r, # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, - /usr/lib/binfmt.d/{,*.conf} r, + @{lib}/binfmt.d/{,*.conf} r, @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2e841dc51..54f366c2f 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -33,13 +33,21 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{lib}/** r, / r, @{bin}/* r, + @{sbin}/* r, /opt/** r, + /usr/share/*/** r, + @{user_lib_dirs}/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, + owner @{HOME}/**.so* r, + /var/lib/systemd/coredump/{,**} rwl, + @{att}/@{run}/systemd/coredump rw, + @{run}/systemd/coredump rw, + @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index f8950c1fe..fdddebe03 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup -profile systemd-cryptsetup @{exec_path} { +profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { include include include @@ -31,6 +31,8 @@ profile systemd-cryptsetup @{exec_path} { @{sys}/devices/virtual/bdi/*/read_ahead_kb r, @{sys}/fs/ r, + @{run}/systemd/ask-password/ r, + @{PROC}/devices r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 7dc10fd46..0381b93b1 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect 
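Review bot: `owner @{HOME}/**.so* r,` in systemd-coredump only matches shared objects owned by the uid the profile is running as, which is unlikely to be the crashing user's uid when the helper is spawned by the kernel as root or runs as the service's own user, so the rule probably does not cover the case it was added for (user-installed libraries mapped by a crashed process). Either drop `owner` — the sibling rules `@{lib}/**`, `/opt/**` and `@{user_lib_dirs}/**` in the same hunk already read without it — or confirm from aa-log which uid performed the open. Since ELF from home directories is the main untrusted input for this profile, keeping the glob narrow to `.so*` and retaining `mediate_deleted` is worth a one-line comment either way.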
@@ -31,7 +31,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/fsck rPx, + @{sbin}/fsck rPx, @{pager_path} rPx -> child-pager, # Location of file system OS images diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index a7290dc48..4836c9747 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsck -profile systemd-fsck @{exec_path} { +profile systemd-fsck @{exec_path} flags=(attach_disconnected) { include include include @@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck rPx, + @{sbin}/fsck.* rPx, owner @{run}/systemd/quotacheck w, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 33a433a09..7abde7c90 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsckd -profile systemd-fsckd @{exec_path} { +profile systemd-fsckd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 205012cd2..c53be3a35 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -14,6 +14,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { include include + userns, + capability chown, capability dac_override, capability dac_read_search, @@ -24,6 +26,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { capability setpcap, capability setuid, capability sys_admin, + capability sys_ptrace, capability sys_resource, network inet dgram, 
@@ -32,19 +35,27 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount options=(rw, rslave) -> @{run}/, - mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + mount -> @{run}/systemd/user-home-mount/, + mount options=(rw private) -> @{run}/systemd/user-home-mount/, + mount options=(rw rslave) -> @{run}/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, #aa:dbus own bus=system name=org.freedesktop.home1 + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx, - @{bin}/mkfs.btrfs rPx, - @{bin}/mkfs.fat rPx, - @{bin}/mke2fs rPx, + @{lib}/systemd/systemd-homework rPx -> &systemd-homework, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, /etc/machine-id r, /etc/systemd/homed.conf r, @@ -74,9 +85,12 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, /dev/loop-control rwk, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index f0fe98a16..b81c196f8 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework 
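Review bot: `mount -> @{run}/systemd/user-home-mount/,` drops both the source (`/dev/dm-@{int}`) and any `options=`/`fstype=` restriction that the removed rule carried, so systemd-homed may now mount any source with any filesystem type onto that directory. The visible helpers (`mke2fs`, `mkfs.btrfs`, `mkfs.fat`) make the expected types knowable; suggest something like `mount fstype={ext4,btrfs,vfat} /dev/{dm-@{int},loop@{int}} -> @{run}/systemd/user-home-mount/,` (device sources are a guess from the removed rule and the loop rules below — confirm against aa-log). The new `userns,` line and `capability sys_ptrace,` are uncommented; the latter pairs with the `ptrace read peer=…systemd-homework` rule in this hunk and could say so inline.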
@@ -7,14 +7,68 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-homework -profile systemd-homework @{exec_path} { +profile systemd-homework @{exec_path} flags=(attach_disconnected) { include - include include + include + include + + userns, + + capability chown, + capability fowner, + capability fsetid, + capability setfcap, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, + + network netlink raw, + + mount options=(rw rslave) -> @{run}/, + mount -> @{run}/systemd/user-home-mount/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, @{exec_path} mr, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, + /etc/machine-id r, + /etc/skel/{,**} r, + + /var/cache/systemd/home/{,**} rw, + + @{HOMEDIRS}/ r, + @{HOMEDIRS}/.#homework@{user}.* rw, + @{HOMEDIRS}/@{user}.home rw, + + @{run}/ r, + @{run}/cryptsetup/ r, + @{run}/cryptsetup/* rwk, + @{run}/systemd/user-home-mount/ rw, + @{run}/systemd/user-home-mount/@{user}/{,**} rw, + + @{sys}/fs/ r, + + @{PROC}/devices r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/uid_map w, + + /dev/loop-control rwk, + /dev/loop@{int} rw, + /dev/mapper/control rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index cd77b9826..01d04989b 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed 
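Review bot: The same unqualified `mount -> @{run}/systemd/user-home-mount/,` (no source, fstype or options) appears in systemd-homework next to `capability sys_admin,`, `/dev/loop@{int} rw` and `/dev/mapper/control rw`; since this is the process that actually activates a home volume, narrowing it to the expected device sources and filesystem types matters more here than in homed. `/dev/mapper/control rw` with no `/dev/dm-@{int}` rule also looks incomplete for LUKS-backed homes, inferred from the `@{run}/cryptsetup/*` rules in this hunk — verify with aa-log before enforcing. A comment on `@{HOMEDIRS}/@{user}.home rw` noting it is the per-user container image would help readers distinguish it from the mounted home tree under `@{run}/systemd/user-home-mount/@{user}/`.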
@@ -22,11 +22,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.hostname1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - @{exec_path} mr, @{etc_rw}/.#hostname* rw, diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 9b6203e92..ae64274c6 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -16,10 +16,10 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, @{lib}/udev/#@{int} rwl, - @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int}, + @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int}, @{lib}/udev/hwdb.bin w, - /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int}, + /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int}, /etc/udev/hwdb.bin w, /etc/udev/hwdb.d/{,*} r, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 2be38e6ba..ae475ff48 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -14,7 +14,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal receive set=term peer=packagekitd, + signal receive set=term peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl new file mode 100644 index 000000000..05f32a7f6 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-initctl 
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/systemd-initctl
+profile systemd-initctl @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability net_admin,
+
+ unix type=stream addr=@@{udbus}/bus/systemd-initctl/,
+
+ @{exec_path} mr,
+
+ @{run}/initctl rw,
+ @{run}/systemd/notify rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index cc1f541dd..ad3d96990 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -8,7 +8,7 @@ abi ,
 include
 
 @{exec_path} = @{lib}/systemd/systemd-journald
-profile systemd-journald @{exec_path} {
+profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
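Review bot: `unix type=stream addr=@@{udbus}/bus/systemd-initctl/,` in the new systemd-initctl profile has no access qualifier, so it grants every unix-socket permission (bind, connect, send, receive, …) on that address, and the address ends in `/` rather than the `/system` suffix the equivalent rules in this diff use (systemd-localed, systemd-logind and systemd-networkd all have `unix bind type=stream addr=@@{udbus}/bus/<name>/…`). If this was transcribed from a log line, `unix bind type=stream addr=@@{udbus}/bus/systemd-initctl/system,` is probably what was meant; worth re-checking the audit record. `@{run}/initctl rw` could also carry a comment (`# SysV-compat init fifo`, if that is what it is) since it is the one path that distinguishes this profile.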
@@ -46,20 +46,20 @@ profile systemd-journald @{exec_path} { @{run}/host/container-manager r, @{run}/utmp rk, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+ieee80211:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+mdio_bus:* r, - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+sdio:* r, - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/+usb-serial:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+virtio:* r, + @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules. + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. 
+ @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 205d8a55f..e98bef009 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -14,15 +14,21 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Reload + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, /usr/share/kbd/keymaps/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/.#locale.conf@{hex16} rw, /etc/.#vconsole.conf* rw, @@ -31,8 +37,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /etc/default/locale rw, /etc/locale.conf rw, /etc/vconsole.conf rw, - /etc/X11/xorg.conf.d/ r, - /etc/X11/xorg.conf.d/.#*.confd* rw, + /etc/X11/xorg.conf.d/ rw, + /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, /etc/X11/xorg.conf.d/*.conf rw, @{att}/@{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index f7e0af838..271354633 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
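Review bot: `/usr/share/xkeyboard-config-2/{,**} r,` is added twice in the systemd-localed hunk (once after `kbd/keymaps`, once after `X11/xkb`); keep one, in the sorted position. The new `dbus send … interface=org.freedesktop.systemd1.Manager member=Reload` to `@{p_systemd}` lets the locale daemon trigger a full manager reload, which is a strong privilege for this service — if the audit line that motivated it came from a different label, or if it is only needed after rewriting vconsole/X11 config, a comment naming the trigger would help future reviewers decide whether it should stay (assumption; please confirm). The enclosing profile continues past this hunk.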
@@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { include include include + include include include include include - include capability chown, capability dac_override, @@ -27,9 +27,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { network netlink raw, + mqueue getattr type=posix /, mqueue r type=posix /, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 @@ -40,11 +41,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(label=ksmserver-logout-greeter), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - @{exec_path} mr, /etc/machine-id r, @@ -54,13 +50,12 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,**} r, / r, - /boot/{,**} r, - /efi/{,**} r, + @{efi}/{,**} r, /swap.img r, /swap/swapfile r, /swapfile r, - /var/lib/systemd/linger/ r, + /var/lib/systemd/linger/{,@{user}} rw, @{run}/.#nologin* rw, @{run}/credentials/getty@tty@{int}.service/ r, 
@@ -73,15 +68,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+drivers:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+drivers:* r, # For drivers loaded in the system @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+wakeup:* r, + @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @@ -95,6 +90,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/inhibit/ rw, 
@@ -140,11 +136,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/tty@{int} rw, - owner /dev/shm/{,**/} rw, + /dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/tty@{int} rw, + /dev/shm/{,**/} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 5f60b5676..c791e6375 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -25,11 +25,13 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{att}/ r, / r, /etc/ r, /etc/machine-id rw, /var/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 3a111f7f3..520080082 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -7,9 +7,10 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} { +profile systemd-machined @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -21,6 +22,7 @@ profile systemd-machined @{exec_path} { capability kill, capability mknod, capability setgid, + capability setuid, capability sys_admin, capability sys_chroot, capability sys_ptrace, 
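Review bot: `/dev/shm/{,**/} rw,` in systemd-logind drops the `owner` qualifier, so logind may now create and remove any directory under /dev/shm regardless of owner. That is plausibly required for `RemoveIPC=` cleanup of other users' objects at session end, but the hunk gives no reason; if that is the trigger, add `# RemoveIPC= cleanup of per-user /dev/shm directories`. Note the pattern still only matches directories (`**/`), so plain files under /dev/shm remain excluded — confirm that is intended rather than an artefact of the log sample.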
@@ -31,26 +33,47 @@ profile systemd-machined @{exec_path} { network inet6 dgram, network netlink raw, + signal send set=rtmin+6 peer=systemd-nspawn, + + ptrace read peer=systemd-nspawn, + + unix type=stream addr=@@{udbus}/bus/systemd-machine/system, + #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, - /var/lib/machines/{,**} rw, /etc/machine-id r, + / r, + @{att}/ r, + + owner /var/lib/machines/ rw, + owner /var/lib/machines/** rwk, + + owner @{run}/systemd/nspawn/ w, + owner @{run}/systemd/nspawn/locks/ w, + owner @{run}/systemd/nspawn/locks/** rwk, + @{run}/systemd/machine/{,**} rw, @{run}/systemd/machines/{,**} rw, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, /dev/ptmx rw, /dev/pts/@{int} rw, + /dev/pts/ptmx rw, + /dev/vsock r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 8556e51d7..74a824411 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} { @{exec_path} mr, - @{bin}/mkfs.* rPx, - @{bin}/mkswap rPx, + @{sbin}/mkfs.* rPx, + @{sbin}/mkswap rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index d3527c22b..3f778244b 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-modules-load -profile systemd-modules-load @{exec_path} { +profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { include include 
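Review bot: `owner /var/lib/machines/** rwk,` replaces the unqualified `/var/lib/machines/{,**} rw,`, which narrows access to entries owned by the daemon's own uid; container trees under that directory commonly contain files owned by other uids, so any machined operation that walks or deletes a whole tree could now hit denials the old rule did not produce. Worth checking against an image that holds non-root-owned files before merging, or recording on the line that machined only touches the top-level entries. The new `signal send set=rtmin+6 peer=systemd-nspawn,` also introduces a bare real-time signal number with no comment; naming the machinectl operation that triggers it on the line would help the next reader.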
@@ -24,6 +24,9 @@ profile systemd-modules-load @{exec_path} {
 /etc/modules-load.d/ r,
 /etc/modules-load.d/*.conf r,
+ @{run}/modprobe.d/ r,
+ @{run}/modprobe.d/*.conf r,
+
 @{sys}/devices/@{pci}/config r,
 @{sys}/module/*/initstate r,
 @{sys}/module/compression r,
diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator
index e22d89629..ceebbc5c2 100644
--- a/apparmor.d/groups/systemd/systemd-network-generator
+++ b/apparmor.d/groups/systemd/systemd-network-generator
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-network-generator
-profile systemd-network-generator @{exec_path} {
+profile systemd-network-generator @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 3eaedfaac..ccb6d9629 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -14,10 +14,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability bpf,
 capability net_admin,
 capability net_bind_service,
 capability net_broadcast,
 capability net_raw,
+ capability sys_admin,
 network inet dgram,
 network inet6 dgram,
@@ -27,7 +29,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 network packet dgram,
 network packet raw,
- unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network,
+ unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network,
+
+ signal receive set=usr2 peer=@{p_systemd},
 #aa:dbus own bus=system name=org.freedesktop.network1
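Review bot: `capability sys_admin,` is added to systemd-networkd in the `@@ -14,10 +14,12 @@` hunk without a comment, and it is the widest capability AppArmor mediates; it lands next to the new `capability bpf,` and the `@{sys}/kernel/btf/vmlinux r,` rule in the following hunk, which suggests BPF program loading, but that is an inference from the surrounding rules. A one-line justification such as `capability sys_admin, # TODO: record which networkd operation needs this` keeps the widening reviewable and makes it easy to drop later if a narrower capability turns out to suffice.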
@@ -38,39 +42,52 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), + peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), @{exec_path} mr, /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/systemd/networkd.conf r, + /etc/systemd/network.conf r, /etc/systemd/network/{,**} r, + /etc/systemd/networkd.conf r, + /etc/systemd/networkd.conf.d/{,**} r, /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, + @{att}/@{run}/systemd/notify rw, + + @{run}/mount/utab r, + @{run}/systemd/resolve/resolv.conf r, owner @{att}/var/lib/systemd/network/ r, + owner /var/lib/systemd/network/ rw, + owner /var/lib/systemd/network/** rwk, + @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, - @{run}/systemd/notify rw, owner @{run}/systemd/netif/** rw, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces + @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, - @{sys}/devices/@{pci}/ r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/fs/cgroup/ r, + @{sys}/kernel/btf/vmlinux r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/pressure/* r, - @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/version_signature r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 0d5e40730..c36b5af39 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online 
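Review bot: The new `/etc/systemd/network.conf r,` sits two lines above the kept `/etc/systemd/networkd.conf r,` and the new `/etc/systemd/networkd.conf.d/{,**} r,`; unless `network.conf` is a path actually observed in an audit log, it reads like a typo for `networkd.conf` and would be a dead rule. If it is intentional, a trailing comment saying which component reads it would stop it being removed as a duplicate on the next cleanup.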
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online
-profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
+profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced
new file mode 100644
index 000000000..97dcb3b05
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-nsresourced
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/systemd-nsresourced
+profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ capability bpf,
+ capability perfmon,
+ capability sys_resource,
+
+ signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework,
+
+ @{exec_path} mr,
+
+ @{lib}/systemd/systemd-nsresourcework ix, # no new privs
+
+ @{run}/systemd/nsresource/ rw,
+ @{run}/systemd/nsresource/** rw,
+
+ @{sys}/devices/kprobe/type r,
+ @{sys}/fs/bpf/ r,
+ @{sys}/fs/bpf/systemd/ rw,
+ @{sys}/fs/bpf/systemd/userns-restrict/{,**} rw,
+ @{sys}/fs/cgroup/system.slice/systemd-nsresourced.service/memory.pressure rw,
+ @{sys}/kernel/btf/vmlinux r,
+ @{sys}/kernel/security/lsm r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/pressure/* r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework
new file mode 100644
index 000000000..5b8d53398
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-nsresourcework
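Review bot: The receive rule `signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework,` expects the worker to carry a stacked label, but the only exec rule for the worker in this profile is `@{lib}/systemd/systemd-nsresourcework ix, # no new privs`, which keeps the worker under plain `systemd-nsresourced` rather than producing that stacked label; the companion systemd-nsresourcework profile in the next hunk, for its part, sends with `peer=systemd-nsresourced`. One of the two sides looks wrong: either the worker transition should be the stacking form so the label on both rules matches, or the receive rule should use `peer=systemd-nsresourced`. Worth confirming against an actual audit entry before merging, since a mismatched peer label only shows up as a denied SIGUSR2 at runtime.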
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/systemd-nsresourcework
+profile systemd-nsresourcework @{exec_path} {
+ include
+
+ capability sys_resource,
+
+ signal send set=usr2 peer=systemd-nsresourced,
+
+ @{exec_path} mr,
+
+ @{run}/systemd/nsresource/registry/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index d16c67f7d..ce61dba23 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 capability dac_override,
 capability kill,
- unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom,
+ unix bind type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom,
 #aa:dbus own bus=system name=org.freedesktop.oom1
diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed
index be33d39cd..86ea02a0d 100644
--- a/apparmor.d/groups/systemd/systemd-random-seed
+++ b/apparmor.d/groups/systemd/systemd-random-seed
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-random-seed
-profile systemd-random-seed @{exec_path} {
+profile systemd-random-seed @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs
index 8c63a1d5a..96b182e5f 100644
--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-remount-fs
-profile systemd-remount-fs @{exec_path} {
+profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -17,18 +17,18 @@ profile systemd-remount-fs @{exec_path} { capability sys_resource, mount options=(rw, remount) -> /, - mount options=(rw, remount) -> /proc/, + mount options=(rw, remount) -> @{PROC}/, @{exec_path} mr, @{bin}/mount rix, + /etc/blkid.conf r, /etc/fstab r, @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.@{rand6} rw, - @{run}/mount/utab.lock rwk, + @{run}/mount/utab.* rwk, @{sys}/devices/virtual/block/dm-@{int}/dm/name r, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve deleted file mode 100644 index f716aa3af..000000000 --- a/apparmor.d/groups/systemd/systemd-resolve +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/resolvectl -@{exec_path} += @{bin}/systemd-resolve -profile systemd-resolve @{exec_path} { - include - - capability mknod, - capability net_admin, - - network netlink raw, - - @{exec_path} mr, - - @{PROC}/ r, - owner @{PROC}/@{pids}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index f693cbee4..8f4b5bc57 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -31,11 +31,6 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.resolve1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - @{exec_path} mr, /etc/systemd/resolved.conf r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index ff9e2d540..bf983ea7a 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill 
+++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-rfkill -profile systemd-rfkill @{exec_path} { +profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include include @@ -22,7 +22,7 @@ profile systemd-rfkill @{exec_path} { /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 34916ecc6..d7c61e336 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-sleep -profile systemd-sleep @{exec_path} { +profile systemd-sleep @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub b/apparmor.d/groups/systemd/systemd-sleep-grub index b2b42bf44..38be5772f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub +++ b/apparmor.d/groups/systemd/systemd-sleep-grub @@ -14,7 +14,7 @@ profile systemd-sleep-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/uname rix, /etc/sysconfig/bootloader r, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 71008c96d..4cbe61755 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -11,6 +11,7 @@ profile systemd-sleep-hdparm @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index 60a28d4af..fc9a51067 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp 
@@ -13,7 +13,7 @@ profile systemd-sleep-tlp @{exec_path} {
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/tlp rPUx,
+ @{sbin}/tlp rPUx,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-stdio-bridge b/apparmor.d/groups/systemd/systemd-stdio-bridge
new file mode 100644
index 000000000..5f3bc2e36
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-stdio-bridge
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/systemd-stdio-bridge
+profile systemd-stdio-bridge @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ signal send set=term peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell
index 094366391..5ccf33219 100644
--- a/apparmor.d/groups/systemd/systemd-sulogin-shell
+++ b/apparmor.d/groups/systemd/systemd-sulogin-shell
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-sulogin-shell
-profile systemd-sulogin-shell @{exec_path} {
+profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -18,7 +18,7 @@ profile systemd-sulogin-shell @{exec_path} {
 @{exec_path} mr,
- @{bin}/sulogin rPx,
+ @{sbin}/sulogin rPx,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl
index 454105011..87e0ede5c 100644
--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
 @{run}/sysctl.d/{,*.conf} r,
 /etc/sysctl.conf r,
 /etc/sysctl.d/{,*.conf} r,
- /usr/lib/sysctl.d/{,*.conf} r,
+ @{lib}/sysctl.d/{,*.conf} r,
 @{PROC}/sys/** rw,
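Review bot: `signal send set=term peer=@{p_systemd},` in the new systemd-stdio-bridge profile lets the bridge send SIGTERM to any task carrying the label that systemd-networkd's `signal receive set=usr2 peer=@{p_systemd},` rule treats as its signal source, and the profile gives no hint which process the bridge actually terminates. A trailing comment identifying that peer would justify a rule this strong, and would make it possible to narrow the peer later if the real target turns out to be more specific than `@{p_systemd}`.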
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index 254faeca0..2d250f63c 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@@ -25,7 +25,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
 # Config file locations
 /etc/sysusers.d/{,*.conf} r,
 @{run}/sysusers.d/{,*.conf} r,
- /usr/lib/sysusers.d/{,*.conf} r,
+ @{lib}/sysusers.d/{,*.conf} r,
 # Where the users can be created,
 /home/{,*} rw,
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index e070afe4e..ffed031b5 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 capability sys_time,
- unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system,
+ unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system,
 #aa:dbus own bus=system name=org.freedesktop.timedate1
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index b603b2411..2ac7f09fb 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync,
- unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none),
+ unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none),
 #aa:dbus own bus=system name=org.freedesktop.timesync1
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index f591ef9f7..0e1e404ab 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
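Review bot: The changed unix rule in systemd-timesyncd now reads `peer=(label=@{p_sd}, addr=none)`, while every other rule on this page that refers to the systemd label uses `@{p_systemd}` (systemd-networkd's signal rule and the new systemd-stdio-bridge profile). If `@{p_sd}` is not defined in the tunables, the profile fails to parse; if it is a deliberate new alias, the other profiles should be switched in the same change so the two names do not coexist. Either way the line deserves a short comment saying what `@{p_sd}` expands to.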
@@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r, - /usr/lib/tmpfiles.d/{,*.conf} r, + @{lib}/tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, @@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /etc/{,**} rw, /home/ rw, /opt/{,**} rw, - /run/{,**} rw, + @{run}/{,**} rw, /srv/{,**} rw, /tmp/{,**} rwk, /usr/{,**} rw, @@ -51,7 +51,10 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/{,**} rw, @{sys}/class/net/ r, + @{sys}/devices/system/cpu/cpufreq/ r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w, @{sys}/devices/system/cpu/microcode/reload w, + @{sys}/module/pcie_aspm/parameters/policy w, @{PROC}/@{pid}/net/unix r, @{PROC}/1/cmdline r, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 3e2129d39..b318bf3dd 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent 
@@ -13,17 +13,28 @@ profile systemd-tty-ask-password-agent @{exec_path} {
 include
 capability dac_override,
+ capability dac_read_search,
 capability net_admin,
 capability sys_resource,
- signal (receive) set=(term cont) peer=*//systemctl,
- signal (receive) set=(term cont) peer=default,
- signal (receive) set=(term cont) peer=logrotate,
+ signal receive set=(term cont winch) peer=@{p_logrotate},
+ signal receive set=(term cont winch) peer=*//systemctl,
+ signal receive set=(term cont winch) peer=deb-systemd-invoke,
+ signal receive set=(term cont winch) peer=default,
+ signal receive set=(term cont winch) peer=machinectl,
+ signal receive set=(term cont winch) peer=makepkg//sudo,
+ signal receive set=(term cont winch) peer=role_*,
+ signal receive set=(term cont winch) peer=rpm,
 @{exec_path} mrix,
 @{run}/systemd/ask-password-block/{,*} rw,
 @{run}/systemd/ask-password/{,*} rw,
+
+ @{run}/user/@{uid}/ w,
+ @{run}/user/@{uid}/systemd/ w,
+ @{run}/user/@{uid}/systemd/ask-password/ rw,
+
 @{run}/utmp rk,
 @{PROC}/@{pids}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index b8a0c7e4c..9c993e0d5 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -8,11 +8,12 @@ abi ,
 include
 @{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd
-profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
+profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
 include
+ include
 capability chown,
 capability dac_override,
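Review bot: The three new `@{run}/user/@{uid}/...` rules in systemd-tty-ask-password-agent carry no `owner` qualifier, so the agent may create `systemd/ask-password/` under every user's runtime directory rather than only the one whose session it serves; if the agent runs as the session user in that case, `owner @{run}/user/@{uid}/ w,`, `owner @{run}/user/@{uid}/systemd/ w,` and `owner @{run}/user/@{uid}/systemd/ask-password/ rw,` would be the narrower form, and if it runs as root the reason should be recorded on the lines. The extended `signal receive` list (`makepkg//sudo`, `role_*`, `rpm`, ...) likewise has no comment tying each peer to the tool that invokes the agent. The profile header is outside this hunk.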
@@ -36,50 +37,52 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{pager_path} rPx -> child-pager, - @{bin}/*-print-pci-ids rix, - @{bin}/alsactl rPUx, - @{bin}/ddcutil rPx, - @{bin}/dmsetup rPUx, - @{bin}/ethtool rix, - @{bin}/issue-generator rPx, - @{bin}/kmod rPx, - @{bin}/logger rix, - @{bin}/ls rix, - @{bin}/lvm rPx, - @{bin}/mknod rix, - @{bin}/multipath rPx, - @{bin}/nfsrahead rix, - @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/perl rix, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rix, - @{bin}/unshare rix, + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/mknod rix, + @{bin}/nfsrahead rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, + @{bin}/systemd-run rix, # TODO: rCx -> run, + @{bin}/unshare rix, + @{sbin}/ethtool rix, + + @{bin}/ddcutil rPx, + @{bin}/kmod rCx -> kmod, + @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/vmmouse_detect rPx, + @{pager_path} rPx -> child-pager, + @{sbin}/alsactl rPx, + @{sbin}/dmsetup rPx, + @{sbin}/issue-generator rPx, + @{sbin}/kdump-config rPx, + @{sbin}/lvm rPx, + @{sbin}/multipath rPx, + @{sbin}/u-d-c-print-pci-ids rPx, @{lib}/crda/* rPUx, @{lib}/gdm-runtime-config rPx, @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPUx, + @{lib}/open-iscsi/net-interface-handler rPx, @{lib}/pm-utils/power.d/* rPUx, @{lib}/snapd/snap-device-helper rPx, @{lib}/systemd/systemd-* rPx, @{lib}/udev/* rPUx, /usr/share/hplip/config_usb_printer.py rPUx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, /etc/default/* r, /etc/machine-id r, /etc/nfs.conf rk, /etc/udev/{,**} r, - /etc/udev/.#hwdb.bin* rw, + 
/etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw, /etc/udev/hwdb.bin rw, /etc/modprobe.d/ r, @@ -95,6 +98,9 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/notify rw, @{run}/systemd/seats/seat@{int} r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/udev/control rw, + @{run}/udev/ rw, @{run}/udev/** rwk, @@ -115,6 +121,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /dev/ rw, /dev/** rwk, + profile kmod flags=(attach_disconnected,complain) { + include + include + + include if exists + } + profile systemctl flags=(attach_disconnected,complain) { include include @@ -122,8 +135,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { capability net_admin, capability sys_ptrace, - # / r, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index c17be7ab2..e7a44d01d 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-done -profile systemd-update-done @{exec_path} { +profile systemd-update-done @{exec_path} flags=(attach_disconnected) { include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 9d512b495..82025859b 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-utmp -profile systemd-update-utmp @{exec_path} { +profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { include include include @@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} { network netlink raw, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/, + unix bind type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, 
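Review bot: `@{bin}/kmod rCx -> kmod,` now transitions into the new child `profile kmod flags=(attach_disconnected,complain)`, so module loading from udevd is only logged, while the parent profile leaves complain mode in this same change (the flags change is in the `@@ -8,11 +8,12 @@` hunk on the previous line); that is reasonable as a staging step, but the child should say so, e.g. `profile kmod flags=(attach_disconnected,complain) { # TODO: enforce once kmod denials are collected`. The `@{bin}/systemd-run rix, # TODO: rCx -> run,` line similarly leaves systemd-run executing with udevd's full rule set, which its comment already acknowledges. The `@@ -36,50 +37,52 @@` hunk begins on the previous line.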
diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 9c7fe975b..363b9a32d 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir -profile systemd-user-runtime-dir @{exec_path} { +profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 6f16b2f19..8de32dfe2 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-sessions -profile systemd-user-sessions @{exec_path} { +profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index c57327bcb..f9fad3693 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -32,6 +32,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 29641fd74..2521c655e 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -18,6 +18,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/gshadow r, /etc/machine-id r, /etc/shadow r, 
diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 5f28050c1..8c99d606c 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-vconsole-setup -profile systemd-vconsole-setup @{exec_path} { +profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 97625db38..fa7c13297 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/userdbctl -profile userdbctl @{exec_path} { +profile userdbctl @{exec_path} flags=(attach_disconnected) { include include include @@ -29,6 +29,7 @@ profile userdbctl @{exec_path} { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/gid_map r, + owner @{PROC}/@{pid}/setgroups r, owner @{PROC}/@{pid}/uid_map r, include if exists diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index f6406811d..473848ef3 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator 
@@ -11,30 +11,33 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, - @{exec_path} mr, - @{bin}/kmod rix, + @{bin}/kmod rCx, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, /etc/systemd/zram-generator.conf r, - /etc/modprobe.d/{,**} r, owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw, owner @{run}/systemd/generator/dev-zram@{int}.swap rw, owner @{run}/systemd/generator/swap.target.wants/{,dev-zram@{int}.swap} rw, owner @{run}/systemd/generator/systemd-zram-setup@zram@{int}.service.d/{,*.conf} rw, - @{sys}/block/zram@{int}/{disksize,reset} rw, - @{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw, - @{sys}/module/compression r, + @{sys}/block/zram@{int}/* rw, + @{sys}/devices/virtual/block/zram@{int}/* rw, @{PROC}/crypto r, owner /dev/pts/@{int} rw, + profile kmod { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 11aad0da3..fbc433c05 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -17,6 +17,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_read_search, + capability fowner, capability fsetid, capability setgid, capability setuid, 
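Review bot: `capability sys_module,` and `/etc/modprobe.d/{,**} r,` are removed from zram-generator in the same hunk that turns `@{bin}/kmod rix,` into `@{bin}/kmod rCx,` with a new child `profile kmod { ... }`; both were needed by the kmod invocation that now runs in the child, so they must come from the child's two `include` lines, whose paths are not visible on this page. If the included abstraction does not grant `capability sys_module`, the zram module load fails once the profile is enforced. The child also lacks the `flags=(attach_disconnected)` that the equivalent `kmod` child in systemd-udevd carries; a comment on the child stating where its permissions come from would make this easy to check.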
@@ -26,33 +27,49 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/gdbus rix, @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, + @{bin}/dpkg rPx -> &child-dpkg, + @{bin}/dpkg-divert rPx -> &child-dpkg-divert, + @{bin}/gdbus rix, + @{bin}/md5sum rix, /usr/share/apport/{,**} r, + @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, - /etc/login.defs r, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,**} r, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/*.md5sums r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, + owner /var/cache/apt/pkgcache.bin.@{rand6} rw, owner /var/log/apport.log rw, - @{run}/apport.lock rwk, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/apport.lock rwk, + @{run}/log/journal/ r, + + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/suid_dumpable w, @{PROC}/sys/kernel/core_pattern w, @{PROC}/sys/kernel/core_pipe_limit w, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 665b3eaca..5e39988fd 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports 
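Review bot: The eight new journal rules in apport spell the directory as a literal `/{run,var}/log/journal/`, while this same change rewrites `/run/{,**}` to `@{run}/{,**}` in systemd-tmpfiles, and the added `@{run}/log/journal/ r,` duplicates `/{run,var}/log/journal/ r,` whenever `@{run}` expands to `/run/`. Writing the journal paths with `@{run}` and `/var` the way the repo's other journal readers do, and dropping the redundant directory line, would keep this profile in step with the rest of the commit.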
@@ -14,15 +14,15 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, /usr/share/apport/ r, + @{etc_ro}/login.defs r, /etc/apt/apt.conf.d/{,**} r, /etc/default/apport r, - /etc/login.defs r, /var/crash/ r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0121dd46d..4940653a3 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -41,12 +41,12 @@ profile apport-gtk @{exec_path} { @{bin}/dpkg-query rpx, @{bin}/gdb rCx -> gdb, @{bin}/gsettings rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/journalctl rPx, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 2dcf50743..2edc09970 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -22,7 +22,7 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/apt-esm/{,**} rw, /var/log/ubuntu-advantage-apt-hook.log w, - @{run}/cloud-init/cloud-id-nocloud r, + @{run}/cloud-init/cloud-id-* r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news new file mode 100644 index 000000000..7f4e8fbe2 --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt_news 
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py
+profile apt_news @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability kill,
+ capability setgid,
+ capability setuid,
+
+ signal send set=int peer=apt-methods-*,
+
+ @{exec_path} mr,
+
+ @{lib}/apt/methods/* Px,
+
+ /etc/ubuntu-advantage/uaclient.conf r,
+
+ @{run}/ubuntu-advantage/ rw,
+ @{run}/ubuntu-advantage/apt-news/{,**} rw,
+
+ owner @{run}/ubuntu-advantage/apt-news/** rw,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
index b2fe83f6b..65a19e0e0 100644
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -29,11 +29,11 @@ profile check-new-release-gtk @{exec_path} {
 @{exec_path} mr,
 @{bin}/dpkg rPx,
- @{bin}/ischroot rix,
- @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/ischroot rPx,
+ @{bin}/lsb_release rPx,
- @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
- @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
+ @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
+ @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
 /usr/share/distro-info/{,**} r,
 /usr/share/ubuntu-release-upgrader/{,**} r,
diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan
index c5c31edd3..a80a4f729 100644
--- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan
+++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan
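Review bot: `owner @{run}/ubuntu-advantage/apt-news/** rw,` in the new apt_news profile is fully covered by the `@{run}/ubuntu-advantage/apt-news/{,**} rw,` rule two lines above it, since the unqualified rule already grants everything the owner-qualified one does; keep the `owner` form if the directory is meant to be private to the script, otherwise drop the owner line. `@{lib}/apt/methods/* Px,` is also the only exec rule on this page written without `r`; `@{lib}/apt/methods/* rPx,` would match the convention used everywhere else (e.g. `@{sbin}/fanctl rPx,`) unless read access is deliberately withheld, in which case a comment should say so.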
@@ -15,20 +15,14 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/fanctl rix, - @{bin}/flock rix, - @{bin}/grep rix, - @{bin}/id rix, + @{sbin}/fanctl rPx, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, - @{bin}/touch rix, /etc/network/fan r, - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - include if exists } diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 86c211f24..2d3eebbc2 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -26,8 +26,8 @@ profile do-release-upgrade @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache new file mode 100644 index 000000000..53238564a --- /dev/null +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py +profile esm_cache @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl new file mode 100644 index 000000000..ef278da63 --- /dev/null +++ b/apparmor.d/groups/ubuntu/fanctl 
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/fanctl +profile fanctl @{exec_path} flags=(attach_disconnected) { + include + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/flock ix, + @{bin}/id ix, + @{bin}/touch ix, + @{bin}/mkdir ix, + @{bin}/ip ix, + @{bin}/sed ix, + + /etc/network/fan r, + + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index 3b4280e33..d5ad6e06c 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -15,7 +15,7 @@ profile hwe-support-status @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/{,**} r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 0023b48cb..91bc4876f 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -15,9 +15,9 @@ profile list-oem-metapackages @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, - @{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, /etc/machine-id r, diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 0e6641977..37f7f72a5 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader 
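Review bot: The exec rules of the new fanctl profile mix two styles and are not sorted: `@{sh_path} rix,` uses the read-plus-inherit form, while `@{bin}/flock ix,` through `@{bin}/sed ix,` drop the `r`, and the list runs flock, id, touch, mkdir, ip, sed rather than alphabetically. The sibling cron-ubuntu-fan hunk on the previous line keeps `rix` throughout, so pick one convention for both; a sorted, consistent block would read `@{bin}/flock ix,` / `@{bin}/id ix,` / `@{bin}/ip ix,` / `@{bin}/mkdir ix,` / `@{bin}/sed ix,` / `@{bin}/touch ix,`. Since `ip` runs inherited here, the `network netlink raw,` rule is what lets it talk to the kernel; a short comment saying so would help the next reader.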
@@ -10,9 +10,12 @@ include profile package-data-downloader @{exec_path} { include include + include include include + capability dac_read_search, + @{exec_path} mr, /var/lib/update-notifier/package-data-downloads/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 7398fc404..8cf3ed885 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - mqueue r type=posix /, + mqueue (read,getattr) type=posix /, ptrace (read), diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index 08a54df0a..b5d7d2885 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -22,6 +22,8 @@ profile release-upgrade-motd @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, + @{run}/motd.dynamic.new w, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 93fd9ffcc..8d55ec0b7 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -27,10 +27,10 @@ profile software-properties-dbus @{exec_path} { @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/apt/apt.conf.d/10periodic w, /etc/apt/sources.list{,.save} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 4715f570c..bb31d8867 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
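Review bot: `capability dac_read_search,` is added to package-data-downloader with no comment explaining which access requires it, and this capability bypasses read and search permission checks on every file and directory, so the reason should be recorded next to it. The project does this elsewhere (e.g. `# Changing trusted keys` in software-properties-dbus); suggested form: `capability dac_read_search, # <reason: path that triggered the denial>`. If the denial came from a single root-only path, a narrower file rule may be preferable to the capability.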
@@ -28,12 +28,12 @@ profile software-properties-gtk @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/ubuntu-advantage rPx, /usr/share/distro-info/*.csv r, @@ -45,6 +45,7 @@ profile software-properties-gtk @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 58323b8ff..8f673e261 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -24,7 +24,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @@ -35,10 +35,10 @@ profile subiquity-console-conf @{exec_path} { @{bin}/journalctl rCx -> journalctl, @{bin}/ssh-keygen rPx, - @{bin}/sshd rPx, + @{sbin}/sshd rPx, @{bin}/snap rPUx, - /usr/lib/snapd/snap-recovery-chooser rPUx, - /usr/share/netplan/netplan.script rPUx, # TODO: rPx, + @{lib}/snapd/snap-recovery-chooser rPUx, + /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, /usr/share/subiquity/console-conf-tui rix, 
@@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} { @{run}/snapd-recovery-chooser-triggered r, @{run}/snapd.socket rw, - @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # For motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/devices/ r, @{sys}/*/*/ r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 7d797bd97..34b697732 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -29,13 +29,12 @@ profile ubuntu-advantage @{exec_path} { @{exec_path} mr, - @{bin}/ischroot rix, - @{bin}/apt rPx, @{bin}/apt-cache rPx, @{bin}/apt-config rPx, @{bin}/apt-get rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/ps rPx, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net new file mode 100644 index 000000000..74fe83551 --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net 
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-fan/fan-net +profile ubuntu-fan-net @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} mr, + @{bin}/{m,g,}awk ix, + @{bin}/{,e}grep ix, + @{bin}/networkctl Px, + @{sbin}/fanctl Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 19273f449..65fa3eaa0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -21,7 +21,7 @@ profile ubuntu-report @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{user_cache_dirs}/ubuntu-report/{,*} r, + owner @{user_cache_dirs}/ubuntu-report/{,*} rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 119ac517c..bcdcf108d 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
@@ -44,16 +44,16 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/python3/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, @@ -63,7 +63,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /etc/ubuntu-advantage/uaclient.conf r, /etc/update-manager/{,**} r, - /boot/ r, + @{efi}/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 86ac61f41..c244f2902 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -12,19 +12,21 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{exec_path} mr, - @{bin}/dumpe2fs rPx, + @{sbin}/dumpe2fs rPx, @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, @{bin}/cut rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{bin}/mount rCx -> mount, @{bin}/stat rix, /var/lib/update-notifier/fsck-at-reboot rw, + @{run}/motd.dynamic.new w, + @{PROC}/uptime r, /dev/tty@{int} rw, 
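Review bot: The `__pycache__` rules here switch the temporary-file suffix to `@{u64}` (`*.cpython-@{int}.pyc.@{u64} rw,`), while the same commit rewrites the equivalent rules in check-new-release-gtk and list-oem-metapackages with `*.cpython-@{int}.pyc.@{int}`. Whichever variable correctly matches CPython's pyc temp suffix should be used in all three hunks; the current mix means one set of profiles will either deny or over-match. Also note that in update-manager the rule is `rw` while check-new-release-gtk only grants `w` for the same kind of path.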
diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index b0101504c..88967baf8 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -18,7 +18,7 @@ profile update-motd-updates-available @{exec_path} { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/apt-config rPx, @@ -26,8 +26,8 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dirname rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 4ffaf60e0..361290980 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -31,11 +31,11 @@ profile update-notifier @{exec_path} { @{sh_path} rix, @{bin}/ionice rix, - @{bin}/ischroot rix, @{bin}/nice rix, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @@ -49,7 +49,7 @@ profile update-notifier @{exec_path} { /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, - @{lib}/python3.@{int}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, @@ -85,9 +85,6 @@ profile update-notifier @{exec_path} { profile systemctl { include include - include - - unix (bind) type=stream addr=@@{udbus}/bus/systemctl/system, dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager 
diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash new file mode 100644 index 000000000..d65c77a08 --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/update-notifier/update-notifier-crash +profile update-notifier-crash @{exec_path} { + include + include + + @{exec_path} mr, + + @{bin}/{,e}grep ix, + @{bin}/groups Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/which{,.debianutils} ix, + @{sh_path} mr, + /usr/share/apport/apport-checkreports Px, + + owner @{HOME}/ r, + + profile systemctl { + include + include + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/groups/usb/lsusb similarity index 87% rename from apparmor.d/profiles-g-l/lsusb rename to apparmor.d/groups/usb/lsusb index 40e902a87..b5a24940d 100644 --- a/apparmor.d/profiles-g-l/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/lsusb +@{exec_path} = @{bin}/lsusb @{bin}/lsusb.py profile lsusb @{exec_path} { include include @@ -21,6 +21,8 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, + /dev/bus/usb/@{int}/@{int} w, + include if exists } diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/groups/usb/usb-devices similarity index 96% rename from apparmor.d/profiles-s-z/usb-devices rename to apparmor.d/groups/usb/usb-devices index c67b78faf..59ff12feb 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/groups/usb/usb-devices 
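Review bot: In the lsusb hunk, `/dev/bus/usb/@{int}/@{int} w,` grants write access to every USB device node to a tool whose job is listing; the hunk shows no accompanying `r`, so presumably a read rule exists outside it. If the write permission is only needed because libusb opens devices read-write for `lsusb -v` descriptor queries, say so in a comment, e.g. `/dev/bus/usb/@{int}/@{int} w, # libusb opens devices O_RDWR for -v`; otherwise confirm from the denial whether `w` was actually requested.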
@@ -22,6 +22,7 @@ profile usb-devices @{exec_path} { @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/sed rix, @{bin}/cut rix, @{bin}/find rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/groups/usb/usbguard similarity index 100% rename from apparmor.d/profiles-s-z/usbguard rename to apparmor.d/groups/usb/usbguard diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt similarity index 86% rename from apparmor.d/profiles-s-z/usbguard-applet-qt rename to apparmor.d/groups/usb/usbguard-applet-qt index a76398dd9..558b9093c 100644 --- a/apparmor.d/profiles-s-z/usbguard-applet-qt +++ b/apparmor.d/groups/usb/usbguard-applet-qt @@ -10,22 +10,21 @@ include @{exec_path} = @{bin}/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { include - include - include - include - include - include - include - include - include + include include + include + include include + include # Needed? ptrace (read), @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, @@ -37,11 +36,6 @@ profile usbguard-applet-qt @{exec_path} { owner @{PROC}/@{pid}/cmdline r, - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - include if exists } diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/groups/usb/usbguard-daemon similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-daemon rename to apparmor.d/groups/usb/usbguard-daemon diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/groups/usb/usbguard-dbus similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-dbus rename to apparmor.d/groups/usb/usbguard-dbus 
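Review bot: The new `@{bin}/sed rix,` in usb-devices is inserted between `cat` and `cut`, breaking the alphabetical order the rest of this block follows (basename, cat, cut, find, readlink). Move it after `@{bin}/readlink rix,` so the list stays sorted.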
diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/groups/usb/usbguard-notifier similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-notifier rename to apparmor.d/groups/usb/usbguard-notifier diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/groups/utils/agetty similarity index 88% rename from apparmor.d/profiles-a-f/agetty rename to apparmor.d/groups/utils/agetty index 9e6db414e..9ae450196 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/groups/utils/agetty @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/agetty +@{exec_path} = @{sbin}/agetty profile agetty @{exec_path} { include include @@ -20,19 +20,20 @@ profile agetty @{exec_path} { network netlink raw, + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, @{bin}/login rPx, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, @{etc_rw}/issue r, /{,usr/}lib/os-release r, /{etc,run,lib,usr/lib}/issue r, /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, - /etc/login.defs r, - /etc/login.defs.d/{,*} r, /etc/os-release r, - /usr/etc/login.defs r, @{run}/credentials/getty@tty@{int}.service/ r, @{run}/credentials/serial-getty@ttyS@{int}.service/ r, diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/groups/utils/blkid similarity index 97% rename from apparmor.d/profiles-a-f/blkid rename to apparmor.d/groups/utils/blkid index 27207bdb7..3eee035fe 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/groups/utils/blkid @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blkid +@{exec_path} = @{sbin}/blkid profile blkid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/groups/utils/blockdev similarity index 86% rename from apparmor.d/profiles-a-f/blockdev rename to apparmor.d/groups/utils/blockdev index 88059a4c5..0c5e7b17c 100644 --- a/apparmor.d/profiles-a-f/blockdev +++ b/apparmor.d/groups/utils/blockdev 
@@ -7,10 +7,10 @@ abi , include -@{exec_path} = @{bin}/blockdev +@{exec_path} = @{sbin}/blockdev profile blockdev @{exec_path} { include - include + include capability sys_admin, diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/groups/utils/chfn similarity index 87% rename from apparmor.d/profiles-a-f/chfn rename to apparmor.d/groups/utils/chfn index 7201d1a7a..45b50c7ad 100644 --- a/apparmor.d/profiles-a-f/chfn +++ b/apparmor.d/groups/utils/chfn @@ -10,19 +10,16 @@ include @{exec_path} = @{bin}/chfn profile chfn @{exec_path} { include + include + include include include - include include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # chfn is a SETUID binary + capability net_admin, capability setuid, network netlink raw, diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/groups/utils/chsh similarity index 90% rename from apparmor.d/profiles-a-f/chsh rename to apparmor.d/groups/utils/chsh index bf2b92a98..e3581be31 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/groups/utils/chsh @@ -24,9 +24,7 @@ profile chsh @{exec_path} { network netlink raw, - unix type=stream addr=@@{udbus}/bus/chsh/system, - - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/groups/utils/df similarity index 90% rename from apparmor.d/profiles-a-f/df rename to apparmor.d/groups/utils/df index 1a823e4db..baceace65 100644 --- a/apparmor.d/profiles-a-f/df +++ b/apparmor.d/groups/utils/df @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/df -profile df @{exec_path} { +profile df @{exec_path} flags=(attach_disconnected) { include include 
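Review bot: The chfn hunk removes the why-comments on its capabilities (`# To write records to the kernel auditing log.`, `# chfn is a SETUID binary`) and at the same time adds `capability net_admin,` with no explanation, leaving the profile less documented than before. `net_admin` is a broad capability for a setuid user-information tool; please record what triggered it, e.g. `capability net_admin, # <reason: observed denial>`, and consider restoring the audit_write comment. If it was only observed while opening the audit netlink socket, confirm it is genuinely required rather than logged as a probe.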
diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/groups/utils/dmesg similarity index 92% rename from apparmor.d/profiles-a-f/dmesg rename to apparmor.d/groups/utils/dmesg index 6abc40c37..14ace0dea 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/dmesg -profile dmesg @{exec_path} { +profile dmesg @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/groups/utils/eject similarity index 100% rename from apparmor.d/profiles-a-f/eject rename to apparmor.d/groups/utils/eject diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/groups/utils/findmnt similarity index 100% rename from apparmor.d/profiles-a-f/findmnt rename to apparmor.d/groups/utils/findmnt diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/groups/utils/fsck similarity index 91% rename from apparmor.d/profiles-a-f/fsck rename to apparmor.d/groups/utils/fsck index 5d0588026..e2537b21c 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/groups/utils/fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck +@{exec_path} = @{sbin}/fsck profile fsck @{exec_path} flags=(attach_disconnected) { include include @@ -18,15 +18,15 @@ profile fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck.* rPx, /etc/fstab r, # When a mount dir is passed to fsck as an argument. @{HOME}/ r, @{MOUNTS}/ r, - /boot/ r, + @{efi}/ r, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/profiles-a-f/fstrim b/apparmor.d/groups/utils/fstrim similarity index 78% rename from apparmor.d/profiles-a-f/fstrim rename to apparmor.d/groups/utils/fstrim index a55337659..87bd7fad5 100644 --- a/apparmor.d/profiles-a-f/fstrim +++ b/apparmor.d/groups/utils/fstrim 
@@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{bin}/fstrim -profile fstrim @{exec_path} { +@{exec_path} = @{sbin}/fstrim +profile fstrim @{exec_path} flags=(attach_disconnected) { include include @@ -22,10 +22,11 @@ profile fstrim @{exec_path} { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, / r, - /boot/ r, - /boot/efi/ r, + @{efi}/ r, /var/ r, + @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/utils/hwclock b/apparmor.d/groups/utils/hwclock new file mode 100644 index 000000000..d1433a605 --- /dev/null +++ b/apparmor.d/groups/utils/hwclock @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/hwclock +profile hwclock @{exec_path} { + include + include + + capability audit_write, + capability sys_time, + + network netlink raw, + + @{exec_path} mr, + + /etc/adjtime rw, + + @{sys}/devices/pnp@{int}/*/rtc/rtc@{int}/{,*} r, + + /dev/rtc@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/groups/utils/locale-gen similarity index 96% rename from apparmor.d/profiles-g-l/locale-gen rename to apparmor.d/groups/utils/locale-gen index b9254171a..3620018a7 100644 --- a/apparmor.d/profiles-g-l/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/locale-gen +@{exec_path} = @{sbin}/locale-gen profile locale-gen @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/groups/utils/login similarity index 80% rename from apparmor.d/profiles-g-l/login rename to apparmor.d/groups/utils/login index 9b32614a9..c35001498 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/groups/utils/login @@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, 
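Review bot: In the fstrim hunk `@{PROC}/@{pid}/mountinfo r,` is not `owner`-qualified, while the new lslocks and lsns profiles in this same commit write `owner @{PROC}/@{pid}/mountinfo r,` for the same file. fstrim only needs its own mount table, so `owner @{PROC}/@{pid}/mountinfo r,` is the consistent and narrower rule.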
@@ -30,28 +31,26 @@ profile login @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (send) set=(hup term), - - unix type=stream addr=@@{udbus}/bus/login/system, + signal send set=(hup term), ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, - @{bin}/@{shells} rUx, + @{shells_path} Ux, #aa:exclude RBAC @{etc_ro}/environment r, + @{etc_ro}/security/group.conf r, + @{etc_ro}/security/limits.conf r, @{etc_ro}/security/limits.d/{,*} r, + @{etc_ro}/security/pam_env.conf r, /etc/default/locale r, /etc/legal r, /etc/machine-id r, /etc/motd r, /etc/motd.d/ r, - /etc/security/group.conf r, - /etc/security/limits.conf r, - /etc/security/pam_env.conf r, /etc/shells r, /var/lib/faillock/@{user} rwk, @@ -59,12 +58,12 @@ profile login @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/motd.legal-displayed rw, + @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{run}/credentials/getty@tty@{int}.service/ r, - @{run}/dbus/system_bus_socket rw, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, - @{run}/systemd/sessions/*.ref rw, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/groups/utils/losetup similarity index 65% rename from apparmor.d/profiles-g-l/losetup rename to apparmor.d/groups/utils/losetup index fd2472dce..9b32074ba 100644 --- a/apparmor.d/profiles-g-l/losetup +++ b/apparmor.d/groups/utils/losetup 
@@ -6,22 +6,27 @@ abi , include -@{exec_path} = @{bin}/losetup +@{exec_path} = @{sbin}/losetup profile losetup @{exec_path} { include include + include capability dac_override, capability dac_read_search, - unix (receive) type=stream, + unix receive type=stream, @{exec_path} mr, - @{sys}/devices/**/usb[0-9]/{,**} r, + @{user_img_dirs}/** rw, + @{user_vm_dirs}/** rw, + + @{sys}/block/ r, + @{sys}/devices/virtual/block/loop@{int}/{,**} r, /dev/loop-control rw, - /dev/loop[0-9]* rw, + /dev/loop@{int} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/groups/utils/lsblk similarity index 100% rename from apparmor.d/profiles-g-l/lsblk rename to apparmor.d/groups/utils/lsblk diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/groups/utils/lscpu similarity index 100% rename from apparmor.d/profiles-g-l/lscpu rename to apparmor.d/groups/utils/lscpu diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd new file mode 100644 index 000000000..96e497ea6 --- /dev/null +++ b/apparmor.d/groups/utils/lsfd 
@@ -0,0 +1,69 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsfd +profile lsfd @{exec_path} flags=(attach_disconnected) { + include + include + + capability bpf, + capability checkpoint_restore, + capability dac_read_search, + capability net_admin, + capability sys_admin, + capability sys_chroot, + capability sys_ptrace, + capability sys_resource, + capability syslog, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + network packet dgram, + + ptrace read, + ptrace trace, + + mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int}, + + @{exec_path} mr, + + / r, + @{att}/ r, + + owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw, + + @{run}/ r, + @{run}/netns/ r, + + @{sys}/kernel/cpu_byteorder r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/syscall r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc new file mode 100644 index 000000000..7677a8a03 --- /dev/null +++ b/apparmor.d/groups/utils/lsipc 
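Review bot: The new lsfd profile lists `network inet6 stream,` twice; drop the duplicate. The profile also grants both `ptrace read,` and `ptrace trace,` together with a very wide capability set (bpf, sys_admin, sys_chroot, checkpoint_restore, ...) for what is a read-only listing tool; if the denials only showed `read`, `ptrace trace,` should go, and a one-line comment on the unusual capabilities (`capability bpf, # <reason>`) would help reviewers judge them later.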
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsipc +profile lsipc @{exec_path} { + include + include + + @{exec_path} mr, + + @{PROC}/sys/fs/mqueue/msg_max r, + @{PROC}/sys/fs/mqueue/msgsize_max r, + @{PROC}/sys/fs/mqueue/queues_max r, + @{PROC}/sys/kernel/msgmax r, + @{PROC}/sys/kernel/msgmnb r, + @{PROC}/sys/kernel/msgmni r, + @{PROC}/sys/kernel/sem r, + @{PROC}/sys/kernel/shmall r, + @{PROC}/sys/kernel/shmmax r, + @{PROC}/sys/kernel/shmmni r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + + /dev/mqueue/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks new file mode 100644 index 000000000..44d2e1d01 --- /dev/null +++ b/apparmor.d/groups/utils/lslocks @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslocks +profile lslocks @{exec_path} flags=(attach_disconnected) { + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{sys}/devices/**/block/** r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/locks r, + owner @{PROC}/@{pid}/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins new file mode 100644 index 000000000..7393b47c0 --- /dev/null +++ b/apparmor.d/groups/utils/lslogins 
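Review bot: In the new lslocks profile `owner @{PROC}/@{pid}/ r,` is redundant, since `@{PROC}/@{pid}/ r,` a few lines above already grants the same read to every pid directory regardless of owner. Remove the owner-qualified line, or, if the intent was to restrict directory listing to the process's own entry, remove the unqualified one instead.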
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslogins +profile lslogins @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/.pwd.lock w, + /etc/.pwd.lock wk, + /etc/login.defs r, + /etc/shadow r, + + /var/log/lastlog r, + /var/log/wtmp rk, + + @{run}/systemd/userdb/ r, + + @{PROC}/ r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns new file mode 100644 index 000000000..7fbf56896 --- /dev/null +++ b/apparmor.d/groups/utils/lsns @@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsns +profile lsns @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + capability sys_ptrace, + capability dac_read_search, + + network, + + ptrace read, + ptrace trace, + + @{exec_path} mr, + + @{att}/ r, + + @{run}/*/netns/** r, + @{run}/*/ns/** r, + + @{sys}/devices/**/block/** r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/groups/utils/lspci similarity index 94% rename from apparmor.d/profiles-g-l/lspci rename to apparmor.d/groups/utils/lspci index b390346bb..e8ba89298 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/groups/utils/lspci 
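Review bot: In the new lslogins profile `/etc/.pwd.lock w,` is subsumed by the following `/etc/.pwd.lock wk,`; keep only the `wk` rule. The profile also reads `/etc/login.defs r,` while this same commit moves apport-checkreports, agetty and newgrp to `@{etc_ro}/login.defs r,`; use the variable here as well for consistency.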
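Review bot: The new lsns profile uses a bare `network,` rule, which permits every address family and socket type, whereas the other new utils profiles in this commit (lsfd, fanctl) list families explicitly. If lsns only needs a netlink socket for namespace-id lookups, `network netlink raw,` would be the narrower rule; confirm against the denial log before narrowing. The capability block is also unsorted (`dac_read_search` after `sys_ptrace`).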
@@ -13,11 +13,13 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, - @{exec_path} mr, + network inet dgram, + network inet6 dgram, - /app/lib/libzypak-preload-host*.so rm, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi new file mode 100644 index 000000000..f0e7b4df2 --- /dev/null +++ b/apparmor.d/groups/utils/lsscsi @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsscsi +profile lsscsi @{exec_path} { + include + include + + @{exec_path} mr, + + / r, + + /dev/ r, + /dev/** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/groups/utils/newgrp similarity index 96% rename from apparmor.d/profiles-m-r/newgrp rename to apparmor.d/groups/utils/newgrp index ebd15d4b6..1452f34fc 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/groups/utils/newgrp @@ -23,9 +23,9 @@ profile newgrp @{exec_path} { @{bin}/@{shells} rUx, - /etc/{passwd,group,shadow,gshadow} r, + @{etc_ro}/login.defs r, - /etc/login.defs r, + /etc/{passwd,group,shadow,gshadow} r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/groups/utils/nologin similarity index 93% rename from apparmor.d/profiles-m-r/nologin rename to apparmor.d/groups/utils/nologin index 3ee32cf34..795a1aa35 100644 --- a/apparmor.d/profiles-m-r/nologin +++ b/apparmor.d/groups/utils/nologin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nologin +@{exec_path} = @{sbin}/nologin profile nologin @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/groups/utils/pstree similarity index 100% rename from apparmor.d/profiles-m-r/pstree rename to apparmor.d/groups/utils/pstree 
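Review bot: The new `network inet dgram,` / `network inet6 dgram,` rules in lspci carry no why-comment, and a PCI enumeration tool opening inet sockets is surprising enough that the next reader will assume it sends traffic. If this comes from a library opening a datagram socket only to issue an ioctl (the usual reason hardware tools touch AF_INET), say so on the rule, e.g. `network inet dgram, # socket opened for ioctl only, no traffic`; if the trigger is not known, record the aa-log entry that motivated it instead. `capability dac_read_search,` is likewise undocumented; note which root-only sysfs or procfs path needed it.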
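Review bot: `/dev/** r,` in the new lsscsi profile is far broader than the tool needs: `r` on `/dev/**` lets the confined process open any device node read-only, including whole-disk block devices and everything under `/dev/shm/`, not just the SCSI nodes lsscsi inspects. Scope it to the device classes lsscsi actually opens (confirm the set with aa-log; most likely the `/dev/sd*`, `/dev/sg*` and `/dev/sr*` style nodes) and keep `/dev/ r,` for the directory listing. The separate `/ r,` is only a root-directory listing and is fine.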
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/groups/utils/su similarity index 66% rename from apparmor.d/profiles-s-z/su rename to apparmor.d/groups/utils/su index 02a212150..866da3d6a 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/groups/utils/su @@ -12,21 +12,22 @@ profile su @{exec_path} { include include include + include #aa:only RBAC capability chown, # pseudo-terminal - signal (send) set=(term,kill), - signal (receive) set=(int,quit,term), - signal (receive) set=(cont,hup) peer=sudo, - - unix (bind) type=dgram, + signal send set=(term kill), + signal receive set=(int quit term), + signal receive set=(cont hup) peer=sudo, @{exec_path} mr, - @{bin}/@{shells} rUx, - @{bin}/nologin rPx, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{sbin}/nologin Px, @{etc_ro}/default/su r, + /etc/default/locale r, + /etc/environment r, @{HOME}/.xauth@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/groups/utils/sulogin similarity index 80% rename from apparmor.d/profiles-s-z/sulogin rename to apparmor.d/groups/utils/sulogin index 556808aeb..2af869dab 100644 --- a/apparmor.d/profiles-s-z/sulogin +++ b/apparmor.d/groups/utils/sulogin @@ -6,12 +6,15 @@ abi , include -@{exec_path} = @{bin}/sulogin +@{exec_path} = @{sbin}/sulogin profile sulogin @{exec_path} { include + include include + capability checkpoint_restore, capability sys_admin, + capability sys_tty_config, @{exec_path} mr, @@ -22,9 +25,6 @@ profile sulogin @{exec_path} { @{PROC}/consoles r, - /dev/ r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/groups/utils/swaplabel similarity index 93% rename from apparmor.d/profiles-s-z/swaplabel rename to apparmor.d/groups/utils/swaplabel index 05dc5783a..16abf153d 100644 --- a/apparmor.d/profiles-s-z/swaplabel +++ b/apparmor.d/groups/utils/swaplabel 
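Review bot: `capability checkpoint_restore,` in sulogin is an unusual grant for a single-user-mode login helper and has no comment, unlike the `sys_tty_config` added next to it, which is at least conventional for a program handling the console. Record which syscall or procfs write produced the denial, e.g. `capability checkpoint_restore, # <reason from aa-log: TODO>`, so a later audit can verify it is still needed rather than treating it as boilerplate. The `/dev/ r,` and `/dev/tty@{int} rw,` rules removed in the second sulogin hunk are presumably now provided by the newly included abstraction; if not, the console open will fail.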
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swaplabel +@{exec_path} = @{sbin}/swaplabel profile swaplabel @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/groups/utils/swapon similarity index 92% rename from apparmor.d/profiles-s-z/swapon rename to apparmor.d/groups/utils/swapon index 83d2c6a3b..dd4aec8e2 100644 --- a/apparmor.d/profiles-s-z/swapon +++ b/apparmor.d/groups/utils/swapon @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swapon @{bin}/swapoff +@{exec_path} = @{sbin}/swapon @{sbin}/swapoff profile swapon @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/groups/utils/sync similarity index 100% rename from apparmor.d/profiles-s-z/sync rename to apparmor.d/groups/utils/sync diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/groups/utils/umount similarity index 100% rename from apparmor.d/profiles-s-z/umount rename to apparmor.d/groups/utils/umount diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/groups/utils/uname similarity index 100% rename from apparmor.d/profiles-s-z/uname rename to apparmor.d/groups/utils/uname diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/groups/utils/users similarity index 100% rename from apparmor.d/profiles-s-z/users rename to apparmor.d/groups/utils/users diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/groups/utils/uuidd similarity index 79% rename from apparmor.d/profiles-s-z/uuidd rename to apparmor.d/groups/utils/uuidd index 4d75a70ed..52f52b4a2 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/groups/utils/uuidd 
@@ -6,19 +6,24 @@ abi , include -@{exec_path} = @{bin}/uuidd +@{exec_path} = @{sbin}/uuidd profile uuidd @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + network inet dgram, @{exec_path} mr, owner /var/lib/libuuid/clock.txt rwk, + owner /var/lib/libuuid/clock-cont.txt rwk, + + @{att}/@{run}/uuidd/request rw, @{run}/uuidd/request rw, - @{att}/@{run}/uuidd/request rw, + @{run}/uuidd/uuidd.pid rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/groups/utils/uuidgen similarity index 100% rename from apparmor.d/profiles-s-z/uuidgen rename to apparmor.d/groups/utils/uuidgen diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/groups/utils/whereis similarity index 97% rename from apparmor.d/profiles-s-z/whereis rename to apparmor.d/groups/utils/whereis index 32d4ffa51..36e457998 100644 --- a/apparmor.d/profiles-s-z/whereis +++ b/apparmor.d/groups/utils/whereis @@ -15,6 +15,7 @@ profile whereis @{exec_path} { @{exec_path} mr, @{bin}/{,*/} r, + @{sbin}/{,*/} r, @{lib}/ r, @{lib}/go-*/bin/ r, /usr/{local/,}games/ r, diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/groups/utils/who similarity index 95% rename from apparmor.d/profiles-s-z/who rename to apparmor.d/groups/utils/who index 3da07f89d..fd49b2bec 100644 --- a/apparmor.d/profiles-s-z/who +++ b/apparmor.d/groups/utils/who @@ -18,6 +18,8 @@ profile who @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/* r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/groups/systemd/zramctl b/apparmor.d/groups/utils/zramctl similarity index 77% rename from apparmor.d/groups/systemd/zramctl rename to apparmor.d/groups/utils/zramctl index 9dbf23243..29428a96f 100644 --- a/apparmor.d/groups/systemd/zramctl +++ b/apparmor.d/groups/utils/zramctl 
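Review bot: `capability dac_override,` in uuidd is added without a why-comment, and it cannot be what makes the neighbouring `owner /var/lib/libuuid/clock.txt rwk,` and `owner /var/lib/libuuid/clock-cont.txt rwk,` rules work, since `owner` matches on file ownership regardless of DAC override. If the daemon is hitting a root-owned file or directory after dropping privileges, name it on the rule so the capability can later be replaced by fixing ownership, e.g. `capability dac_override, # <path from aa-log: TODO>`. `network inet dgram,` is presumably libuuid reading the MAC address through an ioctl on a datagram socket rather than sending traffic; a comment to that effect would stop it being widened to `stream` later.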
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/zramctl +@{exec_path} = @{sbin}/zramctl profile zramctl @{exec_path} { include include @@ -14,10 +14,12 @@ profile zramctl @{exec_path} { @{exec_path} mr, @{sys}/devices/virtual/block/zram@{int}/ r, - @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r, + @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, + @{sys}/devices/virtual/block/zram@{int}/disksize w, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, + @{sys}/devices/virtual/block/zram@{int}/reset w, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 73ad13cb1..0f2692ecf 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -15,7 +15,7 @@ profile cni-portmap @{exec_path} { network netlink raw, @{exec_path} mr, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 1766cd2fb..b6111750b 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -26,12 +26,12 @@ profile cockpit-bridge @{exec_path} { ptrace read, - signal send set=term peer=cockpit-bridge//sudo, signal send set=term peer=cockpit-pcp, signal send set=term peer=dbus-daemon, signal send set=term peer=journalctl, signal send set=term peer=ssh-agent, signal send set=term peer=unconfined, + signal (send receive) set=term peer=cockpit-bridge//sudo, @{exec_path} mr, 
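Review bot: `@{sys}/devices/virtual/block/zram@{int}/disksize r,` and the added `@{sys}/devices/virtual/block/zram@{int}/disksize w,` in zramctl are two rules on one path; collapse them to `disksize rw,` as was already done for `comp_algorithm rw,` two lines above. The new `reset w,` is the most consequential of the three write grants, since writing it wipes the device, so a short comment on that line would document why zramctl needs it.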
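Review bot: `signal (send receive) set=term peer=cockpit-bridge//sudo,` in the parent cockpit-bridge profile does not match its counterpart in the sudo child profile changed later in this commit (the `@@ -114` hunk on cockpit-bridge), which becomes `signal (send receive) set=(cont hup term) peer=cockpit-bridge,`. AppArmor checks both the sender's and the receiver's rule, so `cont` and `hup` between the two will still be denied on the parent side; if those signals were in the logs that motivated the child-side change, the parent rule needs the same set: `signal (send receive) set=(cont hup term) peer=cockpit-bridge//sudo,`. If only `term` is actually exchanged, the child rule is the one to trim.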
@@ -39,12 +39,12 @@ profile cockpit-bridge @{exec_path} { @{bin}/date ix, @{bin}/find ix, @{bin}/ip ix, - @{bin}/python3.@{int} ix, + @{python_path} ix, @{bin}/test ix, @{bin}/file ix, @{bin}/chage Px, - @{bin}/dmidecode Px, + @{sbin}/dmidecode Px, @{bin}/findmnt Px, @{bin}/journalctl Px, @{bin}/last Px, @@ -67,9 +67,9 @@ profile cockpit-bridge @{exec_path} { /usr/share/file/** r, /usr/share/iproute2/* r, + @{etc_ro}/login.defs r, /etc/cockpit/{,**} r, /etc/httpd/conf/mime.types r, - /etc/login.defs r, /etc/machine-id r, /etc/mime.types r, /etc/motd r, @@ -114,7 +114,7 @@ profile cockpit-bridge @{exec_path} { include include - signal (send receive) set=term peer=cockpit-bridge, + signal (send receive) set=(cont hup term) peer=cockpit-bridge, @{bin}/cockpit-bridge Px, @{lib}/cockpit/cockpit-askpass Px, diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index ac9dd5f6f..303fd074c 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -21,6 +21,7 @@ profile cockpit-certificate-helper @{exec_path} { @{bin}/openssl rix, @{bin}/rm rix, @{bin}/sscg rix, + @{bin}/sync rix, @{bin}/tr rix, /etc/machine-id r, diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index c2a7455ce..bb1ba03bf 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -10,6 +10,8 @@ include profile cockpit-desktop @{exec_path} { include + userns, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 67ecd800e..8eafd25a0 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session 
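Review bot: `userns,` in cockpit-desktop is granted with no comment; user-namespace creation is the permission recent Ubuntu kernels restrict for unprivileged processes, and this profile otherwise allows only `@{exec_path} mr,`, so a reader cannot tell what is creating the namespace. If cockpit-desktop launches a browser whose sandbox needs it, say so on the rule, e.g. `userns, # browser sandbox started by cockpit-desktop`; otherwise record the aa-log entry. If a single child process is the consumer, a `rCx` child profile carrying the `userns` rule would keep it off the wrapper itself.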
@@ -36,11 +36,11 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/motd.d/ r, /etc/shells r, - @{run}/cockpit/active.motd r, - @{run}/cockpit/inactive.motd r, + @{att}/@{run}/systemd/sessions/*.ref rw, + + @{run}/cockpit/* r, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, - @{run}/systemd/sessions/*.ref rw, @{run}/utmp rwk, /var/log/btmp rw, diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 0037b132c..7bf43ed4a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,6 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, + owner @{run}/cockpit/tls/{,**} rw, include if exists diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index c78f63a63..8e3478072 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -7,17 +7,22 @@ abi , include @{exec_path} = @{lib}/cockpit/cockpit-ws -profile cockpit-ws @{exec_path} { +profile cockpit-ws @{exec_path} flags=(attach_disconnected) { include + include + include @{exec_path} mr, + @{sh_path} rix, @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, /usr/share/pixmaps/{,**} r, /etc/cockpit/ws-certs.d/ r, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index b14a1e36f..99db4d614 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory 
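Review bot: cockpit-ws gains `flags=(attach_disconnected)` but its new socket rule is written as `@{run}/cockpit/wsinstance/https@@{hex64}.sock r,`, whereas the cockpit-tls hunk just above grants the same socket as `@{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r,`. If cockpit-ws is the process running in a private mount namespace (the reason to add the flag), the path it sees will be the disconnected form and the plain `@{run}` rule will not match; either add the `@{att}/` variant here too or drop the flag if it is not needed. `@{sh_path} rix,` also deserves a comment naming the script cockpit-ws runs, since a shell inheriting a network-facing service's profile is a rule future readers will want justified.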
@@ -9,6 +9,9 @@ include @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory profile cockpit-wsinstance-factory @{exec_path} { include + include + + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, capability net_admin, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 4f73ff985..95d332a45 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -46,7 +46,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd-shim-runc-v2 rPx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, @@ -87,10 +87,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/nri/nri.sock rw, @{run}/systemd/notify w, - /tmp/cri-containerd.apparmor.d@{int} rwl, - /tmp/ctd-volume@{int}/{,**} rw, - owner @{tmp}/** rwkl, - owner /var/tmp/** rwkl, + /tmp/cri-containerd.apparmor.d@{int} rwl, + /tmp/ctd-volume@{int}/{,**} rw, @{sys}/fs/cgroup/kubepods/** r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 4c3707493..04b355a48 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -25,12 +25,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { signal (send) set=kill peer=cri-containerd.apparmor.d, signal (receive) set=kill peer=containerd, - mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, - umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, - @{bin}/runc rPUx, + @{sbin}/runc rPx, /tmp/runc-process@{int} rw, /tmp/pty@{int}/ rw, 
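Review bot: `@{sbin}/runc rPx,` in containerd-shim-runc-v2 removes the `U` fallback that `rPUx` had, so the exec now hard-fails unless a `runc` profile is loaded; this page does not show such a profile, so confirm it exists or keep `rPUx` until it does. The dockerd hunk further down goes the other way and keeps runc unconfined (`@{sbin}/runc rUx,` and `@{bin}/runc rUx, #aa:lint ignore=sbin`), so the same binary is confined when launched via the shim but not via dockerd. Pick one policy and document the exception, e.g. `@{sbin}/runc rUx, # TODO: confine once the runc profile is stable`.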
@@ -56,6 +56,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/oom_score_adj rw, @{PROC}/sys/net/core/somaxconn r, + @{att}/dev/pts/ptmx rw, + include if exists } diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 2861514aa..9a8cbe379 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -15,8 +15,9 @@ profile docker-proxy @{exec_path} { network inet stream, network inet6 stream, + network netlink raw, - signal (receive) set=int peer=dockerd, + signal receive set=int peer=dockerd, @{exec_path} mr, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 2ea35f7b9..44d9f64a0 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
@@ -21,34 +21,32 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability net_admin, + capability net_bind_service, + capability net_raw, capability setfcap, capability sys_admin, capability sys_chroot, capability sys_ptrace, network inet dgram, + network inet raw, network inet stream, network inet6 dgram, network inet6 stream, network netlink raw, + network packet dgram, mount /tmp/containerd-mount@{int}/, - mount /var/lib/docker/buildkit/**/, - mount /var/lib/docker/overlay2/**/, - mount /var/lib/docker/tmp/buildkit-mount@{int}/, - mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/, - mount options=(rw bind) -> /run/docker/netns/*, - mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, - mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/, + mount /var/lib/docker/**/, + mount options=(rw bind) -> @{run}/docker/netns/*, mount options=(rw rprivate) -> /.pivot_root@{int}/, - mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/, mount options=(rw rslave) -> /, remount /tmp/containerd-mount@{int10}/, remount /var/lib/docker/**/, umount /.pivot_root@{int}/, - umount /run/docker/netns/*, + umount @{run}/docker/netns/*, umount /tmp/containerd-mount@{int}/, umount /var/lib/docker/**/, 
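Review bot: Collapsing the itemised mount rules into `mount /var/lib/docker/**/,` drops every `fstype=` and `options=` qualifier the old rules carried, and per the mount-rule grammar in apparmor.d(5) a lone path with no `->` is the source glob, leaving the mountpoint unconstrained — so this permits mounting anything found under `/var/lib/docker/` onto any path rather than mounting onto `/var/lib/docker/`. If the intent was the latter (the `remount` and `umount` rules below treat `/var/lib/docker/**/` as a mountpoint), write it as `mount -> /var/lib/docker/**/,` and consider keeping `mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/,` so the overlay case stays typed. The `->` form is already used correctly on `mount options=(rw bind) -> @{run}/docker/netns/*,` two lines down.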
@@ -66,34 +64,47 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd rPx, - @{bin}/docker-init rix, + @{bin}/docker-init rCx -> init, + @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, - @{bin}/kmod rPx, + @{bin}/git rCx -> git, + @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, - @{bin}/runc rUx, + @{sbin}/runc rUx, + @{bin}/runc rUx, #aa:lint ignore=sbin @{bin}/unpigz rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rCx -> nft, + @{sbin}/xtables-legacy-multi rCx -> nft, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. - /{,**} rwl, + /{,**} rwl, #aa:only apt + + @{att}/@{lib}/containerd/** rw, + @{att}/var/lib/docker/{,**} rwk, /etc/docker/{,**} r, @{att}/ r, - owner @{att}/@{lib}/containerd/** rw, owner @{lib}/docker/overlay2/*/work/{,**} rw, owner /var/lib/containerd/** rw, owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, + /tmp/build/ w, + /tmp/containerd-mount@{int}/{,**} rw, + + @{run}/systemd/notify rw, + + @{run}/containerd/containerd.sock rw, + owner @{run}/docker.pid rw, owner @{run}/docker/ rw, owner @{run}/docker/** rwlk, - owner @{run}/docker.pid rw, + @{sys}/devices/virtual/net/** r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, @@ -103,6 +114,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, @{PROC}/sys/kernel/keys/root_maxkeys r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/threads-max r, 
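Review bot: `@{att}/var/lib/docker/{,**} rwk,` is unqualified while the sibling `owner /var/lib/docker/{,**} rwk,` a few lines below keeps `owner`; the two describe the same tree seen from inside and outside a disconnected mount, so one of them is either too wide or too narrow. If the disconnected-path accesses genuinely hit files owned by other uids (container rootfs content), a comment saying so would justify dropping `owner`; otherwise add `owner` to the `@{att}` rule to match. `/tmp/build/ w,` is a fixed path with no comment and no `@{tmp}` variable; note what creates it.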
@@ -116,13 +130,65 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, owner @{PROC}/@{pid}/uid_map r, /dev/ r, /dev/**/ r, + profile nft flags=(attach_disconnected) { + include + + capability net_admin, + capability net_raw, + + network inet raw, + network inet6 raw, + network netlink raw, + + @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-legacy-multi rix, + @{bin}/kmod rPx -> dockerd//kmod, + + @{PROC}/@{pid}/net/ip{,6}_tables_names r, + @{PROC}/sys/kernel/modprobe r, + + @{run}/xtables.lock rwk, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + + profile init flags=(attach_disconnected) { + include + + @{bin}/docker-init mr, + @{lib}/docker/docker-init mr, + + include if exists + } + + profile git flags=(attach_disconnected) { + include + + @{bin}/git mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 96e50ba35..2142e28b9 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -62,7 +62,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-run rix, @{bin}/{nano,emacs,ed} rPUx, @{bin}/vim{,.basic} rPUx, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/@{hex}/bin/* rix, 
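Review bot: The new `init` and `git` child profiles grant only the binary's own `mr` plus a single abstraction include, and git in particular normally execs helper programs (remote transports, ssh) that an `mr`-only profile will deny unless the included abstraction covers them; if these children are meant as tight sandboxes, add a comment stating the expected call (e.g. `# version probe only` on `@{bin}/docker-init mr,`), and if not, the denials will surface on first use. In the `kmod` child, `capability sys_module,` is the single most powerful grant in this commit and has no why-comment; `capability sys_module, # presumably xtables autoloading netfilter modules` would record the assumption to verify. The `nft` child's `@{bin}/kmod rPx -> dockerd//kmod,` and the parent's `@{bin}/kmod rCx -> kmod,` both land in that same child, which is consistent.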
@@ -159,7 +159,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{,**/} r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 44d24f1ae..303e906c2 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/libvirt-dbus +@{exec_path} = @{sbin}/libvirt-dbus profile libvirt-dbus @{exec_path} { include include @@ -18,7 +18,7 @@ profile libvirt-dbus @{exec_path} { @{exec_path} mr, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/virtqemud rPx, /usr/share/dbus-1/interfaces/org.libvirt.*.xml r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index db6d5d377..fa3005a65 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -14,11 +14,12 @@ abi , include -@{exec_path} = @{bin}/libvirtd +@{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include + include + include include - include include include include @@ -85,6 +86,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), + unix (send, receive) type=stream addr=none peer=(label=virt-manager), # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, 
@@ -103,26 +105,26 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen/bin/* rPUx, - @{bin}/dmidecode rPx, - @{bin}/dnsmasq rPx, - @{bin}/kmod rPx, - @{bin}/lvm rPUx, + @{sbin}/dmidecode rPx, + @{sbin}/dnsmasq rPx, + @{bin}/kmod rCx -> kmod, + @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @{bin}/swtpm_ioctl rPx, @{bin}/swtpm_setup rPx, @{bin}/udevadm rPx, @{bin}/virtiofsd rux, # TODO: WIP - @{bin}/virtlogd rPx, + @{sbin}/virtlogd rPx, @{sh_path} rix, @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper - @{bin}/tc rix, + @{sbin}/tc rix, @{bin}/xmllint rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{lib}/libvirt/virt-aa-helper rPx, /etc/libvirt/hooks/** rPUx, 
@@ -162,35 +164,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp* - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c21:@{int} r, # Generic SCSI access - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c108:@{int} r, # For /dev/ppp - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/[a-z]*/devices/ r, @{sys}/bus/pci/drivers_probe w, 
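Review bot: libvirtd's udev rules collapse to `@{run}/udev/data/+*:* r,` and `@{run}/udev/data/c@{int}:@{int} r,`, while the virtnodedevd hunks later on this page keep and extend the itemised per-subsystem list with one comment per device class. Both daemons read the same database, so one convention should win: if the itemised form is kept for virtnodedevd because it documents what is read, the same argument applies here, and if the glob is acceptable here it should be for virtnodedevd too. Functionally the two globs are a superset of every removed line, so nothing regresses.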
@@ -264,12 +240,19 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/vhost-net rw, # Force the use of virt-aa-helper - audit deny @{bin}/apparmor_parser rwxl, + audit deny @{sbin}/apparmor_parser rwxl, audit deny @{etc_rw}/apparmor.d/libvirt/** wxl, audit deny @{sys}/kernel/security/apparmor/features rwxl, audit deny @{sys}/kernel/security/apparmor/matching rwxl, audit deny @{sys}/kernel/security/apparmor/.* rwxl, + profile kmod { + include + include + + include if exists + } + profile qemu_bridge_helper { include diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index c10f44922..53afe6012 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -19,7 +19,7 @@ profile virt-aa-helper @{exec_path} { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, /etc/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, @@ -45,7 +45,6 @@ profile virt-aa-helper @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/psched r, deny @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, # For gl enabled graphics /dev/dri/{,*} r, diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd index ea9336cef..ef28e59e9 100644 --- a/apparmor.d/groups/virt/virtlockd +++ b/apparmor.d/groups/virt/virtlockd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlockd +@{exec_path} = @{sbin}/virtlockd profile virtlockd @{exec_path} { include diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 44bf06ba0..d362ad108 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlogd +@{exec_path} = @{sbin}/virtlogd profile virtlogd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 42e13ef64..2d7df07b6 100644 
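Review bot: The new `kmod` child profile in libvirtd holds only two includes and `include if exists`, with no `capability sys_module,`, whereas the equivalent `kmod` child added to dockerd on this page grants `capability sys_module,` explicitly. libvirtd reaches it through `@{bin}/kmod rCx -> kmod,` in the earlier hunk, presumably to load modules, which needs that capability; unless one of the included abstractions provides it, module loading will fail under this child. Either add `capability sys_module,` here or add a comment stating that the abstraction carries it.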
--- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -18,7 +18,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, /etc/libvirt/*.conf r, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 0b48d63fd..fb593068e 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -44,17 +44,18 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+dmi:* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features 
@@ -70,17 +71,17 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/ r, + @{sys}/devices/@{pci}/net/{,**} r, + @{sys}/devices/@{pci}/numa_node r, + @{sys}/devices/@{pci}/resource r, + @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/@{pci}/vpd r, @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r, @{sys}/devices/**/{config,device,vendor} r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/net/{,**} r, - @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables index 71f75b642..a10b75dde 100644 --- a/apparmor.d/groups/virt/xtables +++ b/apparmor.d/groups/virt/xtables @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi +@{exec_path} = @{sbin}/xtables-nft-multi @{sbin}/xtables-legacy-multi profile xtables { include include diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index d39517569..325535cce 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate 
@@ -19,10 +19,10 @@ profile anondate @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tee rix, @{bin}/timeout rix, @{bin}/tor-circuit-established-check rix, diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 51053ccee..23ab3aeb4 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -14,8 +14,8 @@ profile pam-info @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/faillock rix, - @{bin}/grep rix, + @{sbin}/faillock rix, + @{bin}/{,e}grep rix, @{bin}/str_replace rix, @{bin}/wc rix, @{bin}/whoami rix, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index e76570b34..8bdeb2c13 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -19,8 +19,8 @@ profile rads @{exec_path} { @{bin}/cat rix, @{bin}/chvt rix, @{bin}/free rix, - @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index d34f8087c..1e4850e7a 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/groups/whonix/sdwdate-gui b/apparmor.d/groups/whonix/sdwdate-gui index 23c0a6df4..84a6fb379 100644 --- a/apparmor.d/groups/whonix/sdwdate-gui +++ b/apparmor.d/groups/whonix/sdwdate-gui 
@@ -28,7 +28,7 @@ profile sdwdate-gui @{exec_path} { @{lib}/sdwdate-gui/log-viewer rix, @{lib}/helper-scripts/* rix, - @{lib}/python3/dist-packages/sdwdate_gui/__pycache__/ rw, + @{lib}/@{python_name}/dist-packages/sdwdate_gui/__pycache__/ rw, @{lib}/sdwdate-gui/ r, diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index 4130d9cd9..17bedc43b 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary @@ -14,7 +14,7 @@ profile systemcheck-canary @{exec_path} { @{exec_path} mr, @{bin}/sleep rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/whoami rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index fc20ad0fb..c86d91099 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -20,7 +20,7 @@ profile torbrowser-wrapper @{exec_path} { @{bin}/basename ix, @{bin}/cp ix, @{bin}/dirname ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index 01e1cb418..08322714f 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld @@ -29,7 +29,7 @@ profile whonix-firewalld @{exec_path} { @{bin}/rm rix, @{bin}/touch rix, @{bin}/whonix-*-firewall rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/qubesdb-read rPUx, @{bin}/qubesdb-cmd rPUx, diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce index 8d91581cb..110da187b 100644 --- a/apparmor.d/groups/xfce/startxfce +++ b/apparmor.d/groups/xfce/startxfce @@ -19,6 +19,7 @@ profile startxfce @{exec_path} { @{bin}/mkdir rix, @{bin}/id rix, + @{bin}/xdg-user-dirs-update rPx, @{bin}/xfce4-session rPx, @{bin}/xrdb rPx, @{bin}/systemctl rCx -> systemctl, 
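Review bot: In whonix-firewalld, `@{sbin}/xtables-nft-multi rix,` keeps running the firewall frontend inside the whonix-firewalld profile although this same diff gives xtables its own profile attached to `@{sbin}/xtables-nft-multi` (the xtables hunk above). If whonix-firewalld does not otherwise need the netlink/capability rules that rule loading requires, `@{sbin}/xtables-nft-multi rPx,` would delegate them to the dedicated profile instead of carrying them here; if inheriting is deliberate, a one-line comment explaining why would help. This is inferred from the two hunks only; the rest of the whonix-firewalld profile is outside the view.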
@@ -27,6 +28,8 @@ profile startxfce @{exec_path} { /etc/X11/xinit/xinitrc.d/{,**} r, /etc/xdg/xfce4/{,**} r, + owner @{HOME}/.Xdefaults r, + profile systemctl flags=(attach_disconnected) { include include @@ -36,6 +39,7 @@ profile startxfce @{exec_path} { profile dbus { include + include @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index d8f04d49c..2fcd83048 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -7,8 +7,10 @@ abi , include @{exec_path} = @{bin}/thunar -profile thunar @{exec_path} { +profile thunar @{exec_path} flags=(attach_disconnected) { include + include + include include include include @@ -17,6 +19,10 @@ profile thunar @{exec_path} { network netlink raw, + #aa:dbus own bus=session name=org.xfce.Thunar + #aa:dbus own bus=session name=org.xfce.FileManager + #aa:dbus own bus=session name=org.freedesktop.FileManager1 + @{exec_path} mr, @{bin}/thunar-volman rPx, @@ -30,6 +36,7 @@ profile thunar @{exec_path} { /etc/fstab r, /etc/timezone r, + /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r, # Full access to user's data / r, @@ -43,15 +50,20 @@ profile thunar @{exec_path} { owner @{run}/user/@{uid}/{,**} rw, owner @{tmp}/{,**} rw, + @{run}/mount/utab r, + + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + + owner @{PROC}/@{pid}/mountinfo r, + # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, deny /tmp/.*/{,**} rw, - owner @{PROC}/@{pid}/mountinfo r, - profile dbus { include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 350255834..fc73a14c9 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman 
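Review bot: In the thunar hunk, replacing `deny /boot/{,**} r,` with `deny @{efi}/{,**} r,` narrows the silence rule in a profile that grants `/ r,` and `/** r,` just above it, so unless `@{efi}` expands to cover `/boot` itself, kernels, initramfs images and everything else under /boot become readable by thunar. If the intent was only to add the ESP, keeping both lines — `deny /boot/{,**} r,` and `deny @{efi}/{,**} r,` — preserves the previous behaviour. The same substitution appears in the baobab hunk later in this diff, which also carries `/** r,`.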
@@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include + include + include include include diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index 99971abb8..3ba81c688 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd @@ -9,18 +9,30 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd profile tumblerd @{exec_path} { include + include + include + include include include include + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1 + @{exec_path} mr, + @{bin}/gdk-pixbuf-thumbnailer rPx, + /usr/share/backgrounds/xfce/{,**} r, /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/tumbler/* r, + owner /tmp/tumbler-@{rand6}.png r, + owner /tmp/tumbler-@{rand6}.??? w, + owner @{PROC}/@{pid}/mountinfo r, /dev/ r, diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 248d60b7e..9e74d8046 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,8 +9,12 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include + include + include include + #aa:dbus own bus=session name=org.xfce.clipman.settings + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index f5c80e07c..c594b8ed3 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,6 +10,8 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include + include + include include include include 
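Review bot: The two temp-file rules added to tumblerd hard-code `/tmp` while the rest of this diff uses the `@{tmp}` tunable for the same directory (thunar's `owner @{tmp}/{,**} rw,`, xfce-panel's `owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w,`), so they presumably should read `owner @{tmp}/tumbler-@{rand6}.png r,` and `owner @{tmp}/tumbler-@{rand6}.??? w,`. Since tumblerd thumbnails untrusted files, it is also worth listing the extensions actually written instead of the `.???` wildcard if that set is known. The profile body continues outside the hunk.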
@@ -22,6 +24,9 @@ profile xfce-notifyd @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.xfce.Notifyd + #aa:dbus own bus=session name=org.freedesktop.Notifications + @{exec_path} mr, owner @{user_cache_dirs}/xfce4/notifyd/ rw, diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 7b192ffc5..b04ed2eb9 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,12 +9,22 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include + include + include + include + include + include include include include include include + ptrace (read) peer=xfce-terminal, + + #aa:dbus own bus=session name=org.xfce.Panel + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + @{exec_path} mr, @{bin}/exo-open rix, @@ -26,6 +36,7 @@ profile xfce-panel @{exec_path} { @{bin}/sudo rCx -> root, /usr/share/desktop-directories/{,**} r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/livecheck/** r, /usr/share/xfce4/{,**} r, @@ -33,15 +44,20 @@ profile xfce-panel @{exec_path} { /etc/machine-id r, /etc/timezone r, /etc/xdg/menus/{,**} r, - /etc/xdg/xfce4/{,**} r, + /etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r, owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw, + owner @{user_cache_dirs}/xfce4-indicator-plugin.log w, owner @{user_config_dirs}/xfce4/panel/{,**} rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + deny @{user_share_dirs}/gvfs-metadata/{,*} r, + profile root { include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 1c2a0263d..91be9eede 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager 
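Review bot: `ptrace (read) peer=xfce-terminal,` in the first xfce-panel hunk is only half of a ptrace pair: AppArmor also mediates the tracee side, so xfce-terminal needs a matching `ptrace (readby) peer=xfce-panel,` unless it already has one outside the xfce-terminal hunk of this diff (which adds `signal send,` and D-Bus ownership but no readby rule). A short comment on the line stating which panel plugin needs to read the terminal's process state would help the next reviewer understand the rule. The xfce-panel profile body continues outside the hunk.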
@@ -9,9 +9,16 @@ include @{exec_path} = @{bin}/xfce4-power-manager profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include + #aa:dbus own bus=session name=org.xfce.PowerManager + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + @{exec_path} mr, @{bin}/xfpm-power-backlight-helper rPx, diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e486ac6d9..2c0f13bc1 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,11 +9,15 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include + include + include include include include include + #aa:dbus own bus=session name=org.xfce.ScreenSaver + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index e7ee1080b..c1bd98111 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index 17007122e..beddcce1f 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -9,6 +9,10 @@ include @{exec_path} = @{bin}/xfce4-session profile xfce-session @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include include 
@@ -16,6 +20,8 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=lightdm, + #aa:dbus own bus=session name=org.xfce.SessionManager + @{exec_path} mr, @{sh_path} rix, @@ -33,6 +39,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { @{lib}/msgcollector/msgdispatcher_xdg_autostart rPx, @{lib}/sdwdate-gui/start-maybe rPx, @{lib}/setup-wizard-dist/setup-dist_check_for_start rPx, + @{lib}/xapps/sn-watcher/xapp-sn-watcher rPUx, /usr/share/kde-power-savings-disable-in-vms/{,**} r, /usr/share/kde-screen-locker-disable-in-vms/{,**} r, @@ -48,11 +55,15 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { /etc/xdg/autostart/*.desktop r, owner @{user_cache_dirs}/sessions/{,**} rw, + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/*.desktop r, owner @{tmp}/.xfsm-ICE-@{rand6} rw, owner @{PROC}/@{pid}/stat r, + @{sys}/class/i2c-adapter/ r, + /dev/tty rw, profile systemctl flags=(attach_disconnected) { diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 342ffd3b4..8d2f06a75 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,11 +9,20 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include + include + include + include + include include include + include include include + signal send, + + #aa:dbus own bus=session name=org.xfce.Terminal5 + @{exec_path} mr, @{open_path} rPx -> child-open-help, @@ -26,7 +35,10 @@ profile xfce-terminal @{exec_path} { @{bin}/micro rPUx, @{bin}/nvtop rPx, + @{editor_path} rPUx, + /usr/share/ r, + /usr/share/desktop-base/profiles/xdg-config/ r, /usr/share/xfce4/ r, /usr/share/xfce4/terminal/{,**} r, @@ -34,6 +46,7 @@ profile xfce-terminal @{exec_path} { /etc/xdg/ r, /etc/xdg/xfce4/ r, + owner @{user_config_dirs}/xfce4/ r, owner @{user_config_dirs}/xfce4/terminal/{,**} r, owner @{tmp}/#@{int} rw, 
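Review bot: The unqualified `signal send,` added to xfce-terminal allows every signal to any process the DAC layer permits, which is broader than a terminal emulator needs; it normally only has to signal the shells and programs it spawned. Restricting at least the set, e.g. `signal send set=(hup int term kill),`, and the peer if the child shell runs under a known profile, keeps the rule proportionate. If the broad form was chosen because the child processes are unconfined and the peer cannot be named, a comment saying so would stop a later cleanup from guessing.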
diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index 0ab17ac5c..9cd273544 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -10,11 +10,14 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/xfconf/xfconfd profile xfconfd @{exec_path} { include + include include + #aa:dbus own bus=session name=org.xfce.Xfconf + @{exec_path} mr, - /etc/xdg/xfce4/xfconf/** r, + /etc/xdg/{,xdg-xubuntu/}xfce4/xfconf/** r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index d19e3de63..ff36e8459 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -10,14 +10,23 @@ include profile xfdesktop @{exec_path} { include include + include + include + include include include include + #aa:dbus own bus=session name=org.xfce.xfdesktop + @{exec_path} mr, @{bin}/xfce4-mime-helper rix, + /etc/xdg/{,xdg-xubuntu/}xfce4/helpers.rc r, + /etc/xdg/menus/{,*.menu} r, + /usr/share/xfce4/helpers/{,*.desktop} r, + /usr/share/desktop-directories/{,*.directory} r, /usr/share/backgrounds/xfce/{,**} r, /etc/fstab r, diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 3eec3377f..22db3f80d 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,8 +10,14 @@ include profile xfsettingsd @{exec_path} { include include + include + include + include + include include + #aa:dbus own bus=session name=org.xfce.SettingsDaemon + @{exec_path} mr, /etc/xdg/autostart/xfsettingsd.desktop r, diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index d7af2ccb9..7ecd2c8fe 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include + include + include include include include 
diff --git a/apparmor.d/mappings/login/base b/apparmor.d/mappings/login/base new file mode 100644 index 000000000..f74b90418 --- /dev/null +++ b/apparmor.d/mappings/login/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sshd/base b/apparmor.d/mappings/sshd/base new file mode 100644 index 000000000..dd9218d9c --- /dev/null +++ b/apparmor.d/mappings/sshd/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base new file mode 100644 index 000000000..95e395501 --- /dev/null +++ b/apparmor.d/mappings/sudo/base 
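Review bot: The header comment of the new `apparmor.d/mappings/sshd/base` still says "It is used by login to run pre login scripts", copied verbatim from `mappings/login/base`; it should name sshd, e.g. `# It is used by sshd to run pre login scripts (as root) such as the motd.`, so the file documents the program it actually maps. Apart from that sentence the login, sshd and sudo mapping files are identical, so a shared include for the `shell` child profile would avoid the three copies drifting when a motd rule is touched. The `include` targets are not visible in this rendering, so the abstractions referenced cannot be checked here.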
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by su/sudo to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify deleted file mode 100644 index 53c64daf9..000000000 --- a/apparmor.d/profiles-a-f/aa-notify +++ /dev/null @@ -1,49 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/aa-notify -profile aa-notify @{exec_path} { - include - include - include - include - include - - capability setgid, - capability setuid, - capability sys_ptrace, - - ptrace read, - - @{exec_path} mr, - - @{bin}/ r, - - /usr/share/terminfo/** r, - - @{etc_ro}/inputrc r, - @{etc_ro}/inputrc.keys r, - /etc/apparmor.d/{,**} r, - /etc/apparmor/*.conf r, - - /var/log/audit/audit.log r, - - owner @{HOME}/.inputrc r, - owner @{HOME}/.terminfo/@{int}/dumb r, - - owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, - - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index 2914180e6..3b42be234 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi 
@@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/virtual/thermal/{,**} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index 796194146..fd1d0af03 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -13,11 +13,10 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,}grep rix, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{bin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 5bf6c433a..4985bca3a 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/acpid +@{exec_path} = @{sbin}/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 9103b25b3..039518b51 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/add{user,group} +@{exec_path} = @{sbin}/adduser profile adduser @{exec_path} { include include @@ -24,7 +24,6 @@ profile adduser @{exec_path} { capability sys_admin, # For logger @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/find rix, @@ -34,12 +33,12 @@ profile adduser @{exec_path} { @{bin}/chage rPx, @{bin}/chfn rPx, @{bin}/gpasswd rPx, - @{bin}/groupadd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupadd rPx, + @{sbin}/groupdel rPx, @{bin}/passwd rPx, - @{bin}/useradd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/useradd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, /etc/{group,passwd,shadow} r, /etc/adduser.conf r, 
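Review bot: In the acpi-powerbtn hunk `@{bin}/shutdown rix,` is removed without an `@{sbin}` replacement, while the neighbouring `killall5` line is moved to `@{sbin}`; if the power-button script falls back to `shutdown` when no session manager handles the event, that exec will now be denied unless it is covered by a rule outside the hunk (for instance a systemctl transition), in which case a comment would help. In the adduser hunk the attachment changes from `@{bin}/add{user,group}` to `@{sbin}/adduser`, so `addgroup` only stays confined if it is a symlink resolved to adduser at exec time; a comment such as `# addgroup is a symlink to adduser` on the `@{exec_path}` line would record that assumption.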
diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6f2e1d5c7..7025f9787 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -17,9 +17,8 @@ profile adequate @{exec_path} flags=(complain) { #capability sys_tty_config, @{exec_path} r, - @{bin}/perl r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. @{bin}/ldd rCx -> ldd, @@ -55,14 +54,12 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/* mr, /usr/games/* mr, - @{lib}{,x}/** mr, @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, @{lib}/@{multiarch}/ld-*.so rix, - @{lib}{,x}32/ld-*.so rix, include if exists } @@ -74,7 +71,6 @@ profile adequate @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - @{bin}/perl r, @{bin}/adequate rPx, @@ -92,7 +88,7 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 7ebb3b629..700c6d517 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -7,16 +7,16 @@ abi , include @{exec_path} = @{bin}/alacarte -profile alacarte @{exec_path} { +profile alacarte @{exec_path} flags=(attach_disconnected) { include include include include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, + @{lib}/@{python_name}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, /usr/share/alacarte/{,**} r, /usr/share/desktop-directories/{,**} r, 
@@ -30,6 +30,11 @@ profile alacarte @{exec_path} { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index b2b97a62a..adf0d5cd3 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/alsactl +@{exec_path} = @{sbin}/alsactl profile alsactl @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule index b54e62022..ce600200a 100644 --- a/apparmor.d/profiles-a-f/amule +++ b/apparmor.d/profiles-a-f/amule @@ -27,7 +27,7 @@ profile amule @{exec_path} { # @{open_path} rPx -> child-open, @{exec_path} mr, - @{bin}/uname rPx, + @{bin}/uname rix, @{sh_path} rix, @{system_share_dirs}/amule/{,**} r, owner @{HOME}/.aMule/{,**} rwk, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index b7e4a127b..43ecdb0cd 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -41,7 +41,7 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, @@ -81,8 +81,8 @@ profile anyremote @{exec_path} { /usr/share/anyremote/cfg-data/Icons/common/*.png r, - /usr/share/ImageMagick-[0-9]/*.xml rw, - /etc/ImageMagick-[0-9]/*.xml r, + /usr/share/ImageMagick-@{int}/*.xml rw, + /etc/ImageMagick-@{int}/*.xml r, owner @{HOME}/.anyRemote/*.png rw, owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r, 
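Review bot: The rewritten anyremote rule `/usr/share/ImageMagick-@{int}/*.xml rw,` keeps write access to the system-wide ImageMagick configuration for a user-facing remote-control daemon, while the companion `/etc/ImageMagick-@{int}/*.xml r,` is read-only; the `rw` is carried over from the old glob, but a profile should not normally be able to rewrite files under /usr/share. If only the read is needed, `r` suffices; if a write really occurs, a trailing comment naming what ImageMagick writes there would justify it. The `@{bin}/which{,.debianutils} rix,` change in the same file is whitespace-only and can be dropped from the commit.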
diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay index fb4f2cb85..eba042635 100644 --- a/apparmor.d/profiles-a-f/aplay +++ b/apparmor.d/profiles-a-f/aplay @@ -19,6 +19,8 @@ profile aplay @{exec_path} flags=(complain) { owner @{HOME}/.Xauthority r, + /dev/snd/controlC@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 36ca9555f..f2231479d 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -24,6 +24,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /usr/share/app-info/{,**} r, /usr/share/appdata/ r, + /usr/share/byobu/desktop/{,**} r, /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/metainfo/ r, /usr/share/metainfo/*.{metainfo,appdata}.xml r, diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index e260321e6..77bf1bf96 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -19,7 +19,7 @@ profile arandr @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/xrandr rPx, diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index 64f25e181..d445df0e2 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount 
@@ -24,33 +24,19 @@ profile archivemount @{exec_path} { owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, - mount fstype=fuse.archivemount -> @{HOME}/*/, - mount fstype=fuse.archivemount -> @{HOME}/*/*/, - - /dev/fuse rw, - profile fusermount { include - include - - # To mount anything: - capability sys_admin, - - @{bin}/fusermount{,3} mr, + include mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/, mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/, - /dev/fuse rw, + umount @{HOME}/*/, + umount @{HOME}/*/*/, - /etc/fuse.conf r, - - owner @{HOME}/ r, /**.{tar,tar.gz,zip} r, /**.{TAR,TAR.GZ,ZIP} r, - @{PROC}/@{pid}/mounts r, - include if exists } diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 16b5b6f6d..629caca10 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, + @{lib}/aspell/{,*} r, /var/lib/aspell/{,*} r, /var/lib/aspell/*.rws rw, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 769f15cf0..14feb75df 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -7,14 +7,13 @@ abi , include -@{exec_path} = @{bin}/aspell-autobuildhash +@{exec_path} = @{sbin}/aspell-autobuildhash profile aspell-autobuildhash @{exec_path} flags=(complain) { include include include @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/basename rix, @@ -33,8 +32,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, - /usr/lib/aspell/*.rws rw, + @{lib}/aspell/{,*} r, + @{lib}/aspell/*.rws rw, /var/lib/aspell/ r, /var/lib/aspell/* rw, 
@@ -47,9 +46,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - @{bin}/perl r, - @{bin}/aspell-autobuildhash rPx, + @{sbin}/aspell-autobuildhash rPx, @{sh_path} rix, @{bin}/stty rix, @@ -64,7 +62,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index f8d39c8f5..783d210fb 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/atd +@{exec_path} = @{sbin}/atd profile atd @{exec_path} { include include @@ -20,15 +20,15 @@ profile atd @{exec_path} { capability setuid, capability sys_resource, - signal (receive) set=hup peer=at, + signal receive set=hup peer=at, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, @{sh_path} rix, - @{bin}/sendmail rPUx, - @{bin}/exim4 rPx, + @{sbin}/sendmail rPUx, + @{sbin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index dc7f2bf36..2444bd128 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include - include + include # For libwrap (TCP Wrapper) support include @@ -18,6 +18,12 @@ profile atftpd @{exec_path} { capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # FTP dirs (add "w" if you need write permissions and hence upload files) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 99cb0fed6..2782aacc0 100644 --- a/apparmor.d/profiles-a-f/atool 
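Review bot: The five `network` rules added to atftpd carry no rationale, and TFTP itself is UDP only, so the `inet stream` / `inet6 stream` lines presumably exist for resolver or libwrap host lookups rather than for the protocol. A comment such as `# stream: resolver/libwrap lookups` on those lines, or dropping them if a denial never appears without them, would keep the profile minimal and stop a later cleanup from guessing. The atftpd profile body continues outside the hunk.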
+++ b/apparmor.d/profiles-a-f/atool @@ -19,9 +19,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, - @{bin}/bzip2 rix, - @{bin}/bzip2 rix, @{bin}/bzip rix, + @{bin}/bzip2 rix, + @{bin}/bzip2 rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, @@ -30,16 +30,15 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, + @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, - @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, - @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -48,6 +47,7 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, + @{lib}/p7zip/7z rix, /etc/atool.conf r, owner @{HOME}/.atoolrc r, diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index d6881f3e7..762273a9f 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditctl +@{exec_path} = @{sbin}/auditctl profile auditctl @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 92afa1d08..41fb158c0 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditd +@{exec_path} = @{sbin}/auditd profile auditd @{exec_path} flags=(attach_disconnected) { include include @@ -27,6 +27,8 @@ profile auditd @{exec_path} flags=(attach_disconnected) { /var/log/audit/{,**} rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 7a515c1ba..5ae84876b 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules 
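Review bot: The atool reorder moves the duplicated `@{bin}/bzip2 rix,` pair instead of collapsing it, so the new side still contains that rule twice, and `@{bin}/lzop rix,` also appears twice in the context lines; only one `@{bin}/bzip2 rix,` and one `@{bin}/lzop rix,` are needed. Since the commit is already sorting this list, removing the duplicates in the same change would be the natural place to do it.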
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/augenrules +@{exec_path} = @{sbin}/augenrules profile augenrules @{exec_path} flags=(attach_disconnected) { include include @@ -16,7 +16,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e,f}grep rix, @{bin}/{,g,m}awk rix, - @{bin}/auditctl rPx, + @{sbin}/auditctl rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index e0f686b90..ff3a710c3 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/badblocks +@{exec_path} = @{sbin}/badblocks profile badblocks @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 1f9f14dc1..cd1e7563f 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -23,7 +23,7 @@ profile baobab @{exec_path} { / r, /** r, - deny /boot/{,**} r, + deny @{efi}/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index 8010b380a..87457a129 100644 --- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/biosdecode +@{exec_path} = @{sbin}/biosdecode profile biosdecode @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index c63a8de7c..771560c6b 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray 
@@ -40,7 +40,7 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*, owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index ad575351f..83806e753 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -7,18 +7,20 @@ abi , include -@{exec_path} = @{bin}/blkdeactivate +@{exec_path} = @{sbin}/blkdeactivate profile blkdeactivate @{exec_path} flags=(complain) { include include @{exec_path} rm, - @{bin}/dmsetup rPUx, - @{bin}/grep rix, + @{sh_path} rix, + @{sbin}/dmsetup rPUx, + @{bin}/{,e}grep rix, + @{bin}/touch rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, - @{bin}/multipathd rPx, + @{sbin}/lvm rPx, + @{sbin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index dbf6c228d..6d2683ade 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -27,11 +27,11 @@ profile borg @{exec_path} { @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, @{bin}/ccache rCx -> ccache, @@ -95,10 +95,7 @@ profile borg @{exec_path} { profile fusermount { include - include - include - - capability sys_admin, + include mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, 
@@ -106,17 +103,9 @@ profile borg @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop index a0b57a38b..1cfda03d9 100644 --- a/apparmor.d/profiles-a-f/briar-desktop +++ b/apparmor.d/profiles-a-f/briar-desktop @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Roman Beslik # SPDX-License-Identifier: GPL-2.0-only abi , @@ -34,6 +34,7 @@ profile briar-desktop @{exec_path} { @{system_share_dirs}/java/briar-desktop.jar r, /etc/java*/{,**} r, + /etc/machine-id r, owner @{HOME}/.briar/desktop/{,**} rw, owner @{HOME}/.briar/desktop/db/db.mv.db k, @@ -57,10 +58,11 @@ profile briar-desktop @{exec_path} { owner @{tmp}/jna@{u64}.tmp mrw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r, @{PROC}/cgroups r, + @{PROC}/asound/version r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/coredump_filter rw, @@ -78,7 +80,7 @@ profile briar-desktop @{exec_path} { profile jspawnhelper flags=(attach_disconnected) { include - @{bin}/ldconfig ix, + @{sbin}/ldconfig ix, owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor, @{system_share_dirs}/java/briar-desktop.jar r, diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor index af98f9fc7..ae818d1df 100644 --- a/apparmor.d/profiles-a-f/briar-desktop-tor +++ b/apparmor.d/profiles-a-f/briar-desktop-tor 
@@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Roman Beslik # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,11 +13,13 @@ profile briar-desktop-tor { network inet6 stream, network netlink raw, + signal send set=term peer=briar-desktop-tor//lyrebird, signal send set=term peer=briar-desktop-tor//obfs4proxy, signal send set=term peer=briar-desktop-tor//snowflake, owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw, owner @{HOME}/.briar/desktop/tor/.tor/lock k, + owner @{HOME}/.briar/desktop/tor/lyrebird Cx -> lyrebird, owner @{HOME}/.briar/desktop/tor/obfs4proxy Cx -> obfs4proxy, owner @{HOME}/.briar/desktop/tor/snowflake Cx -> snowflake, owner @{HOME}/.briar/desktop/tor/tor r, @@ -27,6 +29,25 @@ profile briar-desktop-tor { include if exists + profile lyrebird { + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + signal receive set=term peer=briar-desktop-tor, + + owner @{HOME}/.briar/desktop/tor/lyrebird mr, + @{PROC}/sys/net/core/somaxconn r, + + include if exists + } + profile obfs4proxy { include diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index 272000f3f..ee7ff958c 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass 
@@ -22,7 +22,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.mozilla/firefox/@{rand8}.*/extensions/* r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r, - owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw, + owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google@{d}/goog-phish-proto-@{int}.vlpset rw, owner @{tmp}/mozilla-temp-@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 6d71ed28d..bba3dfedb 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -15,9 +15,10 @@ profile calibre @{exec_path} { include include include - include include + include include + include include include include @@ -35,11 +36,13 @@ profile calibre @{exec_path} { capability sys_ptrace, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - unix (send, receive) type=stream peer=(addr=none, label=xorg), + # unix (send, receive) type=stream peer=(addr=none, label=xorg), unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", @@ -47,9 +50,10 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, + @{bin}/env r, @{bin}/file rix, - @{bin}/ldconfig{,.real} rix, @{bin}/uname rix, + @{sbin}/ldconfig{,.real} rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @@ -61,6 +65,7 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, /etc/fstab r, + /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, /etc/mime.types r, 
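Review bot: In the calibre `@@ -35,11 +36,13 @@` hunk the xorg unix rule is commented out (`# unix (send, receive) type=stream peer=(addr=none, label=xorg),`) rather than removed or annotated, which leaves dead policy in the profile with no record of why. If the rule is obsolete, delete it; if it is kept for reference, prefix it with the reason, e.g. `# unix ... label=xorg: disabled because <reason>, re-enable if denials appear`. The added `network inet dgram,` and `network inet6 dgram,` grants are also uncommented; UDP access in an e-book manager is not self-explanatory, so a short why-comment next to them would help reviewers.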
@@ -68,10 +73,15 @@ profile calibre @{exec_path} { owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/metadata.db" rwk, - owner @{user_documents_dirs}/{,**} rwl, + owner @{user_books_dirs}/{,**} rwl, + owner @{user_books_dirs}/Calibre/** rwk, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_documents_dirs}/Calibre/** rwk, owner @{user_torrents_dirs}/{,**} rwl, + owner @{user_torrents_dirs}/Calibre/** rwk, owner @{user_work_dirs}/{,**} rwl, + owner @{user_work_dirs}/Calibre/** rwk, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, @@ -82,10 +92,11 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{tmp}/calibre_*_tmp_*/{,**} rw, - owner @{tmp}/calibre-*/{,**} rw, - owner @{tmp}/@{int}-*/ rw, - owner @{tmp}/@{int}-*/** rwl, + owner @{tmp}/@{rand8} rw, + audit owner @{tmp}/@{int}-*/ rw, + audit owner @{tmp}/@{int}-*/** rwl, + audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, + audit owner @{tmp}/calibre-@{rand8}/{,**} rw, owner /dev/shm/#@{int} rw, @@ -108,6 +119,7 @@ profile calibre @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, + /dev/tty r, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index 9cacb9324..ee8d277f2 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cfdisk +@{exec_path} = @{sbin}/cfdisk profile cfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index 0f91c1e85..8f3f11af0 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cgdisk +@{exec_path} = @{sbin}/cgdisk profile cgdisk @{exec_path} { include include 
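Review bot: The calibre `@@ -82,10 +92,11 @@` hunk prefixes four allow rules with `audit` (`audit owner @{tmp}/@{int}-*/ rw,` and the three that follow), which makes the kernel log every matching access even though it is permitted. That is useful while collecting paths but noisy in a shipped profile and floods `aa-log` output for every user; if it is temporary instrumentation, mark it (`# FIXME: audit added to collect tmp paths, drop before release`) so it does not linger, and if it is intentional, say why. The first added line, `owner @{tmp}/@{rand8} rw,`, is the only one of the group without `audit`, which suggests the instrumentation targets the directory patterns specifically and is worth stating.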
diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 775e3f640..c44b6eaa5 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/check-bios-nx +@{exec_path} = @{sbin}/check-bios-nx profile check-bios-nx @{exec_path} { include include @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status index 313fa6c54..07baedfae 100644 --- a/apparmor.d/profiles-a-f/check-support-status +++ b/apparmor.d/profiles-a-f/check-support-status @@ -70,7 +70,6 @@ profile check-support-status @{exec_path} { include @{bin}/debconf-escape r, - @{bin}/perl r, owner @{tmp}/debian-security-support.postinst.*/output r, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 5eb0eda0f..8101b3008 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -24,10 +24,10 @@ profile check-support-status-hook @{exec_path} { @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/check-support-status rPx, @{bin}/debconf-escape rCx -> debconf-escape, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -53,7 +53,6 @@ profile check-support-status-hook @{exec_path} { include @{bin}/debconf-escape r, - @{bin}/perl r, /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output r, @@ -68,7 +67,6 @@ profile check-support-status-hook @{exec_path} { include /usr/share/debconf/frontend r, - @{bin}/perl r, /usr/share/debian-security-support/ r, /usr/share/debian-security-support/check-support-status.hook rPx, 
@@ -86,7 +84,7 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, @@ -113,7 +111,7 @@ profile check-support-status-hook @{exec_path} { # To write records to the kernel auditing log. capability audit_write, - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese new file mode 100644 index 000000000..b308439c3 --- /dev/null +++ b/apparmor.d/profiles-a-f/cheese @@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cheese +profile cheese @{exec_path} { + include + include + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{bin}/bwrap Px -> gnome-desktop-thumbnailers, + @{open_path} rPx -> child-open-help, + + @{system_share_dirs}/gnome-video-effects/{,*.effect} r, + @{system_share_dirs}/ladspa/rdf/{,**} r, + @{system_share_dirs}/thumbnailers/{,*.thumbnailer} r, + + /etc/machine-id r, + + owner @{HOME}/ r, # file save dialog + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, + + owner @{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/media@{int} rw, + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 155d82f07..e4a986c8a 100644 
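Review bot: `network netlink raw,` in the new cheese profile carries no comment, while the udev rule later in the same file does explain itself (`# For dynamic assignment range 234 to 254, 384 to 511`). Netlink raw sockets are a broad grant for a webcam application; if they are needed for device hotplug enumeration, a why-comment such as `network netlink raw, # udev device enumeration (confirm)` keeps the justification next to the rule. Likewise `/dev/media@{int} rw,` and `/dev/video@{int} rw,` are unqualified by `owner`, as expected for device nodes, but a note that both are required for V4L2 capture would help the next maintainer.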
--- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/chronyd +@{exec_path} = @{sbin}/chronyd profile chronyd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 7c5486c50..263bb5794 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -24,14 +24,14 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{bin}/exim4 rPUx, + @{sbin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus index c3916890f..750fe9345 100644 --- a/apparmor.d/profiles-a-f/cmus +++ b/apparmor.d/profiles-a-f/cmus @@ -18,6 +18,9 @@ profile cmus @{exec_path} { /etc/machine-id r, + / r, + owner @{HOME}/ r, # For pwd + owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/ r, diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 5a31889b9..674432b2e 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh profile code-extension-git-askpass @{exec_path} { include @@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} { /usr/share/terminfo/** r, - owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 3c059abcf..9e4372e1d 100644 --- a/apparmor.d/profiles-a-f/conky 
+++ b/apparmor.d/profiles-a-f/conky @@ -104,7 +104,7 @@ profile conky @{exec_path} { deny ptrace (trace, read), # Display the hard disk model name - @{sys}/devices/@{pci}/{usb,ata}[0-9]/**/model r, + @{sys}/devices/@{pci}/{usb,ata}@{int}/**/model r, @{sys}/block/{s,v}d[a-z]/device/model r, # Display the disk write/read speed @{PROC}/diskstats r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index d3aaddf7f..7a11e407f 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -12,9 +12,11 @@ profile console-setup @{exec_path} { @{exec_path} mr, + @{sh_path} r, @{bin}/uname rPx, @{bin}/mkdir rix, + @{run}/console-setup/ rw, @{run}/console-setup/boot_completed w, include if exists diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached new file mode 100644 index 000000000..332f05341 --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-cached @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh +profile console-setup-cached @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/ls ix, + @{bin}/mkdir ix, + @{bin}/setfont ix, + + /usr/share/consolefonts/{,**} r, + + @{run}/console-setup/ w, + @{run}/console-setup/font-loaded w, + + /dev/ r, + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard new file mode 100644 index 000000000..1f4045e2e --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-keyboard 
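Review bot: The exec rules in the new console-setup-cached profile mix two styles: `@{sh_path} rix,` and `@{bin}/gzip rix,` carry read permission while `@{bin}/ls ix,`, `@{bin}/mkdir ix,` and `@{bin}/setfont ix,` do not. Pick one form for the block; the sibling console-setup-keyboard profile added in the next file section uses `rix` throughout, so `@{bin}/ls rix,` / `@{bin}/mkdir rix,` / `@{bin}/setfont rix,` keeps the two new profiles consistent. `capability sys_tty_config,` is also uncommented in both new profiles; a short note that it is for `setfont` / `kbd_mode` would document the privilege.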
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh +profile console-setup-keyboard @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/kbd_mode rix, + @{bin}/loadkeys rix, + + /etc/console-setup/{,**} r, + + /dev/tty@{int} rw, + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 8c38f85a3..52e80cc54 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall @@ -20,7 +20,7 @@ profile convertall @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, /usr/share/convertall/{,**} r, /usr/share/doc/convertall/{,*} r, diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index cc183f527..4db396fa0 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cracklib-packer +@{exec_path} = @{sbin}/cracklib-packer profile cracklib-packer @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index 50d34bad4..d3b6cba6f 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/crda +@{exec_path} = @{sbin}/crda profile crda @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient index c16629d6d..0928f0da4 100644 --- a/apparmor.d/profiles-a-f/ddclient +++ b/apparmor.d/profiles-a-f/ddclient @@ -15,7 +15,6 @@ profile ddclient @{exec_path} { include @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/logger rix, 
diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index c752dcbb8..d8cb23a5c 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -21,14 +21,15 @@ profile ddcutil @{exec_path} { @{bin}/find rix, @{bin}/sed rix, @{bin}/xargs rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, / r, owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1f2e86579..3f749a24b 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/del{user,group} +@{exec_path} = @{sbin}/deluser profile deluser @{exec_path} { include include @@ -18,20 +18,20 @@ profile deluser @{exec_path} { capability dac_override, @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/crontab rPx, @{bin}/gpasswd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, - @{bin}/userdel rPx, + @{sbin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, owner /etc/shadow r, + #aa:lint ignore=too-wide # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # that's going to be deleted. Basically it scans all the files in the system in each dir and look # for matches. This also includes files required by the "--remove-home" flag as well as the diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index b650498cf..3967512b8 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script 
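Review bot: The deluser attachment changes from `@{bin}/del{user,group}` to `@{sbin}/deluser`, so `delgroup` is no longer named in the profile header. On Debian-derived systems `delgroup` is normally a symlink to `deluser`, in which case the resolved path still matches the new attachment, but if it is a separate file on any targeted distribution, running `delgroup` leaves a privileged account-management tool unconfined. Confirm the layout or restore `@{sbin}/del{user,group}`; a comment like `# delgroup is a symlink to deluser, covered by this attachment` would record the reasoning either way.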
@@ -10,13 +10,19 @@ include @{exec_path} = @{bin}/dhclient-script profile dhclient-script @{exec_path} { include - include + include include capability net_admin, capability sys_admin, audit capability sys_module, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, @{sh_path} mrix, @@ -36,11 +42,11 @@ profile dhclient-script @{exec_path} { @{bin}/ping rPx, @{bin}/printenv rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rix, @{bin}/tr rix, @{bin}/xxd rix, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 53038a6d7..ddcd99add 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -31,7 +31,7 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index ecf1d1c64..8d5ff99b6 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/dkms +@{exec_path} = @{sbin}/dkms profile dkms @{exec_path} flags=(attach_disconnected) { include include 
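Review bot: The five added `network` rules give dhclient-script itself inet/inet6 stream and dgram sockets plus netlink raw, yet the tools that plausibly need the network (`@{bin}/ping rPx`, `@{sbin}/resolvconf rPx`) transition to their own profiles. A hook script that already holds `capability net_admin` and `sys_admin` does not obviously need TCP sockets, so document which `ix` helper or shell step triggers them, e.g. `# network: needed by <helper> (confirm)`, or narrow the set to the families actually observed in denials. The include swapped on the first changed line is not readable in this rendering, so I cannot tell whether it overlaps with these grants.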
@@ -28,29 +28,39 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{bin}/as rix, @{bin}/bc rix, + @{bin}/clang-@{version} rix, + @{bin}/g++ rix, @{bin}/gcc rix, @{bin}/getconf rix, + @{bin}/hostname rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ld.lld rix, + @{bin}/llvm-objcopy rix, + @{bin}/lsb_release rPx, @{bin}/make rix, @{bin}/objcopy rix, @{bin}/pahole rix, @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{bin}/update-secureboot-policy rPUx, + @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/update-secureboot-policy rPUx, @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, + @{lib}/modules/*/build/arch/x86/** rix, + @{lib}/modules/*/build/include/** rix, @{lib}/modules/*/build/scripts/** rix, @{lib}/modules/*/build/tools/** rix, + @{lib}/os-release rix, /var/lib/dkms/**/build/* rix, + /var/lib/dkms/vboxhost/*/build/** rw, /var/lib/dkms/**/configure rix, /var/lib/dkms/**/dkms.postbuild rix, @@ -97,6 +107,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, + /dev/pts/@{int} rw, + profile kmod { include include @@ -104,7 +116,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko* r, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/tmp.@{rand10} r, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index ffce30921..2d799987f 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -15,7 +15,7 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/echo rix, @{bin}/plymouth rix, @{bin}/readlink rix, 
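Review bot: `@{lib}/os-release rix,` grants execute-inherit on a plain data file; `os-release` is only ever read, so this should be `@{lib}/os-release r,`. The same question applies to `@{lib}/modules/*/build/include/** rix,`: kernel headers are read by the compiler, not executed, and `rix` over the whole header tree is wider than the `arch/x86/**`, `scripts/**` and `tools/**` rules that do hold scripts and binaries, so `r` is likely enough unless a denial showed an executable under `include/`. Also `/var/lib/dkms/vboxhost/*/build/** rw,` is module-specific in a profile whose other `/var/lib/dkms/**` rules are generic; a comment on why vboxhost needs write access where other modules do not would help.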
diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index 9f78af639..f7d1e915e 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -55,7 +55,7 @@ profile dlocate @{exec_path} { @{bin}/md5sum mr, # For the md5 check - /boot/** r, + @{efi}/** r, /usr/** r, include if exists diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 0484cf99d..984545508 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dmeventd +@{exec_path} = @{sbin}/dmeventd profile dmeventd @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index aba455535..680d25992 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dmidecode +@{exec_path} = @{sbin}/dmidecode profile dmidecode @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index d532bb8cf..eb9d1dc19 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -6,9 +6,10 @@ abi , include -@{exec_path} = @{bin}/dmsetup +@{exec_path} = @{sbin}/dmsetup profile dmsetup @{exec_path} { include + include include capability sys_admin, diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install new file mode 100644 index 000000000..6deb06eb6 --- /dev/null +++ b/apparmor.d/profiles-a-f/dracut-install 
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dracut/dracut-install +profile dracut-install @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/modprobe.d/{,**} r, + + @{sys}/devices/platform/{,**/} r, + @{sys}/devices/platform/**/modalias r, + @{sys}/module/compression r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 065fe92c5..15f86bcf5 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -32,14 +32,14 @@ profile dropbox @{exec_path} { @{bin}/readlink rix, @{bin}/dirname rix, @{bin}/uname rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/python3.@{int} rix, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}objdump rix, @{open_path} rPx -> child-open-strict, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, owner @{HOME}/ r, owner @{config_dirs}/ rw, @@ -61,7 +61,8 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index 634aebd02..a1050aa94 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -10,16 +10,14 @@ include @{exec_path} = @{bin}/dumpcap profile dumpcap @{exec_path} { include + include + include include - include - include # To capture packekts capability net_raw, capability net_admin, - signal (receive) peer=wireshark, - network inet dgram, network inet6 dgram, network netlink raw, 
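Review bot: The new dracut-install profile is enforced (no `flags=(complain)`) with only a few read rules on `/etc/modprobe.d`, `@{sys}/devices/platform` and `@{PROC}/cmdline`, while the tool's name suggests it copies binaries, libraries and modules into an initramfs staging tree, which would need far broader read and write access. If the rule set was collected from a single dracut invocation, consider starting it in complain mode like the e2scrub profile added later in this commit, or add a comment stating which invocation it was validated against. A header comment naming the use case the small rule set is meant to model would tell readers whether the narrowness is intentional.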
@@ -27,6 +25,8 @@ profile dumpcap @{exec_path} { network packet raw, network bluetooth raw, + signal (receive) peer=wireshark, + dbus (eavesdrop) bus=session, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index eb3d4d61a..a4184a358 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus +@{exec_path} = @{sbin}/dumpe2fs @{sbin}/e2mmpstatus profile dumpe2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index be5d26b9f..c120a3590 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 +@{exec_path} = @{sbin}/e2fsck @{sbin}/fsck.ext2 @{sbin}/fsck.ext3 @{sbin}/fsck.ext4 profile e2fsck @{exec_path} { include include @@ -21,7 +21,7 @@ profile e2fsck @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index b099f1ccf..c7238f262 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2image +@{exec_path} = @{sbin}/e2image profile e2image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub new file mode 100644 index 000000000..2e7e88487 --- /dev/null +++ b/apparmor.d/profiles-a-f/e2scrub @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/e2scrub +profile e2scrub @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor 
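Review bot: The new e2scrub profile contains a single `@{exec_path} mr,` rule under `flags=(complain)` and nothing else, so it is effectively a stub that logs rather than enforces. If `@{sbin}/e2scrub` is the shell script shipped by e2fsprogs, it will at least need `@{sh_path}` and the filesystem tools it calls, and complain mode will hide that until someone reads the logs. A comment marking it as a stub, e.g. `# Stub profile: kept in complain mode to collect the rules e2scrub needs`, keeps the intent explicit so it is not mistaken for finished policy.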
diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 25fab12c7..e5d13f1de 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -6,19 +6,20 @@ abi , include -@{exec_path} = @{bin}/e2scrub_all +@{exec_path} = @{sbin}/e2scrub_all profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include include + capability setuid, capability sys_admin, capability sys_rawio, @{exec_path} mr, - @{sh_path} r, - @{bin}/readlink rix, + @{sh_path} mr, + @{bin}/readlink ix, /etc/e2scrub.conf r, diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 023d13b47..5c4108094 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -48,6 +48,7 @@ profile etckeeper @{exec_path} { /etc/etckeeper/*.d/* rix, /etc/etckeeper/daily rix, + #aa:lint ignore=too-wide /etc/ rw, /etc/** rwkl -> /etc/**, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 5ae754138..e07c91f3d 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -30,7 +30,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, @@ -44,13 +44,14 @@ profile evince @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, - owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/evince/{,*} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.pdf r, owner @{tmp}/evince-@{int}/{,**} rw, - owner @{tmp}/gtkprint* rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, 
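Review bot: `capability setuid,` is added to e2scrub_all without a comment, on top of the existing `sys_admin` and `sys_rawio`. Changing user identity is a notable privilege for a filesystem-scrub scheduler; a why-comment naming the operation that needs it would justify the grant, and if it was added from a single denial it is worth checking that the denial did not come from a child that should transition to its own profile instead. The `@{sh_path} r` → `mr` and `@{bin}/readlink rix` → `ix` changes in the same hunk are fine on their own but leave the file mixing `rix` and `ix` exec styles.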
diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 41d2324f6..817ba6215 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -13,7 +13,7 @@ profile execute-dcut @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, include if exists } diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 0decde05c..7161c5900 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -15,7 +15,7 @@ profile execute-dput @{exec_path} flags=(complain) { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 98364f0f1..3af283014 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -7,8 +7,8 @@ abi , include -@{exec_path} = @{bin}/exim4 -profile exim4 @{exec_path} { +@{exec_path} = @{sbin}/exim4 +profile exim4 @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index 3e1f92742..e03e35403 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -13,7 +13,6 @@ profile exo-compose-mail @{exec_path} { include @{exec_path} r, - @{bin}/perl r, # Mail clients @{bin}/thunderbird rPx, diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index 4d743fbb7..a2cfe43c5 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -21,7 +21,7 @@ profile f3fix @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 7fae1218c..d432bee94 100644 
--- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -15,7 +15,7 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index e858c2d8e..629208bc6 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -20,11 +20,11 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/iptables rix, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index c7ac0d399..c8bdedaa3 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatlabel +@{exec_path} = @{sbin}/fatlabel profile fatlabel @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index e299a109b..6f4c86647 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatresize +@{exec_path} = @{sbin}/fatresize profile fatresize @{exec_path} { include include @@ -21,7 +21,7 @@ profile fatresize @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index e6a7aeebf..bab152574 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fdisk +@{exec_path} = @{sbin}/fdisk profile fdisk @{exec_path} { include include 
diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 6e47ec8cb..8633444d8 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -28,6 +28,7 @@ profile ffmpeg @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/.Xauthority r, + owner @{HOME}/.spotdl/** rw, # For spotdl owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, @@ -36,7 +37,7 @@ profile ffmpeg @{exec_path} { owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, + @{sys}/devices/system/node/node@{int}/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 6d3e1972d..4152ed49a 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -11,10 +11,9 @@ include profile ffplay @{exec_path} { include include - include + include include include - include network inet stream, network inet6 stream, @@ -30,7 +29,7 @@ profile ffplay @{exec_path} { owner @{user_videos_dirs}/** rw, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, + @{sys}/devices/system/node/node@{int}/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 0c5a18e83..e7bfafaac 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -10,6 +10,7 @@ include profile file-roller @{exec_path} { include include + include include include include @@ -25,19 +26,7 @@ profile file-roller @{exec_path} { @{bin}/rm rix, # Archivers - @{bin}/7z rix, - @{bin}/7zz rix, - @{bin}/ar rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/tar rix, - @{bin}/unrar-nonfree rix, - @{bin}/unzip rix, - @{bin}/xz rix, - @{bin}/zip rix, - @{bin}/zstd rix, - @{lib}/p7zip/7z rix, + @{archive_path} rix, # Full access to user's data @{MOUNTS}/** rw, 
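Review bot: In file-roller, `@{archive_path} rix,` replaces thirteen explicit archiver rules, including the non-`@{bin}` entry `@{lib}/p7zip/7z rix`. Whether that path is still covered depends on the variable's definition, which is not in this chunk; if `@{archive_path}` only enumerates `@{bin}` binaries, p7zip stops working under the profile. Confirm the definition covers `@{lib}/p7zip/7z`, and since the archivers run with `ix` (inheriting file-roller's `@{MOUNTS}/** rw`), the variable should not pick up anything beyond the previous list.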
diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index be734ed50..366c2aed6 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -29,6 +29,7 @@ profile filezilla @{exec_path} { network netlink raw, signal send set=(term, kill) peer=fzsftp, + signal send set=(term, kill) peer=fzputtygen, @{exec_path} mr, @@ -36,7 +37,8 @@ profile filezilla @{exec_path} { @{bin}/uname rix, @{bin}/fzsftp rPx, # When using SFTP protocol - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/fzputtygen rPUx, + @{bin}/lsb_release rPx, /usr/share/filezilla/{,**} r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd new file mode 100644 index 000000000..b22730a27 --- /dev/null +++ b/apparmor.d/profiles-a-f/finalrd 
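Review bot: `@{bin}/fzputtygen rPUx,` falls back to unconfined execution when no `fzputtygen` profile is loaded, whereas its sibling `@{bin}/fzsftp rPx` requires one. fzputtygen handles the user's private SSH keys, so it should stay confined: either `rPx` with a dedicated profile, or `rix` if its file needs are a subset of filezilla's. The `signal send set=(term, kill) peer=fzputtygen` rule added above already assumes a peer labelled `fzputtygen`, which only exists when a dedicated profile is in place, so `rPx` is the consistent choice.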
@@ -0,0 +1,81 @@
+
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/finalrd
+profile finalrd @{exec_path} {
+ include
+
+ capability dac_read_search,
+ capability sys_admin,
+ capability sys_chroot,
+
+ remount options=(rw nodev nosuid relatime remount) @{run}/,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/cp ix,
+ @{bin}/dirname ix,
+ @{bin}/env ix,
+ @{bin}/find ix,
+ @{bin}/{,e}grep ix,
+ @{bin}/ln ix,
+ @{bin}/mkdir ix,
+ @{bin}/mount ix,
+ @{bin}/readlink ix,
+ @{bin}/realpath ix,
+ @{bin}/rm ix,
+ @{bin}/run-parts ix,
+ @{bin}/sed ix,
+ @{bin}/touch ix,
+ @{sbin}/ldconfig{,.real} ix,
+
+ @{bin}/ldd Cx -> ldd,
+ @{bin}/systemd-tmpfiles Px,
+ @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd,
+ @{lib}/systemd/systemd-shutdown Px,
+ /usr/share/finalrd/*.finalrd ix,
+
+ @{bin}/{,*} r,
+ @{lib}/{,*} r,
+ @{sbin}/{,*} r,
+
+ /usr/share/finalrd/{,**} r,
+ /usr/share/initramfs-tools/hook-functions r,
+
+ /etc/fstab r,
+ /etc/iscsi/initiatorname.iscsi r,
+ /etc/iscsi/iscsid.conf r,
+
+ / r,
+
+ @{run}/ r,
+ @{run}/finalrd-libs.conf rw,
+ @{run}/initramfs/{,**} rw,
+ @{run}/mount/ r,
+ @{run}/mount/utab r,
+
+ @{PROC}/@{pid}/mountinfo r,
+
+ profile ldd {
+ include
+ include
+ include
+
+ @{bin}/* mr,
+ @{sbin}/* mr,
+ @{lib}/@{multiarch}/ld-linux-*so* mrix,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg
index a3aba8af1..d8086715a 100644
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
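Review bot: The new finalrd profile grants `capability sys_admin`, `capability sys_chroot` and `remount options=(rw nodev nosuid relatime remount) @{run}/` with no comment on why, and it is enforced from the start, unlike the complain-flagged profiles elsewhere in this change (execute-dcut, execute-dput). The `@{run}/initramfs/{,**} rw` and `/usr/share/finalrd/*.finalrd ix` rules suggest it assembles a shutdown ramdisk and runs hook scripts that inherit these capabilities — worth stating above the capability block, e.g. `# Assembles the shutdown ramdisk under @{run}/initramfs/; *.finalrd hooks run ix with these capabilities`. The `profile ldd` child maps `@{bin}/* mr` and `@{sbin}/* mr`; a short comment that this serves ldd's loader tracing of the copied binaries would make the breadth read as intentional.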
@@ -19,11 +19,13 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, + + @{etc_ro}/login.defs r, - /etc/login.defs r, /etc/firejail/firejail.users r, /etc/firejail/firecfg.config r, + /etc/firejail/firecfg.d/{,*} r, /usr/local/bin/ r, /usr/local/bin/* rw, @@ -32,10 +34,14 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { /usr/share/applications/ r, /usr/share/applications/*.desktop r, @{user_share_dirs}/applications/ r, - @{user_share_dirs}/applications/*.desktop rw, - /dev/tty rw, + @{user_config_dirs}/firejail/{,*} r, + + /dev/tty rw, + /dev/tty@{int} rw, + owner /dev/pts/@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index f6380d125..a07976ce9 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -51,7 +51,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 182d9013d..1d00dce88 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -32,8 +32,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, - @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, include if exists } diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 6dfb84452..40001da68 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal 
@@ -34,6 +34,9 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + + owner @{run}/user/@{uid}/fractal/{,**} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, @@ -50,6 +53,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap mr, @{lib}/glycin-loaders/*/glycin-* rix, + owner @{run}/user/@{uid}/fractal/.tmp@{rand6} r, + owner @{PROC}/@{pid}/fd/ r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 295cbe760..8250cf8aa 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -22,6 +22,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -38,6 +39,9 @@ profile freetube @{exec_path} flags=(attach_disconnected) { #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> freetube//&xdg-settings, + deny @{sys}/devices/@{pci}/usb@{int}/** r, + deny /dev/ r, + include if exists } diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index 18b990bbc..c57323c6a 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -10,16 +10,13 @@ include @{exec_path} = @{bin}/fritzing{,.real} profile fritzing @{exec_path} { include - include - include - include - include - include - include - include + include include - include + include + include + include include + include network inet dgram, network inet6 dgram, 
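Review bot: The two new `deny` rules in freetube (`deny @{sys}/devices/@{pci}/usb@{int}/** r,` and `deny /dev/ r,`) have no comment, while comparable noise-suppression rules elsewhere in this chunk sit under a `# Silencer` heading (gajim, gitstatusd). Add the same heading here so a reader knows these are silencers rather than a hardening decision that other rules depend on.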
@@ -30,26 +27,25 @@ profile fritzing @{exec_path} { @{exec_path} mrix, + /usr/share/fritzing/{,**} r, + /usr/share/hwdata/pnp.ids r, + + /etc/debian_version r, + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, - /usr/share/fritzing/{,**} r, + owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - /usr/share/hwdata/pnp.ids r, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /etc/debian_version r, + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* @{sys}/bus/ r, @{sys}/class/ r, @@ -57,15 +53,13 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/ttyS@{int} rw, /dev/ttyACM@{int} rw, - owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - include if exists } diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend deleted file mode 100644 index ac8a6a5a8..000000000 --- a/apparmor.d/profiles-a-f/frontend +++ /dev/null 
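Review bot: `owner @{run}/lock/LCK..ttyACM[0-9]* rwk,` is moved but keeps the `[0-9]*` glob, while this same change converts `node[0-9]` to `node@{int}` in ffmpeg and ffplay and the device rule a few lines below already reads `/dev/ttyACM@{int} rw`. For consistency it should read `owner @{run}/lock/LCK..ttyACM@{int} rwk,`. The `# for /dev/tty[0-9]*` trailing comments are prose and can stay as written.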
@@ -1,130 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/debconf/frontend -profile frontend @{exec_path} flags=(complain) { - include - include - include - include - include - include - include - include - - capability dac_read_search, - - @{exec_path} r, - @{bin}/perl r, - - @{sh_path} rix, - @{bin}/hostname rix, - @{bin}/locale rix, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/stty rix, - @{bin}/update-secureboot-policy rPx, - - # debconf apps - @{bin}/adequate rPx, - @{bin}/aspell-autobuildhash rPx, - @{bin}/debconf-apt-progress rPx, - @{bin}/linux-check-removal rPx, - @{bin}/pam-auth-update rPx, - @{bin}/ucf rPx, - @{bin}/whiptail rPx, - @{lib}/tasksel/tasksel-debconf rPx -> tasksel, - /usr/share/debian-security-support/check-support-status.hook rPx, - - # Grub - @{lib}/grub/grub-multi-install rPx, - /usr/share/grub/grub-check-signatures rPx, - - # Run the package maintainer's scripts - # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) - #/var/lib/dpkg/info/*.{config,templates} rPUx, - #/var/lib/dpkg/info/*.{preinst,postinst} rPUx, - #/var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/info/*.control r, - #/var/lib/dpkg/tmp.ci/{config,templates} rPUx, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/control r, - /var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, - - # DKMS scipts - # What to do with it? 
(#FIXME#) - @{lib}/dkms/common.postinst rPUx, - @{lib}/dkms/dkms-* rPUx, - @{lib}/dkms/dkms_* rPUx, - - /usr/share/debconf/{,**} r, - - /etc/debconf.conf r, - /etc/inputrc r, - /etc/shadow r, - - owner @{tmp}/file* w, - owner /var/cache/debconf/* rwk, - - @{HOME}/.Xauthority r, - - @{run}/user/@{uid}/pk-debconf-socket rw, - - owner @{PROC}/@{pid}/mounts r, - - profile scripts flags=(complain) { - include - include - - capability dac_read_search, - - /var/lib/dpkg/info/*.config r, - /var/lib/dpkg/info/*.{preinst,postinst} r, - /var/lib/dpkg/info/*.{prerm,postrm} r, - /var/lib/dpkg/tmp.ci/config r, - /var/lib/dpkg/tmp.ci/{preinst,postinst} r, - /var/lib/dpkg/tmp.ci/{prerm,postrm} r, - - / r, - - @{bin}/ r, - @{bin}/* rPUx, - - @{lib}/ r, - @{lib}/** rPUx, - - /usr/share/ r, - /usr/share/** rPUx, - - /etc/init.d/ r, - /etc/init.d/* rPUx, - - /etc/ r, - /etc/** rw, - /var/ r, - /var/** rw, - @{sys}/ r, - @{sys}/**/ r, - @{run}/ r, - @{run}/** rw, - /tmp/ r, - owner @{tmp}/** rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index da61184a3..91b279d20 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs 
@@ -10,14 +10,21 @@ include profile fuse-overlayfs @{exec_path} { include - capability sys_admin, + capability chown, capability dac_override, capability dac_read_search, - capability chown, + capability fowner, + capability setfcap, + capability setuid, + capability sys_admin, + + mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, + mount fstype=fuse.overlayfs options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/, @{exec_path} mr, - mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, + @{bin}/mount rix, + @{bin}/umount rix, owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl, diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index ed2bcc936..75d19a0d5 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -36,27 +36,17 @@ profile fuseiso @{exec_path} { profile fusermount { include - include - - # To mount anything: - capability sys_admin, - - capability dac_read_search, + include mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/, mount fstype={fuse,fuse.fuseiso} -> @{user_cache_dirs}/**/, - @{bin}/fusermount{,3} mr, + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{user_cache_dirs}/**/, - /etc/fuse.conf r, - - # Image files to be mounted - owner @{user_img_dirs}/{,**} r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, + owner @{user_img_dirs}/{,**} r, # Image files to be mounted include if exists } diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 2bad1d773..3df041e64 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount 
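Review bot: `capability fowner,`, `capability setfcap,` and `capability setuid,` are added to fuse-overlayfs without any comment, and setfcap/setuid are the ones that let a process change its uid or stamp file capabilities, so a reviewer needs to know which rootless-container operation requires them. Add a why-comment on each, e.g. `# setfcap/setuid: <OPERATION> — confirm from audit log`. Also `@{bin}/mount rix` and `@{bin}/umount rix` now run under this profile, but only `mount` rules are visible here; if no `umount` rule exists further down (the profile continues outside the hunk), `umount` calls will be denied.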
@@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/fusermount{,3} profile fusermount @{exec_path} { include - include - - capability dac_read_search, - capability sys_admin, + include # Be able to mount ISO images mount fstype={fuse,fuse.*} -> @{HOME}/*/, @@ -36,7 +33,6 @@ profile fusermount @{exec_path} { @{exec_path} mr, - /etc/fuse.conf r, /etc/machine-id r, /var/tmp/flatpak-cache-*/*/ r, @@ -51,10 +47,6 @@ profile fusermount @{exec_path} { @{run}/user/@{uid}/doc/ r, - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index aa95a00d5..7a00455a6 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -14,10 +14,8 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include - include - include include - include + include include include @@ -38,16 +36,14 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ + #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - dbus send bus=system path=/org/freedesktop/UDisks2/Manager - interface=org.freedesktop.UDisks2.Manager - member=GetBlockDevices - peer=(name=:*, label=udisksd), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=bluetoothd), @{exec_path} mr, 
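Review bot: In fwupd, the explicit `dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded peer=(name=@{busname}, label=bluetoothd)` sits next to a new `#aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd` directive; whether the directive already covers the root-path ObjectManager signal depends on what the generator expands `talk` to, which is not visible here. A one-line comment on the receive rule, e.g. `# ObjectManager signals arrive at / — not covered by the talk directive`, would keep the next maintainer from deleting it as redundant. The removed `dbus send ... GetConnectionUnixUser,GetConnectionUnixProcessID` rule to the bus daemon is presumably now provided by an included abstraction — confirm, since nothing in the hunk replaces it.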
@@ -59,7 +55,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, + /usr/share/libdrm/*.ids r, /usr/share/mime/mime.cache r, + /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, /etc/lsb-release r, @@ -69,36 +67,41 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /boot/{,**} r, - /boot/EFI/*/.goutputstream-@{rand6} rw, - /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, - /boot/EFI/*/fwupdx@{int}.efi rw, + @{efi}/{,**} r, + @{efi}/EFI/*/.goutputstream-@{rand6} rw, + @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw, + @{efi}/EFI/*/fwupdx@{int}.efi rw, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + @{MOUNTDIRS}/*/{,@{efi}/} r, + @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, + /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{hex16} rw, + /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/** rwk, - # In order to get to this file, the attach_disconnected flag has to be set + @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @{sys}/**/ r, @{sys}/devices/** r, + @{sys}/**/uevent r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/efi/** r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, - @{sys}/**/uevent r, @{sys}/power/mem_sleep r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, 
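Review bot: `@{sys}/firmware/efi/efivars/dbx-@{uuid} rw,` and `@{sys}/firmware/efi/efivars/KEK-@{uuid} rw,` grant writes to the Secure Boot forbidden-signature database and Key Exchange Key variables without a comment; these are the most sensitive variables the profile touches, so the feature that needs them (presumably fwupd's UEFI dbx and KEK update plugins) should be named, e.g. `# Secure Boot dbx/KEK updates`. Separately, `@{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r,` drops the `owner` qualifier that its non-`@{att}` twin on the next line keeps; if the difference is intentional it deserves a word, otherwise the two should match. The profile is still in complain mode, so neither blocks functionality yet.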
@@ -107,7 +110,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/udev/data/* r, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, @@ -129,7 +134,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, - /dev/sd[a-z]* r, /dev/tpm@{int} rw, /dev/tpmrm@{int} rw, /dev/wmi/* r, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index f599bbc1f..5df66e6bd 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -27,18 +27,23 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ @{exec_path} mr, @{bin}/dbus-launch Cx -> bus, @{bin}/pkttyagent Px, + /usr/share/terminfo/** r, + + /etc/inputrc r, /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, + owner /var/lib/fwupd/.cache/ w, + @{user_cache_dirs}/dconf/user rw, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 1de493892..561e1af61 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -33,7 +33,7 @@ profile gajim @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, # To play sounds 
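Review bot: In fwupdmgr, `owner /var/lib/fwupd/.cache/ w,` lets the client create a directory inside the daemon's state directory with no comment on when that happens; presumably it is the root-run case where the client's cache resolves under /var/lib/fwupd rather than `@{user_cache_dirs}`, but that is an inference. A comment such as `# cache dir when run as root — confirm` would explain the odd location and discourage widening it to `rw` or `**` later.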
@@ -73,7 +73,7 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/farstream/ rw, - owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, @@ -86,7 +86,7 @@ profile gajim @{exec_path} { # Silencer deny /usr/share/gajim/** w, - deny /usr/lib/python3/dist-packages/** w, + deny @{lib}/@{python_name}/dist-packages/** w, profile ccache { include diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded index 8f5067b77..eb2d3fc1e 100644 --- a/apparmor.d/profiles-g-l/gamemoded +++ b/apparmor.d/profiles-g-l/gamemoded @@ -57,8 +57,8 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { @{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/procsysctl ix, - /etc/security/limits.d/ r, - /etc/security/limits.d/@{int}-gamemode.conf r, + @{etc_ro}/security/limits.d/ r, + @{etc_ro}/security/limits.d/@{int}-gamemode.conf r, /etc/shells r, @{sys}/devices/@{pci}/power_dpm_force_performance_level rw, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index e9f4d4e30..727bf8cdf 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -22,7 +22,7 @@ profile ganyremote @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 1357b03b6..b49e20570 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gdisk +@{exec_path} = @{sbin}/gdisk profile gdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index b64c34a4b..04c9a33f2 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{exec_path} mr, - @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, - @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w, + @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw, + @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw, /usr/share/gvfs/remote-volume-monitors/{,**} r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer new file mode 100644 index 000000000..d3df6f5f3 --- /dev/null +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gdk-pixbuf-thumbnailer +profile gdk-pixbuf-thumbnailer @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index df6613042..3ccfdec4a 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ghc-pkg{,-*} +@{exec_path} = @{bin}/ghc-pkg{,-*} @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} profile ghc-pkg @{exec_path} { include include @@ -26,6 +26,8 @@ profile ghc-pkg @{exec_path} { @{sys}/devices/system/node/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } 
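Review bot: In gdk-pixbuf-query-loaders the two new multiarch rules end in `w` (the directory and `loaders.cache`), while the non-multiarch pair right below keeps `rw` plus a `loaders.cache.*` temp pattern. If the tool writes the cache through a temporary file and renames it — which the `loaders.cache.*` rule for the other path suggests — the multiarch location needs `@{lib}/@{multiarch}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw,` as well, otherwise the update is denied there. Aligning the two sets (`rw` or `w` consistently) would also make the intent clearer.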
diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index a9be29bec..67b625d62 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,8 +11,11 @@ profile gimp @{exec_path} { include include include + include include include + include + include include include @@ -23,21 +26,36 @@ profile gimp @{exec_path} { @{exec_path} mr, - @{lib}/gimp/*/plug-ins/** rix, + @{python_path} rix, + @{bin}/env rix, + @{bin}/gimp-debug-tool-3.0 rix, + @{bin}/gimp-script-fu-interpreter-* rix, + @{bin}/gjs-console rix, + @{bin}/lua rix, + @{lib}/gimp/@{version}/extensions/*/* rix, + @{lib}/gimp/*/plug-ins/** rix, @{bin}/xsane-gimp rPx, @{open_path} rPx -> child-open-help, + @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w, + /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, + /usr/share/poppler/{,**} r, /usr/share/xml/iso-codes/{,**} r, + /etc/fstab r, /etc/gimp/{,**} r, + owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, + owner @{user_documents_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_work_dirs}/{,**} rw, + owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw, owner @{user_cache_dirs}/babl/{,**} rw, owner @{user_cache_dirs}/gegl-*/{,**} r, owner @{user_cache_dirs}/gegl-*/{,**} r, @@ -52,6 +70,19 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, + @{run}/mount/utab r, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + include if exists } 
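Review bot: `owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw,` has a doubled slash; even if the parser normalises consecutive slashes the rule should read `owner @{user_cache_dirs}/thumbnails/normal/gimp-thumb* rw,`. The hunk also adds `@{python_path} rix`, `@{bin}/gjs-console rix` and `@{bin}/lua rix`, so plug-in interpreters now run with gimp's full profile (including `owner @{user_documents_dirs}/{,**} rw`); a `# Plug-in interpreters` comment above them would record that this is deliberate. `@{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w` writes into a system library directory — worth a comment on when that occurs (presumably a root or user-writable-prefix install).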
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 71bace3c3..425fe2f14 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -115,6 +115,8 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} r, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists @@ -132,17 +134,20 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, @{bin}/ssh mr, + @{bin}/ksshaskpass ix, + @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, - owner @{HOME}/@{XDG_SSH_DIR}/* r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index e5cbf1959..579536674 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -6,9 +6,14 @@ abi , include -@{exec_path} = /usr/share/zsh-theme-powerlevel[0-9]*k/gitstatus/usrbin/gitstatusd{,-*} +@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*} +@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include + include + + signal receive set=term peer=*//shell, + signal receive set=term peer=vscode, @{exec_path} mr, @@ -18,6 +23,8 @@ profile gitstatusd @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r, + # Silencer deny capability dac_read_search, deny capability dac_override, 
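Review bot: In git's `ssh` subprofile, `@{lib}/code/extensions/git/dist/ssh-askpass.sh Px,` is a hard transition: with `Px` and no loaded profile for that path the exec is denied, so a profile for it must exist in the tree (none appears in this chunk — confirm). `@{bin}/ksshaskpass ix,` runs a graphical askpass helper under ssh's subprofile, which is unlikely to carry GUI abstractions; if it fails in practice, a dedicated profile with `Px` is the safer fix rather than widening the ssh subprofile. The enclosing subprofile starts and ends outside the hunk.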
diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index fcabd84c3..59c56bb12 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/glib-compile-schemas +@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas profile glib-compile-schemas @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index 93e65f0a2..d74945777 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -7,42 +7,36 @@ abi , include -@{exec_path} = @{bin}/gparted -profile gparted @{exec_path} { +@{exec_path} = @{sbin}/gparted +profile gparted @{exec_path} flags=(attach_disconnected) { include + include - ptrace (read), + ptrace read, @{exec_path} r, - @{bin}/ r, + @{bin}/ r, + @{coreutils_path} rix, @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/cut rix, - @{bin}/id rix, - @{bin}/ls rix, - @{bin}/mkdir rix, - @{bin}/pidof rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/touch rix, - @{bin}/gpartedbin rPx, + @{sbin}/killall5 rCx -> killall, + @{bin}/systemctl rCx -> systemctl, + @{bin}/udevadm rCx -> udevadm, + + @{bin}/pidof rPx, + @{bin}/pkexec rPx, + @{bin}/ps rPx, + @{bin}/xhost rPx, + + @{sbin}/gpartedbin rPx, @{lib}/gparted/gpartedbin rPx, @{lib}/gpartedbin rPx, @{lib}/{,udisks2/}udisks2-inhibit rix, + @{run}/udev/rules.d/ rw, - @{run}/udev/rules.d/90-udisks-inhibit.rules rw, - - @{bin}/udevadm rCx -> udevadm, - @{bin}/killall5 rCx -> killall, - - @{bin}/ps rPx, - @{bin}/xhost rPx, - @{bin}/pkexec rPx, - @{bin}/systemctl rCx -> systemctl, + @{run}/udev/rules.d/@{int}-*.rules rw, # For shell pwd / r, @@ -57,7 +51,6 @@ profile gparted @{exec_path} { # file_inherit owner /dev/tty@{int} rw, - profile udevadm { include include 
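Review bot: In gparted, `@{run}/udev/rules.d/@{int}-*.rules rw,` replaces `@{run}/udev/rules.d/90-udisks-inhibit.rules rw`, so the profile may now create or modify any numbered runtime udev rule file, and `@{run}/udev/rules.d/ rw` allows directory writes. Runtime udev rules execute as root, so this is a meaningful widening; unless other rule names are actually observed, keep the specific file (`@{run}/udev/rules.d/90-udisks-inhibit.rules rw,`) or add a comment naming the files `udisks2-inhibit` writes. The new `flags=(attach_disconnected)` on the profile header also lacks a note on which path needed it.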
@@ -78,13 +71,11 @@ profile gparted @{exec_path} { ptrace (read), - @{bin}/killall5 mr, + @{sbin}/killall5 mr, - # The /proc/ dir is needed to avoid the following error: - # /proc: Permission denied - @{PROC}/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, include if exists } @@ -93,6 +84,8 @@ profile gparted @{exec_path} { include include + capability net_admin, + include if exists } diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index e56bb5733..35dc03584 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -7,14 +7,16 @@ abi , include -@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin -profile gpartedbin @{exec_path} { +@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin +profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include include include include + include + capability dac_override, capability dac_read_search, capability ipc_lock, capability sys_admin, 
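Review bot: The hunk deletes the why-comment above `@{PROC}/ r,` in gparted's killall subprofile (`# The /proc/ dir is needed to avoid the following error: /proc: Permission denied`) while only re-indenting the rules it explained; keep it, since nothing else records why the directory read is needed. The later `capability net_admin,` is added to a subprofile whose header lies outside the hunk, without a comment; net_admin is broad for a helper, so note what needs it, e.g. `# net_admin: <REASON> — confirm from audit log`.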
@@ -28,43 +30,45 @@ profile gpartedbin @{exec_path} { @{sh_path} rix, - @{bin}/blkid rPx, - @{bin}/dmidecode rPx, - @{bin}/hdparm rPx, + @{sbin}/blkid rPx, + @{sbin}/dmidecode rPx, + @{sbin}/hdparm rPx, @{bin}/kmod rPx, @{bin}/mount rCx -> mount, @{bin}/udevadm rCx -> udevadm, @{bin}/umount rCx -> umount, - @{bin}/btrfs rPx, - @{bin}/btrfstune rPx, - @{bin}/dmraid rPUx, - @{bin}/dmsetup rPUx, - @{bin}/dumpe2fs rPx, - @{bin}/e2fsck rPx, - @{bin}/e2image rPx, - @{bin}/fsck.btrfs rPx, - @{bin}/fsck.fat rPx, - @{bin}/lvm rPUx, - @{bin}/mdadm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPx, - @{bin}/mkntfs rPx, - @{bin}/mkswap rPx, + @{sbin}/btrfs rPx, + @{sbin}/btrfstune rPx, + @{sbin}/dmraid rPUx, + @{sbin}/dmsetup rPUx, + @{sbin}/dumpe2fs rPx, + @{sbin}/e2fsck rPx, + @{sbin}/e2image rPx, + @{sbin}/fsck.* rPUx, + @{sbin}/lvm rPUx, + @{sbin}/mdadm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPUx, + @{sbin}/mkntfs rPx, + @{sbin}/mkswap rPx, @{bin}/mtools rPx, @{bin}/ntfsinfo rPx, - @{bin}/ntfslabel rPx, - @{bin}/ntfsresize rPx, - @{bin}/resize2fs rPx, - @{bin}/swaplabel rPx, - @{bin}/swapoff rPx, - @{bin}/swapon rPx, - @{bin}/tune2fs rPx, - @{bin}/xfs_io rPUx, + @{sbin}/ntfslabel rPx, + @{sbin}/ntfsresize rPx, + @{sbin}/resize2fs rPx, + @{sbin}/swaplabel rPx, + @{sbin}/swapoff rPx, + @{sbin}/swapon rPx, + @{bin}/tune.* rPUx, + @{sbin}/tune2fs rPx, + @{sbin}/xfs_io rPUx, @{open_path} rPx -> child-open, + /etc/fstab r, + @{HOME}/.Xauthority r, owner @{HOME}/*.htm w, @@ -88,7 +92,7 @@ profile gpartedbin @{exec_path} { mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*@{int} -> /boot/, + mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @@ -104,7 +108,7 @@ profile gpartedbin @{exec_path} { umount /tmp/gparted-*/, - umount /boot/, + umount @{efi}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, 
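Review bot: `@{sbin}/fsck.* rPUx` and `@{sbin}/mkfs.* rPUx` replace `@{bin}/mkfs.* rPx`, `@{bin}/fsck.btrfs rPx` and `@{bin}/fsck.fat rPx`, and `@{bin}/tune.* rPUx` is new, so any filesystem helper without its own profile now runs fully unconfined instead of being refused. These helpers run as root against a block device picked in the GUI, so a missing or misnamed profile silently drops confinement for that step rather than producing a visible denial. Keep `rPx` for the helpers that have profiles in this tree (`fsck.btrfs`, `fsck.fat`, `mke2fs`, `mkfs.*` were previously required to be confined) and reserve `PUx` for the tools known to lack one, e.g. `@{sbin}/mkfs.* rPx,` as before; if a PUx glob is kept on purpose, a comment saying which helpers it is for would make the downgrade reviewable. The profile continues past this hunk.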
diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 4088f51fb..cebfc955f 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -22,7 +22,7 @@ profile gpo @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @@ -36,7 +36,8 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index ec1adabe4..dd7a20eb7 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -24,7 +24,7 @@ profile gpodder @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @@ -47,7 +47,8 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index 11896a26c..55033d107 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres @@ -13,7 +13,7 @@ profile gpodder-migrate2tres @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 8cc49acdf..0ad848c50 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager 
@@ -16,15 +16,16 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/grep rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, - /usr/lib/modprobe.d/{,**} r, + @{lib}/modprobe.d/{,**} r, /var/lib/ubuntu-drivers-common/* rw, /var/log/gpu-manager.log w, + /var/log/gpu-manager-switch.log w, @{sys}/devices/@{pci}/boot_vga r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index e2a9ae515..bbdb3da62 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/gsettings profile gsettings @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 5d04e33fb..988c547f0 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -20,7 +20,7 @@ profile gsmartcontrol @{exec_path} { @{bin}/dbus-launch Cx -> bus, @{bin}/dbus-send Cx -> bus, - @{bin}/smartctl Px, + @{sbin}/smartctl Px, @{bin}/xterm Cx -> terminal, /etc/fstab r, @@ -67,7 +67,7 @@ profile gsmartcontrol @{exec_path} { capability setuid, @{bin}/xterm mr, - @{bin}/update-smart-drivedb rPx, + @{sbin}/update-smart-drivedb rPx, /usr/include/X11/bitmaps/vlines2 r, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 10c1f445b..4fdb1084b 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -15,7 +15,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index 46aece91a..e6d37db44 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules 
+++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 +@{exec_path} = @{bin}/gtk-query-immodules-* @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* profile gtk-query-immodules @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index b1a6779ae..b709511e2 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -12,6 +12,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include + capability fowner, + @{exec_path} mr, @{system_share_dirs}/icons/{,**/} r, diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 029e542ee..0b9075bc1 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -25,7 +25,6 @@ profile gtk-youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index f91887297..5d78a90e3 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -38,15 +38,15 @@ profile hardinfo @{exec_path} { @{bin}/locale rix, @{bin}/make rix, @{bin}/perl rix, - @{bin}/python3.@{int} rix, - @{bin}/route rix, - @{bin}/ruby[0-9].@{int} rix, + @{python_path} rix, + @{sbin}/route rix, + @{bin}/ruby@{int}.@{int} rix, @{bin}/strace rix, @{bin}/tr rix, @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, 
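Review bot: `capability fowner` is added to gtk-update-icon-cache without a comment on what needs it; fowner lets the process change mode bits and timestamps of files it does not own, which is broader than the icon-cache write this profile exists for. If it is there because the tool updates the mtime of `@{system_share_dirs}/icons/` entries owned by another user, say so above the line, `# fowner: utime() on icon directories owned by another user`, and check whether the written paths can carry an `owner` qualifier instead. The rest of the profile is outside this hunk.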
@@ -58,7 +58,7 @@ profile hardinfo @{exec_path} { @{bin}/netstat rPx, @{bin}/qtchooser rPx, - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, /usr/share/gdb/python/ r, /usr/share/gdb/python/** r, @@ -132,9 +132,8 @@ profile hardinfo @{exec_path} { include include - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, - - @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, /etc/java-[0-9]*-openjdk/** r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 910e9a2f0..527629202 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -9,7 +9,7 @@ abi , include -@{exec_path} = @{bin}/haveged +@{exec_path} = @{sbin}/haveged profile haveged @{exec_path} { include @@ -20,10 +20,9 @@ profile haveged @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/poolsize r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, - owner @{PROC}/@{pid}/status r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index e96a45237..55d2abb5d 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp 
@@ -10,32 +10,20 @@ include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include + include + include - # To remove the following errors: - # /dev/sda: Permission denied + capability sys_admin, capability sys_rawio, - # There's the following error in strace: - # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) - # This should be covered by CAP_SYS_RAWIO instead. - # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) - # It looks like hddtemp works just fine without it. - deny capability sys_admin, - network inet stream, network inet6 stream, @{exec_path} mr, - # Monitored hard drives - /dev/sd[a-z]* r, - # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, - # Needed when the hddtemp daemon is started in the TCP/IP mode - /etc/gai.conf r, - include if exists } diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index a4fa34973..53e520509 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/hdparm +@{exec_path} = @{sbin}/hdparm profile hdparm @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index cb9f8d2d9..ab0cf0cba 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -18,13 +18,15 @@ profile host @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, - @{sys}/kernel/mm/transparent_hugepage/enabled r, + @{PROC}/version_signature r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 326d156ef..7e87173cc 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname 
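Review bot: `capability sys_admin` is added to hddtemp while the lines removed in the same hunk document the opposite decision: the HDIO_DRIVE_CMD ioctl is covered by `capability sys_rawio`, and `deny capability sys_admin` was kept on purpose with the note that hddtemp works without it. Nothing in the hunk shows which new operation needs sys_admin, and because the profile also allows `network inet stream` / `network inet6 stream` for the daemon's TCP mode, handing the broadest capability to a network-facing root daemon deserves an explicit reason. Either restore `deny capability sys_admin,` with its original comment, or keep the grant and annotate it with the triggering denial, `# sys_admin: <operation from aa-log>`. The `/dev/sd[a-z]* r` rule is dropped as well; presumably one of the new includes now covers the disks, which is worth one comment since reading drives is the profile's whole purpose.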
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname} -profile hostname @{exec_path} { +profile hostname @{exec_path} flags=(attach_disconnected) { include include include @@ -16,11 +16,14 @@ profile hostname @{exec_path} { capability sys_admin, network inet dgram, + network inet6 dgram, # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw, @{exec_path} mr, + owner /dev/tty@{int} rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 6bb737ca0..ed62f48f1 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -37,10 +37,17 @@ profile hugo @{exec_path} { owner @{user_cache_dirs}/hugo_cache/{,**} rwkl, + owner @{user_config_dirs}/git/*config r, + owner @{user_config_dirs}/go/telemetry/mode r, + owner @{tmp}/hugo_cache/{,**} rwkl, owner @{tmp}/go-codehost-@{int} rw, - @{PROC}/sys/net/core/somaxconn r, + @{sys}/kernel/mm/hugepages/ r, + + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index f5c1ecdd6..739073201 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -11,7 +11,6 @@ include profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - include capability sys_admin, @@ -19,13 +18,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { network inet6 dgram, @{exec_path} rm, - @{bin}/perl r, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/dd rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/efivar rix, @{bin}/find rix, @{bin}/md5sum rix, 
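Review bot: `owner /dev/tty@{int} rw` is added to hostname without the `# file_inherit` marker this tree puts above the identical rule in gparted; hostname presumably never opens a terminal itself, so the rule exists for an inherited stdio descriptor and the marker stops the next reader from widening or "fixing" it. Add `# file_inherit` on the line above. The hunk also adds `network inet6 dgram` next to the existing `inet dgram`, so the `# network ip=127.0.0.1:53, TODO: abi 4.0` note now applies to both address families and should say so.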
@@ -35,35 +33,26 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/uname rix, + @{bin}/vulkaninfo rPUx, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{bin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{bin}/dkms rPx, @{bin}/dmesg rPx, - @{bin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{bin}/ethtool rCx -> netconfig, - @{bin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{bin}/hdparm rPx, - @{bin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{bin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{bin}/iw rCx -> netconfig, - @{bin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/kmod rCx -> kmod, + @{bin}/lsb_release rPx, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, @@ -71,10 +60,8 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{bin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -84,12 +71,23 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, + @{sbin}/biosdecode rPx, + @{sbin}/dkms rPx, + @{sbin}/dmidecode rPx, + @{sbin}/fdisk rPx, + @{sbin}/hdparm rPx, + @{bin}/boltctl rPUx, + @{sbin}/hwinfo rPx, + @{sbin}/rfkill rPx, + @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, + @{efi}/EFI/{,**} r, + owner @{HOME}/HW_PROBE/{,**} rw, - audit owner @{tmp}/*/ rw, + owner @{tmp}/@{rand10}/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, 
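Review bot: the `ethtool`, `ifconfig`, `iw` and `iwconfig` exec rules (formerly `rCx -> netconfig`) are deleted here and no `@{sbin}/` replacement appears in any visible hunk, whereas the other relocated tools (`dmidecode`, `fdisk`, `hdparm`, `rfkill`, `smartctl`) are re-added under `@{sbin}` in this same hunk; the same change moves `ifconfig`, `iw` and `iwconfig` to `@{sbin}` with standalone profiles, so hw-probe's network probes will likely hit exec denials unless those rules live in a hunk outside this view. If they are simply missing, add `@{sbin}/{ifconfig,iw,iwconfig} rPx,` next to the other `@{sbin}` entries and decide what `ethtool` should transition to. Separately, `@{bin}/vulkaninfo rPUx` and `@{bin}/boltctl rPUx` fall back to unconfined; a short comment on why `PUx` rather than `Px` would help reviewers. The profile continues outside this hunk.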
@@ -99,19 +97,34 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, - @{PROC}/modules r, @{PROC}/scsi/scsi r, /dev/{,**} r, + profile kmod { + include + include + + capability syslog, + + @{sys}/module/{,**} r, + + include if exists + } + + profile curl flags=(attach_disconnected) { + include + + @{bin}/curl mr, + + include if exists + } + profile pacman flags=(attach_disconnected) { include include @@ -159,9 +172,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{run}/log/ rw, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, owner @{PROC}/@{pid}/stat r, 
@@ -192,31 +208,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } - profile netconfig flags=(attach_disconnected) { - include - - # Not needed - deny capability net_admin, - deny capability net_raw, - - network inet dgram, - network inet6 dgram, - network ipx dgram, - network ax25 dgram, - network appletalk dgram, - network netlink raw, - - @{bin}/iw mr, - @{bin}/ifconfig mr, - @{bin}/iwconfig mr, - @{bin}/ethtool mr, - - owner @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/net/dev r, - - include if exists - } - profile systemctl flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index e7bf2937c..314975208 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/hwinfo +@{exec_path} = @{sbin}/hwinfo profile hwinfo @{exec_path} { include include @@ -27,9 +27,10 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, - @{bin}/acpidump rPUx, + @{sbin}/acpidump rPUx, + @{bin}/lsscsi rPx, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, /usr/share/hwinfo/{,**} r, @@ -39,7 +40,7 @@ profile hwinfo @{exec_path} { @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/{,**} r, @{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @@ -70,9 +71,12 @@ profile hwinfo @{exec_path} { include include + capability sys_module, + owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index be18726a0..ce1ad519b 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix 
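Review bot: `capability sys_module` in hwinfo's `kmod` subprofile grants init_module/delete_module, i.e. loading arbitrary kernel modules, while the `kmod` subprofile this same change adds to hw-probe gets only `capability syslog` plus read access under `@{sys}/module/`. If hwinfo only queries module state, the new `@{sys}/module/compression r` and the existing read rules should suffice and `capability sys_module` can be dropped; if hwinfo really does `modprobe` drivers while probing, say so in a comment above the capability so the grant is not removed later. The hwinfo profile continues outside this hunk.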
@@ -31,10 +31,10 @@ profile hypnotix @{exec_path} { network netlink raw, @{exec_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mkdir rix, @{bin}/xdg-screensaver rPx, diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index 5ce4da0bb..f101c56e6 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -13,8 +13,13 @@ profile i2cdetect @{exec_path} { @{exec_path} mr, + @{sys}/class/i2c-dev/ r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + owner @{PROC}/@{pid}/mounts r, + /dev/i2c-@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index 78c5081d6..b192856d2 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -52,8 +52,8 @@ profile i3lock-fancy @{exec_path} { @{bin}/import-im6.q16 mr, @{bin}/scrot mr, - /usr/share/ImageMagick-[0-9]/*.xml r, - /etc/ImageMagick-[0-9]/*.xml r, + /usr/share/ImageMagick-@{int}/*.xml r, + /etc/ImageMagick-@{int}/*.xml r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index 03c8650dd..d46374984 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -16,7 +16,7 @@ profile iceauth @{exec_path} { owner @{tmp}/.xfsm-ICE-@{rand6} r, owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, - owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n, + owner @{run}/user/@{uid}/ICEauthority rwl -> @{run}/user/@{uid}/ICEauthority-n, owner @{run}/user/@{uid}/ICEauthority-c w, owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c, owner @{run}/user/@{uid}/ICEauthority-n rw, diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 5bebad691..48181e130 100644 --- a/apparmor.d/profiles-g-l/ifconfig +++ b/apparmor.d/profiles-g-l/ifconfig 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ifconfig +@{exec_path} = @{sbin}/ifconfig profile ifconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index aac25b811..3c641f8e1 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -20,7 +20,7 @@ profile ifup @{exec_path} { @{sh_path} rix, @{bin}/ip rix, - @{bin}/route rix, + @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, @{bin}/wc rix, @@ -32,7 +32,7 @@ profile ifup @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{bin}/kmod rCx -> kmod, - @{bin}/sysctl rCx -> sysctl, + @{sbin}/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, @@ -110,7 +110,7 @@ profile ifup @{exec_path} { capability net_admin, capability sys_admin, - @{bin}/sysctl mr, + @{sbin}/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index c5c4aa276..04abb7e0c 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -22,6 +22,7 @@ profile im-launch @{exec_path} { @{bin}/sed rix, @{bin}/sleep rix, @{bin}/startplasma-x11 rPx, + @{bin}/startxfce4 rPx, @{bin}/true rix, @{bin}/uim-toolbar-gtk3 rPUx, @{bin}/uim-xim rPUx, diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index 074b4e735..199483f4f 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -19,7 +19,7 @@ profile initd-kexec @{exec_path} { @{bin}/tput rix, @{bin}/echo rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index 1b27d1a4e..522d003f3 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load 
@@ -25,7 +25,7 @@ profile initd-kexec-load @{exec_path} { @{bin}/readlink rix, @{bin}/tput rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, @@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} { @{sys}/kernel/kexec_loaded r, - owner /boot/grub/{grub.cfg,grubenv} r, + owner @{efi}/grub/{grub.cfg,grubenv} r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index b1a56c41d..6a26d4dea 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -16,7 +16,7 @@ profile install-catalog @{exec_path} { @{sh_path} rix, @{bin}/basename rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index 8ea351857..facd2fa3b 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver @@ -16,7 +16,7 @@ profile install-printerdriver @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index eafcab799..e80875ca2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -20,7 +20,6 @@ profile inxi @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/perl r, @{bin}/ r, @{sh_path} rix, @@ -44,11 +43,11 @@ profile inxi @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - @{bin}/blockdev rPx, + @{sbin}/blockdev rPx, @{bin}/compton rPx, @{bin}/df rPx, @{bin}/dig rPx, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, 
@@ -57,7 +56,7 @@ profile inxi @{exec_path} { @{bin}/openbox rPx, @{bin}/ps rPx, @{bin}/sensors rPx, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/sudo rPx, @{bin}/uptime rPx, @{bin}/who rPx, diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 1ff3615f1..0cb507e36 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -35,7 +35,7 @@ profile ioping @{exec_path} { /bin/* r, /sbin/* r, /etc/** r, - /boot/** r, + @{efi}/** r, /opt/** r, /var/** r, @{MOUNTS}/** r, diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index d85b0244f..8ea787ea6 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop @@ -21,7 +21,7 @@ profile iotop @{exec_path} { @{bin}/ r, @{bin}/file rix, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/magic r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index bcb521c01..0a27c4b59 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -20,7 +20,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount fstype=sysfs -> /sys/, + mount fstype=sysfs -> @{sys}, mount options=(rw bind) / -> @{run}/netns/*, mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw, bind) @{att}/ -> @{run}/netns/*, @@ -29,7 +29,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> /, umount @{run}/netns/*, - umount /sys/, + umount @{sys}, @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index ff7f1c799..c6dfa762a 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -13,7 +13,6 @@ profile ipcalc @{exec_path} { include @{exec_path} r, - @{bin}/perl r, include if exists } diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index fec2d7c93..022dc92d5 100644 --- a/apparmor.d/profiles-g-l/irqbalance 
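Review bot: `mount fstype=sysfs -> @{sys}` and `umount @{sys}` in the ip profile drop the trailing slash the original `/sys/` rules had, while every other mount point in the same profile (`@{run}/netns/*`, `@{run}/netns/`, `/`) is written as a directory. AppArmor presents directory mount points with a trailing `/`, so unless `@{sys}` itself expands with one (its definition is not visible here), `ip netns exec` will be denied mounting sysfs in the new namespace. Use `mount fstype=sysfs -> @{sys}/,` and `umount @{sys}/,` to match the surrounding rules and the original. The profile continues outside this hunk.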
+++ b/apparmor.d/profiles-g-l/irqbalance @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/irqbalance +@{exec_path} = @{sbin}/irqbalance profile irqbalance @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot new file mode 100644 index 000000000..8c18782f9 --- /dev/null +++ b/apparmor.d/profiles-g-l/ischroot @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ischroot +profile ischroot @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + /var/lib/update-notifier/tmp.@{rand10} w, + + @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 8f2d53f76..7783c8005 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/issue-generator +@{exec_path} = @{sbin}/issue-generator profile issue-generator @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 8639b8aad..631b0b9d1 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iw +@{exec_path} = @{sbin}/iw profile iw @{exec_path} { include @@ -21,7 +21,7 @@ profile iw @{exec_path} { @{exec_path} mr, - @{sys}/devices/@{pci}/ieee80211/phy[0-9]*/index r, + @{sys}/devices/@{pci}/ieee80211/phy@{int}/index r, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index 962b4ab23..ec6b9a46b 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig 
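Review bot: in the new ischroot profile, `/var/lib/update-notifier/tmp.@{rand10} w` reads like an inherited stdout/stderr redirection from an update-notifier script rather than something ischroot writes itself; if so, mark it `# file_inherit` as the other profiles in this tree do, otherwise a reader will assume ischroot creates files in update-notifier's state directory. `@{PROC}/@{pid}/mountinfo r` is also unqualified; if the program only compares its own mount table with that of pid 1, `@{PROC}/1/mountinfo r,` plus `owner @{PROC}/@{pid}/mountinfo r,` says exactly that, and a one-line comment on why `flags=(attach_disconnected)` is needed for such a small tool would complete the profile.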
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwconfig +@{exec_path} = @{sbin}/iwconfig profile iwconfig @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index 298c94688..b89af77b9 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwlist +@{exec_path} = @{sbin}/iwlist profile iwlist @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index eb51b1239..618ac14e7 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -18,8 +18,7 @@ profile jmtpfs @{exec_path} { @{bin}/fusermount{,3} rCx -> fusermount, - owner @{tmp}/tmp* rw, - owner @{tmp}/#@{int} rw, + /etc/magic r, # Mount points owner @{HOME}/*/ r, @@ -27,36 +26,20 @@ profile jmtpfs @{exec_path} { owner @{user_cache_dirs}/*/mtp{,-@{int}}/ rw, - mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, - mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, - mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, - - /etc/magic r, - - /dev/fuse rw, - + owner @{tmp}/tmp* rw, + owner @{tmp}/#@{int} rw, profile fusermount { include - include - - # To mount anything: - capability sys_admin, - - # - capability dac_read_search, - - @{bin}/fusermount{,3} mr, + include mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, - /etc/fuse.conf r, - - /dev/fuse rw, - - @{PROC}/@{pid}/mounts r, + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{user_cache_dirs}/*/*/, include if exists } diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 0e27fa5ae..91eb37c58 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote 
@@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 743da77a1..947cfabd1 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -13,13 +13,13 @@ profile kconfig-hardened-check @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, # The usual kernel config locations - /boot/config-* r, + @{efi}/config-* r, @{PROC}/config.gz r, # This is for kernels, which are built manually diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config new file mode 100644 index 000000000..2bd8ef6b9 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-config 
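Review bot: `@{efi}/config-* r` in kconfig-hardened-check keeps the comment `# The usual kernel config locations`, but kernel config files live in `/boot` whether or not an EFI system partition is mounted; if `@{efi}` expands to the ESP mount point (`/boot/efi` on Debian-style layouts) the rule stops matching `/boot/config-*`, and if it expands to `/boot` the tunable's name misleads, and its definition is not visible from here. The same substitution is applied to `/boot/grub/{grub.cfg,grubenv}` in initd-kexec-load and `/boot/**` in ioping in this change. If the tunable is meant to cover the whole `/boot` tree, a comment at this first use, `# @{efi} covers /boot, including a mounted ESP`, settles it; otherwise keep `/boot/config-* r,` here.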
@@ -0,0 +1,108 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/kdump-config +profile kdump-config @{exec_path} flags=(attach_disconnected) { + include + + capability sys_admin, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/find ix, + @{bin}/flock ix, + @{bin}/hexdump ix, + @{bin}/ln ix, + @{bin}/logger ix, + @{bin}/plymouth Px, + @{bin}/readlink ix, + @{bin}/rev ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + @{sbin}/kexec Cx -> kexec, + @{sbin}/sysctl Cx -> sysctl, + + /etc/kernel/postinst.d/kdump-tools rPx, + + /etc/kdump/{,**} r, + /etc/default/kdump-tools r, + /etc/magic r, + + / r, + @{efi}/ r, + + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, + /var/lib/kdump/{,**} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + @{sys}/kernel/kexec_crash_loaded r, + + @{PROC}/cmdline r, + @{PROC}/iomem r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/panic_on_oops rw, + + include if exists + } + + profile kexec { + include + + capability sys_admin, + capability sys_boot, + + @{sbin}/kexec mr, + + @{efi}/* r, + + owner /var/lib/kdump/* r, + + @{PROC}/iomem r, + + 
include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init new file mode 100644 index 000000000..b5af4dcc9 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/init.d/kdump-tools +profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + @{sh_path} mr, + + @{bin}/cat ix, + @{bin}/plymouth Px, + @{bin}/run-parts ix, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/kdump-config Px, + + /etc/default/kdump-tools r, + + @{PROC}/cmdline r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator new file mode 100644 index 000000000..b80a89343 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator +profile kdump_mem_estimator @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/cat ix, + @{bin}/mkdir ix, + @{bin}/uname ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + + owner /var/lib/kdump/mem* w, + + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel new file mode 100644 index 000000000..41098ab4b --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel 
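Review bot: `@{bin}/uname ix,` appears twice in the new `kdump_mem_estimator` profile, once before and once after `@{bin}/systemctl Cx -> systemctl,`; the second copy is redundant and should be dropped. The exec list there is also not alphabetical, unlike kdump-config and kdump-tools-init in the same change. `@{sh_path} r,` differs from the `rix` used for the same interpreter in kdump-config; if the script never re-execs a shell that is fine, but a one-line comment saying so would save the question.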
@@ -0,0 +1,76 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/* +@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/* +profile kernel @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,m,g}awk rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/kmod rCx -> kmod, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which{,.debianutils} rix, + + @{bin}/apt-config rPx, + @{bin}/bootctl rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/kernel-install rPx, + @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, + @{lib}/dkms/dkms_autoinstaller rPx, + @{sbin}/dkms rPx, + @{sbin}/update-grub rPx, + @{sbin}/update-initramfs rPx, + + @{lib}/modules/*/updates/ w, + @{lib}/modules/*/updates/dkms/ w, + + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + + # For shell pwd + / r, + @{efi}/ r, + + /etc/apt/apt.conf.d/ r, + /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, + + @{run}/reboot-required w, + @{run}/reboot-required.pkgs rw, + + @{PROC}/devices r, + @{PROC}/cmdline r, + + profile kmod { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 07c058124..dede5da41 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install 
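Review bot: The `kernel` profile attaches to `/etc/kernel/postinst.d/*`, which also matches `/etc/kernel/postinst.d/kdump-tools`, the path the new `kernel-postinst-kdump` profile later in this diff attaches to and that kdump-config transitions to with `rPx`. Recent parsers resolve overlapping attachments in favour of the most specific pattern, so the dedicated profile should win, but nothing in the file records that this overlap is intended. A comment next to the `@{exec_path}` definition, e.g. `# Generic fallback for kernel hooks; scripts with a dedicated profile (kdump-tools) attach via their more specific path`, would document it. `@{lib}/modules/*/updates/ w,` and the `rw` on `/etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new}` would likewise benefit from a note naming which hook needs them.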
@@ -11,22 +11,20 @@ include profile kernel-install @{exec_path} { include include + include include + capability sys_rawio, + capability sys_resource, + + ptrace read peer=@{p_systemd}, + @{exec_path} r, @{sh_path} rix, - - @{bin}/mountpoint rix, - @{bin}/sort rix, - @{bin}/rm rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/chown rix, - @{bin}/chmod rix, - @{bin}/basename rix, - - @{pager_path} rPx -> child-pager, + @{coreutils_path} rix, @{bin}/kmod rCx -> kmod, + @{bin}/mountpoint rix, + @{pager_path} rPx -> child-pager, @{lib}/kernel/install.d/ r, @{lib}/kernel/install.d/@{int2}-*.install rix, @@ -37,27 +35,39 @@ profile kernel-install @{exec_path} { @{lib}/os-release r, /etc/kernel/cmdline r, /etc/kernel/tries r, + /etc/kernel/entry-token r, /etc/machine-id r, /etc/os-release r, /var/lib/dbus/machine-id r, @{lib}/modules/*/modules.* w, - owner /boot/{vmlinuz,initrd.img}-* r, - owner /boot/[a-f0-9]*/*/ rw, - owner /boot/[a-f0-9]*/*/{linux,initrd} w, - owner /boot/loader/ rw, - owner /boot/loader/entries/ rw, - owner /boot/loader/entries/*.conf w, + / r, + + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, + owner @{efi}/{vmlinuz,initrd.img}-* r, + owner @{efi}/loader/ rw, + owner @{efi}/loader/entries/ rw, + owner @{efi}/loader/entries/*.conf w, + + owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, owner @{tmp}/sh-thd.* rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, profile kmod { include include + @{lib}/modules/*/modules.* w, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump new file mode 100644 index 000000000..50606695a --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump 
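Review bot: `capability sys_rawio,` and `capability sys_resource,` are added to kernel-install with no comment explaining which operation needs them; sys_rawio in particular permits raw block-device and port I/O, which is far beyond what a boot-entry installer should require, so the denial that motivated it should be recorded. A comment above the pair, e.g. `# sys_rawio/sys_resource: triggered by <operation from the audit log> - TODO confirm`, would do, and if the access is only reached through the kmod child it belongs there rather than in the parent. The new `ptrace read peer=@{p_systemd},` line is paired with `@{PROC}/1/environ r,` in the next hunk and is similarly undocumented.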
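Review bot: `@{efi}/@{hex32}/** rw,` replaces `owner /boot/[a-f0-9]*/*/ rw,` and `owner /boot/[a-f0-9]*/*/{linux,initrd} w,` but drops the `owner` qualifier and widens the write from two named files to everything under the machine-id directory, which is the tree the bootloader executes from. If the denials came from kernel-install moving its staging copy into place, `owner @{efi}/@{hex32}/*/{,**} rw,` (or the previous two patterns rebased onto `@{efi}`) would keep the rule at its former scope. `@{PROC}/1/environ r,` also deserves a one-line comment, since it exposes PID 1's environment to the tool.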
@@ -0,0 +1,58 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/kernel/postinst.d/kdump-tools
+profile kernel-postinst-kdump @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} r,
+ @{bin}/{,e}grep rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/cp rix,
+ @{bin}/du rix,
+ @{bin}/find rix,
+ @{bin}/kmod rCx -> kmod,
+ @{bin}/ischroot rPx,
+ @{bin}/linux-version rPx,
+ @{bin}/mkdir rix,
+ @{bin}/mktemp rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/sync rix,
+ @{bin}/cut rix,
+ @{sbin}/mkinitramfs rPx,
+
+ / r,
+
+ /etc/initramfs-tools/conf.d/{,**} r,
+ /etc/initramfs-tools/initramfs.conf r,
+
+ owner /var/lib/kdump/** rw,
+
+ owner /tmp/tmp.@{rand10}/ rw,
+ owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,
+
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+
+ profile kmod {
+ include
+ include
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops
index 815fa4e38..70c8b9460 100644
--- a/apparmor.d/profiles-g-l/kerneloops
+++ b/apparmor.d/profiles-g-l/kerneloops
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/kerneloops
+@{exec_path} = @{sbin}/kerneloops
 profile kerneloops @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet
index 8f5e66cbc..758ead716 100644
--- a/apparmor.d/profiles-g-l/kerneloops-applet
+++ b/apparmor.d/profiles-g-l/kerneloops-applet
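Review bot: `@{bin}/cut rix,` in the new `kernel-postinst-kdump` profile is out of alphabetical order (it follows `@{bin}/sync`), and the five `owner /tmp/tmp.@{rand10}/mkinitramfs*` rules are repeated verbatim from `kdump-config` earlier in this diff and again in `initramfs-hooks` later on. Since all three profiles wrap the same mkinitramfs temporary layout, factoring those paths into a shared abstraction would stop the patterns drifting apart. `@{sh_path} r,` versus the `rix` used for the shell in kdump-config is another small inconsistency worth a comment if it is deliberate.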
@@ -10,8 +10,12 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include + include + include + include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 102b75d83..09c414430 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kexec +@{exec_path} = @{sbin}/kexec profile kexec @{exec_path} flags=(complain) { include @@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) { @{exec_path} mr, - owner /boot/{initrd.img,vmlinuz}-* r, + owner @{efi}/{initrd.img,vmlinuz}-* r, @{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/@{int}/{start,end,type} r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 08fc10c22..1d67b5678 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_read_search, @@ -28,17 +28,13 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, - @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, @{run}/modprobe.d/{,*.conf} r, - /etc/depmod.d/{,**} r, - /etc/modprobe.d/{,*.conf} r, - /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, @@ -48,7 +44,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build 
@@ -66,14 +62,23 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 @{sys}/module/{,**} r,
- @{PROC}/cmdline r,
- @{PROC}/modules r,
-
 /dev/tty@{int} rw,
 deny @{user_share_dirs}/gvfs-metadata/* r,
 deny unix (receive) type=stream,
+ profile sysctl {
+ include
+
+ @{sbin}/sysctl mr,
+
+ /etc/sysctl.conf r,
+ /etc/sysctl.d/{,**} r,
+ @{lib}/sysctl.d/{,**} r,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi
index fc6a6ede5..9d6c9d1c2 100644
--- a/apparmor.d/profiles-g-l/kodi
+++ b/apparmor.d/profiles-g-l/kodi
@@ -30,11 +30,11 @@ profile kodi @{exec_path} {
 @{bin}/df rix,
 @{bin}/dirname rix,
 @{bin}/find rix,
- @{bin}/ldconfig rix,
+ @{sbin}/ldconfig rix,
 @{bin}/mv rix,
 @{bin}/uname rix,
- @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/lsb_release rPx,
 /usr/share/kodi/{,**} r,
 /usr/share/publicsuffix/* r,
@@ -50,7 +50,8 @@ profile kodi @{exec_path} {
 owner @{HOME}/core w,
 owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w,
- @{run}/udev/data/* r,
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
 @{sys}/**/ r,
 @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r,
diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok
index eb3d1cc80..f62e9ddf9 100644
--- a/apparmor.d/profiles-g-l/kvm-ok
+++ b/apparmor.d/profiles-g-l/kvm-ok
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/kvm-ok
+@{exec_path} = @{sbin}/kvm-ok
 profile kvm-ok @{exec_path} {
 include
@@ -20,7 +20,7 @@ profile kvm-ok @{exec_path} {
 @{bin}/kmod rCx -> kmod,
- @{bin}/rdmsr rPx,
+ @{sbin}/rdmsr rPx,
 #/proc/cpuinfo r,
 #/dev/kvm r,
diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc
index ac1b7a8ae..99e3ef3cb 100644
--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
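Review bot: The new `sysctl` child profile in kmod grants reads on `/etc/sysctl.conf`, `/etc/sysctl.d/` and `@{lib}/sysctl.d/` but no rule under `@{PROC}/sys/`, which is where sysctl actually writes; unless the include on its first line (argument stripped in this view) supplies that, a `sysctl -w` or `--system` run from kmod will parse its configuration and then be denied on the write. The equivalent child in kdump-config earlier in this diff lists `@{PROC}/sys/kernel/panic_on_oops rw,` explicitly, so this one should either name the keys it is expected to set or state in a comment that the include provides them. Because the previous hunk in this file turned `@{bin}/sysctl rPx` into a `Cx` transition, the system-wide sysctl profile no longer applies here and the child has to be complete on its own.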
@@ -45,12 +45,11 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/@{pci}/boot_vga r,
 @{sys}/devices/**/uevent r,
- @{run}/udev/data/+acpi:* r, # for ?
+ @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
 @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
- @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
- @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
+ @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+platform:* r, # for ?
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
 @{run}/udev/data/+serio:* r, # for touchpad?
 @{run}/udev/data/+sound:card@{int} r, # for sound card
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo
index 52252882d..2370271ec 100644
--- a/apparmor.d/profiles-g-l/landscape-sysinfo
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/landscape-sysinfo
 profile landscape-sysinfo @{exec_path} {
 include
+ include
 include
 include
@@ -20,14 +21,19 @@ profile landscape-sysinfo @{exec_path} {
 network inet6 dgram,
 network netlink raw,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
- @{bin}/who rix,
+ @{bin}/who rPx,
+
+ @{lib}/@{python_name}/**/__pycache__/ w,
+ @{lib}/@{python_name}/**/__pycache__/**.pyc w,
+ @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w,
 /var/log/landscape/{,**} rw,
+ @{run}/systemd/sessions/{,*} r,
 @{run}/utmp rwk,
 @{sys}/class/hwmon/ r,
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
index e5c739bd5..056b2d83c 100644
--- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
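Review bot: The three new `@{lib}/@{python_name}/**/__pycache__/...` write rules in landscape-sysinfo let the tool create and overwrite compiled bytecode anywhere in the system Python tree, not just in its own package; a `.pyc` written there is picked up by every later Python process importing that module, which is a broad grant for a program that otherwise only reads system state. If the denials come from landscape's own modules shipping without bytecode, narrow the three patterns to that package's directory, or add `owner` if the tool only ever runs as the user owning those files; if neither applies, a comment recording why the whole tree must be writable is needed. The same pattern should be checked in `landscape-sysinfo.wrapper`, which now maps `@{python_path}` as well.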
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -9,12 +9,14 @@ include @{exec_path} = /usr/share/landscape/landscape-sysinfo.wrapper profile landscape-sysinfo.wrapper @{exec_path} { include + include capability dac_override, capability fowner, capability fsetid, @{exec_path} mr, + @{python_path} mr, @{sh_path} rix, @{bin}/bc rix, @@ -23,7 +25,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/landscape-sysinfo rPx, / r, @@ -31,6 +33,8 @@ profile landscape-sysinfo.wrapper @{exec_path} { /var/lib/landscape/landscape-sysinfo.cache rw, + @{run}/motd.dynamic.new w, + @{PROC}/loadavg r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index bf999b79e..3d7383aef 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -15,10 +15,9 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, - /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, include if exists diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 63634d788..4bed50f13 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,7 +11,14 @@ include profile libreoffice @{exec_path} { include include + include include + include + include + include + include + include + include include include include 
@@ -30,14 +37,14 @@ profile libreoffice @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.libreoffice.LibreOfficeIpc0 + #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions @{exec_path} mr, @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ls rix, @{bin}/paperconf rix, @{bin}/sed rix, @@ -49,11 +56,12 @@ profile libreoffice @{exec_path} { @{bin}/gpgconf rPx, @{bin}/gpgsm rPx, + @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/lib/** rm, @{lib}/libreoffice/program/javaldx rix, @{lib}/libreoffice/program/oosplash rix, @{lib}/libreoffice/program/soffice.bin rix, - @{lib}/jvm/java*/bin/java rix, - @{lib}/jvm/java*/lib/** rm, + @{lib}/libreoffice/program/xpdfimport rix, @{lib}/libreoffice/{,**} rm, @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, @@ -67,11 +75,15 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, - /etc/java{,@{version}}-openjdk/{,**} r, + /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/paperspecs r, + /etc/papersize r, /etc/xdg/* r, + /var/tmp/ r, + owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, + owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, @@ -82,7 +94,7 @@ profile libreoffice @{exec_path} { owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, - owner @{tmp}/ r, + @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, @@ -90,7 +102,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, 
@@ -99,7 +111,7 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 8d2fcdcc8..60189d911 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -11,19 +11,12 @@ include profile light-locker @{exec_path} { include include - include - include - include + include include - include include - include @{exec_path} mr, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, @@ -33,6 +26,9 @@ profile light-locker @{exec_path} { @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_device r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index a0c184032..04d2f0330 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal 
@@ -8,46 +8,13 @@ abi ,
 include
 @{exec_path} = @{bin}/linux-check-removal
-profile linux-check-removal @{exec_path} flags=(complain) {
+profile linux-check-removal @{exec_path} {
 include
- include
- include
+ include
- @{exec_path} r,
- @{bin}/perl r,
+ @{exec_path} rmix,
- # Think what to do about this (#FIXME#)
- /usr/share/debconf/frontend rPx,
- #/usr/share/debconf/frontend rCx -> frontend,
-
-
- profile frontend flags=(complain) {
- include
- include
- include
- include
-
- /usr/share/debconf/frontend r,
- @{bin}/perl r,
-
- @{bin}/linux-check-removal rPx,
-
- @{sh_path} rix,
- @{bin}/stty rix,
- @{bin}/locale rix,
-
- # The following is needed when debconf uses dialog/whiptail frontend.
- @{bin}/whiptail rPx,
- owner @{tmp}/file* w,
-
- /usr/share/debconf/confmodule r,
-
- /etc/debconf.conf r,
- owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
- /usr/share/debconf/templates/adequate.templates r,
-
- include if exists
- }
+ @{bin}/stty rix,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks
new file mode 100644
index 000000000..b97a0305b
--- /dev/null
+++ b/apparmor.d/profiles-g-l/linux-update-symlinks
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/linux-update-symlinks
+profile linux-update-symlinks @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/kernel-img.conf r,
+
+ @{efi}/ r,
+ @{efi}/* rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version
index 1a8ffbb0d..c718b6495 100644
--- a/apparmor.d/profiles-g-l/linux-version
+++ b/apparmor.d/profiles-g-l/linux-version
@@ -14,9 +14,8 @@ profile linux-version @{exec_path} {
 include
 @{exec_path} r,
- @{bin}/perl r,
- /boot/ r,
+ @{efi}/ r,
 include if exists
 }
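Review bot: Dropping `flags=(complain)` from linux-check-removal in the same hunk that removes `/usr/share/debconf/frontend rPx,` and the whole `frontend` child profile turns any remaining exec of the debconf frontend into a hard denial rather than a logged one; the removed child (with its `@{bin}/linux-check-removal rPx,` back-transition) suggests the script did re-execute itself through the frontend in at least one path. If that path is only reached outside a dpkg/apt session it may be acceptable to drop, but a comment such as `# debconf frontend exec deliberately not allowed: only expected to run under dpkg's own frontend` would record the decision. `@{bin}/perl r,` is also gone, so interpreter access now rests on the replacement include (argument stripped here), which is worth a note too.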
diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 0e18eab1b..dd653bd61 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -14,7 +14,7 @@ include @{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq profile linuxqq @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -29,7 +29,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-g-l/localsend b/apparmor.d/profiles-g-l/localsend new file mode 100644 index 000000000..ad2e23fc6 --- /dev/null +++ b/apparmor.d/profiles-g-l/localsend @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/localsend +profile localsend @{exec_path} { + include + include + include + include + include + include + +# --system-talk-name=org.freedesktop.NetworkManager +# - --system-talk-name=org.freedesktop.hostname1 +# --talk-name=org.kde.StatusNotifierWatcher + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 7990fb27d..0dee9ed6a 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/logrotate +@{exec_path} = @{sbin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include 
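Review bot: The three `# --system-talk-name=...` / `# --talk-name=...` lines inside the new `localsend` profile read like Flatpak manifest permissions pasted as reminders rather than AppArmor content, and they sit at column 0 inside the profile body. They should either be turned into the corresponding D-Bus rules or `#aa:dbus` directives (the form used elsewhere in this diff) for `org.freedesktop.NetworkManager`, `org.freedesktop.hostname1` and `org.kde.StatusNotifierWatcher`, or be rewritten as an explicit note such as `# TODO: D-Bus talk rules for NetworkManager, hostname1 and StatusNotifierWatcher still missing`. The copyright year (2024) also differs from every other new profile in this change (2025).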
@@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 capability setgid,
 capability setuid,
- signal (send) set=(hup),
- signal (send) set=(term cont) peer=systemd-tty-ask-password-agent,
+ signal send set=hup,
+ signal send set=(term cont) peer=systemd-tty-ask-password-agent,
 @{exec_path} mr,
@@ -30,9 +30,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 @{sh_path} rix,
 @{bin}/cat rix,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
 @{bin}/gzip rix,
- @{bin}/invoke-rc.d rix,
+ @{sbin}/invoke-rc.d rix,
 @{bin}/kill rix,
 @{bin}/ls rix,
 @{bin}/setfacl rix,
@@ -80,6 +80,11 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 capability net_admin,
 capability sys_ptrace,
+ dbus send bus=system path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member=KillUnit
+ peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
+
 @{run}/utmp rk,
 include if exists
diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release
new file mode 100644
index 000000000..23bada3ec
--- /dev/null
+++ b/apparmor.d/profiles-g-l/lsb-release
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that
+# does attach @{bin}/lsb_release.
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lsb_release
+profile lsb-release @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/basename rix,
+ @{bin}/cat rix,
+ @{bin}/cut rix,
+ @{bin}/find rix,
+ @{bin}/getopt rix,
+ @{bin}/head rix,
+ @{bin}/sed rix,
+ @{bin}/tr rix,
+
+ #aa:only apt
+ @{bin}/dpkg-query px,
+
+ /etc/ r,
+ /etc/*-release r,
+ /etc/lsb-release r,
+ /etc/lsb-release.d/{,*} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
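Review bot: The new `dbus send ... member=KillUnit` rule in logrotate's third hunk is correctly pinned to `org.freedesktop.systemd1` with `label="@{p_systemd}"`, but nothing says which logrotate action drives it, and the enclosing child profile starts outside the hunk, so a reader of the diff cannot tell whether this is a `systemctl kill` from a postrotate script or something else. A comment on the line above, e.g. `# systemctl kill -s HUP <unit> issued from postrotate scripts - confirm`, would record the trigger. KillUnit can signal any unit, so the justification matters more than for the read-only rules around it.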
diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index 0fce66a96..a9613e7c1 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -33,8 +33,7 @@ profile lynx @{exec_path} { /etc/mailcap r, /etc/mime.types r, - owner @{tmp}/lynxXXXX*/ rw, - owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw, + owner @{tmp}/lynxXXXX*/{,**} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks new file mode 100644 index 000000000..14a83ffbb --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-hooks 
@@ -0,0 +1,89 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** +profile initramfs-hooks @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/fc-cache ix, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox ix, + @{lib}/klibc/bin/fstype ix, + @{sbin}/blkid Px, + /usr/share/mdadm/mkconf Px, + + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/ r, + @{lib}/** mr, + + /usr/share/initramfs-tools/{,**} r, + /usr/share/plymouth/{,**} r, + /usr/share/cryptsetup/initramfs/{,**} r, + + /etc/console-setup/{,**} r, + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/* r, + /etc/fstab r, + /etc/iscsi/*.iscsi r, + /etc/lvm/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/systemd/network/{,**} r, + /etc/udev/{,**} r, + + / r, + @{efi}/config-* r, + + /var/tmp/ r, + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + + @{PROC}/@{pid}/mounts r, + @{PROC}/cmdline r, + @{PROC}/swaps r, + + profile ldd { + include + include + include + + @{bin}/ldd mr, + @{bin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include 
if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts new file mode 100644 index 000000000..d280c145a --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** +profile initramfs-scripts @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{sbin}/blkid Px, + @{bin}/dd ix, + @{bin}/debconf-escape Px, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox Px, + /usr/share/mdadm/mkconf Px, + + /usr/share/initramfs-tools/{,**} r, + + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/console-setup r, + /etc/fstab r, + /etc/initramfs-tools/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/udev/rules.d/{,**} r, + + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 4826337d0..cd825471d 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/mandb -profile mandb @{exec_path} flags=(complain) { +profile mandb @{exec_path} { include include include 
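Review bot: `@{lib}/initramfs-tools/bin/busybox Px,` in the new `initramfs-scripts` profile requires a profile attached to that busybox path to exist, otherwise the exec is denied; the sibling `initramfs-hooks` profile just above in this diff runs the same binary with `ix`. Unless a busybox profile is added elsewhere in this change, the two should agree (`ix`, or `Cx` into a small child) and a comment should name the profile being transitioned to. The `ldd` child here also lacks the `@{bin}/* mr,` line its counterpart in initramfs-hooks carries, which may be intentional but deserves a note either way.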
@@ -20,9 +20,6 @@ profile mandb @{exec_path} flags=(complain) {
 /etc/man_db.conf r,
 /etc/manpath.config r,
- /var/cache/man/ r,
- /var/cache/man/** rwk,
-
 /usr/share/man/{,**} r,
 /usr/local/man/{,**} r,
 /usr/local/share/man/{,**} r,
@@ -32,6 +29,9 @@ profile mandb @{exec_path} flags=(complain) {
 /usr/share/**/man/man@{u8}/*.@{int}.gz r,
+ owner /var/cache/man/ rw,
+ owner /var/cache/man/** rwk,
+
 owner @{user_share_dirs}/man/** rwk,
 include if exists
diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm
new file mode 100644
index 000000000..15adcb9e6
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mdadm
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{sbin}/mdadm
+profile mdadm @{exec_path} {
+ include
+ include
+ include
+
+ capability sys_admin,
+
+ mqueue (read getattr) type=posix /,
+
+ @{exec_path} mr,
+
+ @{run}/initctl r,
+
+ /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,
+
+ @{sys}/bus/pci/drivers/*/ r,
+ @{sys}/devices/@{pci}/class r,
+ @{sys}/devices/@{pci}/device r,
+ @{sys}/devices/@{pci}/vendor r,
+
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/cmdline r,
+ @{PROC}/kcore r,
+ @{PROC}/partitions r,
+
+ /dev/**/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf
new file mode 100644
index 000000000..120138905
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mdadm-mkconf
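Review bot: `@{PROC}/kcore r,` in the new `mdadm` profile grants read access to the kernel's live memory image, which holds every secret currently in kernel memory; before allowing it, check whether mdadm actually needs the read to succeed or merely opens the file while scanning, because in the latter case `deny @{PROC}/kcore r,` with a comment is the safer form and keeps the audit log quiet. `/dev/**/ r,` and `mqueue (read getattr) type=posix /,` are likewise broad and carry no comment saying what they serve. The parser accepts all three, so nothing at build time will question them.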
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/mdadm/mkconf +profile mdadm-mkconf @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/date ix, + @{bin}/cat ix, + @{bin}/sed ix, + @{sbin}/mdadm Px, + + /etc/default/mdadm r, + /etc/mdadm/mdadm.conf r, + + / r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index f1b5034e6..906dcf512 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 0de151536..808427d85 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -9,23 +9,19 @@ include @{exec_path} = @{bin}/metadata-cleaner profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include include include include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{bin}/bwrap rCx -> bwrap, - @{open_path} rPx -> child-open-help, + @{bin}/bwrap Cx -> bwrap, + @{open_path} Px -> child-open-help, - /usr/share/metadata-cleaner/{,**} r, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, - /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, 
@@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, @@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=metadata-cleaner, + signal receive set=(kill) peer=metadata-cleaner, @{bin}/bwrap mr, @{bin}/vendor_perl/exiftool rix, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index d6823da9b..cf8431c7a 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -13,7 +13,6 @@ profile mimetype @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /usr/share/mime/**.xml r, /usr/share/mime/globs r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 6585f6382..42489117e 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/mkinitramfs +@{exec_path} = @{sbin}/mkinitramfs profile mkinitramfs @{exec_path} { include include @@ -19,11 +19,10 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/ r, - @{lib}/ r, - @{lib}64/ r, + @{bin}/ r, + @{lib}/ r, @{bin}/{,e}grep rix, @{bin}/basename rix, 
@@ -43,37 +42,44 @@ profile mkinitramfs @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, @{bin}/sort rix, + @{bin}/stat rix, @{bin}/touch rix, @{bin}/tr rix, @{bin}/tsort rix, + @{bin}/uname rix, @{bin}/uniq rix, @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/blkid rPx, @{lib}/dracut/dracut-install rix, @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, - @{bin}/ldconfig rCx -> ldconfig, + @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, + @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - # What to do with it? (#FIXME#) - /usr/share/initramfs-tools/hooks/* rPUx, - /usr/share/initramfs-tools/scripts/*/* rPUx, - /etc/initramfs-tools/hooks/* rPUx, - /etc/initramfs-tools/scripts/*/* rPUx, + @{lib}/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/scripts/** rPx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, + /etc/xattr.conf r, + # For shell pwd / r, /etc/ r, 
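Review bot: Moving the hook and script trees from `rPUx` to `rPx` is the right direction — `/etc/initramfs-tools/hooks/**` is admin-editable, so an unconfined fallback would hand any dropped-in script the root context unmediated — but it is fail-closed: every hook or script under those five directories now needs a matching profile, and one without it is denied at exec, which breaks initramfs generation rather than merely logging. It would help future readers to state that contract next to the rules, e.g. `# Hooks/scripts must ship their own profile; no unconfined fallback on purpose.`, and to confirm that the hooks installed by default packages (the `@{lib}/initramfs-tools/hooks/**` set in particular) are all covered. The new `@{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd` line also lets the dynamic loader be run directly under the `ldd` child, which is fine only as long as that child stays as narrow as it is. The mkinitramfs profile body starts before and continues past this hunk.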
@@ -81,23 +87,39 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, - /boot/ r, - owner /boot/config-* r, - owner /boot/initrd.img-*.new rw, + @{efi}/ r, + owner @{efi}/config-* r, + owner @{efi}/initrd.img-*.new rw, - /var/tmp/ r, - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**, - owner /var/tmp/mkinitramfs-@{rand6} rw, - owner /var/tmp/mkinitramfs-*_@{rand6} rw, + owner /var/lib/kdump/initramfs-tools/** rw, + owner /var/lib/kdump/initrd.* rw, + /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, + /var/tmp/modules_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6}/ rw, + /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + /var/tmp/mkinitramfs-@{rand6} rw, + /var/tmp/mkinitramfs-*_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + + @{sys}/bus/ r, + @{sys}/bus/*/drivers/ r, @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, + @{sys}/module/firmware_class/parameters/path r, + @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/modules r, owner @{PROC}/@{pid}/fd/ r, @@ -108,6 +130,8 @@ profile mkinitramfs @{exec_path} { include @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mr, + @{lib}/ld-linux.so* mr, @{sh_path} rix, @{bin}/kmod mr, 
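Review bot: The `/var/tmp/mkinitramfs_@{rand6}` rules lose their `owner` qualifier in this hunk (`/var/tmp/mkinitramfs_@{rand6} rw,`, `/var/tmp/mkinitramfs_@{rand6}/ rw,`, `/var/tmp/mkinitramfs_@{rand6}/** rwl -> …`, plus a new unqualified `/var/tmp/mkinitramfs_@{rand6}/** w,`), while the parallel `/tmp/tmp.@{rand10}/…` rules added just below keep it. /var/tmp is world-writable and `@{rand6}` is presumably a pattern rather than the real random suffix, so root-run mkinitramfs is now allowed to write into a `mkinitramfs_XXXXXX` directory that any local user pre-created. If some staged files end up owned by a different uid and that is why `owner` was dropped, a narrow unqualified rule for just those paths would be better than removing `owner` from the whole tree; otherwise restoring `owner` on the four /var/tmp rules is the simple fix. The profile body starts before and continues past this hunk.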
@@ -125,23 +149,13 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - @{bin}/ldconfig mr, + @{sbin}/ldconfig mr, @{sh_path} rix, - @{bin}/ldconfig.real rix, + @{sbin}/ldconfig.real rix, - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r, - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r, - - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw, - - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw, - - owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, include if exists } @@ -171,7 +185,7 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, - owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 835e1a391..4e0ace19a 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -10,19 +10,15 @@ include @{exec_path} = @{bin}/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { include - include + include include - include - include - include - include + include include - include include include + include include include - include signal (send) set=(term, kill) peer=mkvmerge, 
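Review bot: The `ldconfig` child profile replaces its precise list (ld.so.conf, ld.so.conf.d, the lib directories, ld.so.cache, var/cache/ldconfig) with `owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> …` and its `/tmp/tmp.@{rand10}/…` twin, i.e. read/write/link over the entire staging tree, including every binary and module that will end up in the initramfs. ldconfig parses ELF headers of whatever is in that tree and runs with `capability sys_chroot,`, so limiting it to the paths it actually updates was a meaningful boundary around a boot-critical artifact. If the old list was missing paths, adding them is preferable to the wildcard; at minimum a comment should record why the wide rule was chosen. The child's header and the surrounding mkinitramfs profile lie outside the hunk.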
diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index cd2ddc0e6..90bf73cf3 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -17,9 +17,9 @@ profile modprobed-db @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/cut rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/getent rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logname rix, @{bin}/md5sum rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index e847db872..6cbef400b 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -10,10 +10,11 @@ include @{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include - include - include - include + include include + include + include + include capability net_admin, capability chown, 
@@ -28,80 +29,76 @@ profile monitorix @{exec_path} { network inet stream, network inet6 stream, - ptrace (read), + ptrace read, - signal (receive) set=(hup) peer=logroate, + signal receive set=(hup) peer=logroate, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/df rix, - @{bin}/cat rix, - @{bin}/tail rix, - @{bin}/{m,g,}awk rix, - @{bin}/free rix, - @{bin}/ss rix, - @{bin}/who rix, - @{bin}/lvm rix, - @{bin}/xtables-nft-multi rix, - @{bin}/sensors rix, - @{bin}/getconf rix, - @{bin}/ps rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/df ix, + @{bin}/free ix, + @{bin}/getconf ix, + @{bin}/ps Px, + @{bin}/sensors Px, + @{bin}/tail ix, + @{bin}/who Px, + @{sbin}/lvm Px, + @{sbin}/ss Px, + @{sbin}/xtables-nft-multi ix, - /etc/monitorix/monitorix.conf r, - /etc/monitorix/conf.d/ r, - /etc/monitorix/conf.d/@{int2}-*.conf r, + /var/lib/monitorix/www/cgi/monitorix.cgi ix, + + /etc/monitorix/{,**} r, + + /var/lib/monitorix/ rw, + /var/lib/monitorix/** rwk, /var/log/monitorix w, /var/log/monitorix-* w, - owner @{run}/monitorix.pid w, - - /var/lib/monitorix/*.rrd* rwk, - /var/lib/monitorix/www/** rw, - /var/lib/monitorix/www/cgi/monitorix.cgi rwix, + /srv/http/monitorix/ rw, + /srv/http/monitorix/** rwk, / r, /tmp/ r, - /etc/shadow r, - /dev/tty r, + owner @{run}/monitorix.pid w, @{run}/utmp rk, - @{PROC}/ r, - @{PROC}/swaps r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/uptime r, - @{PROC}/interrupts r, - @{PROC}/sys/fs/dentry-state r, - @{PROC}/sys/fs/file-nr r, - @{PROC}/sys/fs/inode-nr r, - @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/dev r, - owner @{PROC}/@{pid}/net/ip_tables_names r, - owner @{PROC}/@{pid}/net/ip6_tables_names r, - @{PROC}/@{pid}/net/udp{,6} r, - @{PROC}/@{pid}/net/tcp{,6} r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - 
@{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/io r, - @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, - /etc/sensors3.conf r, - /etc/sensors.d/ r, + @{PROC}/ r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, + @{PROC}/diskstats r, + @{PROC}/interrupts r, + @{PROC}/loadavg r, + @{PROC}/swaps r, + @{PROC}/sys/fs/dentry-state r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inode-nr r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/net/ip_tables_names r, + owner @{PROC}/@{pid}/net/ip6_tables_names r, include if exists } diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd new file mode 100644 index 000000000..67f216212 --- /dev/null +++ b/apparmor.d/profiles-m-r/motd 
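Review bot: `signal receive set=(hup) peer=logroate,` on the new side keeps the misspelled peer label, so the rule never matches `logrotate` and the HUP sent after rotating `/var/log/monitorix*` stays denied; it should read `signal receive set=(hup) peer=logrotate,`. Separately, `/var/lib/monitorix/** rwk,` covers `/var/lib/monitorix/www/cgi/monitorix.cgi`, which the profile executes inline (`ix`) under its own label — one that carries `capability net_admin` and `chown` — so, as before this change, the daemon can modify and then run that script without any transition; carving the cgi path out of the write rule or giving it its own child profile would remove that write-then-execute path. Dropping `/etc/shadow r,` and `/dev/tty r,` is a welcome tightening. The profile body begins before this hunk.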
@@ -0,0 +1,93 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/update-motd.d/*
+profile motd @{exec_path} {
+  include
+
+  capability net_admin,
+
+  @{exec_path} mr,
+  @{bin}/ r,
+
+  @{sh_path} rix,
+  @{coreutils_path} rix,
+  @{bin}/cloud-id rix,
+  @{bin}/systemctl rCx -> systemctl,
+  @{bin}/hostname rPx,
+  @{bin}/snap rPx,
+  @{bin}/dpkg rPx -> child-dpkg,
+  @{bin}/systemd-detect-virt rPx,
+  @{bin}/wget rCx -> wget,
+
+  @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
+  @{lib}/update-notifier/update-motd-fsck-at-reboot rPx,
+  @{lib}/update-notifier/update-motd-reboot-required rix,
+  /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,
+  /usr/share/update-notifier/notify-updates-outdated rPx,
+
+  / r,
+  /etc/cloud/cloud.cfg r,
+  /etc/cloud/cloud.cfg.d/{,*} r,
+  /etc/default/motd-news r,
+  /etc/lsb-release r,
+  /etc/update-motd.d/* r,
+  /etc/wgetrc r,
+
+  /var/cache/motd-news rw,
+  /var/lib/update-notifier/updates-available r,
+  /var/lib/ubuntu-advantage/messages/motd-esm-announce r,
+  /var/lib/cloud/instances/nocloud/cloud-config.txt r,
+
+  # /tmp/tmp.@{rand10} rw,
+
+  @{run}/cloud-init/cloud.cfg r,
+  @{run}/motd.d/{,*} r,
+  @{run}/motd.dynamic.new rw,
+  @{run}/reboot-required r,
+
+  @{PROC}/@{pids}/mounts r,
+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
+
+  /dev/tty@{int} rw,
+
+  profile wget {
+    include
+    include
+    include
+
+    network inet dgram,
+    network inet stream,
+    network inet6 dgram,
+    network inet6 stream,
+    network netlink raw,
+
+    @{bin}/wget mr,
+
+    /tmp/tmp.@{rand10} rw,
+
+    include if exists
+  }
+
+  profile systemctl {
+    include
+    include
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    @{run}/systemd/private rw,
+
+    include if exists
+  }
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt
index 9a138ff50..a66fc287f 100644
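Review bot: The top-level motd profile grants `capability net_admin,` although it has no `network` rule of its own — the only network consumer, wget, is confined in the `wget` child, and the `systemctl` child re-declares `net_admin` itself. Because `@{exec_path} = /etc/update-motd.d/*` attaches to every script in that admin-editable directory, a capability at the top level is inherited by all of them; I would drop it from the parent unless a denial shows a direct need, and note the trigger in a comment if it stays. In the `wget` child, `/tmp/tmp.@{rand10} rw,` lacks `owner` (compare `owner @{tmp}/tmp.@{rand10} rw,` used elsewhere in this change set); the file is presumably mktemp-created, so `owner` is safe to add. `@{PROC}/1/environ r,` also deserves a comment naming which script reads PID 1's environment, since that is an unusual read for an MOTD fragment.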
--- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -24,10 +24,10 @@ profile mpsyt @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/tset rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index b30da1c13..bc20a0f9a 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -13,9 +13,11 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 409834fbc..588f4b6b1 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/multipath +@{exec_path} = @{sbin}/multipath profile multipath @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index 14bb16caf..bbb6a87a6 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/multipathd +@{exec_path} = @{sbin}/multipathd profile multipathd @{exec_path} { include include 
@@ -20,7 +20,8 @@ profile multipathd @{exec_path} {
   network netlink raw,
-  unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
+  unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
+  unix type=stream addr=@/org/kernel/linux/storage/multipathd,
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble
index 48ed42d84..a85eb6790 100644
--- a/apparmor.d/profiles-m-r/mumble
+++ b/apparmor.d/profiles-m-r/mumble
@@ -30,7 +30,7 @@ profile mumble @{exec_path} {
   @{exec_path} mrix,
-  @{bin}/lsb_release rPx -> lsb_release,
+  @{bin}/lsb_release rPx,
   @{browsers_path} rPx,
   @{open_path} rPx -> child-open,
diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay
index 8d17ef3d6..86792860c 100644
--- a/apparmor.d/profiles-m-r/mumble-overlay
+++ b/apparmor.d/profiles-m-r/mumble-overlay
@@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} {
   @{sh_path} rix,
   @{bin}/file rix,
-  @{bin}/which{,.debianutils} rix,
+  @{bin}/which{,.debianutils} rix,
   @{bin}/glxgears rPx,
diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd
index 9d7663ebb..2065dd814 100644
--- a/apparmor.d/profiles-m-r/murmurd
+++ b/apparmor.d/profiles-m-r/murmurd
@@ -29,7 +29,7 @@ profile murmurd @{exec_path} {
   @{exec_path} mr,
-  @{bin}/lsb_release rPx -> lsb_release,
+  @{bin}/lsb_release rPx,
   /etc/mumble-server.ini r,
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index 28006f479..a91aba241 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
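Review bot: Dropping the access list turns `unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),` and the new `unix type=stream addr=@/org/kernel/linux/storage/multipathd,` into all-access unix rules (create, bind, listen, accept, send, receive, and the rest). The second rule is what lets the daemon bind its own abstract socket, so some widening is expected, but spelling the accesses out keeps the intent reviewable: `unix (bind, listen, accept, send, receive) type=stream addr=@/org/kernel/linux/storage/multipathd,` for the server side and `unix (connect, send, receive) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),` for the client side. The multipathd profile body lies outside this hunk.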
@@ -115,19 +115,7 @@ profile mutt @{exec_path} {
   profile pager {
     include
-    include
-
-    @{pager_path} mr,
-
-    /usr/share/terminfo/** r,
-    /usr/share/file/misc/magic.mgc r,
-
-    owner @{HOME}/ r,
-    owner @{HOME}/.lesshs* rw,
-    owner @{HOME}/.terminfo/@{int}/* r,
-    owner @{user_cache_dirs}/lesshs* rw,
-    owner @{user_state_dirs}/ r,
-    owner @{user_state_dirs}/lesshs* rw,
+    include
     # This is the file that holds the message
     owner /{var/,}tmp/mutt* rw,
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 56f95b589..8c908ddb4 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -6,73 +6,67 @@ abi , include -@{exec_path} = @{bin}/needrestart +@{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include - include capability checkpoint_restore, capability dac_read_search, - capability kill, capability sys_ptrace, - ptrace (read), - - mqueue (r,getattr) type=posix /, + ptrace read, @{exec_path} mrix, - @{bin}/* r, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/locale rix, - @{bin}/python3.@{int} rix, - @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{bin}/unix_chkpwd rPx, - @{bin}/whiptail rPx, - @{bin}/who rix, + @{bin}/who rPx, @{lib}/needrestart/* rPx, - /usr/share/debconf/frontend rix, + @{python_path} rix, + @{sbin}/unix_chkpwd rPx, - /usr/share/needrestart/{,**} r, - /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, + @{etc_ro}/needrestart/hook.d/* rPx, + @{etc_ro}/needrestart/notify.d/* rPx, + @{etc_ro}/needrestart/restart.d/* rPx, - /etc/debconf.conf r, /etc/init.d/* r, /etc/needrestart/{,**} r, - /etc/needrestart/*.d/* rix, /etc/shadow r, / r, - /boot/ r, - /boot/intel-ucode.img r, - /boot/vmlinuz* r, + @{efi}/ r, + @{efi}/* r, + /opt/*/** r, + @{bin}/* r, + @{lib}/** r, + @{sbin}/** r, + @{att}/@{lib}/** r, + /usr/share/** r, + /var/lib/*/** r, - owner /var/lib/juju/agents/{,**} r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + @{run}/systemd/sessions/* r, - owner @{run}/sshd.pid r, + /tmp/@{word10}/ rw, @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/maps r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, + deny mqueue type=posix /, + profile systemctl { include include 
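Review bot: The new read rules `/opt/*/** r,`, `@{lib}/** r,`, `@{sbin}/** r,`, `/usr/share/** r,` and especially `/var/lib/*/** r,` give needrestart a near-global read over the system, and together with the `capability dac_read_search,` the profile keeps, DAC protection on anything under /var/lib is bypassed as well. needrestart has to read binaries and libraries to decide what to restart, so the bin/lib/sbin rules are defensible; `/var/lib/*/** r,` is not obviously needed and should be narrowed to the subtrees that appeared in the logs or be justified in a comment. `/tmp/@{word10}/ rw,` also lacks `owner` and has no file rule beneath it, so it is unclear what it serves. Moving the hook/notify/restart directories to `rPx` child profiles instead of the old `/etc/needrestart/*.d/* rix` is a clear improvement. The profile body continues past this hunk.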
@@ -80,7 +74,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
     capability sys_resource,
     capability net_admin,
-    signal send set=term peer=systemd-tty-ask-password-agent,
+    signal send set=(cont term) peer=systemd-tty-ask-password-agent,
     @{bin}/systemd-tty-ask-password-agent Px,
diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
index 5f3912105..b70a49be8 100644
--- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
+++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/needrestart/apt-pinvoke
-profile needrestart-apt-pinvoke @{exec_path} {
+profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
@@ -19,11 +19,13 @@ profile needrestart-apt-pinvoke @{exec_path} {
   @{sh_path} rix,
   @{bin}/dbus-send rix,
-  @{bin}/needrestart rPx,
+  @{sbin}/needrestart rPx,
   @{bin}/rm rix,
   @{run}/needrestart/{,**} rw,
+  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
   include if exists
 }
diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook
new file mode 100644
index 000000000..c8c9a12c4
--- /dev/null
+++ b/apparmor.d/profiles-m-r/needrestart-hook
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{etc_ro}/needrestart/hook.d/*
+profile needrestart-hook @{exec_path} {
+  include
+  include
+  include
+
+  @{exec_path} mr,
+  @{sh_path} rix,
+
+  @{bin}/dpkg-query px,
+
+  /tmp/ r,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
index 75b150042..3c826cd74 100644
--- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
+++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
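Review bot: `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` in needrestart-apt-pinvoke looks like an inherited file descriptor (unattended-upgrades redirecting the dpkg hook's output into its log) rather than a file the script opens itself; the same path is added to needrestart-restart in this change set. The repository marks such rules with a `# file_inherit` comment (see the openbox profile), so I would annotate it that way and check whether `w` alone suffices, since an inherited log fd is write-only. The `flags=(attach_disconnected)` addition on the profile line is not explained either; a short comment on what becomes disconnected would help the next reader.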
@@ -12,20 +12,23 @@ profile needrestart-iucode-scan-versions @{exec_path} {
   @{exec_path} mr,
-  @{bin}/iucode_tool rix,
   @{sh_path} rix,
   @{bin}/{,e}grep rix,
   @{bin}/bsdtar rix,
   @{bin}/cat rix,
+  @{sbin}/iucode_tool rix,
   /usr/share/misc/ r,
+  /usr/share/misc/amd-microcode* r,
   /usr/share/misc/intel-microcode* r,
+  /etc/default/amd-microcode r,
   /etc/default/intel-microcode r,
   /etc/needrestart/iucode.sh r,
-  /boot/intel-ucode.img r,
-  /boot/early_ucode.cpio r,
+  @{efi}/amd-ucode.img r,
+  @{efi}/intel-ucode.img r,
+  @{efi}/early_ucode.cpio r,
   @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r,
diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify
new file mode 100644
index 000000000..82465ceb2
--- /dev/null
+++ b/apparmor.d/profiles-m-r/needrestart-notify
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{etc_ro}/needrestart/notify.d/*
+profile needrestart-notify @{exec_path} {
+  include
+  include
+
+  capability dac_read_search,
+  capability sys_ptrace,
+
+  ptrace read,
+
+  @{exec_path} mr,
+
+  @{sh_path} r,
+  @{bin}/fold ix,
+  @{bin}/gettext.sh r,
+  @{bin}/mail Px,
+  @{bin}/notify-send Px,
+  @{bin}/sed ix,
+
+  /etc/needrestart/notify.conf r,
+
+  @{PROC}/@{pid}/environ r,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart
new file mode 100644
index 000000000..964ff1a74
--- /dev/null
+++ b/apparmor.d/profiles-m-r/needrestart-restart
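Review bot: needrestart-notify grants `capability sys_ptrace,`, `capability dac_read_search,`, `ptrace read,` and `@{PROC}/@{pid}/environ r,` to the shell scripts in `/etc/needrestart/notify.d/`, which lets them read the environment block of every process on the system — and environment blocks routinely carry tokens and credentials. Presumably this is how the notify script locates a user's `DISPLAY`/`DBUS_SESSION_BUS_ADDRESS` before calling `notify-send`; if so, say it next to the rule, e.g. `# Locate user sessions (DISPLAY, DBUS_SESSION_BUS_ADDRESS) to notify`, so the grant is not widened further later. If the scripts only ever inspect their own environment, `owner @{PROC}/@{pid}/environ r,` would be enough and the two capabilities could go.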
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{etc_ro}/needrestart/restart.d/* +profile needrestart-restart @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + @{sh_path} r, + + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index f7e9d76a1..3828f9228 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -14,13 +14,21 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/bzip2 rix, + @{bin}/{,e}grep rix, + @{bin}/gunzip rix, + @{bin}/gzip rix, + @{bin}/lzop rix, @{bin}/mktemp rix, @{bin}/rm rix, + @{bin}/tail rix, @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rPx, + @{bin}/xz rix, - /boot/vmlinuz* r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/vmlinuz* r, owner @{tmp}/tmp.@{rand10} rw, diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index e3edb99c3..c7c9160d7 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -21,7 +21,12 @@ profile nemo @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open, + + @{bin}/gdk-pixbuf-thumbnailer rPx, + /usr/share/nemo/** r, + /usr/share/thumbnailers/{,*.thumbnailer} r, # Full access to user's data / r, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index e19884997..a23a095e9 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat 
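Review bot: The `systemctl` child in needrestart-restart grants `capability sys_ptrace,` and `capability net_admin,` to the systemctl invocations of admin-editable `@{etc_ro}/needrestart/restart.d/*` scripts without a comment, and the parent also writes `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,`, which is most likely an inherited fd from unattended-upgrades rather than a file the script opens (the repository's `# file_inherit` marker would make that explicit). Neither is wrong for a root-run restart helper, but the two capabilities deserve a one-line justification; the motd profile's `systemctl` child in this set carries the same pair plus `@{run}/systemd/private rw,`, so the reason is probably shared and worth stating once. `@{sh_path} r` without `ix` matches the other new script profiles here (needrestart-hook uses `rix`); worth confirming the bare `r` is sufficient on the AppArmor versions targeted.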
@@ -13,12 +13,18 @@ include profile netstat @{exec_path} { include include - include + include capability dac_read_search, capability sys_ptrace, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + ptrace (trace,read), @{exec_path} rmix, diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 9e5944bff..771bbb3b6 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/nvidia-settings -profile nvidia-settings @{exec_path} { +profile nvidia-settings @{exec_path} flags=(attach_disconnected) { include include include @@ -21,8 +21,20 @@ profile nvidia-settings @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/devices r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 143808f76..1d6d62e2b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi 
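Review bot: The five `network` rules added to netstat (`inet`/`inet6` `dgram` and `stream`, plus `netlink raw`) are broader than the tool's job suggests: socket-diag queries need `netlink raw`, and interface ioctls typically need an `inet dgram` socket, but `inet stream` / `inet6 stream` would only matter if netstat connected somewhere, which as far as I know it never does on its own. I would keep `netlink raw` and the `dgram` pair, drop the `stream` pair unless a denial in the logs shows otherwise, and record the reason in a comment (`# netlink for sock_diag, dgram for interface ioctls`). With `ptrace (trace,read),` and `capability sys_ptrace,` already in the profile, trimming the socket families is a cheap reduction. The profile body continues past this hunk.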
@@ -21,10 +21,11 @@ profile nvidia-smi @{exec_path} { @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-caps/nvidia-cap@{int} rw, /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools r, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index e4846d58e..d0553d186 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -43,15 +43,16 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/pcie_bw r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/ r, - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/fdinfo/@{int} r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/dri/ r, /dev/nvidia-caps/ rw, diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index b0c4d88c6..9d9ed2a94 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -13,7 +13,7 @@ profile obamenu @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 7b5521802..73447e33e 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama 
@@ -38,8 +38,15 @@ profile ollama @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/ollama@{int}/{,**} rw,
   owner @{tmp}/ollama@{int}/runners/{,**} mr,
+  @{sys}/devices/@{pci}/drm/card@{int}/ r,
+  @{sys}/devices/@{pci}/drm/card@{int}/*/ r,
+  @{sys}/devices/@{pci}/mem_info_vram_total r,
+  @{sys}/devices/@{pci}/mem_info_vram_used r,
   @{sys}/devices/@{pci}/numa_node r,
   @{sys}/devices/system/node/node@{int}/cpumap r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
   @{PROC}/devices r,
   @{PROC}/sys/net/core/somaxconn r,
diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power
index c92d4d849..16ccfd9da 100644
--- a/apparmor.d/profiles-m-r/on-ac-power
+++ b/apparmor.d/profiles-m-r/on-ac-power
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/on_ac_power
+@{exec_path} = @{sbin}/on_ac_power
 profile on-ac-power @{exec_path} {
   include
@@ -18,6 +18,7 @@ profile on-ac-power @{exec_path} {
   @{bin}/cat rix,
   @{sys}/class/power_supply/ r,
+  @{sys}/class/typec/ r,
   @{sys}/devices/**/power_supply/**/{online,type} r,
   @{PROC}/pmu/info r,
diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler
new file mode 100644
index 000000000..2593b78ac
--- /dev/null
+++ b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/open-iscsi/net-interface-handler
+profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) {
+  include
+
+  @{exec_path} mr,
+  @{sh_path} r,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox
index d136ee08f..899290792 100644
--- a/apparmor.d/profiles-m-r/openbox
+++ b/apparmor.d/profiles-m-r/openbox @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run @{bin}/* rPUx, @@ -75,7 +75,7 @@ profile openbox @{exec_path} { /etc/xdg/autostart/{,*} r, # Silencer - deny @{lib}/python3/** w, + deny @{lib}/@{python_name}/** w, deny owner @{user_lib_dirs}/python*/site-packages/ r, # file_inherit diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index c058003ff..f9e5b2058 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -15,30 +15,35 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, + mount options=(rprivate, rw) -> /, + mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/, + umount /var/lib/os-prober/mount/, + mqueue (read getattr) type=posix /, + @{exec_path} mrix, @{sh_path} rix, @{bin}/{e,f,}grep rix, - @{bin}/blkid rPx, - @{bin}/btrfs rPx, + @{sbin}/blkid rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/head rix, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, - @{bin}/multipath rPx, + @{sbin}/multipath rPx, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/rmdir rix, @@ -46,7 +51,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, 
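Review bot: The new `mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/,` rule in os-prober has no source and no `fstype=` restriction, so the profile allows any device or filesystem type to be mounted read-write at that point; mounting untrusted partitions is inherent to the tool, but `rw` with neither `noexec` nor a device restriction is more than probing requires. Constraining the source, e.g. `mount options=(rw, nosuid, nodev) /dev/** -> /var/lib/os-prober/mount/,`, and adding an `fstype=` list matching what the logs actually show would keep a crafted image from being mounted with broader options than intended. `mount options=(rprivate, rw) -> /,` changes propagation on the root mount and is presumably tied to the `@{lib}/newns rix` helper; a comment such as `# Keep probe mounts from propagating to the host namespace (newns)` would record that. The os-prober profile body starts before this hunk.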
@@ -58,9 +63,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, / r, - /boot/{efi/,} r, - /boot/{efi/,}EFI/ r, - /boot/{efi/,}EFI/**/ r, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index ef3ea4bee..d0bb4a1ed 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -17,11 +17,16 @@ profile ouch @{exec_path} { owner @{HOME}/.tmp@{rand6}/{,**} rw, owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw, + owner /tmp/ w, + owner /tmp/.tmp@{rand6}/{,**} rw, + owner /tmp/.tmp-ouch@{rand6}/{,**} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 6847476e3..9de9cadf9 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -40,11 +40,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.PackageKit - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - @{exec_path} mr, @{bin}/gpg{,2} rCx -> gpg, @@ -56,8 +51,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, - @{bin}/ischroot rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, 
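Review bot: `owner /tmp/ w,` in the ouch hunk is very likely dead for unprivileged users: `owner` only matches when the process's uid owns the object, and `/tmp` is root-owned, while AppArmor's path mediation checks creation of `/tmp/.tmpXXXXXX` against the new path (which `owner /tmp/.tmp@{rand6}/{,**} rw,` already covers), not against a write on the parent directory. If the rule came from a log line, it is worth finding out what opened `/tmp` itself for writing; otherwise it should go so the profile does not advertise a grant that never applies. Switching `session-@{int}.scope` to `session-@{word}.scope` mirrors the mullvad-setup change in this set and is fine. The ouch profile body starts before this hunk.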
@@ -69,6 +63,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, @{bin}/install-info rPx, + @{bin}/ischroot rPx, + @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @@ -78,10 +74,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index e2846f8e6..947fb2f4e 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update 
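Review bot: `@{bin}/rpm rPUx, #aa:only opensuse` falls back to running rpm unconfined whenever no `rpm` profile is loaded, and rpm executes package scriptlets as root, so on openSUSE this is effectively an unconfined exit from packagekitd. If that is the accepted state until an rpm profile exists, record it on its own comment line above the rule, e.g. `# TODO: write the rpm profile (rPUx = unconfined fallback)`, in the same way `InstallAppdata` carries `# TODO: write the profile` below; a second `#` on the `#aa:only` line itself should be avoided because the prebuild directive parser owns that line.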
@@ -7,61 +7,24 @@ abi , include -@{exec_path} = @{bin}/pam-auth-update +@{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include - include - include + include - @{exec_path} mr, - @{bin}/perl r, + @{exec_path} mrix, - @{bin}/md5sum rix, - @{bin}/cp rix, + @{bin}/cp ix, + @{bin}/md5sum ix, + @{bin}/stty ix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - /etc/pam.d/* rw, - /var/lib/pam/* rw, /usr/share/pam{,-configs}/{,*} r, + /etc/pam.d/* rw, + /etc/shadow r, - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/pam-auth-update rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - # The following is needed when debconf uses GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, - - /etc/shadow r, - - include if exists - } + /var/lib/dpkg/info/libpam-runtime.templates r, + /var/lib/pam/* rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index 510c2abad..fc767e5b3 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pam-tmpdir-helper +@{exec_path} = @{bin}/pam-tmpdir-helper @{lib}/pam-tmpdir/pam-tmpdir-helper profile pam-tmpdir-helper @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings deleted file mode 100644 index cbcb539ed..000000000 --- a/apparmor.d/profiles-m-r/pam/mappings +++ /dev/null 
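Review bot: `/etc/shadow r,` now sits in the main pam-auth-update profile, whereas before it lived only in the debconf `frontend` child that this change removes, and nothing in the remaining rules (cp, md5sum, stty, /etc/pam.d, /var/lib/pam, the libpam-runtime templates) shows why the script itself needs password hashes. Because the profile stays `flags=(complain)`, an allowed rule also silences the `ALLOWED` audit line that would otherwise show the access, so either justify it inline, `/etc/shadow r, # read by the debconf frontend re-exec (see @{exec_path} mrix)`, or drop it until an enforce-mode run shows the denial. The removal of `/usr/share/debconf/frontend rPx` leaves no visible exec rule for the debconf frontend that Debconf::Client re-execs the script through; if that is now provided by one of the (unrendered) include lines this is fine, otherwise it is a missing transition rather than a tightened one.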
@@ -1,72 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example - -# This file contains the mappings from users to roles for the binaries -# confined with AppArmor and configured for use with libpam-apparmor. Users -# without a mapping will not be able to login. -# -# The default hat is a confined user. The hat contains only the permissions -# necessary to transition to the user's login shell. All other permissions have -# been moved into the default_user profile. -^DEFAULT { - include - include - - capability dac_override, - capability setgid, - capability setuid, - - /etc/default/su r, - @{etc_ro}/environment r, - - @{shells_path} rPx -> user_default, - - include if exists -} - -# USER is a confined user. The hat contains only the permissions necessary -# to transition to gray's login shell. All other permissions have been -# moved into the confined_user profile. -^USER { - include - include - - capability dac_override, - capability audit_write, - capability setgid, - capability setuid, - - @{shells_path} rPx -> user_confined, - - /etc/default/su r, - @{etc_ro}/environment r, - - include if exists -} - -# Don't confine members whose primary group is 'admin' who are not specifically -# confined. Systems without this special primary group may want to define an -# unconfined 'root' hat in this manner (depending on site policy). -^root { - include - include - include - - capability dac_override, - capability audit_write, - capability setgid, - capability setuid, - - @{shells_path} rUx, - - /etc/default/su r, - @{etc_ro}/environment r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 4a98dbae8..1ae7f5478 100644 --- a/apparmor.d/profiles-m-r/parted 
+++ b/apparmor.d/profiles-m-r/parted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/parted +@{exec_path} = @{sbin}/parted profile parted @{exec_path} { include include @@ -22,7 +22,7 @@ profile parted @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 6a0a6c9cf..79e4b0ffb 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/partprobe +@{exec_path} = @{sbin}/partprobe profile partprobe @{exec_path} { include include @@ -23,7 +23,7 @@ profile partprobe @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{PROC}/devices r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index fe06a346d..30f92c964 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -24,7 +24,7 @@ profile pass @{exec_path} { @{bin}/env r, @{bin}/find ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/head ix, @{bin}/mkdir ix, @{bin}/mktemp ix, @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} rix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, @@ -53,7 +53,7 @@ profile pass @{exec_path} { # Pass extensions @{bin}/oathtool ix, # pass-otp - @{bin}/python3.@{int} Px -> pass-import, # pass-import, pass-audit + @{python_path} Px -> pass-import, # pass-import, pass-audit @{bin}/qrencode PUx, # pass-otp @{bin}/tomb PUx, # pass-tomb 
@@ -146,6 +146,7 @@ profile pass @{exec_path} { owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 4977bb51a..8d55dd156 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -24,9 +24,9 @@ profile pass-import @{exec_path} { @{bin}/ r, @{bin}/gcc rix, # TODO: Test deny @{bin}/ld rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/pass rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{lib}/gcc/**/collect2 rix, @{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index e736299fa..2923f70cd 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -10,13 +10,9 @@ include @{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include - include - include - include + include include - include - include - include + include include include @@ -24,7 +20,7 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - @{bin}/dash rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 984b566cf..d5bcc4293 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pcscd +@{exec_path} = @{sbin}/pcscd profile pcscd @{exec_path} { include include 
@@ -16,13 +16,13 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace (read) peer=@{p_systemd_user}, - ptrace (read) peer=gsd-smartcard, - ptrace (read) peer=keepassxc, - ptrace (read) peer=pkcs11-register, - ptrace (read) peer=rngd, - ptrace (read) peer=scdaemon, - ptrace (read) peer=veracrypt, + ptrace read peer=@{p_systemd_user}, + ptrace read peer=gsd-smartcard, + ptrace read peer=keepassxc, + ptrace read peer=pkcs11-register, + ptrace read peer=rngd, + ptrace read peer=scdaemon, + ptrace read peer=veracrypt, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 5da955cba..76b9942fb 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pidof -profile pidof @{exec_path} { +profile pidof @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index a0244956d..d07a64a5a 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -11,16 +11,12 @@ include profile pinentry-gtk @{exec_path} { include include - include - include include - include + include @{exec_path} mr, - /usr/share/gtk-@{int}.@{int}/{,**} r, - - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + @{PROC}/@{pid}/cmdline r, owner /dev/tty@{int} r, diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo index 111b157c5..324b08f17 100644 --- a/apparmor.d/profiles-m-r/pokemmo +++ b/apparmor.d/profiles-m-r/pokemmo @@ -37,7 +37,7 @@ profile pokemmo @{exec_path} flags=(attach_disconnected) { @{bin}/java ix, @{bin}/perl ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{lib}/jvm/java-@{int}-openjdk/bin/java ix, # Installer diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate new file mode 100644 index 000000000..5a10cc9e2 --- /dev/null +++ b/apparmor.d/profiles-m-r/pollinate 
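Review bot: `@{PROC}/@{pid}/cmdline r,` carries no `owner` qualifier, so the PIN-entry dialog may read the command line of every process on the host, and command lines routinely carry passwords and tokens passed as arguments. Pinentry should only need its own (or its caller's, same uid) `cmdline`, presumably to label which program is asking for the passphrase; restrict it with `owner @{PROC}/@{pid}/cmdline r,`, matching the `owner /dev/tty@{int} r,` rule kept just below it.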
@@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pollinate +profile pollinate @{exec_path} { + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/curl rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-query rpx, + @{bin}/hostname rix, + @{bin}/logger rix, + @{bin}/systemd-detect-virt rPx, + @{bin}/xxd rix, + + /etc/cloud/build.info r, + /etc/default/pollinate r, + /etc/lsb-release r, + /etc/pollinate/{,**} r, + + owner /var/cache/pollinate/seeded w, + + owner /tmp/pollinate.@{rand12}/{,**} rw, + + @{PROC}/uptime r, + + /dev/urandom w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index ba9d813c2..0bbd727ae 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -21,7 +21,6 @@ profile popularity-contest @{exec_path} { ptrace (read), @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/env rix, @@ -42,7 +41,7 @@ profile popularity-contest @{exec_path} { /var/lib/ r, /var/lib/dpkg/info/{,*.list} r, /var/log/ r, - /var/log/popularity-contest.[0-9]* w, + /var/log/popularity-contest.@{int} w, /var/log/popularity-contest.new w, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index fe4e35724..b8f50ff7c 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -12,6 +12,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include + include include capability dac_read_search, 
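Review bot: `@{bin}/dpkg-query rpx,` uses lowercase `p`, which transitions to the dpkg-query profile without scrubbing the environment, while the neighbouring `@{bin}/dpkg rPx -> child-dpkg,` scrubs it; for a root-run shell script that inherits whatever environment systemd or cloud-init gave it, the unscrubbed form reads like a typo rather than a decision. Change it to `@{bin}/dpkg-query rPx,` or add a comment stating which variable dpkg-query must receive. `/dev/urandom w,` is the purpose of the tool rather than an over-grant and deserves `# seeds the kernel entropy pool` so it is not "tightened" away later.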
@@ -27,12 +28,15 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, @{sys}/class/ r, + @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index da0c5f785..45c6766e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -12,8 +12,9 @@ abi , include @{exec_path} = @{lib}/protonmail/bridge/bridge -profile protonmail-bridge-core @{exec_path} { +profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include + include include include @@ -25,7 +26,9 @@ profile protonmail-bridge-core @{exec_path} { @{exec_path} mr, - @{bin}/pass rCx -> pass, + @{bin}/pass Cx -> pass, + + @{lib}/protonmail/bridge/bridge-gui ix, /etc/lsb-release r, /etc/machine-id r, @@ -40,14 +43,13 @@ profile protonmail-bridge-core @{exec_path} { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, - deny @{bin}/pass x, deny owner @{user_passwordstore_dirs}/** r, profile pass { 
@@ -70,10 +72,11 @@ profile protonmail-bridge-core @{exec_path} { @{bin}/tail rix, @{bin}/tree rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, owner @{user_passwordstore_dirs}/ r, owner @{user_passwordstore_dirs}/.gpg-id r, + owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, deny owner @{user_passwordstore_dirs}/**/ r, diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index da5753161..08b286b5a 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem @@ -17,7 +17,7 @@ profile ps-mem @{exec_path} { ptrace (read), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 33435fa8d..02bf3bc56 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -34,7 +34,7 @@ profile psi @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, @@ -54,7 +54,7 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 32c05e55b..a455df0e9 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -34,7 +34,7 @@ profile psi-plus @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, 
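Review bot: `owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw,` inside the `pass` child grants the bridge read/write over the `docker-credential-helpers/` subtree of the user's password store, which is also where the `docker-credential-pass` helper keeps Docker registry credentials; the bridge presumably stores its own entries through the docker-credential-helpers library, but as written the rule also exposes unrelated registry secrets kept in the same store. If the bridge's entries can be identified (a fixed prefix, or the existing `protonmail-credentials/` path), narrow the glob to that; otherwise add `# bridge stores secrets via docker-credential-helpers and shares this namespace with docker-credential-pass` so the overlap is a documented choice. Note that the `deny owner @{user_passwordstore_dirs}/**/ r,` line below only blocks directory listing and does not limit file contents under the newly allowed subtree.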
@@ -54,7 +54,7 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile new file mode 100644 index 000000000..c308dcd91 --- /dev/null +++ b/apparmor.d/profiles-m-r/pycompile @@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean +profile pycompile @{exec_path} flags=(attach_disconnected,complain) { + include + include + include + include + + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + @{python_path} rix, + + @{bin}/dpkg rCx -> dpkg, + + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, + + /usr/share/python3/{,**} r, + + / r, + @{bin}/ r, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + @{bin}/dpkg-query rpx, + + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index a5fcbb91e..5d9cba087 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -29,7 +29,7 @@ profile qbittorrent @{exec_path} { include include - signal send set=(term, kill) peer=qbittorrent//python3, + signal send set=(term, kill) peer=qbittorrent//python, network inet dgram, network inet6 dgram, 
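Review bot: The new `dpkg` child profile duplicates what pollinate, added in this same change, delegates to the shared `child-dpkg` profile (`@{bin}/dpkg rPx -> child-dpkg,`); using the shared profile here avoids maintaining a second, narrower rule set that will drift. Separately, `@{python_path} rix,` runs the interpreter inline with `capability dac_override` and `dac_read_search`, so the whole Python runtime (including any site customization it loads at start-up) inherits the DAC bypass; that is tolerable while the profile is `complain`, but the reason should be recorded before it is moved to enforce, e.g. `capability dac_read_search, # byte-compile trees installed root-only`.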
@@ -68,7 +68,7 @@ profile qbittorrent @{exec_path} { @{exec_path} mr, @{open_path} rPx -> child-open, - @{bin}/python3.@{int} rCx -> python, # For "search engine" + @{python_path} rCx -> python, # For "search engine" # Allowed apps to open @{bin}/ebook-viewer rPx, @@ -129,9 +129,9 @@ profile qbittorrent @{exec_path} { network inet6 stream, network netlink raw, - @{bin}/python3.@{int} r, + @{python_path} r, - owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, + owner @{user_share_dirs}/{,data/}qBittorrent/nova@{int}/{,**} rw, owner @{user_torrents_dirs}/** r, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 7e63560ec..5173c50d8 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,41 +6,39 @@ abi , include -@{exec_path} = @{bin}/qemu-ga +@{exec_path} = @{sbin}/qemu-ga profile qemu-ga @{exec_path} { include - include - - capability mknod, - capability net_admin, - capability sys_ptrace, - - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace (read) peer=@{p_systemd}, - - unix type=stream addr=@@{udbus}/bus/shutdown/system, - - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, - @{bin}/systemctl rix, + @{bin}/systemctl Cx -> systemctl, /etc/qemu/qemu-ga.conf r, - owner @{run}/qga.state* rw, + owner @{run}/qga.state rw, + owner @{run}/qga.state.@{rand6} rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/sys/vm/max_map_count r, - owner @{PROC}/@{pid}/net/dev r, + @{PROC}/sys/vm/max_map_count r, /dev/vport@{int}p@{int} rw, + profile systemctl { + include + include + + capability net_admin, + + unix type=stream addr=@@{udbus}/bus/shutdown/system, + + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + + include if exists + } + include if exists } 
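Review bot: The restructured profile gives qemu-ga no exec rule other than `@{bin}/systemctl Cx -> systemctl,`, so the agent's `guest-exec`, `guest-file-*` and password-setting RPCs, which run host-supplied commands and touch arbitrary files, will be denied in enforce mode; that is a sensible hardening but it is invisible to an operator reading the profile or the host-side errors. Add a header comment stating it, such as `# guest-exec and guest-file-* are intentionally not permitted; block them in /etc/qemu/qemu-ga.conf (block-rpcs) so the host gets a clean error instead of an AppArmor denial`. The `systemctl` child's `capability net_admin` and the logind D-Bus talk are presumably for the shutdown path; a short `# guest-shutdown via logind` on the `#aa:dbus talk` line would make that explicit.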
diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 89395f8b5..d1194abf5 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -47,7 +47,8 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 47dd9beab..81f43b3e6 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rdmsr +@{exec_path} = @{sbin}/rdmsr profile rdmsr @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index f59880046..c2bc95465 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina 
@@ -22,29 +22,37 @@ profile remmina @{exec_path} { include include include + include include include include + include include network inet stream, network inet6 stream, + network inet dgram, + network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.remmina.Remmina + #aa:dbus own bus=session name=org.remmina.Remmina interface+=org.gtk.Actions #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - @{exec_path} r, + @{exec_path} rm, + + @{open_path} rPx -> child-open-browsers, /usr/share/remmina/{,**} r, /usr/share/themes/{,**} r, - /etc/timezone r, + /etc/fstab r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, + /etc/timezone r, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + owner @{HOME}/@{XDG_SSH_DIR}/config r, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r, owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw, owner @{user_cache_dirs}/remmina/{,**} rw, @@ -58,6 +66,9 @@ profile remmina @{exec_path} { owner @{run}/user/@{uid}/keyring/ssh rw, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + include if exists } diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index a1fd7b3b3..5ad84fb15 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -27,7 +27,7 @@ profile repo @{exec_path} { @{bin}/curl rix, @{bin}/env rix, @{bin}/git rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/uname rix, @{lib}/git{,-core}/git* rix, diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 7b28a1d22..38d482326 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/resize2fs +@{exec_path} = @{sbin}/resize2fs profile resize2fs @{exec_path} { include include 
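Review bot: Narrowing `owner @{HOME}/@{XDG_SSH_DIR}/{,*} r` to `config` and `known_hosts` means identity files (`id_*`, or an `IdentityFile` named in `config`) are no longer readable, so key-based SSH tunnels only work through the agent socket granted below (`@{run}/user/@{uid}/keyring/ssh`). That is a defensible choice, but it should be stated so the next denial report is not "fixed" by re-widening: `owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r, # private keys intentionally excluded: use ssh-agent`. The added `/etc/fstab r` has no obvious relation to a remote-desktop client; if it comes from a GIO mount probe, say so in a trailing comment.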
diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index c050ce970..8e39c7620 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/resolvconf +@{exec_path} = @{sbin}/resolvconf profile resolvconf @{exec_path} { include include @@ -26,7 +26,7 @@ profile resolvconf @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, - /usr/lib/resolvconf/{,**} r, + @{lib}/resolvconf/{,**} r, @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index 041a03e07..c65298b27 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rfkill +@{exec_path} = @{sbin}/rfkill profile rfkill @{exec_path} { include @@ -15,8 +15,8 @@ profile rfkill @{exec_path} { /dev/rfkill rw, - @{sys}/devices/@{pci}/rfkill[0-9]/{name,type} r, - @{sys}/devices/platform/**/rfkill/rfkill[0-9]/{name,type} r, + @{sys}/devices/@{pci}/rfkill@{int}/{name,type} r, + @{sys}/devices/platform/**/rfkill/rfkill@{int}/{name,type} r, include if exists } diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 8ae73c5d0..ebbf0a5ab 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rngd +@{exec_path} = @{sbin}/rngd profile rngd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index b4ae4b211..ede981f58 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd 
@@ -7,33 +7,32 @@ abi , include -# Debugging the syslogger can be difficult if it can't write to the file -# that the kernel is logging denials to. In these cases, you can do the -# following: -# watch -n 1 'dmesg | tail -5' - -@{exec_path} = @{bin}/rsyslogd +@{exec_path} = @{sbin}/rsyslogd profile rsyslogd @{exec_path} { include - include + include - capability chown, # For creating new log files and changing their owner/group - capability net_admin, # For remote logs - capability setgid, # For downgrading privileges + capability dac_override, + capability dac_read_search, + capability setgid, capability setuid, capability sys_nice, + capability sys_tty_config, capability syslog, + network inet dgram, + network inet6 dgram, + + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, + @{sh_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, - /etc/CA/*.crt r, - /etc/CA/*.key r, - /var/log/** rw, /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index d3a88d78a..68837a52d 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -23,11 +23,6 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.RealtimeKit1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - @{exec_path} mr, # When applying policies to processes diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index 9417c93b1..733573d6b 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rtkitctl +@{exec_path} = @{sbin}/rtkitctl profile rtkitctl @{exec_path} { include 
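Review bot: `@{sh_path} mr,` grants map and read of the shell but no execute mode, so it cannot serve the `omprog`/`ompipe` use that a shell rule usually implies; if a denial drove this line it is worth checking whether `rix` or a `Cx` child is what is actually needed, and if not the line is dead. The rewrite also drops the per-capability comments and adds `capability dac_override` and `dac_read_search`, which together with `/var/log/** rw` let the daemon read and overwrite any file regardless of mode bits; each capability should carry its reason again, e.g. `capability dac_read_search, # imfile: read logs owned by other users`. `/etc/CA/*.crt` and `*.key` were removed without replacement, so TLS remote logging now needs its certificate paths via the local override; a comment pointing there would save a support round-trip.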
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index c20b305e1..e5d44e13a 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,12 +4,6 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile -# Possible confinement depending of profile architecture: -# - As rix, -# - As rCx -> run-parts, -# - As rPx -> foo-run-parts, - abi , include @@ -25,7 +19,7 @@ profile run-parts @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/anacron rix, + @{sbin}/anacron rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/nice rix, @@ -38,6 +32,7 @@ profile run-parts @{exec_path} { /etc/anacrontab r, /etc/conf.d/snapper{,**} r, /etc/default/* r, + /etc/profile.d/{,**} r, /etc/snapper/configs/root r, # Crontab 
@@ -112,36 +107,24 @@ profile run-parts @{exec_path} { # Motd /etc/update-motd.d/ r, - /etc/update-motd.d/* rCx -> motd, + /etc/update-motd.d/* rPx, # Kernel - /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel, - - /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, - /etc/kernel/postinst.d/dkms rCx -> kernel, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, - /etc/kernel/postinst.d/zz-shim rCx -> kernel, - /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, - + /etc/kernel/{,header_}postinst.d/ r, + /etc/kernel/{,header_}postinst.d/* rPx, /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, - + /etc/kernel/postrm.d/* rPx, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel, - + /etc/kernel/preinst.d/* rPx, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel, + /etc/kernel/prerm.d/* rPx, + # Finalrd /usr/share/finalrd/ r, - /usr/share/finalrd/mdadm.finalrd rPUx, - /usr/share/finalrd/open-iscsi.finalrd rPUx, + /usr/share/finalrd/mdadm.finalrd rPUx, + /usr/share/finalrd/open-iscsi.finalrd rPUx, - /usr/share/landscape/landscape-sysinfo.wrapper rPUx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, /root/ r, 
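Review bot: `/etc/kernel/{,header_}postinst.d/* rPx,` (and the `postrm.d`, `preinst.d`, `prerm.d` and `/etc/update-motd.d/*` lines) transition with no unconfined fallback, so every hook script must have its own attached profile or its execution is denied and the kernel package's maintainer script fails; the removed `kernel` child named the concrete hooks (dkms, initramfs-tools, zz-update-grub, zz-shim, apt-auto-removal, unattended-upgrades, xx-update-initrd-links, intel-microcode) and profiles for them are not visible in this change. If they exist elsewhere in the commit this is fine and worth a one-line note (`# every hook here has its own profile`); if not, keep the wildcard as `rPUx` and add explicit `rPx` lines for the hooks that do have profiles, because a missing profile here is a failed kernel upgrade rather than a logged denial. The same reasoning applies to `/etc/update-motd.d/* rPx`, which the old `motd` child used to run inline.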
@@ -151,108 +134,12 @@ profile run-parts @{exec_path} { owner @{tmp}/$anacron@{rand6} rw, owner @{tmp}/file@{rand6} rw, - owner @{sys}/class/power_supply/ r, + owner @{sys}/class/power_supply/ r, + + @{run}/motd.dynamic.new w, /dev/tty@{int} rw, - profile motd { - include - include - - @{sh_path} rix, - @{bin}/{e,}grep rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/find rix, - @{bin}/head rix, - @{bin}/id rix, - @{bin}/sort rix, - @{bin}/tr rix, - @{bin}/uname rix, - - @{bin}/snap rPUx, - @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, - @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, - @{lib}/update-notifier/update-motd-reboot-required rix, - /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, - /usr/share/update-notifier/notify-updates-outdated rPx, - - / r, - /etc/default/motd-news r, - /etc/lsb-release r, - /etc/update-motd.d/* r, - - /var/cache/motd-news rw, - /var/lib/update-notifier/updates-available r, - /var/lib/ubuntu-advantage/messages/motd-esm-announce r, - - @{run}/motd.d/{,*} r, - - @{PROC}/@{pids}/mounts r, - - /dev/tty@{int} rw, - - include if exists - } - - profile kernel { - include - include - include - - capability sys_module, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,m,g}awk rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kmod rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/apt-config rPx, - @{bin}/dkms rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, - @{bin}/update-grub rPUx, - @{bin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, - - @{lib}/modules/*/updates/ w, - @{lib}/modules/*/updates/dkms/ w, - - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - - # For shell pwd - / r, - /boot/ r, - - 
/etc/apt/apt.conf.d/ r, - /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, - - @{run}/reboot-required w, - @{run}/reboot-required.pkgs rw, - - @{PROC}/devices r, - @{PROC}/cmdline r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/runit-helper b/apparmor.d/profiles-m-r/runit-helper new file mode 100644 index 000000000..94b3816c9 --- /dev/null +++ b/apparmor.d/profiles-m-r/runit-helper @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/runit-helper/runit-helper +profile runit-helper @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/mkdir rix, + + @{run}/runit/ rw, + @{run}/runit/supervise/ w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 9931c07fb..4bd569955 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/runuser +@{exec_path} = @{sbin}/runuser profile runuser @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 004c29d64..acdad5640 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -36,7 +36,7 @@ profile rustdesk @{exec_path} { @{bin}/ls rix, @{bin}/sudo rCx -> sudo, - @{bin}/python3.@{int} rCx -> python, + @{python_path} rCx -> python, @{sh_path} rCx -> shell, /etc/gdm{,3}/custom.conf r, @@ -64,7 +64,7 @@ profile rustdesk @{exec_path} { include @{bin}/rustdesk rPx, - @{bin}/python3.@{int} rPx -> rustdesk//python, + @{python_path} rPx -> rustdesk//python, include if exists } 
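Review bot: The profile grants `@{exec_path} mr,` and `@{bin}/mkdir rix,` but no shell rule, while Debian's dh-runit ships `/usr/lib/runit-helper/runit-helper` as a POSIX shell script; if that is the binary being confined, the interpreter needs `@{sh_path} rix,` (as the new pollinate profile does) or every invocation from a package maintainer script fails in enforce mode. The helper also does more than create `@{run}/runit/supervise/` (to my recollection it manages `/etc/service/` symlinks and calls `sv`), so this rule set looks like a capture from a single code path; either mark it `flags=(complain)` like pycompile in this change until the remaining paths are observed, or add a comment stating which subcommands were exercised.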
@@ -76,11 +76,11 @@ profile rustdesk @{exec_path} { capability dac_read_search, capability dac_override, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/chmod rix, - @{bin}/uname rPx, + @{bin}/uname rix, /usr/share/rustdesk/files/pynput_service.py rix, /usr/share/[rR]ust[dD]esk/files/{,**} r, diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index de55bf829..3552b6dc0 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -39,6 +39,8 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index dab3593b6..aaf34d49c 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -38,10 +38,7 @@ profile s3fs @{exec_path} { profile fusermount { include - include - - capability dac_read_search, - capability sys_admin, + include network inet stream, network inet6 stream, @@ -52,19 +49,11 @@ profile s3fs @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - @{MOUNTS}/ r, @{MOUNTS}/*/ r, owner @{tmp}/s3fstmp.* rw, - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 4c5d62597..ef007a32c 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -24,6 +24,9 @@ profile sbctl @{exec_path} { /{boot,efi}/EFI/{,**} rw, /{boot,efi}/vmlinuz-linux* rw, @{lib}/fwupd/efi/{,**} rw, + @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, + + @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, 
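Review bot: The s3fs `fusermount` child keeps its `umount @{MOUNTS}/` and `umount @{MOUNTS}/*/` rules while `capability sys_admin` and `/dev/fuse rw` are removed from it across the two s3fs hunks; unmounting needs CAP_SYS_ADMIN, so those rules only work if the replacement `include` (its target is lost in this rendering) supplies the capability and the device access. Presumably that include is a shared fusermount abstraction, which is a good consolidation, but an unmount should be exercised once with `aa-log` open to confirm nothing is denied. If the abstraction does cover it, a one-line comment such as `# capabilities and /dev/fuse come from the fusermount abstraction` above the umount rules saves the next reader the lookup.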
@@ -32,6 +35,7 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, /dev/pts/@{int} rw, + /dev/tpmrm@{int} rw, # File Inherit deny network inet stream, diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 51016373d..9c3f6d9df 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -23,7 +23,7 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/curl rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rPx, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index fd839099e..ca2d43a65 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -18,19 +18,12 @@ profile sensors @{exec_path} { /etc/sensors.d/{,*} r, /etc/sensors3.conf r, + @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/**/hwmon*/{,**/} r, - @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r, - @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r, - @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r, - @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, + @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/ r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r, + @{sys}/devices/**/hwmon*/{,**} r, # file_inherit deny @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index e3eca4e22..d21cf6f56 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sensors-detect +@{exec_path} = @{sbin}/sensors-detect profile sensors-detect @{exec_path} { include include @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 72c9b8a93..019e89e23 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -16,6 +16,7 @@ profile setpci @{exec_path} flags=(complain) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/config w, include if exists } diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 6c9a3fe62..7fdfddcbb 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/setvtrgb +@{exec_path} = @{sbin}/setvtrgb profile setvtrgb @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 0009d52cb..05ab2273f 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sfdisk +@{exec_path} = @{sbin}/sfdisk profile sfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index ecc6abcdb..4e68816d7 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sgdisk +@{exec_path} = @{sbin}/sgdisk profile sgdisk @{exec_path} { include include 
diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index b905e8f3a..b6a477707 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -20,8 +20,10 @@ profile signal-desktop @{exec_path} { include include include + include include include + include network inet dgram, network inet6 dgram, @@ -44,8 +46,8 @@ profile signal-desktop @{exec_path} { @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan new file mode 100644 index 000000000..f79b284fb --- /dev/null +++ b/apparmor.d/profiles-s-z/simple-scan 
@@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/simple-scan +profile simple-scan @{exec_path} { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + + /usr/share/snmp/{,**} r, + + /etc/sane.d/{,**} r, + + @{sys}/bus/scsi/devices/ r, + @{sys}/devices/virtual/dmi/id/board_name r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/board_version r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + @{PROC}/scsi/scsi r, + + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 9f395735e..1890510ae 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -12,7 +12,6 @@ include profile sing-box @{exec_path} { include include - include capability net_bind_service, diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 4af40c8ab..d025d160b 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/smartctl +@{exec_path} = @{sbin}/smartctl profile smartctl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index d0f9c28fd..60a77a782 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/smartd +@{exec_path} = @{sbin}/smartd profile smartd @{exec_path} { include include 
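Review bot: The six `@{sys}/devices/virtual/dmi/id/* r,` lines in the simple-scan profile can be a single rule, `@{sys}/devices/virtual/dmi/id/{board_name,board_vendor,board_version,product_name,product_version,sys_vendor} r,`, which is the style the sensors-detect profile in this series uses (`board_{version,vendor,name}`). `/dev/video@{int} rw,` grants camera access from a scanner front end; if it is there for a SANE video backend, a comment saying so would stop it looking like an oversight.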
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index e70a5c499..6e5af1288 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -46,7 +46,7 @@ profile spectre-meltdown-checker @{exec_path} { @{bin}/gzip rix, @{bin}/head rix, @{bin}/id rix, - @{bin}/iucode_tool rix, + @{sbin}/iucode_tool rix, @{bin}/kmod rCx -> kmod, @{bin}/lzop rix, @{bin}/mktemp rix, @@ -55,7 +55,7 @@ profile spectre-meltdown-checker @{exec_path} { @{bin}/od rix, @{bin}/perl rix, @{bin}/pgrep rCx -> pgrep, - @{bin}/rdmsr rix, + @{sbin}/rdmsr rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/sed rix, @@ -89,8 +89,10 @@ profile spectre-meltdown-checker @{exec_path} { owner /dev/cpu/@{int}/msr rw, owner /dev/kmsg r, - /boot/ r, - /boot/{config,vmlinuz,System.map}-* r, + @{efi}/ r, + @{efi}/config r, + @{efi}/System.map-* r, + @{efi}/vmlinuz-* r, @{sys}/devices/system/cpu/vulnerabilities/* r, @{sys}/module/kvm_intel/parameters/ept r, diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher index 13ed65c09..0267d6889 100644 --- a/apparmor.d/profiles-s-z/speech-dispatcher +++ b/apparmor.d/profiles-s-z/speech-dispatcher @@ -20,15 +20,21 @@ profile speech-dispatcher @{exec_path} { @{exec_path} mr, @{sh_path} ix, + @{lib}/speech-dispatcher-modules/* ix, @{lib}/speech-dispatcher/** r, @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, /etc/machine-id r, /etc/speech-dispatcher/{,**} r, + owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner @{run}/user/@{uid}/speech-dispatcher/ rw, owner @{run}/user/@{uid}/speech-dispatcher/** rwk, + owner /dev/shm/sem.@{rand6} rw, + owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6}, + include if exists } diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index f31818354..7e9728fc9 100644 --- a/apparmor.d/profiles-s-z/speedtest 
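Review bot: The new `@{efi}/config r,` line in the spectre-meltdown-checker hunk drops the `-*` suffix that the removed `/boot/{config,vmlinuz,System.map}-* r,` rule had, so it no longer matches the versioned `config-<release>` files the checker reads; the sibling `@{efi}/System.map-* r,` and `@{efi}/vmlinuz-* r,` lines keep it. Unless some distribution ships an unversioned `config` file there, this should be `@{efi}/config-* r,`. It is also worth checking that the `@{efi}` tunable still covers `/boot`, where these files usually live even when the ESP is mounted elsewhere.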
+++ b/apparmor.d/profiles-s-z/speedtest @@ -21,7 +21,7 @@ profile speedtest @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 04837d871..c73f5f678 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -47,6 +47,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, + /dev/udmabuf rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index bebfbe419..95013d8e0 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/spice-vdagentd +@{exec_path} = @{sbin}/spice-vdagentd profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/spotdl b/apparmor.d/profiles-s-z/spotdl new file mode 100644 index 000000000..be31bb0d0 --- /dev/null +++ b/apparmor.d/profiles-s-z/spotdl 
@@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 tpaau-17DB +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/spotdl +profile spotdl @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + @{python_path} r, + + @{bin}/ffmpeg rPx, + @{bin}/ffprobe rPx, + + owner @{user_music_dirs}/{,**} rwk, + + owner @{HOME}/.spotdl/** rw, + + owner @{user_cache_dirs}/spotdl/{,**} rw, + owner @{user_config_dirs}/spotdl/{,**} rw, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 41219a4f8..1ec4eeea3 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,7 +8,7 @@ abi , include @{name} = spotify -@{lib_dirs} = /opt/spotify/ +@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -16,7 +16,16 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include + include + include + include include + include network inet dgram, network inet6 dgram, @@ -24,10 +33,13 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + @{exec_path} mrix, @{sh_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{open_path} rPx -> child-open-strict, @@ -35,6 +47,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, + owner @{HOME}/.tmp rw, + owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/spotify-adblock/* r, 
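Review bot: `owner @{HOME}/.spotdl/** rw,` in the spotdl profile covers the contents of the directory but not the directory itself, so creating `~/.spotdl/` on first run would be denied; the neighbouring cache and config rules already use the `{,**}` form. Suggest `owner @{HOME}/.spotdl/{,**} rw,`. The `k` in `owner @{user_music_dirs}/{,**} rwk,` is wider than the other rules; if it was added for a specific denial a short comment would record that.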
@@ -44,16 +58,13 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, - @{PROC}/pressure/* r, @{PROC}/@{pid}/net/unix r, + @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, - deny @{sys}/bus/ r, - deny @{sys}/bus/*/devices/ r, - deny @{sys}/class/*/ r, - deny @{sys}/devices/@{pci}/usb@{int}/** r, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 3b55547be..2ce6b6b4d 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ss +@{exec_path} = @{sbin}/ss profile ss @{exec_path} { include include @@ -24,8 +24,8 @@ profile ss @{exec_path} { /etc/iproute2/{,**} r, - owner @{tmp}/*.ss rw, - owner @{HOME}/*.ss rw, + owner @{tmp}/*.ss rw, + owner @{HOME}/*.ss rw, @{sys}/fs/cgroup/{,**/} r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 6a337a66b..611c8462d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -68,9 +68,9 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner @{tmp}/kdsingleapp-*-strawberry w, + owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 783e58237..369046b6b 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm 
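Review bot: Dropping the four `deny @{sys}/...` rules in this spotify hunk widens what the profile can enumerate under sysfs: a `deny` overrides any allow coming from the includes added in the earlier hunk, so whatever those abstractions grant for `@{sys}/bus/`, `@{sys}/class/*/` and `@{sys}/devices/@{pci}/usb@{int}/**` now applies. If the intent was only to quiet audit noise, the `deny ... r,` rules already did that and can stay; if the reads are now wanted, a comment saying why a music player needs to list USB devices would help. In the previous hunk, `owner @{HOME}/.tmp rw,` names a literal file called `.tmp` in the home directory, which is unusual enough to deserve a note on what creates it.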
@@ -14,11 +14,11 @@ profile swtpm @{exec_path} { @{exec_path} mr, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw, - /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw, + /tmp/.swtpm_setup.pidfile.* rw, /tmp/@{int}/.lock rwk, /tmp/@{int}/TMP* rw, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 821a3fd63..e275fb764 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -15,7 +15,7 @@ profile syncoid @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mbuffer rix, @{bin}/perl rix, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index f668f5a00..6ff0fe7e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/syncthing profile syncthing @{exec_path} { include + include include include @@ -28,18 +29,21 @@ profile syncthing @{exec_path} { /etc/mime.types r, - owner @{HOME}/ r, - owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk, - owner @{user_config_dirs}/syncthing/{,**} rwk, - owner @{user_state_dirs}/syncthing/{,**} rwk, + @{HOME}/ r, + @{HOME}/** rwk, /home/ r, @{user_sync_dirs}/{,**} rw, @{PROC}/@{pids}/net/route r, + @{PROC}/bus/pci/devices r, + @{PROC}/modules r, + @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, include if exists } diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa new file mode 100644 index 000000000..9dcc199bc --- /dev/null +++ b/apparmor.d/profiles-s-z/sysstat-sa 
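Review bot: The `/var/log/swtpm/libvirt/qemu/*-swtpm.log w,` rule is removed from swtpm without a replacement, while the remaining rules still describe the libvirt-managed layout; unless libvirt now opens that log itself and hands swtpm the descriptor, swtpm's own writes to it will be denied. Adding `owner` to the two state rules is a good tightening, and `owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw,` sensibly covers `*.permall` together with the other state files. If the log path is indeed no longer written by swtpm, saying so in the commit message would make the removal easy to verify.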
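Review bot: `@{HOME}/** rwk,` in the syncthing hunk grants read, write and lock on every file under the home directory, including the likes of `~/.ssh` and `~/.gnupg`, and unlike the four rules it replaces it carries no `owner` qualifier. Syncthing legitimately syncs user-chosen folders, which `@{user_sync_dirs}/{,**} rw,` two lines down already covers; if a catch-all is really needed for arbitrary folder choices, at least keep `owner @{HOME}/** rwk,` and mark it with the `#aa:lint ignore=too-wide` annotation the ucf profile in this series uses for its `/etc/** rw,`. The narrower config, state and data rules are subsumed either way, so their removal is fine once the wildcard is settled.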
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/sysstat/sa{1,2} @{lib}/sysstat/debian-sa{1,2}
+profile sysstat-sa @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+ @{bin}/ r,
+
+ @{sh_path} rix,
+ @{bin}/date ix,
+ @{bin}/find ix,
+ @{bin}/{,e}grep ix,
+ @{bin}/rm ix,
+ @{bin}/sar.sysstat ix,
+ @{bin}/xargs ix,
+ @{lib}/sysstat/sadc Px,
+
+ /etc/sysstat/sysstat r,
+
+ /var/log/sysstat/ r,
+ /var/log/sysstat/** rw,
+
+ @{tmp}/#@{int} rw,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc
new file mode 100644
index 000000000..7d9143938
--- /dev/null
+++ b/apparmor.d/profiles-s-z/sysstat-sadc
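Review bot: `@{tmp}/#@{int} rw,` in the sysstat-sa profile lacks the `owner` qualifier that other profiles in this series put on their `@{tmp}/#@{int}` rules (strawberry, for example); sa1/sa2 run as root, so without it they may open any user's anonymous temp files. Suggest `owner @{tmp}/#@{int} rw,`. The `Px` transition to `@{lib}/sysstat/sadc` is the right call given sadc gets its own profile with `capability sys_admin` further down this commit.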
@@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/sysstat/sadc +profile sysstat-sadc @{exec_path} { + include + include + + capability sys_admin, + + @{exec_path} mr, + + /etc/sensors.d/{,**} r, + /etc/sensors3.conf r, + + /var/log/sysstat/{,**} rwk, + + @{sys}/bus/i2c/devices/ r, + @{sys}/class/fc_host/ r, + @{sys}/class/hwmon/ r, + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/@{pci}/net/*/duplex r, + @{sys}/devices/**/hwmon@{int}/ r, + @{sys}/devices/**/name r, + @{sys}/devices/**/net/*/duplex r, + @{sys}/devices/**/net/*/speed r, + @{sys}/devices/virtual/net/*/duplex r, + @{sys}/devices/virtual/net/*/speed r, + + @{PROC}/@{pid}/net/* r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + @{PROC}/sys/fs/dentry-state r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inode-state r, + @{PROC}/sys/kernel/pty/nr r, + @{PROC}/tty/driver/serial r, + @{PROC}/uptime r, + @{PROC}/vmstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 4db5c6f92..84f6d52d3 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -28,7 +28,7 @@ profile system-config-printer @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/cups/*/* rPUx, /usr/share/hplip/query.py rPUx, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 0197e3c3b..71892b04e 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet 
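Review bot: `capability sys_admin,` in the sysstat-sadc profile has no comment saying which collector needs it, and it is by far the broadest grant in the file — everything else is read-only access under `@{sys}` and `@{PROC}`. If it is there for a specific statistic, name it inline, e.g. `capability sys_admin, # needed for <COLLECTOR> — see aa-log`, so the next reader can re-check whether it is still required. If no denial was actually observed, leaving it out and letting the logs show the need is the safer default for a periodic root-run daemon helper.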
@@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py profile system-config-printer-applet @{exec_path} { include + include include include @@ -19,7 +20,7 @@ profile system-config-printer-applet @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index bc2779d51..8a33649a0 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel 
@@ -10,75 +10,33 @@ include @{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include - include + include @{exec_path} r, - @{bin}/perl r, - @{sh_path} rix, - @{bin}/tempfile rix, - @{lib}/tasksel/tasksel-debconf rix, - - @{lib}/tasksel/tests/* rCx -> tasksel-tests, - - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{bin}/tempfile ix, + @{lib}/tasksel/tasksel-debconf ix, + @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/apt-cache rPx, + @{bin}/apt-cache Px, + @{bin}/debconf-apt-progress Px, - @{bin}/debconf-apt-progress rPx, - - /usr/share/tasksel/** r, - - /usr/share/debconf/confmodule r, - - owner @{tmp}/file* w, + /usr/share/tasksel/{,**} r, profile tasksel-tests flags=(complain) { include - @{lib}/tasksel/tests/* r, @{sh_path} rix, + @{lib}/tasksel/tests/* r, include if exists } - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/tasksel rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e5a8f80d9..d71ccf802 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator 
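Review bot: Both rules that executed `/usr/share/debconf/frontend` (`rPx` and the commented `rCx -> frontend`) go away with the `frontend` child profile, and nothing in the rewritten tasksel hunk names a replacement transition; presumably the swapped top-level `include` (its target is lost in this rendering) now provides it, but if not the debconf front end runs with no exec rule and `flags=(complain)` will only log the denial. A comment beside the include such as `# debconf frontend transition comes from the included abstraction` would settle that. The removed child also carried `/etc/shadow r,`, so whatever confines the front end now should be checked for that access rather than regaining it by inheritance. Dropping the `r` from the `px`/`ix`/`Cx` modes is a style choice that differs from most sibling profiles in this series, which keep `rPx`/`rix`.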
@@ -9,9 +9,11 @@ include @{exec_path} = @{bin}/terminator profile terminator @{exec_path} flags=(attach_disconnected) { include + include include include include + include include include include @@ -30,7 +32,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} rix, + @{python_path} rix, # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio new file mode 100644 index 000000000..52e9e53e6 --- /dev/null +++ b/apparmor.d/profiles-s-z/texstudio @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/texstudio +profile texstudio @{exec_path} { + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/pdflatex ix, + @{bin}/pdftex ix, + @{bin}/kpsewhich ix, + @{bin}/gsettings ix, + @{bin}/which{,.debianutils} ix, + + /usr/share/texmf-dist/{,**} r, + /usr/share/doc/texstudio/{,**} r, + /usr/share/hunspell/{,**} r, + /usr/share/texstudio/{,**} r, + /usr/share/poppler/{,**} r, + + /etc/texmf/{,**} r, + /etc/machine-id r, + + /var/lib/texmf/{,**} r, + + owner @{user_config_dirs}/texstudio/{,**} rwlk, + owner /tmp/qtsingleapp-TeXstu-** rw, + owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk, + + ## silencer + deny owner /usr/share/hunspell/en_US-large.ign w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index 33f6fe6dc..bb0a1c37b 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -10,9 +10,15 @@ include @{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include - include + include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, include if exists 
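Review bot: The texstudio profile uses the literal `/tmp` in `owner /tmp/qtsingleapp-TeXstu-** rw,` and `owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk,`, whereas the rest of the series writes `@{tmp}`, which also matches per-user temp directories; suggest `owner @{tmp}/qtsingleapp-TeXstu-** rw,`. The LaTeX toolchain runs `ix` (`@{bin}/pdflatex`, `@{bin}/pdftex`), so a compile with shell-escape enabled inherits every permission of the editor profile, including `rwlk` under the config directory; if the project has a dedicated TeX profile, `Px` would keep that separation, otherwise a comment noting the inheritance is deliberate would help.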
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index fe30e6da8..b663865e8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/thermald +@{exec_path} = @{sbin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include include @@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { /etc/thermald/{,*} r, owner @{run}/thermald/ rw, - owner @{run}/thermald/thd_preference.conf rw, - owner @{run}/thermald/thd_preference.conf.save w, + owner @{run}/thermald/** rw, owner @{run}/thermald/thermald.pid rwk, @{sys}/class/hwmon/ r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 9a50dafa0..02046580c 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -37,6 +37,9 @@ profile thunderbird @{exec_path} { # Desktop integration @{open_path} rPx -> child-open, + # Extensions + @{bin}/SysTray-X rPUx, + /usr/share/lightning/{,**} r, owner /var/mail/** rwk, @@ -56,6 +59,7 @@ profile thunderbird @{exec_path} { owner @{tmp}/nsemail{,-@{int}}.eml rw, owner @{tmp}/nsma{,-@{int}} rw, owner @{tmp}/pid-@{pid}/{,**} w, + owner @{tmp}/remote-settings-startup-bundle- rw, /dev/urandom w, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 153ded880..1592d3aee 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp 
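Review bot: `owner @{tmp}/remote-settings-startup-bundle- rw,` in the second thunderbird hunk ends in a literal dash with no suffix, so it matches only a file literally named that; if the observed name carries a random or numeric tail it needs `@{rand6}`, `@{int}` or `*` at the end, as the sibling `nsemail{,-@{int}}.eml` rule does. In the first hunk, `@{bin}/SysTray-X rPUx,` falls back to unconfined whenever no SysTray-X profile is loaded; a `# TODO: profile for SysTray-X` comment, or a note that one exists, would make the intent clear.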
@@ -7,49 +7,49 @@ abi , include -@{exec_path} = @{bin}/tlp +@{exec_path} = @{sbin}/tlp profile tlp @{exec_path} flags=(attach_disconnected) { include include - include - include include + include + include + include include include capability dac_read_search, - capability net_admin, capability sys_nice, capability sys_rawio, capability sys_tty_config, network netlink raw, - ptrace read peer=unconfined, - @{exec_path} mr, @{sh_path} rix, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/ethtool rix, + @{sbin}/ethtool rix, @{bin}/flock rix, - @{bin}/grep rix, - @{bin}/hdparm rPx, + @{bin}/{,e}grep rix, + @{sbin}/hdparm rPx, @{bin}/head rix, @{bin}/id rPx, - @{bin}/iw rPx, + @{sbin}/iw rPx, @{bin}/logger rix, @{bin}/mktemp rix, @{bin}/readlink rix, @{bin}/rm rix, + @{bin}/sed rix, @{bin}/sort rix, @{bin}/systemctl rCx -> systemctl, @{bin}/touch rix, @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/uname rpx, + @{bin}/uname rix, + @{bin}/timeout rix, /usr/share/tlp/tlp-readconfs rix, / r, 
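Review bot: `capability net_admin,` is removed from tlp in this hunk while `@{sbin}/ethtool rix,` still runs ethtool inside the tlp profile; the wake-on-LAN settings tlp applies through ethtool need CAP_NET_ADMIN, so unless one of the three new includes carries it those calls will be denied. `iw` is `rPx` and keeps its own profile, so it is unaffected. The added `@{bin}/timeout rix,` sits after `uname` rather than in alphabetical order with the other binaries. The profile's remaining rules continue past this hunk.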
@@ -68,11 +68,23 @@ profile tlp @{exec_path} flags=(attach_disconnected) { owner @{run}/tlp/{,**} rw, owner @{run}/tlp/lock_tlp rwk, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{sys}/bus/pci/devices/ r, + @{sys}/bus/pci/drivers/*/ r, + @{sys}/bus/platform/devices/ r, + @{sys}/class/drm/ r, + @{sys}/class/net/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/{,**/}power/control w, + @{sys}/devices/@{pci}/**/host@{int}/**/link_power_management_policy w, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/**/net/**/uevent r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/net/**/uevent r, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, @{sys}/module/*/parameters/power_save rw, @@ -97,6 +109,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include + @{run}/tlp/lock_tlp rw, # file_inherit + include if exists } diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 0b35cff02..93e29bcfa 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -27,7 +27,7 @@ profile tomb @{exec_path} { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/awk rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chmod rix, @@ -41,14 +41,13 @@ profile tomb @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/findmnt rix, - @{bin}/gawk rix, @{bin}/getent rix, @{bin}/gettext rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{bin}/losetup rix, + @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, 
@@ -66,23 +65,23 @@ profile tomb @{exec_path} { @{bin}/tr rix, @{bin}/zsh rix, - @{bin}/btrfs rPx, - @{bin}/cryptsetup rPUx, + @{sbin}/btrfs rPx, + @{sbin}/cryptsetup rPUx, @{bin}/e2fsc rPUx, - @{bin}/fsck rPx, + @{sbin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, - @{bin}/mkfs.* rPUx, + @{sbin}/mkfs.* rPUx, @{bin}/mount rPx, @{bin}/pinentry rPx, @{bin}/pinentry-* rPx, @{bin}/qrencode rPx, - @{bin}/resize2fs rPx, + @{sbin}/resize2fs rPx, @{bin}/tomb-kdb-pbkdf2 rPUx, - @{bin}/tune2fs rPx, + @{sbin}/tune2fs rPx, @{bin}/umount rCx -> umount, @{bin}/updatedb.mlocate rPx, - @{bin}/zramctl rPx, + @{sbin}/zramctl rPx, /usr/share/file/** r, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index c7c914387..ad258189c 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -19,7 +19,7 @@ profile torsocks @{exec_path} { @{sh_path} rix, @{bin}/* rPUx, @{lib}/uwt/uwtexec rPUx, - @{bin}/getcap rix, + @{sbin}/getcap rix, /etc/tor/torsocks.conf r, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 64ab228ba..fc582cae2 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -14,6 +14,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -67,6 +68,10 @@ profile totem @{exec_path} flags=(attach_disconnected) { include capability dac_override, + capability sys_ptrace, + + network inet dgram, + network inet6 dgram, @{bin}/bwrap mr, @{bin}/totem-video-thumbnailer rix, 
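Review bot: `capability sys_ptrace,` is added to the totem thumbnailer child without any `ptrace` rule or comment, so the reason is not visible; in practice this capability is usually needed to read other processes' `/proc/@{pid}/` entries, and the `owner @{PROC}/@{pid}/mountinfo r,` and `stat` rules added in the next hunk suggest that is the case here. A short inline note, `capability sys_ptrace, # read /proc entries of bwrap children`, would record it; if no denial was actually seen it is better left out of a sandbox child. The two `network inet dgram` rules are unusual for a thumbnailer and deserve a comment on what triggers them. The child profile continues past this hunk.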
@@ -78,8 +83,11 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + owner @{tmp}/gnome-desktop-thumbnailer.png rw, @{PROC}/sys/vm/mmap_min_addr r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index ee4de1e45..b4666bb96 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat +++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -13,7 +13,6 @@ profile tpacpi-bat @{exec_path} { include @{exec_path} mr, - @{bin}/perl r, @{sh_path} rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 2a39981df..ad219f1ab 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -59,6 +59,7 @@ profile transmission @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids new file mode 100644 index 000000000..2ae7f66ef --- /dev/null +++ b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/u-d-c-print-pci-ids +profile u-d-c-print-pci-ids @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf new file mode 100644 index 000000000..47826d336 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucf 
@@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucf +profile ucf @{exec_path} { + include + include + include + include + + @{exec_path} rix, + @{sh_path} rix, + + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cp rix, + @{bin}/dirname rix, + @{bin}/getopt rix, + @{bin}/id rix, + @{bin}/md5sum rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/seq rix, + @{bin}/stat rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rix, + + @{bin}/dpkg-query rpx, + @{bin}/dpkg-divert rPx, + @{pager_path} rCx -> child-pager, + + # For md5sum + /usr/share/** r, + + # For writing new config files + /etc/** rw, #aa:lint ignore=too-wide + + # For shell pwd + / r, + /root/ r, + + owner /var/lib/ucf/** rw, + + owner /tmp/tmp.@{rand10} r, + + deny capability sys_admin, # optional: no audit + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq new file mode 100644 index 000000000..b6ca3e7b1 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfq @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfq +profile ucfq @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/md5sum rix, + + /etc/ r, + /etc/default/ r, + /etc/default/grub r, + + /var/lib/ucf/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr new file mode 100644 index 000000000..4cc149a28 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfr 
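Review bot: `@{bin}/dpkg-query rpx,` uses the lowercase `p` transition while the very next line, `@{bin}/dpkg-divert rPx,`, uses `P`; lowercase leaves the caller's environment unscrubbed (LD_PRELOAD, LD_LIBRARY_PATH and similar) across the profile change, which matters for a helper that maintainer scripts run as root. Unless dpkg-query depends on an inherited variable, this should read `@{bin}/dpkg-query rPx,` for consistency with the rest of the file. The lint-ignored `/etc/** rw,` plus `deny capability sys_admin,` is the profile's real trust boundary and is fine for ucf's job, but the exec transition should not weaken it by accident.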
@@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfr +profile ucfr @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/dirname ix, + @{bin}/getopt ix, + @{bin}/id ix, + @{bin}/readlink ix, + @{bin}/sed ix, + + /usr/share/ucf/{,**} r, + + /etc/ucf.conf r, + + / r, + + /var/lib/ucf/ r, + /var/lib/ucf/registry r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-ata_id b/apparmor.d/profiles-s-z/udev-ata_id new file mode 100644 index 000000000..f12ed105f --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-ata_id @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/ata_id +profile udev-ata_id @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached new file mode 100644 index 000000000..e42b10c26 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bcache-export-cached @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bcache-export-cached +profile udev-bcache-export-cached @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{sbin}/bcache-super-show rix, + + include if exists +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface new file mode 100644 index 000000000..7e3ba52f9 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bridge-network-interface @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bridge-network-interface +profile udev-bridge-network-interface @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + /etc/default/bridge-utils r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-cdrom_id b/apparmor.d/profiles-s-z/udev-cdrom_id new file mode 100644 index 000000000..552159867 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-cdrom_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/cdrom_id +profile udev-cdrom_id @{exec_path} { + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + /dev/sr@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id new file mode 100644 index 000000000..76ec27b68 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/fido_id +profile udev-fido_id @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/virtual/**/report_descriptor r, + + include if exists +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/udev-hdparm b/apparmor.d/profiles-s-z/udev-hdparm new file mode 100644 index 000000000..bca98163b --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-hdparm @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/hdparm +profile udev-hdparm @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/udevadm rPx, + + /etc/hdparm.conf r, + + @{PROC}/cmdline r, + @{PROC}/mdstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-probe-bcache b/apparmor.d/profiles-s-z/udev-probe-bcache new file mode 100644 index 000000000..e02e070a8 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-probe-bcache @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/probe-bcache +profile udev-probe-bcache @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index c4b30b884..8827bca14 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} { @{bin}/fuser rix, @{bin}/netstat rix, @{bin}/sed rix, - @{bin}/ss rix, + @{sbin}/ss rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 85b99b8ab..7407a9f99 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd 
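Review bot: No exec rule for the hdparm binary itself is visible in the new udev-hdparm profile, although the helper reads `/etc/hdparm.conf` and is presumably a wrapper that finishes by invoking hdparm with the options it assembled; unless the stripped include grants it, that exec is denied and the udev rule silently does nothing. Suggest `@{sbin}/hdparm rPx,` (or `rix` if no standalone hdparm profile exists) next to `@{bin}/udevadm rPx,`. This is inferred from the script's purpose rather than from a visible call, so confirm against the helper before adding it.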
@@ -7,13 +7,14 @@ abi , include -@{exec_path} = @{bin}/unix_chkpwd +@{exec_path} = @{sbin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include include include capability audit_write, + capability dac_read_search, # To read shadow with 000 permissions. network netlink raw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 6b5607ed1..2d641f994 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -18,25 +18,21 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{archive_path} rix, @{bin}/{,e}grep rix, - @{bin}/bzip2 rix, @{bin}/cat rix, - @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, - @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/xz rix, @{bin}/xzcat rix, - @{bin}/zstd rix, - /boot/ r, - owner /boot/initrd.img-* r, + @{efi}/ r, + owner @{efi}/initrd.img-* r, /tmp/ r, owner @{tmp}/initrd.img-* r, /mnt/ r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index a83e985d7..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -12,6 +12,8 @@ profile update-alternatives @{exec_path} { include include + capability dac_override, + @{exec_path} mr, @{bin}/* w, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index b87f60ec4..df9c08fe4 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-ca-certificates +@{exec_path} = @{sbin}/update-ca-certificates profile update-ca-certificates @{exec_path} { include include 
@@ -33,6 +33,7 @@ profile update-ca-certificates @{exec_path} { @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, + @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, @@ -45,7 +46,7 @@ profile update-ca-certificates @{exec_path} { /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt{,.new} rw, /etc/ssl/certs/*.pem rw, - /etc/ssl/certs/@{hex}.[0-9] rw, + /etc/ssl/certs/@{hex}.@{d} rw, /var/lib/ca-certificates/ rwk, /var/lib/ca-certificates/** rw, diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog new file mode 100644 index 000000000..feac2d3c5 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-catalog @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-catalog +profile update-catalog @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/sgml/ r, + /etc/sgml/* r, + + /var/lib/sgml-base/*catalog rw, + /var/lib/sgml-base/*catalog.new rw, + /var/lib/sgml-base/*catalog.old w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index f1bf99bf8..9801f8737 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -20,7 +20,7 @@ profile update-command-not-found @{exec_path} { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 9bef23a77..8f848b0ad 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-cracklib +@{exec_path} = @{sbin}/update-cracklib profile update-cracklib @{exec_path} { include include 
@@ -16,12 +16,12 @@ profile update-cracklib @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cracklib-format rix, - @{bin}/cracklib-packer rPx, + @{sbin}/cracklib-format rix, + @{sbin}/cracklib-packer rPx, @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/install rix, @{bin}/install rix, diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index c0e64f0f9..e9d92e421 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -26,7 +26,7 @@ profile update-dlocatedb @{exec_path} { /usr/share/dlocate/updatedb rCx -> updatedb, @{bin}/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/2 w, + owner @{PROC}/@{pid}/fd/@{int} w, /var/lib/dlocate/dpkg-list w, @@ -39,7 +39,6 @@ profile update-dlocatedb @{exec_path} { include /usr/share/dlocate/updatedb r, - @{bin}/perl r, /etc/default/dlocate r, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir new file mode 100644 index 000000000..7c835023f --- /dev/null +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-info-dir +profile update-info-dir @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/install-info Px, + @{bin}/find ix, + @{bin}/rm ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 6948f2812..50f11caea 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-initramfs +@{exec_path} = @{sbin}/update-initramfs profile update-initramfs @{exec_path} { include include 
@@ -22,17 +22,20 @@ profile update-initramfs @{exec_path} { @{bin}/cat rix, @{bin}/{m,g,}awk rix, @{bin}/getopt rix, - @{bin}/ischroot rix, @{bin}/ln rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, + @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, + @{bin}/ischroot rPx, @{bin}/linux-version rPx, - @{bin}/mkinitramfs rPx, + @{sbin}/mkinitramfs rPx, + + /etc/initramfs/post-update.d/* rPUx, /var/lib/initramfs-tools/* w, @@ -47,9 +50,9 @@ profile update-initramfs @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /boot/ r, - owner /boot/initrd.img-* rw, - owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, + owner @{efi}/ r, + owner @{efi}/initrd.img-* rw, + owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*, include if exists } diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index d2e36ead0..901dae9a0 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-pciids +@{exec_path} = @{sbin}/update-pciids profile update-pciids @{exec_path} { include include @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index e5ffca44f..31a03ef7b 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy 
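Review bot: `@{bin}/run-parts rix,` together with `/etc/initramfs/post-update.d/* rPUx,` lets run-parts execute the hooks, but run-parts has to enumerate the directory first and no `/etc/initramfs/post-update.d/ r,` rule is visible, so unless an include grants it the listing fails and no hook runs. Separately, `PUx` means any hook dropped into that directory without a profile runs fully unconfined as root; that is a deliberate trust decision and deserves a comment such as `# Hooks without their own profile run unconfined (PUx)`. The profile starts before this hunk, so the directory rule may exist elsewhere, but it is not in the hunk.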
@@ -7,28 +7,24 @@ abi , include -@{exec_path} = @{bin}/update-secureboot-policy +@{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include - include + include @{exec_path} rm, - @{sh_path} rix, - @{bin}/{,m,g}awk rix, - @{bin}/dpkg-trigger rPx, - @{bin}/find rix, - @{bin}/id rix, - @{bin}/od rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/wc rix, - /usr/share/debconf/frontend rPx, + @{bin}/{,m,g}awk ix, + @{bin}/dpkg-trigger Px, + @{bin}/find ix, + @{bin}/id ix, + @{bin}/od ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/wc ix, / r, - /usr/share/debconf/confmodule r, - /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw, diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells new file mode 100644 index 000000000..5922c1a14 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-shells @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-shells +profile update-shells @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chmod ix, + @{bin}/chown ix, + @{bin}/dirname ix, + @{bin}/dpkg-realpath rix, + @{bin}/mv ix, + @{bin}/sync ix, + @{bin}/readlink ix, + + /usr/share/debianutils/shells r, + /usr/share/debianutils/shells.d/{,**} r, + /usr/share/dpkg/sh/dpkg-error.sh r, + + /etc/shells r, + /etc/shells.tmp w, + + /var/lib/shells.state r, + /var/lib/shells.state.tmp w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 2ce61cebf..70b9bc6e2 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb 
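Review bot: `/etc/shells r,` next to `/etc/shells.tmp w,` and `@{bin}/mv ix,` looks insufficient: AppArmor checks a rename against both paths and needs write on the destination as well as the source, so if the script finalises by moving the `.tmp` file over `/etc/shells` (as the naming and the `sync ix` suggest) that last step is denied. The same applies to `/var/lib/shells.state r,` versus `/var/lib/shells.state.tmp w,`. Suggest `/etc/shells rw,` and `/var/lib/shells.state rw,`, and if `chown ix` really changes ownership of the temp file, `capability chown,` as well. Confirm against the debianutils script before widening.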
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-smart-drivedb +@{exec_path} = @{sbin}/update-smart-drivedb profile update-smart-drivedb @{exec_path} { include include @@ -28,7 +28,7 @@ profile update-smart-drivedb @{exec_path} { @{bin}/cmp rix, @{bin}/ r, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/wget rCx -> browse, diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 7a951b7e7..518a8d7df 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -19,13 +19,13 @@ profile updatedb-mlocate @{exec_path} { @{exec_path} mr, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, @{HOME}/ r, @@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} { /srv/**/ r, # Silence the noise - deny /efi/ r, + deny @{efi}/ r, deny /hugepages/ r, deny /lost+found/ r, deny /mnt/ r, diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index 8858a80f1..88a6cd406 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, diff --git a/apparmor.d/profiles-s-z/v2ray b/apparmor.d/profiles-s-z/v2ray index 5a9238355..046151222 100644 --- a/apparmor.d/profiles-s-z/v2ray +++ b/apparmor.d/profiles-s-z/v2ray @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/v2ray profile v2ray @{exec_path} flags=(attach_disconnected) { include - include + include network inet dgram, network inet stream, diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl new file mode 100644 index 000000000..e398049de --- /dev/null +++ b/apparmor.d/profiles-s-z/v4l2-ctl 
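Review bot: The two updatedb-mlocate hunks now contradict each other: the first rewrites `/boot/ r,` to `@{efi}/ r,` while the second rewrites `deny /efi/ r,` to `deny @{efi}/ r,`, so the same expansion is both allowed and denied, and in AppArmor the deny wins. Because `deny` is quiet by default, updatedb will silently fail to open the `@{efi}` directories and stop indexing them, even though `@{efi}/**/ r,` still permits the subdirectories. Keep the noise-silencing rule on the literal path it was meant for, `deny /efi/ r,`, or drop it if `@{efi}` now deliberately covers that location.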
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/v4l2-ctl +profile v4l2-ctl @{exec_path} { + include + include + include + + @{exec_path} mr, + + /dev/media@{int} rw, + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 25f4a979f..eaf6ca24b 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -16,7 +16,7 @@ profile vcsi @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ffmpeg rPx, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 6612846cd..b9b92a721 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -29,11 +29,11 @@ profile veracrypt @{exec_path} { @{sh_path} rix, @{open_path} rPx -> child-open-help, - @{bin}/dmsetup rPx, - @{bin}/grep rix, + @{sbin}/dmsetup rPx, + @{bin}/{,e}grep rix, @{bin}/kmod rix, - @{bin}/ldconfig rix, - @{bin}/losetup rCx -> losetup, + @{sbin}/ldconfig rix, + @{sbin}/losetup rCx -> losetup, @{bin}/mount rPx, @{bin}/sudo rix, @{bin}/umount rCx -> umount, @@ -85,7 +85,7 @@ profile veracrypt @{exec_path} { capability sys_rawio, - @{bin}/losetup mr, + @{sbin}/losetup mr, include if exists } diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 283eab051..7cf741dc2 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -25,10 +25,10 @@ profile vidcutter @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 50ada1d64..396f1e4f8 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr 
+++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -18,7 +18,7 @@ profile vipw-vigr @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group}{,.edit} rw, /etc/{passwd,shadow,gshadow,group}.@{pid} rw, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 0a67b365b..aed85abe3 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,6 +12,10 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include include include include @@ -28,18 +32,20 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.virt-manager.virt-manager + @{exec_path} rix, @{sh_path} rix, - @{bin}/python3.@{int} r, - @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r, @{bin}/env rix, @{bin}/getfacl rix, @{bin}/setfacl rix, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/ssh rPx, @{lib}/spice-client-glib-usb-acl-helper rPx, @@ -78,6 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 
@@ -85,7 +92,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/drm/ttm/uevent r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{PROC}/@{pids}/net/route r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 2b6af3561..8fe33af50 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -12,7 +12,7 @@ profile vsftpd @{exec_path} { include include include - include + include include # To be able to listen on ports < 1024 @@ -41,6 +41,12 @@ profile vsftpd @{exec_path} { capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # To validate allowed users shells diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index 8499a1ad6..b8d1d5326 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -26,11 +26,13 @@ profile waybar @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/waybar/{,**} r, + @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/system/cpu/present r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/system/cpu/present r, + @{sys}/devices/virtual/dmi/id/uevent r, @{PROC}/@{pid}/net/dev r, @{PROC}/spl/kstat/zfs/arcstats r, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat new file mode 100644 index 000000000..5764deb77 --- /dev/null +++ b/apparmor.d/profiles-s-z/wechat 
@@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = wechat +@{lib_dirs} = /opt/wechat/ +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{lib_dirs}/wechat +profile wechat @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/ip rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{open_path} Px -> child-open-strict, + + owner @{HOME}/.xwechat/{,**} rwk, + owner @{user_documents_dirs}/xwechat_files/{,**} rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage new file mode 100755 index 000000000..e7eabe6ec --- /dev/null +++ b/apparmor.d/profiles-s-z/wechat-appimage 
@@ -0,0 +1,84 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = wechat-appimage +@{lib_dirs} = /opt/wechat-appimage/ +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat +profile wechat-appimage @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, + + mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/, + + umount @{tmp}/.mount_wechat@{word6}/, + + @{exec_path} r, + + @{sh_path} rix, + @{bin}/dirname rix, + @{bin}/fusermount{,3} Cx -> fusermount, + @{bin}/{m,g,}awk rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/xdg-user-dir rix, + @{bin}/ip rix, + @{lib_dirs}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, + + @{bin}/fusermount{,3} Cx -> fusermount, + @{bin}/dirname rix, + @{bin}/readlink rix, + + @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, + @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, + @{tmp}/.mount_wechat@{word6}/AppRun ix, + + /etc/machine-id r, + + @{HOME}/.xwechat/{,**} rwk, + + owner @{user_documents_dirs}/xwechat_files/{,**} rwk, + + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, + + /dev/fuse rw, + /dev/tty rw, + + profile fusermount { + include + include + + mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/, + + umount @{tmp}/.mount_wechat@{word6}/, + + @{lib_dirs}/wechat-appimage.AppImage r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
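Review bot: The attachment line `@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat` disagrees with the rules below it, which use `wechat-appimage.AppImage` and `@{tmp}/.mount_wechat@{word6}/usr/bin/wechat`; AppArmor path matching is literal and case-sensitive, so if the on-disk names are `.AppImage` and `usr/bin` the profile never attaches to those two binaries and they run under whatever confinement launched them. Suggest `@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.AppImage /tmp/.mount_wechat??????/usr/bin/wechat`. Also `@{HOME}/.xwechat/{,**} rwk,` lacks the `owner` qualifier the sibling wechat profile uses for the same directory, and the `fusermount`, `dirname` and `readlink` rules are listed twice.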
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 9d563111a..3824f9526 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -14,12 +14,11 @@ include @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat profile wechat-universal @{exec_path} flags=(attach_disconnected) { include - include include - include include + include + include include - include network netlink raw, network netlink dgram, @@ -30,20 +29,21 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{lib}/wechat-universal/common.sh ix, - @{bin}/sed ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/lsblk Px, - @{bin}/bwrap rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} rPx -> child-open-strict, + @{sh_path} rix, + @{bin}/bwrap rix, + @{bin}/ln ix, + @{bin}/lsblk Px, + @{bin}/mkdir ix, + @{bin}/sed ix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{lib}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, /etc/lsb-release r, + /etc/machine-id r, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, + owner @{user_documents_dirs}/WeChat_Data/{,**} rwk, owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 861908a6b..4f40ef746 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -11,7 +11,7 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index 43fa8ff09..3febd0b0b 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis 
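Review bot: `@{lib}/wechat-appimage.AppImage ix,` runs the AppImage inside wechat-universal, which has no `mount`, `umount` or `/dev/fuse` rules, so the AppImage's FUSE self-mount would be denied here; the wechat-appimage profile carries those rules but attaches under `@{lib_dirs}` (/opt), not `@{lib}`, so neither `ix` nor a `Px` to it lines up as written. Either point this rule at the path the wechat-appimage profile attaches to and use `Px`, or add a comment explaining why inheriting this profile is intended. This is inferred from the two profiles as shown; the include lines are not visible.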
@@ -13,7 +13,7 @@ profile whatis @{exec_path} { include @{exec_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, /usr/{,**/}man/{,**/}{,whatis} r, diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index cc4ae2959..41541ea84 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -25,7 +25,7 @@ profile whdd @{exec_path} { @{bin}/tr rix, # To read SMART attributes - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 855db3f4b..df049741f 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/which{.debianutils,} +@{exec_path} = @{bin}/which{,.debianutils} profile which @{exec_path} flags=(attach_disconnected) { include include @@ -17,7 +17,9 @@ profile which @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ r, + @{sbin}/ r, @{bin}/**/ r, + @{sbin}/**/ r, @{lib}/ r, @{lib}/**/ r, /opt/**/bin/ r, diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index a7b98ebee..a42a63312 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/whiptail -profile whiptail @{exec_path} flags=(complain) { +profile whiptail @{exec_path} { include include @@ -16,9 +16,9 @@ profile whiptail @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/newt/palette.* r, + /usr/share/terminfo/** r, - owner @{tmp}/gpm* w, + /etc/newt/palette.* r, include if exists } diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois new file mode 100644 index 000000000..a1549db03 --- /dev/null +++ b/apparmor.d/profiles-s-z/whois 
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whois +profile whois @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /etc/whois.conf r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie new file mode 100644 index 000000000..0c03f4a76 --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie +profile whoopsie @{exec_path} { + include + include + + capability setgid, + capability setuid, + + @{exec_path} mr, + + /var/crash/ r, + + /var/lib/whoopsie/ rw, + /var/lib/whoopsie/whoopsie-id rw, + /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + + owner @{run}/lock/whoopsie/ rw, + owner @{run}/lock/whoopsie/lock rwk, + + @{sys}/devices/virtual/dmi/id/product_uuid r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences new file mode 100644 index 000000000..3b720d0da --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie-preferences 
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie-preferences +profile whoopsie-preferences @{exec_path} { + include + include + include + + #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /etc/whoopsie w, + /etc/whoopsie.@{rand6} rw, + + profile systemctl { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 136caa781..b6764ba0e 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_action +@{exec_path} = @{sbin}/wpa_action profile wpa-action @{exec_path} { include @@ -17,7 +17,7 @@ profile wpa-action @{exec_path} { @{exec_path} mr, - @{bin}/wpa_cli rPx, + @{sbin}/wpa_cli rPx, @{sh_path} rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index c9987fa01..eb4efeee9 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -7,13 +7,13 @@ abi , include -@{exec_path} = @{bin}/wpa_cli +@{exec_path} = @{sbin}/wpa_cli profile wpa-cli @{exec_path} { include @{exec_path} mr, - /{usr/,}{s,}/wpa_action rPx, + @{sbin}/wpa_action rPx, /etc/inputrc r, @@ -21,7 +21,7 @@ profile wpa-cli @{exec_path} { owner @{HOME}/.wpa_cli_history-@{int}.tmp rw, owner @{run}/wpa_supplicant/ r, - owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw, + owner @{tmp}/wpa_ctrl_@{pid}-@{d} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index fd10713cc..f833c812e 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui 
@@ -17,7 +17,7 @@ profile wpa-gui @{exec_path} { @{exec_path} mr, - owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w, + owner @{tmp}/wpa_ctrl_@{pid}-@{d} w, owner /dev/shm/#@{int} rw, @{run}/wpa_supplicant/ r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 23f77f840..b20c6f1b4 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_supplicant +@{exec_path} = @{sbin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include @@ -42,6 +42,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/cat_installer/*.pem r, owner @{run}/wpa_supplicant/{,**} rw, + owner @{run}/netplan/* r, @{sys}/devices/@{pci}/ieee*/phy@{int}/name r, diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 7de522fc8..6ef05cc0f 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wrmsr +@{exec_path} = @{sbin}/wrmsr profile wrmsr @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 22713e3bf..20575b2a8 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -21,7 +21,7 @@ profile wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/python3.@{int} rix, + @{python_path} rix, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 003770008..f38a69224 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver 
@@ -28,18 +28,7 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{bin}/7z rix, - @{lib}/p7zip/7z rix, - @{bin}/unrar-nonfree rix, - @{bin}/zip rix, - @{bin}/unzip rix, - @{bin}/tar rix, - @{bin}/xz rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/zstd rix, - # For deb packages + @{archive_path} rix, @{bin}/{,@{multiarch}-}ar rix, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index f40b4fa6b..4ce252e10 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/xbrlapi profile xbrlapi @{exec_path} flags=(attach_disconnected) { include - include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 0801ac188..9abc02350 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xinit profile xinit @{exec_path} { include + include include signal (receive) set=(usr1) peer=xorg, @@ -34,7 +35,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp new file mode 100644 index 000000000..6442fe8b9 --- /dev/null +++ b/apparmor.d/profiles-s-z/xournalpp 
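Review bot: The `# For deb packages` comment is removed while the `@{bin}/{,@{multiarch}-}ar rix,` rule it explained stays as context, so that line is now uncommented; keep `# For deb packages` above it, or fold it into the archivers group since `ar` is also part of the new `@{archive_names}` list. Replacing the explicit list with `@{archive_path} rix,` also pulls in tools the old list did not name (`7zz`, `lzip`, `rar`), which is a deliberate widening of what xarchiver may execute and worth a mention in the commit message.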
@@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xournalpp +profile xournalpp @{exec_path} { + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{open_path} rPx -> child-open-browsers, + + /usr/share/xournalpp/** r, + + /etc/machine-id r, + /etc/pipewire/jack.conf.d/ r, + + owner @{user_config_dirs}/xournalpp/{,**} rw, + owner @{user_cache_dirs}/xournalpp/{,**} rw, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{rand4} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray index 7e86ada2c..79c3104dc 100644 --- a/apparmor.d/profiles-s-z/xray +++ b/apparmor.d/profiles-s-z/xray @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/xray profile xray @{exec_path} flags=(attach_disconnected) { include - include + include network inet dgram, network inet stream, @@ -22,6 +22,7 @@ profile xray @{exec_path} flags=(attach_disconnected) { /etc/xray/{,*} r, /usr/share/xray/**.dat r, + /usr/share/v2ray/**.dat r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 41ac0b973..4273e803d 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
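Review bot: `/dev/snd/pcmC@{rand4} rw,` matches the PCM device node by character count rather than by its structure; ALSA names are of the form `pcmC<card>D<device>{p,c}`, so a two-digit card number would not match while unrelated four-character suffixes would. `/dev/snd/pcmC@{int}D@{int}[cp] rw,` is more precise. It is also worth checking whether the audio-related abstraction included above already covers this and the `controlC@{int}` line, since the include targets are not legible here.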
@@ -10,27 +11,30 @@ include profile xsane-gimp @{exec_path} { include include - include - - signal (receive) set=(term, kill) peer=gimp, + include network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=(term, kill) peer=gimp, + @{exec_path} mr, + @{system_share_dirs}/gimp/{,**} r, @{system_share_dirs}/sane/xsane/{,**} r, - @{system_share_dirs}/snmp/mibs/{,**} r, # network + @{system_share_dirs}/snmp/mibs/{,**} r, + /etc/sane.d/{,**} r, + owner @{HOME}/.sane/{,**} rw, owner @{tmp}/xsane-*-@{rand6} rw, - @{sys}/devices/@{pci}/{model,type,vendor} r, - @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, - # SCSI @{sys}/bus/scsi/devices/ r, + @{sys}/devices/@{pci}/{model,type,vendor} r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, include if exists } diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 781e24768..d0b1c1988 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -13,13 +13,11 @@ profile youtube-dl @{exec_path} { include include include - include - include + include include include include include - include network inet dgram, network inet6 dgram, @@ -30,7 +28,7 @@ profile youtube-dl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, @@ -38,7 +36,7 @@ profile youtube-dl @{exec_path} { @{bin}/ r, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/git rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/rtmpdump rix, @{bin}/uname rix, @{lib}/git{,-core}/git rix, diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index 46b0c6c06..100ae9985 100644 --- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer 
@@ -24,7 +24,6 @@ profile youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/infocmp rix, diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index 551a8edf4..ffa78eda3 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -24,7 +24,7 @@ profile yt-dlp @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 81ccfc284..a76bf0d89 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -24,10 +24,10 @@ profile ytdl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, /etc/mime.types r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index bb160a5e5..893cead5b 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -23,7 +23,7 @@ profile zed @{exec_path} { @{bin}/diff rix, @{bin}/expr rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/hostname rix, @{bin}/logger rix, @{bin}/ls rix, @@ -46,6 +46,7 @@ profile zed @{exec_path} { owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index 59a8d772e..f4dc9fc77 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -20,7 +20,7 @@ profile zenmap @{exec_path} { signal (send) set=(term, kill) peer=nmap, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/nmap rPx, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 2cb997fd7..e6033d9d2 100644 
--- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -31,6 +31,7 @@ profile zpool @{exec_path} { @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 8ac23a07c..42181500b 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -20,7 +20,7 @@ profile zsysd @{exec_path} flags=(complain) { /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1 - @{bin}/update-grub rPx, + @{sbin}/update-grub rPx, /etc/hostid r, /etc/zsys.conf r, diff --git a/apparmor.d/tunables/multiarch.d/base b/apparmor.d/tunables/multiarch.d/base new file mode 100644 index 000000000..9661b1e51 --- /dev/null +++ b/apparmor.d/tunables/multiarch.d/base 
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Base variables, upstreamed in apparmor 4.1 + +# Any digit +@{d}=[0-9] + +# Any letter +@{l}=[a-zA-Z] + +# Single alphanumeric character +@{c}=[0-9a-zA-Z] + +# Word character: matches any letter, digit or underscore. +@{w}=[a-zA-Z0-9_] + +# Single hexadecimal character +@{h}=[0-9a-fA-F] + +# Integer up to 10 digits (0-9999999999) +@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} + +# hexadecimal, alphanumeric and word up to 64 characters +@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} +@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} +@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} + +# Unsigned 
integer over 8 bits (0...255) +@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] + +# Unsigned integer over 16 bits (0...65,535 5 digits) +@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} + +# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) +@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). +@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Any x digits characters +@{int2}=@{d}@{d} +@{int4}=@{int2}@{int2} +@{int6}=@{int4}@{int2} +@{int8}=@{int4}@{int4} +@{int9}=@{int8}@{d} +@{int10}=@{int8}@{int2} +@{int12}=@{int8}@{int4} +@{int15}=@{int8}@{int4}@{int2}@{d} +@{int16}=@{int8}@{int8} +@{int32}=@{int16}@{int16} +@{int64}=@{int32}@{int32} + +# Any x hexadecimal characters +@{hex2}=@{h}@{h} +@{hex4}=@{hex2}@{hex2} +@{hex6}=@{hex4}@{hex2} +@{hex8}=@{hex4}@{hex4} +@{hex9}=@{hex8}@{h} +@{hex10}=@{hex8}@{hex2} +@{hex12}=@{hex8}@{hex4} 
+@{hex15}=@{hex8}@{hex4}@{hex2}@{h} +@{hex16}=@{hex8}@{hex8} +@{hex32}=@{hex16}@{hex16} +@{hex38}=@{hex32}@{hex6} +@{hex64}=@{hex32}@{hex32} + +# Any x alphanumeric characters +@{rand2}=@{c}@{c} +@{rand4}=@{rand2}@{rand2} +@{rand6}=@{rand4}@{rand2} +@{rand8}=@{rand4}@{rand4} +@{rand9}=@{rand8}@{c} +@{rand10}=@{rand8}@{rand2} +@{rand12}=@{rand8}@{rand4} +@{rand15}=@{rand8}@{rand4}@{rand2}@{c} +@{rand16}=@{rand8}@{rand8} +@{rand32}=@{rand16}@{rand16} +@{rand64}=@{rand32}@{rand32} + +# Any x word characters +@{word2}=@{w}@{w} +@{word4}=@{word2}@{word2} +@{word6}=@{word4}@{word2} +@{word8}=@{word4}@{word4} +@{word9}=@{word8}@{w} +@{word10}=@{word8}@{word2} +@{word12}=@{word8}@{word4} +@{word15}=@{word8}@{word4}@{word2}@{w} +@{word16}=@{word8}@{word8} +@{word32}=@{word16}@{word16} +@{word64}=@{word32}@{word32} diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index d3d56934e..d7f7450aa 100644 --- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions @@ -645,4 +645,7 @@ @{text_ext} += 3[dD][mM] # 3dm @{text_ext} += 3[dD][mM][lL] # 3dml +# Dpkg maintainer's scripts +@{dpkg_script_ext} = config templates preinst postinst prerm postrm + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 83aec3ce3..cca544370 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -38,8 +38,9 @@ @{open_path} += @{lib}/gio-launch-desktop @{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop -# Editor +# Editors @{editor_path} = @{bin}/@{editor_names} +@{editor_ui_path} = @{bin}/@{editor_ui_names} # Pager @{pager_path} = @{bin}/@{pager_names} 
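Review bot: `@{u16}` carries a stray `[` in its third alternative, `[1-9][@{d}@{d}`; after expansion that becomes the character class `[[0-9]`, which also matches a literal `[`, and the pattern is moved here unchanged from the old `system` file (the same defect is visible in the removed lines). Change it to `[1-9]@{d}@{d}` so three-digit values are matched as intended. The correction of `@{rand64}` to `@{rand32}@{rand32}` during this move is right; the `@{u16}` one was missed.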
@@ -65,4 +66,13 @@ # Help @{help_path} = @{bin}/@{help_names} +# Terminal emulator +@{terminal_path} = @{bin}/@{terminal_names} + +# Backup +@{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor + +# Archives +@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 2d1fccb32..6868ae87a 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles 
@@ -8,12 +8,65 @@ # All variables that refer to a profile name should be prefixed with `p_` # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` -@{p_systemd}=unconfined +@{p_sd}=unconfined +@{p_sdu}=unconfined @{p_systemd_user}=unconfined +@{p_systemd}=unconfined # Name of the dbus daemon profiles +@{p_dbus_accessibility}=dbus-accessibility +#aa:only apparmor4.1 +@{p_dbus_system}={dbus-system,dbus-system//&unconfined} +@{p_dbus_session}={dbus-session,dbus-session//&unconfined} + +#aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system @{p_dbus_session}=dbus-session -@{p_dbus_accessibility}=dbus-accessibility + +@{p_accounts_daemon}=accounts-daemon +@{p_apt_news}=apt_news +@{p_at_spi2_registryd}=at-spi2-registryd +@{p_avahi_daemon}=avahi-daemon +@{p_bluetoothd}=bluetoothd +@{p_colord}=colord +@{p_e2scrub_all}=e2scrub_all +@{p_e2scrub}=e2scrub +@{p_file_roller}=file-roller +@{p_fprintd}=fprintd +@{p_fwupd}=fwupd +@{p_fwupdmgr}=fwupdmgr +@{p_geoclue}=geoclue +@{p_gnome_shell}=gnome-shell +@{p_gsd_media_keys}=gsd-media-keys +@{p_irqbalance}=irqbalance +@{p_logrotate}=logrotate +@{p_ModemManager}=ModemManager +@{p_nm_priv_helper}=nm-priv-helper +@{p_packagekitd}=packagekitd +@{p_pcscd}=pcscd +@{p_polkitd}=polkitd +@{p_power_profiles_daemon}=power-profiles-daemon +@{p_rsyslogd}=rsyslogd +@{p_rtkit_daemon}=rtkit-daemon +@{p_snap}=snap +@{p_systemd_coredump}=systemd-coredump +@{p_systemd_homed}=systemd-homed +@{p_systemd_hostnamed}=systemd-hostnamed +@{p_systemd_importd}=systemd-importd +@{p_systemd_initctl}=systemd-initctl +@{p_systemd_journal_remote}=systemd-journal-remote +@{p_systemd_journald}=systemd-journald +@{p_systemd_localed}=systemd-localed +@{p_systemd_logind}=systemd-logind +@{p_systemd_networkd}=systemd-networkd +@{p_systemd_oomd}=systemd-oomd +@{p_systemd_resolved}=systemd-resolved +@{p_systemd_rfkill}=systemd-rfkill +@{p_systemd_timedated}=systemd-timedated +@{p_systemd_timesyncd}=systemd-timesyncd 
+@{p_systemd_userdbd}=systemd-userdbd +@{p_upowerd}=upowerd +@{p_xdg_desktop_portal}=xdg-desktop-portal + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index e8f523b6a..a7cbaf831 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -22,7 +22,7 @@ @{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir @{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep -@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true +@{coreutils} += sort split stat stdbuf stty sum tac tail tee test timeout touch tr true @{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes # Python interpreters @@ -32,8 +32,9 @@ # Open @{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop -# Editor -@{editor_names} = sensible-editor vim{,.*} nvim nano +# Editors +@{editor_names} = sensible-editor vim{,.*} vim-nox11 nvim nano +@{editor_ui_names} = gnome-text-editor gedit mousepad # Pager @{pager_names} = sensible-pager pager less more nvimpager @@ -75,7 +76,7 @@ @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli # Document viewers -@{document_viewers_names} = evince okular *{F,f}oliate YACReader +@{document_viewers_names} = evince papers okular *{F,f}oliate YACReader # Image viewers @{image_viewers_names} = eog loupe ristretto 
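Review bot: `@{p_sd}` and `@{p_sdu}` are added under the comment `# Name of the systemd profiles. Can be ...` without saying how they relate to the existing `@{p_systemd}` / `@{p_systemd_user}` (all four are `unconfined` here), so a reader cannot tell whether the short names are aliases meant to replace the long ones or serve a different purpose. A comment such as `# Short forms of @{p_systemd} and @{p_systemd_user}; keep in sync` (if that is the intent) would settle it. The `#aa:only apparmor4.1` / `#aa:exclude apparmor4.1` pair for the dbus variables also deserves a one-line note on why 4.1 needs the stacked `dbus-system//&unconfined` form, since nothing in the file explains it.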
@@ -84,9 +85,18 @@ @{archive_viewers_names} = engrampa file-roller xarchiver # Office suites -@{offices_names} = libreoffice soffice +@{offices_names} = libreoffice soffice wps # Help @{help_names} = yelp +# Terminal emulator +@{terminal_names} = kgx terminator konsole ptyxis + +# Backup +@{backup_names} = deja-dup borg + +# Archives +@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index cc4192d28..359d1b878 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -2,98 +2,6 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Base variables -# -------------- - -# Any digit -@{d}=[0-9] - -# Any letter -@{l}=[a-zA-Z] - -# Single alphanumeric character -@{c}=[0-9a-zA-Z] - -# Word character: matches any letter, digit or underscore. -@{w}=[a-zA-Z0-9_] - -# Single hexadecimal character -@{h}=[0-9a-fA-F] - -# Integer up to 10 digits (0-9999999999) -@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} - -# hexadecimal, alphanumeric and word up to 64 characters -@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} -@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} -@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} - -# Unsigned integer over 8 bits (0...255) -@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 
2[0-4][0-9] 25[0-5] - -# Unsigned integer over 16 bits (0...65,535 5 digits) -@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} - -# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) -@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). -@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Any x digits characters -@{int2}=@{d}@{d} -@{int4}=@{int2}@{int2} -@{int6}=@{int4}@{int2} -@{int8}=@{int4}@{int4} -@{int9}=@{int8}@{d} -@{int10}=@{int8}@{int2} -@{int12}=@{int8}@{int4} -@{int15}=@{int8}@{int4}@{int2}@{d} -@{int16}=@{int8}@{int8} -@{int32}=@{int16}@{int16} -@{int64}=@{int32}@{int32} - -# Any x hexadecimal characters -@{hex2}=@{h}@{h} -@{hex4}=@{hex2}@{hex2} -@{hex6}=@{hex4}@{hex2} -@{hex8}=@{hex4}@{hex4} -@{hex9}=@{hex8}@{h} -@{hex10}=@{hex8}@{hex2} -@{hex12}=@{hex8}@{hex4} -@{hex15}=@{hex8}@{hex4}@{hex2}@{h} -@{hex16}=@{hex8}@{hex8} 
-@{hex32}=@{hex16}@{hex16} -@{hex38}=@{hex32}@{hex6} -@{hex64}=@{hex32}@{hex32} - -# Any x alphanumeric characters -@{rand2}=@{c}@{c} -@{rand4}=@{rand2}@{rand2} -@{rand6}=@{rand4}@{rand2} -@{rand8}=@{rand4}@{rand4} -@{rand9}=@{rand8}@{c} -@{rand10}=@{rand8}@{rand2} -@{rand12}=@{rand8}@{rand4} -@{rand15}=@{rand8}@{rand4}@{rand2}@{c} -@{rand16}=@{rand8}@{rand8} -@{rand32}=@{rand16}@{rand16} -@{rand64}=@{rand64}@{rand64} - -# Any x word characters -@{word2}=@{w}@{w} -@{word4}=@{word2}@{word2} -@{word6}=@{word4}@{word2} -@{word8}=@{word4}@{word4} -@{word9}=@{word8}@{w} -@{word10}=@{word8}@{word2} -@{word12}=@{word8}@{word4} -@{word15}=@{word8}@{word4}@{word2}@{w} -@{word16}=@{word8}@{word8} -@{word32}=@{word16}@{word16} -@{word64}=@{word32}@{word32} - - # System Paths # ------------ @@ -106,12 +14,16 @@ @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/ # Common places for binaries and libraries across distributions -@{bin}=/{,usr/}{,s}bin +@{bin}=/{,usr/}bin +@{sbin}=/{,usr/}sbin #aa:only apt zypper +@{sbin}=/{,usr/}{,s}bin #aa:only pacman @{lib}=/{,usr/}lib{,exec,32,64} # Common places for temporary files @{tmp}=/tmp/ /tmp/user/@{uid}/ +# Common places for EFI +@{efi}=/boot/ /efi/ /boot/efi/ # System Variables # ---------------- @@ -126,7 +38,7 @@ @{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} # Universally unique identifier -@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +@{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12} # Username & group valid characters @{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} 
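Review bot: `@{efi}=/boot/ /efi/ /boot/efi/` lists `/boot/` alongside `/boot/efi/`, so any rule written as `@{efi}/**` also expands to `/boot/**` and reaches kernels and initrds, not only the EFI system partition. If the variable is meant to name the ESP mount point, `/boot/` should be dropped (or the variable renamed to say it covers the whole boot tree); how profiles use it is outside this hunk. The `@{bin}`/`@{sbin}` split is a real tightening on apt and zypper systems, where `@{bin}/foo` no longer matches `/usr/sbin/foo`; a comment next to the pacman variant noting that it keeps the old `{,s}bin` form on purpose would prevent someone "fixing" it later.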
@@ -135,25 +47,31 @@ # Semantic version @{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},} +#aa:only opensuse # OpenSUSE does not have the same multiarch structure -@{multiarch}+=*-suse-linux* #aa:only opensuse +@{multiarch}+=*-suse-linux* # System Internal # --------------- +# SQlite temporary files (hexadecimal from 12 to 16 characters) +@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} + # Shortcut for PCI device -@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} -@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} +@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} +@{pci_bus}=pci@{hex4}:@{hex2} @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges +# See https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 # Attachment path for attach_disconnected.path flag. # Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. @{att}=/ + alias // -> /, # vim:syntax=apparmor diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 58aee3716..ccd6e9cca 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go 
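Review bot: `@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h}` replaces a fixed four-hex-digit domain with `@{hex}`, which allows 1 to 64 hexadecimal characters, while `@{pci_bus}=pci@{hex4}:@{hex2}` on the next line keeps the four-character domain. Use `@{hex4}` in both so the two stay consistent and the pattern stays as tight as before: `@{pci_id}=@{hex4}:@{hex2}:@{hex2}.@{h}`. The added `alias // -> /,` in a tunables file is unusual; a comment on why it lives here and what it is meant to remap would help, especially as the workflow edits the `@{att}` line of this file with sed.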
@@ -15,15 +15,15 @@ import ( "github.com/roddhjav/apparmor.d/pkg/logs" ) -const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] +const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -55,7 +55,7 @@ func aaLog(logger string, path string, profile string) error { case "systemd": file, err = logs.GetJournalctlLogs(path, since, !slices.Contains(logs.LogFiles, path)) default: - err = fmt.Errorf("Logger %s not supported.", logger) + err = fmt.Errorf("logger %s not supported", logger) } if err != nil { return err diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 5f7dd6396..5d32e9331 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -111,7 +111,7 @@ func formatFile(kind kind, profile string) (string, error) { for idx, rules := range rulesByParagraph { aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - profile = strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1) + profile = strings.ReplaceAll(profile, paragraphs[idx], rules.String()+"\n") } return profile, nil } diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 3f2dd9f43..62685202f 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -5,8 +5,6 @@ package main import ( - "slices" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" "github.com/roddhjav/apparmor.d/pkg/prebuild/cli" 
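Review bot: The synopsis now lists `[--since]` without a value placeholder, unlike `[--file file]`, yet `aaLog` passes a `since` value to `logs.GetJournalctlLogs`; if the flag takes a time argument, write it as `[--since time]` (or whatever the option section names it) so the usage line matches. The option table that would confirm this is outside the hunk. The lower-cased `logger %s not supported` error is the right Go idiom.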
@@ -18,6 +16,9 @@ func init() { // Define the default ABI prebuild.ABI = 4 + // Define the default version + prebuild.Version = 4.1 + // Define the tasks applied by default prepare.Register( "synchronise", // Initialize a new clean apparmor.d build directory @@ -35,22 +36,32 @@ func init() { "hotfix", // Temporary fix for #74, #80 & #235 ) - // Compatibility with AppArmor 3 + // Matrix of ABI/Apparmor version to integrate with switch prebuild.Distribution { case "arch": case "ubuntu": - if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) { + switch prebuild.Release["VERSION_CODENAME"] { + case "jammy": prebuild.ABI = 3 + prebuild.Version = 3.0 + case "noble": + prebuild.ABI = 4 + prebuild.Version = 4.0 } case "debian": - prebuild.ABI = 3 + switch prebuild.Release["VERSION_CODENAME"] { + case "bullseye", "bookworm": + prebuild.ABI = 3 + prebuild.Version = 3.0 + } case "whonix": prebuild.ABI = 3 + prebuild.Version = 3.0 - // Hide rewrittem Whonix profiles + // Hide rewritten Whonix profiles prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure /etc/apparmor.d/home.tor-browser.firefox /etc/apparmor.d/tunables/homsanitycheck @@ -67,5 +78,6 @@ func init() { } func main() { + cli.Configure() cli.Prebuild() } diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 20725a133..8fc1d019d 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -1 +1 @@ -# This file is generated by "make", all edit will be lost. +# This file is generated by "just", all edit will be lost. diff --git a/debian/control b/debian/control index 3d15800b8..56ad928ba 100644 --- a/debian/control +++ b/debian/control 
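Review bot: `prebuild.Version = 4.1` encodes the AppArmor version as a floating-point number, so `4.10` and `4.1` are the same value and any future ordering comparison is fragile; a string or a (major, minor) pair would be safer, though that depends on how `prebuild.Version` is declared and compared elsewhere. Codenames not listed in the new `switch` blocks (any Ubuntu other than jammy/noble, any Debian other than bullseye/bookworm) silently keep ABI 4 / version 4.1; a `default:` branch or a log line naming the assumed version would make that choice visible. `init` continues outside the hunk.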
@@ -6,19 +6,18 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, + just, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git -Standards-Version: 4.5.0 +Standards-Version: 4.6.0 Rules-Requires-Root: no Package: apparmor.d Architecture: any -Depends: - apparmor-profiles, - ${shlibs:Depends} +Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine - most Linux based applications and processes. + apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine + most Linux based applications and processes. diff --git a/debian/rules b/debian/rules index a30a693df..d78e652ca 100755 --- a/debian/rules +++ b/debian/rules @@ -9,5 +9,9 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: -# do not run 'make check' by default as it can be long for dev package -override_dh_auto_test: +override_dh_auto_build: + just complain + +override_dh_auto_install: + just destdir="${CURDIR}/debian/apparmor.d" install + diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 339d88036..bf97705a6 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -15,6 +15,7 @@ URL: https://github.com/roddhjav/apparmor.d Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release +BuildRequires: just BuildRequires: golang-packaging BuildRequires: apparmor-profiles @@ -25,10 +26,10 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most %autosetup %build -%make_build +just complain %install -%make_install +just destdir="%{buildroot}" install %posttrans rm -f /var/cache/apparmor/* 2>/dev/null diff --git a/dists/build.sh b/dists/build.sh index 523bf8ca4..9b9f9e765 100644 
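Review bot: The rewritten `Depends:` line in debian/control lists only `apparmor-profiles`: `${misc:Depends}` was never there and `${shlibs:Depends}` is now dropped, yet the package is `Architecture: any` and built with `golang-any`, so it ships compiled binaries. If those binaries are dynamically linked (cgo, or a non-static build) the libc dependency is no longer computed, and lintian will also report the missing misc substvar. Prefer `Depends: apparmor-profiles, ${misc:Depends}, ${shlibs:Depends}`, or add a comment in the control file stating why the shlibs substvar is safe to omit (for example fully static Go binaries), which cannot be verified from this page.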
--- a/dists/build.sh +++ b/dists/build.sh @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make [ dpkg | pkg | rpm ] +# Usage: just [ dpkg | pkg | rpm ] set -eu -o pipefail @@ -20,7 +20,7 @@ main() { ;; dpkg) - dch --newversion="$VERSION-1" --urgency=medium --distribution=stable --controlmaint "Release $VERSION-1" + dch --newversion="$VERSION-1" --urgency=medium --distribution="$(lsb_release -sc)" --controlmaint "Release $VERSION-1" dpkg-buildpackage -b -d --no-sign lintian || true mv ../"${PKGNAME}_${VERSION}-1"_*.deb "$OUTPUT" diff --git a/dists/docker.sh b/dists/docker.sh index 4dd958759..2e581883c 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -3,7 +3,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make package dist= +# Usage: +# just package ubuntu24 +# just package archlinux +# just package opensuse set -eu -o pipefail @@ -14,7 +17,8 @@ readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp readonly OUTDIR=".pkg" readonly OUTPUT="$PWD/$OUTDIR" -readonly COMMAND="$1" +readonly DISTRIBUTION="${1:-}" +readonly RELEASE="${2:-}" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" readonly VERSION PACKAGER @@ -61,6 +65,7 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" + docker exec "$img" sudo pacman -Syu --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg 
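Review bot: `--distribution="$(lsb_release -sc)"` in the `dpkg)` branch of `main()` makes dists/build.sh depend on `lsb_release`, which this diff installs only inside the docker container (the `lsb-release` package in the dists/docker.sh `@@ -68,21 +73,24 @@` hunk) and not for a native `just dpkg`; when the tool is absent the substitution is empty, `dch` receives `--distribution=`, and `set -e` does not catch a failure inside a command substitution used as an argument. A fallback keeps the previous behaviour when the tool is missing: `--distribution="$(lsb_release -sc 2>/dev/null || echo stable)"`. Alternatively, list `lsb-release` next to `devscripts` in the install documentation. `main()` starts and ends outside this hunk.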
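Review bot: `readonly RELEASE="${2:-}"` in the dists/docker.sh `@@ -14,7 +17,8 @@` hunk accepts an empty second argument without any check, and the `@@ -68,21 +73,24 @@` hunk then builds `docker pull "$BASEIMAGE/$dist:$release"` from it, so a dpkg build invoked without a release produces an invalid `debian:` image reference and a confusing pull error instead of a usage message. Likewise an empty or unknown `DISTRIBUTION` falls through the `*) ;;` case of `main()` and the script exits 0 having built nothing. A guard after the two `readonly` lines would make both failures explicit: `[[ -n "$DISTRIBUTION" ]] || { echo "Usage: $0 <distribution> [release]" >&2; exit 1; }`, with a matching `[[ -n "$release" ]]` check at the top of `build_in_docker_dpkg`.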
@@ -68,21 +73,24 @@ build_in_docker_makepkg() { } build_in_docker_dpkg() { - local dist="$1" target="$1" - local img="$PREFIX$dist" + local img dist="$1" target="$1" release="$2" [[ "$dist" == whonix ]] && dist=debian + [[ "$release" == "13" ]] && release=trixie + img="$PREFIX$dist$release" if _exist "$img"; then if ! _is_running "$img"; then _start "$img" fi else - docker pull "$BASEIMAGE/$dist" + docker pull "$BASEIMAGE/$dist:$release" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ - --env DISTRIBUTION="$target" "$BASEIMAGE/$dist" + --env DISTRIBUTION="$target" "$BASEIMAGE/$dist:$release" docker exec "$img" sudo apt-get update -q - docker exec "$img" sudo apt-get install -y config-package-dev rsync - [[ "$dist" == debian ]] && aptopt=(-t bookworm-backports) + docker exec "$img" sudo apt-get install -y config-package-dev lsb-release libdistro-info-perl + if [[ "$dist" == debian && "$release" == "12" ]]; then + aptopt=(-t bookworm-backports) + fi docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go fi @@ -102,7 +110,7 @@ build_in_docker_rpm() { docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ "$BASEIMAGE/$dist" - docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles + docker exec "$img" sudo zypper install -y distribution-release golang-packaging apparmor-profiles fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm @@ -110,20 +118,19 @@ build_in_docker_rpm() { } main() { - case "$COMMAND" in + case "$DISTRIBUTION" in archlinux) - # build_in_docker_makepkg "$COMMAND" - PKGDEST="$OUTPUT" makepkg -Cf + build_in_docker_makepkg "$DISTRIBUTION" ;; debian | ubuntu | whonix) sync - build_in_docker_dpkg "$COMMAND" + build_in_docker_dpkg "$DISTRIBUTION" "$RELEASE" ;; opensuse) sync - build_in_docker_rpm "$COMMAND" + build_in_docker_rpm "$DISTRIBUTION" ;; *) ;; 
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index ac4547850..22e9a1447 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,15 +1,9 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,mediate_deleted,complain -default attach_disconnected,mediate_deleted,complain -default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain -systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain -aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -28,6 +22,7 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain +apt-methods-sqv complain at complain atd complain auditctl attach_disconnected,complain @@ -40,12 +35,9 @@ avahi-resolve complain avahi-set-host-name complain baloo complain baloorunner complain -busctl complain calibre complain cc-remote-login-helper complain cctk complain -child-modprobe-nvidia attach_disconnected,complain -child-open attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain @@ -78,6 +70,10 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain +deb-systemd-helper complain +deb-systemd-invoke complain +debconf-escape complain +decibels complain dino attach_disconnected,complain discord complain discord-chrome-sandbox complain 
@@ -87,6 +83,14 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-db-backup complain +dpkg-maintscript-helper complain +dpkg-script-apparmor complain +dpkg-script-kmod complain +dpkg-script-linux complain +dpkg-script-systemd complain +dpkg-scripts complain +dracut-install complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain @@ -99,9 +103,9 @@ fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain filezilla complain +finalrd complain firewall-applet attach_disconnected,complain firewall-config complain -firewalld attach_disconnected,complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain @@ -112,28 +116,20 @@ flatpak-system-helper complain flatpak-validate-icon complain fstrim complain fuse-overlayfs complain -fusermount complain +gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain -gimp complain gmenudbusmenuproxy complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-disks complain gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain -gnome-music attach_disconnected,complain -gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-software complain -gnome-system-monitor attach_disconnected,complain -gnome-terminal-server complain -gnome-tweaks complain grub-bios-setup complain grub-editenv complain grub-file complain 
@@ -167,8 +163,8 @@ gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain -hyprctl complain -hyprlock complain +hyprctl attach_disconnected,complain +hyprlock attach_disconnected,complain hyprpaper attach_disconnected,complain hyprpicker complain hyprpm complain @@ -178,7 +174,6 @@ im-launch complain install-info complain iwctl complain iwd complain -jitterentropy-rngd complain kaccess complain kactivitymanagerd complain kalendarac complain @@ -193,10 +188,14 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdump_mem_estimator complain +kdump-config complain +kdump-tools-init complain,attach_disconnected +kernel complain kernel-install complain +kernel-postinst-kdump complain keyboxd complain kglobalacceld complain -kgx complain kio_http_cache_cleaner complain kiod complain kioworker complain @@ -217,8 +216,14 @@ libreoffice complain libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain +lightdm-session complain +linux-check-removal complain +linux-update-symlinks complain locale-gen complain localectl complain +localsearch complain +localsearch-control complain +localsearch-writeback complain login attach_disconnected,complain loginctl complain low-memory-monitor attach_disconnected,complain @@ -228,14 +233,16 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdevctl complain -metadata-cleaner attach_disconnected,complain -mke2fs complain +mdadm complain +mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain -netplan.script attach_disconnected,complain +needrestart-hook complain +needrestart-notify complain +needrestart-restart complain +netplan attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain 
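Review bot: `kdump-tools-init complain,attach_disconnected` in the `@@ -193,10 +188,14 @@` hunk lists its flags in the opposite order to every other `attach_disconnected,complain` entry added by this diff. AppArmor does not care about flag order, but the file is otherwise nearly uniform and people grep it by flag set, so `kdump-tools-init attach_disconnected,complain` would keep it consistent.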
@@ -247,9 +254,10 @@ nvidia-persistenced complain ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain -pam-tmpdir-helper complain +papers complain passimd attach_disconnected,complain -pidof complain +pkla-admin-identities complain +pkla-check-authorization complain pkttyagent complain plank complain plasma_waitforname complain @@ -260,6 +268,10 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +pollinate complain +ptyxis complain +ptyxis-agent complain +pycompile complain qdbus complain remmina complain run-parts complain @@ -274,18 +286,16 @@ signal-desktop-chrome-sandbox complain sing-box complain slirp4netns attach_disconnected,complain snap complain -snap-bootstrap complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-repair complain snap-seccomp complain snap-update-ns complain snapd complain snapd-apparmor complain -snapd-core-fixup complain snapshot complain speech-dispatcher complain +sshd-auth complain ssservice complain startplasma complain startx attach_disconnected,complain @@ -304,12 +314,14 @@ swtpm complain swtpm_ioctl complain swtpm_localca complain swtpm_setup complain +sysstat-sa complain +sysstat-sadc complain systemd-analyze complain systemd-ask-password complain systemd-binfmt attach_disconnected,complain systemd-cgls complain systemd-cgtop complain -systemd-cryptsetup complain +systemd-cryptsetup attach_disconnected,complain systemd-dissect attach_disconnected,complain systemd-escape complain systemd-generator-bless-boot attach_disconnected,complain 
@@ -319,41 +331,65 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-environment-snapd attach_disconnected,complain +systemd-generator-friendly-recover attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain +systemd-generator-import attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain +systemd-generator-openvpn attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain +systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain +systemd-generator-snapd attach_disconnected,complain +systemd-generator-ssh attach_disconnected,complain +systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain -systemd-generator-user-autostart complain -systemd-generator-user-environment complain +systemd-generator-sysv attach_disconnected,complain +systemd-generator-tpm2 attach_disconnected,complain +systemd-generator-user-autostart attach_disconnected,complain +systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain systemd-inhibit attach_disconnected,complain +systemd-initctl attach_disconnected,complain +systemd-journald attach_disconnected,mediate_deleted systemd-mount complain -systemd-network-generator complain +systemd-network-generator attach_disconnected,complain +systemd-nsresourced attach_disconnected,complain +systemd-nsresourcework complain systemd-portabled complain -systemd-remount-fs complain 
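Review bot: `systemd-journald attach_disconnected,mediate_deleted` in the `@@ -319,41 +331,65 @@` hunk is the only profile added by this diff without the `complain` flag, so unlike all its neighbours it will be loaded in enforce mode by default. If that is deliberate, a comment line above it saying the profile is intentionally enforced would stop a later contributor from "fixing" it; if not, the line should read `systemd-journald attach_disconnected,mediate_deleted,complain`.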
-systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain systemd-udevd attach_disconnected,complain -systemd-user-sessions complain +systemd-user-sessions attach_disconnected,complain systemd-userwork attach_disconnected,complain systemsettings complain telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain +ucf complain +ucfq complain +ucfr complain +udev-ata_id complain +udev-bcache-export-cached complain +udev-cdrom_id complain udev-dmi-memory-id complain +udev-fido_id complain +udev-hdparm complain +udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain +update-catalog complain update-grub complain +update-info-dir complain update-secureboot-policy complain +update-shells complain userdbctl complain utempter attach_disconnected,complain veracrypt complain @@ -366,18 +402,21 @@ virtnodedevd attach_disconnected,complain virtsecretd attach_disconnected,complain virtstoraged attach_disconnected,complain waybar attach_disconnected,complain -wg complain +wechat attach_disconnected,complain +wechat-appimage attach_disconnected,complain wg-quick complain +whoopsie complain +whoopsie-preferences complain wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain xdg-desktop-portal-kde complain xdg-desktop-portal-rewrite-launchers complain +xdg-desktop-portal-validate-icon attach_disconnected,complain xdg-user-dirs-gtk-update complain xdm-xsession complain xembedsniproxy complain xfce-session attach_disconnected,complain xsettingsd complain -xwaylandvideobridge complain zpool complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index a6d6bcc85..7339702a2 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags 
@@ -1,12 +1,14 @@ apport attach_disconnected,complain apport-checkreports complain apport-gtk complain +apt_news attach_disconnected,complain apt-esm-hook complain apt-esm-json-hook complain apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain @@ -18,6 +20,7 @@ software-properties-gtk complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain +ubuntu-fan-net attach_disconnected,complain ubuntu-report complain update-manager attach_disconnected,complain update-motd-fsck-at-reboot complain diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 917b117f1..0665edf85 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -2,21 +2,13 @@ # File format: one ignore by line, it can be a profile name or a directory to ignore # Contains profiles and configuration for full system confinement, only included -# when built with 'make full' +# when built with 'just fsp' apparmor.d/groups/_full # Provided by other packages man # Work in progress profiles +apparmor.d/groups/steam dunst plasma-discover -steam -steam-fossilize -steam-game-native -steam-game-proton -steam-gameoverlayui -steam-launch -steam-launcher -steam-runtime -steamerrorreporter diff --git a/dists/overwrite b/dists/overwrite index 767c07312..5bc00f9fe 100644 --- a/dists/overwrite +++ b/dists/overwrite 
@@ -1,8 +1,8 @@ -# Apparmor 4.0 ships several profiles that allow userns and are otherwise -# unconfined. This file keeps track of them and allow apparmor.d to replace -# them by our own. +# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d +# This file keeps track of them and allow apparmor.d to replace them by our own. # File format: one profile name by line. +# Overwrite unconfined upstream profiles that only allow userns brave chrome chromium @@ -13,13 +13,29 @@ flatpak foliate loupe msedge +mullvad nautilus opera +os-prober plasmashell signal-desktop slirp4netns +steam systemd-coredump thunderbird -transmission -unix-chkpwd virtiofsd + +# Overwrite upstreamed profiles, our local version may be more up to date +unix-chkpwd + +# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while +# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: +# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better +fusermount3 +lsblk +lsusb +openvpn +remmina +transmission +wg-quick diff --git a/docs/assets/avatar-icon.png b/docs/assets/avatar-icon.png new file mode 100644 index 000000000..80170da1e Binary files /dev/null and b/docs/assets/avatar-icon.png differ diff --git a/docs/configuration.md b/docs/configuration.md index c3017c28d..5e1c7992f 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -32,7 +32,7 @@ The profiles heavily use the **largely extended** [XDG directory variables](#xdg ``` 3. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl restart apparmor.service + sudo systemctl reload apparmor.service ``` ### Profile Additions 
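Review bot: The new comment block at the end of the `@@ -13,13 +13,29 @@` hunk in dists/overwrite has wording that will trip readers: `They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones:` should read `There can be several justifications for keeping our profiles here, or on the contrary for using the upstream ones:`, and `- Drop ours: when upstream profiles is better` should read `- Drop ours: when the upstream profile is better`. In the rewritten header of the `@@ -1,8 +1,8 @@` hunk, `allow apparmor.d to replace them` should be `allows apparmor.d to replace them`.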
@@ -41,7 +41,7 @@ You can extend any profile with your own rules by creating a file in the `/etc/a **Example** -By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: 1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: ```sh @@ -55,7 +55,7 @@ By default, `nautilus` (and any file browser) only allows access to user files. ``` 2. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl restart apparmor.service + sudo systemctl reload apparmor.service ``` ### XDG variables @@ -189,7 +189,7 @@ Common mount points are defined in the `@{MOUNTS}` variable. If you mount a disk If you mount a disk on `/ssd/`, add the following to `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`: ```sh -@{MOUNT}+=/ssd/ +@{MOUNTS}+=/ssd/ ``` + -### Chat - -A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org +
+
+
+
+ +

apparmor.d

+

Full set of AppArmor policies

+

apparmor.d is a collection of AppArmor profiles designed to restrict the behavior of Linux applications and processes.

+

Its goal is to confine everything, targeting both desktops and servers across all distributions that support AppArmor.

+ + Get started + + + + Demo Server + + +
+
+
+
diff --git a/docs/install.md b/docs/install.md index 91b0b4ae6..a56599c22 100644 --- a/docs/install.md +++ b/docs/install.md @@ -36,7 +36,8 @@ The following desktop environments are supported: **Build dependency** -* Go >= 1.21 +* Go >= 1.23 +* [just](https://github.com/casey/just) >= 1.40.0 ## Configure AppArmor @@ -84,12 +85,21 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg + ``` + + !!! note + + **Ubuntu 24.04 user will need to:** + + Install [just](https://github.com/casey/just). E.g: + ```sh + pipx install rust-just ``` !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. 
@@ -110,22 +120,29 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! note - You may need golang from the backports repository to build: + **Debian 12 user will need to:** + 1. Install Golang from the backports repository: ```sh echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list sudo apt update sudo apt install -t bookworm-backports golang-go ``` + 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g: + ```sh + pipx install rust-just + sed '/just/d' -i debian/control + ``` + !!! warning - **Beware**: do not install a `.deb` made for Ubuntu on Debian, the packages are different. + **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. 
@@ -144,20 +161,20 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. ```sh - make - sudo make profile-names... + just complain + sudo just local profile-names... ``` !!! warning Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - For instance, `sudo make pass` gives: + For instance, `sudo just local pass` gives: ```sh Warning: profile dependencies fallback to unconfined. @{bin}/wl-{copy,paste} rPx, @{bin}/xclip rPx, - @{bin}/python3.@{int} rPx -> pass-import, # pass-import + @{python_path} rPx -> pass-import, # pass-import @{pager_path} rPx -> child-pager, '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' ``` diff --git a/docs/overview.md b/docs/overview.md new file mode 100644 index 000000000..20a5a454f --- /dev/null +++ b/docs/overview.md 
@@ -0,0 +1,52 @@ +--- +title: Overview +--- + +!!! danger "Help Wanted" + + This project is still in its early development. Help is very welcome; see [Development](development/index.md) + +**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. + +### Purpose + +- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` +- Confine all Desktop environments +- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` +- Confine some *"special"* user applications: web browsers, file managers, etc +- Should not break a normal usage of the confined software + +See the [Concepts](concepts.md)' page for more detail on the architecture. + +### Goals + +- Target both desktops and servers +- Support for all distributions that support AppArmor: + * [:material-arch: Arch Linux](install.md#archlinux) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12/13](install.md#debian) + * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) +- Support for all major desktop environments: + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- [Fully tested](development/tests.md) + +### Demo + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. 
You can try it online on my AppArmor play machine at https://play.pujol.io/ + +### Presentations + +Building the largest set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* + +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + +### Chat + +A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/docs/usage.md b/docs/usage.md index e73439efc..372762998 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -116,15 +116,15 @@ profile dnsmasq { ### Help ``` -aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] +aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] - Review AppArmor generated messages in a colorful way. Supports logs from + Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -132,4 +132,5 @@ Options: -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. + -S, --since DATE Show entries not older than the specified date. ``` diff --git a/docs/variables.md b/docs/variables.md index 7dc8e5ff6..1bcee8f93 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -168,7 +168,8 @@ title: Variables References | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | | Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/@{user}/ /mnt/` | | Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` | -| Bin | `@{bin}` | `/{usr/,}{s,}bin` | +| Bin | `@{bin}` | `/{usr/,}bin` | +| Sbin | `@{sbin}` | `/{usr/,}sbin` | | Lib | `@{lib}` | `/{usr/,}lib{,exec,32,64}` | | multi-arch library | `@{multiarch}` | `*-linux-gnu*` | | Proc | `@{PROC}` | `/proc/` | diff --git a/go.mod b/go.mod index f98df5c19..3bea9f548 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,3 @@ module github.com/roddhjav/apparmor.d -go 1.22 +go 1.23.0 diff --git a/mkdocs.yml b/mkdocs.yml index 9390b3dde..e5244a529 100644 --- a/mkdocs.yml 
+++ b/mkdocs.yml @@ -15,7 +15,7 @@ repo_url: https://github.com/roddhjav/apparmor.d edit_uri: edit/main/docs/ # Copyright -copyright: Copyright © 2021-2024 Alexandre Pujol +copyright: Copyright © 2021-2025 Alexandre Pujol # Configuration theme: @@ -138,6 +138,7 @@ nav: - Home: - index.md - Getting Started: + - overview.md - concepts.md - install.md - configuration.md @@ -152,6 +153,7 @@ nav: - recovery.md - Development: - development/index.md + - development/roadmap.md - Profiles: - development/workflow.md - development/guidelines.md @@ -160,6 +162,9 @@ nav: - development/directives.md - development/dbus.md - development/recommendations.md + - Packages: + - development/build.md - Tests: - development/tests.md + - development/vm.md - development/integration.md diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index a887d4b98..6119a0c91 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -8,7 +8,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -// Default Apparmor magic directory: /etc/apparmor.d/. +// MagicRoot is the default Apparmor magic directory: /etc/apparmor.d/. var MagicRoot = paths.New("/etc/apparmor.d") // AppArmorProfileFiles represents a full set of apparmor profiles 
@@ -33,8 +33,9 @@ func DefaultTunables() *AppArmorProfileFile { return &AppArmorProfileFile{ Preamble: Rules{ &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, - &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, + &Variable{Name: "bin", Values: []string{"/{,usr/}bin"}, Define: true}, &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, + &Variable{Name: "dpkg_script_ext", Values: []string{"config", "templates", "preinst", "postinst", "prerm", "postrm"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true}, @@ -48,7 +49,9 @@ func DefaultTunables() *AppArmorProfileFile { &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true}, &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true}, &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true}, + &Variable{Name: "user", Values: []string{"[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}"}, Define: true}, &Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true}, + &Variable{Name: "w", Values: []string{"[a-zA-Z0-9_]"}, Define: true}, }, } } diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 0cc74d438..172cfc2b5 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go 
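Review bot: `DefaultTunables()` now defines `bin` as `/{,usr/}bin` but adds no `sbin` variable, while the pkg/aa/apparmor_test.go hunks in this diff switch `exec_path` to `@{sbin}/aa-status` and docs/variables.md documents `@{sbin}` as `/{usr/,}sbin`. If this preamble is meant to mirror the shipped tunables (not verifiable from this page), anything parsed against it that references `@{sbin}` will hit an undefined variable; add `&Variable{Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true},` in alphabetical order with the other entries. The hand-expanded `user` value of thirty-one `{@{w},}` repetitions would also be easier to audit with a comment stating the intended maximum username length it encodes and why it is written out rather than generated.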
@@ -211,7 +211,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IsMagic: true, Path: "tunables/global"}, &Variable{ Name: "exec_path", Define: true, - Values: []string{"@{bin}/aa-status", "@{bin}/apparmor_status"}, + Values: []string{"@{sbin}/aa-status", "@{sbin}/apparmor_status"}, }, }, Profiles: []*Profile{{ @@ -223,11 +223,11 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"}, &Capability{Names: []string{"dac_read_search"}}, &File{Path: "@{exec_path}", Access: []string{"m", "r"}}, - &File{Path: "@{PROC}/@{pids}/attr/apparmor/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/apparmor/current", Access: []string{"r"}}, &File{Path: "@{PROC}/", Access: []string{"r"}}, &File{Path: "@{sys}/module/apparmor/parameters/enabled", Access: []string{"r"}}, &File{Path: "@{sys}/kernel/security/apparmor/profiles", Access: []string{"r"}}, - &File{Path: "@{PROC}/@{pids}/attr/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/current", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/consoles"}, &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/base"}, @@ -237,7 +237,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { }, }}, }, - want: mustReadProfileFile(intData.Join("profiles-a-f/aa-status")), + want: mustReadProfileFile(intData.Join("groups/apparmor/aa-status")), }, } for _, tt := range tests { diff --git a/pkg/aa/base.go b/pkg/aa/base.go index 609525111..eaf69f71c 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -104,10 +104,7 @@ type Qualifier struct { } func newQualifierFromLog(log map[string]string) Qualifier { - audit := false - if log["apparmor"] == "AUDIT" { - audit = true - } + audit := log["apparmor"] == "AUDIT" return Qualifier{Audit: audit} } diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go index 901fdaae8..d0826dfa2 100644 
--- a/pkg/aa/blocks.go +++ b/pkg/aa/blocks.go @@ -27,21 +27,21 @@ func (p *Hat) String() string { return renderTemplate(p.Kind(), p) } -func (r *Hat) Validate() error { +func (p *Hat) Validate() error { return nil } -func (r *Hat) Compare(other Rule) int { +func (p *Hat) Compare(other Rule) int { o, _ := other.(*Hat) - return compare(r.Name, o.Name) + return compare(p.Name, o.Name) } -func (r *Hat) Merge(other Rule) bool { +func (p *Hat) Merge(other Rule) bool { return false // Never merge hat blocks } -func (r *Hat) Lengths() []int { +func (p *Hat) Lengths() []int { return []int{} // No len for hat } -func (r *Hat) setPaddings(max []int) {} // No paddings for hat +func (p *Hat) setPaddings(max []int) {} // No paddings for hat diff --git a/pkg/aa/capability.go b/pkg/aa/capability.go index b1ba27c6a..a55f8bc9b 100644 --- a/pkg/aa/capability.go +++ b/pkg/aa/capability.go @@ -84,8 +84,8 @@ func (r *Capability) Merge(other Rule) bool { func (r *Capability) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Names), } } diff --git a/pkg/aa/change_profile.go b/pkg/aa/change_profile.go index 769427024..5334b343c 100644 --- a/pkg/aa/change_profile.go +++ b/pkg/aa/change_profile.go @@ -106,8 +106,8 @@ func (r *ChangeProfile) Merge(other Rule) bool { func (r *ChangeProfile) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.ExecMode), length("", r.Exec), length("", r.ProfileName), diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go index 79072925f..fa4ec7ec4 100644 --- a/pkg/aa/dbus.go +++ b/pkg/aa/dbus.go @@ -125,7 +125,7 @@ func (r *Dbus) Compare(other Rule) int { func (r *Dbus) Merge(other Rule) bool { o, _ := other.(*Dbus) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Bus == o.Bus && r.Name == o.Name && r.Path == o.Path && 
diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 36c7101a4..091f9436f 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -168,7 +168,7 @@ func (r *File) Compare(other Rule) int { func (r *File) Merge(other Rule) bool { o, _ := other.(*File) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Owner == o.Owner && r.Path == o.Path && r.Target == o.Target { @@ -189,8 +189,8 @@ func (r *File) Lengths() []int { lenPath = length("", r.Path) } return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("owner", r.Owner), lenPath, } @@ -212,7 +212,7 @@ func (r *File) addLine(other Rule) bool { letterJ := getLetterIn(fileAlphabet, other.(*File).Path) groupI, ok1 := fileAlphabetGroups[letterI] groupJ, ok2 := fileAlphabetGroups[letterJ] - return letterI != letterJ && !(ok1 && ok2 && groupI == groupJ) + return letterI != letterJ && (!ok1 || !ok2 || groupI != groupJ) } type Link struct { @@ -314,8 +314,8 @@ func (r *Link) Merge(other Rule) bool { func (r *Link) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("owner", r.Owner), length("subset", r.Subset), length("", r.Path), diff --git a/pkg/aa/io_uring.go b/pkg/aa/io_uring.go index 3346ed4c6..76e9e172d 100644 --- a/pkg/aa/io_uring.go +++ b/pkg/aa/io_uring.go @@ -78,7 +78,7 @@ func (r *IOUring) Compare(other Rule) int { func (r *IOUring) Merge(other Rule) bool { o, _ := other.(*IOUring) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Label == o.Label { @@ -91,8 +91,8 @@ func (r *IOUring) Merge(other Rule) bool { func (r *IOUring) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("label=", r.Label), } diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index a9d8dbeaf..72719414d 100644 
--- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -29,7 +29,7 @@ func init() { "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", - "norelatime", "nosuid", "nouser", "private", "rbind", "relatime", + "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", @@ -181,7 +181,7 @@ func (r *Mount) Merge(other Rule) bool { o, _ := other.(*Mount) mc := &r.MountConditions - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Source == o.Source && r.MountPoint == o.MountPoint && @@ -194,10 +194,10 @@ func (r *Mount) Merge(other Rule) bool { func (r *Mount) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), - r.MountConditions.getLenFsType(), - r.MountConditions.getLenOptions(), + r.getLenAudit(), + r.getLenAccess(), + r.getLenFsType(), + r.getLenOptions(), length("", r.Source), length("", r.MountPoint), } @@ -278,7 +278,7 @@ func (r *Umount) Merge(other Rule) bool { o, _ := other.(*Umount) mc := &r.MountConditions - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { @@ -290,10 +290,10 @@ func (r *Umount) Merge(other Rule) bool { func (r *Umount) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), - r.MountConditions.getLenFsType(), - r.MountConditions.getLenOptions(), + r.getLenAudit(), + r.getLenAccess(), + r.getLenFsType(), + r.getLenOptions(), length("", r.MountPoint), } } 
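Review bot: Adding `nosymfollow` to the accepted mount option list lets log-to-rule conversion emit an option that older `apparmor_parser` builds may reject at load time, and this list is the only validation between a log event and a generated profile. Please confirm the minimum AppArmor userspace version this project supports accepts `nosymfollow` in mount rules, and if it does not, gate it on `prebuild.Version` or note the requirement in a comment next to the entry, e.g. `"nosymfollow", // requires apparmor_parser >= <version> — verify`. The option table is inside an `init` whose start is outside the hunk.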
@@ -374,7 +374,7 @@ func (r *Remount) Merge(other Rule) bool { o, _ := other.(*Remount) mc := &r.MountConditions - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { @@ -386,10 +386,10 @@ func (r *Remount) Merge(other Rule) bool { func (r *Remount) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), - r.MountConditions.getLenFsType(), - r.MountConditions.getLenOptions(), + r.getLenAudit(), + r.getLenAccess(), + r.getLenFsType(), + r.getLenOptions(), length("", r.MountPoint), } } diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go index 82106ec79..12ae4bd59 100644 --- a/pkg/aa/mqueue.go +++ b/pkg/aa/mqueue.go @@ -112,7 +112,7 @@ func (r *Mqueue) Compare(other Rule) int { func (r *Mqueue) Merge(other Rule) bool { o, _ := other.(*Mqueue) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Label == o.Label && r.Name == o.Name { @@ -125,8 +125,8 @@ func (r *Mqueue) Merge(other Rule) bool { func (r *Mqueue) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("type=", r.Type), length("label=", r.Label), diff --git a/pkg/aa/network.go b/pkg/aa/network.go index 69bd01c83..d5a2af70b 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -147,8 +147,8 @@ func (r *Network) Merge(other Rule) bool { func (r *Network) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Domain), length("", r.Type), length("", r.Protocol), diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index ef8a7acd9..e01696d74 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go 
@@ -286,10 +286,7 @@ func parseRule(str string) rule { res := make(rule, 0, len(str)/2) tokens := tokenizeRule(str) - inAare := false - if len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) { - inAare = true - } + inAare := len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) for idx, token := range tokens { switch { case token == tokEQUAL, token == tokPLUS+tokEQUAL, token == tokLESS+tokEQUAL: // Variable & Rlimit @@ -514,7 +511,7 @@ func newRules(rules []rule) (Rules, error) { for _, rule := range rules { if len(rule) == 0 { - return nil, fmt.Errorf("Empty rule") + return nil, fmt.Errorf("empty rule") } owner := false @@ -563,7 +560,7 @@ func newRules(rules []rule) (Rules, error) { // return nil, fmt.Errorf("Unknown rule: %s", rule) } } else { - return nil, fmt.Errorf("Unrecognized rule: %s", rule) + return nil, fmt.Errorf("unrecognized rule: %s", rule) } } } @@ -657,7 +654,7 @@ done: return nb, nil } -// Parse apparmor profile rules by paragraphs +// ParseRules parses apparmor profile rules by paragraphs func ParseRules(input string) (ParaRules, []string, error) { paragraphRules := ParaRules{} paragraphs := []string{} diff --git a/pkg/aa/pivot_root.go b/pkg/aa/pivot_root.go index 2341f4458..8632b4490 100644 --- a/pkg/aa/pivot_root.go +++ b/pkg/aa/pivot_root.go @@ -86,8 +86,8 @@ func (r *PivotRoot) Merge(other Rule) bool { func (r *PivotRoot) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("oldroot=", r.OldRoot), length("", r.NewRoot), length("", r.TargetProfile), diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 4b54954a9..50e7dbef7 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go 
@@ -72,10 +72,10 @@ func newAbi(q Qualifier, rule rule) (Rule, error) { } path := rule.Get(0) - switch { - case path[0] == '"': + switch path[0] { + case '"': magic = false - case path[0] == '<': + case '<': magic = true default: return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) @@ -198,10 +198,10 @@ func newInclude(rule rule) (Rule, error) { } path := r[0] - switch { - case path[0] == '"': + switch path[0] { + case '"': magic = false - case path[0] == '<': + case '<': magic = true default: return nil, fmt.Errorf("invalid path format: %v", path) diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 30e8b106f..5d097cad9 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -81,19 +81,19 @@ func (p *Profile) String() string { return renderTemplate(p.Kind(), p) } -func (r *Profile) Validate() error { - if err := validateValues(r.Kind(), tokFLAGS, r.Flags); err != nil { - return fmt.Errorf("profile %s: %w", r.Name, err) +func (p *Profile) Validate() error { + if err := validateValues(p.Kind(), tokFLAGS, p.Flags); err != nil { + return fmt.Errorf("profile %s: %w", p.Name, err) } - return r.Rules.Validate() + return p.Rules.Validate() } -func (r *Profile) Compare(other Rule) int { +func (p *Profile) Compare(other Rule) int { o, _ := other.(*Profile) - if res := compare(r.Name, o.Name); res != 0 { + if res := compare(p.Name, o.Name); res != 0 { return res } - return compare(r.Attachments, o.Attachments) + return compare(p.Attachments, o.Attachments) } func (p *Profile) Merge(other Rule) bool { @@ -103,11 +103,11 @@ func (p *Profile) Merge(other Rule) bool { return false } -func (r *Profile) Lengths() []int { +func (p *Profile) Lengths() []int { return []int{} // No len for profile } -func (r *Profile) setPaddings(max []int) {} // No paddings for profile +func (p *Profile) setPaddings(max []int) {} // No paddings for profile func (p *Profile) Sort() { p.Rules = p.Rules.Sort() 
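Review bot: Both rewritten switches still index `path[0]` without guarding against an empty string, so a malformed `abi` or `include` rule whose first token is empty panics the parser instead of returning the "invalid path" error that the default case is there to produce. Since this code parses profile text that may come from third-party or user-edited files, add the guard before the switch, `if path == "" { return nil, fmt.Errorf("empty path in rule: %s", rule) }`, in both `newAbi` and `newInclude`. Both enclosing functions start and end outside the hunk.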
@@ -140,10 +140,16 @@ func (p *Profile) GetAttachments() string { var ( newLogMap = map[string]func(log map[string]string) Rule{ // class - "rlimits": newRlimitFromLog, - "namespace": newUsernsFromLog, - "cap": newCapabilityFromLog, - "net": newNetworkFromLog, + "rlimits": newRlimitFromLog, + "namespace": newUsernsFromLog, + "cap": newCapabilityFromLog, + "net": func(log map[string]string) Rule { + if log["family"] == "unix" { + return newUnixFromLog(log) + } else { + return newNetworkFromLog(log) + } + }, "posix_mqueue": newMqueueFromLog, "sysv_mqueue": newMqueueFromLog, "signal": newSignalFromLog, @@ -176,6 +182,7 @@ var ( "open": newFileFromLog, "rename_dest": newFileFromLog, "rename_src": newFileFromLog, + "rmdir": newFileFromLog, "truncate": newFileFromLog, "unlink": newFileFromLog, } @@ -219,7 +226,7 @@ func (p *Profile) AddRule(log map[string]string) { case strings.Contains(log["operation"], "dbus"): p.Rules = append(p.Rules, newDbusFromLog(log)) default: - fmt.Printf("unknown log type: %s\n", log["operation"]) + fmt.Printf("unknown log type: %s:%v\n", log["operation"], log) } } } diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go index 91547087c..7e0990fe8 100644 --- a/pkg/aa/ptrace.go +++ b/pkg/aa/ptrace.go @@ -80,7 +80,7 @@ func (r *Ptrace) Compare(other Rule) int { func (r *Ptrace) Merge(other Rule) bool { o, _ := other.(*Ptrace) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Peer == o.Peer { @@ -93,8 +93,8 @@ func (r *Ptrace) Merge(other Rule) bool { func (r *Ptrace) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("peer=", r.Peer), } diff --git a/pkg/aa/resolve.go b/pkg/aa/resolve.go index 6ce768bc0..8dc09b2c6 100644 --- a/pkg/aa/resolve.go +++ b/pkg/aa/resolve.go 
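Review bot: The new `"net"` dispatch closure uses an `else` after a branch that already returns, which `gofmt`/`golint` style flags; the idiomatic form is `if log["family"] == "unix" { return newUnixFromLog(log) }` followed by a bare `return newNetworkFromLog(log)`. A one-line comment explaining why unix-domain events are routed to `newUnixFromLog` rather than `newNetworkFromLog` would also help, since the kernel reports both under the same `class=net`. The `AddRule` change in the last hunk now prints the entire log map to stdout; that is useful for debugging but consider whether stdout is the right sink for a library package, or route it through the project's logging helpers if no import cycle results.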
@@ -80,7 +80,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { values := []string{} match := regVariableReference.FindStringSubmatch(input) if len(match) == 0 { - return nil, fmt.Errorf("Invalid variable reference: %s", input) + return nil, fmt.Errorf("invalid variable reference: %s", input) } variable := match[0] @@ -105,7 +105,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { } if !found { - return nil, fmt.Errorf("Variable %s not defined", varname) + return nil, fmt.Errorf("variable %s not defined", varname) } return values, nil } @@ -113,7 +113,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { // resolveInclude resolves all includes defined in the profile preamble func (f *AppArmorProfileFile) resolveInclude(include *Include) error { if include == nil || include.Path == "" { - return fmt.Errorf("Invalid include: %v", include) + return fmt.Errorf("invalid include: %v", include) } _, isCached := includeCache[include] diff --git a/pkg/aa/resolve_test.go b/pkg/aa/resolve_test.go index 5c9c9026f..1e4a54fe5 100644 --- a/pkg/aa/resolve_test.go +++ b/pkg/aa/resolve_test.go @@ -85,7 +85,7 @@ func TestAppArmorProfileFile_resolveValues(t *testing.T) { { name: "simple", input: "@{bin}/foo", - want: []string{"/{,usr/}{,s}bin/foo"}, + want: []string{"/{,usr/}bin/foo"}, }, { name: "double", diff --git a/pkg/aa/rlimit.go b/pkg/aa/rlimit.go index d7b9a0518..29c617ff1 100644 --- a/pkg/aa/rlimit.go +++ b/pkg/aa/rlimit.go @@ -45,8 +45,8 @@ func newRlimit(q Qualifier, rule rule) (Rule, error) { func newRlimitFromLog(log map[string]string) Rule { return &Rlimit{ Base: newBaseFromLog(log), - Key: log["key"], - Op: log["op"], + Key: log["rlimit"], + Op: "<=", Value: log["value"], } } diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go index c0fa4e1be..319e16584 100644 --- a/pkg/aa/signal.go +++ b/pkg/aa/signal.go 
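Review bot: `newRlimitFromLog` now hard-codes `Op: "<="`, which is correct because AppArmor rlimit rules only support that operator, but nothing in the code says so and a future reader may assume a real field went missing. Add a short comment, `// rlimit rules only accept the "<=" operator; the kernel log carries none`, and consider a guard for the renamed key, since `Key: log["rlimit"]` silently yields an empty resource name if the log field is absent or spelled differently. The function is fully visible in the hunk.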
@@ -106,7 +106,7 @@ func (r *Signal) Compare(other Rule) int { func (r *Signal) Merge(other Rule) bool { o, _ := other.(*Signal) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } switch { @@ -124,8 +124,8 @@ func (r *Signal) Merge(other Rule) bool { func (r *Signal) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("set=", r.Set), length("peer=", r.Peer), diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index 3b14c2984..1e8a99298 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go @@ -124,7 +124,7 @@ func (r *Unix) Compare(other Rule) int { func (r *Unix) Merge(other Rule) bool { o, _ := other.(*Unix) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Protocol == o.Protocol && r.Address == o.Address && @@ -139,8 +139,8 @@ func (r *Unix) Merge(other Rule) bool { func (r *Unix) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("type=", r.Type), length("protocol=", r.Protocol), diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 485478fef..5a7049d69 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -182,7 +182,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) + return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) } } slices.SortFunc(res, func(i, j string) int { diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go index 7f5af2e08..642dc8273 100644 --- a/pkg/logging/logging.go +++ b/pkg/logging/logging.go 
@@ -81,7 +81,7 @@ func Warning(msg string, a ...interface{}) int { return Print("%s", Warningf(msg, a...)) } -// Fatalf returns a formatted error message +// Error returns a formatted error message func Error(msg string, a ...interface{}) int { return Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) } diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 194e6dc03..2443eaace 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -67,7 +67,8 @@ var ( `/att/[^/@]+`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, - `/usr/(bin|sbin)`, `@{bin}`, + `/usr/sbin`, `@{sbin}`, + `/usr/bin`, `@{bin}`, `(x86_64|amd64|i386|i686)`, `@{arch}`, `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index 6ddd5ac9e..376b23f42 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -81,7 +81,7 @@ func TestAppArmorEvents(t *testing.T) { want: AppArmorLogs{ { "apparmor": "ALLOWED", - "profile": "@{bin}/httpd2-prefork//vhost_foo", + "profile": "@{sbin}/httpd2-prefork//vhost_foo", "operation": "rename_dest", "name": "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg", "comm": "httpd2-prefork", diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index feb1e21c4..357b9c2f7 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go 
@@ -388,6 +388,16 @@ func CopyTo(src *Path, dst *Path) error { return nil } +// CopyFS copies the file system fsys into the directory dir, +// creating dir if necessary. It is the exivalent of os.CopyFS with Path. +func (p *Path) CopyFS(dst *Path) error { + err := os.CopyFS(dst.String(), os.DirFS(p.String())) + if err != nil { + return fmt.Errorf("copying %s to %s: %s", p, dst, err) + } + return nil +} + // CopyDirTo recursively copies the directory denoted by the current path to // the destination path. The source directory must exist and the destination // directory must NOT exist (no implicit destination name allowed). @@ -515,7 +525,7 @@ func (p *Path) ReadFileAsLines() ([]string, error) { return nil, err } txt := string(data) - txt = strings.Replace(txt, "\r\n", "\n", -1) + txt = strings.ReplaceAll(txt, "\r\n", "\n") return strings.Split(txt, "\n"), nil } @@ -536,7 +546,7 @@ func (p *Path) MustReadFilteredFileAsLines() []string { panic(err) } txt := string(data) - txt = strings.Replace(txt, "\r\n", "\n", -1) + txt = strings.ReplaceAll(txt, "\r\n", "\n") txt = util.Filter(txt) res := strings.Split(txt, "\n") if slices.Contains(res, "") { @@ -630,7 +640,9 @@ func (p *Path) String() string { func (p *Path) Canonical() *Path { canonical := p.Clone() // https://github.com/golang/go/issues/17084#issuecomment-246645354 - canonical.FollowSymLink() + if err := canonical.FollowSymLink(); err != nil { + return nil + } if absPath, err := canonical.Abs(); err == nil { canonical = absPath } diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76..492e3cc31 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,8 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` all`, ` # all`, + ` deny mqueue`, ` # deny mqueue`, }) ) diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index 6fd700291..aeafcbf7d 100644 --- a/pkg/prebuild/builder/attach.go 
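Review bot: `CopyFS` wraps the error with `%s`, which discards the underlying `*PathError`/`fs.ErrExist` so callers can no longer use `errors.Is`; the rest of this package's newer code wraps with `%w`, so use `return fmt.Errorf("copying %s to %s: %w", p, dst, err)`. The doc comment has a typo ("exivalent") and should state the behaviour inherited from `os.CopyFS` that callers must plan for: it refuses to overwrite files that already exist in `dst` and returns an error for symbolic links in the source tree, both of which matter when copying a profile tree over an existing `/etc/apparmor.d`. `os.CopyFS` also requires Go 1.23; the `go.mod` bump is not in this chunk, so please confirm it is part of the change.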
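Review bot: `Canonical` now returns `nil` when `FollowSymLink` fails, whereas before it fell through and still returned a usable (if not fully resolved) path; any caller that chains `.Canonical().String()` or similar will now panic on a dangling symlink rather than get an error. Callers are outside this chunk, so I cannot confirm they all nil-check, but the safer options are to keep returning `canonical` on error as before, or to change the signature to `(*Path, error)` and fix the call sites in the same commit. If `nil` is intentional, document it on the function: `// Canonical returns nil if the symlink chain cannot be followed.`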
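Review bot: The new ` all` → ` # all` pair for the ABI 3 downgrade is an undelimited prefix, so it also rewrites any token that begins with `all` after a space — notably `allow`, which `apparmor_parser` accepts as a rule prefix — turning such rules into comments and silently dropping them from the ABI 3 build. Anchor the match on the rule terminator, ` all,` → ` # all,`, as the existing ` userns,` entry already does. Separately, ` mqueue` is listed before ` deny mqueue`; if the constructor applies these pairs sequentially rather than as a single `strings.NewReplacer` pass (not visible here), the first pair will already have produced ` deny # mqueue` and the second never matches, so please verify the replacer semantics or reorder.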
+++ b/pkg/prebuild/builder/attach.go @@ -5,16 +5,11 @@ package builder import ( - "regexp" "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -var ( - regProfile = regexp.MustCompile(`profile ([^ ]+)`) -) - type ReAttach struct { prebuild.Base } @@ -23,14 +18,15 @@ func init() { RegisterBuilder(&ReAttach{ Base: prebuild.Base{ Keyword: "attach", - Msg: "Re-attach disconnect path", + Msg: "Re-attach disconnected path", }, }) } // Apply will re-attach the disconnected path // - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag -// - Add the attached/base abstraction in the profile +// - Replace the base abstraction by attached/base +// - Replace the consoles abstraction by attached/consoles // - For compatibility, non disconnected profile will have the @{att} variable set to / func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string @@ -38,27 +34,25 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { if strings.Contains(profile, "attach_disconnected") { insert = "@{att} = /att/" + opt.Name + "/\n" - profile = strings.Replace(profile, + profile = strings.ReplaceAll(profile, "attach_disconnected", - "attach_disconnected,attach_disconnected.path=@{att}", -1, + "attach_disconnected,attach_disconnected.path=@{att}", + ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", ) - - old := "include if exists " - new := "include \n " + old - profile = strings.Replace(profile, old, new, 1) - - for _, match := range regProfile.FindAllStringSubmatch(profile, -1) { - name := match[1] - if name == opt.Name { - continue - } - old = "include if exists " - new = "include \n " + old - profile = strings.Replace(profile, old, new, 1) - } } else { insert = "@{att} = /\n" + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) } return strings.Replace(profile, origin, insert+origin, 1), nil 
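Review bot: Both the branch condition `strings.Contains(profile, "attach_disconnected")` and the `ReplaceAll` on the same substring are not token-aware: they also fire on the valid `no_attach_disconnected` flag and on any comment mentioning the flag, and re-running the builder on already-processed text yields `attach_disconnected,attach_disconnected.path=@{att}.path=...`, since the `.path=` variant contains the bare flag as a prefix. I cannot see whether any in-tree profile uses `no_attach_disconnected` or is prebuilt twice, but the rewrite should match the flag as a whole token inside the `flags=(...)` list, for example with a regexp such as `(^|[(, ])attach_disconnected([,)])`, which would mean restoring the `regexp` import this hunk removes. The abstraction swaps via `ReplaceAll("include <abstractions/base>", ...)` are fine as literals, but a comment stating that they intentionally apply to every sub-profile and hat in the file would document the change from the previous per-profile loop.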
diff --git a/pkg/prebuild/builder/core.go b/pkg/prebuild/builder/core.go index 93b73d76c..bfc1aa025 100644 --- a/pkg/prebuild/builder/core.go +++ b/pkg/prebuild/builder/core.go @@ -20,13 +20,13 @@ var ( Builders = map[string]Builder{} ) -// Main directive interface +// Builder main directive interface type Builder interface { prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) } -// Builder options +// Option for a builder type Option struct { Name string File *paths.Path diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 5a1a39da0..06ceb1d28 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -209,7 +209,7 @@ func TestBuilder_Apply(t *testing.T) { want: ` @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file - profile baloo /{{,usr/}{,s}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { + profile baloo /{{,usr/}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { include @{exec_path} mr, diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index d62cad522..37bb3a978 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go 
@@ -33,14 +33,23 @@ func init() { } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions")); ok { - return profile, nil - } - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("tunables")); ok { - return profile, nil + for _, dir := range []string{"abstractions", "tunables", "local", "mappings"} { + if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { + return profile, nil + } } f := aa.DefaultTunables() + if prebuild.Distribution == "arch" { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}{,s}bin"}, Define: true, + }) + } else { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true, + }) + } + if _, err := f.Parse(profile); err != nil { return "", err } @@ -55,7 +64,7 @@ func (b Userspace) Apply(opt *Option, profile string) (string, error) { matches := regAttachments.FindAllString(profile, -1) if len(matches) > 0 { att := f.GetDefaultProfile().GetAttachments() - strheader := strings.Replace(matches[0], tokATTACHMENT, att, -1) + strheader := strings.ReplaceAll(matches[0], tokATTACHMENT, att) return regAttachments.ReplaceAllLiteralString(profile, strheader), nil } return profile, nil diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 2821d52c2..51636f848 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -18,8 +18,9 @@ import ( ) const ( - nilABI uint = 0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] + nilABI = 0 + nilVer = 0.0 + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. 
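Review bot: The `@{sbin}` tunable is chosen by comparing `prebuild.Distribution` against the literal `"arch"`, which encodes a filesystem property (merged `/usr/sbin`) as a distribution name; as I recall Fedora 42 also merged `/usr/sbin` into `/usr/bin`, and other distributions are heading the same way, so this check will under-match there and attachments on `@{sbin}/...` will silently miss the real binary path. Consider deriving it from the filesystem or a per-distribution capability flag instead, or at least add a comment naming the assumption: `// Arch ships /usr/sbin as a symlink to bin; @{sbin} must therefore also match /usr/bin there`. The early-return loop over `abstractions`/`tunables`/`local`/`mappings` is a clear improvement, though a one-line comment on why those directories are exempt from header rewriting would help the next reader.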
@@ -29,6 +30,7 @@ Options: -c, --complain Set complain flag on all profiles. -e, --enforce Set enforce flag on all profiles. -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. -f, --full Set AppArmor for full system policy. -F, --file Only prebuild a given file. ` @@ -39,7 +41,8 @@ var ( complain bool enforce bool full bool - abi uint + abi int + version float64 file string ) @@ -52,13 +55,15 @@ func init() { flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") - flag.UintVar(&abi, "a", nilABI, "Target apparmor ABI.") - flag.UintVar(&abi, "abi", nilABI, "Target apparmor ABI.") + flag.IntVar(&abi, "a", nilABI, "Target apparmor ABI.") + flag.IntVar(&abi, "abi", nilABI, "Target apparmor ABI.") + flag.Float64Var(&version, "v", nilVer, "Target apparmor version.") + flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") flag.StringVar(&file, "F", "", "Only prebuild a given file.") flag.StringVar(&file, "file", "", "Only prebuild a given file.") } -func Prebuild() { +func Configure() { flag.Usage = func() { fmt.Printf("%s\n%s\n%s\n%s", usage, prebuild.Help("Prepare", prepare.Tasks), @@ -75,6 +80,7 @@ func Prebuild() { if full && paths.New("apparmor.d/groups/_full").Exist() { prepare.Register("fsp") builder.Register("fsp") + prebuild.RBAC = true } else if prebuild.SystemdDir.Exist() { prepare.Register("systemd-early") } 
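Review bot: Representing the target AppArmor version as a `float64` (`version float64`, `flag.Float64Var`, later printed with `%.1f`) cannot distinguish `4.1` from `4.10` and will compare incorrectly once a minor version reaches two digits; a string parsed into major/minor integers, or a small `struct{Major, Minor int}`, avoids that. The `-v`/`--version` spelling is also conventionally "print the tool's own version", so a user typing `aa-prebuild -v` gets a parse error instead of what they expected; `--target-version` or `--aa-version` would be less surprising. Lowering `abi` from `uint` to `int` means negative values now reach the `switch` and only fail via the `default` branch, which is acceptable but worth a comment.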
@@ -92,19 +98,27 @@ func Prebuild() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // builder.Register("attach") // Re-attach disconnect path + // builder.Register("attach") // Re-attach disconnected path default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } + if version != nilVer { + prebuild.Version = version + } if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) - sync.Path = file + sync.Paths = []string{file} overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) - overwrite.OneFile = true + overwrite.Optional = true } +} +func Prebuild() { logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) + if prebuild.Version != nilVer { + logging.Success("AppArmor version targeted: %.1f", prebuild.Version) + } if err := Prepare(); err != nil { logging.Fatal("%s", err.Error()) } diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index aadf9294e..cde9470dc 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -23,7 +23,7 @@ var ( regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*)( .*)?`) ) -// Main directive interface +// Directive main interface type Directive interface { prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) @@ -39,7 +39,7 @@ func Usage() string { return res } -// Directive options +// Option for the directive type Option struct { Name string ArgMap map[string]string @@ -83,7 +83,7 @@ func (o *Option) cleanKeyword(input string) string { return reg.ReplaceAllString(input, "") } -// Check if the directive is inline or if it is a paragraph +// IsInline checks if either the directive is in one line or if it is a paragraph func (o *Option) IsInline() bool { inline := true tmp := strings.Split(o.Raw, Keyword) 
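Review bot: `Prebuild` now depends on `Configure` having been called first (for `prebuild.ABI`, `prebuild.Version` and the registered builders), but neither function documents that ordering, so an external caller of the package can easily call `Prebuild` alone and get a build for a default ABI. Add doc comments to both exported functions, e.g. `// Configure parses the command line and registers the prepare tasks and builders; it must run before Prebuild.` and `// Prebuild runs the configured prepare tasks and builders; call Configure first.` The new lines `sync.Paths = []string{file}` and `overwrite.Optional = true` also dereference results of ignored type assertions (`sync, _ := ...`), which will nil-panic if either task is ever unregistered; checking the `ok` value and calling `logging.Fatal` would make the failure explicit. `Prebuild` continues past the end of the hunk.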
@@ -106,7 +106,10 @@ func Run(file *paths.Path, profile string) (string, error) { opt := NewOption(file, match) drtv, ok := Directives[opt.Name] if !ok { - return "", fmt.Errorf("Unknown directive '%s' in %s", opt.Name, opt.File) + if opt.Name == "lint" { + continue + } + return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File) } profile, err = drtv.Apply(opt, profile) if err != nil { diff --git a/pkg/prebuild/directive/core_test.go b/pkg/prebuild/directive/core_test.go index faf39df4b..229dda630 100644 --- a/pkg/prebuild/directive/core_test.go +++ b/pkg/prebuild/directive/core_test.go @@ -20,7 +20,7 @@ func TestNewOption(t *testing.T) { }{ { name: "dbus", - file: nil, + file: paths.New("dbus"), match: []string{ " #aa:dbus own bus=system name=org.gnome.DisplayManager", "dbus", @@ -34,13 +34,13 @@ func TestNewOption(t *testing.T) { "own": "", }, ArgList: []string{"own", "bus=system", "name=org.gnome.DisplayManager"}, - File: nil, + File: paths.New("dbus"), Raw: " #aa:dbus own bus=system name=org.gnome.DisplayManager", }, }, { name: "only", - file: nil, + file: paths.New("only"), match: []string{ " #aa:only opensuse", "only", @@ -50,7 +50,7 @@ func TestNewOption(t *testing.T) { Name: "only", ArgMap: map[string]string{"opensuse": ""}, ArgList: []string{"opensuse"}, - File: nil, + File: paths.New("only"), Raw: " #aa:only opensuse", }, }, @@ -74,13 +74,13 @@ func TestRun(t *testing.T) { }{ { name: "none", - file: nil, + file: paths.New("dummy"), profile: ` `, want: ` `, }, { name: "present", - file: nil, + file: paths.New("fake-own"), profile: ` #aa:dbus own bus=system name=org.freedesktop.systemd1`, want: dbusOwnSystemd1, }, diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index a1135d675..06fedffb5 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go 
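Review bot: The special case `if opt.Name == "lint" { continue }` is an undocumented magic string in the middle of the unknown-directive error path; presumably `#aa:lint` annotations are consumed by the separate linter (`just check`) rather than by the prebuild, but nothing here says so, and the next person to add a non-prebuild directive will copy the pattern. Either register a no-op `lint` directive so it flows through the normal `Directives` lookup, or name the exception with a comment: `// #aa:lint is consumed by the profile linter, not by prebuild — skip it here`. The enclosing loop in `Run` starts before the hunk.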
@@ -21,11 +21,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -var defaultInterfaces = []string{ - "org.freedesktop.DBus.Properties", - "org.freedesktop.DBus.ObjectManager", -} - type Dbus struct { prebuild.Base } @@ -38,20 +33,12 @@ func init() { Help: []string{ "own bus= name= [interface=AARE] [path=AARE]", "talk bus= name= label= [interface=AARE] [path=AARE]", + "common bus= name= label=", }, }}, ) } -func setInterfaces(rules map[string]string) []string { - interfaces := []string{rules["name"]} - if _, present := rules["interface"]; present { - interfaces = append(interfaces, rules["interface"]) - } - interfaces = append(interfaces, defaultInterfaces...) - return interfaces -} - func (d Dbus) Apply(opt *Option, profile string) (string, error) { var r aa.Rules @@ -64,6 +51,8 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { r = d.own(opt.ArgMap) case "talk": r = d.talk(opt.ArgMap) + case "common": + r = d.common(opt.ArgMap) } aa.IndentationLevel = strings.Count( 
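Review bot: The `Help` strings for `own` and `talk` still advertise only `[interface=AARE]`, but `getInterfaces` further down in this file now treats `interface=` as a replacement for the name-derived interface and reads a separate `interface+=` key to append one, so both the changed semantics and the new key are undocumented here. Suggested: `"own bus= name= [interface=AARE] [interface+=AARE] [path=AARE]"` and the corresponding line for `talk`. The new `"common bus= name= label="` entry would also benefit from a short comment on what `common` generates, since the name alone does not say it is the client-side Properties/Introspectable subset built by `common()`.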
@@ -72,94 +61,206 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { generatedDbus := r.String() lenDbus := len(generatedDbus) generatedDbus = generatedDbus[:lenDbus-1] - profile = strings.Replace(profile, opt.Raw, generatedDbus, -1) + profile = strings.ReplaceAll(profile, opt.Raw, generatedDbus) return profile, nil } func (d Dbus) sanityCheck(opt *Option) (string, error) { if len(opt.ArgList) < 1 { - return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) + return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) } action := opt.ArgList[0] - if action != "own" && action != "talk" { - return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) + if action != "own" && action != "talk" && action != "common" { + return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) } if _, present := opt.ArgMap["name"]; !present { - return "", fmt.Errorf("Missing name for 'dbus: %s' in %s", action, opt.File) + return "", fmt.Errorf("missing name for 'dbus: %s' in %s", action, opt.File) } if _, present := opt.ArgMap["bus"]; !present { - return "", fmt.Errorf("Missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) } if _, present := opt.ArgMap["label"]; !present && action == "talk" { - return "", fmt.Errorf("Missing label for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("missing label for '%s' in %s", opt.ArgMap["name"], opt.File) } // Set default values if _, present := opt.ArgMap["path"]; !present { - opt.ArgMap["path"] = "/" + strings.Replace(opt.ArgMap["name"], ".", "/", -1) + "{,/**}" + opt.ArgMap["path"] = "/" + strings.ReplaceAll(opt.ArgMap["name"], ".", "/") + "{,/**}" } opt.ArgMap["name"] += "{,.*}" return action, nil } +func getInterfaces(rules map[string]string) []string { + var interfaces []string + if _, present := rules["interface"]; present { + interfaces = 
[]string{rules["interface"]} + } else { + interfaces = []string{rules["name"]} + } + + if _, present := rules["interface+"]; present { + interfaces = append(interfaces, rules["interface+"]) + } + return interfaces +} + func (d Dbus) own(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) - res := aa.Rules{} - res = append(res, &aa.Dbus{ - Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], - }) - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `":1.@{int}"`, - }) + interfaces := getInterfaces(rules) + + res := aa.Rules{ + &aa.Include{ + IsMagic: true, Path: "abstractions/bus/own-" + rules["bus"], + }, + &aa.Dbus{ + Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], + }, } + + // Interfaces for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},org.freedesktop.DBus}"`, - }) + res = append(res, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"@{busname}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + ) } - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `":1.@{int}"`, - }) + + res = append(res, + // DBus.Properties + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + + // DBus.Introspectable + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: 
rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"@{busname}"`, + }, + + // DBus.ObjectManager + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + ) return res } func (d Dbus) talk(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) + interfaces := getInterfaces(rules) res := aa.Rules{} + + // Interfaces for _, iface := range interfaces { res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }) } - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], - }) + + res = append(res, + // DBus.Properties + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + + // DBus.Introspectable + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: 
rules["label"], + }, + + // DBus.ObjectManager + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + ) + return res +} + +func (d Dbus) common(rules map[string]string) aa.Rules { + res := aa.Rules{ + + // DBus.Properties: read all properties from the interface + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Properties: read all properties from the interface", + IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + nil, + + // DBus.Properties: receive property changed events + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Properties: receive property changed events", + IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "PropertiesChanged", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + nil, + + // DBus.Introspectable: allow clients to introspect the service + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Introspectable: allow clients to introspect the service", + IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, } return res } 
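Review bot: `sanityCheck` requires `label=` only when `action == "talk"`, yet the new `common` branch puts `rules["label"]` into every `PeerLabel` and the `Help` text lists `label=` as mandatory for `common`; with the label omitted the directive silently emits rules without a peer label, i.e. a broader rule than the profile author intended. The check should read `if _, present := opt.ArgMap["label"]; !present && (action == "talk" || action == "common") {`. For the same reason `bus` deserves validation in `sanityCheck`, because `own` now includes `abstractions/bus/own-<bus>` and an unexpected value only fails later at parse time. The `nil` entries in the `common` rule list look like blank-line separators and should say so in a comment.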
diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 65e55e785..0844fd745 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go 
@@ -8,29 +8,31 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*}, +const dbusOwnSystemd1 = ` include + + dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), + peer=(name="@{busname}"), dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),` + peer=(name="@{busname}"), + dbus receive bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.systemd1{,.*}}"), + dbus send bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"),` func TestDbus_Apply(t *testing.T) { tests := []struct { 
@@ -61,45 +63,47 @@ func TestDbus_Apply(t *testing.T) { opt: &Option{ Name: "dbus", ArgMap: map[string]string{ - "bus": "session", - "name": "com.rastersoft.dingextension", - "interface": "org.gtk.Actions", - "own": "", + "bus": "session", + "name": "com.rastersoft.ding", + "interface+": "org.gtk.Actions", + "own": "", }, - ArgList: []string{"own", "bus=session", "name=com.rastersoft.dingextension", "interface=org.gtk.Actions"}, + ArgList: []string{"own", "bus=session", "name=com.rastersoft.ding", "interface+=org.gtk.Actions"}, File: nil, - Raw: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", + Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, - profile: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", - want: ` dbus bind bus=session name=com.rastersoft.dingextension{,.*}, - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", + want: ` include + + dbus bind bus=session name=com.rastersoft.ding{,.*}, + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), - dbus send bus=session 
path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),`, + peer=(name="@{busname}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"),`, }, { name: "talk", 
@@ -116,24 +120,58 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus send bus=system path=/org/freedesktop/Accounts{,/**} + want: ` dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus send bus=system path=/org/freedesktop/Accounts{,/**} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - 
peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, + }, + { + name: "common", + opt: &Option{ + Name: "dbus", + ArgMap: map[string]string{ + "bus": "system", + "name": "net.hadess.PowerProfiles", + "label": "power-profiles-daemon", + "talk": "", + }, + ArgList: []string{"common", "bus=system", "name=net.hadess.PowerProfiles", "power-profiles-daemon"}, + File: nil, + Raw: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", + }, + profile: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", + want: ` # DBus.Properties: read all properties from the interface + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + + # DBus.Properties: receive property changed events + dbus receive bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + + # DBus.Introspectable: allow clients to introspect the service + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),`, }, } for _, tt := range tests { diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index 5aee73740..b348fb46b 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go 
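Review bot: The new `common` fixture is internally inconsistent: `ArgMap` carries `"talk": ""` rather than `"common": ""`, and `ArgList` holds the bare value `"power-profiles-daemon"` while `Raw` and `profile` say `label=power-profiles-daemon`. The test still passes because `sanityCheck` takes the action from `ArgList[0]` and the label from `ArgMap`, so it does not exercise what `NewOption` would produce for this `Raw` line. Suggested: `"common": "",` in `ArgMap` and `"label=power-profiles-daemon"` in `ArgList`.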
@@ -31,7 +31,7 @@ func init() { func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { if len(opt.ArgList) == 0 { - return "", fmt.Errorf("No profile to exec") + return "", fmt.Errorf("no profile to exec") } transition := "Px" transitions := []string{"P", "U", "p", "u", "PU", "pu"} @@ -70,5 +70,5 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules = rules.Sort() new := rules.String() new = new[:len(new)-1] - return strings.Replace(profileRaw, opt.Raw, new, -1), nil + return strings.ReplaceAll(profileRaw, opt.Raw, new), nil } diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go index 5581d7f2b..255d9a237 100644 --- a/pkg/prebuild/directive/exec_test.go +++ b/pkg/prebuild/directive/exec_test.go @@ -36,7 +36,7 @@ func TestExec_Apply(t *testing.T) { }, { name: "exec-unconfined", - rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"), + rootApparmord: paths.New("../../../apparmor.d/groups/polkit/"), opt: &Option{ Name: "exec", ArgMap: map[string]string{"U": "", "polkit-agent-helper": ""}, diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index 2fe46e6f2..b6ec56816 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -39,10 +39,18 @@ func init() { } func filterRuleForUs(opt *Option) bool { + if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true } + versionStr := fmt.Sprintf("apparmor%.1f", prebuild.Version) + if slices.Contains(opt.ArgList, versionStr) { + return true + } return slices.Contains(opt.ArgList, prebuild.Distribution) || slices.Contains(opt.ArgList, prebuild.Family) } 
@@ -55,7 +63,7 @@ func filter(only bool, opt *Option, profile string) (string, error) { } if opt.IsInline() { - profile = strings.Replace(profile, opt.Raw, "", -1) + profile = strings.ReplaceAll(profile, opt.Raw, "") } else { regRemoveParagraph := regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`) profile = regRemoveParagraph.ReplaceAllString(profile, "") diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index 03dd826e1..a43849228 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -40,7 +40,7 @@ func init() { func (s Stack) Apply(opt *Option, profile string) (string, error) { if len(opt.ArgList) == 0 { - return "", fmt.Errorf("No profile to stack") + return "", fmt.Errorf("no profile to stack") } t := opt.ArgList[0] if t != "X" { @@ -55,10 +55,13 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - stackedProfile := prebuild.RootApparmord.Join(name).MustReadFileAsString() + stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() + if err != nil { + return "", fmt.Errorf("%s need to stack: %w", name, err) + } m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { - return "", fmt.Errorf("No profile found in %s", name) + return "", fmt.Errorf("no profile found in %s", name) } stackedRules := m[1] stackedRules = regCleanStakedRules.Replace(stackedRules) 
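Review bot: The new error text `"%s need to stack: %w"` is hard to read in a build log; it names neither the operation that failed nor the profile the directive lives in. Suggested: `return "", fmt.Errorf("cannot read profile %s to stack into %s: %w", name, opt.File, err)`. Replacing `MustReadFileAsString` with the error-returning variant is the right call, since `name` comes from the directive arguments in the profile source. The loop body continues outside this hunk.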
@@ -68,9 +71,9 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { // Insert the stacked profile at the end of the current profile, remove the stack directive m := regEndOfRules.FindStringSubmatch(profile) if len(m) <= 1 { - return "", fmt.Errorf("No end of rules found in %s", opt.File) + return "", fmt.Errorf("no end of rules found in %s", opt.File) } - profile = strings.Replace(profile, m[0], res+m[0], -1) - profile = strings.Replace(profile, opt.Raw, "", -1) + profile = strings.ReplaceAll(profile, m[0], res+m[0]) + profile = strings.ReplaceAll(profile, opt.Raw, "") return profile, nil } diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index cd5958b72..37cbc69bc 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -8,7 +8,16 @@ import "github.com/roddhjav/apparmor.d/pkg/paths" var ( // AppArmor ABI version - ABI uint = 0 + ABI = 0 + + // AppArmor version + Version = 4.0 + + // Either or not RBAC is enabled + RBAC = false + + // Pkgname is the name of the package + Pkgname = "apparmor.d" // Root is the root directory for the build (default: .build) Root *paths.Path = paths.New(".build") diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index c14730960..504f05c1c 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go @@ -10,7 +10,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -// Default content of debian/apparmor.d.hide. Whonix has special addition. +// Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. var Hide = `# This file is generated by "make", all edit will be lost. /etc/apparmor.d/usr.bin.firefox @@ -55,7 +55,7 @@ type DebianHider struct { path *paths.Path } -// Initialize the file with content from Hide +// Init initializes the file with content from Hide func (d DebianHider) Init() error { return d.path.WriteFile([]byte(Hide)) } diff --git a/pkg/prebuild/os.go b/pkg/prebuild/os.go index 352f4e185..8ef8fb79e 100644 
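Review bot: Modelling the AppArmor version as the float `Version = 4.0` makes the comparisons this commit introduces (`prebuild.Version < 3.0`, `< 4.1` and `== 4.1` in prepare/configure.go, and `fmt.Sprintf("apparmor%.1f", prebuild.Version)` in directive/filter.go) depend on float formatting and equality, and cannot tell a hypothetical 4.10 from 4.1. A small comparable value (major and minor ints) keeps `<` and `==` exact and formats unambiguously. Dropping the annotation on `ABI` also changes its type from `uint` to `int`, which may affect callers that relied on it being unsigned and deserves a mention in the comment. `// Either or not RBAC is enabled` should read `// Whether or not RBAC is enabled`.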
--- a/pkg/prebuild/os.go +++ b/pkg/prebuild/os.go @@ -67,13 +67,13 @@ func getDistribution() string { if id == "ubuntu" { return id } - id_like := Release["ID_LIKE"] + idLike := Release["ID_LIKE"] for main, based := range supportedDists { - if main == id || main == id_like { + if main == id || main == idLike { return main } else if slices.Contains(based, id) { return main - } else if slices.Contains(based, id_like) { + } else if slices.Contains(based, idLike) { return main } } diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 4b8e11ec5..a6e954485 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -7,7 +7,6 @@ package prepare import ( "fmt" - "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -35,8 +34,8 @@ func (p Configure) Apply() ([]string, error) { return res, err } - if prebuild.ABI == 3 { - if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { + if prebuild.Version < 3.0 { + if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { return res, err } } 
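Review bot: `if prebuild.Version < 3.0` replaces `if prebuild.ABI == 3`, but with `Version` defaulting to `4.0` and ABI 3 being the policy ABI of the AppArmor 3.x releases, a version below 3.0 seems unlikely to be the intended trigger for copying the ubuntu directory; `< 4.0` looks like the condition that preserves the old behaviour. If `< 3.0` is deliberate, a comment naming the releases it targets would help. The enclosing switch starts and ends outside this hunk.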
@@ -46,14 +45,32 @@ func (p Configure) Apply() ([]string, error) { return res, err } - // Copy Debian specific abstractions - if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { - return res, err + if prebuild.Version < 4.1 { + // Copy Debian specific abstractions + if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { + return res, err + } } default: return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution) } + + if prebuild.Version == 4.1 { + // Remove files upstreamed in 4.1 + remove := []string{ + "abstractions/devices-usb-read", + "abstractions/devices-usb", + "abstractions/nameservice-strict", + "tunables/multiarch.d/base", + "wg", // Upstream version is identical + } + for _, name := range remove { + if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + return res, err + } + } + } return res, nil } diff --git a/pkg/prebuild/prepare/core.go b/pkg/prebuild/prepare/core.go index d96e21043..74d7778ed 100644 --- a/pkg/prebuild/prepare/core.go +++ b/pkg/prebuild/prepare/core.go @@ -18,7 +18,7 @@ var ( Tasks = map[string]Task{} ) -// Main directive interface +// Task main directive interface type Task interface { prebuild.BaseInterface Apply() ([]string, error) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index 1d38ca294..f8d3cb17f 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go 
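Review bot: `if prebuild.Version == 4.1` removes files that the comment says are upstreamed in 4.1, so any later version (4.2, 5.0) would ship the duplicates again; `>= 4.1` expresses the intent and mirrors the `< 4.1` guard just above. If the equality stays, a comment should say that the literal and the parsed value are expected to be the identical double. Whether `RemoveAll` tolerates an already absent entry is not visible here, so either document it or check `Exist()` first so reruns behave the same.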
@@ -5,11 +5,60 @@ package prepare import ( - "strings" + "regexp" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" +) + +var ( + tunables = map[string]string{ + // Set systemd profiles name + "sd": "sd", + "sdu": "sdu", + "systemd_user": "systemd-user", + "systemd": "systemd", + + // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they + "dbus_system": "dbus-system", + "dbus_session": "dbus-session", + + // Update name of stacked profiles + "apt_news": "", + "colord": "", + "e2scrub_all": "", + "e2scrub": "", + "fprintd": "", + "fwupd": "", + "fwupdmgr": "", + "geoclue": "", + "irqbalance": "", + "logrotate": "", + "ModemManager": "", + "nm_priv_helper": "", + "pcscd": "", + "polkitd": "", + "power_profiles_daemon": "", + "rsyslogd": "", + "systemd_coredump": "", + "systemd_homed": "", + "systemd_hostnamed": "", + "systemd_importd": "", + "systemd_initctl": "", + "systemd_journal_remote": "", + "systemd_journald": "", + "systemd_localed": "", + "systemd_logind": "", + "systemd_machined": "", + "systemd_networkd": "", + "systemd_oomd": "", + "systemd_resolved": "", + "systemd_rfkill": "", + "systemd_timedated": "", + "systemd_timesyncd": "", + "systemd_userdbd": "", + "upowerd": "", + } ) type FullSystemPolicy struct { 
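Review bot: The comment `// With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they` stops mid-sentence, so the reason the two dbus entries map to plain profile names is lost; finish it with the actual reason. The heading `// Update name of stacked profiles` over the empty-string entries does not say what `""` means; `// Empty value: @{p_<name>} is rewritten into its stacked forms in Apply` would make the map readable on its own. `tunables` is a package-level map mutated nowhere in this hunk, so a note that it is read-only would also help.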
@@ -29,30 +78,24 @@ func (p FullSystemPolicy) Apply() ([]string, error) { res := []string{} // Install full system policy profiles - if err := paths.CopyTo(paths.New("apparmor.d/groups/_full/"), prebuild.Root.Join("apparmor.d")); err != nil { + if err := paths.New("apparmor.d/groups/_full/").CopyFS(prebuild.Root.Join("apparmor.d")); err != nil { return res, err } - // Set systemd profile name - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + // Set profile name for FSP + path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err } - out = strings.Replace(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd", -1) - out = strings.Replace(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user", -1) - if err := path.WriteFile([]byte(out)); err != nil { - return res, err + for varname, profile := range tunables { + pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) + if profile == "" { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) + } else { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) + } } - - // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = prebuild.RootApparmord.Join("abstractions/gstreamer") - out, err = path.ReadFileAsString() - if err != nil { - return res, err - } - regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) - out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index 6f8951161..d974b26e4 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/prebuild/prepare/overwrite.go 
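Review bot: The `for varname, profile := range tunables` loop rewrites `tunables/multiarch.d/profiles` in Go map order, which is randomised; the output is deterministic only because each pattern anchors on its own `@{p_<varname>}=` key, and that invariant deserves a comment such as `// Map order is irrelevant: each pattern matches exactly one @{p_*} assignment.` The loop also never reports a key that matched nothing, so a typo in `tunables` silently leaves the variable at its default; comparing the text before and after `ReplaceAllString` (or counting matches) would catch it. `Apply` continues outside this hunk.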
@@ -11,11 +11,11 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -const ext = ".apparmor.d" +var ext = "." + prebuild.Pkgname type Overwrite struct { prebuild.Base - OneFile bool + Optional bool } func init() { @@ -24,7 +24,7 @@ func init() { Keyword: "overwrite", Msg: "Overwrite dummy upstream profiles", }, - OneFile: false, + Optional: false, }) } @@ -46,12 +46,13 @@ func (p Overwrite) Apply() ([]string, error) { for _, name := range path.MustReadFilteredFileAsLines() { origin := prebuild.RootApparmord.Join(name) dest := prebuild.RootApparmord.Join(name + ext) - if !dest.Exist() && p.OneFile { + if !dest.Exist() && p.Optional { continue } - if err := origin.Rename(dest); err != nil { - - return res, err + if origin.Exist() { + if err := origin.Rename(dest); err != nil { + return res, err + } } originRel, err := origin.RelFrom(dest) if err != nil { diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index b272388c7..b6c2dbf5b 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go @@ -11,7 +11,7 @@ import ( type Synchronise struct { prebuild.Base - Path string + Paths []string // File or directory to sync into the build directory. } func init() { 
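Review bot: With `if origin.Exist()` guarding only the rename, a missing `origin` no longer returns an error but falls through to `origin.RelFrom(dest)` and whatever follows the hunk, which presumably creates the `name` entry pointing at a file that does not exist. If absent upstream profiles are meant to be tolerated, `continue` after the `Exist` check (mirroring the `Optional` branch) is the safer shape; otherwise keep returning the error. The rest of the loop body is outside this hunk.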
@@ -20,38 +20,39 @@ func init() { Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, - Path: "", + Paths: []string{"apparmor.d", "share"}, }) } func (p Synchronise) Apply() ([]string, error) { res := []string{} - dirs := paths.PathList{prebuild.RootApparmord, prebuild.Root.Join("share"), prebuild.Root.Join("systemd")} - for _, dir := range dirs { - if err := dir.RemoveAll(); err != nil { + if err := prebuild.Root.Join("systemd").RemoveAll(); err != nil { + return res, err + } + if err := prebuild.RootApparmord.RemoveAll(); err != nil { + return res, err + } + + for _, name := range p.Paths { + src := paths.New(name) + dst := prebuild.Root.Join(name) + if err := dst.RemoveAll(); err != nil { return res, err } - } - if p.Path == "" { - for _, name := range []string{"apparmor.d", "share"} { - if err := paths.CopyTo(paths.New(name), prebuild.Root.Join(name)); err != nil { + + if src.IsDir() { + if err := src.CopyFS(dst); err != nil { + return res, err + } + } else { + if err := dst.Parent().MkdirAll(); err != nil { + return res, err + } + if err := src.CopyTo(dst); err != nil { return res, err } } - } else { - file := paths.New(p.Path) - destination, err := file.RelFrom(paths.New("apparmor.d")) - if err != nil { - return res, err - } - destination = prebuild.RootApparmord.JoinPath(destination) - if err := destination.Parent().MkdirAll(); err != nil { - return res, err - } - if err := file.CopyTo(destination); err != nil { - return res, err - } - res = append(res, destination.String()) + res = append(res, dst.String()) } return res, nil } diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8 index 42c9a3560..62f40966e 100644 --- a/share/man/man8/aa-log.8 +++ b/share/man/man8/aa-log.8 
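Review bot: `dst := prebuild.Root.Join(name)` followed by `dst.RemoveAll()` performs a recursive delete on a path derived from `p.Paths`, which cli.go fills from the user-supplied `file` argument; unless `Join` normalises `..` away (not visible here), a relative path with parent components would delete outside the build root. The old code anchored the destination with `file.RelFrom(paths.New("apparmor.d"))`; the new code should reject any `name` whose cleaned destination escapes `Root`, e.g. check `filepath.Rel(prebuild.Root.String(), dst.String())` and refuse results beginning with `..`. Note also the semantic change that `name` is now copied to `Root/name`, so a path not relative to the repository root no longer lands under `RootApparmord` as before. `Apply` is fully inside the hunk.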
@@ -1,10 +1,10 @@ -.\" Automatically generated by Pandoc 3.1.9 +.\" Automatically generated by Pandoc 3.1.12.1 .\" -.TH "aa-log" "8" "September 2024" "" "" +.TH "aa\-log" "8" "September 2024" "" "" .SH NAME -aa-log \[em] Review AppArmor generated messages in a colorful way. +aa\-log \[em] Review AppArmor generated messages in a colorful way. .SH SYNOPSIS -\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .SH DESCRIPTION Review AppArmor generated messages in a colourful way. Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R] 
@@ -13,48 +13,48 @@ as well as \f[I]dbus session\f[R] events. It can be given an optional profile name to filter the output with. .PP It can be used to generate AppArmor rules from the logs and it therefore -an alternative to \f[CR]aa-logprof(8)\f[R]. +an alternative to \f[CR]aa\-logprof(8)\f[R]. The generated rules should be manually reviewed and inserted into the profile. .PP Default logs are read from \f[CR]/var/log/audit/audit.log\f[R]. Other files in \f[CR]/var/log/audit/\f[R] can easily be checked: -\f[B]aa-log -f 1\f[R] parses \f[CR]audit.log.1\f[R] +\f[B]aa\-log \-f 1\f[R] parses \f[CR]audit.log.1\f[R] .SH OPTIONS -\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .TP [\f[I]profile\f[R]] Optional profile name to filter the output with. .TP -\f[CR]--file\f[R], \f[CR]-f\f[R] +\f[CR]\-\-file\f[R], \f[CR]\-f\f[R] Set a logfile or a suffix to the default log file. .TP -\f[CR]--systemd\f[R], \f[CR]-s\f[R] +\f[CR]\-\-systemd\f[R], \f[CR]\-s\f[R] Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. .TP -\f[CR]--rules\f[R], \f[CR]-r\f[R] +\f[CR]\-\-rules\f[R], \f[CR]\-r\f[R] Convert the log into AppArmor rules. .TP -\f[CR]--raw\f[R], \f[CR]-R\f[R] +\f[CR]\-\-raw\f[R], \f[CR]\-R\f[R] Print the raw log without any formatting. Useful for reporting logs. .TP -\f[CR]--help\f[R], \f[CR]-h\f[R] +\f[CR]\-\-help\f[R], \f[CR]\-h\f[R] Print the program usage. 
.SH USAGE To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]: .IP .EX -aa-log +aa\-log .EE .PP To optionally filter a given profile name: -\f[CR]aa-log \f[R] (your shell will autocomplete the +\f[CR]aa\-log \f[R] (your shell will autocomplete the profile name): .IP .EX -$ aa-log dnsmasq +$ aa\-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r @@ -63,7 +63,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r To generate AppArmor rule: .IP .EX -$ aa-log -r dnsmasq +$ aa\-log \-r dnsmasq profile dnsmasq { \[at]{PROC}/\[at]{pid}/environ r, \[at]{PROC}/cmdline r, @@ -71,9 +71,9 @@ profile dnsmasq { } .EE .SH SEE ALSO -\f[CR]aa-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], -\f[CR]apparmor.d(5)\f[R], \f[CR]aa-genprof(1)\f[R], -\f[CR]aa-enforce(1)\f[R], \f[CR]aa-complain(1)\f[R], -\f[CR]aa-disable(1)\f[R], and https://apparmor.pujol.io. +\f[CR]aa\-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], +\f[CR]apparmor.d(5)\f[R], \f[CR]aa\-genprof(1)\f[R], +\f[CR]aa\-enforce(1)\f[R], \f[CR]aa\-complain(1)\f[R], +\f[CR]aa\-disable(1)\f[R], and https://apparmor.pujol.io. .SH AUTHORS -aa-log was written by Alexandre Pujol (alexandre\[at]pujol.io). +aa\-log was written by Alexandre Pujol (alexandre\[at]pujol.io). diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service index 03d352890..2d1593f19 100644 --- a/systemd/full/system/ModemManager.service +++ b/systemd/full/system/ModemManager.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&ModemManager diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service new file mode 100644 index 000000000..73bbc99d8 --- /dev/null 
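Review bot: The `&` in `AppArmorProfile=&ModemManager` is not systemd syntax for `AppArmorProfile=`, so it is presumably rewritten by the prebuild, but nothing in the drop-in says so; the same form recurs in every `systemd/full/{system,user}` unit touched by this commit, while a subset (`debug-shell.service`, `dmesg.service`, `grub-common.service`, `ldconfig.service`, `man-db.service`, `secureboot-db.service`, `snapd.system-shutdown.service`, `system-update-cleanup.service`, `usb_modeswitch@.service`) uses a bare profile name. A comment in this first drop-in, e.g. `# "&name" is expanded by the prebuild to the profile shipped by this package; a bare name refers to the profile as named here.`, or a short README under `systemd/full/`, would make the asymmetry checkable and let the linter verify the referenced profile exists. Note also that `AppArmorProfile=` without a leading `-` makes the unit fail to start when the profile is not loaded (a fail-closed choice worth stating), and that these drop-ins no longer clear `NoNewPrivileges`; if an upstream unit sets `NoNewPrivileges=yes`, confirm the requested transition still succeeds under it.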
+++ b/systemd/full/system/apport-coredump-hook@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apport \ No newline at end of file diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service new file mode 100644 index 000000000..d7bf885dd --- /dev/null +++ b/systemd/full/system/apt-news.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apt_news diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service index 03d352890..b88768556 100644 --- a/systemd/full/system/archlinux-keyring-wkd-sync.service +++ b/systemd/full/system/archlinux-keyring-wkd-sync.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&archlinux-keyring-wkd-sync diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service index 03d352890..5cccff422 100644 --- a/systemd/full/system/bluetooth.service +++ b/systemd/full/system/bluetooth.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&bluetoothd \ No newline at end of file diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service new file mode 100644 index 000000000..a2a121fc3 --- /dev/null +++ b/systemd/full/system/cloud-init-hotplugd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&cloud-init-hotplugd.service diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service new file mode 100644 index 000000000..9a64fbc26 --- /dev/null +++ b/systemd/full/system/colord.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&colord diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/dbus-org.freedesktop.hostname1.service +++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service 
@@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service index 03d352890..0ab519541 100644 --- a/systemd/full/system/dbus-org.freedesktop.import1.service +++ b/systemd/full/system/dbus-org.freedesktop.import1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-importd \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service index 03d352890..276595080 100644 --- a/systemd/full/system/dbus-org.freedesktop.locale1.service +++ b/systemd/full/system/dbus-org.freedesktop.locale1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service index 03d352890..c5728915c 100644 --- a/systemd/full/system/dbus-org.freedesktop.login1.service +++ b/systemd/full/system/dbus-org.freedesktop.login1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/dbus-org.freedesktop.machine1.service +++ b/systemd/full/system/dbus-org.freedesktop.machine1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file 
diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service index 03d352890..ab04c5a45 100644 --- a/systemd/full/system/dbus-org.freedesktop.timedate1.service +++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated \ No newline at end of file diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service new file mode 100644 index 000000000..f895f7941 --- /dev/null +++ b/systemd/full/system/debug-shell.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=debug-shell.service \ No newline at end of file diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service new file mode 100644 index 000000000..d4647117b --- /dev/null +++ b/systemd/full/system/dmesg.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=dmesg.service \ No newline at end of file diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service index 03d352890..7340b7610 100644 --- a/systemd/full/system/e2scrub@.service +++ b/systemd/full/system/e2scrub@.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub \ No newline at end of file diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service index 03d352890..b903d2f0a 100644 --- a/systemd/full/system/e2scrub_reap.service +++ b/systemd/full/system/e2scrub_reap.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub_all \ No newline at end of file diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service index 03d352890..5f1f063fa 100644 --- a/systemd/full/system/fprintd.service +++ b/systemd/full/system/fprintd.service 
@@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&fprintd \ No newline at end of file diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service index fa215b3f0..acd28a5a4 100644 --- a/systemd/full/system/fwupd-refresh.service +++ b/systemd/full/system/fwupd-refresh.service @@ -1,4 +1,2 @@ [Service] -ProtectKernelModules=no -RestrictRealtime=no -ProtectKernelModules=no +AppArmorProfile=&fwupdmgr \ No newline at end of file diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service new file mode 100644 index 000000000..5054a73d6 --- /dev/null +++ b/systemd/full/system/fwupd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&fwupd \ No newline at end of file diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service index 4ba897659..2c10e32f5 100644 --- a/systemd/full/system/geoclue.service +++ b/systemd/full/system/geoclue.service @@ -1,6 +1,2 @@ [Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -ProtectKernelTunables=no -ProtectKernelModules=no -RestrictRealtime=no +AppArmorProfile=&geoclue \ No newline at end of file diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service new file mode 100644 index 000000000..8520aea76 --- /dev/null +++ b/systemd/full/system/grub-common.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=grub-common.service \ No newline at end of file diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service index 03d352890..eab67fa44 100644 --- a/systemd/full/system/irqbalance.service +++ b/systemd/full/system/irqbalance.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&irqbalance \ No newline at end of file diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service new file mode 100644 index 000000000..1b2a9c287 --- /dev/null 
+++ b/systemd/full/system/ldconfig.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=ldconfig.service \ No newline at end of file diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service new file mode 100644 index 000000000..bc984e025 --- /dev/null +++ b/systemd/full/system/logrotate.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&logrotate \ No newline at end of file diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service deleted file mode 100644 index dabf76f3a..000000000 --- a/systemd/full/system/low-memory-monitor.service +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -NoNewPrivileges=no - diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service new file mode 100644 index 000000000..d3a78dd80 --- /dev/null +++ b/systemd/full/system/man-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=man-db.service \ No newline at end of file diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service index 03d352890..53f99edd0 100644 --- a/systemd/full/system/nm-priv-helper.service +++ b/systemd/full/system/nm-priv-helper.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&nm-priv-helper diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/paccache.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/passim.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service new file mode 100644 index 000000000..8d39f3f26 --- /dev/null 
+++ b/systemd/full/system/pcscd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pcscd diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service index 03d352890..b21a28baa 100644 --- a/systemd/full/system/polkit.service +++ b/systemd/full/system/polkit.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&polkitd diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service new file mode 100644 index 000000000..45c5ed93b --- /dev/null +++ b/systemd/full/system/power-profiles-daemon.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&power-profiles-daemon \ No newline at end of file diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/reflector.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service index 03d352890..c52a85d0c 100644 --- a/systemd/full/system/rngd.service +++ b/systemd/full/system/rngd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&rngd diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service new file mode 100644 index 000000000..6b49a73f0 --- /dev/null +++ b/systemd/full/system/rsyslog.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&rsyslogd diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service new file mode 100644 index 000000000..722781b8a --- /dev/null +++ b/systemd/full/system/secureboot-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=secureboot-db.service diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service index dabf76f3a..52d2f644c 100644 --- a/systemd/full/system/shadow.service 
+++ b/systemd/full/system/shadow.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no - +AppArmorProfile=&shadow.service diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service new file mode 100644 index 000000000..7953d522a --- /dev/null +++ b/systemd/full/system/snapd.system-shutdown.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=snapd.system-shutdown.service \ No newline at end of file diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service new file mode 100644 index 000000000..24c914f77 --- /dev/null +++ b/systemd/full/system/system-update-cleanup.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=system-update-cleanup.service \ No newline at end of file diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service new file mode 100644 index 000000000..d13624709 --- /dev/null +++ b/systemd/full/system/systemd-coredump@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-coredump diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service index 03d352890..65d4ae62e 100644 --- a/systemd/full/system/systemd-homed.service +++ b/systemd/full/system/systemd-homed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-homed diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/systemd-hostnamed.service +++ b/systemd/full/system/systemd-hostnamed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service new file mode 100644 index 000000000..e44c8767f --- /dev/null 
+++ b/systemd/full/system/systemd-initctl.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-initctl \ No newline at end of file diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service new file mode 100644 index 000000000..e08cf75a9 --- /dev/null +++ b/systemd/full/system/systemd-journal-remote.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-journal-remote \ No newline at end of file diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald.service +++ b/systemd/full/system/systemd-journald.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald@.service +++ b/systemd/full/system/systemd-journald@.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service index 03d352890..276595080 100644 --- a/systemd/full/system/systemd-localed.service +++ b/systemd/full/system/systemd-localed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service index 0316a67c8..c5728915c 100644 --- a/systemd/full/system/systemd-logind.service +++ b/systemd/full/system/systemd-logind.service 
@@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/systemd-machined.service +++ b/systemd/full/system/systemd-machined.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service index 03d352890..3f4b60849 100644 --- a/systemd/full/system/systemd-networkd.service +++ b/systemd/full/system/systemd-networkd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-networkd diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service new file mode 100644 index 000000000..2dc668b80 --- /dev/null +++ b/systemd/full/system/systemd-nsresourced.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-nsresourced diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service new file mode 100644 index 000000000..c384626ee --- /dev/null +++ b/systemd/full/system/systemd-oomd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-oomd diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service index 03d352890..fd36871e4 100644 --- a/systemd/full/system/systemd-resolved.service +++ b/systemd/full/system/systemd-resolved.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-resolved diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service new file mode 100644 index 000000000..4abf222d5 --- /dev/null +++ b/systemd/full/system/systemd-rfkill.service 
@@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-rfkill diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service index 03d352890..78dd0193d 100644 --- a/systemd/full/system/systemd-timedated.service +++ b/systemd/full/system/systemd-timedated.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service new file mode 100644 index 000000000..0cd6fefbf --- /dev/null +++ b/systemd/full/system/systemd-timesyncd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-timesyncd diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service index 03d352890..d3771658d 100644 --- a/systemd/full/system/systemd-userdbd.service +++ b/systemd/full/system/systemd-userdbd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-userdbd diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service index 03d352890..082e8f0fa 100644 --- a/systemd/full/system/upower.service +++ b/systemd/full/system/upower.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&upowerd diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service new file mode 100644 index 000000000..0eca1db25 --- /dev/null +++ b/systemd/full/system/usb_modeswitch@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=usb_modeswitch.service \ No newline at end of file diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/filter-chain.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file 
diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service deleted file mode 100644 index c392e82fe..000000000 --- a/systemd/full/user/pipewire-media-session.service +++ /dev/null @@ -1,5 +0,0 @@ -[Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -LockPersonality=no -RestrictNamespaces=no diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service new file mode 100644 index 000000000..1d35a493e --- /dev/null +++ b/systemd/full/user/pipewire-pulse.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire-pulse \ No newline at end of file diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/pipewire.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file diff --git a/tests/Makefile b/tests/Makefile deleted file mode 100644 index 8bf5f6182..000000000 --- a/tests/Makefile +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Usage: -# make archlinux flavor=gnome -# vagrant up arch-gnome -# vagrant ssh archl-gnome - -# Build variables -flavor ?= -disk ?= 10G - -VERSION := 0.$(shell git rev-list --count HEAD) -BASE = archlinux debian ubuntu opensuse fedora - -.PHONY: ${BASE} lint - -$(BASE): - @make --directory=../ package dist=${@} - @packer build -force -var version=${VERSION} \ - -var disk_size=${disk} -var flavor="${flavor}" \ - -only=qemu.${@} packer/ - -lint: - @packer fmt --check packer/ - @packer validate --syntax-only packer/ diff --git a/tests/Vagrantfile b/tests/Vagrantfile deleted file mode 100644 index 4bdaac985..000000000 --- a/tests/Vagrantfile +++ /dev/null 
@@ -1,62 +0,0 @@ -# -*- mode: ruby -*- -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -require 'yaml' - -machines = YAML.load_file(File.join(File.dirname(__FILE__), 'boxes.yml')) -default = machines['defaults'] - -Vagrant.require_version '>= 2.0.0' - -Vagrant.configure("2") do |config| - - config.ssh.keys_only = true - config.ssh.insert_key = false - config.ssh.private_key_path = [ '~/.ssh/id_ed25519' ] - config.ssh.username = 'user' - - machines['boxes'].each do |instance| - - # Configure the VMs per details in boxes.yml - config.vm.define instance['name'] do |srv| - srv.vm.box = instance['box'] - srv.vm.box_check_update = false - srv.vm.post_up_message = instance.to_yaml - srv.vm.synced_folder '.', '/vagrant', disabled: true - if !ENV['AA_INTEGRATION'] - srv.vm.synced_folder '../', '/home/user/Projects/apparmor.d', type: 'virtiofs', mount: false - end - - # Configure Libvirt provider - srv.vm.provider 'libvirt' do |libvirt| - libvirt.driver = 'kvm' - libvirt.default_prefix = 'aa-' - libvirt.connect_via_ssh = false - libvirt.storage_pool_name = 'ssd' - libvirt.memory = instance.fetch('ram', default['ram']) - libvirt.cpus = instance.fetch('cpu', default['cpu']) - libvirt.cpu_mode = 'host-passthrough' - libvirt.machine_type = 'q35' - libvirt.video_type = 'virtio' - libvirt.graphics_type = 'spice' - libvirt.sound_type = 'ich9' - libvirt.tpm_model = 'tpm-crb' - libvirt.tpm_type = 'emulator' - libvirt.tpm_version = '2.0' - libvirt.random model: 'random' - libvirt.memorybacking 'source', type: 'memfd' - libvirt.memorybacking 'access', mode: 'shared' - libvirt.channel type: 'unix', target_name: 'org.qemu.guest_agent.0', target_type: 'virtio' - (1..2).each do - libvirt.redirdev :type => "spicevmc" - end - if instance.fetch('uefi', default['uefi']) - libvirt.loader = '/usr/share/edk2/x64/OVMF_CODE.fd' - end - end - - end - end -end 
diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats deleted file mode 100644 index a9f5a6978..000000000 --- a/tests/bats/chsh.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "chsh: [l]ist available shells" { - chsh --list-shells || true -} - -@test "chsh: Set a specific login [s]hell for the current user" { - echo "$PASSWORD" | chsh --shell /usr/bin/bash -} - -# bats test_tags=chsh -@test "chsh: Set a login [s]hell for a specific user" { - sudo chsh --shell /usr/bin/sh root -} diff --git a/tests/bats/flatpak.bats b/tests/bats/flatpak.bats deleted file mode 100644 index e549e01ad..000000000 --- a/tests/bats/flatpak.bats +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "flatpak: List installed applications, ignoring runtimes" { - flatpak list --app -} - -@test "flatpak: Install an application from a remote source" { - flatpak install --noninteractive org.vim.Vim -} - -@test "flatpak: Show information about an installed application" { - flatpak info org.vim.Vim -} - -@test "flatpak: Run an installed application" { - flatpak run org.vim.Vim -} - -@test "flatpak: Update all installed applications and runtimes" { - flatpak update --noninteractive -} - -@test "flatpak: Remove an installed application" { - flatpak remove --noninteractive org.vim.Vim -} - -@test "flatpak: Remove all unused applications" { - flatpak remove --unused -} diff --git a/tests/boxes.yml b/tests/boxes.yml deleted file mode 100644 index ef037e07f..000000000 --- a/tests/boxes.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- - -defaults: - uefi: true - ram: '4096' - cpu: '6' - -boxes: - - name: arch-gnome - box: aa-archlinux-gnome - uefi: false - - - name: arch-kde - box: aa-archlinux-kde - uefi: false - - - name: arch-xfce - box: aa-archlinux-xfce - uefi: false - - - name: arch-cosmic - box: aa-archlinux-cosmic - uefi: false - - - name: arch-server - box: aa-archlinux-server - uefi: false - - - name: ubuntu-desktop - box: aa-ubuntu-desktop - - - name: ubuntu-desktop24 - box: aa-ubuntu-desktop24 - - - name: ubuntu-server - box: aa-ubuntu-server - - - name: ubuntu-server24 - box: aa-ubuntu-server24 - - - name: debian-server - box: aa-debian-server - - - name: debian-gnome - box: aa-debian-gnome - - - name: debian-kde - box: aa-debian-kde - - - name: opensuse-kde - box: aa-opensuse-kde diff --git a/tests/check.sh b/tests/check.sh index 3ddda9827..9bafd5104 100644 --- a/tests/check.sh +++ b/tests/check.sh 
@@ -1,174 +1,601 @@ #!/usr/bin/env bash # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make check +# Usage: just check # shellcheck disable=SC2044 set -eu -o pipefail -readonly APPARMORD="apparmor.d" +RES=$(mktemp) +echo "false" >"$RES" +MAX_JOBS=$(nproc) +declare WITH_CHECK +declare _check_is_disabled +readonly RES MAX_JOBS APPARMORD="apparmor.d" +readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" +_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } +_warn() { + local name="$1" file="$2" + shift 2 + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" +} +_err() { + local name="$1" file="$2" + shift 2 + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" + echo "true" >"$RES" +} + +_in_array() { + local item needle="$1" + shift + for item in "$@"; do + if [[ "${item}" == "${needle}" ]]; then + return 0 + fi + done + return 1 +} + +_is_enabled() { + local check="$1" + if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then + return 0 + fi + if _in_array "$check" "${_check_is_disabled[@]}"; then + return 1 + fi + return 0 + fi + return 1 +} + +_wait() { + local -n job=$1 + job=$((job + 1)) + if ((job >= MAX_JOBS)); then + wait -n + job=$((job - 1)) + fi +} + +_IGNORE_LINT_BLOCK=false +readonly _IGNORE_LINT="#aa:lint ignore" +_ignore_lint() { + local checks line="$1" + + if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then + # Start of an ignore block + _IGNORE_LINT_BLOCK=true + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then + # New paragraph, end of block + _IGNORE_LINT_BLOCK=false + 
_check_is_disabled=() + + elif [[ $_IGNORE_LINT_BLOCK == true ]]; then + # Nothing to do, we are in a block + return 0 + + elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then + # Inline ignore + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + else + _check_is_disabled=() + fi +} + +_check() { + local file="$1" + local line_number=0 + + while IFS= read -r line; do + line_number=$((line_number + 1)) + _ignore_lint "$line" + + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header + fi + _check_tabs + _check_trailing + _check_indentation + _check_vim + _check_udev + + # The following checks do not apply to commented lines + [[ "$line" =~ ^[[:space:]]*# ]] && continue + if [[ "$line" =~ ,[[:space:]]*# ]]; then + line="${line%%#*}" + fi + + # Rules checks + _check_abstractions + _check_directory_mark + _check_equivalent + _check_too_wide + _check_transition + _check_useless + _check_tunables + + # Guidelines check + _check_abi + _check_include + _check_profile + _check_subprofiles + + done <"$file" + + # Results + _res_abi + _res_include + _res_profile + _res_subprofiles + _res_header + _res_vim +} + +# Rules checks: security, compatibility, and rule issues + +readonly ABS="abstractions" +readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) +declare -A ABS_DEPRECATED=( + ["nameservice"]="nameservice-strict" + ["bash"]="shell" + ["X"]="X-strict" + ["dbus-accessibility-strict"]="bus-accessibility" + ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" + ["dbus-session-strict"]="bus-session" + ["dbus-system-strict"]="bus-system" + ["gnome"]="gnome-strict" + ["kde"]="kde-strict" +) +_check_abstractions() { + _is_enabled abstractions || return 0 + + local absname + for absname in "${ABS_DANGEROUS[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + fi + done + for absname in 
"${!ABS_DEPRECATED[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + fi + done +} + +readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') +_check_directory_mark() { + _is_enabled directory-mark || return 0 + for pattern in "${DIRECTORIES[@]}"; do + if [[ "$line" == *"$pattern"* ]]; then + [[ "$line" == *'='* ]] && continue + if [[ ! "$line" == *"$pattern/"* ]]; then + _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + fi + fi + done +} + +declare -A EQUIVALENTS=( + ["awk"]="{m,g,}awk" + ["gawk"]="{m,g,}awk" + ["grep"]="{,e}grep" + ["which"]="which{,.debianutils}" +) +_check_equivalent() { + _is_enabled equivalent || return 0 + local prgmname + for prgmname in "${!EQUIVALENTS[@]}"; do + if [[ "$line" == *"/$prgmname "* ]]; then + if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then + _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + fi + fi + done +} + +readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') +_check_too_wide() { + _is_enabled too-wide || return 0 + for pattern in "${TOOWIDE[@]}"; do + if [[ "$line" == *" $pattern "* ]]; then + _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" + fi + done +} + +readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' + chgrp chmod chown cp find head install link ln ls mkdir mktemp mv rm rmdir + sed shred stat tail tee test timeout touch truncate unlink +) +readonly TRANSITION_MUST_PC=( # Must transition to 'Px' + ischroot who +) +readonly TRANSITION_MUST_C=( # Must transition to 'Cx' + sysctl kmod pgrep pkexec sudo systemctl udevadm + fusermount fusermount3 fusermount{,3} + nvim vim sensible-editor +) 
+_check_transition() { + _is_enabled transition || return 0 + for prgmname in "${!TRANSITION_MUST_CI[@]}"; do + if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + _err transition "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_PC[@]}"; do + if [[ "$line" =~ "/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + _err transition "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_C[@]}"; do + if [[ "$line" =~ "/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + _warn transition "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" + fi + done +} + +readonly USELESS=( + 'ptrace readby' + '/usr/share/locale/' + '@{sys}/devices/system/cpu/online' + '@{sys}/devices/system/cpu/possible' + '@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size' + '@{PROC}/@{pid}/auxv' '@{PROC}/@{pid}/maps' '@{PROC}/@{pid}/status' '@{PROC}/cpuinfo' + '@{PROC}/filesystems' '@{PROC}/meminfo' '@{PROC}/stat' + '@{PROC}/sys/kernel/cap_last_cap' '@{PROC}/sys/kernel/ngroups_max' + '@{PROC}/sys/kernel/version' '@{PROC}/sys/vm/overcommit_memory' + '/dev/full' '/dev/zero' +) +_check_useless() { + _is_enabled useless || return 0 + for rule in "${!USELESS[@]}"; do + if [[ "$line" == *"${USELESS[$rule]}"* ]]; then + _err useless "$file:$line_number" "rule already included in the base abstraction, remove it" + fi + done +} + +declare -A TUNABLES=( + # User variables + ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}" + 
["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}" + ["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}" + ["/home/[^/]+/"]="@{HOME}/" + + # System variables + ["/usr/lib(|32|64|exec)"]='@{lib}' + ["/usr/sbin"]='@{sbin}' + ["/usr/bin"]='@{bin}' + ["(x86_64|amd64|i386|i686)"]='@{arch}' + ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' + ["/usr/etc/"]='@{etc_ro}/' + ["/boot/(|efi/)"]="@{efi}/" + ["/efi/"]="@{efi}/" + ["/var/run/"]='@{run}/' + ["/run/"]='@{run}/' + ["user/[0-9]*/"]='user/@{uid}/' + ["/tmp/user/[^/]+/"]='@{tmp}/' + ["/sys/"]='@{sys}/' + ["/proc/"]='@{PROC}/' + ["1000"]="@{uid}" + + # Some system glob + [":not.active.yet"]="@{busname}" + [":1.[0-9]*"]="@{busname}" + ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" + ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" +) +_check_tunables() { + _is_enabled tunables || return 0 + for pattern in "${!TUNABLES[@]}"; do + rpattern="$pattern" + [[ "$rpattern" == /* ]] && rpattern=" $rpattern" + if [[ "$line" =~ $rpattern ]]; then + match="${BASH_REMATCH[0]}" + _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" + fi + done +} + +# Guidelines check: https://apparmor.pujol.io/development/guidelines/ + +RES_ABI=false +readonly ABI_SYNTAX='abi ,' +_check_abi() { + _is_enabled abi || return 0 + if [[ "$line" == *"$ABI_SYNTAX" ]]; then + RES_ABI=true + fi +} +_res_abi() { + _is_enabled abi || return 0 + if ! $RES_ABI; then + _err abi "$file" "missing 'abi ,'" + fi +} + +RES_INCLUDE=false +_check_include() { + _is_enabled include || return 0 + if [[ "$line" == *"${include}"* ]]; then + RES_INCLUDE=true + fi +} +_res_include() { + _is_enabled include || return 0 + if ! 
$RES_INCLUDE; then + _err include "$file" "missing '$include'" + fi +} + +RES_PROFILE=false +_check_profile() { + _is_enabled profile || return 0 + if [[ "$line" =~ ^"profile $name" ]]; then + RES_PROFILE=true + fi +} +_res_profile() { + _is_enabled profile || return 0 + if ! $RES_PROFILE; then + _err profile "$file" "missing profile name: 'profile $name'" + fi +} + +# Style check + readonly HEADERS=( "# apparmor.d - Full set of apparmor profiles" "# Copyright (C) " "# SPDX-License-Identifier: GPL-2.0-only" ) - -_die() { - echo -e "\033[1;31m ✗ Error: \033[0m$*" - exit 1 -} - -_ensure_header() { - local file="$1" - for header in "${HEADERS[@]}"; do - if ! grep -q "^$header" "$file"; then - _die "$file does not contain '$header'" +_RES_HEADER=(false false false) +_check_header() { + _is_enabled header || return 0 + for idx in "${!HEADERS[@]}"; do + if [[ "$line" == "${HEADERS[$idx]}"* ]]; then + _RES_HEADER[idx]=true + break fi done } - -_ensure_indentation() { - local file="$1" - local in_profile=false - local first_line_after_profile=true - local line_number=0 - - while IFS= read -r line; do - line_number=$((line_number + 1)) - - if [[ "$line" =~ $'\t' ]]; then - _die "$file:$line_number: tabs are not allowed." +_res_header() { + _is_enabled header || return 0 + for idx in "${!_RES_HEADER[@]}"; do + if ${_RES_HEADER[$idx]}; then + continue fi + _err header "$file" "missing header: '${HEADERS[$idx]}'" + done +} - if [[ "$line" =~ ^profile ]]; then - in_profile=true - first_line_after_profile=true +_check_tabs() { + _is_enabled tabs || return 0 + if [[ "$line" =~ $'\t' ]]; then + _err tabs "$file:$line_number" "tabs are not allowed" + fi +} - elif [[ "$line" =~ [[:space:]]+$ ]]; then - _die "$file:$line_number: line has trailing whitespace." 
+_check_trailing() { + _is_enabled trailing || return 0 + if [[ "$line" =~ [[:space:]]+$ ]]; then + _err trailing "$file:$line_number" "line has trailing whitespace" + fi +} - elif $in_profile; then - if $first_line_after_profile; then - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - if ((num_spaces != 2)); then - _die "$file: profile must have a two-space indentation." - fi - first_line_after_profile=false +_CHECK_IN_PROFILE=false +_CHECK_FIRST_LINE_AFTER_PROFILE=true +_check_indentation() { + _is_enabled indentation || return 0 + if [[ "$line" =~ ^profile ]]; then + _CHECK_IN_PROFILE=true + _CHECK_FIRST_LINE_AFTER_PROFILE=true - else - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} + elif $_CHECK_IN_PROFILE; then + if $_CHECK_FIRST_LINE_AFTER_PROFILE; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _err indentation "$file:$line_number" "profile must have a two-space indentation" + fi + _CHECK_FIRST_LINE_AFTER_PROFILE=false - if ((num_spaces % 2 != 0)); then - ok=false - for offset in 5 11; do - num_spaces=$((num_spaces - offset)) - if ((num_spaces < 0)); then - break - fi - if ((num_spaces % 2 == 0)); then - ok=true - break - fi - done + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} - if ! $ok; then - _die "$file:$line_number: invalid indentation." + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break fi + if ((num_spaces % 2 == 0)); then + ok=true + break + fi + done + + if ! $ok; then + _err indentation "$file:$line_number" "invalid indentation" fi fi fi - done <"$file" -} - -_ensure_include() { - local file="$1" - local include="$2" - if ! grep -q "^ *${include}$" "$file"; then - _die "$file does not contain '$include'" fi } -_ensure_abi() { - local file="$1" - if ! 
grep -q "^ *abi ," "$file"; then - _die "$file does not contain 'abi ,'" +_CHEK_IN_SUBPROFILE=false +declare -A _RES_SUBPROFILES +_check_subprofiles() { + _is_enabled subprofiles || return 0 + if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then + indentation="${BASH_REMATCH[1]}" + subprofile="${BASH_REMATCH[2]}" + subprofile="${subprofile%% *}" + include="${indentation}include if exists " + _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" + _CHEK_IN_SUBPROFILE=true + elif $_CHEK_IN_SUBPROFILE; then + if [[ "$line" == *"$include" ]]; then + _RES_SUBPROFILES["$subprofile"]=true + fi + fi +} +_res_subprofiles() { + _is_enabled subprofiles || return 0 + for msg in "${_RES_SUBPROFILES[@]}"; do + if [[ $msg == true ]]; then + continue + fi + _err subprofiles "$file" "$msg" + done +} + +readonly VIM_SYNTAX="# vim:syntax=apparmor" +RES_VIM=false +_check_vim() { + _is_enabled vim || return 0 + if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then + RES_VIM=true + fi +} +_res_vim() { + _is_enabled vim || return 0 + if ! $RES_VIM; then + _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } -_ensure_vim() { - local file="$1" - if ! 
grep -q "^# vim:syntax=apparmor" "$file"; then - _die "$file does not contain '# vim:syntax=apparmor'" +_check_udev() { + _is_enabled udev || return 0 + if [[ "$line" == *"@{run}/udev/data/"* ]]; then + if [[ "$line" != *"#"* ]]; then + _err udev "$file:$line_number" "udev data path without a description comment" + fi fi } +check_sbin() { + local file name jobs + mapfile -t sbin ,'" - echo " - 'profile '" - echo " - 'include if exists '" - echo " - include if exists local for subprofiles" - echo " - vim:syntax=apparmor" - directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") - # shellcheck disable=SC2068 - for dir in ${directories[@]}; do - for file in $(find "$dir" -maxdepth 1 -type f); do - case "$file" in */README.md) continue ;; esac + _msg "Checking profiles" + mapfile -t files < <( + find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ + -prune -o -type f -print + ) + jobs=0 + WITH_CHECK=( + abstractions directory-mark equivalent too-wide useless transition tunables + abi include profile header tabs trailing indentation subprofiles vim udev + ) + for file in "${files[@]}"; do + ( name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - if ! grep -q "^profile $name" "$file"; then - _die "$name does not contain 'profile $name'" - fi - mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') - for subprofile in "${subrofiles[@]}"; do - include="include if exists " - if ! 
grep -q "^ *${include}$" "$file"; then - _die "$name: $name//$subprofile does not contain '$include'" - fi - done - done + _check "$file" + ) & + _wait jobs done + wait } check_abstractions() { - echo -e "\033[1m â‹… \033[0mChecking if all abstractions contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'include if exists '" - echo " - vim:syntax=apparmor" - directories=( - "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" - "$APPARMORD/abstractions/attached/" - "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" + _msg "Checking abstractions" + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) + jobs=0 + WITH_CHECK=( + abstractions directory-mark equivalent too-wide tunables + abi include header tabs trailing indentation vim udev ) - for dir in "${directories[@]}"; do - for file in $(find "$dir" -maxdepth 1 -type f); do + for file in "${files[@]}"; do + ( name="$(basename "$file")" - root="${dir/${APPARMORD}\/abstractions\//}" - include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - done + absdir="${file/${APPARMORD}\//}" + include="include if exists <${absdir}.d>" + _check "$file" + ) & + _wait jobs done + wait + + mapfile -t files < <( + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true + find "$APPARMORD/mappings" -type f 2>/dev/null || true + ) + # shellcheck disable=SC2034 + jobs=0 + WITH_CHECK=( + abstractions directory-mark equivalent too-wide tunables + header tabs trailing indentation vim udev + ) + for file in "${files[@]}"; do + _check "$file" & + _wait jobs + done + wait } +check_sbin check_profiles check_abstractions + +FAIL=$(cat "$RES") +if [[ "$FAIL" == "true" ]]; then + exit 1 +fi 
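Review bot: `_check_subprofiles` assigns the file-level `include` variable (`include="${indentation}include if exists …"`) that `check_profiles` sets once per file and that `_check_include` compares against on every later line, so after the first subprofile header the profile's own local include (normally the last rule of the file) can no longer match and `_res_include` reports it missing with the subprofile's string. Give the subprofile check its own variable — `sub_include="${indentation}include if exists …"`, `_RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$sub_include'"` and `[[ "$line" == *"$sub_include" ]]` — and leave `include` untouched; `_CHEK_IN_SUBPROFILE` is also misspelled. The `mktemp` file in `RES` is never removed; a `trap 'rm -f "$RES"' EXIT` right after it is created keeps each run from leaving a file behind. The include and abi strings and the body of `check_sbin` are garbled in this view, so the exact text of those lines should be confirmed in the file.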
diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml
new file mode 100644
index 000000000..9ed6c1d92
--- /dev/null
+++ b/tests/cloud-init/archlinux-cosmic.user-data.yml
@@ -0,0 +1,57 @@
+#cloud-config
+
+packages:
+ # Install core packages
+ - apparmor
+ - base-devel
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+
+ # Install usefull core packages
+ - bash-completion
+ - just
+ - git
+ - htop
+ - man
+ - pass
+ - python-notify2
+ - vim
+ - wget
+
+ # Install basic services
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+
+ # Install Applications
+ - firefox
+ - chromium
+ - terminator
+
+ # Install Graphical Interface
+ - cosmic
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable cosmic-greeter
+ - systemctl enable NetworkManager
+ - systemctl enable rngd
+ - systemctl enable avahi-daemon
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml
new file mode 100644
index 000000000..d33f685b6
--- /dev/null
+++ b/tests/cloud-init/archlinux-gnome.user-data.yml
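Review bot: This file inlines its whole package list under `packages:` while the sibling archlinux-gnome, archlinux-kde and archlinux-server user-data files in this commit alias anchors from archlinux.yml (`packages: *gnome-packages`, `*kde-packages`, `*core-packages`); adding a `cosmic-packages: &cosmic-packages` block to archlinux.yml and writing `packages: *cosmic-packages` here would keep the Arch images consistent and stop the core list from drifting. The comment `# Install usefull core packages` also has a typo (`useful`).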
@@ -0,0 +1,26 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable gdm
+ - systemctl enable NetworkManager
+ - systemctl enable rngd
+ - systemctl enable avahi-daemon
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml
new file mode 100644
index 000000000..cb4c4d3b0
--- /dev/null
+++ b/tests/cloud-init/archlinux-kde.user-data.yml
@@ -0,0 +1,26 @@
+#cloud-config
+
+packages: *kde-packages
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable sddm
+ - systemctl enable NetworkManager
+ - systemctl enable rngd
+ - systemctl enable avahi-daemon
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml
new file mode 100644
index 000000000..2b3567171
--- /dev/null
+++ b/tests/cloud-init/archlinux-server.user-data.yml
@@ -0,0 +1,24 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable rngd
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/packer/init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml
similarity index 51%
rename from tests/packer/init/archlinux-xfce.user-data.yml
rename to tests/cloud-init/archlinux-xfce.user-data.yml
index 1cc18f556..5bab9bf08 100644
--- a/tests/packer/init/archlinux-xfce.user-data.yml
+++ b/tests/cloud-init/archlinux-xfce.user-data.yml
@@ -1,28 +1,9 @@
 #cloud-config
-hostname: ${hostname}
-locale: en_IE
-keyboard:
- layout: ie
-
-ssh_pwauth: true
-users:
- - name: ${username}
- plain_text_passwd: ${password}
- shell: /bin/bash
- ssh_authorized_keys:
- - ${ssh_key}
- lock_passwd: false
- sudo: ALL=(ALL) NOPASSWD:ALL
-
-package_update: true
-package_upgrade: true
-package_reboot_if_required: false
 packages:
 # Install core packages
 - apparmor
 - base-devel
- - firewalld
 - qemu-guest-agent
 - rng-tools
 - spice-vdagent
@@ -30,6 +11,7 @@ packages:
 # Install usefull core packages
 - bash-completion
 - git
+ - just
 - htop
 - man
 - pass
@@ -43,17 +25,17 @@ packages:
 - cups-pdf
 - system-config-printer
+ # Install Applications
+ - firefox
+ - chromium
+ - terminator
+
 # Install Graphical Interface
 - xfce4
 - xfce4-goodies
 - lightdm
 - lightdm-gtk-greeter
- # Install Applications
- - firefox
- - chromium
- - terminator
-
 runcmd:
 # Regenerate grub.cfg
 - grub-mkconfig -o /boot/grub/grub.cfg
@@ -73,20 +55,6 @@ runcmd:
 - systemctl enable systemd-timesyncd.service
 write_files:
- # Enable AppArmor in kernel parameters
- - path: /etc/default/grub
- append: true
- content: |
- GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
-
- # Set some bash aliases
- - path: /etc/skel/.bashrc
- append: true
- content: |
- [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases
-
- # Setup shared directory
- - path: /etc/fstab
- append: true
- content: |
- 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml
new file mode 100644
index 000000000..5299efda0
--- /dev/null
+++ b/tests/cloud-init/archlinux.yml
@@ -0,0 +1,103 @@
+#cloud-config
+
+core-packages: &core-packages
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+gnome-packages: &gnome-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - alacarte
+ - gnome
+ - gnome-extra
+ - ptyxis
+ - seahorse
+
+kde-packages: &kde-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - plasma-meta
+ - sddm
+ - ark
+ - dolphin
+ - konsole
+ - okular
+
+# Enable AppArmor in kernel parameters
+grub-enable-apparmor: &grub-enable-apparmor
+ path: /etc/default/grub
+ append: true
+ content: |
+ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1"
+
+# Set some bash aliases
+setup-bash-aliases: &setup-bash-aliases
+ path: /etc/skel/.bashrc
+ append: true
+ content: |
+ [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases
diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml
new file mode 100644
index 000000000..2048e5368
--- /dev/null
+++ b/tests/cloud-init/common.yml
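Review bot: The anchors defined here (`&core-packages`, `&gnome-packages`, `&kde-packages`, `&grub-enable-apparmor`, `&setup-bash-aliases`) are consumed as aliases from the separate archlinux-*.user-data.yml files in this commit, but a YAML alias can only resolve to an anchor in the same document, so this presumably relies on a build step concatenating this file with each user-data file before cloud-init reads it; a leading comment such as `# Anchors shared with archlinux-*.user-data.yml; the files are merged into one document at build time` would record that assumption. `spice-vdagent` appears twice in both `gnome-packages` and `kde-packages` (once in the core list, once in the desktop list); dropping the second occurrence avoids a duplicate install target. The kernel command line in `grub-enable-apparmor` now also sets `apparmor.debug=1`, which the inline version removed from archlinux-xfce.user-data.yml did not; a short comment saying it is intentional for the test images would help the next reader.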
@@ -0,0 +1,39 @@
+#cloud-config
+
+hostname: ${hostname}
+
+ssh_pwauth: true
+users:
+ - name: ${username}
+ plain_text_passwd: ${password}
+ shell: /bin/bash
+ ssh_authorized_keys:
+ - ${ssh_key}
+ lock_passwd: false
+ sudo: ALL=(ALL) NOPASSWD:ALL
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: false
+
+# Mount shared directory
+shared-directory: &shared-directory
+ path: /etc/fstab
+ append: true
+ content: |
+ 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1
+
+# Network configuration for server
+systemd-netword: &systemd-netword
+ path: /etc/systemd/network/20-wired.network
+ owner: "root:root"
+ permissions: "0644"
+ content: |
+ [Match]
+ Name=en*
+
+ [Network]
+ DHCP=yes
+
+ [DHCPv4]
+ RouteMetric=10
diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml
new file mode 100644
index 000000000..ea3012ad2
--- /dev/null
+++ b/tests/cloud-init/debian.yml
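Review bot: This file now carries the login settings for every test box — `ssh_pwauth: true`, `plain_text_passwd: ${password}`, `lock_passwd: false` and `sudo: ALL=(ALL) NOPASSWD:ALL` — and nothing in it says that the `${...}` values are placeholders filled at image-build time or that password login and passwordless sudo are deliberate for throwaway VMs; a comment above `users:` such as `# Test images only: ${...} placeholders are substituted by the image build; password SSH and NOPASSWD sudo are intentional` would make that explicit for anyone reusing the file. The anchor `systemd-netword: &systemd-netword` is misspelled (`network`) and is referenced by that name from the archlinux-server, debian12-*, debian13-* and opensuse-server user-data files, so a rename has to update all of them in the same change.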
@@ -0,0 +1,96 @@
+#cloud-config
+
+# Core packages for Debian
+core-packages: &core-packages
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+gnome-packages: &desktop-packages
+ # Core packages for Debian
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # Gnome packages for Debian
+ - spice-vdagent
+ - task-gnome-desktop
+ - terminator
+ - loupe
+ - ptyxis
+
+kde-packages: &kubuntu-packages
+ # Core packages for Debian
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # KDE packages for Debian
+ - spice-vdagent
+ - task-kde-desktop
+ - terminator
+
+debian12-runcmd: &debian12-runcmd
+ - apt-get update -y
+ - apt-get install -y -t bookworm-backports golang-go
+
+debian13-runcmd: &debian13-runcmd
+ - apt-get update -y
+ - apt-get install -y golang-go
+
+# Add backports repository
+debian12-backports: &debian12-backports
+ path: /etc/apt/sources.list
+ append: true
+ content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free
diff --git a/tests/cloud-init/debian12-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml
new file mode 100644
index 000000000..fbb3d1232
--- /dev/null
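Review bot: The anchor names on `gnome-packages: &desktop-packages` and `kde-packages: &kubuntu-packages` do not match their keys, while debian12-gnome.user-data.yml and debian13-gnome.user-data.yml in this commit reference `packages: *gnome-packages`; a YAML alias binds to an anchor, not to a mapping key, so if this file is merged with those user-data files the way the archlinux set appears to be, `*gnome-packages` has nothing to resolve to. Renaming them to `&gnome-packages` and `&kde-packages`, as archlinux.yml does, fixes the lookup and keeps the per-distro files consistent.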
+++ b/tests/cloud-init/debian12-gnome.user-data.yml
@@ -0,0 +1,10 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd: *debian12-runcmd
+
+write_files:
+ - *debian12-backports # Add backports repository
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/packer/init/debian-kde.user-data.yml b/tests/cloud-init/debian12-kde.user-data.yml
similarity index 65%
rename from tests/packer/init/debian-kde.user-data.yml
rename to tests/cloud-init/debian12-kde.user-data.yml
index a608e9b0b..451068db1 100644
--- a/tests/packer/init/debian-kde.user-data.yml
+++ b/tests/cloud-init/debian12-kde.user-data.yml
@@ -1,23 +1,5 @@
 #cloud-config
-hostname: ${hostname}
-locale: en_IE
-keyboard:
- layout: ie
-
-ssh_pwauth: true
-users:
- - name: ${username}
- plain_text_passwd: ${password}
- shell: /bin/bash
- ssh_authorized_keys:
- - ${ssh_key}
- lock_passwd: false
- sudo: ALL=(ALL) NOPASSWD:ALL
-
-package_update: true
-package_upgrade: true
-package_reboot_if_required: false
 packages:
 - apparmor-profiles
 - auditd
@@ -27,8 +9,8 @@ packages:
 - devscripts
 - htop
 - qemu-guest-agent
- - spice-vdagent
 - rsync
+ - spice-vdagent
 - vim
 - task-kde-desktop
diff --git a/tests/cloud-init/debian12-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml
new file mode 100644
index 000000000..cec721285
--- /dev/null
+++ b/tests/cloud-init/debian12-server.user-data.yml
@@ -0,0 +1,10 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd: *debian12-runcmd
+
+write_files:
+ - *debian12-backports # Add backports repository
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml
new file mode 100644
index 000000000..0d5adfe17
--- /dev/null
+++ b/tests/cloud-init/debian13-gnome.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd: *debian13-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml
new file mode 100644
index 000000000..692548770
--- /dev/null
+++ b/tests/cloud-init/debian13-server.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd: *debian13-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml
new file mode 100644
index 000000000..3ab5a6c08
--- /dev/null
+++ b/tests/cloud-init/opensuse-gnome.user-data.yml
@@ -0,0 +1,6 @@
+#cloud-config
+
+packages: *core-packages
+
+write_files:
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml
new file mode 100644
index 000000000..3ab5a6c08
--- /dev/null
+++ b/tests/cloud-init/opensuse-kde.user-data.yml
@@ -0,0 +1,6 @@
+#cloud-config
+
+packages: *core-packages
+
+write_files:
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml
new file mode 100644
index 000000000..98b78ec80
--- /dev/null
+++ b/tests/cloud-init/opensuse-server.user-data.yml
@@ -0,0 +1,7 @@
+#cloud-config
+
+packages: *core-packages
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml
new file mode 100644
index 000000000..57c633678
--- /dev/null
+++ b/tests/cloud-init/opensuse.yml
@@ -0,0 +1,16 @@
+#cloud-config
+
+# Core packages for OpenSUSE
+core-packages: &core-packages
+ - apparmor-profiles
+ - bash-completion
+ - distribution-release
+ - git
+ - go
+ - golang-packaging
+ - htop
+ - just
+ - rpmbuild
+ - rsync
+ - vim
+
diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml
new file mode 100644
index 000000000..14db33251
--- /dev/null
+++ b/tests/cloud-init/ubuntu.yml
@@ -0,0 +1,113 @@
+#cloud-config
+
+core-packages: &core-packages
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - golang-go
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+desktop-packages: &desktop-packages
+ # Core packages for Ubuntu
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - golang-go
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # Desktop packages for Ubuntu
+ - spice-vdagent
+ - terminator
+ - ubuntu-desktop
+ - loupe
+ - ptyxis
+
+kubuntu-packages: &kubuntu-packages
+ # Core packages for Ubuntu
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - golang-go
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # Desktop packages for Ubuntu
+ - spice-vdagent
+ - terminator
+ - kubuntu-desktop
+
+desktop-runcmd: &desktop-runcmd
+ # Add missing snap packages
+ - snap install snap-store
+ - snap install snapd-desktop-integration
+ - snap install --edge desktop-security-center
+
+ # Remove default filesystem and related tools not used with the suggested
+ # storage layout. These may yet be required if different partitioning schemes
+ # are used.
+ - apt-get -y purge btrfs-progs xfsprogs
+
+ # Remove other packages present by default in Ubuntu Server but not
+ # normally present in Ubuntu Desktop.
+ - >-
+ apt-get -y purge
+ byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader
+ mdadm motd-news-config ncurses-term open-iscsi open-vm-tools
+ screen sg3-utils sosreport ssh-import-id sssd tmux
+
+ # Finally, remove things only installed as dependencies of other things
+ # we have already removed.
+ - apt-get -y autoremove
+
+ # Ensure systemd-networkd is disabled
+ - systemctl disable systemd-networkd-wait-online.service
+
+ # Ensure auditd is enabled
+ - systemctl enable systemd-journald-audit.socket
diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml
new file mode 100644
index 000000000..7f4183d49
--- /dev/null
+++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml
@@ -0,0 +1,8 @@
+#cloud-config
+
+packages: *desktop-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml
new file mode 100644
index 000000000..d4139c2f7
--- /dev/null
+++ b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml
@@ -0,0 +1,8 @@
+#cloud-config
+
+packages: *kubuntu-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml
new file mode 100644
index 000000000..98b78ec80
--- /dev/null
+++ b/tests/cloud-init/ubuntu24-server.user-data.yml
@@ -0,0 +1,7 @@
+#cloud-config
+
+packages: *core-packages
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu25-desktop.user-data.yml b/tests/cloud-init/ubuntu25-desktop.user-data.yml
new file mode 100644
index 000000000..7f4183d49
--- /dev/null
+++ b/tests/cloud-init/ubuntu25-desktop.user-data.yml
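Review bot: Two comments in `desktop-runcmd` describe a different command from the one beneath them: `# Ensure systemd-networkd is disabled` sits above `systemctl disable systemd-networkd-wait-online.service`, which only stops boot from waiting on the network-online target and leaves systemd-networkd itself untouched, and `# Ensure auditd is enabled` sits above `systemctl enable systemd-journald-audit.socket`, which makes journald collect kernel audit messages rather than enabling auditd. I'd reword them to `# Do not block boot on systemd-networkd-wait-online` and `# Let journald collect kernel audit messages`, or change the commands if the comments state the real intent. Separately, the `# Core packages for Ubuntu` label is attached to `desktop-packages` and `kubuntu-packages` but not to `core-packages` itself, and the 21-entry core list is repeated verbatim inside both desktop anchors; YAML aliases cannot splice one sequence into another, so the repetition may be deliberate, but a comment saying so would stop someone from "deduplicating" it into something that no longer parses.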
@@ -0,0 +1,8 @@
+#cloud-config
+
+packages: *desktop-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/ubuntu25-server.user-data.yml b/tests/cloud-init/ubuntu25-server.user-data.yml
new file mode 100644
index 000000000..98b78ec80
--- /dev/null
+++ b/tests/cloud-init/ubuntu25-server.user-data.yml
@@ -0,0 +1,7 @@
+#cloud-config
+
+packages: *core-packages
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cmd/main.go b/tests/cmd/main.go
index eb88de1ec..e7e620b00 100644
--- a/tests/cmd/main.go
+++ b/tests/cmd/main.go
@@ -88,7 +88,8 @@ func run() error {
 }
 logging.Bullet("Bats tests directory: %s", cfg.BatsDir)
- logging.Bullet("Number of tests found %d", len(tests))
+ logging.Bullet("Number of profiles with tests found %d", len(tests))
+ logging.Bullet("Number of programs without profile found %d", len(tests))
 return nil
 }
diff --git a/tests/cmd/tldr.go b/tests/cmd/tldr.go
index d86c80565..ec98fa8b4 100644
--- a/tests/cmd/tldr.go
+++ b/tests/cmd/tldr.go
@@ -17,14 +17,14 @@ import (
 )
 type Tldr struct {
- Url string // Tldr download url
+ URL string // Tldr download url
 Dir *paths.Path // Tldr cache directory
 Ignore []string // List of ignored software
 }
 func NewTldr(dir *paths.Path) Tldr {
 return Tldr{
- Url: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz",
+ URL: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz",
 Dir: dir,
 }
 }
@@ -33,9 +33,9 @@ func NewTldr(dir *paths.Path) Tldr {
 func (t Tldr) Download() error {
 gzPath := t.Dir.Parent().Join("tldr.tar.gz")
 if !gzPath.Exist() {
- resp, err := http.Get(t.Url)
+ resp, err := http.Get(t.URL)
 if err != nil {
- return fmt.Errorf("downloading %s: %w", t.Url, err)
+ return fmt.Errorf("downloading %s: %w", t.URL, err)
 }
 defer resp.Body.Close()
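Review bot: The new bullet `logging.Bullet("Number of programs without profile found %d", len(tests))` reuses `len(tests)`, the same value the line above already prints as the number of profiles with tests, so the two counts can never differ and the second line reports nothing. Whatever collection holds the programs that lack a profile should be counted there; if that list does not exist yet, drop the bullet until it does rather than print a misleading number. The rest of `run()` is outside the hunk.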
diff --git a/tests/bats/aa-enforce.bats b/tests/integration/apparmor/aa-enforce.bats
similarity index 94%
rename from tests/bats/aa-enforce.bats
rename to tests/integration/apparmor/aa-enforce.bats
index d6b549b1e..7bc0e740b 100644
--- a/tests/bats/aa-enforce.bats
+++ b/tests/integration/apparmor/aa-enforce.bats
@@ -3,10 +3,9 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 setup_file() {
- aa_setup
 skip
 }
diff --git a/tests/bats/aa-status.bats b/tests/integration/apparmor/aa-status.bats
similarity index 97%
rename from tests/bats/aa-status.bats
rename to tests/integration/apparmor/aa-status.bats
index fbfb6667d..e7e0fc3d5 100644
--- a/tests/bats/aa-status.bats
+++ b/tests/integration/apparmor/aa-status.bats
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 @test "aa-status: Check status" {
 sudo aa-status
diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats
new file mode 100644
index 000000000..3f13d4ea4
--- /dev/null
+++ b/tests/integration/apt/apt.bats
@@ -0,0 +1,54 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "apt: Update the list of available packages and versions" {
+ sudo apt update
+}
+
+@test "apt: Search for a given package" {
+ apt search apparmor
+}
+
+@test "apt: Show information for a package" {
+ apt show apparmor
+}
+
+@test "apt: Install a package, or update it to the latest available version" {
+ sudo apt install -y pass
+}
+
+@test "apt: Remove a package and its configuration files" {
+ sudo apt purge -y pass
+}
+
+@test "apt: Upgrade all installed packages to their newest available versions" {
+ sudo apt upgrade -y
+}
+
+@test "apt: Upgrade installed packages, but remove obsolete packages and install additional packages to meet new dependencies" {
+ sudo apt dist-upgrade -y
+}
+
+@test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" {
+ sudo apt autoclean -y
+}
+
+@test "apt: Remove all packages that are no longer needed" {
+ sudo apt autoremove -y
+}
+
+@test "apt: List all packages" {
+ apt list
+}
+
+@test "apt: List installed packages" {
+ apt list --installed
+}
+
+@test "apt: Print a cow easter egg" {
+ apt moo
+}
diff --git a/tests/integration/apt/dpkg-query.bats b/tests/integration/apt/dpkg-query.bats
new file mode 100644
index 000000000..39259e0a0
--- /dev/null
+++ b/tests/integration/apt/dpkg-query.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "dpkg-query: List all installed packages" {
+ dpkg-query --list
+}
+
+@test "dpkg-query: List installed packages matching a pattern" {
+ dpkg-query --list 'libc6*'
+}
+
+@test "dpkg-query: List all files installed by a package" {
+ dpkg-query --listfiles libc6
+}
+
+@test "dpkg-query: Show information about a package" {
+ dpkg-query --status libc6
+}
+
+@test "dpkg-query: Search for packages that own files matching a pattern" {
+ dpkg-query --search /etc/ld.so.conf.d
+}
+
diff --git a/tests/integration/apt/dpkg-reconfigure.bats b/tests/integration/apt/dpkg-reconfigure.bats
new file mode 100644
index 000000000..f6aec98ea
--- /dev/null
+++ b/tests/integration/apt/dpkg-reconfigure.bats
@@ -0,0 +1,12 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "dpkg-reconfigure: Reconfigure one or more packages" {
+ sudo apt install -y pass
+ sudo dpkg-reconfigure pass
+}
+
diff --git a/tests/integration/apt/dpkg.bats b/tests/integration/apt/dpkg.bats
new file mode 100644
index 000000000..6a0e735b4
--- /dev/null
+++ b/tests/integration/apt/dpkg.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "dpkg: Remove a package" {
+ sudo apt install -y pass
+ sudo dpkg -r pass
+}
+
+@test "dpkg: List installed packages" {
+ dpkg -l apparmor
+}
+
+@test "dpkg: List a package's contents" {
+ dpkg -L apparmor.d
+}
+
+@test "dpkg: Find out which package owns a file" {
+ dpkg -S /etc/apparmor/parser.conf
+}
+
+@test "dpkg: Purge an installed or already removed package, including configuration" {
+ sudo dpkg -P pass
+}
diff --git a/tests/bats/common.bash b/tests/integration/common.bash
similarity index 91%
rename from tests/bats/common.bash
rename to tests/integration/common.bash
index 556ef871b..7a012191b 100644
--- a/tests/bats/common.bash
+++ b/tests/integration/common.bash
@@ -6,6 +6,11 @@ export BATS_LIB_PATH=${BATS_LIB_PATH:-/usr/lib/bats}
 load "$BATS_LIB_PATH/bats-support/load"
+export SYSTEMD_PAGER=
+
+# Ignore the profile not managed by apparmor.d
+IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd)
+
 # User password for sudo commands
 export PASSWORD=${PASSWORD:-user}
@@ -105,12 +110,21 @@ aa_check() {
 now=$(date +%s)
 duration=$((now - _START + 1))
 logs=$(aa-log --raw --systemd --since "-${duration}s")
+ for profile in "${IGNORE[@]}"; do
+ logs=$(echo "$logs" | grep -v "$profile")
+ done
+
 aa_start
 if [[ -n "$logs" ]]; then
 fail "profile $PROGRAM raised logs: $logs"
 fi
 }
+_timeout() {
+ local duration="2s"
+ timeout --preserve-status --kill-after="$duration" "$duration" "$@"
+}
+
 # Bats setup and teardown hooks
 setup_file() {
diff --git a/tests/bats/cpuid.bats b/tests/integration/cpuid.bats
similarity index 100%
rename from tests/bats/cpuid.bats
rename to tests/integration/cpuid.bats
diff --git a/tests/bats/dfc.bats b/tests/integration/dfc.bats
similarity index 100%
rename from tests/bats/dfc.bats
rename to tests/integration/dfc.bats
diff --git a/tests/bats/fc-cache.bats b/tests/integration/fc-cache.bats
similarity index 100%
rename from tests/bats/fc-cache.bats
rename to tests/integration/fc-cache.bats
diff --git a/tests/bats/fc-list.bats b/tests/integration/fc-list.bats
similarity index 100%
rename from tests/bats/fc-list.bats
rename to tests/integration/fc-list.bats
diff --git a/tests/integration/flatpak.bats b/tests/integration/flatpak.bats
new file mode 100644
index 000000000..b61024d06
--- /dev/null
+++ b/tests/integration/flatpak.bats
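Review bot: In `aa_check`, `logs=$(echo "$logs" | grep -v "$profile")` applies each `IGNORE` entry as an unanchored basic regex, so the `.` and `/` in `snap.vault.vaultd` and `snapd/snap-confine` are pattern characters and any log line that merely contains the string is dropped, not just the lines for that profile; since this function is what turns an AppArmor denial into a test failure, an over-broad filter silently hides real denials for other profiles. At minimum use fixed-string matching, `logs=$(echo "$logs" | grep -vF -- "$profile")`, and if `aa-log --raw` prints a stable profile field, anchor the match on that field instead of the whole line. `aa_check` starts before this hunk.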
@@ -0,0 +1,47 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+@test "flatpak: Add a new remote repository (by URL)" {
+ sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+}
+
+@test "flatpak: List all remote repositories" {
+ flatpak remotes
+}
+
+@test "flatpak: Search for an application in a remote repository" {
+ sudo flatpak search vim
+ sudo flatpak search org.freedesktop.Platform
+}
+
+@test "flatpak: Install an application from a remote source" {
+ sudo flatpak install --noninteractive org.vim.Vim
+}
+
+@test "flatpak: List installed applications, ignoring runtimes" {
+ flatpak list --app
+}
+
+@test "flatpak: Show information about an installed application" {
+ flatpak info org.vim.Vim
+}
+
+# @test "flatpak: Run an installed application" {
+# _timeout flatpak run org.vim.Vim
+# }
+
+@test "flatpak: Update all installed applications and runtimes" {
+ sudo flatpak update --noninteractive
+}
+
+@test "flatpak: Remove an installed application" {
+ sudo flatpak remove --noninteractive org.vim.Vim
+}
+
+@test "flatpak: Remove all unused applications" {
+ sudo flatpak remove --noninteractive --unused
+}
diff --git a/tests/bats/fwupdmgr.bats b/tests/integration/fwupdmgr.bats
similarity index 100%
rename from tests/bats/fwupdmgr.bats
rename to tests/integration/fwupdmgr.bats
diff --git a/tests/bats/gpgconf.bats b/tests/integration/gpg/gpgconf.bats
similarity index 98%
rename from tests/bats/gpgconf.bats
rename to tests/integration/gpg/gpgconf.bats
index 7155c5aa9..41627dc67 100644
--- a/tests/bats/gpgconf.bats
+++ b/tests/integration/gpg/gpgconf.bats
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 @test "gpgconf: List all components" {
 gpgconf --list-components
diff --git a/tests/integration/hostname.bats b/tests/integration/hostname.bats
new file mode 100644
index 000000000..35008bd79
--- /dev/null
+++ b/tests/integration/hostname.bats
@@ -0,0 +1,29 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+@test "hostname: Show current host name" {
+ hostname
+}
+
+@test "hostname: Show the network address of the host name" {
+ hostname -i
+}
+
+@test "hostname: Show all network addresses of the host" {
+ hostname -I
+}
+
+@test "hostname: Show the FQDN (Fully Qualified Domain Name)" {
+ hostname --fqdn
+}
+
+@test "hostname: Set current host name" {
+ name=$(hostname)
+ sudo hostname "new-$(hostname)"
+ sudo hostname "$name"
+}
+
diff --git a/tests/bats/id.bats b/tests/integration/id.bats
similarity index 100%
rename from tests/bats/id.bats
rename to tests/integration/id.bats
diff --git a/tests/bats/ip.bats b/tests/integration/ip.bats
similarity index 100%
rename from tests/bats/ip.bats
rename to tests/integration/ip.bats
diff --git a/tests/bats/needrestart.bats b/tests/integration/needrestart.bats
similarity index 100%
rename from tests/bats/needrestart.bats
rename to tests/integration/needrestart.bats
diff --git a/tests/integration/pacman/paccache.bats b/tests/integration/pacman/paccache.bats
new file mode 100644
index 000000000..b2e1369e2
--- /dev/null
+++ b/tests/integration/pacman/paccache.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "paccache: Perform a dry-run and show the number of candidate packages for deletion" {
+ sudo paccache -d
+}
+
+@test "paccache: Move candidate packages to a directory instead of deleting them" {
+ sudo paccache -m "$USER_BUILD_DIRS"
+}
+
+@test "paccache: Remove all but the 3 most recent package versions from the `pacman` cache" {
+ sudo paccache -r
+}
+
+@test "paccache: Set the number of package versions to keep" {
+ sudo paccache -rk 3
+}
diff --git a/tests/integration/pacman/pacman-key.bats b/tests/integration/pacman/pacman-key.bats
new file mode 100644
index 000000000..82e34a379
--- /dev/null
+++ b/tests/integration/pacman/pacman-key.bats
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pacman-key: Initialize the 'pacman' keyring" {
+ sudo pacman-key --init
+}
+
+@test "pacman-key: Add the default Arch Linux keys" {
+ sudo pacman-key --populate
+}
+
+@test "pacman-key: List keys from the public keyring" {
+ pacman-key --list-keys
+}
+
+@test "pacman-key: Receive a key from a key server" {
+ sudo pacman-key --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
+}
+
+@test "pacman-key: Print the fingerprint of a specific key" {
+ pacman-key --finger 06A26D531D56C42D66805049C5469996F0DF68EC
+}
+
+@test "pacman-key: Sign an imported key locally" {
+ sudo pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC
+}
+
+@test "pacman-key: Remove a specific key" {
+ sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC
+}
diff --git a/tests/integration/pacman/pacman.bats b/tests/integration/pacman/pacman.bats
new file mode 100644
index 000000000..575a65bc1
--- /dev/null
+++ b/tests/integration/pacman/pacman.bats
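Review bot: The test name `"paccache: Remove all but the 3 most recent package versions from the `pacman` cache"` is a double-quoted bash string, so the backticks are a command substitution: bash runs `pacman` with no arguments while building the name and splices its output (plus a usage error on stderr) into it, which is exactly the construct the sysctl hunk in this same commit replaces with single quotes. Apply the same fix here: `@test "paccache: Remove all but the 3 most recent package versions from the 'pacman' cache" {`. Also, `$USER_BUILD_DIRS` in the `-m` test is not set anywhere visible in this commit; if it is meant to come from common.bash, a comment saying so would help, otherwise `paccache -m ""` is what actually runs.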
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pacman: Synchronize and update all packages" {
+ sudo pacman -Syu --noconfirm
+}
+
+@test "pacman: Install a new package" {
+ sudo pacman -S --noconfirm pass pass-otp
+}
+
+@test "pacman: Remove a package and its dependencies" {
+ sudo pacman -Rs --noconfirm pass-otp
+}
+
+@test "pacman: List installed packages and versions" {
+ pacman -Q
+}
+
+@test "pacman: List only the explicitly installed packages and versions" {
+ pacman -Qe
+}
+
+@test "pacman: List orphan packages (installed as dependencies but not actually required by any package)" {
+ pacman -Qtdq
+}
+
+@test "pacman: Empty the entire 'pacman' cache" {
+ sudo pacman -Scc --noconfirm
+}
diff --git a/tests/integration/procps/free.bats b/tests/integration/procps/free.bats
new file mode 100644
index 000000000..dcc216bfa
--- /dev/null
+++ b/tests/integration/procps/free.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "free: Display system memory" {
+ free
+}
+
+@test "free: Display memory in GB" {
+ free -g
+}
+
+@test "free: Display memory in human-readable units" {
+ free -h
+}
diff --git a/tests/integration/procps/pgrep.bats b/tests/integration/procps/pgrep.bats
new file mode 100644
index 000000000..9fd6b92f8
--- /dev/null
+++ b/tests/integration/procps/pgrep.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pgrep: Return PIDs of any running processes with a matching command string" {
+ pgrep systemd
+}
+
+@test "pgrep: Search for processes including their command-line options" {
+ pgrep --full 'systemd'
+}
+
+@test "pgrep: Search for processes run by a specific user" {
+ pgrep --euid root systemd-udevd
+}
+
diff --git a/tests/integration/procps/pidof.bats b/tests/integration/procps/pidof.bats
new file mode 100644
index 000000000..ec20cbe86
--- /dev/null
+++ b/tests/integration/procps/pidof.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pidof: List all process IDs with given name" {
+ pidof systemd
+ pidof bash
+}
+
+@test "pidof: List a single process ID with given name" {
+ pidof -s bash
+}
+
+@test "pidof: List process IDs including scripts with given name" {
+ pidof -x bash
+}
diff --git a/tests/bats/ps.bats b/tests/integration/procps/ps.bats
similarity index 97%
rename from tests/bats/ps.bats
rename to tests/integration/procps/ps.bats
index bcdfbe1b8..a27bdf98d 100644
--- a/tests/bats/ps.bats
+++ b/tests/integration/procps/ps.bats
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 @test "ps: List all running processes" {
 ps aux
diff --git a/tests/bats/sysctl.bats b/tests/integration/procps/sysctl.bats
similarity index 84%
rename from tests/bats/sysctl.bats
rename to tests/integration/procps/sysctl.bats
index 171ee98a9..66720c434 100644
--- a/tests/bats/sysctl.bats
+++ b/tests/integration/procps/sysctl.bats
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 @test "sysctl: Show all available variables and their values" {
 sysctl -a
@@ -21,7 +21,6 @@ load common
 sysctl fs.file-max
 }
-@test "sysctl: Apply changes from `/etc/sysctl.conf`" {
- sysctl -p
+@test "sysctl: Apply changes from '/etc/sysctl.conf'" {
+ sudo sysctl -p
 }
-
diff --git a/tests/integration/procps/uptime.bats b/tests/integration/procps/uptime.bats
new file mode 100644
index 000000000..7d9361d5a
--- /dev/null
+++ b/tests/integration/procps/uptime.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "uptime: Print current time, uptime, number of logged-in users and other information" {
+ uptime
+}
+
+@test "uptime: Show only the amount of time the system has been booted for" {
+ uptime --pretty
+}
+
+@test "uptime: Print the date and time the system booted up at" {
+ uptime --since
+}
diff --git a/tests/integration/procps/vmstat.bats b/tests/integration/procps/vmstat.bats
new file mode 100644
index 000000000..e5900a324
--- /dev/null
+++ b/tests/integration/procps/vmstat.bats
@@ -0,0 +1,25 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "vmstat: Display virtual memory statistics" {
+ vmstat
+ vmstat --active
+ vmstat --forks
+}
+
+@test "vmstat: Display disk statistics" {
+ vmstat --disk
+ vmstat --disk-sum
+}
+
+@test "vmstat: Display slabinfo" {
+ sudo vmstat --slabs
+}
+
+@test "vmstat: Display reports every second for 3 times" {
+ vmstat 1 3
+}
diff --git a/tests/bats/w.bats b/tests/integration/procps/w.bats
similarity index 68%
rename from tests/bats/w.bats
rename to tests/integration/procps/w.bats
index 1b97ba445..3ee1fe218 100644
--- a/tests/bats/w.bats
+++ b/tests/integration/procps/w.bats
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 @test "w: Display information about all users who are currently logged in" {
 w
@@ -12,3 +12,8 @@ load common
 @test "w: Display information about a specific user" {
 w root
 }
+
+@test "w: Display information without including the header, the login, JCPU and PCPU columns" {
+ w --no-header
+ w --short
+}
diff --git a/tests/bats/groupadd.bats b/tests/integration/shadow/groupadd.bats
similarity index 97%
rename from tests/bats/groupadd.bats
rename to tests/integration/shadow/groupadd.bats
index d93b1a690..3d07619b2 100644
--- a/tests/bats/groupadd.bats
+++ b/tests/integration/shadow/groupadd.bats
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 @test "groupadd: Create a new group" {
 sudo groupadd user2
diff --git a/tests/bats/groups.bats b/tests/integration/shadow/groups.bats
similarity index 95%
rename from tests/bats/groups.bats
rename to tests/integration/shadow/groups.bats
index 60bf6ea45..f932e9129 100644
--- a/tests/bats/groups.bats
+++ b/tests/integration/shadow/groups.bats
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 @test "groups: Print group memberships for the current user" {
 groups
diff --git a/tests/bats/snap.bats b/tests/integration/snap.bats
similarity index 52%
rename from tests/bats/snap.bats
rename to tests/integration/snap.bats
index 1eff200a8..a670a9ece 100644
--- a/tests/bats/snap.bats
+++ b/tests/integration/snap.bats
@@ -10,11 +10,11 @@ load common
 }
 @test "snap: Install a package" {
- sudo snap install nano-strict
+ sudo snap install vault
 }
 @test "snap: Update a package to another channel (track, risk, or branch)" {
- sudo snap refresh nano-strict --channel=edge
+ sudo snap refresh vault --channel=edge
 }
 @test "snap: Update all packages" {
@@ -25,10 +25,31 @@ load common
 sudo snap list
 }
-@test "snap: Check for recent snap changes in the system" {
- sudo snap changes
+@test "snap: lists information about the services" {
+ sudo snap services
+ sudo snap services vault
+}
+
+@test "snap: starts, and optionally enables, the given services" {
+ sudo snap start --enable vault
+}
+
+@test "snap: logs of the given services" {
+ sudo snap logs vault || true
+}
+
+@test "snap: restarts the given services" {
+ sudo snap restart vault
+}
+
+@test "snap: stops, and optionally disables, the given services" {
+ sudo snap stop --disable vault
 }
 @test "snap: Uninstall a package" {
- sudo snap remove nano-strict
+ sudo snap remove vault
+}
+
+@test "snap: Check for recent snap changes in the system" {
+ sudo snap changes
 }
diff --git a/tests/integration/systemd/bootctl.bats b/tests/integration/systemd/bootctl.bats
new file mode 100644
index 000000000..2dfb39a7f
--- /dev/null
+++ b/tests/integration/systemd/bootctl.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "bootctl: Show information about the system firmware and the bootloaders" {
+ sudo bootctl status
+}
+
+@test "bootctl: Show all available bootloader entries" {
+ sudo bootctl list
+}
+
+@test "bootctl: Install 'systemd-boot' into the EFI system partition" {
+ sudo bootctl install
+}
+
+@test "bootctl: Remove all installed versions of 'systemd-boot' from the EFI system partition" {
+ sudo bootctl remove
+}
diff --git a/tests/integration/systemd/busctl.bats b/tests/integration/systemd/busctl.bats
new file mode 100644
index 000000000..ef3e973e9
--- /dev/null
+++ b/tests/integration/systemd/busctl.bats
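Review bot: In bootctl.bats, `sudo bootctl install` followed by `sudo bootctl remove` modifies the ESP and, by default, the firmware boot entries of the very machine running the suite: if the test VM boots through systemd-boot, the `remove` test leaves it without a loader at the next reboot, and if it boots through GRUB, the `install` test may reorder the firmware boot list underneath it. Unless the VM is always discarded after a run, I'd keep the firmware variables out of it with `sudo bootctl install --no-variables` and `sudo bootctl remove --no-variables`, and state in a comment which boot setup the file assumes.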
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "busctl: Show all peers on the bus, by their service names" {
+ busctl list
+}
+
+@test "busctl: Show process information and credentials of a bus service, a process, or the owner of the bus (if no parameter is specified)" {
+ busctl status 1
+ busctl status org.freedesktop.DBus
+}
+
+@test "busctl: Show an object tree of one or more services (or all services if no service is specified)" {
+ busctl tree org.freedesktop.DBus
+}
+
+@test "busctl: Show interfaces, methods, properties and signals of the specified object on the specified service" {
+ busctl introspect org.freedesktop.login1 /org/freedesktop/login1
+}
+
+@test "busctl: Retrieve the current value of one or more object properties" {
+ busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager Docked
+}
diff --git a/tests/bats/homectl.bats b/tests/integration/systemd/homectl.bats
similarity index 93%
rename from tests/bats/homectl.bats
rename to tests/integration/systemd/homectl.bats
index 656a3407b..bb3b38227 100644
--- a/tests/bats/homectl.bats
+++ b/tests/integration/systemd/homectl.bats
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 setup_file() {
 sudo systemctl start systemd-homed
@@ -16,7 +16,7 @@ setup_file() {
 }
 @test "homectl: Create a user account and their associated home directory" {
- sudo homectl create user2
+ printf "user2\nuser2" | sudo homectl create user2
 }
 @test "homectl: List user accounts and their associated home directories" {
diff --git a/tests/bats/hostnamectl.bats b/tests/integration/systemd/hostnamectl.bats
similarity index 97%
rename from tests/bats/hostnamectl.bats
rename to tests/integration/systemd/hostnamectl.bats
index 2c15658ad..38924920a 100644
--- a/tests/bats/hostnamectl.bats
+++ b/tests/integration/systemd/hostnamectl.bats
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
 @test "hostnamectl: Get the hostname of the computer" {
 hostnamectl
diff --git a/tests/integration/systemd/journalctl.bats b/tests/integration/systemd/journalctl.bats
new file mode 100644
index 000000000..9eeb7c9fe
--- /dev/null
+++ b/tests/integration/systemd/journalctl.bats
@@ -0,0 +1,30 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "journalctl: Show all messages with priority level 3 (errors) from this boot" {
+ sudo journalctl -b --priority=3
+}
+
+@test "journalctl: Show only the last N lines of the journal" {
+ sudo journalctl --lines 100
+}
+
+@test "journalctl: Show all messages by a specific [u]nit" {
+ sudo journalctl --unit apparmor.service
+}
+
+@test "journalctl: Show all messages by a specific process" {
+ sudo journalctl _PID=1
+}
+
+@test "journalctl: Show all messages by a specific executable" {
+ sudo journalctl /usr/bin/bootctl
+}
+
+@test "journalctl: Delete journal logs which are older than 10 seconds" {
+ sudo journalctl --vacuum-time=10s
+}
diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats
new file mode 100644
index 000000000..71dfd2e06
--- /dev/null
+++ b/tests/integration/systemd/localectl.bats
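Review bot: `sudo journalctl --vacuum-time=10s` prunes archived journal files on the same machine whose journal `aa_check` in common.bash reads back through `aa-log --raw --systemd --since`; vacuuming touches only archived files, so the entries of the test in flight should survive in the active file, but it does throw away the earlier history of the run that any later log dump would otherwise show. If the goal is just to exercise the profile's access to the journal directory, an argument that is very likely a no-op on a fresh VM, such as `sudo journalctl --vacuum-size=1G`, or a comment stating that the history loss is accepted, would make the intent clear.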
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "localectl: Show the current settings of the system locale and keyboard mapping" {
+ localectl
+}
+
+@test "localectl: List available locales" {
+ localectl list-locales
+}
+
+@test "localectl: Set a system locale variable" {
+ sudo localectl set-locale LANG=en_US.UTF-8
+}
+
+@test "localectl: List available keymaps" {
+ localectl list-keymaps || true
+}
+
+@test "localectl: Set the system keyboard mapping for the console and X11" {
+ sudo localectl set-keymap uk || true
+}
+
diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats
new file mode 100644
index 000000000..18771ae72
--- /dev/null
+++ b/tests/integration/systemd/machinectl.bats
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "importctl: Import an image as a machine" {
+ sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble || true
+}
+
+@test "machinectl: Display a list of available images" {
+ sudo machinectl list-images
+}
+
+@test "machinectl: Start a machine as a service using systemd-nspawn" {
+ sudo machinectl start noble || true
+}
+
+@test "machinectl: Display a list of running machines" {
+ sudo machinectl list
+}
+
+@test "machinectl: Stop a running machine" {
+ sudo machinectl stop noble || true
+}
diff --git a/tests/integration/systemd/networkctl.bats b/tests/integration/systemd/networkctl.bats
new file mode 100644
index 000000000..81418ba01
--- /dev/null
+++ b/tests/integration/systemd/networkctl.bats
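Review bot: In machinectl.bats every state-changing step ends in `|| true` (`importctl pull-tar`, `machinectl start`, `machinectl stop`), so a failed import or start never fails a test, and the two list commands in between do not check that `noble` exists; the file therefore passes even when nothing was ever imported, which hides AppArmor denials on the import and nspawn start path that this suite exists to catch. I'd drop `|| true` from at least `pull-tar`, or follow it with `sudo machinectl image-status noble` so a missing image is visible. The image is also fetched from the network with `-N`, which if I read importctl's options correctly is the short form of `--verify=no`; that is defensible on a throwaway VM, but it deserves a comment, since it means the tarball is neither checksum- nor signature-checked.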
@@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "networkctl: List existing links with their status" { + sudo networkctl list +} + +@test "networkctl: Show an overall network status" { + sudo networkctl status +} + +@test "networkctl: Reload configuration files (.netdev and .network)" { + sudo networkctl reload +} diff --git a/tests/bats/systemd-ac-power.bats b/tests/integration/systemd/systemd-ac-power.bats similarity index 96% rename from tests/bats/systemd-ac-power.bats rename to tests/integration/systemd/systemd-ac-power.bats index 30019825a..65779b617 100644 --- a/tests/bats/systemd-ac-power.bats +++ b/tests/integration/systemd/systemd-ac-power.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-ac-power: Report whether we are connected to an external power source." { systemd-ac-power || true diff --git a/tests/bats/systemd-analyze.bats b/tests/integration/systemd/systemd-analyze.bats similarity index 97% rename from tests/bats/systemd-analyze.bats rename to tests/integration/systemd/systemd-analyze.bats index 6bb275bb6..b36abb62d 100644 --- a/tests/bats/systemd-analyze.bats +++ b/tests/integration/systemd/systemd-analyze.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-analyze: List all running units, ordered by the time they took to initialize" { systemd-analyze --no-pager blame @@ -16,5 +16,3 @@ load common @test "systemd-analyze: Show security scores of running units" { systemd-analyze --no-pager security } - - 
diff --git a/tests/bats/systemd-cat.bats b/tests/integration/systemd/systemd-cat.bats similarity index 96% rename from tests/bats/systemd-cat.bats rename to tests/integration/systemd/systemd-cat.bats index da634982a..9d796ff07 100644 --- a/tests/bats/systemd-cat.bats +++ b/tests/integration/systemd/systemd-cat.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { systemd-cat pwd diff --git a/tests/bats/systemd-cgls.bats b/tests/integration/systemd/systemd-cgls.bats similarity index 97% rename from tests/bats/systemd-cgls.bats rename to tests/integration/systemd/systemd-cgls.bats index dca00b62a..a0822a516 100644 --- a/tests/bats/systemd-cgls.bats +++ b/tests/integration/systemd/systemd-cgls.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-cgls: Display the whole control group hierarchy on your system" { systemd-cgls --no-pager @@ -16,4 +16,3 @@ load common @test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { systemd-cgls --no-pager --unit systemd-logind } - diff --git a/tests/bats/systemd-detect-virt.bats b/tests/integration/systemd/systemd-detect-virt.bats similarity index 85% rename from tests/bats/systemd-detect-virt.bats rename to tests/integration/systemd/systemd-detect-virt.bats index 41150ef7f..bb2b2a659 100644 --- a/tests/bats/systemd-detect-virt.bats +++ b/tests/integration/systemd/systemd-detect-virt.bats 
@@ -3,23 +3,20 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-detect-virt: List detectable virtualization technologies" { systemd-detect-virt --list } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" { systemd-detect-virt || true } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Silently check without printing anything" { systemd-detect-virt --quiet || true } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Only detect hardware virtualization" { systemd-detect-virt --vm || true } diff --git a/tests/bats/systemd-id128.bats b/tests/integration/systemd/systemd-id128.bats similarity index 97% rename from tests/bats/systemd-id128.bats rename to tests/integration/systemd/systemd-id128.bats index 67bf5907d..68e48d9a4 100644 --- a/tests/bats/systemd-id128.bats +++ b/tests/integration/systemd/systemd-id128.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-id128: Generate a new random identifier" { systemd-id128 new diff --git a/tests/bats/systemd-sysusers.bats b/tests/integration/systemd/systemd-sysusers.bats similarity index 97% rename from tests/bats/systemd-sysusers.bats rename to tests/integration/systemd/systemd-sysusers.bats index 0816fd45e..7fff472ee 100644 --- a/tests/bats/systemd-sysusers.bats +++ b/tests/integration/systemd/systemd-sysusers.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { systemd-sysusers --cat-config 
diff --git a/tests/bats/userdbctl.bats b/tests/integration/systemd/userdbctl.bats similarity index 97% rename from tests/bats/userdbctl.bats rename to tests/integration/systemd/userdbctl.bats index 065dba5f5..eda5f5b09 100644 --- a/tests/bats/userdbctl.bats +++ b/tests/integration/systemd/userdbctl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "userdbctl: List all known user records" { userdbctl --no-pager user diff --git a/tests/integration/tlp.bats b/tests/integration/tlp.bats new file mode 100644 index 000000000..b9a9530fc --- /dev/null +++ b/tests/integration/tlp.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "tlp: Apply settings (according to the actual power source)" { + sudo tlp start +} + +@test "tlp: Apply battery settings (ignoring the actual power source)" { + sudo tlp bat +} + +@test "tlp: Apply AC settings (ignoring the actual power source)" { + sudo tlp ac +} + +@test "tlp: Apply Disk settings" { + sudo tlp diskid +} diff --git a/tests/bats/uname.bats b/tests/integration/uname.bats similarity index 100% rename from tests/bats/uname.bats rename to tests/integration/uname.bats diff --git a/tests/bats/upower.bats b/tests/integration/upower.bats similarity index 100% rename from tests/bats/upower.bats rename to tests/integration/upower.bats diff --git a/tests/bats/uptime.bats b/tests/integration/uptime.bats similarity index 100% rename from tests/bats/uptime.bats rename to tests/integration/uptime.bats diff --git a/tests/bats/lsusb.bats b/tests/integration/usb/lsusb.bats similarity index 96% rename from tests/bats/lsusb.bats rename to tests/integration/usb/lsusb.bats index f5444fced..85bee2fd6 100644 --- a/tests/bats/lsusb.bats +++ b/tests/integration/usb/lsusb.bats 
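Review bot: The tlp tests end with `sudo tlp ac`, which leaves the host pinned to forced AC mode after `sudo tlp bat` pinned it to battery mode, and nothing returns tlp to automatic power-source selection. Running `sudo tlp start` last (or from a `teardown_file`) restores the behaviour the first test checks. Unlike the hardware-dependent tests elsewhere in this series (hwclock, eject) these four have no `|| true`, so on a runner without tlp installed the file fails outright — confirm tlp is part of the integration dependencies.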
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lsusb: List all the USB devices available" { lsusb || true diff --git a/tests/bats/useradd.bats b/tests/integration/useradd.bats similarity index 100% rename from tests/bats/useradd.bats rename to tests/integration/useradd.bats diff --git a/tests/bats/blkid.bats b/tests/integration/utils/blkid.bats similarity index 95% rename from tests/bats/blkid.bats rename to tests/integration/utils/blkid.bats index 6dcf4b4d7..625f5f9bb 100644 --- a/tests/bats/blkid.bats +++ b/tests/integration/utils/blkid.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "blkid: List all partitions" { sudo blkid diff --git a/tests/integration/utils/chsh.bats b/tests/integration/utils/chsh.bats new file mode 100644 index 000000000..a23799def --- /dev/null +++ b/tests/integration/utils/chsh.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "chsh: list available shells" { + chsh --list-shells || true +} + +@test "chsh: Set a specific login shell for the current user" { + echo "$PASSWORD" | chsh --shell /usr/bin/bash || true +} + +# bats test_tags=chsh +@test "chsh: Set a login shell for a specific user" { + sudo chsh --shell /usr/bin/sh root || true +} diff --git a/tests/bats/df.bats b/tests/integration/utils/df.bats similarity index 93% rename from tests/bats/df.bats rename to tests/integration/utils/df.bats index a97ad53cb..c15a32d5f 100644 --- a/tests/bats/df.bats +++ b/tests/integration/utils/df.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "df: Display all filesystems and their disk usage" { df 
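Review bot: `sudo chsh --shell /usr/bin/sh root || true` permanently changes root's login shell on the test host and nothing restores it, so any later test or CI step that uses `sudo -i` or `su -` runs under `sh` instead of bash. Capture and restore it around the call: `old_shell="$(getent passwd root | cut -d: -f7)"`, `sudo chsh --shell /usr/bin/sh root || true`, `sudo chsh --shell "$old_shell" root`, or target a throwaway account created by the useradd tests. The second test, `echo "$PASSWORD" | chsh --shell /usr/bin/bash`, depends on `PASSWORD` from `common` (not visible here) and on chsh accepting the PAM password from stdin rather than the controlling tty; if it does not, the `|| true` hides the prompt failure and the test exercises nothing, which is worth confirming.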
@@ -14,7 +14,7 @@ load common } @test "df: Display the filesystem and its disk usage containing the given file or directory" { - df apparmor.d/ + df /etc/apparmor.d/ } @test "df: Include statistics on the number of free inodes" { diff --git a/tests/bats/dmesg.bats b/tests/integration/utils/dmesg.bats similarity index 97% rename from tests/bats/dmesg.bats rename to tests/integration/utils/dmesg.bats index 722b3204b..f2880666d 100644 --- a/tests/bats/dmesg.bats +++ b/tests/integration/utils/dmesg.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "dmesg: Show kernel messages" { sudo dmesg diff --git a/tests/integration/utils/eject.bats b/tests/integration/utils/eject.bats new file mode 100644 index 000000000..c4c2a3e0d --- /dev/null +++ b/tests/integration/utils/eject.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "eject: Display the default device" { + eject -d || true +} + +@test "eject: Eject the default device" { + eject || true +} diff --git a/tests/integration/utils/fstrim.bats b/tests/integration/utils/fstrim.bats new file mode 100644 index 000000000..dff1083e2 --- /dev/null +++ b/tests/integration/utils/fstrim.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "fstrim: Trim unused blocks on all mounted partitions that support it" { + sudo fstrim --all +} + +@test "fstrim: Trim unused blocks on a specified partition" { + sudo fstrim --verbose / +} diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats new file mode 100644 index 000000000..a3dcdc31a --- /dev/null +++ b/tests/integration/utils/hwclock.bats 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "hwclock: Display the current time as reported by the hardware clock" { + sudo hwclock || true +} + +@test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { + sudo hwclock --systohc || true +} + +@test "hwclock: Write the current hardware clock time to the software clock" { + sudo hwclock --hctosys || true +} + diff --git a/tests/bats/lsblk.bats b/tests/integration/utils/lsblk.bats similarity index 98% rename from tests/bats/lsblk.bats rename to tests/integration/utils/lsblk.bats index 4dc3e20b7..4093526a9 100644 --- a/tests/bats/lsblk.bats +++ b/tests/integration/utils/lsblk.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lsblk: List all storage devices in a tree-like format" { lsblk diff --git a/tests/bats/lscpu.bats b/tests/integration/utils/lscpu.bats similarity index 96% rename from tests/bats/lscpu.bats rename to tests/integration/utils/lscpu.bats index d09599065..eb60d890d 100644 --- a/tests/bats/lscpu.bats +++ b/tests/integration/utils/lscpu.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lscpu: Display information about all CPUs" { lscpu diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats new file mode 100644 index 000000000..bf0c4de0c --- /dev/null +++ b/tests/integration/utils/lsfd.bats 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsfd: List all open file descriptors" { + lsfd +} + +@test "lsfd: List all files kept open by a specific program" { + sudo lsfd --filter 'PID == 1' +} + +@test "lsfd: List open IPv4 or IPv6 sockets" { + sudo lsfd -i4 + sudo lsfd -i6 +} diff --git a/tests/integration/utils/lsipc.bats b/tests/integration/utils/lsipc.bats new file mode 100644 index 000000000..a18126982 --- /dev/null +++ b/tests/integration/utils/lsipc.bats @@ -0,0 +1,16 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsipc: Show information about all active IPC facilities" { + lsipc +} + +@test "lsipc: Show information about active shared memory segments, message queues or sempahore sets" { + lsipc --shmems + lsipc --queues + lsipc --semaphores +} diff --git a/tests/integration/utils/lslocks.bats b/tests/integration/utils/lslocks.bats new file mode 100644 index 000000000..042834cae --- /dev/null +++ b/tests/integration/utils/lslocks.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslocks: List all local system locks" { + sudo lslocks +} + +@test "lslocks: List locks producing a raw output (no columns), and without column headers" { + sudo lslocks --raw --noheadings +} + +@test "lslocks: List locks by PID input" { + sudo lslocks --pid "$(sudo lslocks --raw --noheadings --output PID | head -1)" +} + +@test "lslocks: List locks with JSON output to stdout" { + lslocks --json +} diff --git a/tests/integration/utils/lslogins.bats b/tests/integration/utils/lslogins.bats new file mode 100644 index 000000000..aa2df69b4 --- /dev/null 
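Review bot: In the "List locks by PID input" test the substitution `$(sudo lslocks --raw --noheadings --output PID | head -1)` is empty whenever no lock is held at that instant, so the command becomes `lslocks --pid ""` and fails on an argument error rather than on a profile problem. Guard it: `pid="$(sudo lslocks --raw --noheadings --output PID | head -1)"`, `[ -n "$pid" ] || skip "no locks held"`, `sudo lslocks --pid "$pid"`. The JSON test runs unprivileged while the others use `sudo`; presumably that is deliberate to cover both confinement paths, but a one-line comment saying so would help.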
+++ b/tests/integration/utils/lslogins.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslogins: Display users in the system" { + lslogins + sudo lslogins +} + +@test "lslogins: Display user accounts" { + lslogins --user-accs +} + +@test "lslogins: Display last logins" { + lslogins --last +} + +@test "lslogins: Display system accounts" { + lslogins --system-accs +} + +@test "lslogins: Display supplementary groups" { + lslogins --supp-groups +} diff --git a/tests/integration/utils/lsns.bats b/tests/integration/utils/lsns.bats new file mode 100644 index 000000000..c7e6563e2 --- /dev/null +++ b/tests/integration/utils/lsns.bats @@ -0,0 +1,31 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsns: List all namespaces" { + lsns + sudo lsns +} + +@test "lsns: List namespaces in JSON format" { + sudo lsns --json +} + +@test "lsns: List namespaces associated with the specified process" { + sudo lsns --task 1 +} + +@test "lsns: List the specified type of namespaces only" { + sudo lsns --type mnt + sudo lsns --type net + sudo lsns --type ipc + sudo lsns --type user + sudo lsns --type pid + sudo lsns --type uts + sudo lsns --type cgroup + sudo lsns --type time +} + diff --git a/tests/bats/lspci.bats b/tests/integration/utils/lspci.bats similarity index 80% rename from tests/bats/lspci.bats rename to tests/integration/utils/lspci.bats index 021906602..facf379a9 100644 --- a/tests/bats/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -3,10 +3,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lspci: Show a brief list of devices" { lspci + sudo lspci } @test "lspci: Display additional info" { 
@@ -21,6 +22,10 @@ load common lspci -s 00:00.0 } +@test "lspci: Query the PCI ID database for unknown ID's via DNS" { + sudo lspci -q +} + @test "lspci: Dump info in a readable form" { lspci -vm } diff --git a/tests/bats/pstree.bats b/tests/integration/utils/pstree.bats similarity index 96% rename from tests/bats/pstree.bats rename to tests/integration/utils/pstree.bats index 23094478c..1fc43c76c 100644 --- a/tests/bats/pstree.bats +++ b/tests/integration/utils/pstree.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "pstree: Display a tree of processes" { pstree diff --git a/tests/bats/sync.bats b/tests/integration/utils/sync.bats similarity index 95% rename from tests/bats/sync.bats rename to tests/integration/utils/sync.bats index 9f2e26885..03cc4730f 100644 --- a/tests/bats/sync.bats +++ b/tests/integration/utils/sync.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "sync: Flush all pending write operations on all disks" { sync diff --git a/tests/bats/users.bats b/tests/integration/utils/users.bats similarity index 95% rename from tests/bats/users.bats rename to tests/integration/utils/users.bats index 8f8ad383d..885121a58 100644 --- a/tests/bats/users.bats +++ b/tests/integration/utils/users.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "users: Print logged in usernames" { users diff --git a/tests/bats/uuidd.bats b/tests/integration/utils/uuidd.bats similarity index 96% rename from tests/bats/uuidd.bats rename to tests/integration/utils/uuidd.bats index 9e3ac5ef0..d3ab28cc0 100644 --- a/tests/bats/uuidd.bats +++ b/tests/integration/utils/uuidd.bats 
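Review bot: `sudo lspci -q` only queries the remote PCI ID database for IDs missing from the local pci.ids, so on a VM exposing standard virtual devices it may send no DNS traffic at all and the network part of the lspci profile stays untested; `-Q` queries for every device and exercises that path deterministically (it still needs outbound DNS). Per lspci(8) the answers are cached in `~/.pciids-cache`, which under sudo lands in root's home, so a missing write rule will surface in the log. The test is worth keeping but deserves a comment about the external dependency, e.g. `# Requires outbound DNS; -Q forces a lookup even when pci.ids is complete`.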
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "uuidd: Generate a random UUID" { uuidd --random diff --git a/tests/bats/uuidgen.bats b/tests/integration/utils/uuidgen.bats similarity index 95% rename from tests/bats/uuidgen.bats rename to tests/integration/utils/uuidgen.bats index eb6465c04..838be5cbc 100644 --- a/tests/bats/uuidgen.bats +++ b/tests/integration/utils/uuidgen.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "uuidgen: Create a random UUIDv4" { uuidgen --random diff --git a/tests/bats/who.bats b/tests/integration/utils/who.bats similarity index 96% rename from tests/bats/who.bats rename to tests/integration/utils/who.bats index c05995d0e..b69fc2dd1 100644 --- a/tests/bats/who.bats +++ b/tests/integration/utils/who.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "who: Display the username, line, and time of all currently logged-in sessions" { who diff --git a/tests/integration/utils/zramctl.bats b/tests/integration/utils/zramctl.bats new file mode 100644 index 000000000..41a3c1f51 --- /dev/null +++ b/tests/integration/utils/zramctl.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "zramctl: Check if zram is enabled; enable it if needed" { + lsmod | grep -i zram || sudo modprobe zram || true +} + +@test "zramctl: Find and initialize the next free zram device to a 1 GB virtual drive using LZ4 compression" { + sudo zramctl --find --size 1GB --algorithm lz4 || true +} + +@test "zramctl: List currently initialized devices" { + sudo zramctl || true +} diff --git a/tests/integration/whois.bats b/tests/integration/whois.bats new file mode 100644 index 000000000..fd1cba5fa 
--- /dev/null +++ b/tests/integration/whois.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "whois: Get information about a domain name" { + whois google.fr +} + +@test "whois: Get information about an IP address" { + whois 8.8.8.8 +} + +@test "whois: Get abuse contact for an IP address" { + whois -b 8.8.8.8 +} + diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl deleted file mode 100644 index 41a2627d5..000000000 --- a/tests/packer/archlinux.pkr.hcl +++ /dev/null @@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "archlinux" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}-${var.flavor}" - } - ) - } -} 
diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl
index 1c16a6b84..48a5fafb6 100644
--- a/tests/packer/builds.pkr.hcl
+++ b/tests/packer/builds.pkr.hcl
@@ -2,70 +2,91 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +locals { + name = "${var.prefix}${var.dist}-${var.flavor}" +} + +source "qemu" "default" { + disk_image = true + iso_url = var.DM[var.dist].img_url + iso_checksum = "file:${var.DM[var.dist].img_checksum}" + iso_target_path = pathexpand("${var.iso_dir}/${basename("${var.DM[var.dist].img_url}")}") + cpu_model = "host" + cpus = var.cpus + memory = var.ram + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = pathexpand(var.output_dir) + vm_name = "${local.name}.qcow2" + boot_wait = "10s" + firmware = pathexpand(var.firmware) + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = format("%s\n%s\n%s", + templatefile("${path.cwd}/tests/cloud-init/common.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${local.name}" + } + ), + file("${path.cwd}/tests/cloud-init/${regex_replace(var.dist, "[0-9]*$", "")}.yml"), + file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") + ) + } +} + build { sources = [ - "source.qemu.archlinux", - "source.qemu.debian", - "source.qemu.fedora", - "source.qemu.opensuse", - "source.qemu.ubuntu22", - "source.qemu.ubuntu24", + "source.qemu.default", ] - # Upload local files + # Upload artifacts provisioner "file" { - destination = "/tmp" - sources = ["${path.cwd}/packer/src"] - } - - provisioner "file" { - only = ["qemu.archlinux"] - destination = "/tmp/src/" + destination = "/tmp/" sources = [ - "${path.cwd}/../.pkg/apparmor.d-${var.version}-1-x86_64.pkg.tar.zst", + "${path.cwd}/tests/packer/src/", + "${path.cwd}/tests/packer/init.sh", + 
"${path.cwd}/tests/packer/clean.sh", + "${path.cwd}/.pkg/", ] } - provisioner "file" { - only = ["qemu.opensuse"] - destination = "/tmp/src/" - sources = ["${path.cwd}/../.pkg/apparmor.d-${var.version}-1.x86_64.rpm"] - } - - provisioner "file" { - only = ["qemu.debian", "qemu.ubuntu22", "qemu.ubuntu24"] - destination = "/tmp/src/" - sources = ["${path.cwd}/../.pkg/apparmor.d_${var.version}-1_amd64.deb"] - } - - # Wait for cloud-init to finish + # Full system provisioning provisioner "shell" { execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" inline = [ + # Wait for cloud-init to finish "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", - "cloud-init clean", # Remove logs and artifacts so cloud-init can re-run + + # Ensure cloud-init is successful + # "cloud-init status", + + # Remove logs and artifacts so cloud-init can re-run + # "cloud-init clean", + + # Install local files and config + "bash /tmp/init.sh", + + # Minimize the image + "bash /tmp/clean.sh", ] } - # Install local files and config - provisioner "shell" { - script = "${path.cwd}/packer/init/init.sh" - execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - } - - # Minimize the image - provisioner "shell" { - script = "${path.cwd}/packer/init/clean.sh" - execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - } - - post-processor "vagrant" { - output = "${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" - } - post-processor "shell-local" { inline = [ - "vagrant box add --force --name ${var.prefix}${source.name}-${var.flavor} ${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" + "mv ${var.output_dir}/${local.name}.qcow2 ${var.base_dir}/${local.name}.qcow2", ] } 
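Review bot: The shell provisioner still gates only on `/var/lib/cloud/instance/boot-finished`, which cloud-init writes even when a module (package install, runcmd) failed, and the `cloud-init status` check that would catch that is left commented out, so a half-provisioned image gets packaged as if it were good. Replace the polling `while` loop with `cloud-init status --wait`, which blocks until completion and exits non-zero on error, and let the `sudo -S sh -c` wrapper propagate that status. Separately, the user-data is three YAML fragments joined with `format("%s\n%s\n%s", ...)`; if two fragments declare the same top-level key (e.g. `packages:`) the later one silently wins in the YAML parser, so either document that the fragments must stay disjoint or combine them through cloud-init's multi-part format. The `echo '${var.password}' | sudo -S` pattern also exposes the password on the command line and in Packer's logs, though that predates this change.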
diff --git a/tests/packer/init/clean.sh b/tests/packer/clean.sh similarity index 84% rename from tests/packer/init/clean.sh rename to tests/packer/clean.sh index 2e1e7b551..b7650a1d5 100644 --- a/tests/packer/init/clean.sh +++ b/tests/packer/clean.sh @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -u +set -eu -o pipefail # shellcheck source=/dev/null _lsb_release() { @@ -46,40 +46,28 @@ _sshdgenkeys() { _EOF } -clean_debian() { - _msg "Apt clean configuration" - - _msg "Full system upgrade" - apt-get update -y - apt-get -qq -y --no-install-recommends upgrade - apt-get -qq -y --no-install-recommends dist-upgrade - - _msg "Clean the apt cache" +clean_apt() { + _msg "Cleaning the apt cache" apt-get -y autoremove --purge apt-get -y autoclean apt-get -y clean } -clean_arch() { - _msg "Pacman clean configuration" - +clean_pacman() { + _msg "Cleaning pacman cache" pacman -Syu --noconfirm - pacman -Qdtq | while IFS='' read -r pkg; do - pacman -Rsccn --noconfirm "$pkg" - done pacman -Scc --noconfirm } -clean_opensuse() { - _msg "zypper clean configuration" - +clean_zypper() { + _msg "Cleaning zypper cache" zypper update -y zypper clean -y } # Make the image as impersonal as possible. impersonalize() { - _msg "Make the image as impersonal as possible." + _msg "Making the image as impersonal as possible." # Remove remaining pkg file, docs and caches dirs=( @@ -145,10 +133,6 @@ trim() { truncate --size=0 /swap/swapfile fi - # _msg "Fill root filesystem with 0 to reduce box size" - # dd if=/dev/zero of=/EMPTY bs=1M || true - # rm -f /EMPTY - # Block until the empty file has been removed, otherwise, Packer will # try to kill the box while the disk is still full and that is bad. sync @@ -159,16 +143,16 @@ main() { begin=$(_diskused) case "$DISTRIBUTION" in debian | ubuntu) - clean_debian + clean_apt _sshdgenkeys ;; opensuse*) - clean_opensuse + clean_zypper ;; arch) - clean_arch + clean_pacman ;; esac impersonalize 
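Review bot: With `clean_apt` no longer running `apt-get upgrade`/`dist-upgrade`, the three branches are inconsistent: `clean_pacman` still performs a full `pacman -Syu` and `clean_zypper` a `zypper update -y` while both log `Cleaning … cache`, so the image-minimisation step silently upgrades the whole system on two of the three distributions. Either drop those upgrade calls to match the Debian path or keep them and say so, e.g. `_msg "Upgrading the system and cleaning the pacman cache"`. Note also that `set -eu -o pipefail` now aborts on the first non-zero command, so any step elsewhere in this script that previously tolerated failure needs an explicit `|| true`; the functions touched here start and end outside the visible hunks, so check their remaining lines too.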
diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl
deleted file mode 100644
index 7fd176b6e..000000000
--- a/tests/packer/debian.pkr.hcl
+++ /dev/null
@@ -1,40 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-source "qemu" "debian" {
- disk_image = true
- iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2"
- iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS"
- iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img"
- cpu_model = "host"
- cpus = 6
- memory = 4096
- disk_size = var.disk_size
- accelerator = "kvm"
- headless = true
- ssh_username = var.username
- ssh_password = var.password
- ssh_port = 22
- ssh_wait_timeout = "1000s"
- disk_compression = true
- disk_detect_zeroes = "unmap"
- disk_discard = "unmap"
- output_directory = var.output
- vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2"
- boot_wait = "10s"
- firmware = var.firmware
- shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now"
- cd_label = "cidata"
- cd_content = {
- "meta-data" = ""
- "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml",
- {
- username = "${var.username}"
- password = "${var.password}"
- ssh_key = file("${var.ssh_publickey}")
- hostname = "${var.prefix}${source.name}"
- }
- )
- }
-}
diff --git a/tests/packer/init/init.sh b/tests/packer/init.sh
similarity index 70%
rename from tests/packer/init/init.sh
rename to tests/packer/init.sh
index df300c0c4..4e4e1ec99 100644
--- a/tests/packer/init/init.sh
+++ b/tests/packer/init.sh
@@ -11,40 +11,42 @@ _lsb_release() { echo "$ID" } DISTRIBUTION="$(_lsb_release)" -readonly SRC=/tmp/src +readonly SRC=/tmp/ readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases" - install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc" + install -Dm0644 $SRC/parser.conf /etc/apparmor/parser.conf install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local install -Dm0755 $SRC/aa-update /usr/bin/aa-update - install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean - cat $SRC/parser.conf >>/etc/apparmor/parser.conf + install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" case "$DISTRIBUTION" in arch) + rm -f $SRC/*.sig # Ignore signature files pacman --noconfirm -U $SRC/*.pkg.tar.zst - systemctl start apparmor.service ;; debian | ubuntu) - apt-get update -y - apt-get install -y apparmor-profiles build-essential config-package-dev \ - debhelper devscripts htop rsync vim dpkg -i $SRC/*.deb ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - zypper install -y bash-completion git go htop make rsync vim rpm -i $SRC/*.rpm ;; esac + + verb="start" + rm -rf /var/cache/apparmor/* || true + if systemctl is-active -q apparmor; then + verb="reload" + fi + systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service } main "$@" diff --git a/tests/packer/init/archlinux-cosmic.user-data.yml b/tests/packer/init/archlinux-cosmic.user-data.yml deleted file mode 100644 index 442c32470..000000000 --- a/tests/packer/init/archlinux-cosmic.user-data.yml +++ /dev/null 
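Review bot: The final `systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service` masks a failed profile load, because `journalctl` exits 0 and the image build therefore succeeds even when none of the freshly installed profiles were loaded. Make the fallback fail the build: `systemctl "$verb" apparmor.service || { journalctl -xeu apparmor.service; exit 1; }`. Changing `SRC` from `/tmp/src` to `/tmp/` also means `pacman -U $SRC/*.pkg.tar.zst`, `dpkg -i $SRC/*.deb` and `rpm -i $SRC/*.rpm` install whatever matching file happens to sit in the world-writable `/tmp`; in a fresh build VM that is only the uploaded artifacts, but a dedicated directory such as the previous `/tmp/src` keeps the glob unambiguous. The `rm -f $SRC/*.sig` line deliberately drops detached signatures before `pacman -U`; a comment stating that the package is locally built and unsigned would explain why verification is skipped there.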
@@ -1,90 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - audit - - base-devel - - firewalld - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Graphical Interface - - cosmic - - # Install Applications - - firefox - - chromium - - terminator - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable cosmic-greeter - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/packer/init/archlinux-gnome.user-data.yml deleted file mode 100644 index c65dfc4dd..000000000 
--- a/tests/packer/init/archlinux-gnome.user-data.yml +++ /dev/null @@ -1,92 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - firewalld - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Graphical Interface - - gnome - - gnome-extra - - seahorse - - alacarte - - # Install Applications - - firefox - - chromium - - terminator - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable gdm - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/packer/init/archlinux-kde.user-data.yml deleted file mode 100644 index 97e8ffa7b..000000000 --- a/tests/packer/init/archlinux-kde.user-data.yml +++ /dev/null 
@@ -1,94 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - firewalld - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Graphical Interface - - plasma-meta - - sddm - - ark - - dolphin - - konsole - - okular - - # Install Applications - - firefox - - chromium - - terminator - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable sddm - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
diff --git a/tests/packer/init/archlinux-server.user-data.yml b/tests/packer/init/archlinux-server.user-data.yml deleted file mode 100644 index 93fd254a5..000000000 --- a/tests/packer/init/archlinux-server.user-data.yml +++ /dev/null @@ -1,85 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable rngd - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 
diff --git a/tests/packer/init/debian-gnome.user-data.yml b/tests/packer/init/debian-gnome.user-data.yml deleted file mode 100644 index 0e2571883..000000000 --- a/tests/packer/init/debian-gnome.user-data.yml +++ /dev/null @@ -1,63 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - spice-vdagent - - rsync - - vim - - task-gnome-desktop - -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go - -write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/init/debian-server.user-data.yml b/tests/packer/init/debian-server.user-data.yml deleted file mode 100644 index 5f4fe526e..000000000 --- a/tests/packer/init/debian-server.user-data.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - rsync - - vim - -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go - -write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/init/opensuse-gnome.user-data.yml b/tests/packer/init/opensuse-gnome.user-data.yml deleted file mode 100644 index b54bb458e..000000000 --- a/tests/packer/init/opensuse-gnome.user-data.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - golang-packaging - - htop - - make - - rpmbuild - - vim - -write_files: - # Set some bash aliases - - path: /home/${username}/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/opensuse-kde.user-data.yml b/tests/packer/init/opensuse-kde.user-data.yml deleted file mode 100644 index b54bb458e..000000000 --- a/tests/packer/init/opensuse-kde.user-data.yml +++ /dev/null @@ -1,43 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - golang-packaging - - htop - - make - - rpmbuild - - vim - -write_files: - # Set some bash aliases - - path: /home/${username}/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
diff --git a/tests/packer/init/ubuntu22-desktop.user-data.yml b/tests/packer/init/ubuntu22-desktop.user-data.yml deleted file mode 100644 index 30a82279a..000000000 --- a/tests/packer/init/ubuntu22-desktop.user-data.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -#cloud-config - -# Based on https://github.com/canonical/autoinstall-desktop - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - ubuntu-desktop - - linux-generic-hwe-22.04 - - qemu-guest-agent - - spice-vdagent - - terminator - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - rsync - -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - -runcmd: - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - - >- - apt-get -y purge - ubuntu-server ubuntu-server-minimal netplan.io cloud-init - binutils byobu curl dmeventd finalrd gawk - kpartx mdadm ncurses-term needrestart open-iscsi - sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - sosreport screen open-vm-tools motd-news-config lxd-agent-loader - landscape-common fonts-ubuntu-console ethtool - - # Finally, remove things only installed as dependencies of other things - # we have already removed. - - apt-get -y autoremove - -write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 
diff --git a/tests/packer/init/ubuntu24-desktop.user-data.yml b/tests/packer/init/ubuntu24-desktop.user-data.yml deleted file mode 100644 index 3c3807e29..000000000 --- a/tests/packer/init/ubuntu24-desktop.user-data.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -#cloud-config - -# Based on https://github.com/canonical/autoinstall-desktop - -# https://github.com/canonical/ubuntu-desktop-provision/blob/main/README.md - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - ubuntu-desktop - - linux-generic-hwe-24.04 - - qemu-guest-agent - - spice-vdagent - - terminator - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - rsync - -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - -runcmd: - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - # - >- - # apt-get -y purge - # ubuntu-server ubuntu-server-minimal netplan.io cloud-init - # binutils byobu curl dmeventd finalrd gawk - # kpartx mdadm ncurses-term needrestart open-iscsi - # sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - # sosreport screen open-vm-tools motd-news-config lxd-agent-loader - # landscape-common fonts-ubuntu-console ethtool - - # Finally, remove things only installed as dependencies of other things - # we have already removed. 
- - apt-get -y autoremove - -write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/init/ubuntu24-server.user-data.yml b/tests/packer/init/ubuntu24-server.user-data.yml deleted file mode 100644 index 5e6d853ba..000000000 --- a/tests/packer/init/ubuntu24-server.user-data.yml +++ /dev/null @@ -1,53 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - htop - - qemu-guest-agent - - rsync - - vim - -write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/main.pkr.hcl b/tests/packer/main.pkr.hcl index ee13e8f92..d2b1a6dbf 100644 --- a/tests/packer/main.pkr.hcl +++ b/tests/packer/main.pkr.hcl @@ -8,9 +8,5 @@ packer { source = "github.com/hashicorp/qemu" version = "~> 1" } - vagrant = { - source = "github.com/hashicorp/vagrant" - version = "~> 1" - } } } 
diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl deleted file mode 100644 index 49ba09f70..000000000 --- a/tests/packer/opensuse.pkr.hcl +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: Fully automate the creation of the base image - -source "qemu" "opensuse" { - disk_image = true - iso_url = "${var.base_dir}/base-tumbleweed-gnome.qcow2" - iso_checksum = "sha256:223ed62160ef4f1a4f21b69c574f552a07eee6ef66cf66eef2b49c5a7c4864f4" - iso_target_path = "${var.base_dir}/base-tumbleweed-gnome.qcow2" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = false - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/src/aa-clean b/tests/packer/src/aa-clean new file mode 100644 index 000000000..a01b9d77e --- /dev/null +++ b/tests/packer/src/aa-clean @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -eu -o pipefail +rm -vf /var/log/audit/* /var/log/syslog* +touch /var/log/audit/audit.log /var/log/syslog diff --git a/tests/packer/src/aa-log-clean b/tests/packer/src/aa-log-clean deleted file mode 100644 index 9f3ebd818..000000000 --- a/tests/packer/src/aa-log-clean +++ /dev/null 
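Review bot: In the new `aa-clean`, `rm -vf /var/log/audit/* /var/log/syslog*` unlinks files that auditd and the syslog daemon still hold open, so after the following `touch` they keep writing to the deleted inodes and the freshly created files stay empty until the daemons reopen their logs; truncating in place (`: > /var/log/audit/audit.log`) or asking the daemons to rotate (`systemctl kill -s USR1 auditd`, and `-s HUP` for rsyslog if that is the syslog daemon) avoids this. The `touch` also recreates the files with the caller's umask (typically 0644) rather than the root-only 0600 auditd uses for audit.log, so the recreated audit log may be readable by unprivileged users. `-o pipefail` has no effect here as the script contains no pipelines.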
@@ -1,4 +0,0 @@ -#!/usr/bin/env bash -set -eu -rm -rf /var/log/audit/* -touch /var/log/audit/audit.log diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index 9a326305d..bdbd6ed00 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -eu +set -eu -o pipefail export BUILDDIR=/tmp/build/ @@ -13,15 +13,15 @@ DISTRIBUTION="$(_lsb_release)" cd "$HOME/Projects/apparmor.d" case "$DISTRIBUTION" in arch) - make pkg + just pkg ;; debian | ubuntu | whonix) sudo rm -rf debian/.debhelper/ - make dpkg + just dpkg sudo rm -rf debian/.debhelper/ ;; opensuse*) - make rpm + just rpm ;; *) ;; esac diff --git a/tests/packer/src/monitors.xml b/tests/packer/src/monitors.xml deleted file mode 100644 index b17136584..000000000 --- a/tests/packer/src/monitors.xml +++ /dev/null @@ -1,23 +0,0 @@ - - - - 0 - 0 - 1 - yes - - - Virtual-1 - RHT - QEMU Monitor - 0x00000000 - - - 1920 - 1080 - 60 - - - - - diff --git a/tests/packer/src/parser.conf b/tests/packer/src/parser.conf index be8c42560..8651efad1 100644 --- a/tests/packer/src/parser.conf +++ b/tests/packer/src/parser.conf @@ -1,4 +1,9 @@ - +# Turn creating/updating of the cache on by default write-cache -cache-loc /etc/apparmor/earlypolicy/ + +# Enable early policy loads to confine systemd, and services that can not depend +# on the apparmor unit. +cache-loc=/etc/apparmor/earlypolicy/ + +# Adjust compression Optimize=compress-fast diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl deleted file mode 100644 index 052b460da..000000000 --- a/tests/packer/ubuntu.pkr.hcl +++ /dev/null 
@@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "ubuntu22" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/${var.release.ubuntu22.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu22-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu24" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu24-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = 
"unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index a37c89bf0..073544f59 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -16,10 +16,16 @@ variable "password" { default = "user" } -variable "ssh_publickey" { - description = "Path to the ssh public key" +variable "cpus" { + description = "Default CPU of the VM" type = string - default = "~/.ssh/id_ed25519.pub" + default = "6" +} + +variable "ram" { + description = "Default RAM of the VM" + type = string + default = "4096" } variable "disk_size" { 
@@ -28,28 +34,34 @@ variable "disk_size" { default = "40G" } +variable "ssh_publickey" { + description = "Path to the ssh public key" + type = string + default = "~/.ssh/id_ed25519.pub" +} + variable "iso_dir" { description = "Original ISO file directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/iso" } variable "base_dir" { description = "Final packer image output directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/base" +} + +variable "output_dir" { + description = "Output build directory" + type = string + default = "~/.libvirt/base/packer" } variable "firmware" { description = "Path to the UEFI firmware" type = string - default = "/usr/share/edk2/x64/OVMF_CODE.fd" -} - -variable "output" { - description = "Output build directory" - type = string - default = "/tmp/packer" + default = "/usr/share/edk2/x64/OVMF.4m.fd" } variable "prefix" { @@ -58,10 +70,10 @@ variable "prefix" { default = "aa-" } -variable "version" { - description = "apparmor.d version" +variable "dist" { + description = "Distribution to target" type = string - default = "0.001" + default = "ubuntu24" } variable "flavor" { 
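Review bot: The new defaults for `iso_dir`, `base_dir` and `output_dir` begin with `~`, and HCL strings are not shell-expanded, so unless the attributes they feed into go through Packer's user-path expansion the builder will look for a directory literally named `~` under the working directory; please confirm against the new source blocks, or wrap the uses in `pathexpand(...)`. The descriptions also overlap — `base_dir` is "Final packer image output directory" while `output_dir` is "Output build directory" — so one sentence on which holds the base cloud images and which receives builds would help.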
@@ -70,32 +82,40 @@ variable "flavor" { default = "" } -variable "release" { - description = "Distribution metadata to use" +variable "DM" { + description = "Distribution Metadata to use" type = map(object({ - codename = string - version = string + img_url = string + img_checksum = string })) default = { + "archlinux" : { + img_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" + img_checksum = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" + }, + "debian12" : { + img_url = "https://cdimage.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" + } + "debian13" : { + img_url = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/debian-13-genericcloud-amd64-daily.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/SHA512SUMS" + } "ubuntu22" : { - codename = "jammy", - version = "22.04.2", + img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS" }, "ubuntu24" : { - codename = "noble", - version = "24.04", + img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS" + }, + "ubuntu25" : { + img_url = "https://cloud-images.ubuntu.com/plucky/current/plucky-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/plucky/current/SHA256SUMS" }, - "debian" : { - codename = "bookworm", - version = "12", - } "opensuse" : { - codename = "tumbleweed", - version = "", - } - "fedora" : { - codename = "40", - version = "1.14", + img_url = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2" + img_checksum = 
"https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2.sha256" } } } diff --git a/tests/requirements.sh b/tests/requirements.sh index c12f9249c..efc357ad4 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -16,10 +16,16 @@ DISTRIBUTION="$(_lsb_release)" case "$DISTRIBUTION" in arch) + sudo pacman -Syu --noconfirm \ + bats bats-support \ + pacman-contrib tlp flatpak networkmanager ;; debian | ubuntu | whonix) - sudo apt-get install -y \ - cpuid dfc systemd-userdbd systemd-homed tlp + sudo apt update -y + sudo apt install -y \ + bats bats-support \ + cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \ + network-manager systemd-container flatpak util-linux-extra ;; opensuse*) ;; diff --git a/tests/sbin.list b/tests/sbin.list new file mode 100644 index 000000000..a8b439478 --- /dev/null +++ b/tests/sbin.list 
@@ -0,0 +1,882 @@
+a2enmod
+a2query
+aa-audit
+aa-autodep
+aa-cleanprof
+aa-complain
+aa-decode
+aa-disable
+aa-enforce
+aa-genprof
+aa-load
+aa-logprof
+aa-mergeprof
+aa-notify
+aa-remove-unknown
+aa-status
+aa-teardown
+aa-unconfined
+aa-update-browser
+accessdb
+acpi_genl
+acpid
+acpidump
+add-shell
+addgnupghome
+addpart
+adduser
+agetty
+alsa
+alsa-info
+alsa-info.sh
+alsa-init
+alsabat-test
+alsactl
+anacron
+apache2
+apache2ctl
+apparmor_parser
+apparmor_status
+applygnupgdefaults
+aptd
+argdist-bpfcc
+arp
+arpd
+aspell-autobuildhash
+atd
+audisp-af_unix
+audisp-filter
+audisp-syslog
+audit
+auditctl
+auditd
+augenrules
+aureport
+ausearch
+autodep
+automount
+autrace
+avahi-daemon
+avahi-dnsconfd
+badblocks
+bashreadline-bpfcc
+bashreadline.bt
+bcache-super-show
+bindsnoop-bpfcc
+biolatency-bpfcc
+biolatency-kp.bt
+biolatency.bt
+biolatpcts-bpfcc
+biopattern-bpfcc
+biosdecode
+biosnoop-bpfcc
+biosnoop.bt
+biostacks.bt
+biotop-bpfcc
+bitesize-bpfcc
+bitesize.bt
+blkdeactivate
+blkdiscard
+blkid
+blkmapd
+blkpr
+blkzone
+blockdev
+blogctl
+blogd
+blogger
+bpflist-bpfcc
+bpftool
+brctl
+bridge
+brltty-setup
+btrfs
+btrfs-convert
+btrfs-find-root
+btrfs-image
+btrfsdist-bpfcc
+btrfsslower-bpfcc
+btrfstune
+cachestat-bpfcc
+cachetop-bpfcc
+capable-bpfcc
+capable.bt
+capsh
+cfdisk
+cgdisk
+chat
+chcpu
+check_forensic
+check_mail_queue
+check-bios-nx
+checkproc
+chgpasswd
+chkstat-polkit
+chmem
+chpasswd
+chronyd
+chroot
+cifs.idmap
+cifs.upcall
+cobjnew-bpfcc
+coldreboot
+compactsnoop-bpfcc
+complain
+config.postfix
+cppw
+cpudist-bpfcc
+cpuunclaimed-bpfcc
+cpuwalk.bt
+cracklib-check
+cracklib-format
+cracklib-packer
+cracklib-unpacker
+cracklib-update
+crda
+create-cracklib-dict
+criticalstat-bpfcc
+cron
+cryptdisks_start
+cryptdisks_stop
+cryptsetup
+ctrlaltdel
+cups-browsed
+cups-genppd.5.3
+cups-genppdupdate
+cupsaccept
+cupsctl
+cupsd
+cupsfilter
+dbslower-bpfcc
+dbstat-bpfcc
+dcb
+dcsnoop-bpfcc
+dcsnoop.bt
+dcstat-bpfcc
+ddns-confgen
+deadlock-bpfcc
+debugfs
+decode
+delpart
+deluser
+devlink
+dhcpcd
+dirtop-bpfcc
+disable
+dkms
+dmevent_tool
+dmeventd
+dmfilemapd
+dmidecode
+dmraid
+dmsetup
+dnsmasq
+dosfsck
+dosfslabel
+dpkg-preconfigure
+dpkg-reconfigure
+drsnoop-bpfcc
+dump.exfat
+dump.f2fs
+dumpe2fs
+e2freefrag
+e2fsck
+e2image
+e2label
+e2mmpstatus
+e2scrub
+e2scrub_all
+e2undo
+e4crypt
+e4defrag
+eapol_test
+ec_access
+efibootdump
+efibootmgr
+enforce
+ephemeral-disk-warning
+escapesrc
+ethtool
+eventlogadm
+execsnoop-bpfcc
+execsnoop.bt
+exfat2img
+exfatlabel
+exicyclog
+exigrep
+exim_checkaccess
+exim_convert4r4
+exim_dbmbuild
+exim_dumpdb
+exim_fixdb
+exim_id_update
+exim_lock
+exim_msgdate
+exim_tidydb
+exim4
+eximstats
+exinext
+exipick
+exiqgrep
+exiqsumm
+exitsnoop-bpfcc
+exiwhat
+ext4dist-bpfcc
+ext4slower-bpfcc
+f2fsslower-bpfcc
+faillock
+fanatic
+fancontrol
+fanctl
+fatlabel
+fatresize
+fbtest
+fdformat
+fdisk
+filefrag
+filegone-bpfcc
+filelife-bpfcc
+fileslower-bpfcc
+filetop-bpfcc
+findfs
+firewalld
+fixparts
+flushb
+fonts-config
+fsadm
+fsck
+fsck.
+fsck.btrfs
+fsck.cramfs
+fsck.exfat
+fsck.ext2
+fsck.ext3
+fsck.ext4
+fsck.fat
+fsck.minix
+fsck.msdos
+fsck.reiserfs
+fsck.vfat
+fsck.xfs
+fsfreeze
+fstab-decode
+fstrim
+funccount-bpfcc
+funcinterval-bpfcc
+funclatency-bpfcc
+funcslower-bpfcc
+g13-syshelp
+gdisk
+gdm
+gdm3
+genccode
+gencmn
+genl
+gennorm2
+genprof
+gensprep
+getcap
+gethostlatency-bpfcc
+gethostlatency.bt
+getpcaps
+getsysinfo
+getweb
+gnome-menus-blacklist
+gpart
+gparted
+gpartedbin
+gpm
+groupadd
+groupdel
+groupmems
+groupmod
+grpck
+grpconv
+grpunconv
+grub-install
+grub-macbless
+grub-mkconfig
+grub-mkdevicemap
+grub-probe
+grub-reboot
+grub-set-default
+grub2-bios-setup
+grub2-check-default
+grub2-install
+grub2-macbless
+grub2-mkconfig
+grub2-ofpathname
+grub2-once
+grub2-probe
+grub2-reboot
+grub2-set-default
+grub2-sparc64-setup
+grub2-switch-to-blscfg
+hardirqs-bpfcc
+haveged
+hc-ifscan
+hdparm
+httxt2dbm
+hv_fcopy_daemon
+hv_get_dhcp_info
+hv_get_dns_info
+hv_kvp_daemon
+hv_set_ifconfig
+hv_vss_daemon
+hwclock
+hwinfo
+iconvconfig
+icupkg
+ifconfig
+ifrename
+ifstat
+import-openSUSE-build-key
+inject-bpfcc
+inputattach
+install_acx100_firmware
+install_intersil_firmware
+install-sgmlcatalog
+installkernel
+integritysetup
+invoke-rc.d
+ip6tables-legacy-batch
+ipmaddr
+ipp-usb
+ippevepcl
+ippeveprinter
+ippeveps
+ipset
+iptables-apply
+iptables-legacy-batch
+iptunnel
+irqbalance
+irqbalance-ui
+isadump
+isaset
+iscsi_discovery
+iscsi-iname
+iscsiadm
+iscsid
+iscsistart
+isosize
+ispell-autobuildhash
+isserial
+issue-generator
+iucode_tool
+iw
+iwconfig
+iwevent
+iwgetid
+iwlist
+iwpriv
+iwspy
+javacalls-bpfcc
+javaflow-bpfcc
+javagc-bpfcc
+javaobjnew-bpfcc
+javastat-bpfcc
+javathreads-bpfcc
+kbdrate
+kbdsettings
+kdump-config
+kerneloops
+kexec
+kexec-bootloader
+kexec-load-kernel
+key.dns_resolver
+killall5
+killproc
+killsnoop-bpfcc
+killsnoop.bt
+klockstat-bpfcc
+klogd
+kpartx
+kvm-ok
+kvmexit-bpfcc
+ldattach
+ldconfig
+ldconfig.real
+libguestfs-make-fixed-appliance
+libgvc6-config-update
+libvirt-dbus
+libvirtd
+llcstat-bpfcc
+lnstat
+loads.bt
+locale-gen
+logprof
+logrotate
+logrotate-all
+logsave
+losetup
+lpadmin
+lpc
+lpinfo
+lpmove
+lsvmbus
+luksformat
+lvm
+lvm_import_vdo
+lvmconfig
+lvmdump
+lvmpolld
+lwepgen
+lxc
+lxd
+make-bcache
+make-ssl-cert
+mariadbd
+mcelog
+mdadm
+mdflush-bpfcc
+mdflush.bt
+mdmon
+memleak-bpfcc
+mii-tool
+mk_isdnhwdb
+mkdict
+mkdosfs
+mke2fs
+mkfs
+mkfs.
+mkfs.bfs
+mkfs.btrfs
+mkfs.cramfs
+mkfs.exfat
+mkfs.ext2
+mkfs.ext3
+mkfs.ext4
+mkfs.f2fs
+mkfs.fat
+mkfs.minix
+mkfs.xfs
+mkhomedir_helper
+mkill
+mkinitramfs
+mklost+found
+mkntfs
+mkpostfixcert
+mkreiserfs
+mksubvolume
+mkswap
+ModemManager
+mount.cifs
+mount.ddi
+mount.fuse
+mount.fuse3
+mount.lowntfs-3g
+mount.nfs
+mount.nfs4
+mount.ntfs
+mount.ntfs-3g
+mount.smb3
+mountsnoop-bpfcc
+mountstats
+mpathpersist
+multipath
+multipathc
+multipathd
+mysqld
+mysqld_qslower-bpfcc
+nameif
+naptime.bt
+needrestart
+netqtop-bpfcc
+NetworkManager
+newusers
+nfnl_osf
+nfsconf
+nfsdcld
+nfsdist-bpfcc
+nfsidmap
+nfsiostat
+nfsslower-bpfcc
+nfsstat
+nft
+nginx
+nmbd
+nodegc-bpfcc
+nodestat-bpfcc
+nologin
+notify
+nss-mdns-config
+nstat
+ntfsclone
+ntfscp
+ntfslabel
+ntfsresize
+ntfsundelete
+nvme
+offcputime-bpfcc
+offwaketime-bpfcc
+on_ac_power
+oomkill-bpfcc
+oomkill.bt
+openconnect
+opensnoop-bpfcc
+opensnoop.bt
+openvpn
+overlayroot-chroot
+ownership
+pam_extrausers_chkpwd
+pam_extrausers_update
+pam_getenv
+pam_namespace_helper
+pam_timestamp_check
+pam-auth-update
+pam-config
+paperconfig
+parted
+partprobe
+partx
+pbl
+pccardctl
+pcscd
+pdata_tools
+perlcalls-bpfcc
+perlflow-bpfcc
+perlstat-bpfcc
+pg_updatedicts
+php-fpm8.3
+phpcalls-bpfcc
+phpenmod
+phpflow-bpfcc
+phpquery
+phpstat-bpfcc
+pidpersec-bpfcc
+pidpersec.bt
+pivot_root
+plipconfig
+pluginviewer
+plymouth-set-default-theme
+plymouthd
+postalias
+postcat
+postconf
+postdrop
+postfix
+postkick
+postlock
+postlog
+postmap
+postmulti
+postqueue
+postsuper
+posttls-finger
+ppchcalls-bpfcc
+pppd
+pppdump
+pppoe-discovery
+pppstats
+pptp
+pptpsetup
+profile-bpfcc
+pwck
+pwconv
+pwhistory_helper
+pwmconfig
+pwunconv
+pythoncalls-bpfcc
+pythonflow-bpfcc
+pythongc-bpfcc
+pythonstat-bpfcc
+qemu-ga
+qmqp-source
+qshape
+rarp
+rcfirewalld
+rcopenvpn
+rcpcscd
+rcxdm
+rcxvnc
+rdma
+rdmaucma-bpfcc
+rdmsr
+readahead-bpfcc
+readprofile
+realm
+regdbdump
+remove-default-ispell
+remove-default-wordlist
+remove-shell
+request-key
+reset-trace-bpfcc
+resize2fs
+resizepart
+resolvconf
+rfkill
+rmt-tar
+rndc
+rndc-confgen
+rngd
+route
+routel
+rpc.gssd
+rpc.idmapd
+rpc.statd
+rpc.svcgssd
+rpcbind
+rpcctl
+rpcdebug
+rpmconfigcheck
+rsyncd
+rsyslogd
+rtacct
+rtcwake
+rtkitctl
+rtmon
+rubycalls-bpfcc
+rubyflow-bpfcc
+rubygc-bpfcc
+rubyobjnew-bpfcc
+rubystat-bpfcc
+runc
+runqlat-bpfcc
+runqlat.bt
+runqlen-bpfcc
+runqlen.bt
+runqslower-bpfcc
+runuser
+rvmtab
+saned
+sasldblistusers2
+saslpasswd2
+save_y2logs
+schema2ldif
+select-default-ispell
+select-default-wordlist
+sendmail
+sensors-detect
+service
+set_polkit_default_privs
+setcap
+setuids.bt
+setup-nsssysinit.sh
+setvesablank
+setvtrgb
+sfdisk
+sgdisk
+shadowconfig
+shim-install
+shmsnoop-bpfcc
+showconsole
+showmount
+skdump
+sktest
+slabratetop-bpfcc
+slattach
+sm-notify
+smart_agetty
+smartctl
+smartd
+smbd
+smtp-sink
+smtp-source
+snapperd
+snmpd
+snmptrapd
+sofdsnoop-bpfcc
+softirqs-bpfcc
+solisten-bpfcc
+spice-vdagentd
+split-logfile
+ss
+sshd
+sshd-gen-keys-start
+sshd.hmac
+ssllatency.bt
+sslsniff-bpfcc
+sslsnoop.bt
+sssd
+stackcount-bpfcc
+start-statd
+start-stop-daemon
+startproc
+statsnoop-bpfcc
+statsnoop.bt
+status
+sudo_logsrvd
+sudo_sendlog
+sulogin
+swapin.bt
+swaplabel
+swapoff
+swapon
+switch_root
+sync-available
+syncsnoop-bpfcc
+syncsnoop.bt
+sysconf_addword
+syscount-bpfcc
+syscount.bt
+sysctl
+syslog2eximlog
+sysusers2shadow
+tarcat
+tc
+tclcalls-bpfcc
+tclflow-bpfcc
+tclobjnew-bpfcc
+tclstat-bpfcc
+tcpaccept-bpfcc
+tcpaccept.bt
+tcpcong-bpfcc
+tcpconnect-bpfcc
+tcpconnect.bt
+tcpconnlat-bpfcc
+tcpdrop-bpfcc
+tcpdrop.bt
+tcplife-bpfcc
+tcplife.bt
+tcpretrans-bpfcc
+tcpretrans.bt
+tcprtt-bpfcc
+tcpstates-bpfcc
+tcpsubnet-bpfcc
+tcpsynbl-bpfcc
+tcpsynbl.bt
+tcptop-bpfcc
+tcptracer-bpfcc
+tcptraceroute.db
+thermald
+threadsnoop-bpfcc
+threadsnoop.bt
+tipc
+tlp
+tplist-bpfcc
+trace-bpfcc
+tsig-keygen
+ttysnoop-bpfcc
+tune.exfat
+tune2fs
+tuned
+tuned-adm
+tunelp
+u-d-c-print-pci-ids
+ucalls
+uflow
+ufw
+ugc
+umount.nfs
+umount.nfs4
+umount.udisks2
+unconfined
+undump.bt
+unix_chkpwd
+unix_update
+unix2_chkpwd
+uobjnew
+update-ca-certificates
+update-catalog
+update-cracklib
+update-default-ispell
+update-default-wordlist
+update-dictcommon-aspell
+update-dictcommon-hunspell
+update-exim4.conf
+update-exim4.conf.template
+update-fonts-alias
+update-fonts-dir
+update-fonts-scale
+update-grub
+update-grub-gfxpayload
+update-gsfontmap
+update-icon-caches
+update-ieee-data
+update-inetd
+update-info-dir
+update-initramfs
+update-java-alternatives
+update-language
+update-locale
+update-mime
+update-passwd
+update-pciids
+update-rc.d
+update-secureboot-policy
+update-shells
+update-smart-drivedb
+update-texmf
+update-texmf-config
+update-tl-stacked-conffile
+update-xmlcatalog
+upgrade-from-grub-legacy
+usb_modeswitch
+usb_modeswitch_dispatcher
+usbmuxd
+useradd
+userdel
+usermod
+ustat
+uthreads
+uuidd
+validlocale
+vconfig
+vcstime
+vdpa
+veritysetup
+vfscount-bpfcc
+vfscount.bt
+vfsstat-bpfcc
+vfsstat.bt
+vhangup
+vipw
+virt-what
+virt-what-cvm
+virtiostat-bpfcc
+virtlockd
+virtlogd
+visudo
+vmcore-dmesg
+vncsession
+vpddecode
+vpnc
+vpnc-disconnect
+wakeuptime-bpfcc
+wipefs
+wiper.sh
+wpa_action
+wpa_cli
+wpa_passphrase
+wpa_supplicant
+wqlat-bpfcc
+writeback.bt
+wrmsr
+xfs_admin
+xfs_bmap
+xfs_copy
+xfs_db
+xfs_estimate
+xfs_freeze
+xfs_fsr
+xfs_growfs
+xfs_info
+xfs_io
+xfs_logprint
+xfs_mdrestore
+xfs_metadump
+xfs_mkfile
+xfs_ncheck
+xfs_property
+xfs_protofile
+xfs_quota
+xfs_repair
+xfs_rtcp
+xfs_scrub
+xfs_scrub_all
+xfs_spaceman
+xfsdist-bpfcc
+xfsdist.bt
+xfsslower-bpfcc
+xkbctrl
+xtables-legacy-multi
+xtables-nft-multi
+yast2
+zdump
+zerofree
+zfsdist-bpfcc
+zfsslower-bpfcc
+zic
+zramctl
+zypp-refresh
+zypper-log
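Review bot: The new list contains the entries `fsck.` and `mkfs.` (next to `fsck`/`fsck.btrfs` and `mkfs`/`mkfs.bfs`), which look like prefixes left behind while editing rather than the names of real binaries; whatever consumes this list will never match them, so they should probably be removed. The file appears to merge sbin names from several distributions (`dpkg-reconfigure`, `zypper-log`, `rcxdm` sit side by side), so a short header line stating how the list was produced and which distributions it covers would help the next person who regenerates it, provided the consumer tolerates comment lines.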