From 7167de932cc3f2678b0b496e9fa9f84bde79b0ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Dec 2024 22:17:35 +0100 Subject: [PATCH 001/672] feat(profile): firefox: restric access to /tmp --- apparmor.d/groups/browsers/firefox | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 27eb0d54d..dfaff6064 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -59,9 +59,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{tmp}/.xfsm-ICE-@{rand6} rw, - owner @{tmp}/@{rand6}.tmp r, - owner @{tmp}/@{rand8}.txt w, - owner @{tmp}/* w, # file downloads (to anywhere) + owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) + owner @{tmp}/@{uuid}.zip{,.tmp} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/mozilla* rw, owner @{tmp}/mozilla*/ rw, From 01c1562e7cd3fde793b926247d8f0fd910b675b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Dec 2024 22:19:29 +0100 Subject: [PATCH 002/672] feat(profile): firefox: better naming of possible attachment. --- apparmor.d/groups/browsers/firefox | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index dfaff6064..f7b0e1964 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -7,8 +7,8 @@ abi , include -@{name} = firefox{,.sh,-esr,-bin} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{name} = firefox{,-esr,-bin} +@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ From b35c2a0abf72340537c466e6fbdd6a08a2052163 Mon Sep 17 00:00:00 2001 
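Review bot: The retained comment `# file downloads (to anywhere)` on the new `owner @{tmp}/@{rand8}.* rw,` line describes the removed `owner @{tmp}/* w,` rule, not the tightened one, which only matches names of the form `@{rand8}.*`. Reword it to what the rule now covers, e.g. `owner @{tmp}/@{rand8}.* rw, # download temp files (random name)`, and give the new `owner @{tmp}/@{uuid}.zip{,.tmp} rw,` line a short comment saying which Firefox feature produces it, since the commit message does not. The enclosing `profile firefox` block starts and ends outside the hunk.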
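Review bot: `@{lib_dirs}` no longer expands to `@{lib}/firefox-bin`: the old `@{lib}/@{name}` covered every `@{name}` variant, while the new literal list `firefox{,-esr,-beta,-devedition,-nightly}` omits `-bin` even though `@{name}` still lists it. If `-bin` installs do not ship a library directory, a comment saying so would keep the two variables from looking inconsistent; otherwise add `-bin` to the list. The `firefox.sh` wrapper is also dropped from `@{name}` without mention in the commit message, so it is worth stating whether `@{exec_path}` (outside the hunk) still covers it.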
From: Roman Beslik Date: Tue, 17 Dec 2024 20:28:17 +0200 Subject: [PATCH 003/672] non-owner accesses authorized_keys --- apparmor.d/groups/ssh/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index b4ecc068e..825612af0 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -94,7 +94,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, From cf1d7504f4a329d7654cc4afd8d6c2f9e912c91f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Dec 2024 22:48:24 +0100 Subject: [PATCH 004/672] fix(profile): sensors: simplify hwmon access. fix #628 --- apparmor.d/profiles-s-z/sensors | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index fd839099e..e6ae103ae 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors 
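Review bot: Dropping `owner` from `@{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,` is a deliberate widening (the rule now matches an authorized_keys file whose owner differs from sshd's fsuid), but neither the rule nor the commit message records which setup needs it. A one-line comment such as `# authorized_keys is not always owned by the authenticating user` would stop a later cleanup from re-adding the qualifier and reintroducing the denial. Read-only access to a public-key list is low risk, so the change itself looks fine. The enclosing `profile sshd` block starts and ends outside the hunk.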
@@ -18,19 +18,12 @@ profile sensors @{exec_path} { /etc/sensors.d/{,*} r, /etc/sensors3.conf r, + @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/**/hwmon*/{,**/} r, - @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r, - @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r, - @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r, @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/ r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r, + @{sys}/devices/**/hwmon*/** r, # file_inherit deny @{PROC}/@{pid}/net/dev r, From f8fc1aa38743aafbb493132b955c99d9059f9e15 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Sun, 15 Dec 2024 19:40:06 +0200 Subject: [PATCH 005/672] systemd user ask-password --- apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 3e2129d39..b16577de8 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -24,6 +24,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/{,*} rw, + @{run}/user/@{uid}/systemd/ask-password/ rw, @{run}/utmp rk, @{PROC}/@{pids}/stat r, From 57ddfd29ced85da5c0de78471a2136053e1e7038 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 24 Dec 2024 23:56:12 +0100 Subject: [PATCH 006/672] fix(profile): pacman-hook-systemd: add systemd-tty-ask-password-agent. fix #632 --- apparmor.d/groups/pacman/pacman-hook-systemd | 4 ++++ 1 file changed, 4 insertions(+) 
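Review bot: As I read the AppArmor glob rules, `@{sys}/devices/**/hwmon*/** r,` does not match the `hwmon*/` directory itself, so listing a hwmon device directory — which the removed `@{sys}/devices/**/hwmon*/{,**/} r,` and `@{sys}/devices/virtual/hwmon/hwmon@{int}/ r,` rules allowed — is no longer granted. The repository's idiom for a directory and everything under it is `{,**}`, as in `/etc/flatpak/{,**} r,` elsewhere in this series, so the replacement should be `@{sys}/devices/**/hwmon*/{,**} r,`. The collapsed rule is read-only on sysfs attributes, so the broadening itself is reasonable. The enclosing `profile sensors` block starts and ends outside the hunk.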
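Review bot: `@{run}/user/@{uid}/systemd/ask-password/ rw,` grants the directory only, whereas the system-level rule two lines above is `@{run}/systemd/ask-password/{,*} rw,`. If the agent also has to read and remove the per-request files in the user directory, the new rule should mirror that shape, `@{run}/user/@{uid}/systemd/ask-password/{,*} rw,`; if only the directory is watched, a comment saying so would prevent a later "fix". I cannot tell from the hunk which is the case. The enclosing `profile systemd-tty-ask-password-agent` block starts and ends outside the hunk.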
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 2c32024a2..59acc34d9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -45,6 +45,10 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, + signal send set=term peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + include if exists } From 2560e9645ff11d4fd24c69ef8145adf9bc8f817c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Dec 2024 00:05:36 +0100 Subject: [PATCH 007/672] feat(profile): various improvements and update. --- apparmor.d/groups/gnome/gnome-session | 2 ++ apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/network/mullvad-daemon | 1 + apparmor.d/groups/pacman/pacman-hook-systemd | 1 + apparmor.d/groups/systemd/bootctl | 2 +- apparmor.d/groups/systemd/busctl | 2 +- apparmor.d/groups/systemd/systemd-backlight | 2 +- apparmor.d/groups/systemd/systemd-cryptsetup | 2 +- apparmor.d/groups/systemd/systemd-generator-user-autostart | 2 +- apparmor.d/groups/systemd/systemd-generator-user-environment | 2 +- apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-machined | 2 +- apparmor.d/groups/systemd/systemd-random-seed | 2 +- apparmor.d/groups/systemd/systemd-update-done | 2 +- apparmor.d/groups/systemd/systemd-update-utmp | 2 +- apparmor.d/groups/systemd/systemd-user-runtime-dir | 2 +- apparmor.d/groups/systemd/systemd-user-sessions | 2 +- apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-a-f/flatpak-system-helper | 3 ++- apparmor.d/profiles-a-f/fwupd | 3 +-- 20 files changed, 22 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 798868271..bec97e7de 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session 
@@ -58,6 +58,8 @@ profile gnome-session @{exec_path} { /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, + owner @{HOME}/ r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index a75cfee63..601e6b6df 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -39,6 +39,7 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/xml/iso-codes/{,**} r, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ee98720b6..6c4c41e6c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -59,6 +59,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{uuid} rw, owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 59acc34d9..6f154269d 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -44,6 +44,7 @@ profile pacman-hook-systemd @{exec_path} { include capability net_admin, + capability sys_resource, signal send set=term peer=systemd-tty-ask-password-agent, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 05655d308..c7bb7b19f 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
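Review bot: `@{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw,` mirrors the `src_valid_mark` line below it, but as far as I know `arp_ignore` is an ARP (IPv4-only) sysctl, so the `ipv6` alternative names a path that does not exist. Harmless, yet `@{PROC}/sys/net/ipv4/conf/all/arp_ignore rw,` states the intent more precisely. The enclosing `profile mullvad-daemon` block starts and ends outside the hunk.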
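Review bot: `capability sys_resource,` is added to pacman-hook-systemd with no comment on why a package hook needs it, and the commit message ("various improvements and update") does not say either. Capability grants are the lines future reviewers most want justified, so a short `# needed for: <operation that was denied>` with the actual reason filled in would keep this from being carried forward blindly. The enclosing `profile pacman-hook-systemd` block starts and ends outside the hunk.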
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} { +profile bootctl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 6516a500c..826405d2d 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/busctl -profile busctl @{exec_path} { +profile busctl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index f67cb301c..374e9c4ae 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-backlight -profile systemd-backlight @{exec_path} { +profile systemd-backlight @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index f8950c1fe..090412ff5 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup -profile systemd-cryptsetup @{exec_path} { +profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart index c42548ef5..8e3ebb6b3 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator -profile systemd-generator-user-autostart @{exec_path} { +profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment index db128405f..27db22078 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd/systemd-generator-user-environment @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/user-environment-generators/* -profile systemd-generator-user-environment @{exec_path} { +profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index cc1f541dd..d63a4211d 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-journald -profile systemd-journald @{exec_path} { +profile systemd-journald @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 3a111f7f3..b37f2300b 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} { +profile systemd-machined @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index be33d39cd..86ea02a0d 100644 --- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-random-seed -profile systemd-random-seed @{exec_path} { +profile systemd-random-seed @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index c17be7ab2..e7a44d01d 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-done -profile systemd-update-done @{exec_path} { +profile systemd-update-done @{exec_path} flags=(attach_disconnected) { include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 9d512b495..1a2ff9a31 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-utmp -profile systemd-update-utmp @{exec_path} { +profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 9c7fe975b..363b9a32d 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir -profile systemd-user-runtime-dir @{exec_path} { +profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 6f16b2f19..8de32dfe2 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-sessions -profile systemd-user-sessions @{exec_path} { +profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index db6d5d377..061866717 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -171,6 +171,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply:* r, @{run}/udev/data/+rfkill:* r, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/+thunderbolt:* r, diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index 2268de064..60c41a6a9 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -37,8 +37,9 @@ profile flatpak-system-helper @{exec_path} { /etc/flatpak/{,**} r, /etc/machine-id r, - /usr/share/mime/mime.cache r, + /usr/share/flatpak/remotes.d/ r, /usr/share/flatpak/triggers/ r, + /usr/share/mime/mime.cache r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index aa95a00d5..643bbe96a 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -17,7 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include - include + include include include @@ -129,7 +129,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, - /dev/sd[a-z]* r, /dev/tpm@{int} rw, /dev/tpmrm@{int} rw, /dev/wmi/* r, From 6348dafa8e7a41303b6ecd26301247b614dc195f Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:23:45 +0100 Subject: [PATCH 008/672] fix(profile): gnome on X fix #641 --- apparmor.d/groups/ssh/ssh-agent | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 72d6618e6..f6732b1cf 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -19,6 +19,7 @@ profile ssh-agent @{exec_path} { @{sh_path} rix, @{bin}/gpg-agent rPx, + @{bin}/im-launch rPx, owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, From f21006dfd2e37d0673be7faccf25ec0584cb99c6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:41:17 +0100 Subject: [PATCH 009/672] fix(profile): xfce-terminal graphics fix #638 --- apparmor.d/groups/xfce/xfce-terminal | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 342ffd3b4..d0d895c5a 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include + include include include + include include include From 70c06a054744503ffc8fd98133c29e965e942b3d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:48:23 +0100 Subject: [PATCH 010/672] fix(profile): set dettached flag on some systemd services. should fix #630 --- dists/flags/main.flags | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index ac4547850..6a1a1b6a7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
@@ -309,7 +309,7 @@ systemd-ask-password complain systemd-binfmt attach_disconnected,complain systemd-cgls complain systemd-cgtop complain -systemd-cryptsetup complain +systemd-cryptsetup attach_disconnected,complain systemd-dissect attach_disconnected,complain systemd-escape complain systemd-generator-bless-boot attach_disconnected,complain @@ -327,8 +327,8 @@ systemd-generator-integritysetup attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain systemd-generator-run attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain -systemd-generator-user-autostart complain -systemd-generator-user-environment complain +systemd-generator-user-autostart attach_disconnected,complain +systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain @@ -342,7 +342,7 @@ systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain systemd-udevd attach_disconnected,complain -systemd-user-sessions complain +systemd-user-sessions attach_disconnected,complain systemd-userwork attach_disconnected,complain systemsettings complain telegram-desktop complain From fa85d909d70c80d524d320cc2e83f94e18fcf166 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:58:53 +0100 Subject: [PATCH 011/672] feat(profile): general update. --- apparmor.d/groups/apt/apt | 1 + apparmor.d/groups/bus/dbus-accessibility | 2 ++ apparmor.d/groups/freedesktop/xorg | 5 +++ apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/gnome/gdm-prime-defaut | 3 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/ssh/sshfs | 15 +++++++++ .../systemd/systemd-tty-ask-password-agent | 1 + apparmor.d/groups/systemd/systemd-udevd | 2 ++ apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/whonix/anondate | 2 +- apparmor.d/profiles-a-f/bluetoothd | 11 ++----- apparmor.d/profiles-a-f/fwupd | 6 +--- apparmor.d/profiles-g-l/gpu-manager | 1 + apparmor.d/profiles-m-r/mount-cifs | 31 ++++++++++++------- apparmor.d/profiles-s-z/udisksd | 2 +- apparmor.d/profiles-s-z/wireplumber | 2 +- apparmor.d/profiles-s-z/xinit | 1 + 19 files changed, 61 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 369dd3bbd..c0545f2ec 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -130,6 +130,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/update-notifier/dpkg-run-stamp rw, /var/log/apt/{,**} rw, + /var/log/ubuntu-advantage-apt-hook.log w, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index e8f0328a2..35a507559 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility 
@@ -26,6 +26,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=dbus-session, signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, + unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), + #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us dbus receive bus=accessibility path=/org/freedesktop/DBus diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 0f23d583c..90016a8ee 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -45,6 +45,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login1/session/* + interface=org.freedesktop.login1.Session + member=ReleaseControl + peer=(name=org.freedesktop.login1, label=systemd-logind), + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 6bafb132b..fc7ff4bb1 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -50,7 +50,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{bin}/plymouth rPx, @{bin}/prime-switch rPUx, @{bin}/sleep rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{lib}/{,gdm/}gdm-session-worker rPx, /etc/gdm{3,}/PrimeOff/Default rix, diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut index 189e166f2..eea0ee3b3 100644 --- a/apparmor.d/groups/gnome/gdm-prime-defaut +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -12,6 +12,9 @@ profile gdm-prime-defaut @{exec_path} flags=(complain) { @{exec_path} mr, + @{sh_path} r, + @{bin}/prime-offload ix, + include if exists } diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index de3a180bb..1bb2de231 100644 --- a/apparmor.d/groups/network/NetworkManager 
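Review bot: `unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0)` hard-codes display `:0`, so a session on another display number (a second seat, a nested session) still gets the denial this rule was meant to remove. The series already uses `@{int}` for such suffixes (`/dev/mei@{int}`, `Audio@{int}`) and the `addr=` field accepts globs, so `addr=@/tmp/.X11-unix/X@{int}` would cover them without loosening the peer label. The enclosing `profile dbus-accessibility` block starts and ends outside the hunk.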
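Review bot: Changing `@{bin}/systemd-cat rPx,` to `rix` runs systemd-cat inside the gdm profile instead of its own, so whatever it needs (presumably the journal stdout socket) must now be granted here; if that is not already present in the part of the profile outside the hunk, the change only moves the denial rather than removing it. The same swap is made in nm-dispatcher and anondate in this commit. A comment such as `@{bin}/systemd-cat rix, # inherit: logging helper, no dedicated profile needed` would record that dropping the dedicated transition is intentional. The enclosing `profile gdm` block starts and ends outside the hunk.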
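Review bot: `@{bin}/prime-offload ix,` lacks the read bit that every other exec rule in this series pairs with `ix` (`@{bin}/sleep rix,` in the neighbouring gdm hunk); write `@{bin}/prime-offload rix,` for consistency. `@{sh_path} r,` on the line above is likewise unusual next to the `@{sh_path} rix,` used elsewhere, so a comment on why no exec is needed here would help. The enclosing `profile gdm-prime-defaut` block starts and ends outside the hunk.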
+++ b/apparmor.d/groups/network/NetworkManager @@ -43,6 +43,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager + #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 40984f7fa..ee2e5274b 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -51,7 +51,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tr rix, /usr/share/tlp/tlp-readconfs rPUx, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index a367b0f7a..173b6602e 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -13,6 +13,10 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{HOME}/*/, mount fstype=fuse.sshfs -> @{HOME}/*/*/, + mount fstype=fuse.sshfs -> @{MOUNTDIRS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), 
@@ -33,6 +37,17 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTDIRS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/, + + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index b16577de8..4c57d0200 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -13,6 +13,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { include capability dac_override, + capability dac_read_search, capability net_admin, capability sys_resource, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index b8a0c7e4c..f52a2fc6c 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -95,6 +95,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/notify rw, @{run}/systemd/seats/seat@{int} r, + @{att}/@{run}/udev/control rw, + @{run}/udev/ rw, @{run}/udev/** rwk, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 1766cd2fb..94b185162 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -114,7 +114,7 @@ profile cockpit-bridge @{exec_path} { include include - signal (send receive) set=term peer=cockpit-bridge, + signal (send receive) set=(cont hup term) peer=cockpit-bridge, @{bin}/cockpit-bridge Px, @{lib}/cockpit/cockpit-askpass Px, 
diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index d39517569..27e4eb594 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate @@ -22,7 +22,7 @@ profile anondate @{exec_path} { @{bin}/grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tee rix, @{bin}/timeout rix, @{bin}/tor-circuit-established-check rix, diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index ee7efdcfd..8ca699aaf 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -25,20 +25,15 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.bluez - dbus receive bus=system path=/ + dbus send bus=system path=/{,MediaEndpoint} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label="{brave,NetworkManager,pulseaudio,upowerd}"), - - dbus send bus=system path=/MediaEndpoint - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=pulseaudio), + peer=(name=@{busname}), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=org.freedesktop.DBus, label="{jwupd,NetworkManager,pulseaudio,upowerd}"), + peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 643bbe96a..5abf1d294 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd 
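Review bot: The new `dbus send ... member=GetManagedObjects peer=(name=@{busname})` rule drops the peer labels the removed rules carried (`label=pulseaudio`, `label="{brave,NetworkManager,pulseaudio,upowerd}"`), so bluetoothd may now issue the call to any connection on the system bus; the `InterfacesRemoved` rule likewise loses its label. As these are sends of enumeration calls the exposure is small, but the commit message ("general update") does not say the widening is intended; if the label list was simply unmaintainable, a comment saying so is enough. Note also that the removed `dbus receive ... GetManagedObjects` rule has no direct replacement in the hunk — presumably `#aa:dbus own bus=system name=org.bluez` generates it, which is worth confirming. The enclosing `profile bluetoothd` block starts and ends outside the hunk.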
@@ -38,17 +38,13 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/org/freedesktop/UDisks2/Manager - interface=org.freedesktop.UDisks2.Manager - member=GetBlockDevices - peer=(name=:*, label=udisksd), - @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 8cc49acdf..795c92f00 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -25,6 +25,7 @@ profile gpu-manager @{exec_path} { /var/lib/ubuntu-drivers-common/* rw, /var/log/gpu-manager.log w, + /var/log/gpu-manager-switch.log w, @{sys}/devices/@{pci}/boot_vga r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 78651ba23..190db34da 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -12,16 +12,29 @@ profile mount-cifs @{exec_path} flags=(complain) { include include - # To mount anything. capability sys_admin, - - # (#FIXME#) capability setpcap, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, + mount fstype=cifs -> @{HOME}/*/, + mount fstype=cifs -> @{HOME}/*/*/, + mount fstype=cifs -> @{MOUNTDIRS}/, + mount fstype=cifs -> @{MOUNTS}/, + mount fstype=cifs -> @{MOUNTS}/*/, + mount fstype=cifs -> @{MOUNTS}/*/*/, + + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount @{MOUNTS}/*/*/, + @{exec_path} mr, @{bin}/systemd-ask-password rPUx, 
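Review bot: `#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd` replaces a rule that allowed a single method (`GetBlockDevices`) with a directive that, as the other `talk` lines in this series are used, covers the whole UDisks2 service in both directions. For a daemon that handles firmware and is still in `complain`, that is acceptable, but the hunk should say that the full talk is needed (or list the extra members that were denied) so the earlier minimal rule is not reinstated later. The enclosing `profile fwupd` block starts and ends outside the hunk.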
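Review bot: The `(#FIXME#)` marker on `capability setpcap,` is removed while the capability is kept, and the `# To mount anything.` comment above `capability sys_admin,` is deleted, so the hunk now grants two capabilities with no stated reason; keep a short justification on each. The second hunk of this file (next line) also drops `# Allow to mount smb/cifs disks only under the /media/ dirs` now that `@{HOME}/*/` and `@{HOME}/*/*/` are mount targets, so a replacement such as `# Mount points: user home subdirs and the media dirs` would keep the intent readable. Adding `umount @{HOME}/*/` and `umount @{HOME}/*/*/` also lets the helper unmount anything at those depths, not only cifs, since umount rules carry no fstype; if that is not wanted, say so. The enclosing `profile mount-cifs` block starts and ends outside the hunk.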
@@ -31,18 +44,12 @@ profile mount-cifs @{exec_path} flags=(complain) { owner @{HOME}/.smbcredentials r, # Mount points + @{HOME}/*/ r, + @{HOME}/*/*/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, - - # Allow to mount smb/cifs disks only under the /media/ dirs - mount fstype=cifs -> @{MOUNTDIRS}/, - mount fstype=cifs -> @{MOUNTS}/, - mount fstype=cifs -> @{MOUNTS}/*/, - - umount @{MOUNTDIRS}/, - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, + @{MOUNTS}/*/*/ r, include if exists } diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 909112a70..90ea63dd2 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -132,7 +132,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/class/nvme/ r, @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw, - @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/@{pci}/uevent rw, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 87b4e27ca..cc19872c6 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -24,7 +24,7 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, - #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0 + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 0801ac188..a332bd20b 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xinit profile xinit @{exec_path} { include + include include signal (receive) set=(usr1) peer=xorg, From 34913ab0c02b836b71a463fba234663174111dc4 Mon Sep 17 00:00:00 2001 
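Review bot: `@{sys}/devices/@{pci}/uevent rw` lets udisksd write the uevent file of every PCI device, which re-triggers device events, whereas the neighbouring write rules are scoped to the `{ata,usb,mmc,virtio}[0-9]/` subtrees. If the write is only needed for one bus, scoping it the same way keeps the rule set consistent; otherwise a short comment on why the top-level PCI uevent is written would help. The udisksd profile body continues outside the hunk.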
From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:59:42 +0100 Subject: [PATCH 012/672] build: update debian control. --- debian/control | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/debian/control b/debian/control index 3d15800b8..800642d86 100644 --- a/debian/control +++ b/debian/control @@ -9,16 +9,15 @@ Build-Depends: debhelper (>= 13.4), Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git -Standards-Version: 4.5.0 +Standards-Version: 4.6.0 Rules-Requires-Root: no Package: apparmor.d Architecture: any -Depends: - apparmor-profiles, +Depends: apparmor-profiles, ${shlibs:Depends} Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine - most Linux based applications and processes. + apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine + most Linux based applications and processes. From 0769e42ea22d869f4079076c8d1012c5a5a406cf Mon Sep 17 00:00:00 2001 From: nobody43 Date: Tue, 31 Dec 2024 00:32:12 +0000 Subject: [PATCH 013/672] regression: session names 2 --- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/profiles-a-f/briar-desktop | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/mullvad-setup | 2 +- apparmor.d/profiles-m-r/ouch | 2 +- apparmor.d/profiles-s-z/signal-desktop | 4 ++-- apparmor.d/profiles-s-z/virt-manager | 2 +- 10 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 87865197e..602651587 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox 
@@ -125,7 +125,7 @@ @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, @{PROC}/@{pid}/net/arp r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index fc7ff4bb1..10d116a6c 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -92,7 +92,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/virtual/tty/tty@{int}/active r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cgroup.events r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 825612af0..21892cc47 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -107,7 +107,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-@{word}.scope/ rw, @{PROC}/@{pids}/fd/ r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 96e50ba35..0949e72ee 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s 
@@ -159,7 +159,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{,**/} r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop index a0b57a38b..24088be3f 100644 --- a/apparmor.d/profiles-a-f/briar-desktop +++ b/apparmor.d/profiles-a-f/briar-desktop @@ -57,7 +57,7 @@ profile briar-desktop @{exec_path} { owner @{tmp}/jna@{u64}.tmp mrw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r, @{PROC}/cgroups r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 63634d788..03dfe9749 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -99,7 +99,7 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, 
diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index b30da1c13..d2bb2eb44 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -13,7 +13,7 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index ef3ea4bee..a5b62ca93 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -19,7 +19,7 @@ profile ouch @{exec_path} { @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index b905e8f3a..ca9da155c 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -44,8 +44,8 @@ profile signal-desktop @{exec_path} { @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, 
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 0a67b365b..052192d8f 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -85,7 +85,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/drm/ttm/uevent r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{PROC}/@{pids}/net/route r, owner @{PROC}/@{pid}/cgroup r, From f66ef4d5ea65c8e911337fb5495ba9b937b39341 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Jan 2025 23:36:42 +0100 Subject: [PATCH 014/672] chore: fix profile styling issue. --- apparmor.d/groups/ssh/sshfs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 173b6602e..f7c635dd4 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -41,7 +41,7 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/, mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/, mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/, - + umount @{HOME}/*/, umount @{HOME}/*/*/, umount @{MOUNTDIRS}/, From bffb837ff3814e416e7ddca6d1db604c29e61ee7 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Fri, 3 Jan 2025 11:07:04 +0800 Subject: [PATCH 015/672] Update profile for xray --- apparmor.d/profiles-s-z/xray | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray index 7e86ada2c..fccd2c569 100644 --- a/apparmor.d/profiles-s-z/xray +++ b/apparmor.d/profiles-s-z/xray @@ -22,6 +22,7 @@ profile xray @{exec_path} flags=(attach_disconnected) { /etc/xray/{,*} r, /usr/share/xray/**.dat r, + /usr/share/v2ray/**.dat r, @{PROC}/sys/net/core/somaxconn r, 
From 17520a94bf1be89d5025722ab4397b911dcbcd71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Jan 2025 00:09:24 +0100 Subject: [PATCH 016/672] feat(profile): improve snap & login bus. --- apparmor.d/abstractions/bus/org.freedesktop.login1 | 2 +- apparmor.d/profiles-s-z/snap | 1 + apparmor.d/profiles-s-z/snapd | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 77271fe23..385c75730 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -21,7 +21,7 @@ dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*} + member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index aa1f6b2b8..cdb01d14a 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -73,6 +73,7 @@ profile snap @{exec_path} { @{run}/mount/utab r, @{run}/snapd.socket rw, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/security/apparmor/features/{,**} r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 250005f55..4e383b777 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -153,6 +153,7 @@ profile snapd @{exec_path} { @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/system.slice/{,**/} r, @{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, From b94b11cbee0ea96b7fc7272b68a27b3b21ed5679 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 10 Jan 2025 18:55:37 +0100 Subject: [PATCH 017/672] feat(profile): steam: update web paths. --- apparmor.d/profiles-s-z/steam | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 252c89869..9cb5ac86b 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -317,6 +317,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/public/** k, @{tmp}/ r, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6} rw, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6}/{,**} rw, owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, @@ -324,6 +326,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + owner /dev/shm/.com.valvesoftware.Steam.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, From 078b0de752d302a63b48ba32d5f3da5b4c37823b Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Fri, 10 Jan 2025 19:42:29 +0000 Subject: [PATCH 018/672] Fix `rand` typo --- apparmor.d/tunables/multiarch.d/system | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index cc4192d28..4e8b1bc11 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -78,7 +78,7 @@ @{rand15}=@{rand8}@{rand4}@{rand2}@{c} @{rand16}=@{rand8}@{rand8} @{rand32}=@{rand16}@{rand16} -@{rand64}=@{rand64}@{rand64} +@{rand64}=@{rand32}@{rand32} # Any x word characters @{word2}=@{w}@{w} From 61939a3bf8732d71088396a7a8b5f73196442b39 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 12 Jan 2025 18:22:39 +0100 Subject: [PATCH 019/672] build: disable dummy upstream profile in favor of ours. --- dists/overwrite | 1 + pkg/prebuild/prepare/overwrite.go | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index 767c07312..3ddd83d97 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -13,6 +13,7 @@ flatpak foliate loupe msedge +mullvad nautilus opera plasmashell diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index 6f8951161..1bacd446f 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/prebuild/prepare/overwrite.go @@ -49,9 +49,10 @@ func (p Overwrite) Apply() ([]string, error) { if !dest.Exist() && p.OneFile { continue } - if err := origin.Rename(dest); err != nil { - - return res, err + if origin.Exist() { + if err := origin.Rename(dest); err != nil { + return res, err + } } originRel, err := origin.RelFrom(dest) if err != nil { From 88f1821b19d9a298592727898f7b2055bde4102d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jan 2025 18:23:43 +0100 Subject: [PATCH 020/672] tests: cosmetic. --- tests/bats/chsh.bats | 6 +++--- tests/boxes.yml | 2 +- tests/cmd/main.go | 3 ++- tests/requirements.sh | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats index a9f5a6978..81a9f76a6 100644 --- a/tests/bats/chsh.bats +++ b/tests/bats/chsh.bats @@ -5,15 +5,15 @@ load common -@test "chsh: [l]ist available shells" { +@test "chsh: list available shells" { chsh --list-shells || true } -@test "chsh: Set a specific login [s]hell for the current user" { +@test "chsh: Set a specific login shell for the current user" { echo "$PASSWORD" | chsh --shell /usr/bin/bash } # bats test_tags=chsh -@test "chsh: Set a login [s]hell for a specific user" { +@test "chsh: Set a login shell for a specific user" { sudo chsh --shell /usr/bin/sh root } 
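Review bot: When `origin` does not exist the new guard skips the rename, but the loop carries on to `origin.RelFrom(dest)` and, presumably, to creating the link for it, so a missing upstream dummy now silently produces a link to a non-existent profile rather than an error; the rest of the loop body is outside the hunk. If a missing origin is expected (the list in dists/overwrite names profiles that not every distribution ships), either `continue` in an `else` branch or a comment such as `// The upstream dummy profile may be absent on this distribution; rename it only when present.` would make the intent explicit. `Apply` starts before the hunk.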
diff --git a/tests/boxes.yml b/tests/boxes.yml index ef037e07f..532c5e18f 100644 --- a/tests/boxes.yml +++ b/tests/boxes.yml @@ -2,7 +2,7 @@ defaults: uefi: true - ram: '4096' + ram: '3072' cpu: '6' boxes: diff --git a/tests/cmd/main.go b/tests/cmd/main.go index eb88de1ec..e7e620b00 100644 --- a/tests/cmd/main.go +++ b/tests/cmd/main.go @@ -88,7 +88,8 @@ func run() error { } logging.Bullet("Bats tests directory: %s", cfg.BatsDir) - logging.Bullet("Number of tests found %d", len(tests)) + logging.Bullet("Number of profiles with tests found %d", len(tests)) + logging.Bullet("Number of programs without profile found %d", len(tests)) return nil } diff --git a/tests/requirements.sh b/tests/requirements.sh index c12f9249c..c22e70108 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -19,7 +19,7 @@ arch) ;; debian | ubuntu | whonix) sudo apt-get install -y \ - cpuid dfc systemd-userdbd systemd-homed tlp + cpuid dfc systemd-userdbd systemd-homed tlp network-manager ;; opensuse*) ;; From fc85b9fc58d814c5029c0e377cde5c65c07eff2a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jan 2025 19:41:47 +0100 Subject: [PATCH 021/672] build: better division of prebuild stages. --- cmd/prebuild/main.go | 1 + pkg/prebuild/cli/cli.go | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 3f2dd9f43..59eff4912 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -67,5 +67,6 @@ func init() { } func main() { + cli.Configure() cli.Prebuild() } diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 2821d52c2..53f3c5589 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -58,7 +58,7 @@ func init() { flag.StringVar(&file, "file", "", "Only prebuild a given file.") } -func Prebuild() { +func Configure() { flag.Usage = func() { fmt.Printf("%s\n%s\n%s\n%s", usage, prebuild.Help("Prepare", prepare.Tasks), 
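Review bot: Both bullets print `len(tests)`: the new line `logging.Bullet("Number of programs without profile found %d", len(tests))` reports the same figure as `Number of profiles with tests found`, so unless `tests` holds both sets the second number is wrong and was probably meant to use a different collection. Use the slice that actually holds the unprofiled programs, or drop the line until it exists. `run` starts before the hunk.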
@@ -103,7 +103,9 @@ func Prebuild() { overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) overwrite.OneFile = true } +} +func Prebuild() { logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) if err := Prepare(); err != nil { logging.Fatal("%s", err.Error()) From f1182b27bb64a3bf44e92a4bafb58178ebfbf5ac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jan 2025 20:30:52 +0100 Subject: [PATCH 022/672] build: do not resolve files in local/ --- pkg/prebuild/builder/userspace.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index d62cad522..71c1ce23e 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -33,11 +33,10 @@ func init() { } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions")); ok { - return profile, nil - } - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("tunables")); ok { - return profile, nil + for _, dir := range []string{"abstractions", "tunables", "local"} { + if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { + return profile, nil + } } f := aa.DefaultTunables() From 9953cf1fbd08375c24f4263e18ec28fa1b0b8700 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jan 2025 23:57:19 +0100 Subject: [PATCH 023/672] build: make synchronise task configurable. Required by downtream repository. --- pkg/prebuild/cli/cli.go | 2 +- pkg/prebuild/prepare/synchronise.go | 47 +++++++++++++++-------------- 2 files changed, 25 insertions(+), 24 deletions(-) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 53f3c5589..2af5549a1 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go 
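Review bot: `Configure` and `Prebuild` are exported, yet neither has a doc comment, and the split creates an ordering requirement — `Prebuild` logs `prebuild.Distribution` and `prebuild.ABI` and calls `Prepare()`, which presumably depend on the flag handling and task options set in `Configure` — that only `cmd/prebuild/main.go` (the hunk calling `cli.Configure()` before `cli.Prebuild()`) records. Add `// Configure parses the command-line flags and applies them to the prebuild tasks; it must run before Prebuild.` above the renamed function in the `@@ -58,7 +58,7 @@` hunk of this file, and `// Prebuild runs the prepare and build stages on the configured tasks.` above the new `func Prebuild() {`. `Prebuild`'s body continues outside the hunk.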
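Review bot: The skipped directories are an inline literal inside `Apply`, and the new entry `"local"` carries no explanation in the code even though the commit subject has one. Lifting the list to a package-level `var` with a comment such as `// Directories whose files are copied verbatim and never resolved against the tunables.` records why `local/` is treated like `abstractions` and `tunables`, and the discarded error from `IsInsideDir` (`ok, _`) deserves at least a comment that a failed check falls through to resolving the file. `Apply`'s body continues outside the hunk.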
@@ -99,7 +99,7 @@ func Configure() { if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) - sync.Path = file + sync.Paths = []string{file} overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) overwrite.OneFile = true } diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index b272388c7..fe24471d8 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go @@ -11,7 +11,7 @@ import ( type Synchronise struct { prebuild.Base - Path string + Paths []string // File or directory to sync into the build directory. } func init() { 
@@ -20,38 +20,39 @@ func init() { Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, - Path: "", + Paths: []string{"apparmor.d", "share"}, }) } func (p Synchronise) Apply() ([]string, error) { res := []string{} - dirs := paths.PathList{prebuild.RootApparmord, prebuild.Root.Join("share"), prebuild.Root.Join("systemd")} - for _, dir := range dirs { - if err := dir.RemoveAll(); err != nil { + if err := prebuild.Root.Join("systemd").RemoveAll(); err != nil { + return res, err + } + if err := prebuild.RootApparmord.RemoveAll(); err != nil { + return res, err + } + + for _, name := range p.Paths { + src := paths.New(name) + dst := prebuild.Root.Join(name) + if err := dst.RemoveAll(); err != nil { return res, err } - } - if p.Path == "" { - for _, name := range []string{"apparmor.d", "share"} { - if err := paths.CopyTo(paths.New(name), prebuild.Root.Join(name)); err != nil { + + if src.IsDir() { + if err := paths.CopyTo(src, dst); err != nil { + return res, err + } + } else { + if err := dst.Parent().MkdirAll(); err != nil { + return res, err + } + if err := src.CopyTo(dst); err != nil { return res, err } } - } else { - file := paths.New(p.Path) - destination, err := file.RelFrom(paths.New("apparmor.d")) - if err != nil { - return res, err - } - destination = prebuild.RootApparmord.JoinPath(destination) - if err := destination.Parent().MkdirAll(); err != nil { - return res, err - } - if err := file.CopyTo(destination); err != nil { - return res, err - } - res = append(res, destination.String()) + res = append(res, dst.String()) } return res, nil } From ba067a021472d89714c3ee26814277374d9a223a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jan 2025 23:58:01 +0100 Subject: [PATCH 024/672] build: naming cosmetic. --- pkg/prebuild/cli/cli.go | 2 +- pkg/prebuild/prepare/overwrite.go | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
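Review bot: Every entry of `p.Paths` is passed to `dst.RemoveAll()` after `prebuild.Root.Join(name)`, and `p.Paths` is now filled from the `-file` flag in the `@@ -99,7 +99,7 @@ func Configure()` hunk of cli.go; the removed code checked the flag with `file.RelFrom(paths.New("apparmor.d"))`, the new code does not, so a value such as `../something` or a path outside the repository can resolve outside the build directory before being deleted and copied. Reject any destination that does not sit under `prebuild.Root` before touching it (assuming `IsInsideDir`, which userspace.go already uses, cleans the path), and for a single file consider copying over the target rather than removing it first. The field comment `// File or directory to sync into the build directory.` should also say it is a list. The lines below show only the guard, using `fmt.Errorf` or whichever error constructor the file already imports; the rest of `Apply` is unchanged.
```go
	for _, name := range p.Paths {
		src := paths.New(name)
		dst := prebuild.Root.Join(name)
		// p.Paths can come from the -file flag: refuse anything that does not resolve under the build directory.
		if ok, err := dst.IsInsideDir(prebuild.Root); err != nil {
			return res, err
		} else if !ok {
			return res, fmt.Errorf("synchronise: %q resolves outside the build directory %s", name, prebuild.Root)
		}
		// … unchanged: RemoveAll, directory/file copy, append to res …
	}
```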
diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 2af5549a1..f33296881 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -101,7 +101,7 @@ func Configure() { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) sync.Paths = []string{file} overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) - overwrite.OneFile = true + overwrite.Optional = true } } diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index 1bacd446f..530e88690 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/prebuild/prepare/overwrite.go @@ -15,7 +15,7 @@ const ext = ".apparmor.d" type Overwrite struct { prebuild.Base - OneFile bool + Optional bool } func init() { @@ -24,7 +24,7 @@ func init() { Keyword: "overwrite", Msg: "Overwrite dummy upstream profiles", }, - OneFile: false, + Optional: false, }) } @@ -46,7 +46,7 @@ func (p Overwrite) Apply() ([]string, error) { for _, name := range path.MustReadFilteredFileAsLines() { origin := prebuild.RootApparmord.Join(name) dest := prebuild.RootApparmord.Join(name + ext) - if !dest.Exist() && p.OneFile { + if !dest.Exist() && p.Optional { continue } if origin.Exist() { From d20435eb210708b50748732cdb46cbd914abcb24 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Jan 2025 00:08:43 +0100 Subject: [PATCH 025/672] feat(profiles): remove unused user role & mappings - Not enabled, tested. - Will come back under another form later. --- apparmor.d/groups/children/user_confined | 31 ---------- apparmor.d/groups/children/user_default | 32 ---------- apparmor.d/groups/children/user_unconfined | 25 -------- apparmor.d/profiles-m-r/pam/mappings | 72 ---------------------- 4 files changed, 160 deletions(-) delete mode 100644 apparmor.d/groups/children/user_confined delete mode 100644 apparmor.d/groups/children/user_default delete mode 100644 apparmor.d/groups/children/user_unconfined delete mode 100644 apparmor.d/profiles-m-r/pam/mappings 
diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined deleted file mode 100644 index c4d3c9fed..000000000 --- a/apparmor.d/groups/children/user_confined +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow confined users to read, write, lock and link to their own files -# anywhere, and execute from some places. - -abi , - -include - -profile user_confined flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rwkl, - owner @{HOMEDIRS}/bin/** ixmr, - owner @{user_bin_dirs}/** ixmr, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default deleted file mode 100644 index 2853a8deb..000000000 --- a/apparmor.d/groups/children/user_default +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# By default, allow users to read, lock and link to their own files anywhere, -# but only write to files in their home directory. Only allow limited execution -# of files. - -abi , - -include - -profile user_default flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rkl, - owner @{HOMEDIRS}/ w, - owner @{HOMEDIRS}/** w, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined deleted file mode 100644 index db410d6a2..000000000 --- a/apparmor.d/groups/children/user_unconfined +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile user_unconfined flags=(attach_disconnected,mediate_deleted) { - capability, - network, - mount, - remount, - umount, - pivot_root, - ptrace, - signal, - dbus, - unix, - file, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings deleted file mode 100644 index cbcb539ed..000000000 --- a/apparmor.d/profiles-m-r/pam/mappings +++ /dev/null 
@@ -1,72 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example - -# This file contains the mappings from users to roles for the binaries -# confined with AppArmor and configured for use with libpam-apparmor. Users -# without a mapping will not be able to login. -# -# The default hat is a confined user. The hat contains only the permissions -# necessary to transition to the user's login shell. All other permissions have -# been moved into the default_user profile. -^DEFAULT { - include - include - - capability dac_override, - capability setgid, - capability setuid, - - /etc/default/su r, - @{etc_ro}/environment r, - - @{shells_path} rPx -> user_default, - - include if exists -} - -# USER is a confined user. The hat contains only the permissions necessary -# to transition to gray's login shell. All other permissions have been -# moved into the confined_user profile. -^USER { - include - include - - capability dac_override, - capability audit_write, - capability setgid, - capability setuid, - - @{shells_path} rPx -> user_confined, - - /etc/default/su r, - @{etc_ro}/environment r, - - include if exists -} - -# Don't confine members whose primary group is 'admin' who are not specifically -# confined. Systems without this special primary group may want to define an -# unconfined 'root' hat in this manner (depending on site policy). -^root { - include - include - include - - capability dac_override, - capability audit_write, - capability setgid, - capability setuid, - - @{shells_path} rUx, - - /etc/default/su r, - @{etc_ro}/environment r, - - include if exists -} - -# vim:syntax=apparmor From 462a972abc12e834c7ecdd44cf7b1944c3b07645 Mon Sep 17 00:00:00 2001 
From: adombeck <18482300+adombeck@users.noreply.github.com> Date: Wed, 15 Jan 2025 18:54:43 +0100 Subject: [PATCH 026/672] docs: Fix typos --- docs/development/integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development/integration.md b/docs/development/integration.md index 1e5878aa0..15f939cdd 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -49,7 +49,7 @@ To build a VM image for development purpose, run the following from the `tests` | Debian | Server | `make debian flavor=server` | `debian-server` | | openSUSE | KDE | `make opensuse flavor=kde` | `opensuse-kde` | | Ubuntu | Server | `make ubuntu flavor=server` | `ubuntu-server` | -| Ubuntu | Desktop | `make ubuntu falvor=desktop` | `ubuntu-desktop` | +| Ubuntu | Desktop | `make ubuntu flavor=desktop` | `ubuntu-desktop` | **VM management** @@ -88,7 +88,7 @@ On all images, `aa-update` can be used to rebuild and install the latest version Prepare the test environment: ```sh cd tests -make falvor= +make flavor= AA_INTEGRATION=true vagrant up ``` From e41c5f6055197b3ad0985f5af735b7d272148360 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 17 Jan 2025 00:06:35 +0100 Subject: [PATCH 027/672] build; make the pkgname configurable. --- pkg/prebuild/directories.go | 3 +++ pkg/prebuild/prepare/overwrite.go | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index cd5958b72..dcf368f51 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -10,6 +10,9 @@ var ( // AppArmor ABI version ABI uint = 0 + // Pkgname is the name of the package + Pkgname string = "apparmor.d" + // Root is the root directory for the build (default: .build) Root *paths.Path = paths.New(".build") diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index 530e88690..d974b26e4 100644 --- a/pkg/prebuild/prepare/overwrite.go 
+++ b/pkg/prebuild/prepare/overwrite.go @@ -11,7 +11,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -const ext = ".apparmor.d" +var ext = "." + prebuild.Pkgname type Overwrite struct { prebuild.Base From 693259d8c12eeab2bc996fb5c7a2c78475dea7b3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 21:23:31 +0100 Subject: [PATCH 028/672] feat(profile): general update --- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/freedesktop/pipewire | 1 + apparmor.d/groups/freedesktop/xdg-dbus-proxy | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal | 3 +-- apparmor.d/groups/freedesktop/xdg-permission-store | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 1 + apparmor.d/groups/kde/konsole | 7 +++++-- apparmor.d/groups/kde/xembedsniproxy | 2 ++ apparmor.d/groups/pacman/pacman | 2 ++ apparmor.d/groups/pacman/pacman-hook-systemd | 2 +- apparmor.d/groups/ssh/sftp-server | 3 +-- apparmor.d/groups/systemd/systemd-fsck | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 2 +- apparmor.d/groups/virt/cockpit-session | 3 ++- apparmor.d/groups/virt/cockpit-ws | 2 ++ apparmor.d/groups/virt/dockerd | 11 ++++------- apparmor.d/profiles-m-r/mullvad-setup | 6 ++++-- apparmor.d/profiles-m-r/needrestart | 8 ++++++-- apparmor.d/profiles-s-z/update-alternatives | 2 ++ apparmor.d/profiles-s-z/virt-manager | 2 +- 22 files changed, 42 insertions(+), 25 deletions(-) diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 2e41b10bf..beb563f31 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/apt-extracttemplates +@{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include include 
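Review bot: `var ext = "." + prebuild.Pkgname` is evaluated once at package initialisation, so if `Pkgname` is meant to be configurable at runtime (set from a flag or config after init, as the commit subject suggests) the overwrite extension will keep the default `.apparmor.d`. Unless `Pkgname` is only ever changed via a build-time `-ldflags -X`, compute the value where it is used, e.g. `func ext() string { return "." + prebuild.Pkgname }` and call `ext()` in place of the variable. The code that consumes `ext` is outside this hunk, so I cannot tell which of the two cases applies; a comment on `Pkgname` in `directories.go` stating how it is expected to be set would settle it.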
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index cf957ab4f..34163333b 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -34,6 +34,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/apt-extracttemplates rPx, @{bin}/whiptail rPx, + @{lib}/apt/apt-extracttemplates rPx, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index e2b1b22d9..da4350d74 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -46,6 +46,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { / r, @{att}/ r, + owner @{att}// r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index e51f21e1e..eaaa90769 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -28,6 +28,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{att}/@{HOME}/.var/app/** r, owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 57b17b655..80fa07ec7 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -77,11 +77,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, - @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, - owner @{tmp}/icon* rw, + owner @{tmp}/icon@{rand6} rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, 
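Review bot: In the pipewire hunk the new `owner @{att}// r,` carries a doubled slash and sits directly under an existing `@{att}/ r,`, so it looks like a typo rather than a distinct path. If a separate disconnected-path access was observed in the audit log, the rule should name that path; otherwise the line is redundant and can be dropped. I am inferring the intent from the neighbouring line only, so please confirm against the denial that motivated it.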
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 08cfc840c..ceca1e2b1 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -43,7 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, - owner @{user_share_dirs}/flatpak/db/desktop-used-apps r, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw, owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 59e6df788..d98b764df 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -107,6 +107,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ w, + @{run}/cockpit/active.issue r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 17ed13f27..8f9ff48dd 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -74,8 +74,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, /dev/ptmx rw, 
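Review bot: In the konsole hunk, `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw,` grants write access to every file in that cgroup subtree, not just the one konsole needs to place its child processes. Writable `cgroup.subtree_control`, `cgroup.procs` and the resource-limit knobs would let a compromised konsole reshape the user's cgroup hierarchy, which is more than "read my own cgroup" (the adjacent `owner @{PROC}/@{pid}/cgroup r,`) implies. If the denial only concerned creating a sub-cgroup and moving a PID into it, narrow the rule to the directory and `cgroup.procs`, and add a why-comment such as `# konsole moves each shell into its own sub-cgroup`.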
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 969a82f6c..6cb93163c 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -21,6 +21,8 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 8215e3f6a..6c0e782fa 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -99,6 +99,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/update-grub rPx, @{bin}/update-mime-database rPx, @{bin}/vercmp rix, + @{bin}/which rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, @@ -198,6 +199,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { signal receive set=winch peer=makepkg//sudo, @{pager_path} rPx -> child-pager, + @{bin}/systemd-tty-ask-password-agent rPx, /etc/machine-id r, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 6f154269d..0878385c5 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -46,7 +46,7 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, capability sys_resource, - signal send set=term peer=systemd-tty-ask-password-agent, + signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 3deddb092..a0fc3e2f8 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server 
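Review bot: The new `@{run}/user/@{uid}/xauth_@{rand6} rl,` drops the `owner` qualifier that the line added just above it (`owner @{run}/user/@{uid}/iceauth_@{rand6} r,`) and the existing `owner @{tmp}/xauth_@{rand6} r,` carry, so it matches X authority files of any uid that happen to be readable. It also grants `l` (link), which neither sibling rule needs. Unless a cross-user access was actually observed, make it consistent: `owner @{run}/user/@{uid}/xauth_@{rand6} rl,` and drop `l` if the log shows only reads.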
@@ -6,8 +6,7 @@ abi , include -@{exec_path} = @{lib}/openssh/sftp-server -@{exec_path} += @{lib}/ssh/sftp-server +@{exec_path} = @{lib}/{openssh,ssh}/sftp-server profile sftp-server @{exec_path} { include include diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index a7290dc48..0680e0be8 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsck -profile systemd-fsck @{exec_path} { +profile systemd-fsck @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 3eaedfaac..7b271c9de 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -51,12 +51,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, + @{att}/@{run}/systemd/notify rw, owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, - @{run}/systemd/notify rw, owner @{run}/systemd/netif/** rw, @{run}/udev/data/n@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index ff9e2d540..552bd9996 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-rfkill -profile systemd-rfkill @{exec_path} { +profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 67ecd800e..5b67b14d7 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session 
@@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/motd.d/ r, /etc/shells r, + @{att}/@{run}/systemd/sessions/*.ref rw, + @{run}/cockpit/active.motd r, @{run}/cockpit/inactive.motd r, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, - @{run}/systemd/sessions/*.ref rw, @{run}/utmp rwk, /var/log/btmp rw, diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index c78f63a63..2a685f04e 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -9,9 +9,11 @@ include @{exec_path} = @{lib}/cockpit/cockpit-ws profile cockpit-ws @{exec_path} { include + include @{exec_path} mr, + @{sh_path} rix, @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 2ea35f7b9..13f050c7d 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -33,15 +33,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network netlink raw, mount /tmp/containerd-mount@{int}/, - mount /var/lib/docker/buildkit/**/, - mount /var/lib/docker/overlay2/**/, - mount /var/lib/docker/tmp/buildkit-mount@{int}/, - mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/, + mount /var/lib/docker/**/, mount options=(rw bind) -> /run/docker/netns/*, - mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, - mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/, mount options=(rw rprivate) -> /.pivot_root@{int}/, - mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/, mount options=(rw rslave) -> /, remount /tmp/containerd-mount@{int10}/, 
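Review bot: In the dockerd hunk, the consolidated `mount /var/lib/docker/**/,` replaces rules that pinned `fstype=overlay` and `options=(rw rbind)`, so the profile no longer distinguishes overlay mounts from arbitrary mounts of any filesystem type from that source; if I read the rule grammar right, with no `->` the mountpoint is also unrestricted, whereas the removed `/var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/` rule did constrain it. Simplification is reasonable, but keeping the two observed shapes as `mount fstype=overlay overlay -> /var/lib/docker/**/,` and `mount options=(rw rbind) /var/lib/docker/**/ -> /var/lib/docker/**/,` preserves most of the earlier restriction at the cost of two lines. A short comment stating why the fstype constraint was dropped would help the next reader.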
@@ -90,6 +84,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, + /tmp/build/ w, + /tmp/containerd-mount@{int10}/{,**} rw, + owner @{run}/docker/ rw, owner @{run}/docker/** rwlk, owner @{run}/docker.pid rw, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index d2bb2eb44..bc20a0f9a 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -13,9 +13,11 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 56f95b589..4bc314b0e 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -20,9 +20,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability kill, capability sys_ptrace, - ptrace (read), + ptrace read, - mqueue (r,getattr) type=posix /, + mqueue r type=posix /, @{exec_path} mrix, @@ -43,6 +43,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, + @{att}/@{lib}/python3.@{int}/** r, + /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, 
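Review bot: The new `/tmp/build/ w,` lets a root daemon create a fixed, predictable directory in world-writable `/tmp` without `owner`, which is the pattern that makes pre-creation by another local user matter; the sibling `owner /var/lib/docker/...` rules above show the profile otherwise uses `owner` for dockerd's own state. The second new line uses `@{int10}` while the `mount /tmp/containerd-mount@{int}/` context line in the earlier hunk uses `@{int}`, so the two rules do not match the same set of names. I would write `owner /tmp/build/ w,` and align the variable (`@{int}` or `@{int10}`) across the mount, remount and file rules.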
@@ -60,6 +62,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { owner /var/lib/juju/agents/{,**} r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /tmp/@{word10}/ rw, + owner @{run}/sshd.pid r, @{PROC}/ r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index a83e985d7..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -12,6 +12,8 @@ profile update-alternatives @{exec_path} { include include + capability dac_override, + @{exec_path} mr, @{bin}/* w, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 052192d8f..af472b4d5 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -31,7 +31,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{exec_path} rix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{bin}/python3.@{int} rix, @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r, From 2f98d0817e426ca01bc183d4173250b65f6de37f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 21:26:54 +0100 Subject: [PATCH 029/672] fix(profile): child-open-any See #647 --- apparmor.d/groups/children/child-open-any | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index ea21f8487..b0c0b053e 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -11,11 +11,11 @@ abi , include -profile child-open-any flags=(attach_disconnected) { +profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include - @{open_path} mr, + @{open_path} mrix, @{sh_path} r, 
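Review bot: `/tmp/@{word10}/ rw,` in the needrestart hunk allows read and write to any matching directory in `/tmp` regardless of who created it; since needrestart runs as root, a directory pre-created by another user would be written into. If this is needrestart's own temporary directory, `owner /tmp/@{word10}/ rw,` is enough, and a comment naming the component that creates it (the pattern does not identify it) would make the rule reviewable later.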
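Review bot: In the update-alternatives hunk, `capability dac_override,` is added without a comment saying which access needs it; a root tool normally only trips this capability when it touches a file or directory whose mode bits exclude root (for example a 0600 file owned by another user under a diverted path). Since the capability lets the whole profile bypass DAC on every file rule it holds, including `@{bin}/* w,`, a one-line why-comment such as `# needed to replace alternatives owned by other users` (or whatever the audit log showed) is worth keeping next to it.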
@@ -32,6 +32,8 @@ profile child-open-any flags=(attach_disconnected) { /usr/ r, /usr/local/bin/ r, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + /dev/tty rw, include if exists From cf254c8021fd76609ffe855a848d3988d4142bdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 21:31:08 +0100 Subject: [PATCH 030/672] feat(profile): do not use the uname profile directly see #611 --- apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/profiles-a-f/amule | 2 +- apparmor.d/profiles-m-r/rustdesk | 2 +- apparmor.d/profiles-s-z/tlp | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index bec97e7de..ce6abe6d9 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -32,7 +32,7 @@ profile gnome-session @{exec_path} { @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/xargs rix, @{bin}/dpkg-query rpx, diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule index b54e62022..ce600200a 100644 --- a/apparmor.d/profiles-a-f/amule +++ b/apparmor.d/profiles-a-f/amule @@ -27,7 +27,7 @@ profile amule @{exec_path} { # @{open_path} rPx -> child-open, @{exec_path} mr, - @{bin}/uname rPx, + @{bin}/uname rix, @{sh_path} rix, @{system_share_dirs}/amule/{,**} r, owner @{HOME}/.aMule/{,**} rwk, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 004c29d64..2a0f9b391 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -80,7 +80,7 @@ profile rustdesk @{exec_path} { @{sh_path} rix, @{bin}/chmod rix, - @{bin}/uname rPx, + @{bin}/uname rix, /usr/share/rustdesk/files/pynput_service.py rix, /usr/share/[rR]ust[dD]esk/files/{,**} r, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 153ded880..5d81c0a75 100644 
--- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -49,7 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/uname rpx, + @{bin}/uname rix, /usr/share/tlp/tlp-readconfs rix, / r, From f15cbdfc5bbe4e55ce7718360d1eb61e8eab444a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 21:36:52 +0100 Subject: [PATCH 031/672] feat(tunable): add terminal_path fix #656 --- apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 2 files changed, 6 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 83aec3ce3..eedf07033 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -65,4 +65,7 @@ # Help @{help_path} = @{bin}/@{help_names} +# Terminal emulator +@{terminal_path} = @{bin}/@{offices_names} + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index e8f523b6a..18ba854d5 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -89,4 +89,7 @@ # Help @{help_names} = yelp +# Terminal emulator +@{terminal_name} = kgx terminator konsole + # vim:syntax=apparmor From ef99c81eb1f5f590801932fad51e85598517f80c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 22:40:36 +0100 Subject: [PATCH 032/672] feat(abs): rewrite the app/open abstraction to accomodate kde requirements. See #630 #605 #647 --- apparmor.d/abstractions/app/open | 31 ++++++++++++++++++++--- apparmor.d/groups/children/child-open-any | 10 +------- 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 256eb5a6d..d47c3a4ba 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open 
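Review bot: `@{terminal_path} = @{bin}/@{offices_names}` in the `paths` hunk expands to the office-suite binaries, not the terminal emulators this commit defines, so every profile using `@{terminal_path}` would grant execution of the wrong programs; it should read `@{terminal_path} = @{bin}/@{terminal_name}`. The `programs` hunk on this same line also names the new tunable `@{terminal_name}` in the singular, while the file's convention visible in the context is plural (`@{help_names}`), so `@{terminal_names}` in both files would avoid the mismatch and the copy-paste error at once.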
@@ -3,19 +3,42 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Full set of rules for child-open-* profiles. +# Full set of rules for desktop generic open-* used in child-open-* profiles. abi , include - @{open_path} mrix, + # We cannot use `@{open_path} mrix,` here because it includes: + # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop + # And `@{multiarch}` as a wildcard that cannot be merged and that will generate + # "has merged rule with conflicting x modifiers" error when used with other + # wilcard over PUx transition. + @{bin}/exo-open mrix, + @{bin}/xdg-open mrix, + @{bin}/gio mrix, + @{bin}/kde-open mrix, + @{bin}/gio-launch-desktop mrix, + @{lib}/gio-launch-desktop mrix, - @{sh_path} r, @{bin}/env rix, - + @{sh_path} r, + /dev/tty rw, + # if @{DE} == kde + + include + include + include + include + include + + owner @{run}/user//@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + # fi + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index b0c0b053e..1259d7708 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -13,11 +13,7 @@ include profile child-open-any flags=(attach_disconnected,mediate_deleted) { include - include - - @{open_path} mrix, - - @{sh_path} r, + include @{bin}/** PUx, @{lib}/** PUx, @@ -32,10 +28,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { /usr/ r, /usr/local/bin/ r, - owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - - /dev/tty rw, - include if exists include if exists } From c6a7879e02eab51a738368e565db34217df8ba87 Mon Sep 17 00:00:00 2001 
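Review bot: `owner @{run}/user//@{uid}/#@{int} rw,` contains a doubled slash, so it does not match the `@{run}/user/@{uid}/#@{int}` link target used on the very next line; the follow-up commit on this page (PATCH 033) only trims trailing whitespace on that line and leaves the path wrong, so the kioclient link rule will fail on KDE. The fix is `owner @{run}/user/@{uid}/#@{int} rw,`. The `# if @{DE} == kde` / `# fi` markers are plain comments, so unless the build tooling interprets them the KDE rules apply on every desktop, which the comment block should say; "wilcard" in the explanatory comment should also be "wildcard".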
From: Alexandre Pujol Date: Mon, 20 Jan 2025 23:00:20 +0100 Subject: [PATCH 033/672] fix: profile linter. --- apparmor.d/abstractions/app/open | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index d47c3a4ba..be4eda72d 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -11,7 +11,7 @@ # We cannot use `@{open_path} mrix,` here because it includes: # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop - # And `@{multiarch}` as a wildcard that cannot be merged and that will generate + # And `@{multiarch}` as a wildcard that cannot be merged and that will generate # "has merged rule with conflicting x modifiers" error when used with other # wilcard over PUx transition. @{bin}/exo-open mrix, @@ -23,7 +23,7 @@ @{bin}/env rix, @{sh_path} r, - + /dev/tty rw, # if @{DE} == kde @@ -34,7 +34,7 @@ include include - owner @{run}/user//@{uid}/#@{int} rw, + owner @{run}/user//@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, # fi From 0b3c49d26af85211c32c3b6462465fcc74b428e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 23:29:13 +0100 Subject: [PATCH 034/672] fix(profile): mqueue definition in needrestart. --- apparmor.d/profiles-m-r/needrestart | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 4bc314b0e..1e5ee2f91 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -22,7 +22,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace read, - mqueue r type=posix /, + mqueue (r,getattr) type=posix /, @{exec_path} mrix, From 044c490f10d26018aa5ccc747464b30db004fefd Mon Sep 17 00:00:00 2001 
From: beroal Date: Thu, 23 Jan 2025 00:26:31 +0200 Subject: [PATCH 035/672] `pacat`: a CLI utility for playing and recording audio from the PulseAudio suite (#653) --- apparmor.d/groups/freedesktop/pacat | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/pacat diff --git a/apparmor.d/groups/freedesktop/pacat b/apparmor.d/groups/freedesktop/pacat new file mode 100644 index 000000000..8329b7924 --- /dev/null +++ b/apparmor.d/groups/freedesktop/pacat @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pacat +profile pacat @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_music_dirs}/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor From 4286b5330ca33335f957501cadfb776d516e3464 Mon Sep 17 00:00:00 2001 
From: nobody43 Date: Wed, 22 Jan 2025 22:50:59 +0000 Subject: [PATCH 036/672] xfce, updates --- apparmor.d/groups/apt/dpkg-preconfigure | 7 +++++++ apparmor.d/groups/children/child-dpkg-divert | 1 + apparmor.d/groups/display-manager/lightdm | 11 +++++++++++ .../polkit-gnome-authentication-agent | 8 ++++++++ apparmor.d/groups/freedesktop/polkitd | 1 + apparmor.d/groups/gnome/gnome-system-monitor | 2 +- apparmor.d/groups/grub/grub-mkconfig | 1 + apparmor.d/groups/grub/grub-probe | 1 + apparmor.d/groups/gvfs/gvfsd-computer | 3 +++ apparmor.d/groups/gvfs/gvfsd-wsdd | 3 +++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/network/wg | 1 + apparmor.d/groups/network/wg-quick | 1 + apparmor.d/groups/systemd/systemd-hwdb | 4 ++-- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/groups/xfce/startxfce | 4 ++++ apparmor.d/groups/xfce/thunar | 9 +++++++++ apparmor.d/groups/xfce/thunar-volman | 2 ++ apparmor.d/groups/xfce/tumblerd | 15 +++++++++++++++ apparmor.d/groups/xfce/xfce-clipman-settings | 4 ++++ apparmor.d/groups/xfce/xfce-notifyd | 5 +++++ apparmor.d/groups/xfce/xfce-panel | 18 +++++++++++++++++- apparmor.d/groups/xfce/xfce-power-manager | 7 +++++++ apparmor.d/groups/xfce/xfce-screensaver | 4 ++++ apparmor.d/groups/xfce/xfce-session | 11 +++++++++++ apparmor.d/groups/xfce/xfce-terminal | 11 +++++++++++ apparmor.d/groups/xfce/xfconfd | 5 ++++- apparmor.d/groups/xfce/xfdesktop | 10 ++++++++++ apparmor.d/groups/xfce/xfsettingsd | 6 ++++++ apparmor.d/groups/xfce/xfwm | 2 ++ apparmor.d/profiles-a-f/blueman | 2 ++ apparmor.d/profiles-a-f/blueman-mechanism | 1 + apparmor.d/profiles-a-f/filezilla | 2 ++ apparmor.d/profiles-g-l/iceauth | 2 +- apparmor.d/profiles-g-l/im-launch | 1 + apparmor.d/profiles-g-l/libreoffice | 9 +++++++-- apparmor.d/profiles-m-r/mkinitramfs | 1 + apparmor.d/profiles-m-r/mount-cifs | 2 ++ apparmor.d/profiles-m-r/nemo | 5 +++++ apparmor.d/profiles-m-r/remmina | 6 ++++++ apparmor.d/profiles-m-r/run-parts | 2 ++ 
apparmor.d/profiles-s-z/su | 2 ++ .../profiles-s-z/system-config-printer-applet | 3 +++ apparmor.d/profiles-s-z/xarchiver | 1 + 44 files changed, 190 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 34163333b..eb022b3cb 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -30,6 +30,9 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/sort rix, @{bin}/stty rix, @{bin}/tr rix, + @{bin}/head rix, + @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/apt-extracttemplates rPx, @@ -37,11 +40,14 @@ profile dpkg-preconfigure @{exec_path} { @{lib}/apt/apt-extracttemplates rPx, /usr/share/debconf/confmodule r, + /usr/share/dictionaries-common/{,*} r, + /etc/cloud/cloud.cfg.d/90_dpkg.cfg r, /etc/debconf.conf r, /etc/default/grub r, /etc/inputrc r, /etc/shadow r, + /etc/X11/Xwrapper.config r, owner @{tmp}/*.template.* rw, owner @{tmp}/*.config.* rwPUx, @@ -54,6 +60,7 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w, + owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index 6ea41a9e8..ddfff5fc2 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -22,6 +22,7 @@ profile child-dpkg-divert { /var/lib/dpkg/arch r, /var/lib/dpkg/status r, /var/lib/dpkg/updates/ r, + /var/lib/dpkg/updates/@{int} r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, /var/lib/dpkg/diversions r, 
diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index 04accbbf0..a70779fc4 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/lightdm profile lightdm @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -36,6 +37,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=xfce-session, signal (send) set=(term) peer=xorg, + unix (bind) type=stream addr="@@{hex}/bus/lightdm/system", + + dbus (bind) bus=system name=org.freedesktop.DisplayManager, + @{exec_path} mrix, @{bin}/rm rix, @@ -45,6 +50,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { @{bin}/Xorg rPx, @{bin}/plymouth rPx, @{bin}/gnome-keyring-daemon rPx, + @{bin}/lightdm-session rPx, @{lib}/security-misc/* rPx, #aa:only whonix @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, @@ -52,6 +58,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /etc/lightdm/Xsession rPx, /etc/X11/Xsession rPx, + @{sh_path} rix, + @{bin}/{,e,f}grep rix, + @{bin}/df rix, + /usr/share/lightdm/{,**} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, @@ -81,6 +91,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty@{int} r, diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index 94bc7ece6..e488272ca 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent 
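Review bot: The lightdm hunk adding `@{sh_path} rix,`, `@{bin}/{,e,f}grep rix,` and `@{bin}/df rix,` runs a shell inside the root display-manager profile, so that shell inherits every rule lightdm holds, including the `rPx` transitions and the new `dbus (bind)` / `unix (bind)` permissions added in the same section. The same section also adds `@{bin}/lightdm-session rPx,`, which suggests the shell and coreutils usage may come from a session or greeter wrapper script; if so, confining that script in its own profile keeps the shell out of the daemon's rule set. A short comment above `@{sh_path} rix,` naming the script that needs it would document the decision either way.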
@@ -12,11 +12,19 @@ include @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1 profile polkit-gnome-authentication-agent @{exec_path} { include + include + include + include + include include include + signal (send) set=(term) peer=polkit-agent-helper, + @{exec_path} mr, + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 5e3d3ee78..5b630a15a 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -31,6 +31,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/pkla-check-authorization rPUx, + @{bin}/pkla-admin-identities rPx, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 92cbd369e..8df82b290 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -36,7 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, /usr/share/gnome-system-monitor/{,**} r, - /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 2a60d69c5..1ff23f1fe 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -65,6 +65,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{lib}/grub/grub-sort-version rPx, @{lib}/libostree/grub[0-9]-@{int}_ostree rix, + /usr/share/desktop-base/*/grub/* r, /usr/share/grub/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 80d517deb..2e2d9232b 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe 
@@ -27,6 +27,7 @@ profile grub-probe @{exec_path} { / r, /boot/ r, + /boot/grub/ r, /boot/grub/themes/{,**} r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index e756c8440..f72fc17c7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -10,6 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer profile gvfsd-computer @{exec_path} { include + include + + dbus (bind) bus=session name=org.gtk.vfs.mountpoint_@{int}, @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index f971b5f6a..1b0dc2cc2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -9,9 +9,12 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd profile gvfsd-wsdd @{exec_path} { include + include network netlink raw, + dbus (bind) bus=session name=org.gtk.vfs.mountpoint_wsdd, + @{exec_path} mr, @{bin}/env r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 1bb2de231..39c68fda9 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -105,6 +105,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/ r, /etc/iproute2/* r, /etc/machine-id r, + /etc/netplan/90-NM-@{uuid}.yaml w, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg index 781a52f7a..57e6ec769 100644 --- a/apparmor.d/groups/network/wg +++ b/apparmor.d/groups/network/wg @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/wg profile wg @{exec_path} { include + include capability net_admin, capability net_bind_service, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index c7ea6b1bd..5c4a5579b 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick 
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/wg-quick profile wg-quick @{exec_path} { include + include capability dac_read_search, capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 9b6203e92..ae64274c6 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -16,10 +16,10 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, @{lib}/udev/#@{int} rwl, - @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int}, + @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int}, @{lib}/udev/hwdb.bin w, - /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int}, + /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int}, /etc/udev/hwdb.bin w, /etc/udev/hwdb.d/{,*} r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index f52a2fc6c..0ba3be209 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -79,7 +79,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /etc/nfs.conf rk, /etc/udev/{,**} r, - /etc/udev/.#hwdb.bin* rw, + /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw, /etc/udev/hwdb.bin rw, /etc/modprobe.d/ r, diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce index 8d91581cb..110da187b 100644 --- a/apparmor.d/groups/xfce/startxfce +++ b/apparmor.d/groups/xfce/startxfce @@ -19,6 +19,7 @@ profile startxfce @{exec_path} { @{bin}/mkdir rix, @{bin}/id rix, + @{bin}/xdg-user-dirs-update rPx, @{bin}/xfce4-session rPx, @{bin}/xrdb rPx, @{bin}/systemctl rCx -> systemctl, @@ -27,6 +28,8 @@ profile startxfce @{exec_path} { /etc/X11/xinit/xinitrc.d/{,**} r, /etc/xdg/xfce4/{,**} r, + owner @{HOME}/.Xdefaults r, + profile systemctl flags=(attach_disconnected) { include include 
@@ -36,6 +39,7 @@ profile startxfce @{exec_path} { profile dbus { include + include @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index d8f04d49c..629fc2b4b 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/thunar profile thunar @{exec_path} { include + include + include include include include @@ -17,6 +19,10 @@ profile thunar @{exec_path} { network netlink raw, + dbus (bind) bus=session name=org.xfce.Thunar, + dbus (bind) bus=session name=org.xfce.FileManager, + dbus (bind) bus=session name=org.freedesktop.FileManager1, + @{exec_path} mr, @{bin}/thunar-volman rPx, @@ -30,6 +36,7 @@ profile thunar @{exec_path} { /etc/fstab r, /etc/timezone r, + /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r, # Full access to user's data / r, @@ -50,6 +57,8 @@ profile thunar @{exec_path} { deny /tmp/.* rw, deny /tmp/.*/{,**} rw, + @{run}/mount/utab r, + owner @{PROC}/@{pid}/mountinfo r, profile dbus { diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 350255834..fc73a14c9 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include + include + include include include diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index 99971abb8..db90af4c5 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd 
@@ -9,18 +9,33 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd profile tumblerd @{exec_path} { include + include + include + include + include + include + include include include include + dbus (bind) bus=session name=org.freedesktop.thumbnails.Cache1, + dbus (bind) bus=session name=org.freedesktop.thumbnails.Manager1, + dbus (bind) bus=session name=org.freedesktop.thumbnails.Thumbnailer1, + @{exec_path} mr, + @{bin}/gdk-pixbuf-thumbnailer rPx, + /usr/share/backgrounds/xfce/{,**} r, /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/tumbler/* r, + owner /tmp/tumbler-@{rand6}.png r, + owner /tmp/tumbler-@{rand6}.??? w, + owner @{PROC}/@{pid}/mountinfo r, /dev/ r, diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 248d60b7e..2c777a0a1 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,8 +9,12 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include + include + include include + dbus (bind) bus=session name=org.xfce.clipman.settings, + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index f5c80e07c..d8ef2a9e0 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,6 +10,8 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include + include + include include include include @@ -22,6 +24,9 @@ profile xfce-notifyd @{exec_path} { network inet6 stream, network netlink raw, + dbus (bind) bus=session name=org.xfce.Notifyd, + dbus (bind) bus=session name=org.freedesktop.Notifications, + @{exec_path} mr, owner @{user_cache_dirs}/xfce4/notifyd/ rw, diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 7b192ffc5..d2a9cdbf6 100644 
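Review bot: `owner /tmp/tumbler-@{rand6}.png r` and `owner /tmp/tumbler-@{rand6}.??? w` in the tumblerd hunk hardcode `/tmp`, while the rest of this series writes temporary-file rules through `@{tmp}` (xfce-panel's `owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w`, iceauth's `owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r`); the same literal appears in the new ucf profile's `owner /tmp/tmp.@{rand10} r` later in the series. Using the variable keeps the rule matching when a per-user tmp layout is in use, which is presumably what `@{tmp}` expands to — confirm against the tunable. Suggested lines: `owner @{tmp}/tumbler-@{rand6}.png r,` and `owner @{tmp}/tumbler-@{rand6}.??? w,`. The `.???` wildcard also admits any three-character suffix; if the thumbnailer only produces a known set of formats, listing them would be tighter.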
--- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,12 +9,22 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include + include + include + include + include + include include include include include include + ptrace (read) peer=xfce-terminal, + + dbus (bind) bus=session name=org.xfce.Panel, + dbus (bind) bus=session name=org.kde.StatusNotifierWatcher, + @{exec_path} mr, @{bin}/exo-open rix, @@ -26,6 +36,7 @@ profile xfce-panel @{exec_path} { @{bin}/sudo rCx -> root, /usr/share/desktop-directories/{,**} r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/livecheck/** r, /usr/share/xfce4/{,**} r, @@ -33,15 +44,20 @@ profile xfce-panel @{exec_path} { /etc/machine-id r, /etc/timezone r, /etc/xdg/menus/{,**} r, - /etc/xdg/xfce4/{,**} r, + /etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r, owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw, + owner @{user_cache_dirs}/xfce4-indicator-plugin.log w, owner @{user_config_dirs}/xfce4/panel/{,**} rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + deny @{user_share_dirs}/gvfs-metadata/{,*} r, + profile root { include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 1c2a0263d..4f3199a9e 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -9,9 +9,16 @@ include @{exec_path} = @{bin}/xfce4-power-manager profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include + dbus (bind) bus=session name=org.xfce.PowerManager, + dbus (bind) bus=session name=org.freedesktop.PowerManagement, + @{exec_path} mr, @{bin}/xfpm-power-backlight-helper rPx, 
diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e486ac6d9..911cc1b9f 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,11 +9,15 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include + include + include include include include include + dbus (bind) bus=session name=org.xfce.ScreenSaver, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index 17007122e..6db8277d7 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -9,6 +9,10 @@ include @{exec_path} = @{bin}/xfce4-session profile xfce-session @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include include @@ -16,6 +20,8 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=lightdm, + dbus (bind) bus=session name=org.xfce.SessionManager, + @{exec_path} mr, @{sh_path} rix, @@ -33,6 +39,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { @{lib}/msgcollector/msgdispatcher_xdg_autostart rPx, @{lib}/sdwdate-gui/start-maybe rPx, @{lib}/setup-wizard-dist/setup-dist_check_for_start rPx, + @{lib}/xapps/sn-watcher/xapp-sn-watcher rPUx, /usr/share/kde-power-savings-disable-in-vms/{,**} r, /usr/share/kde-screen-locker-disable-in-vms/{,**} r, @@ -48,11 +55,15 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { /etc/xdg/autostart/*.desktop r, owner @{user_cache_dirs}/sessions/{,**} rw, + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/*.desktop r, owner @{tmp}/.xfsm-ICE-@{rand6} rw, owner @{PROC}/@{pid}/stat r, + @{sys}/class/i2c-adapter/ r, + /dev/tty rw, profile systemctl flags=(attach_disconnected) { 
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index d0d895c5a..46a17ca7f 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include + include + include + include include include include @@ -16,6 +19,10 @@ profile xfce-terminal @{exec_path} { include include + signal (send), + + dbus (bind) bus=session name=org.xfce.Terminal5, + @{exec_path} mr, @{open_path} rPx -> child-open-help, @@ -28,7 +35,10 @@ profile xfce-terminal @{exec_path} { @{bin}/micro rPUx, @{bin}/nvtop rPx, + @{bin}/vim{,.basic} rPUx, + /usr/share/ r, + /usr/share/desktop-base/profiles/xdg-config/ r, /usr/share/xfce4/ r, /usr/share/xfce4/terminal/{,**} r, @@ -36,6 +46,7 @@ profile xfce-terminal @{exec_path} { /etc/xdg/ r, /etc/xdg/xfce4/ r, + owner @{user_config_dirs}/xfce4/ r, owner @{user_config_dirs}/xfce4/terminal/{,**} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index 0ab17ac5c..de82191a7 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -10,11 +10,14 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/xfconf/xfconfd profile xfconfd @{exec_path} { include + include include + dbus (bind) bus=session name=org.xfce.Xfconf, + @{exec_path} mr, - /etc/xdg/xfce4/xfconf/** r, + /etc/xdg/{,xdg-xubuntu/}xfce4/xfconf/** r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index d19e3de63..ed7d18ddc 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop 
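Review bot: `signal (send),` in the second xfce-terminal hunk carries neither a `set=` nor a `peer=`, so the terminal may deliver any signal to any process its DAC identity can reach; every other signal rule in this series is scoped (`signal (send) set=(term) peer=polkit-agent-helper,` in polkit-gnome-authentication-agent, `signal send set=(term, kill) peer=fzsftp,` in filezilla). A terminal emulator presumably needs hup/term/kill towards the shell and the programs it spawns, whose label depends on how the shell is executed — that rule is outside the hunk. Until the child label is confirmed, narrowing the set and recording the intent is the minimum: `signal (send) set=(hup, term, kill), # TODO: add peer= once the spawned shell's label is known`.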
@@ -9,15 +9,25 @@ include @{exec_path} = @{bin}/xfdesktop profile xfdesktop @{exec_path} { include + include + include + include + include include include include include + dbus (bind) bus=session name=org.xfce.xfdesktop, + @{exec_path} mr, @{bin}/xfce4-mime-helper rix, + /etc/xdg/{,xdg-xubuntu/}xfce4/helpers.rc r, + /etc/xdg/menus/{,*.menu} r, + /usr/share/xfce4/helpers/{,*.desktop} r, + /usr/share/desktop-directories/{,*.directory} r, /usr/share/backgrounds/xfce/{,**} r, /etc/fstab r, diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 3eec3377f..b2f783390 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,8 +10,14 @@ include profile xfsettingsd @{exec_path} { include include + include + include + include + include include + dbus (bind) bus=session name=org.xfce.SettingsDaemon, + @{exec_path} mr, /etc/xdg/autostart/xfsettingsd.desktop r, diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index d7af2ccb9..7ecd2c8fe 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include + include + include include include include diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 08a553c1d..7a2b4530f 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -11,6 +11,7 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -61,6 +62,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, /dev/tty rw, + deny @{lib}/python3/dist-packages/blueman/__pycache__/** w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism index aae5d53cd..bb6c6cdf7 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism 
+++ b/apparmor.d/profiles-a-f/blueman-mechanism @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index be734ed50..4463ac581 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -29,6 +29,7 @@ profile filezilla @{exec_path} { network netlink raw, signal send set=(term, kill) peer=fzsftp, + signal send set=(term, kill) peer=fzputtygen, @{exec_path} mr, @@ -36,6 +37,7 @@ profile filezilla @{exec_path} { @{bin}/uname rix, @{bin}/fzsftp rPx, # When using SFTP protocol + @{bin}/fzputtygen rPUx, @{bin}/lsb_release rPx -> lsb_release, /usr/share/filezilla/{,**} r, diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index 03c8650dd..d46374984 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -16,7 +16,7 @@ profile iceauth @{exec_path} { owner @{tmp}/.xfsm-ICE-@{rand6} r, owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, - owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n, + owner @{run}/user/@{uid}/ICEauthority rwl -> @{run}/user/@{uid}/ICEauthority-n, owner @{run}/user/@{uid}/ICEauthority-c w, owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c, owner @{run}/user/@{uid}/ICEauthority-n rw, diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index c5c4aa276..04abb7e0c 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -22,6 +22,7 @@ profile im-launch @{exec_path} { @{bin}/sed rix, @{bin}/sleep rix, @{bin}/startplasma-x11 rPx, + @{bin}/startxfce4 rPx, @{bin}/true rix, @{bin}/uim-toolbar-gtk3 rPUx, @{bin}/uim-xim rPUx, 
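Review bot: `signal send set=(term, kill) peer=fzputtygen,` in the filezilla hunk names a confined peer label, but the paired exec rule is `@{bin}/fzputtygen rPUx`, which falls back to unconfined when no `fzputtygen` profile is loaded; in that case the helper's label is `unconfined`, the new signal rule never matches, and terminating it is denied. The sibling `@{bin}/fzsftp rPx` pairs its signal rule with a hard profile transition, which is what makes its `peer=fzsftp` reliable. Either ship a `fzputtygen` profile and use `rPx` like fzsftp, or add a fallback rule `signal send set=(term, kill) peer=unconfined,` and say why. Since fzputtygen is the helper that handles SSH private keys, running it unconfined is also the less desirable outcome from a confinement standpoint.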
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 03dfe9749..11773c911 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,6 +11,7 @@ include profile libreoffice @{exec_path} { include include + include include include include @@ -67,11 +68,14 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, - /etc/java{,@{version}}-openjdk/{,**} r, + /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/paperspecs r, + /etc/papersize r, /etc/xdg/* r, + owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, + owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, @@ -90,7 +94,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex32} rw, owner @{run}/user/@{uid}/#@{int} rw, @@ -99,6 +103,7 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 6585f6382..00fdc5cf0 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs 
@@ -43,6 +43,7 @@ profile mkinitramfs @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 190db34da..6000f6334 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -10,10 +10,12 @@ include @{exec_path} = @{bin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include + include include capability sys_admin, capability setpcap, + capability dac_read_search, network inet dgram, network inet stream, diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index e3edb99c3..c7c9160d7 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -21,7 +21,12 @@ profile nemo @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open, + + @{bin}/gdk-pixbuf-thumbnailer rPx, + /usr/share/nemo/** r, + /usr/share/thumbnailers/{,*.thumbnailer} r, # Full access to user's data / r, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index f59880046..44b18cf42 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -22,6 +22,7 @@ profile remmina @{exec_path} { include include include + include include include include @@ -29,6 +30,8 @@ profile remmina @{exec_path} { network inet stream, network inet6 stream, + network inet dgram, + network inet6 dgram, network netlink raw, #aa:dbus own bus=session name=org.remmina.Remmina @@ -58,6 +61,9 @@ profile remmina @{exec_path} { owner @{run}/user/@{uid}/keyring/ssh rw, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index c20b305e1..dca0fbe63 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts 
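Review bot: `capability dac_read_search,` in the mount-cifs hunk lets mount.cifs bypass read and search permission checks on every path, and the hunk does not say which access triggered it; the profile is `flags=(complain)`, so nothing is enforced yet, but the capability will carry over when the flag is dropped. A trailing comment naming the access, e.g. `capability dac_read_search, # TODO: record the path that needs this`, would let it be revisited or replaced by a narrower file rule before the profile leaves complain mode. The profile body continues outside the hunk.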
@@ -247,6 +247,8 @@ profile run-parts @{exec_path} { @{run}/reboot-required w, @{run}/reboot-required.pkgs rw, + @{sys}/module/compression r, + @{PROC}/devices r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 02a212150..8d717274d 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -27,6 +27,8 @@ profile su @{exec_path} { @{bin}/nologin rPx, @{etc_ro}/default/su r, + /etc/default/locale r, + /etc/environment r, @{HOME}/.xauth@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 0197e3c3b..99cdbc996 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py profile system-config-printer-applet @{exec_path} { include + include include include @@ -29,6 +30,8 @@ profile system-config-printer-applet @{exec_path} { /dev/tty rw, + deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w, + include if exists } diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 003770008..1e0d75fd0 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -55,6 +55,7 @@ profile xarchiver @{exec_path} { /home/ r, #owner @{HOME}/ r, #owner @{HOME}/** rw, + owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl, @{MOUNTS}/ r, @{MOUNTS}/** rw, /tmp/ r, From c04ee92d26ff0846da2e6d7332cb0135eb3bb374 Mon Sep 17 00:00:00 2001 
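Review bot: `owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl` in the xarchiver hunk composes the download directory by hand; the repository's `@{user_download_dirs}` tunable exists for exactly this path, and `owner @{user_download_dirs}/{,**} rwl,` keeps the rule consistent with the profiles that already use the tunable and follows it if the directory list is ever extended. The commented-out `#owner @{HOME}/** rw,` lines in context show the author deliberately avoided a blanket home rule, so the narrower download-only grant is the right direction. The enclosing profile block continues outside the hunk.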
From: nobody43 Date: Wed, 22 Jan 2025 23:06:56 +0000 Subject: [PATCH 037/672] xfce, new profiles --- .../groups/display-manager/lightdm-session | 23 ++++++++++ .../groups/freedesktop/pkla-admin-identities | 20 +++++++++ .../profiles-g-l/gdk-pixbuf-thumbnailer | 15 +++++++ apparmor.d/profiles-s-z/ucf | 45 +++++++++++++++++++ 4 files changed, 103 insertions(+) create mode 100644 apparmor.d/groups/display-manager/lightdm-session create mode 100644 apparmor.d/groups/freedesktop/pkla-admin-identities create mode 100644 apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer create mode 100644 apparmor.d/profiles-s-z/ucf diff --git a/apparmor.d/groups/display-manager/lightdm-session b/apparmor.d/groups/display-manager/lightdm-session new file mode 100644 index 000000000..fda263a8a --- /dev/null +++ b/apparmor.d/groups/display-manager/lightdm-session @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lightdm-session +profile lightdm-session @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/im-launch rPx, + + @{sh_path} rix, + @{bin}/mktemp rix, + @{bin}/expr rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities new file mode 100644 index 000000000..0fa176db5 --- /dev/null +++ b/apparmor.d/groups/freedesktop/pkla-admin-identities @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pkla-admin-identities +profile pkla-admin-identities @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/polkit-1/localauthority.conf.d/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer new file mode 100644 index 000000000..99ffb6dad --- /dev/null 
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gdk-pixbuf-thumbnailer +profile gdk-pixbuf-thumbnailer @{exec_path} { + include + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf new file mode 100644 index 000000000..52d65e0c5 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucf @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucf +profile ucf @{bin}/ucf { + include + include + + @{exec_path} mr, + + @{bin}/dpkg-query rPx, + @{bin}/dpkg-divert rPx -> child-dpkg-divert, + /usr/share/debconf/frontend rPx, + + @{sh_path} rix, + @{bin}/perl rix, + @{bin}/basename rix, + @{bin}/dirname rix, + @{bin}/getopt rix, + @{bin}/id rix, + @{bin}/readlink rix, + @{bin}/sed rix, + @{bin}/tr rix, + @{bin}/{,e,f}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/md5sum rix, + @{bin}/cp rix, + + /etc/ucf.conf r, + /etc/libreoffice/registry/** r, + + /var/lib/ucf/hashfile r, + + /usr/share/debconf/confmodule r, + + owner /tmp/tmp.@{rand10} r, + + include if exists +} + +# vim:syntax=apparmor From bb3bbb492b7fd83af869daa047b1b1a30d9f87c7 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Wed, 22 Jan 2025 23:10:29 +0000 Subject: [PATCH 038/672] xfce, proper abi --- apparmor.d/groups/freedesktop/pkla-admin-identities | 2 +- apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer | 2 +- apparmor.d/profiles-s-z/ucf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities index 0fa176db5..973de2be3 100644 --- a/apparmor.d/groups/freedesktop/pkla-admin-identities +++ b/apparmor.d/groups/freedesktop/pkla-admin-identities 
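Review bot: The new gdk-pixbuf-thumbnailer profile has no `@{exec_path} mr,` rule, unlike lightdm-session, pkla-admin-identities and ucf in the same patch; without it the binary's own executable segments cannot be mapped under the profile, so expect file_mmap denials and a program that only keeps working because main.flags lists `gdk-pixbuf-thumbnailer complain`. It also carries no file rules for the images it reads or the thumbnails it writes, so the profile currently documents nothing about what the thumbnailer touches, even though tumblerd and nemo now transition to it with `rPx`. Add `@{exec_path} mr,` after the include, and the read/write paths once they have been collected from the logs.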
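Review bot: `profile ucf @{bin}/ucf {` hardcodes the attachment path although `@{exec_path} = @{bin}/ucf` is defined two lines above and used by the `@{exec_path} mr,` rule; the other new profiles in this patch write `profile NAME @{exec_path} {`, which keeps the header in step with the variable if more paths are added. Separately, ucf exists to install and update configuration files under /etc, and `@{bin}/cp rix` inherits this profile, yet no write rule for any destination appears in the hunk, so denials are to be expected once `ucf complain` is dropped from main.flags — presumably the destinations are still to be collected from logs, confirm. A short comment on the profile, e.g. `# TODO: destination write rules for installed conffiles`, would make that state explicit.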
@@ -1,7 +1,7 @@ # apparmor.d - Full set of apparmor profiles # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer index 99ffb6dad..1fd7d9e12 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -1,7 +1,7 @@ # apparmor.d - Full set of apparmor profiles # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 52d65e0c5..5f810269a 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -1,7 +1,7 @@ # apparmor.d - Full set of apparmor profiles # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include From e749145544a52b99d6dedf34610bfea583749778 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Wed, 22 Jan 2025 23:10:50 +0000 Subject: [PATCH 039/672] xfce, flags --- dists/flags/main.flags | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6a1a1b6a7..27cb94d22 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -113,6 +113,7 @@ flatpak-validate-icon complain fstrim complain fuse-overlayfs complain fusermount complain +gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain @@ -217,6 +218,7 @@ libreoffice complain libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain +lightdm-session complain locale-gen complain localectl complain login attach_disconnected,complain @@ -251,6 +253,7 @@ pam-tmpdir-helper complain passimd attach_disconnected,complain pidof complain pkttyagent complain +pkla-admin-identities complain plank complain plasma_waitforname complain plasma-browser-integration-host complain 
@@ -348,6 +351,7 @@ systemsettings complain telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain +ucf complain udev-dmi-memory-id complain udisksctl complain udisksd attach_disconnected,complain From 39b38b9ee50c021eadf93dc3162d8d2d05e91752 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Thu, 23 Jan 2025 00:13:29 +0000 Subject: [PATCH 040/672] Adapt to RO root --- apparmor.d/groups/network/NetworkManager | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 39c68fda9..cb2e1c9c7 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -105,11 +105,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/ r, /etc/iproute2/* r, /etc/machine-id r, - /etc/netplan/90-NM-@{uuid}.yaml w, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, + @{etc_rw}/netplan/90-NM-@{uuid}.yaml w, @{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf.[0-9A-Z]* rw, From 8ce3c02000b10e37c64bb17aa99332cfb2486a71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Jan 2025 21:47:49 +0100 Subject: [PATCH 041/672] feat(abs): add modern dbus definition in upstream dbus abs. required for compqtibility with profile using upstream abstaction. --- .../abstractions/dbus-accessibility-strict.d/complete | 7 +++++++ apparmor.d/abstractions/dbus-session-strict.d/complete | 7 +++++++ apparmor.d/abstractions/dbus-strict.d/complete | 7 +++++++ 3 files changed, 21 insertions(+) create mode 100644 apparmor.d/abstractions/dbus-accessibility-strict.d/complete create mode 100644 apparmor.d/abstractions/dbus-session-strict.d/complete create mode 100644 apparmor.d/abstractions/dbus-strict.d/complete 
diff --git a/apparmor.d/abstractions/dbus-accessibility-strict.d/complete b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete new file mode 100644 index 000000000..f71f7d869 --- /dev/null +++ b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete new file mode 100644 index 000000000..8d82bd277 --- /dev/null +++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-strict.d/complete b/apparmor.d/abstractions/dbus-strict.d/complete new file mode 100644 index 000000000..86936b953 --- /dev/null +++ b/apparmor.d/abstractions/dbus-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor From cd8ae6a39128eae759161dd7de45dead9879c2c9 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 24 Jan 2025 21:51:44 +0100 Subject: [PATCH 042/672] refraator(test): cloud init source out of packer directory. --- tests/{packer/init => cloud-init}/archlinux-cosmic.user-data.yml | 0 tests/{packer/init => cloud-init}/archlinux-gnome.user-data.yml | 0 tests/{packer/init => cloud-init}/archlinux-kde.user-data.yml | 0 tests/{packer/init => cloud-init}/archlinux-server.user-data.yml | 0 tests/{packer/init => cloud-init}/archlinux-xfce.user-data.yml | 0 tests/{packer/init => cloud-init}/debian-gnome.user-data.yml | 0 tests/{packer/init => cloud-init}/debian-kde.user-data.yml | 0 tests/{packer/init => cloud-init}/debian-server.user-data.yml | 0 tests/{packer/init => cloud-init}/opensuse-gnome.user-data.yml | 0 tests/{packer/init => cloud-init}/opensuse-kde.user-data.yml | 0 tests/{packer/init => cloud-init}/ubuntu22-desktop.user-data.yml | 0 tests/{packer/init => cloud-init}/ubuntu24-desktop.user-data.yml | 0 tests/{packer/init => cloud-init}/ubuntu24-server.user-data.yml | 0 tests/packer/{init => }/clean.sh | 0 tests/packer/{init => }/init.sh | 0 15 files changed, 0 insertions(+), 0 deletions(-) rename tests/{packer/init => cloud-init}/archlinux-cosmic.user-data.yml (100%) rename tests/{packer/init => cloud-init}/archlinux-gnome.user-data.yml (100%) rename tests/{packer/init => cloud-init}/archlinux-kde.user-data.yml (100%) rename tests/{packer/init => cloud-init}/archlinux-server.user-data.yml (100%) rename tests/{packer/init => cloud-init}/archlinux-xfce.user-data.yml (100%) rename tests/{packer/init => cloud-init}/debian-gnome.user-data.yml (100%) rename tests/{packer/init => cloud-init}/debian-kde.user-data.yml (100%) rename tests/{packer/init => cloud-init}/debian-server.user-data.yml (100%) rename tests/{packer/init => cloud-init}/opensuse-gnome.user-data.yml (100%) rename tests/{packer/init => cloud-init}/opensuse-kde.user-data.yml (100%) rename tests/{packer/init => cloud-init}/ubuntu22-desktop.user-data.yml (100%) rename 
tests/{packer/init => cloud-init}/ubuntu24-desktop.user-data.yml (100%) rename tests/{packer/init => cloud-init}/ubuntu24-server.user-data.yml (100%) rename tests/packer/{init => }/clean.sh (100%) rename tests/packer/{init => }/init.sh (100%) diff --git a/tests/packer/init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-cosmic.user-data.yml rename to tests/cloud-init/archlinux-cosmic.user-data.yml diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-gnome.user-data.yml rename to tests/cloud-init/archlinux-gnome.user-data.yml diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-kde.user-data.yml rename to tests/cloud-init/archlinux-kde.user-data.yml diff --git a/tests/packer/init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-server.user-data.yml rename to tests/cloud-init/archlinux-server.user-data.yml diff --git a/tests/packer/init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-xfce.user-data.yml rename to tests/cloud-init/archlinux-xfce.user-data.yml diff --git a/tests/packer/init/debian-gnome.user-data.yml b/tests/cloud-init/debian-gnome.user-data.yml similarity index 100% rename from tests/packer/init/debian-gnome.user-data.yml rename to tests/cloud-init/debian-gnome.user-data.yml diff --git a/tests/packer/init/debian-kde.user-data.yml b/tests/cloud-init/debian-kde.user-data.yml similarity index 100% rename from tests/packer/init/debian-kde.user-data.yml rename to tests/cloud-init/debian-kde.user-data.yml 
diff --git a/tests/packer/init/debian-server.user-data.yml b/tests/cloud-init/debian-server.user-data.yml similarity index 100% rename from tests/packer/init/debian-server.user-data.yml rename to tests/cloud-init/debian-server.user-data.yml diff --git a/tests/packer/init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml similarity index 100% rename from tests/packer/init/opensuse-gnome.user-data.yml rename to tests/cloud-init/opensuse-gnome.user-data.yml diff --git a/tests/packer/init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml similarity index 100% rename from tests/packer/init/opensuse-kde.user-data.yml rename to tests/cloud-init/opensuse-kde.user-data.yml diff --git a/tests/packer/init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu22-desktop.user-data.yml similarity index 100% rename from tests/packer/init/ubuntu22-desktop.user-data.yml rename to tests/cloud-init/ubuntu22-desktop.user-data.yml diff --git a/tests/packer/init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml similarity index 100% rename from tests/packer/init/ubuntu24-desktop.user-data.yml rename to tests/cloud-init/ubuntu24-desktop.user-data.yml diff --git a/tests/packer/init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml similarity index 100% rename from tests/packer/init/ubuntu24-server.user-data.yml rename to tests/cloud-init/ubuntu24-server.user-data.yml diff --git a/tests/packer/init/clean.sh b/tests/packer/clean.sh similarity index 100% rename from tests/packer/init/clean.sh rename to tests/packer/clean.sh diff --git a/tests/packer/init/init.sh b/tests/packer/init.sh similarity index 100% rename from tests/packer/init/init.sh rename to tests/packer/init.sh From 5b9c1a8fea2213c83db14ba853775acf10ddadce Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 24 Jan 2025 21:59:02 +0100 Subject: [PATCH 043/672] test(packer): remove useless definition in cloud-init. --- tests/cloud-init/archlinux-cosmic.user-data.yml | 3 --- tests/cloud-init/archlinux-gnome.user-data.yml | 3 --- tests/cloud-init/archlinux-kde.user-data.yml | 3 --- tests/cloud-init/archlinux-server.user-data.yml | 3 --- tests/cloud-init/archlinux-xfce.user-data.yml | 3 --- tests/cloud-init/debian-gnome.user-data.yml | 3 --- tests/cloud-init/debian-kde.user-data.yml | 3 --- tests/cloud-init/debian-server.user-data.yml | 3 --- tests/cloud-init/opensuse-gnome.user-data.yml | 3 --- tests/cloud-init/opensuse-kde.user-data.yml | 3 --- tests/cloud-init/ubuntu22-desktop.user-data.yml | 3 --- tests/cloud-init/ubuntu24-desktop.user-data.yml | 3 --- tests/cloud-init/ubuntu24-server.user-data.yml | 3 --- 13 files changed, 39 deletions(-) diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index 442c32470..d95381b96 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index c65dfc4dd..a2a3d78b8 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index 97e8ffa7b..eea5df046 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: 
diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml index 93fd254a5..4a7f17374 100644 --- a/tests/cloud-init/archlinux-server.user-data.yml +++ b/tests/cloud-init/archlinux-server.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 1cc18f556..07d87364b 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/debian-gnome.user-data.yml b/tests/cloud-init/debian-gnome.user-data.yml index 0e2571883..5c95dc231 100644 --- a/tests/cloud-init/debian-gnome.user-data.yml +++ b/tests/cloud-init/debian-gnome.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/debian-kde.user-data.yml b/tests/cloud-init/debian-kde.user-data.yml index a608e9b0b..c81ced653 100644 --- a/tests/cloud-init/debian-kde.user-data.yml +++ b/tests/cloud-init/debian-kde.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/debian-server.user-data.yml b/tests/cloud-init/debian-server.user-data.yml index 5f4fe526e..47e4d832d 100644 --- a/tests/cloud-init/debian-server.user-data.yml +++ b/tests/cloud-init/debian-server.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index b54bb458e..66966bd6d 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml 
+++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index b54bb458e..66966bd6d 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu22-desktop.user-data.yml index 30a82279a..4c6450a6a 100644 --- a/tests/cloud-init/ubuntu22-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu22-desktop.user-data.yml @@ -3,9 +3,6 @@ # Based on https://github.com/canonical/autoinstall-desktop hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index 3c3807e29..4fa229416 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -5,9 +5,6 @@ # https://github.com/canonical/ubuntu-desktop-provision/blob/main/README.md hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml index 5e6d853ba..96318214c 100644 --- a/tests/cloud-init/ubuntu24-server.user-data.yml +++ b/tests/cloud-init/ubuntu24-server.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: From 45f5689d6aa62d1fc3a12f3e49587023c6709b06 Mon Sep 17 00:00:00 2001 
From: nobody43 Date: Fri, 24 Jan 2025 21:48:31 +0000 Subject: [PATCH 044/672] xfce, fixes --- apparmor.d/groups/display-manager/lightdm | 4 ++-- apparmor.d/groups/gvfs/gvfsd-computer | 2 +- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/xfce/thunar | 6 +++--- apparmor.d/groups/xfce/tumblerd | 9 +++------ apparmor.d/groups/xfce/xfce-clipman-settings | 2 +- apparmor.d/groups/xfce/xfce-notifyd | 4 ++-- apparmor.d/groups/xfce/xfce-panel | 4 ++-- apparmor.d/groups/xfce/xfce-power-manager | 4 ++-- apparmor.d/groups/xfce/xfce-screensaver | 2 +- apparmor.d/groups/xfce/xfce-session | 2 +- apparmor.d/groups/xfce/xfce-terminal | 4 ++-- apparmor.d/groups/xfce/xfconfd | 2 +- apparmor.d/groups/xfce/xfdesktop | 3 +-- apparmor.d/groups/xfce/xfsettingsd | 2 +- apparmor.d/profiles-a-f/blueman | 1 - apparmor.d/profiles-s-z/system-config-printer-applet | 2 -- apparmor.d/profiles-s-z/xarchiver | 1 - 18 files changed, 24 insertions(+), 32 deletions(-) diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index a70779fc4..67b789906 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -37,9 +37,9 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=xfce-session, signal (send) set=(term) peer=xorg, - unix (bind) type=stream addr="@@{hex}/bus/lightdm/system", + unix (bind) type=stream addr="@@{udbus}/bus/lightdm/system", - dbus (bind) bus=system name=org.freedesktop.DisplayManager, + #aa:dbus own bus=system name=org.freedesktop.DisplayManager @{exec_path} mrix, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index f72fc17c7..0a520d138 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer 
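Review bot: Replacing `dbus (bind) bus=system name=org.freedesktop.DisplayManager,` with `#aa:dbus own bus=system name=org.freedesktop.DisplayManager` is not a one-to-one swap: as I understand the project's directive, `own` expands to the bind rule plus send/receive rules on an object path derived from the name, so the generated profile is wider than the bare bind it replaces. That is fine where the service really answers at that path, but it is worth checking for the same substitution made below in gvfsd-computer, gvfsd-wsdd, thunar, tumblerd, xfce-clipman-settings, xfce-notifyd, xfce-panel, xfce-power-manager, xfce-screensaver, xfce-session, xfce-terminal, xfconfd, xfdesktop and xfsettingsd. In xfce-panel in particular, `org.kde.StatusNotifierWatcher` is served at `/StatusNotifierWatcher` rather than at a path derived from the name, so that directive may need an explicit `path=` argument or its generated send/receive rules will simply never match.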
@@ -12,7 +12,7 @@ profile gvfsd-computer @{exec_path} { include include - dbus (bind) bus=session name=org.gtk.vfs.mountpoint_@{int}, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 1b0dc2cc2..b88d36b18 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -13,7 +13,7 @@ profile gvfsd-wsdd @{exec_path} { network netlink raw, - dbus (bind) bus=session name=org.gtk.vfs.mountpoint_wsdd, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 629fc2b4b..77379c54f 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -19,9 +19,9 @@ profile thunar @{exec_path} { network netlink raw, - dbus (bind) bus=session name=org.xfce.Thunar, - dbus (bind) bus=session name=org.xfce.FileManager, - dbus (bind) bus=session name=org.freedesktop.FileManager1, + #aa:dbus own bus=session name=org.xfce.Thunar + #aa:dbus own bus=session name=org.xfce.FileManager + #aa:dbus own bus=session name=org.freedesktop.FileManager1 @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index db90af4c5..d47be7e98 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd @@ -12,16 +12,13 @@ profile tumblerd @{exec_path} { include include include - include - include - include include include include - dbus (bind) bus=session name=org.freedesktop.thumbnails.Cache1, - dbus (bind) bus=session name=org.freedesktop.thumbnails.Manager1, - dbus (bind) bus=session name=org.freedesktop.thumbnails.Thumbnailer1, + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1 @{exec_path} mr, 
diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 2c777a0a1..9e74d8046 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -13,7 +13,7 @@ profile xfce-clipman-settings @{exec_path} { include include - dbus (bind) bus=session name=org.xfce.clipman.settings, + #aa:dbus own bus=session name=org.xfce.clipman.settings @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index d8ef2a9e0..c594b8ed3 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -24,8 +24,8 @@ profile xfce-notifyd @{exec_path} { network inet6 stream, network netlink raw, - dbus (bind) bus=session name=org.xfce.Notifyd, - dbus (bind) bus=session name=org.freedesktop.Notifications, + #aa:dbus own bus=session name=org.xfce.Notifyd + #aa:dbus own bus=session name=org.freedesktop.Notifications @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index d2a9cdbf6..b04ed2eb9 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -22,8 +22,8 @@ profile xfce-panel @{exec_path} { ptrace (read) peer=xfce-terminal, - dbus (bind) bus=session name=org.xfce.Panel, - dbus (bind) bus=session name=org.kde.StatusNotifierWatcher, + #aa:dbus own bus=session name=org.xfce.Panel + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 4f3199a9e..91be9eede 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager 
@@ -16,8 +16,8 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include include - dbus (bind) bus=session name=org.xfce.PowerManager, - dbus (bind) bus=session name=org.freedesktop.PowerManagement, + #aa:dbus own bus=session name=org.xfce.PowerManager + #aa:dbus own bus=session name=org.freedesktop.PowerManagement @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index 911cc1b9f..2c0f13bc1 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -16,7 +16,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include include - dbus (bind) bus=session name=org.xfce.ScreenSaver, + #aa:dbus own bus=session name=org.xfce.ScreenSaver @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index 6db8277d7..beddcce1f 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -20,7 +20,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=lightdm, - dbus (bind) bus=session name=org.xfce.SessionManager, + #aa:dbus own bus=session name=org.xfce.SessionManager @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 46a17ca7f..5250814de 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -21,7 +21,7 @@ profile xfce-terminal @{exec_path} { signal (send), - dbus (bind) bus=session name=org.xfce.Terminal5, + #aa:dbus own bus=session name=org.xfce.Terminal5 @{exec_path} mr, @@ -35,7 +35,7 @@ profile xfce-terminal @{exec_path} { @{bin}/micro rPUx, @{bin}/nvtop rPx, - @{bin}/vim{,.basic} rPUx, + @{editor_path} rPUx, /usr/share/ r, /usr/share/desktop-base/profiles/xdg-config/ r, diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index de82191a7..9cd273544 100644 
--- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -13,7 +13,7 @@ profile xfconfd @{exec_path} { include include - dbus (bind) bus=session name=org.xfce.Xfconf, + #aa:dbus own bus=session name=org.xfce.Xfconf @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index ed7d18ddc..05705332d 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfdesktop profile xfdesktop @{exec_path} { include - include include include include @@ -18,7 +17,7 @@ profile xfdesktop @{exec_path} { include include - dbus (bind) bus=session name=org.xfce.xfdesktop, + #aa:dbus own bus=session name=org.xfce.xfdesktop @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index b2f783390..22db3f80d 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -16,7 +16,7 @@ profile xfsettingsd @{exec_path} { include include - dbus (bind) bus=session name=org.xfce.SettingsDaemon, + #aa:dbus own bus=session name=org.xfce.SettingsDaemon @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 7a2b4530f..469fb24a0 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -62,7 +62,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, /dev/tty rw, - deny @{lib}/python3/dist-packages/blueman/__pycache__/** w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 99cdbc996..6424ebcc4 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet 
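Review bot: Dropping `deny @{lib}/python3/dist-packages/blueman/__pycache__/** w,` changes behaviour in one of two ways and the commit message does not say which is intended: if an included abstraction grants write access under `@{lib}/python3/dist-packages`, this explicit deny was the only thing stopping the confined process from writing bytecode into a system-wide package directory and that write is now allowed; if nothing grants it, the only effect is that the previously silenced denial is now logged on every start. The same removal is made for `deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w,` in system-config-printer-applet in the next hunk. Unless the writes are confirmed to be covered by a broader deny elsewhere, I would keep both rules.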
@@ -30,8 +30,6 @@ profile system-config-printer-applet @{exec_path} { /dev/tty rw, - deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w, - include if exists } diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 1e0d75fd0..003770008 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -55,7 +55,6 @@ profile xarchiver @{exec_path} { /home/ r, #owner @{HOME}/ r, #owner @{HOME}/** rw, - owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl, @{MOUNTS}/ r, @{MOUNTS}/** rw, /tmp/ r, From aae36aa4e02700e5108b1fbddfc9f9327d03dc7b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Jan 2025 23:32:24 +0100 Subject: [PATCH 045/672] test(packer): make image builder simplier. --- tests/Makefile | 5 +- tests/cloud-init/debian-gnome.user-data.yml | 4 +- tests/cloud-init/debian-kde.user-data.yml | 2 +- tests/cloud-init/opensuse-gnome.user-data.yml | 8 +-- tests/cloud-init/opensuse-kde.user-data.yml | 8 +-- .../cloud-init/ubuntu22-desktop.user-data.yml | 11 ++-- .../cloud-init/ubuntu24-desktop.user-data.yml | 11 ++-- tests/packer/archlinux.pkr.hcl | 2 +- tests/packer/builds.pkr.hcl | 55 +++++++------------ tests/packer/clean.sh | 31 ++++------- tests/packer/debian.pkr.hcl | 4 +- tests/packer/init.sh | 11 ++-- tests/packer/opensuse.pkr.hcl | 2 +- tests/packer/ubuntu.pkr.hcl | 8 +-- tests/packer/variables.pkr.hcl | 6 -- 15 files changed, 65 insertions(+), 103 deletions(-) diff --git a/tests/Makefile b/tests/Makefile index 8bf5f6182..3453ecee8 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -12,14 +12,13 @@ flavor ?= disk ?= 10G -VERSION := 0.$(shell git rev-list --count HEAD) -BASE = archlinux debian ubuntu opensuse fedora +BASE = archlinux debian ubuntu22 ubuntu24 opensuse fedora .PHONY: ${BASE} lint $(BASE): @make --directory=../ package dist=${@} - @packer build -force -var version=${VERSION} \ + @packer build -force \ -var disk_size=${disk} -var flavor="${flavor}" \ -only=qemu.${@} packer/ 
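Review bot: Replacing `ubuntu` with `ubuntu22 ubuntu24` in `BASE` means the `$(BASE)` rule now runs `make --directory=../ package dist=ubuntu22` and `dist=ubuntu24`, so the top-level `package` target (outside this diff) must accept those as distribution names; if it only knows `ubuntu`, both new targets fail before packer starts. The removal of `-var version=${VERSION}` is consistent with the `version` variable dropped from variables.pkr.hcl in the diffstat.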
diff --git a/tests/cloud-init/debian-gnome.user-data.yml b/tests/cloud-init/debian-gnome.user-data.yml index 5c95dc231..1c48eb2e9 100644 --- a/tests/cloud-init/debian-gnome.user-data.yml +++ b/tests/cloud-init/debian-gnome.user-data.yml @@ -24,10 +24,10 @@ packages: - devscripts - htop - qemu-guest-agent - - spice-vdagent - rsync - - vim + - spice-vdagent - task-gnome-desktop + - vim runcmd: - apt-get update -y diff --git a/tests/cloud-init/debian-kde.user-data.yml b/tests/cloud-init/debian-kde.user-data.yml index c81ced653..e644414fa 100644 --- a/tests/cloud-init/debian-kde.user-data.yml +++ b/tests/cloud-init/debian-kde.user-data.yml @@ -24,8 +24,8 @@ packages: - devscripts - htop - qemu-guest-agent - - spice-vdagent - rsync + - spice-vdagent - vim - task-kde-desktop diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 66966bd6d..5e5b197bc 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -20,19 +20,15 @@ packages: - bash-completion - distribution-release - git + - go - golang-packaging - htop - make - rpmbuild + - rsync - vim write_files: - # Set some bash aliases - - path: /home/${username}/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - # Setup shared directory - path: /etc/fstab append: true diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 66966bd6d..5e5b197bc 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -20,19 +20,15 @@ packages: - bash-completion - distribution-release - git + - go - golang-packaging - htop - make - rpmbuild + - rsync - vim write_files: - # Set some bash aliases - - path: /home/${username}/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - # Setup shared directory - path: /etc/fstab append: true 
diff --git a/tests/cloud-init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu22-desktop.user-data.yml index 4c6450a6a..75dc6349d 100644 --- a/tests/cloud-init/ubuntu22-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu22-desktop.user-data.yml @@ -18,18 +18,19 @@ package_update: true package_upgrade: true package_reboot_if_required: false packages: - - ubuntu-desktop - - linux-generic-hwe-22.04 - - qemu-guest-agent - - spice-vdagent - - terminator - apparmor-profiles - build-essential - config-package-dev - debhelper - devscripts - golang-go + - linux-generic-hwe-22.04 + - qemu-guest-agent - rsync + - spice-vdagent + - terminator + - ubuntu-desktop + - vim snap: commands: diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index 4fa229416..9f7225367 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -20,18 +20,19 @@ package_update: true package_upgrade: true package_reboot_if_required: false packages: - - ubuntu-desktop - - linux-generic-hwe-24.04 - - qemu-guest-agent - - spice-vdagent - - terminator - apparmor-profiles - build-essential - config-package-dev - debhelper - devscripts - golang-go + - linux-generic-hwe-24.04 + - qemu-guest-agent - rsync + - spice-vdagent + - terminator + - ubuntu-desktop + - vim snap: commands: diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl index 41a2627d5..88a5a1cba 100644 --- a/tests/packer/archlinux.pkr.hcl +++ b/tests/packer/archlinux.pkr.hcl @@ -27,7 +27,7 @@ source "qemu" "archlinux" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" 
diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 1c16a6b84..7071c3983 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl 
@@ -12,53 +12,38 @@ build {
 "source.qemu.ubuntu24",
 ]
 
- # Upload local files
+ # Upload artifacts
 provisioner "file" {
- destination = "/tmp"
- sources = ["${path.cwd}/packer/src"]
- }
-
- provisioner "file" {
- only = ["qemu.archlinux"]
- destination = "/tmp/src/"
+ destination = "/tmp/"
 sources = [
- "${path.cwd}/../.pkg/apparmor.d-${var.version}-1-x86_64.pkg.tar.zst",
+ "${path.cwd}/packer/src/",
+ "${path.cwd}/packer/init.sh",
+ "${path.cwd}/packer/clean.sh",
+ "${path.cwd}/../.pkg/",
 ]
 }
 
- provisioner "file" {
- only = ["qemu.opensuse"]
- destination = "/tmp/src/"
- sources = ["${path.cwd}/../.pkg/apparmor.d-${var.version}-1.x86_64.rpm"]
- }
-
- provisioner "file" {
- only = ["qemu.debian", "qemu.ubuntu22", "qemu.ubuntu24"]
- destination = "/tmp/src/"
- sources = ["${path.cwd}/../.pkg/apparmor.d_${var.version}-1_amd64.deb"]
- }
-
- # Wait for cloud-init to finish
+ # Full system provisioning
 provisioner "shell" {
 execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
 inline = [
+ # Wait for cloud-init to finish
 "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done",
- "cloud-init clean", # Remove logs and artifacts so cloud-init can re-run
+
+ # Ensure cloud-init is successful
+ "cloud-init status",
+
+ # Remove logs and artifacts so cloud-init can re-run
+ "cloud-init clean",
+
+ # Install local files and config
+ "bash /tmp/init.sh",
+
+ # Minimize the image
+ "bash /tmp/clean.sh",
 ]
 }
 
- # Install local files and config
- provisioner "shell" {
- script = "${path.cwd}/packer/init/init.sh"
- execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
- }
-
- # Minimize the image
- provisioner "shell" {
- script = "${path.cwd}/packer/init/clean.sh"
- execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
- }
-
 post-processor "vagrant" {
 output = "${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box"
 }
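Review bot: `bash /tmp/init.sh` and `bash /tmp/clean.sh` are executed as root straight out of the shared, world-writable `/tmp/` that the file provisioner uploads into, so any other process on the guest that can write there between upload and execution decides what runs; the previous `script =` provisioners had each script staged at a Packer-managed temporary path instead. On a throwaway build VM this is a small window, but a root-owned staging directory created by the same provisioner (or at least a `chmod 700` on both scripts before they are run) would close it at no cost. Also, `"cloud-init status"` only acts as the "ensure cloud-init is successful" check if Packer's default `/bin/sh -e` inline shebang is in effect and the installed cloud-init returns non-zero for an error state; if either assumption does not hold the build continues on a failed cloud-init, so a comment such as `# relies on inline_shebang's -e: a non-zero status aborts the build` would make the dependency visible.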
diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh
index 2e1e7b551..8459421a1 100644
--- a/tests/packer/clean.sh
+++ b/tests/packer/clean.sh
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
-set -u
+set -eu -o pipefail
 
 # shellcheck source=/dev/null
 _lsb_release() {
@@ -46,23 +46,15 @@ _sshdgenkeys() {
 _EOF
 }
 
-clean_debian() {
- _msg "Apt clean configuration"
-
- _msg "Full system upgrade"
- apt-get update -y
- apt-get -qq -y --no-install-recommends upgrade
- apt-get -qq -y --no-install-recommends dist-upgrade
-
- _msg "Clean the apt cache"
+clean_apt() {
+ _msg "Cleaning the apt cache"
 apt-get -y autoremove --purge
 apt-get -y autoclean
 apt-get -y clean
 }
 
-clean_arch() {
- _msg "Pacman clean configuration"
-
+clean_pacman() {
+ _msg "Cleaning pacman cache"
 pacman -Syu --noconfirm
 pacman -Qdtq | while IFS='' read -r pkg; do
 pacman -Rsccn --noconfirm "$pkg"
@@ -70,16 +62,15 @@ clean_arch() {
 pacman -Scc --noconfirm
 }
 
-clean_opensuse() {
- _msg "zypper clean configuration"
-
+clean_zypper() {
+ _msg "Cleaning zypper cache"
 zypper update -y
 zypper clean -y
 }
 
 # Make the image as impersonal as possible.
 impersonalize() {
- _msg "Make the image as impersonal as possible."
+ _msg "Making the image as impersonal as possible."
 
 # Remove remaining pkg file, docs and caches
 dirs=(
@@ -159,16 +150,16 @@ main() {
 begin=$(_diskused)
 case "$DISTRIBUTION" in
 debian | ubuntu)
- clean_debian
+ clean_apt
 _sshdgenkeys
 ;;
 
 opensuse*)
- clean_opensuse
+ clean_zypper
 ;;
 
 arch)
- clean_arch
+ clean_pacman
 ;;
 esac
 impersonalize
diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl
index 7fd176b6e..d45ed3d37 100644
--- a/tests/packer/debian.pkr.hcl
+++ b/tests/packer/debian.pkr.hcl
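Review bot: `set -eu -o pipefail` in the first hunk changes the failure semantics of every pipeline in the file, and `pacman -Qdtq | while IFS='' read -r pkg` in `clean_pacman` is the first casualty: `pacman -Qdtq` exits non-zero when there are no orphaned packages, so on an already clean image `pipefail` turns the empty result into an abort before `pacman -Scc` runs. Guard the producer, e.g. `{ pacman -Qdtq || true; } | while IFS='' read -r pkg; do`. `zypper update -y` in `clean_zypper` can likewise report informational conditions (reboot or restart needed) through exit codes in the 100 range, which `-e` will treat as failure; if that is not desired, append `|| [ $? -ge 100 ]` or document why an abort is acceptable there. The `clean_pacman` loop body continues outside the second hunk.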
@@ -6,7 +6,7 @@ source "qemu" "debian" { disk_image = true iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" + iso_target_path = "${var.iso_dir}/debian-${var.release.debian.codename}-cloudimg-amd64.img" cpu_model = "host" cpus = 6 memory = 4096 @@ -28,7 +28,7 @@ source "qemu" "debian" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/init.sh b/tests/packer/init.sh index df300c0c4..be9529666 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -11,7 +11,7 @@ _lsb_release() { echo "$ID" } DISTRIBUTION="$(_lsb_release)" -readonly SRC=/tmp/src +readonly SRC=/tmp/ readonly DISTRIBUTION main() { @@ -28,23 +28,22 @@ main() { case "$DISTRIBUTION" in arch) pacman --noconfirm -U $SRC/*.pkg.tar.zst - systemctl start apparmor.service ;; debian | ubuntu) - apt-get update -y - apt-get install -y apparmor-profiles build-essential config-package-dev \ - debhelper devscripts htop rsync vim dpkg -i $SRC/*.deb ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - zypper install -y bash-completion git go htop make rsync vim rpm -i $SRC/*.rpm ;; esac + + rm -rf /var/cache/apparmor/* + rm -rf /etc/apparmor/earlypolicy/ + systemctl reload apparmor.service } main "$@" diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl index 49ba09f70..29649d4bc 100644 --- a/tests/packer/opensuse.pkr.hcl +++ b/tests/packer/opensuse.pkr.hcl 
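Review bot: With `readonly SRC=/tmp/` the root-run `pacman --noconfirm -U $SRC/*.pkg.tar.zst`, `dpkg -i $SRC/*.deb` and `rpm -i $SRC/*.rpm` now install whatever package files happen to match in the shared `/tmp/` instead of the dedicated `/tmp/src` the previous version used, and the globs are unquoted, so when nothing matches the literal `/tmp//*.deb` is handed to the package manager and the install fails. Whether that failure stops the build depends on a `set -e` whose header is outside these hunks; if it does not, the new `rm -rf /var/cache/apparmor/*` / `rm -rf /etc/apparmor/earlypolicy/` / `systemctl reload apparmor.service` sequence runs against the unchanged policy. An explicit check before the `case`, e.g. `pkgs=("$SRC"/*.deb "$SRC"/*.rpm "$SRC"/*.pkg.tar.zst); [ -e "${pkgs[0]}" ] || { echo "no package found in $SRC" >&2; exit 1; }`, and a one-line comment on why the cache and early policy must be discarded before the reload, would make the script safe to read and to fail. `main()` opens in the first hunk; the second hunk shows only part of its body.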
@@ -30,7 +30,7 @@ source "qemu" "opensuse" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl index 052b460da..f69818060 100644 --- a/tests/packer/ubuntu.pkr.hcl +++ b/tests/packer/ubuntu.pkr.hcl @@ -6,7 +6,7 @@ source "qemu" "ubuntu22" { disk_image = true iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/${var.release.ubuntu22.codename}-server-cloudimg-amd64.img" iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu22-cloudimg-amd64.img" + iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu22.codename}-cloudimg-amd64.img" cpu_model = "host" cpus = 6 memory = 4096 @@ -28,7 +28,7 @@ source "qemu" "ubuntu22" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" @@ -43,7 +43,7 @@ source "qemu" "ubuntu24" { disk_image = true iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu24-cloudimg-amd64.img" + iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" cpu_model = "host" cpus = 6 memory = 4096 
@@ -65,7 +65,7 @@ source "qemu" "ubuntu24" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index a37c89bf0..82251f25a 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -58,12 +58,6 @@ variable "prefix" { default = "aa-" } -variable "version" { - description = "apparmor.d version" - type = string - default = "0.001" -} - variable "flavor" { description = "Distribution flavor to use (server, desktop, gnome, kde...)" type = string From 4e73f7209fcdec7f7a87e8bb0fd6150a5a5dd470 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Jan 2025 23:44:11 +0100 Subject: [PATCH 046/672] test(packer): add cpu & ram internal variable. --- tests/packer/archlinux.pkr.hcl | 4 ++-- tests/packer/debian.pkr.hcl | 4 ++-- tests/packer/opensuse.pkr.hcl | 4 ++-- tests/packer/ubuntu.pkr.hcl | 8 ++++---- tests/packer/variables.pkr.hcl | 12 ++++++++++++ 5 files changed, 22 insertions(+), 10 deletions(-) diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl index 88a5a1cba..06f2ad3a7 100644 --- a/tests/packer/archlinux.pkr.hcl +++ b/tests/packer/archlinux.pkr.hcl @@ -8,8 +8,8 @@ source "qemu" "archlinux" { iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = true diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl index d45ed3d37..12d4a513c 100644 --- a/tests/packer/debian.pkr.hcl +++ b/tests/packer/debian.pkr.hcl 
@@ -8,8 +8,8 @@ source "qemu" "debian" { iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" iso_target_path = "${var.iso_dir}/debian-${var.release.debian.codename}-cloudimg-amd64.img" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = true diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl index 29649d4bc..46cf4af29 100644 --- a/tests/packer/opensuse.pkr.hcl +++ b/tests/packer/opensuse.pkr.hcl @@ -10,8 +10,8 @@ source "qemu" "opensuse" { iso_checksum = "sha256:223ed62160ef4f1a4f21b69c574f552a07eee6ef66cf66eef2b49c5a7c4864f4" iso_target_path = "${var.base_dir}/base-tumbleweed-gnome.qcow2" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = false diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl index f69818060..3689882ad 100644 --- a/tests/packer/ubuntu.pkr.hcl +++ b/tests/packer/ubuntu.pkr.hcl @@ -8,8 +8,8 @@ source "qemu" "ubuntu22" { iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS" iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu22.codename}-cloudimg-amd64.img" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = true @@ -45,8 +45,8 @@ source "qemu" "ubuntu24" { iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = true diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 82251f25a..0361698d6 100644 
--- a/tests/packer/variables.pkr.hcl
+++ b/tests/packer/variables.pkr.hcl
@@ -22,6 +22,18 @@ variable "ssh_publickey" {
 default = "~/.ssh/id_ed25519.pub"
 }
 
+variable "cpus" {
+ description = "Default CPU of the VM"
+ type = string
+ default = "6"
+}
+
+variable "ram" {
+ description = "Default RAM of the VM"
+ type = string
+ default = "4096"
+}
+
 variable "disk_size" {
 description = "Disk size of the VM to build"
 type = string
From 8806030a0a41835c2bf75437c1a7c519f19dc7fc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 25 Jan 2025 22:31:29 +0100
Subject: [PATCH 047/672] feat(profile): more use @{etc_ro} when we know it is needed.

---
 apparmor.d/groups/_full/systemd | 4 ++--
 apparmor.d/groups/apt/unattended-upgrade | 2 +-
 apparmor.d/groups/cron/crontab | 4 ++--
 apparmor.d/groups/display-manager/lightdm | 4 ++--
 apparmor.d/groups/gnome/gnome-initial-setup | 4 ++--
 apparmor.d/groups/hyprland/hyprlock | 2 +-
 apparmor.d/groups/kde/kscreenlocker_greet | 9 +++++----
 apparmor.d/groups/kde/sddm | 6 +++---
 apparmor.d/groups/ubuntu/apport | 2 +-
 apparmor.d/groups/ubuntu/apport-checkreports | 2 +-
 apparmor.d/groups/virt/cockpit-bridge | 2 +-
 apparmor.d/profiles-a-f/agetty | 5 ++---
 apparmor.d/profiles-a-f/chage | 2 +-
 apparmor.d/profiles-a-f/chpasswd | 3 ++-
 apparmor.d/profiles-a-f/firecfg | 3 ++-
 apparmor.d/profiles-g-l/gamemoded | 4 ++--
 apparmor.d/profiles-g-l/gpasswd | 2 +-
 apparmor.d/profiles-g-l/groupadd | 2 +-
 apparmor.d/profiles-g-l/groupdel | 2 +-
 apparmor.d/profiles-g-l/groupmod | 2 +-
 apparmor.d/profiles-g-l/grpck | 2 +-
 apparmor.d/profiles-g-l/lastlog | 3 ++-
 apparmor.d/profiles-g-l/login | 6 +++---
 apparmor.d/profiles-m-r/newgrp | 4 ++--
 apparmor.d/profiles-m-r/pwck | 3 ++-
 apparmor.d/profiles-s-z/snapd | 2 +-
 apparmor.d/profiles-s-z/useradd | 2 +-
 apparmor.d/profiles-s-z/userdel | 2 +-
 apparmor.d/profiles-s-z/usermod | 2 +-
 apparmor.d/profiles-s-z/vipw-vigr | 2 +-
 30 files changed, 49 insertions(+), 45 deletions(-)
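Review bot: `cpus` and `ram` are declared `type = string` with `default = "6"` and `default = "4096"` even though they feed the numeric `cpus` and `memory` attributes of the qemu sources in the preceding hunks; HCL converts the strings implicitly, so it works, but `type = number` would reject a mistyped value at parse time rather than at QEMU launch (the neighbouring `disk_size` uses `string` too, so this is a consistency trade-off to decide once for the file). The descriptions are also imprecise: `description = "Number of vCPUs of the build VM"` and `description = "RAM of the build VM, in MiB"` say what a caller actually has to supply.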
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 9f611cf3d..d71647705 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -181,12 +181,12 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /var/lib/*/ r, /var/tmp/ r, + @{etc_ro}/environment r, + @{etc_ro}/environment.d/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, /etc/credstore.encrypted/{,**} r, /etc/credstore/{,**} r, - /etc/environment r, - /etc/environment.d/{,**} r, /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/systemd/{,**} r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d0fdad4b7..ead68957a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -62,6 +62,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /usr/share/distro-info/* r, + @{etc_ro}/security/capability.conf r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, @@ -79,7 +80,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, - /etc/security/capability.conf r, /etc/update-manager/{,**} r, /etc/update-motd.d/* r, /etc/vmware-tools/* r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index ccc948b01..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -28,10 +28,10 @@ profile crontab @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, + @{etc_ro}/environment r, + @{etc_ro}/security/*.conf r, /etc/cron.{allow,deny} r, - /etc/environment r, /etc/pam.d/* r, - /etc/security/*.conf r, /var/spool/cron/ r, /var/spool/cron/** rw, diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index 04accbbf0..112daf091 100644 --- a/apparmor.d/groups/display-manager/lightdm 
+++ b/apparmor.d/groups/display-manager/lightdm @@ -56,11 +56,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, - /etc/environment r, /etc/lightdm/{,**} r, /etc/machine-id r, - /etc/security/limits.d/{,*} r, /etc/shells r, /var/cache/lightdm/dmrc/*.dmrc* rw, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index d27ccb8bb..84f6b15c8 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -46,8 +46,8 @@ profile gnome-initial-setup @{exec_path} { /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/timezone r, /etc/gdm{,3}/custom.conf r, diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index b17c0c66a..996d9f170 100644 --- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -19,7 +19,7 @@ profile hyprlock @{exec_path} { @{exec_path} mr, - /etc/security/faillock.conf r, + @{etc_ro}/security/faillock.conf r, /etc/shells r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 79e2b4c59..a13270c93 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet 
@@ -51,12 +51,13 @@ profile kscreenlocker_greet @{exec_path} { /usr/share/xsessions/{,*.desktop} r, /usr/share/hunspell/* r, - /{usr/,}etc/environment r, - /{usr/,}etc/login.defs r, - /{usr/,}etc/login.defs.d/ r, - /{usr/,}etc/security/*.conf r, + @{etc_ro}/environment r, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/ r, + @{etc_ro}/security/*.conf r, /etc/fstab r, /etc/machine-id r, + /etc/os-release r, /etc/pam.d/* r, /etc/shells r, /etc/xdg/kscreenlockerrc r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 8e491bb2b..56f0f5820 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -128,9 +128,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/X11/xinit/xinitrc.d/{,*} r, - /{usr/,}etc/environment r, - /{usr/,}etc/security/limits.d/{,*.conf} r, - /{usr/,}etc/X11/Xmodmap r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*.conf} r, + @{etc_ro}/X11/Xmodmap r, /etc/debuginfod/{,*} r, /etc/manpath.config r, /etc/default/locale r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 11aad0da3..7c683ae27 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -33,8 +33,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { /usr/share/apport/{,**} r, + @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, - /etc/login.defs r, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 665b3eaca..6e1bb05f2 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -20,9 +20,9 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { /usr/share/dpkg/tupletable r, /usr/share/apport/ r, + @{etc_ro}/login.defs r, /etc/apt/apt.conf.d/{,**} r, /etc/default/apport r, - /etc/login.defs r, /var/crash/ r, 
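Review bot: `/etc/os-release r` is added to kscreenlocker_greet without being an `@{etc_ro}` conversion, and the same commit carries other unrelated grants — `/etc/.pwd.lock wk` in the chpasswd and pwck hunks and `/etc/firejail/firejail.users r` in the firecfg hunk — none of which the commit message ("more use @{etc_ro}") mentions, so a reader cannot tell whether they were observed denials or guesses. The `wk` on the shadow suite's lock file is a write-and-lock grant rather than a read and deserves its own one-line justification in the message or as an inline comment, e.g. `# lckpwdf() lock taken while editing passwd/shadow`; listing the other additions in the message (or splitting them into their own commit) keeps the rename reviewable.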
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 94b185162..6ca662859 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -67,9 +67,9 @@ profile cockpit-bridge @{exec_path} { /usr/share/file/** r, /usr/share/iproute2/* r, + @{etc_ro}/login.defs r, /etc/cockpit/{,**} r, /etc/httpd/conf/mime.types r, - /etc/login.defs r, /etc/machine-id r, /etc/mime.types r, /etc/motd r, diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 9e6db414e..4605822e7 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -24,15 +24,14 @@ profile agetty @{exec_path} { @{bin}/login rPx, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, @{etc_rw}/issue r, /{,usr/}lib/os-release r, /{etc,run,lib,usr/lib}/issue r, /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, - /etc/login.defs r, - /etc/login.defs.d/{,*} r, /etc/os-release r, - /usr/etc/login.defs r, @{run}/credentials/getty@tty@{int}.service/ r, @{run}/credentials/serial-getty@ttyS@{int}.service/ r, diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/profiles-a-f/chage index a89e204a8..43f34a703 100644 --- a/apparmor.d/profiles-a-f/chage +++ b/apparmor.d/profiles-a-f/chage @@ -20,7 +20,7 @@ profile chage @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow} rw, /etc/{passwd,shadow}.@{pid} w, diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/profiles-a-f/chpasswd index fb8438cc1..869ba20ab 100644 --- a/apparmor.d/profiles-a-f/chpasswd +++ b/apparmor.d/profiles-a-f/chpasswd @@ -18,8 +18,9 @@ profile chpasswd @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, - /etc/login.defs r, /etc/passwd rw, /etc/passwd.@{int} w, /etc/passwd.lock l -> /etc/passwd.@{int}, diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index a3aba8af1..02201e78e 100644 
--- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -21,7 +21,8 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/apparmor_parser rPx, - /etc/login.defs r, + @{etc_ro}/login.defs r, + /etc/firejail/firejail.users r, /etc/firejail/firecfg.config r, diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded index 8f5067b77..eb2d3fc1e 100644 --- a/apparmor.d/profiles-g-l/gamemoded +++ b/apparmor.d/profiles-g-l/gamemoded @@ -57,8 +57,8 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { @{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/procsysctl ix, - /etc/security/limits.d/ r, - /etc/security/limits.d/@{int}-gamemode.conf r, + @{etc_ro}/security/limits.d/ r, + @{etc_ro}/security/limits.d/@{int}-gamemode.conf r, /etc/shells r, @{sys}/devices/@{pci}/power_dpm_force_performance_level rw, diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/profiles-g-l/gpasswd index 8afdff8db..ab2d21860 100644 --- a/apparmor.d/profiles-g-l/gpasswd +++ b/apparmor.d/profiles-g-l/gpasswd @@ -29,7 +29,7 @@ profile gpasswd @{exec_path} { owner @{PROC}/@{pid}/loginuid r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd index 9450974a1..65e735605 100644 --- a/apparmor.d/profiles-g-l/groupadd +++ b/apparmor.d/profiles-g-l/groupadd @@ -22,7 +22,7 @@ profile groupadd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}- w, diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/profiles-g-l/groupdel index 99b7fddaa..734b22463 100644 --- a/apparmor.d/profiles-g-l/groupdel +++ b/apparmor.d/profiles-g-l/groupdel 
@@ -25,7 +25,7 @@ profile groupdel @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/profiles-g-l/groupmod index 4b9b0446a..01841483e 100644 --- a/apparmor.d/profiles-g-l/groupmod +++ b/apparmor.d/profiles-g-l/groupmod @@ -24,7 +24,7 @@ profile groupmod @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,gshadow,group} rw, /etc/{passwd,gshadow,group}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/profiles-g-l/grpck index 5fad8960c..3b820febb 100644 --- a/apparmor.d/profiles-g-l/grpck +++ b/apparmor.d/profiles-g-l/grpck @@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{gshadow,group} rw, /etc/{gshadow,group}.@{pid} rw, diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index 392aba362..0cb62819f 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -17,8 +17,9 @@ profile lastlog @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + /var/log/lastlog r, - /etc/login.defs r, include if exists } diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index 9b32614a9..a4d1b8cd2 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -43,15 +43,15 @@ profile login @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{etc_ro}/environment r, + @{etc_ro}/security/group.conf r, + @{etc_ro}/security/limits.conf r, @{etc_ro}/security/limits.d/{,*} r, + @{etc_ro}/security/pam_env.conf r, /etc/default/locale r, /etc/legal r, /etc/machine-id r, /etc/motd r, /etc/motd.d/ r, - /etc/security/group.conf r, - /etc/security/limits.conf r, - /etc/security/pam_env.conf r, /etc/shells r, /var/lib/faillock/@{user} rwk, 
diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp index ebd15d4b6..1452f34fc 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/profiles-m-r/newgrp @@ -23,9 +23,9 @@ profile newgrp @{exec_path} { @{bin}/@{shells} rUx, - /etc/{passwd,group,shadow,gshadow} r, + @{etc_ro}/login.defs r, - /etc/login.defs r, + /etc/{passwd,group,shadow,gshadow} r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index 0c9e1ac0a..6aef4d028 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -16,7 +16,8 @@ profile pwck @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, /etc/passwd rw, /etc/passwd.@{int} rw, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 4e383b777..2788ed4a3 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -98,9 +98,9 @@ profile snapd @{exec_path} { /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**/} r, + @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, - /etc/environment r, /etc/fstab r, /etc/mime.types r, /etc/modprobe.d/{,**/} r, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index d27a34207..021ede783 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -30,7 +30,7 @@ profile useradd @{exec_path} { @{bin}/pam_tally2 rCx -> pam_tally2, /etc/default/useradd r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 05df64874..afaa52a03 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel 
@@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod index c0f8f0e45..1e5c6e4eb 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/subuid r, /etc/{passwd,shadow,gshadow,group} rw, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 50ada1d64..396f1e4f8 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -18,7 +18,7 @@ profile vipw-vigr @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group}{,.edit} rw, /etc/{passwd,shadow,gshadow,group}.@{pid} rw, From de690ab878200fe0727571aeb97ff06d08323a64 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Jan 2025 22:34:15 +0100 Subject: [PATCH 048/672] fix(ci): update path to shellcheck. --- .gitlab-ci.yml | 2 +- Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 960dd2884..a93767d20 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -24,7 +24,7 @@ bash: script: - shellcheck --shell=bash PKGBUILD dists/build.sh dists/docker.sh tests/check.sh - tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh + tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh golangci-lint: stage: lint diff --git a/Makefile b/Makefile index 911bd4027..7de055c9f 100644 --- a/Makefile +++ b/Makefile 
@@ -104,7 +104,7 @@ lint:
 @make --directory=tests lint
 @shellcheck --shell=bash \
 PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
- tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
+ tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
 debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
 
 .PHONY: check
From df8ac22e0cb67aa6e612ac9dba55fb38008d08b7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 26 Jan 2025 12:10:23 +0100
Subject: [PATCH 049/672] test(vagrant): update boxes name.

---
 tests/boxes.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/tests/boxes.yml b/tests/boxes.yml
index 532c5e18f..3e15fc304 100644
--- a/tests/boxes.yml
+++ b/tests/boxes.yml
@@ -26,17 +26,17 @@ boxes:
 box: aa-archlinux-server
 uefi: false
 
- - name: ubuntu-desktop
- box: aa-ubuntu-desktop
+ - name: ubuntu22-desktop
+ box: aa-ubuntu22-desktop
 
- - name: ubuntu-desktop24
- box: aa-ubuntu-desktop24
+ - name: ubuntu24-desktop
+ box: aa-ubuntu24-desktop
 
- - name: ubuntu-server
- box: aa-ubuntu-server
+ - name: ubuntu22-server
+ box: aa-ubuntu22-server
 
- - name: ubuntu-server24
- box: aa-ubuntu-server24
+ - name: ubuntu24-server
+ box: aa-ubuntu24-server24
 
 - name: debian-server
 box: aa-debian-server
From c427765909c2790e40346b67c8400c9bb342354d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 26 Jan 2025 17:04:11 +0100
Subject: [PATCH 050/672] feat(profile): initial support for gimp 3. see #656

---
 apparmor.d/profiles-g-l/gimp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp
index a9be29bec..83457578f 100644
--- a/apparmor.d/profiles-g-l/gimp
+++ b/apparmor.d/profiles-g-l/gimp
@@ -13,6 +13,7 @@ profile gimp @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
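Review bot: `box: aa-ubuntu24-server24` in the last renamed boxes.yml entry does not follow the `aa-<release>-<flavor>` pattern the other three new entries use, and it looks like a leftover of the old `aa-ubuntu-server24` name; the vagrant post-processor in builds.pkr.hcl names its output `packer_${var.prefix}${source.name}-${var.flavor}.box`, which for this build presumably yields `aa-ubuntu24-server`, so the entry as written will not find its box. Change it to `box: aa-ubuntu24-server`.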
@@ -23,7 +24,12 @@ profile gimp @{exec_path} {
 @{exec_path} mr,
+ @{bin}/env rix,
+ @{bin}/gjs-console rix,
+ @{bin}/lua rix,
+ @{lib}/gimp/@{version}/extensions/*/* rix,
 @{lib}/gimp/*/plug-ins/** rix,
+ @{python_path} rix,
 @{bin}/xsane-gimp rPx,
 @{open_path} rPx -> child-open-help,
From aefa46359ee66ef22d5da6090fc4684059bcfd82 Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Sun, 26 Jan 2025 18:36:18 +0100
Subject: [PATCH 051/672] Update firecfg
---
 apparmor.d/profiles-a-f/firecfg | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg
index 02201e78e..a54d1c9ac 100644
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@@ -25,6 +25,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
 /etc/firejail/firejail.users r,
 /etc/firejail/firecfg.config r,
+ /etc/firejail/firecfg.d/{,*} r,
 /usr/local/bin/ r,
 /usr/local/bin/* rw,
@@ -33,10 +34,14 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
 /usr/share/applications/ r,
 /usr/share/applications/*.desktop r,
 @{user_share_dirs}/applications/ r,
- @{user_share_dirs}/applications/*.desktop rw,
- /dev/tty rw,
+ @{user_config_dirs}/firejail/{,*} r,
+
+ /dev/tty rw,
+ /dev/tty@{int} rw,
+ owner /dev/pts/@{int} rw,
+
 include if exists
 }
From 01b173a1daef6d4c47adf6f369e28858020e4b06 Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Sun, 26 Jan 2025 18:28:42 +0100
Subject: [PATCH 052/672] Update needrestart-vmlinuz-get-version
---
 apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
index f7e9d76a1..0c3c669a0 100644
--- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
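Review bot: The second firecfg hunk drops `@{user_share_dirs}/applications/*.desktop rw` while keeping the read rule for the directory above it; as far as I recall firecfg's fix mode rewrites the user's desktop files, so if that mode is still expected to work the removal should be explained in the commit message or the rule kept as `owner @{user_share_dirs}/applications/*.desktop rw,`. The new `/dev/tty@{int} rw` also lacks `owner`, unlike the `owner /dev/pts/@{int} rw` line right below it; if the access is only to the terminal firecfg was started from, `owner /dev/tty@{int} rw,` keeps the two consistent and avoids granting writes to other users' consoles.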
+++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
@@ -14,12 +14,19 @@ profile needrestart-vmlinuz-get-version @{exec_path} {
 @{exec_path} mr,
 @{sh_path} rix,
+ @{bin}/bzip2 rix,
 @{bin}/grep rix,
+ @{bin}/gunzip rix,
+ @{bin}/gzip rix,
+ @{bin}/lzop rix,
 @{bin}/mktemp rix,
 @{bin}/rm rix,
+ @{bin}/tail rix,
 @{bin}/tr rix,
 @{bin}/which{,.debianutils} rix,
+ @{bin}/xz rix,
+ /boot/intel-ucode.img r,
 /boot/vmlinuz* r,
 owner @{tmp}/tmp.@{rand10} rw,
From 54a16eb0559197a1b8d6c582c3e9dbd09d4a40b0 Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Sun, 26 Jan 2025 18:03:37 +0100
Subject: [PATCH 053/672] Update okular
Typo.
---
 apparmor.d/groups/kde/okular | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular
index fe1c5d8da..7618a10d4 100644
--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@@ -94,7 +94,7 @@ profile okular @{exec_path} {
 include
 @{bin}/gpg{,2} mr,
- @{bin}/gpgcon mr,
+ @{bin}/gpgconf mr,
 @{bin}/gpgsm mr,
 owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,
From 5a1a5418eccbf21b966aa1a9e6528e3d7c7a39e1 Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Sun, 26 Jan 2025 17:53:34 +0100
Subject: [PATCH 054/672] Update kscreenlocker_greet
---
 apparmor.d/groups/kde/kscreenlocker_greet | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet
index a13270c93..c006f354c 100644
--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@@ -101,9 +101,11 @@ profile kscreenlocker_greet @{exec_path} {
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
+ @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/loginuid r,
+ @{PROC}/@{pid}/mountinfo r,
 @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/loginuid r,
From aec02b8f64221d7d22f318d9de4ce1d09ea3d796 Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Sun, 26 Jan 2025 17:49:11 +0100
Subject: [PATCH 055/672] Update systemd-tmpfiles
profile systemd-tmpfiles {
 @{sys}/devices/system/cpu/cpufreq/ r,
 @{sys}/devices/system/cpu/cpufreq/policy0/scaling_governor w,
 @{sys}/devices/system/cpu/cpufreq/policy1/scaling_governor w,
 @{sys}/devices/system/cpu/cpufreq/policy2/scaling_governor w,
 @{sys}/devices/system/cpu/cpufreq/policy3/scaling_governor w,
 @{sys}/devices/system/cpu/cpufreq/policy4/scaling_governor w,
 @{sys}/devices/system/cpu/cpufreq/policy5/scaling_governor w,
 @{sys}/devices/system/cpu/cpufreq/policy6/scaling_governor w,
 @{sys}/devices/system/cpu/cpufreq/policy7/scaling_governor w,
 @{sys}/module/pcie_aspm/parameters/policy w,
}
---
 apparmor.d/groups/systemd/systemd-tmpfiles | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index f591ef9f7..e37073f47 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -51,7 +51,10 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
 @{sys}/kernel/security/{,**} rw,
 @{sys}/class/net/ r,
+ @{sys}/devices/system/cpu/cpufreq/ r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w,
 @{sys}/devices/system/cpu/microcode/reload w,
+ @{sys}/module/pcie_aspm/parameters/policy w,
 @{PROC}/@{pid}/net/unix r,
 @{PROC}/1/cmdline r,
From d802bf82f28ac3566c431f7ad7ebbf306ea1b33b Mon Sep 17 00:00:00 2001
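Review bot: `@{PROC}/@{pid}/cgroup r` and `@{PROC}/@{pid}/mountinfo r` are added without `owner`, so the greeter may read the cgroup and mount table of any process rather than only its own, while the `owner @{PROC}/@{pid}/loginuid r` context line in the same hunk shows the tighter form the profile already uses. If the denials came from the greeter inspecting itself, `owner @{PROC}/@{pid}/cgroup r,` and `owner @{PROC}/@{pid}/mountinfo r,` are enough; the unqualified form should only stay if a different pid is actually read, and then a short comment naming that case would help the next reader.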
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Sun, 26 Jan 2025 17:41:53 +0100
Subject: [PATCH 056/672] Update pacman
profile pacman//systemctl {
 signal send set=(cont term) peer=systemd-tty-ask-password-agent,
}
---
 apparmor.d/groups/pacman/pacman | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 6c0e782fa..16a8171ca 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -196,6 +196,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 capability sys_resource,
 signal send set=cont peer=child-pager,
+ signal send set=(cont term) peer=systemd-tty-ask-password-agent,
 signal receive set=winch peer=makepkg//sudo,
 @{pager_path} rPx -> child-pager,
From 4a978ef9b6d6a846a3a34618b3f978b795399735 Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Sun, 26 Jan 2025 21:07:44 +0100
Subject: [PATCH 057/672] systemd-journald: adding mediate_deleted (#657)
* Update systemd-journald
profile systemd-journald flags=(mediate_deleted) {
 link /var/log/journal/@{hex32}/#42742 , # Failed name lookup - deleted entry
 link /var/log/journal/@{hex32}/#42744 , # Failed name lookup - deleted entry
 link /var/log/journal/@{hex32}/.#system@@{hex32}-@{hex16}-@{hex16}.journal@{hex16} -> /var/log/journal/@{hex32}/#42744,
 link /var/log/journal/@{hex32}/.#user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal@{hex16} -> /var/log/journal/@{hex32}/#42742,
}
* Update main.flags
Adding `systemd-journald attach_disconnected,mediate_deleted`
---
 apparmor.d/groups/systemd/systemd-journald | 2 +-
 dists/flags/main.flags | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index d63a4211d..b0a646f66 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
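Review bot: The commit message reproduces a denial logged for `pacman//systemctl`, but the new `signal send set=(cont term) peer=systemd-tty-ask-password-agent,` is inserted between `signal send set=cont peer=child-pager` and `@{pager_path} rPx -> child-pager`, which read like rules of the parent profile; if line 196 is in the main `pacman` body rather than the `systemctl` child profile, the child will keep hitting the denial. The enclosing profile is outside the hunk, so the insertion point is worth confirming against the file.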
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-journald
-profile systemd-journald @{exec_path} flags=(attach_disconnected) {
+profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 6a1a1b6a7..70bbd4a36 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -333,6 +333,7 @@ systemd-generator-veritysetup attach_disconnected,complain
 systemd-homed attach_disconnected,complain
 systemd-homework complain
 systemd-inhibit attach_disconnected,complain
+systemd-journald attach_disconnected,mediate_deleted
 systemd-mount complain
 systemd-network-generator complain
 systemd-portabled complain
From a68cd26d4103036a50ae64fc67a5512cee5cec4d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 26 Jan 2025 21:10:26 +0100
Subject: [PATCH 058/672] fix(profile): yay: pacman can be used by yay without installing anything ie: without `sudo pacmcan -U ...` see #420
---
 apparmor.d/groups/pacman/yay | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay
index 52c2de345..42932cc2e 100644
--- a/apparmor.d/groups/pacman/yay
+++ b/apparmor.d/groups/pacman/yay
@@ -25,6 +25,7 @@ profile yay @{exec_path} {
 @{bin}/git Cx -> git,
 @{bin}/gpg{,2} Cx -> gpg,
 @{bin}/makepkg Px,
+ @{bin}/pacman Px,
 @{bin}/pacman-conf Px,
 @{bin}/sudo Cx -> sudo,
From feee34ef7e9fe0baaab6c2680e8ac90c0cec991d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 26 Jan 2025 21:17:18 +0100
Subject: [PATCH 059/672] feat(profile): allow drkonqi to read logs. fix #655
---
 apparmor.d/groups/kde/drkonqi | 17 +++++++++++++++++
 .../groups/kde/drkonqi-coredump-processor | 1 +
 2 files changed, 18 insertions(+)
diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi
index 961c18cfe..83fd07181 100644
--- a/apparmor.d/groups/kde/drkonqi
+++ b/apparmor.d/groups/kde/drkonqi
@@ -23,18 +23,35 @@ profile drkonqi @{exec_path} {
 @{exec_path} mr,
+ @{bin}/plasmashell r,
 @{bin}/lsb_release rPx -> lsb_release,
 /usr/share/drkonqi/{,**} r,
+ /etc/machine-id r,
+
+ / r,
+
 owner @{user_cache_dirs}/drkonqi/ rw,
 owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**,
 owner @{user_cache_dirs}/kcrash-metadata/* w,
+ owner @{user_config_dirs}/breezerc r,
 owner @{user_config_dirs}/drkonqirc r,
+ /{run,var}/log/journal/ r,
+ /{run,var}/log/journal/@{hex32}/ r,
+ /{run,var}/log/journal/@{hex32}/system.journal r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
+ /{run,var}/log/journal/remote/ r,
+
 /dev/tty r,
+
 owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor
index e07a6c1d4..9b1e6c379 100644
--- a/apparmor.d/groups/kde/drkonqi-coredump-processor
+++ b/apparmor.d/groups/kde/drkonqi-coredump-processor
@@ -10,6 +10,7 @@ include
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi-coredump-processor
 profile drkonqi-coredump-processor @{exec_path} {
 include
+ include
 include
 capability dac_override,
From c29927ea2ffa0501d9ba6b6a3c90d323241db6ce Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 28 Jan 2025 23:28:11 +0100
Subject: [PATCH 060/672] fix(profile): ensure all child-open* profiles share the same flags. fix #630
---
 apparmor.d/groups/children/child-open | 2 +-
 apparmor.d/groups/children/child-open-browsers | 2 +-
 apparmor.d/groups/children/child-open-help | 2 +-
 apparmor.d/groups/children/child-open-strict | 2 +-
 dists/flags/main.flags | 1 -
 5 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index 6804326aa..84b1d1ea1 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -19,7 +19,7 @@ abi ,
 include
-profile child-open flags=(attach_disconnected) {
+profile child-open flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers
index 6873ea2fc..473276bff 100644
--- a/apparmor.d/groups/children/child-open-browsers
+++ b/apparmor.d/groups/children/child-open-browsers
@@ -15,7 +15,7 @@ abi ,
 include
-profile child-open-browsers flags=(attach_disconnected) {
+profile child-open-browsers flags=(attach_disconnected,mediate_deleted) {
 include
 include
diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help
index d70cd920a..1150d16d3 100644
--- a/apparmor.d/groups/children/child-open-help
+++ b/apparmor.d/groups/children/child-open-help
@@ -6,7 +6,7 @@ abi ,
 include
-profile child-open-help {
+profile child-open-help flags=(attach_disconnected,mediate_deleted) {
 include
 include
diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict
index 98bbdcdb9..7faf52185 100644
--- a/apparmor.d/groups/children/child-open-strict
+++ b/apparmor.d/groups/children/child-open-strict
@@ -11,7 +11,7 @@ abi ,
 include
-profile child-open-strict {
+profile child-open-strict flags=(attach_disconnected,mediate_deleted) {
 include
 include
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 70bbd4a36..cf38d2756 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -45,7 +45,6 @@ calibre complain
 cc-remote-login-helper complain
 cctk complain
 child-modprobe-nvidia attach_disconnected,complain
-child-open attach_disconnected,complain
 cockpit-askpass complain
 cockpit-bridge complain
 cockpit-certificate-ensure attach_disconnected,complain
From 5784ff83cf98c821375d6e9337077e889c3dddd8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 28 Jan 2025 23:30:25 +0100
Subject: [PATCH 061/672] feat(abs): minor improvement to some abstraction.
---
 apparmor.d/abstractions/app/pgrep | 1 +
 apparmor.d/abstractions/common/systemd | 1 +
 apparmor.d/abstractions/dconf.d/complete | 2 +-
 apparmor.d/abstractions/desktop | 2 +-
 apparmor.d/abstractions/gnome-strict | 2 +-
 apparmor.d/abstractions/gnome.d/complete | 2 +-
 apparmor.d/abstractions/gtk.d/complete | 8 ++++----
 apparmor.d/abstractions/kde-open5.d/complete | 2 +-
 8 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep
index 211c2710d..d6b7ba8a7 100644
--- a/apparmor.d/abstractions/app/pgrep
+++ b/apparmor.d/abstractions/app/pgrep
@@ -21,6 +21,7 @@
 @{PROC}/ r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/environ r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/uptime r,
diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd
index df138bf6c..f4a10076e 100644
--- a/apparmor.d/abstractions/common/systemd
+++ b/apparmor.d/abstractions/common/systemd
@@ -8,6 +8,7 @@
 ptrace read peer=@{p_systemd},
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
+ @{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r,
 @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
 @{PROC}/1/cgroup r,
diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete
index ed8fa33e6..4f53689d5 100644
--- a/apparmor.d/abstractions/dconf.d/complete
+++ b/apparmor.d/abstractions/dconf.d/complete
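Review bot: Dropping `child-open attach_disconnected,complain` from main.flags does more than align flags: with the override gone, child-open follows the profile's own `flags=(attach_disconnected,mediate_deleted)` and therefore leaves complain mode on every distribution built from this flags file, while the sibling child-open-* profiles were never listed here. If enforcing child-open is intended, a sentence in the commit message would make that explicit; if not, the entry should be re-added as `child-open attach_disconnected,mediate_deleted,complain`.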
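Review bot: `@{PROC}/@{pids}/environ r` in the shared pgrep abstraction grants every profile that includes it read access to the environment block of arbitrary processes, and environment blocks commonly carry credentials (API tokens, passwords, agent socket paths); the kernel's ptrace access check only limits this for unprivileged callers, so a confined root service gains a broad secret-reading path. pgrep only needs environ for environment-based matching, if at all, so the rule is better placed in the one profile that produced the denial, or at least narrowed to `owner @{PROC}/@{pids}/environ r,` so the abstraction never exposes other users' environments.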
@@ -10,7 +10,7 @@ dbus receive bus=session path=/ca/desrt/dconf/Writer/user
 interface=ca.desrt.dconf.Writer
 member=Notify
- peer=(name=:*, label=dconf-service),
+ peer=(name=@{busname}, label=dconf-service),
 /usr/share/dconf/profile/gdm r,
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index 743dfaf2d..78a98a3cf 100644
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@@ -22,7 +22,7 @@ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 /usr/{local/,}share/ r,
 /usr/{local/,}share/glib-@{version}/schemas/** r,
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
index 9862ca5e7..fadaedcbf 100644
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@@ -14,7 +14,7 @@ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 /usr/share/desktop-base/{,**} r,
 /usr/share/hwdata/*.ids r,
diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete
index 90f705ac7..71e76f9da 100644
--- a/apparmor.d/abstractions/gnome.d/complete
+++ b/apparmor.d/abstractions/gnome.d/complete
@@ -7,7 +7,7 @@ dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete
index ac702a70f..700e5e305 100644
--- a/apparmor.d/abstractions/gtk.d/complete
+++ b/apparmor.d/abstractions/gtk.d/complete
@@ -5,7 +5,7 @@ dbus send bus=session
 interface=org.gtk.Actions
 member=DescribeAll
- peer=(name=:*),
+ peer=(name=@{busname}),
 dbus send bus=session
 interface=org.gtk.Actions
 member=DescribeAll
@@ -14,7 +14,7 @@ dbus receive bus=session
 interface=org.gtk.Actions
 member=Changed
- peer=(name=:*),
+ peer=(name=@{busname}),
 dbus receive bus=session
 interface=org.gtk.Actions
 member=Changed
@@ -23,11 +23,11 @@ dbus send bus=session path=/org/gtk/Settings
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name=:*, label=gsd-xsettings),
+ peer=(name=@{busname}, label=gsd-xsettings),
 dbus receive bus=session path=/org/gtk/Settings
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged
- peer=(name=:*, label=gsd-xsettings),
+ peer=(name=@{busname}, label=gsd-xsettings),
 @{lib}/{,@{multiarch}/}gtk*/** mr,
diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete
index 37038b129..adeb9a4bb 100644
--- a/apparmor.d/abstractions/kde-open5.d/complete
+++ b/apparmor.d/abstractions/kde-open5.d/complete
@@ -6,6 +6,6 @@
 owner @{user_config_dirs}/menus/{,**} r,
- owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+ owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
 # vim:syntax=apparmor
From da68c4f2d9bd65e4d6f7ebb099d4487b62285231 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 9 Feb 2025 00:11:09 +0100
Subject: [PATCH 062/672] feat(profile): general update.
---
 apparmor.d/groups/apt/dpkg-preconfigure | 3 +++
 apparmor.d/groups/bus/dbus-accessibility | 1 +
 apparmor.d/groups/bus/dbus-session | 3 ++-
 apparmor.d/groups/freedesktop/polkitd | 2 +-
 apparmor.d/groups/gnome/gnome-shell | 8 +++-----
 apparmor.d/groups/gnome/session-migration | 4 +++-
 apparmor.d/groups/gnome/yelp | 1 +
 apparmor.d/groups/grub/grub-check-signatures | 4 +++-
 apparmor.d/groups/grub/grub-install | 12 ++++++++++--
 apparmor.d/groups/kde/dolphin | 4 ++++
 apparmor.d/groups/kde/kde-powerdevil | 1 +
 apparmor.d/groups/systemd/systemd-networkd | 7 ++++---
 apparmor.d/groups/systemd/systemd-udevd | 1 +
 apparmor.d/profiles-a-f/boltd | 3 ++-
 apparmor.d/profiles-a-f/frontend | 5 ++++-
 apparmor.d/profiles-g-l/libreoffice | 5 +++--
 apparmor.d/profiles-s-z/setpci | 1 +
 apparmor.d/profiles-s-z/snap | 10 ++++++++++
 apparmor.d/profiles-s-z/snapd | 9 ++++-----
 apparmor.d/profiles-s-z/syncthing | 8 ++++----
 20 files changed, 65 insertions(+), 27 deletions(-)
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 34163333b..94b7603fa 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -41,8 +41,11 @@ profile dpkg-preconfigure @{exec_path} {
 /etc/debconf.conf r,
 /etc/default/grub r,
 /etc/inputrc r,
+ /etc/locale.gen r,
 /etc/shadow r,
+ /var/lib/locales/supported.d/{,*} r,
+
 owner @{tmp}/*.template.* rw,
 owner @{tmp}/*.config.* rwPUx,
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 35a507559..e699d416d 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -76,6 +76,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/oom_score_adj r,
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 014f7afd4..f87e71c81 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -74,8 +74,9 @@ profile dbus-session flags=(attach_disconnected) {
 @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/attr/apparmor/current r,
 owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/oom_score_adj r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_score_adj r,
 /dev/ptmx rw,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 5e3d3ee78..9b3db683f 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{lib}/{,polkit-1/}polkitd
+@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd
 profile polkitd @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 462733874..f8888f95b 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -83,15 +83,17 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 # Talk with gnome-shell
 #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+ #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
 #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
 #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
+ #aa:dbus talk bus=session name=org.gnome.* label=gnome-*
 #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
- #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
 #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
 #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+ #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
 # System bus
@@ -163,10 +165,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 member=Introspect
 peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
- dbus send bus=session path=/org/gnome/*/SearchProvider
- interface=org.gnome.Shell.SearchProvider2
- peer=(name=@{busname}),
-
 @{exec_path} mr,
 @{bin}/unzip rix,
diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration
index d519dca6e..c2df97896 100644
--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@@ -9,12 +9,14 @@ include
 @{exec_path} = @{bin}/session-migration
 profile session-migration @{exec_path} {
 include
+ include
 @{exec_path} mr,
 @{sh_path} rix,
+ @{python_path} rix,
 @{bin}/gsettings rPx,
- /usr/share/session-migration/scripts/*.sh rix,
+ /usr/share/session-migration/scripts/* rix,
 /usr/share/session-migration/{,**} r,
diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp
index f0dd3b46c..f172eac21 100644
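Review bot: `#aa:dbus talk bus=session name=org.gnome.* label=gnome-*` wildcards both the bus name and the peer label, so it subsumes the narrower talk lines around it (including the removed `org.gnome.SessionManager label=gnome-session-binary`) and silently covers every future profile named `gnome-*`; a comment above it such as `# gnome-shell is the session compositor; any org.gnome.* service confined as gnome-* may talk to it` would record why that breadth is acceptable here. The second gnome-shell hunk also removes the `org.gnome.Shell.SearchProvider2` send rule to `peer=(name=@{busname})`, so search providers exposed by applications whose profile is neither `gnome-*` nor nautilus are no longer obviously covered; the rest of the profile is outside the hunk, so it is worth checking they are handled elsewhere before this lands.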
--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
@@ -14,6 +14,7 @@ profile yelp @{exec_path} {
 network netlink raw,
+ #aa:dbus own bus=accessibility name=org.gnome.Yelp
 #aa:dbus own bus=session name=org.gnome.Yelp
 @{exec_path} mr,
diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures
index 1a1110091..d33b33265 100644
--- a/apparmor.d/groups/grub/grub-check-signatures
+++ b/apparmor.d/groups/grub/grub-check-signatures
@@ -22,7 +22,9 @@ profile grub-check-signatures @{exec_path} {
 /usr/share/debconf/confmodule r,
- owner @{tmp}/tmp.*/ rw,
+ owner @{tmp}/tmp.@{rand10}/ rw,
+
+ @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
 include if exists
 }
diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install
index 83e30cbf6..e52e96b8a 100644
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@@ -25,20 +25,28 @@ profile grub-install @{exec_path} flags=(complain) {
 @{bin}/udevadm rPx,
 /usr/share/grub/{,**} r,
+ /usr/share/locale-langpack/{,**} r,
 /etc/default/grub.d/{,**} r,
 /etc/default/grub r,
- /boot/efi/EFI/ubuntu/* w,
- /boot/efi/EFI/BOOT/{,**} rw,
+ /boot/efi/ r,
 /boot/EFI/*/grubx*.efi rw,
+ /boot/efi/EFI/ r,
+ /boot/efi/EFI/BOOT/{,**} rw,
+ /boot/efi/EFI/ubuntu/* w,
 /boot/grub/{,**} rw,
+ @{sys}/devices/**/hid r,
+ @{sys}/devices/**/path r,
+ @{sys}/devices/**/uid r,
+ @{sys}/firmware/efi/ r,
 @{sys}/firmware/efi/efivars/ r,
 @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
 @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r,
 @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
 @{sys}/firmware/efi/efivars/Timeout-@{uuid} r,
+ @{sys}/firmware/efi/fw_platform_size r,
 @{sys}/firmware/efi/w_platform_size r,
 @{PROC}/devices r,
diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin
index 8465da560..d01965bb0 100644
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
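Review bot: The new `@{sys}/firmware/efi/fw_platform_size r` in the grub-install hunk sits directly above the pre-existing `@{sys}/firmware/efi/w_platform_size r`, which looks like a typo of the same sysfs attribute; now that the correct rule exists the old line should be removed rather than left as a dead duplicate. In the same hunk `/boot/EFI/*/grubx*.efi rw` keeps an uppercase `EFI` directly under `/boot` while every new line uses `/boot/efi/EFI/...`; that form is valid when the ESP is mounted at /boot, but it is worth confirming it is intended and not another leftover.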
@@ -40,6 +40,7 @@ profile dolphin @{exec_path} {
 /usr/share/kservices{5,6}/{,**} r,
 /usr/share/kservicetypes5/{,**} r,
 /usr/share/misc/termcap r,
+ /usr/share/thumbnailers/{,**} r,
 /etc/fstab r,
 /etc/machine-id r,
@@ -71,6 +72,7 @@ profile dolphin @{exec_path} {
 owner @{user_share_dirs}/dolphin/ rw,
 owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
 owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk,
+ owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk,
 owner @{user_config_dirs}/#@{int} rw,
 owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int},
@@ -89,6 +91,8 @@ profile dolphin @{exec_path} {
 owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},
+ owner @{tmp}/dolphin.@{rand6} rwl,
+
 @{run}/issue r,
 @{run}/mount/utab r,
 owner @{run}/user/@{uid}/#@{int} rw,
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index d37b53ddd..c37ee870b 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -72,6 +72,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 @{sys}/devices/platform/*/i2c-@{int}/name r,
 @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/mountinfo r,
 @{PROC}/@{pid}/mounts r,
 /dev/i2c-@{int} rwk,
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 7b271c9de..0ca507140 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -68,9 +68,10 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/product_version r,
- @{PROC}/@{pid}/cgroup r,
- @{PROC}/pressure/* r,
- @{PROC}/sys/net/ipv{4,6}/** rw,
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/pressure/* r,
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 include if exists
 }
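Review bot: The second dolphin hunk adds `owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk,`, but the third hunk's context shows the profile already contains `owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},`; the new rule's unrestricted `l` makes the existing targeted link rule redundant and allows dolphinstaterc to be hard-linked to any path the profile can otherwise reach. The addition looks accidental and should be dropped, keeping the targeted rule.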
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index f52a2fc6c..d71ccf1a1 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -95,6 +95,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/systemd/notify rw,
 @{run}/systemd/seats/seat@{int} r,
+ @{att}/@{run}/systemd/notify w,
 @{att}/@{run}/udev/control rw,
 @{run}/udev/ rw,
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index b70b72088..8f55bb375 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -25,7 +25,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/boltd/{,**} rw,
- @{run}/systemd/notify rw,
+ @{att}/@{run}/systemd/notify w,
+
 @{run}/udev/data/+thunderbolt:* r,
 @{sys}/bus/ r,
diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend
index ac8a6a5a8..3d7ee07f8 100644
--- a/apparmor.d/profiles-a-f/frontend
+++ b/apparmor.d/profiles-a-f/frontend
@@ -74,9 +74,12 @@ profile frontend @{exec_path} flags=(complain) {
 /etc/inputrc r,
 /etc/shadow r,
- owner @{tmp}/file* w,
 owner /var/cache/debconf/* rwk,
+ owner @{tmp}/file* w,
+ owner @{tmp}/tmp.@{rand10} rw,
+ owner @{tmp}/updateppds.@{rand6} rw,
+
 @{HOME}/.Xauthority r,
 @{run}/user/@{uid}/pk-debconf-socket rw,
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index 03dfe9749..ac3ee0c26 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
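Review bot: In the systemd-udevd hunk, `@{att}/@{run}/systemd/notify w` is added while the context line `@{run}/systemd/notify rw` two lines above is left in place, whereas the boltd hunk in the same commit replaces the plain path with the `@{att}/` form; udevd should follow the same pattern, dropping the old `rw` line, or the commit should say why the read permission on the notify socket path is still wanted. The profile's flags line shows it is in complain mode, so the duplicate will not surface as a denial and is easy to forget.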
@@ -49,11 +49,12 @@ profile libreoffice @{exec_path} {
 @{bin}/gpgconf rPx,
 @{bin}/gpgsm rPx,
+ @{lib}/jvm/java*/bin/java rix,
+ @{lib}/jvm/java*/lib/** rm,
 @{lib}/libreoffice/program/javaldx rix,
 @{lib}/libreoffice/program/oosplash rix,
 @{lib}/libreoffice/program/soffice.bin rix,
- @{lib}/jvm/java*/bin/java rix,
- @{lib}/jvm/java*/lib/** rm,
+ @{lib}/libreoffice/program/xpdfimport rix,
 @{lib}/libreoffice/{,**} rm,
 @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,
diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci
index 72c9b8a93..019e89e23 100644
--- a/apparmor.d/profiles-s-z/setpci
+++ b/apparmor.d/profiles-s-z/setpci
@@ -16,6 +16,7 @@ profile setpci @{exec_path} flags=(complain) {
 @{sys}/bus/pci/devices/ r,
 @{sys}/devices/@{pci}/** r,
+ @{sys}/devices/@{pci}/config w,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index cdb01d14a..90b2ceef3 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -14,6 +14,7 @@ profile snap @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -24,6 +25,8 @@ profile snap @{exec_path} {
 network netlink raw,
+ ptrace read peer=snap.snap-store.snap-store,
+
 unix (send, receive) type=stream peer=(label=apt),
 mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
@@ -32,6 +35,7 @@ profile snap @{exec_path} {
 #aa:dbus own bus=session name=io.snapcraft.SessionAgent
 #aa:dbus own bus=session name=io.snapcraft.Settings
+ #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store
 #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
 dbus send bus=session path=/org/freedesktop/portal/documents
@@ -39,6 +43,11 @@ profile snap @{exec_path} {
 member=GetMountPoint peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label=gnome-shell),
+ @{exec_path} mrix,
 @{bin}/mount rix,
@@ -83,6 +92,7 @@ profile snap @{exec_path} {
 @{PROC}/sys/kernel/random/uuid r,
 @{PROC}/sys/kernel/seccomp/actions_avail r,
 @{PROC}/version r,
+ owner @{PROC}/@{pid}/attr/apparmor/current r,
 owner @{PROC}/@{pid}/mounts r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 2788ed4a3..dc80b17a4 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -47,8 +47,8 @@ profile snapd @{exec_path} {
 umount /tmp/syscheck-mountpoint-@{int}/,
 umount /snap/*/*/,
- ptrace (read) peer=snap,
- ptrace (read) peer=@{p_systemd},
+ ptrace read peer=@{p_systemd},
+ ptrace read peer=snap{,.*},
 unix (bind) type=stream addr=@@{udbus}/bus/systemctl/,
@@ -155,16 +155,15 @@ profile snapd @{exec_path} {
 @{sys}/fs/cgroup/{,*/} r,
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/system.slice/{,**/} r,
+ @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
 @{sys}/fs/cgroup/user.slice/ r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
 @{sys}/kernel/kexec_loaded r,
 @{sys}/kernel/security/apparmor/.notify r,
 @{sys}/kernel/security/apparmor/features/{,**} r,
 @{sys}/kernel/security/apparmor/profiles r,
- @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
- @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/mounts r,
 @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index f668f5a00..d03ece9e4 100644
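Review bot: `ptrace read peer=snap{,.*},` in the first snapd hunk widens the replaced `ptrace (read) peer=snap` from the snap client profile alone to every `snap.*` label, i.e. every confined snap application, and nothing in the hunk records why. If the purpose is for snapd to read the /proc state of the snap processes it manages (the `cgroup.procs` rules added in the second snapd hunk point that way), a comment such as `# read /proc state of the confined snap apps snapd manages` would make the scope deliberate; if only the `snap` client was ever meant, the old peer was already sufficient. Both snapd hunks sit inside a profile body that continues outside this excerpt.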
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/syncthing
 profile syncthing @{exec_path} {
 include
+ include
 include include
@@ -28,15 +29,14 @@ profile syncthing @{exec_path} {
 /etc/mime.types r,
- owner @{HOME}/ r,
- owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk,
- owner @{user_config_dirs}/syncthing/{,**} rwk,
- owner @{user_state_dirs}/syncthing/{,**} rwk,
+ @{HOME}/ r,
+ @{HOME}/** rwk,
 /home/ r,
 @{user_sync_dirs}/{,**} rw,
 @{PROC}/@{pids}/net/route r,
+ @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/net/core/somaxconn r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
From 77eb8c3c11a0b8983567aca7d48f370fb978a073 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 9 Feb 2025 20:26:52 +0100
Subject: [PATCH 063/672] feat(profile): minor update.
---
 apparmor.d/groups/virt/dockerd | 2 +-
 apparmor.d/profiles-a-f/fractal | 4 +++-
 apparmor.d/profiles-m-r/mount-cifs | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index 13f050c7d..2e2d36355 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -85,7 +85,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/docker/tmp/qemu-check@{int}/check rix,
 /tmp/build/ w,
- /tmp/containerd-mount@{int10}/{,**} rw,
+ /tmp/containerd-mount@{int}/{,**} rw,
 owner @{run}/docker/ rw,
 owner @{run}/docker/** rwlk,
diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal
index 6dfb84452..9de5761c2 100644
--- a/apparmor.d/profiles-a-f/fractal
+++ b/apparmor.d/profiles-a-f/fractal
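Review bot: `@{HOME}/** rwk,` drops the `owner` qualifier that every rule it replaces carried (`owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk` and the config/state siblings), so AppArmor no longer limits the daemon to files the invoking user owns and DAC becomes the only barrier between it and other users' home content. For the usual per-user service the qualifier costs nothing, so `owner @{HOME}/ r,` and `owner @{HOME}/** rwk,` keep the widening this commit wants while preserving that boundary. If the whole-home rule exists only so shared folders can live anywhere under home, a comment above it saying so would explain why `@{user_sync_dirs}/{,**} rw` two lines below is no longer enough. The syncthing profile body continues outside the hunk.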
@@ -33,11 +33,13 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/.@{rand6} rw,
 owner @{tmp}/.goutputstream-@{rand6} rw,
- owner @{tmp}/@{rand6} rw,
+
+ owner @{run}/user/@{uid}/fractal/{,**} rw,
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
 /dev/ r,
diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs
index 190db34da..899ab0801 100644
--- a/apparmor.d/profiles-m-r/mount-cifs
+++ b/apparmor.d/profiles-m-r/mount-cifs
@@ -40,6 +40,7 @@ profile mount-cifs @{exec_path} flags=(complain) {
 @{bin}/systemd-ask-password rPUx,
 /etc/fstab r,
+ /etc/sync-credentials r,
 owner @{HOME}/.smbcredentials r,
From 63cbf2829b43325a5d77a0f82ce11e2db3b44015 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 9 Feb 2025 20:28:40 +0100
Subject: [PATCH 064/672] feat(tunable): add p_ variables definition for a few core profiles.
---
 apparmor.d/tunables/multiarch.d/profiles | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
index 2d1fccb32..8917c88d8 100644
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -16,4 +16,13 @@
 @{p_dbus_session}=dbus-session
 @{p_dbus_accessibility}=dbus-accessibility
+@{p_at_spi2_registryd}=at-spi2-registryd
+@{p_colord}=colord
+@{p_gnome_shell}=gnome-shell
+@{p_packagekitd}=packagekitd
+@{p_snap}=snap
+@{p_systemd_logind}=systemd-logind
+@{p_xdg_desktop_portal}=xdg-desktop-portal
+
+ # vim:syntax=apparmor
From 86906d26014bb331f737bd47f68ad62c2116a784 Mon Sep 17 00:00:00 2001
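Review bot: `/etc/sync-credentials r,` in the mount-cifs hunk looks like a host-specific file name captured from one machine rather than a convention: mount.cifs reads whichever path the `credentials=` option in fstab names, so this rule only helps installations that happen to use that exact name. Either mark it as such so it is not mistaken for a standard path, e.g. `/etc/sync-credentials r, # credentials= file named in fstab, site-specific`, or leave it to a local override; `owner @{HOME}/.smbcredentials r` on the next line already covers the documented default. The mount-cifs profile body continues outside the hunk.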
From: Alexandre Pujol Date: Sun, 9 Feb 2025 20:32:06 +0100 Subject: [PATCH 065/672] feat(profile): add localsearch (renamed from tracker-extract localsearch is the new name of tracker-extract. The profile for tracker-extract is kept as they will differ in the future. --- apparmor.d/groups/gnome/localsearch | 69 +++++++++++++++++++ apparmor.d/groups/gnome/localsearch-control | 21 ++++++ apparmor.d/groups/gnome/localsearch-writeback | 21 ++++++ 3 files changed, 111 insertions(+) create mode 100644 apparmor.d/groups/gnome/localsearch create mode 100644 apparmor.d/groups/gnome/localsearch-control create mode 100644 apparmor.d/groups/gnome/localsearch-writeback diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch new file mode 100644 index 000000000..e6d2bba7c --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch 
@@ -0,0 +1,69 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/localsearch @{lib}/localsearch-3
+profile localsearch @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ #aa:dbus own bus=session name=org.freedesktop.LocalSearch3
+
+ @{exec_path} mr,
+
+ @{lib}/localsearch-extractor-3 ix, # nnp
+
+ /usr/share/localsearch3/{,**} r,
+ /usr/share/poppler/{,**} r,
+
+ # Allow to search user files
+ owner @{HOME}/ r,
+ owner @{HOME}/{,**} r,
+ owner @{MOUNTS}/{,**} r,
+ owner @{tmp}/*/{,**} r,
+
+ owner @{user_cache_dirs}/tracker3/ rw,
+ owner @{user_cache_dirs}/tracker3/files/ rw,
+ owner @{user_cache_dirs}/tracker3/files/** rwk,
+
+ owner /var/tmp/etilqs_@{hex15} rw,
+ owner /var/tmp/etilqs_@{hex16} rw,
+ owner @{tmp}/etilqs_@{hex15} rw,
+ owner @{tmp}/etilqs_@{hex16} rw,
+
+ @{run}/mount/utab r,
+
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+
+ @{PROC}/sys/fs/fanotify/max_user_marks r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /dev/media@{int} rw,
+ /dev/video@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/localsearch-control b/apparmor.d/groups/gnome/localsearch-control
new file mode 100644
index 000000000..354f85009
--- /dev/null
+++ b/apparmor.d/groups/gnome/localsearch-control
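Review bot: `@{lib}/localsearch-extractor-3 ix, # nnp` runs the extractor, the component that parses untrusted document and media content, inside the indexer's own profile, so every grant in this file (`owner @{HOME}/{,**} r`, `owner @{MOUNTS}/{,**} r`, `owner @{tmp}/*/{,**} r`, the owned session bus name, `/dev/video@{int} rw`) is also reachable from those parsers. The `nnp` tag presumably means the child is spawned with no-new-privileges and a `Px` transition would be refused; spelling that out, e.g. `# ix: spawned with NoNewPrivileges, so a profile transition is not possible`, stops the next maintainer from reading the shared profile as a deliberate choice. Separately, `rw` on `/dev/media@{int}` and `/dev/video@{int}` is generous for an indexer; if the extractor only probes device capabilities, `r` may be enough, which is worth checking against the audit log while the profile is still in complain mode.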
@@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/localsearch-control-3 +profile localsearch-control @{exec_path} { + include + include + + #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/localsearch-writeback b/apparmor.d/groups/gnome/localsearch-writeback new file mode 100644 index 000000000..7d50726c0 --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch-writeback @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/localsearch-writeback-3 +profile localsearch-writeback @{exec_path} { + include + include + + #aa:dbus own bus=session name=org.freedesktop.LocalSearch3.Writeback + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From ba5079d95c2b457db9e1758829c0e7db4aafdfee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 20:33:37 +0100 Subject: [PATCH 066/672] build: update flag manifest. --- dists/flags/main.flags | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index cf38d2756..87c070c56 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -40,11 +40,9 @@ avahi-resolve complain avahi-set-host-name complain baloo complain baloorunner complain -busctl complain calibre complain cc-remote-login-helper complain cctk complain -child-modprobe-nvidia attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain 
@@ -218,6 +216,9 @@ libvirtd attach_disconnected,complain
 lightdm attach_disconnected,complain
 locale-gen complain
 localectl complain
+localsearch complain
+localsearch-control complain
+localsearch-writeback complain
 login attach_disconnected,complain
 loginctl complain
 low-memory-monitor attach_disconnected,complain
@@ -373,6 +374,7 @@ xdg-dbus-proxy attach_disconnected,complain
 xdg-desktop-icon complain
 xdg-desktop-portal-kde complain
 xdg-desktop-portal-rewrite-launchers complain
+xdg-desktop-portal-validate-icon attach_disconnected,complain
 xdg-user-dirs-gtk-update complain
 xdm-xsession complain
 xembedsniproxy complain
From ace9a12c95c16e36fb233ddad819e053764eb475 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 9 Feb 2025 20:34:25 +0100
Subject: [PATCH 067/672] feat(profile): add profile for xdg-desktop-portal-validate-icon.
---
 .../xdg-desktop-portal-validate-icon | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon
new file mode 100644
index 000000000..2c6c37538
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/xdg-desktop-portal-validate-icon
+profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability dac_override,
+
+ @{exec_path} mrix,
+
+ @{bin}/bwrap ix,
+
+ owner @{tmp}/icon@{rand6} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 5ea339803a4cbf8d0d359a261b9a31fe84dc03cd Mon Sep 17 00:00:00 2001
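Review bot: `capability dac_override,` lets this helper bypass file permission checks, yet the only file it is granted is `owner @{tmp}/icon@{rand6} r,`, and `@{bin}/bwrap ix,` means the sandbox launcher inherits the same profile and therefore the same capability. If the capability is only needed where bwrap is installed setuid-root, a comment stating that, e.g. `capability dac_override, # only needed for setuid bwrap`, documents the reason and tells packagers on distributions with unprivileged user namespaces that it can be dropped; otherwise consider removing it and watching the log, since the flags manifest hunk above keeps the profile in complain mode.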
From: Alexandre Pujol Date: Sun, 9 Feb 2025 20:39:44 +0100 Subject: [PATCH 068/672] chore: fix typo & cosmetic. --- apparmor.d/abstractions/app/open | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index be4eda72d..2b865457c 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -11,15 +11,15 @@ # We cannot use `@{open_path} mrix,` here because it includes: # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop - # And `@{multiarch}` as a wildcard that cannot be merged and that will generate + # And `@{multiarch}` has a wildcard that cannot be merged and that will generate # "has merged rule with conflicting x modifiers" error when used with other # wilcard over PUx transition. - @{bin}/exo-open mrix, - @{bin}/xdg-open mrix, - @{bin}/gio mrix, - @{bin}/kde-open mrix, - @{bin}/gio-launch-desktop mrix, - @{lib}/gio-launch-desktop mrix, + @{bin}/exo-open mrix, + @{bin}/xdg-open mrix, + @{bin}/gio mrix, + @{bin}/kde-open mrix, + @{bin}/gio-launch-desktop mrix, + @{lib}/gio-launch-desktop mrix, @{bin}/env rix, @{sh_path} r, From e5aad04be45270297eb709743bf5a5cea47964e7 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 9 Feb 2025 21:07:43 +0100 Subject: [PATCH 069/672] Update dkms (#663) --- apparmor.d/profiles-a-f/dkms | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index ecf1d1c64..75487fbec 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms 
@@ -28,11 +28,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 @{coreutils_path} rix,
 @{bin}/as rix,
 @{bin}/bc rix,
+ @{bin}/clang-@{version} rix,
 @{bin}/gcc rix,
 @{bin}/getconf rix,
 @{bin}/kill rix,
 @{bin}/kmod rCx -> kmod,
 @{bin}/ld rix,
+ @{bin}/ld.lld rix,
+ @{bin}/llvm-objcopy rix,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/make rix,
 @{bin}/objcopy rix,
@@ -47,10 +50,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 @{lib}/linux-kbuild-*/scripts/** rix,
 @{lib}/linux-kbuild-*/tools/objtool/objtool rix,
 @{lib}/llvm-[0-9]*/bin/clang rix,
+ @{lib}/modules/*/build/arch/x86/** rix,
+ @{lib}/modules/*/build/include/** rix,
 @{lib}/modules/*/build/scripts/** rix,
 @{lib}/modules/*/build/tools/** rix,
+ @{lib}/os-release rix,
 /var/lib/dkms/**/build/* rix,
+ /var/lib/dkms/vboxhost/*/build/** rw,
 /var/lib/dkms/**/configure rix,
 /var/lib/dkms/**/dkms.postbuild rix,
@@ -94,9 +101,13 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/sh-thd.* rw,
 owner @{tmp}/tmp.* rw,
+ @{PROC}/cpuinfo r,
 @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/vm/overcommit_memory r,
 owner @{PROC}/@{pid}/fd/ r,
+ /dev/pts/@{int} rw,
+ profile kmod {
 include include
From 9304c9a668e656047aa4ca97ca506f92780b6dfe Mon Sep 17 00:00:00 2001
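Review bot: `@{lib}/os-release rix,` in the second hunk grants execute on a plain data file; os-release is sourced (read) by build scripts, not executed, so `@{lib}/os-release r,` is the permission actually needed and the `ix` was presumably copied from the neighbouring script rules. `@{lib}/modules/*/build/include/** rix,` a few lines above raises the same question, since kernel headers are not executed and `r` should suffice unless the audit log shows a script under include/ being run. Lastly, `/var/lib/dkms/vboxhost/*/build/** rw,` hard-codes one module name where every sibling rule uses `**`; if write access to the build tree is needed for all modules, `/var/lib/dkms/**/build/** rw,` is the consistent form, otherwise a comment should say why vboxhost is special. The dkms profile body continues outside these hunks.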
From: Alexandre Pujol Date: Sun, 9 Feb 2025 21:46:10 +0100 Subject: [PATCH 070/672] refractor: moce a lot of profiles inside they own groups. --- .../{profiles-a-f => groups/apparmor}/aa-enabled | 0 .../{profiles-a-f => groups/apparmor}/aa-enforce | 0 apparmor.d/{profiles-a-f => groups/apparmor}/aa-log | 0 apparmor.d/{profiles-a-f => groups/apparmor}/aa-notify | 0 apparmor.d/{profiles-a-f => groups/apparmor}/aa-status | 0 .../{profiles-a-f => groups/apparmor}/aa-teardown | 0 .../{profiles-a-f => groups/apparmor}/aa-unconfined | 0 .../{profiles-a-f => groups/apparmor}/apparmor.systemd | 0 .../{profiles-a-f => groups/apparmor}/apparmor_parser | 0 .../{profiles-a-f => groups/cups}/cups-backend-beh | 0 .../cups}/cups-backend-bluetooth | 0 .../{profiles-a-f => groups/cups}/cups-backend-brf | 0 .../{profiles-a-f => groups/cups}/cups-backend-dnssd | 0 .../{profiles-a-f => groups/cups}/cups-backend-hp | 0 .../cups}/cups-backend-implicitclass | 0 .../{profiles-a-f => groups/cups}/cups-backend-ipp | 0 .../{profiles-a-f => groups/cups}/cups-backend-lpd | 0 .../{profiles-a-f => groups/cups}/cups-backend-mdns | 0 .../cups}/cups-backend-parallel | 0 .../{profiles-a-f => groups/cups}/cups-backend-pdf | 0 .../{profiles-a-f => groups/cups}/cups-backend-serial | 0 .../{profiles-a-f => groups/cups}/cups-backend-snmp | 0 .../{profiles-a-f => groups/cups}/cups-backend-socket | 0 .../{profiles-a-f => groups/cups}/cups-backend-usb | 0 apparmor.d/{profiles-a-f => groups/cups}/cups-browsed | 0 .../{profiles-a-f => groups/cups}/cups-notifier-dbus | 0 .../{profiles-a-f => groups/cups}/cups-notifier-mailto | 0 .../{profiles-a-f => groups/cups}/cups-notifier-rss | 0 .../cups}/cups-pk-helper-mechanism | 0 apparmor.d/{profiles-a-f => groups/cups}/cupsd | 0 apparmor.d/{profiles-a-f => groups/flatpak}/flatpak | 0 .../{profiles-a-f => groups/flatpak}/flatpak-app | 0 .../flatpak}/flatpak-oci-authenticator | 0 .../{profiles-a-f => groups/flatpak}/flatpak-portal | 0 .../flatpak}/flatpak-session-helper 
| 0 .../flatpak}/flatpak-system-helper | 0 .../flatpak}/flatpak-validate-icon | 0 apparmor.d/{profiles-s-z => groups/snap}/snap | 0 .../{profiles-s-z => groups/snap}/snap-bootstrap | 0 .../{profiles-s-z => groups/snap}/snap-device-helper | 0 .../{profiles-s-z => groups/snap}/snap-discard-ns | 0 apparmor.d/{profiles-s-z => groups/snap}/snap-failure | 0 apparmor.d/{profiles-s-z => groups/snap}/snap-repair | 0 apparmor.d/{profiles-s-z => groups/snap}/snap-seccomp | 0 .../{profiles-s-z => groups/snap}/snap-update-ns | 0 apparmor.d/{profiles-s-z => groups/snap}/snapd | 0 .../snap}/snapd-aa-prompt-listener | 0 .../{profiles-s-z => groups/snap}/snapd-aa-prompt-ui | 0 .../{profiles-s-z => groups/snap}/snapd-apparmor | 0 .../{profiles-s-z => groups/snap}/snapd-core-fixup | 0 apparmor.d/{profiles-s-z => groups/steam}/steam | 0 .../{profiles-s-z => groups/steam}/steam-fossilize | 0 .../{profiles-s-z => groups/steam}/steam-game-native | 0 .../{profiles-s-z => groups/steam}/steam-game-proton | 0 .../{profiles-s-z => groups/steam}/steam-gameoverlayui | 0 apparmor.d/{profiles-s-z => groups/steam}/steam-launch | 0 .../{profiles-s-z => groups/steam}/steam-launcher | 0 .../{profiles-s-z => groups/steam}/steam-runtime | 0 .../steam}/steam-runtime-steam-remote | 0 .../{profiles-s-z => groups/steam}/steamerrorreporter | 0 dists/ignore/main.ignore | 10 +--------- 61 files changed, 1 insertion(+), 9 deletions(-) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-enabled (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-enforce (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-log (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-notify (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-status (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-teardown (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-unconfined (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/apparmor.systemd (100%) rename 
apparmor.d/{profiles-a-f => groups/apparmor}/apparmor_parser (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-beh (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-bluetooth (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-brf (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-dnssd (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-hp (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-implicitclass (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-ipp (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-lpd (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-mdns (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-parallel (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-pdf (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-serial (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-snmp (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-socket (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-usb (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-browsed (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-notifier-dbus (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-notifier-mailto (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-notifier-rss (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-pk-helper-mechanism (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cupsd (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-app (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-oci-authenticator (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-portal (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-session-helper (100%) rename 
apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-system-helper (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-validate-icon (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-bootstrap (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-device-helper (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-discard-ns (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-failure (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-repair (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-seccomp (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-update-ns (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd-aa-prompt-listener (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd-aa-prompt-ui (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd-apparmor (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd-core-fixup (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-fossilize (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-game-native (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-game-proton (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-gameoverlayui (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-launch (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-launcher (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-runtime (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-runtime-steam-remote (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steamerrorreporter (100%) diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/groups/apparmor/aa-enabled similarity index 100% rename from apparmor.d/profiles-a-f/aa-enabled rename to apparmor.d/groups/apparmor/aa-enabled 
diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce similarity index 100% rename from apparmor.d/profiles-a-f/aa-enforce rename to apparmor.d/groups/apparmor/aa-enforce diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/groups/apparmor/aa-log similarity index 100% rename from apparmor.d/profiles-a-f/aa-log rename to apparmor.d/groups/apparmor/aa-log diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/groups/apparmor/aa-notify similarity index 100% rename from apparmor.d/profiles-a-f/aa-notify rename to apparmor.d/groups/apparmor/aa-notify diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/groups/apparmor/aa-status similarity index 100% rename from apparmor.d/profiles-a-f/aa-status rename to apparmor.d/groups/apparmor/aa-status diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/groups/apparmor/aa-teardown similarity index 100% rename from apparmor.d/profiles-a-f/aa-teardown rename to apparmor.d/groups/apparmor/aa-teardown diff --git a/apparmor.d/profiles-a-f/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined similarity index 100% rename from apparmor.d/profiles-a-f/aa-unconfined rename to apparmor.d/groups/apparmor/aa-unconfined diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd similarity index 100% rename from apparmor.d/profiles-a-f/apparmor.systemd rename to apparmor.d/groups/apparmor/apparmor.systemd diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser similarity index 100% rename from apparmor.d/profiles-a-f/apparmor_parser rename to apparmor.d/groups/apparmor/apparmor_parser diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-beh rename to apparmor.d/groups/cups/cups-backend-beh 
diff --git a/apparmor.d/profiles-a-f/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-bluetooth rename to apparmor.d/groups/cups/cups-backend-bluetooth diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-brf rename to apparmor.d/groups/cups/cups-backend-brf diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-dnssd rename to apparmor.d/groups/cups/cups-backend-dnssd diff --git a/apparmor.d/profiles-a-f/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-hp rename to apparmor.d/groups/cups/cups-backend-hp diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-implicitclass rename to apparmor.d/groups/cups/cups-backend-implicitclass diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-ipp rename to apparmor.d/groups/cups/cups-backend-ipp diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-lpd rename to apparmor.d/groups/cups/cups-backend-lpd diff --git a/apparmor.d/profiles-a-f/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-mdns rename to apparmor.d/groups/cups/cups-backend-mdns 
diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-parallel rename to apparmor.d/groups/cups/cups-backend-parallel diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-pdf rename to apparmor.d/groups/cups/cups-backend-pdf diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-serial rename to apparmor.d/groups/cups/cups-backend-serial diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-snmp rename to apparmor.d/groups/cups/cups-backend-snmp diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-socket rename to apparmor.d/groups/cups/cups-backend-socket diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-usb rename to apparmor.d/groups/cups/cups-backend-usb diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/groups/cups/cups-browsed similarity index 100% rename from apparmor.d/profiles-a-f/cups-browsed rename to apparmor.d/groups/cups/cups-browsed diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus similarity index 100% rename from apparmor.d/profiles-a-f/cups-notifier-dbus rename to apparmor.d/groups/cups/cups-notifier-dbus 
diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/groups/cups/cups-notifier-mailto similarity index 100% rename from apparmor.d/profiles-a-f/cups-notifier-mailto rename to apparmor.d/groups/cups/cups-notifier-mailto diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/groups/cups/cups-notifier-rss similarity index 100% rename from apparmor.d/profiles-a-f/cups-notifier-rss rename to apparmor.d/groups/cups/cups-notifier-rss diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism similarity index 100% rename from apparmor.d/profiles-a-f/cups-pk-helper-mechanism rename to apparmor.d/groups/cups/cups-pk-helper-mechanism diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/groups/cups/cupsd similarity index 100% rename from apparmor.d/profiles-a-f/cupsd rename to apparmor.d/groups/cups/cupsd diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/groups/flatpak/flatpak similarity index 100% rename from apparmor.d/profiles-a-f/flatpak rename to apparmor.d/groups/flatpak/flatpak diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-app rename to apparmor.d/groups/flatpak/flatpak-app diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/groups/flatpak/flatpak-oci-authenticator similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-oci-authenticator rename to apparmor.d/groups/flatpak/flatpak-oci-authenticator diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-portal rename to apparmor.d/groups/flatpak/flatpak-portal 
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-session-helper rename to apparmor.d/groups/flatpak/flatpak-session-helper diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-system-helper rename to apparmor.d/groups/flatpak/flatpak-system-helper diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/groups/flatpak/flatpak-validate-icon similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-validate-icon rename to apparmor.d/groups/flatpak/flatpak-validate-icon diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/groups/snap/snap similarity index 100% rename from apparmor.d/profiles-s-z/snap rename to apparmor.d/groups/snap/snap diff --git a/apparmor.d/profiles-s-z/snap-bootstrap b/apparmor.d/groups/snap/snap-bootstrap similarity index 100% rename from apparmor.d/profiles-s-z/snap-bootstrap rename to apparmor.d/groups/snap/snap-bootstrap diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/groups/snap/snap-device-helper similarity index 100% rename from apparmor.d/profiles-s-z/snap-device-helper rename to apparmor.d/groups/snap/snap-device-helper diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns similarity index 100% rename from apparmor.d/profiles-s-z/snap-discard-ns rename to apparmor.d/groups/snap/snap-discard-ns diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/groups/snap/snap-failure similarity index 100% rename from apparmor.d/profiles-s-z/snap-failure rename to apparmor.d/groups/snap/snap-failure diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/groups/snap/snap-repair similarity index 100% rename from apparmor.d/profiles-s-z/snap-repair rename to apparmor.d/groups/snap/snap-repair 
diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp similarity index 100% rename from apparmor.d/profiles-s-z/snap-seccomp rename to apparmor.d/groups/snap/snap-seccomp diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns similarity index 100% rename from apparmor.d/profiles-s-z/snap-update-ns rename to apparmor.d/groups/snap/snap-update-ns diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/groups/snap/snapd similarity index 100% rename from apparmor.d/profiles-s-z/snapd rename to apparmor.d/groups/snap/snapd diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener similarity index 100% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-listener rename to apparmor.d/groups/snap/snapd-aa-prompt-listener diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui similarity index 100% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-ui rename to apparmor.d/groups/snap/snapd-aa-prompt-ui diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor similarity index 100% rename from apparmor.d/profiles-s-z/snapd-apparmor rename to apparmor.d/groups/snap/snapd-apparmor diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/groups/snap/snapd-core-fixup similarity index 100% rename from apparmor.d/profiles-s-z/snapd-core-fixup rename to apparmor.d/groups/snap/snapd-core-fixup diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/groups/steam/steam similarity index 100% rename from apparmor.d/profiles-s-z/steam rename to apparmor.d/groups/steam/steam diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/groups/steam/steam-fossilize similarity index 100% rename from apparmor.d/profiles-s-z/steam-fossilize rename to apparmor.d/groups/steam/steam-fossilize 
diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/groups/steam/steam-game-native similarity index 100% rename from apparmor.d/profiles-s-z/steam-game-native rename to apparmor.d/groups/steam/steam-game-native diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton similarity index 100% rename from apparmor.d/profiles-s-z/steam-game-proton rename to apparmor.d/groups/steam/steam-game-proton diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/groups/steam/steam-gameoverlayui similarity index 100% rename from apparmor.d/profiles-s-z/steam-gameoverlayui rename to apparmor.d/groups/steam/steam-gameoverlayui diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/groups/steam/steam-launch similarity index 100% rename from apparmor.d/profiles-s-z/steam-launch rename to apparmor.d/groups/steam/steam-launch diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/groups/steam/steam-launcher similarity index 100% rename from apparmor.d/profiles-s-z/steam-launcher rename to apparmor.d/groups/steam/steam-launcher diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/groups/steam/steam-runtime similarity index 100% rename from apparmor.d/profiles-s-z/steam-runtime rename to apparmor.d/groups/steam/steam-runtime diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/groups/steam/steam-runtime-steam-remote similarity index 100% rename from apparmor.d/profiles-s-z/steam-runtime-steam-remote rename to apparmor.d/groups/steam/steam-runtime-steam-remote diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter similarity index 100% rename from apparmor.d/profiles-s-z/steamerrorreporter rename to apparmor.d/groups/steam/steamerrorreporter diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 917b117f1..3cccf4c05 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore 
@@ -9,14 +9,6 @@ apparmor.d/groups/_full man # Work in progress profiles +apparmor.d/groups/steam dunst plasma-discover -steam -steam-fossilize -steam-game-native -steam-game-proton -steam-gameoverlayui -steam-launch -steam-launcher -steam-runtime -steamerrorreporter From fadc08b1ea0a7a887abef8f49d24c1e023336aed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 22:16:33 +0100 Subject: [PATCH 071/672] fix(test): update reference path for aa-status. --- pkg/aa/apparmor_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 0cc74d438..9d68596d3 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -237,7 +237,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { }, }}, }, - want: mustReadProfileFile(intData.Join("profiles-a-f/aa-status")), + want: mustReadProfileFile(intData.Join("groups/apparmor/aa-status")), }, } for _, tt := range tests { From 9d74168be2700f18b031ebd580553c6001caabf6 Mon Sep 17 00:00:00 2001 
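Review bot: `steam-runtime-steam-remote` is renamed into `apparmor.d/groups/steam` by this commit but was not among the nine per-profile entries this hunk removes, so the new directory-wide `apparmor.d/groups/steam` line would newly exclude it from the main distribution if directory entries are matched as path prefixes. If that profile is meant to stay shipped, keep a per-profile list or move it out of the directory entry. The prefix-matching behaviour is inferred from the shape of the change rather than from the ignore-file semantics, which are not visible here.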
From: Alexandre Pujol Date: Mon, 10 Feb 2025 00:20:15 +0100 Subject: [PATCH 072/672] refractor: move more profiles to groups. --- apparmor.d/{profiles-a-f => groups/cron}/anacron | 0 apparmor.d/{profiles-g-l => groups/procps}/htop | 0 apparmor.d/{profiles-m-r => groups/procps}/ps | 0 apparmor.d/{profiles-s-z => groups/procps}/sysctl | 0 apparmor.d/{profiles-s-z => groups/procps}/top | 0 apparmor.d/{profiles-s-z => groups/procps}/uptime | 0 apparmor.d/{profiles-s-z => groups/procps}/w | 0 apparmor.d/{profiles-a-f => groups/shadow}/chage | 0 apparmor.d/{profiles-a-f => groups/shadow}/chpasswd | 0 apparmor.d/{profiles-g-l => groups/shadow}/gpasswd | 0 apparmor.d/{profiles-g-l => groups/shadow}/groupadd | 0 apparmor.d/{profiles-g-l => groups/shadow}/groupdel | 0 apparmor.d/{profiles-g-l => groups/shadow}/groupmod | 0 apparmor.d/{profiles-g-l => groups/shadow}/grpck | 0 apparmor.d/{profiles-g-l => groups/shadow}/lastlog | 0 apparmor.d/{profiles-m-r => groups/shadow}/newgidmap | 0 apparmor.d/{profiles-m-r => groups/shadow}/newuidmap | 0 apparmor.d/{profiles-m-r => groups/shadow}/passwd | 0 apparmor.d/{profiles-m-r => groups/shadow}/pwck | 0 apparmor.d/{profiles-s-z => groups/shadow}/useradd | 0 apparmor.d/{profiles-s-z => groups/shadow}/userdel | 0 apparmor.d/{profiles-s-z => groups/shadow}/usermod | 0 apparmor.d/{profiles-a-f => groups/utils}/agetty | 0 apparmor.d/{profiles-a-f => groups/utils}/blkid | 0 apparmor.d/{profiles-a-f => groups/utils}/blockdev | 0 apparmor.d/{profiles-a-f => groups/utils}/chfn | 0 apparmor.d/{profiles-a-f => groups/utils}/chsh | 0 apparmor.d/{profiles-a-f => groups/utils}/df | 0 apparmor.d/{profiles-a-f => groups/utils}/eject | 0 apparmor.d/{profiles-a-f => groups/utils}/findmnt | 0 apparmor.d/{profiles-a-f => groups/utils}/fsck | 0 apparmor.d/{profiles-a-f => groups/utils}/fstrim | 0 apparmor.d/{profiles-g-l => groups/utils}/locale-gen | 0 apparmor.d/{profiles-g-l => groups/utils}/login | 0 apparmor.d/{profiles-g-l => groups/utils}/losetup | 
0 apparmor.d/{profiles-g-l => groups/utils}/lsblk | 0 apparmor.d/{profiles-g-l => groups/utils}/lscpu | 0 apparmor.d/{profiles-g-l => groups/utils}/lspci | 0 apparmor.d/{profiles-m-r => groups/utils}/newgrp | 0 apparmor.d/{profiles-m-r => groups/utils}/nologin | 0 apparmor.d/{profiles-m-r => groups/utils}/pstree | 0 apparmor.d/{profiles-s-z => groups/utils}/su | 0 apparmor.d/{profiles-s-z => groups/utils}/sulogin | 0 apparmor.d/{profiles-s-z => groups/utils}/swapon | 0 apparmor.d/{profiles-s-z => groups/utils}/sync | 0 apparmor.d/{profiles-s-z => groups/utils}/uname | 0 apparmor.d/{profiles-s-z => groups/utils}/users | 0 apparmor.d/{profiles-s-z => groups/utils}/uuidd | 0 apparmor.d/{profiles-s-z => groups/utils}/uuidgen | 0 apparmor.d/{profiles-s-z => groups/utils}/who | 0 apparmor.d/groups/{systemd => utils}/zramctl | 0 51 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/{profiles-a-f => groups/cron}/anacron (100%) rename apparmor.d/{profiles-g-l => groups/procps}/htop (100%) rename apparmor.d/{profiles-m-r => groups/procps}/ps (100%) rename apparmor.d/{profiles-s-z => groups/procps}/sysctl (100%) rename apparmor.d/{profiles-s-z => groups/procps}/top (100%) rename apparmor.d/{profiles-s-z => groups/procps}/uptime (100%) rename apparmor.d/{profiles-s-z => groups/procps}/w (100%) rename apparmor.d/{profiles-a-f => groups/shadow}/chage (100%) rename apparmor.d/{profiles-a-f => groups/shadow}/chpasswd (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/gpasswd (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/groupadd (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/groupdel (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/groupmod (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/grpck (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/lastlog (100%) rename apparmor.d/{profiles-m-r => groups/shadow}/newgidmap (100%) rename apparmor.d/{profiles-m-r => groups/shadow}/newuidmap (100%) rename 
apparmor.d/{profiles-m-r => groups/shadow}/passwd (100%) rename apparmor.d/{profiles-m-r => groups/shadow}/pwck (100%) rename apparmor.d/{profiles-s-z => groups/shadow}/useradd (100%) rename apparmor.d/{profiles-s-z => groups/shadow}/userdel (100%) rename apparmor.d/{profiles-s-z => groups/shadow}/usermod (100%) rename apparmor.d/{profiles-a-f => groups/utils}/agetty (100%) rename apparmor.d/{profiles-a-f => groups/utils}/blkid (100%) rename apparmor.d/{profiles-a-f => groups/utils}/blockdev (100%) rename apparmor.d/{profiles-a-f => groups/utils}/chfn (100%) rename apparmor.d/{profiles-a-f => groups/utils}/chsh (100%) rename apparmor.d/{profiles-a-f => groups/utils}/df (100%) rename apparmor.d/{profiles-a-f => groups/utils}/eject (100%) rename apparmor.d/{profiles-a-f => groups/utils}/findmnt (100%) rename apparmor.d/{profiles-a-f => groups/utils}/fsck (100%) rename apparmor.d/{profiles-a-f => groups/utils}/fstrim (100%) rename apparmor.d/{profiles-g-l => groups/utils}/locale-gen (100%) rename apparmor.d/{profiles-g-l => groups/utils}/login (100%) rename apparmor.d/{profiles-g-l => groups/utils}/losetup (100%) rename apparmor.d/{profiles-g-l => groups/utils}/lsblk (100%) rename apparmor.d/{profiles-g-l => groups/utils}/lscpu (100%) rename apparmor.d/{profiles-g-l => groups/utils}/lspci (100%) rename apparmor.d/{profiles-m-r => groups/utils}/newgrp (100%) rename apparmor.d/{profiles-m-r => groups/utils}/nologin (100%) rename apparmor.d/{profiles-m-r => groups/utils}/pstree (100%) rename apparmor.d/{profiles-s-z => groups/utils}/su (100%) rename apparmor.d/{profiles-s-z => groups/utils}/sulogin (100%) rename apparmor.d/{profiles-s-z => groups/utils}/swapon (100%) rename apparmor.d/{profiles-s-z => groups/utils}/sync (100%) rename apparmor.d/{profiles-s-z => groups/utils}/uname (100%) rename apparmor.d/{profiles-s-z => groups/utils}/users (100%) rename apparmor.d/{profiles-s-z => groups/utils}/uuidd (100%) rename apparmor.d/{profiles-s-z => groups/utils}/uuidgen 
(100%) rename apparmor.d/{profiles-s-z => groups/utils}/who (100%) rename apparmor.d/groups/{systemd => utils}/zramctl (100%)
diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/groups/cron/anacron
similarity index 100%
rename from apparmor.d/profiles-a-f/anacron
rename to apparmor.d/groups/cron/anacron
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/groups/procps/htop
similarity index 100%
rename from apparmor.d/profiles-g-l/htop
rename to apparmor.d/groups/procps/htop
diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/groups/procps/ps
similarity index 100%
rename from apparmor.d/profiles-m-r/ps
rename to apparmor.d/groups/procps/ps
diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/groups/procps/sysctl
similarity index 100%
rename from apparmor.d/profiles-s-z/sysctl
rename to apparmor.d/groups/procps/sysctl
diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/groups/procps/top
similarity index 100%
rename from apparmor.d/profiles-s-z/top
rename to apparmor.d/groups/procps/top
diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/groups/procps/uptime
similarity index 100%
rename from apparmor.d/profiles-s-z/uptime
rename to apparmor.d/groups/procps/uptime
diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/groups/procps/w
similarity index 100%
rename from apparmor.d/profiles-s-z/w
rename to apparmor.d/groups/procps/w
diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/groups/shadow/chage
similarity index 100%
rename from apparmor.d/profiles-a-f/chage
rename to apparmor.d/groups/shadow/chage
diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/groups/shadow/chpasswd
similarity index 100%
rename from apparmor.d/profiles-a-f/chpasswd
rename to apparmor.d/groups/shadow/chpasswd
diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/groups/shadow/gpasswd
similarity index 100%
rename from apparmor.d/profiles-g-l/gpasswd
rename to apparmor.d/groups/shadow/gpasswd
diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/groups/shadow/groupadd
similarity index 100%
rename from apparmor.d/profiles-g-l/groupadd
rename to apparmor.d/groups/shadow/groupadd
diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/groups/shadow/groupdel
similarity index 100%
rename from apparmor.d/profiles-g-l/groupdel
rename to apparmor.d/groups/shadow/groupdel
diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/groups/shadow/groupmod
similarity index 100%
rename from apparmor.d/profiles-g-l/groupmod
rename to apparmor.d/groups/shadow/groupmod
diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/groups/shadow/grpck
similarity index 100%
rename from apparmor.d/profiles-g-l/grpck
rename to apparmor.d/groups/shadow/grpck
diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/groups/shadow/lastlog
similarity index 100%
rename from apparmor.d/profiles-g-l/lastlog
rename to apparmor.d/groups/shadow/lastlog
diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/groups/shadow/newgidmap
similarity index 100%
rename from apparmor.d/profiles-m-r/newgidmap
rename to apparmor.d/groups/shadow/newgidmap
diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/groups/shadow/newuidmap
similarity index 100%
rename from apparmor.d/profiles-m-r/newuidmap
rename to apparmor.d/groups/shadow/newuidmap
diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/groups/shadow/passwd
similarity index 100%
rename from apparmor.d/profiles-m-r/passwd
rename to apparmor.d/groups/shadow/passwd
diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/groups/shadow/pwck
similarity index 100%
rename from apparmor.d/profiles-m-r/pwck
rename to apparmor.d/groups/shadow/pwck
diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/groups/shadow/useradd
similarity index 100%
rename from apparmor.d/profiles-s-z/useradd
rename to apparmor.d/groups/shadow/useradd
diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/groups/shadow/userdel
similarity index 100%
rename from apparmor.d/profiles-s-z/userdel
rename to apparmor.d/groups/shadow/userdel
diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/groups/shadow/usermod
similarity index 100%
rename from apparmor.d/profiles-s-z/usermod
rename to apparmor.d/groups/shadow/usermod
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/groups/utils/agetty
similarity index 100%
rename from apparmor.d/profiles-a-f/agetty
rename to apparmor.d/groups/utils/agetty
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/groups/utils/blkid
similarity index 100%
rename from apparmor.d/profiles-a-f/blkid
rename to apparmor.d/groups/utils/blkid
diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/groups/utils/blockdev
similarity index 100%
rename from apparmor.d/profiles-a-f/blockdev
rename to apparmor.d/groups/utils/blockdev
diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/groups/utils/chfn
similarity index 100%
rename from apparmor.d/profiles-a-f/chfn
rename to apparmor.d/groups/utils/chfn
diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/groups/utils/chsh
similarity index 100%
rename from apparmor.d/profiles-a-f/chsh
rename to apparmor.d/groups/utils/chsh
diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/groups/utils/df
similarity index 100%
rename from apparmor.d/profiles-a-f/df
rename to apparmor.d/groups/utils/df
diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/groups/utils/eject
similarity index 100%
rename from apparmor.d/profiles-a-f/eject
rename to apparmor.d/groups/utils/eject
diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/groups/utils/findmnt
similarity index 100%
rename from apparmor.d/profiles-a-f/findmnt
rename to apparmor.d/groups/utils/findmnt
diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/groups/utils/fsck
similarity index 100%
rename from apparmor.d/profiles-a-f/fsck
rename to apparmor.d/groups/utils/fsck
diff --git a/apparmor.d/profiles-a-f/fstrim b/apparmor.d/groups/utils/fstrim
similarity index 100%
rename from apparmor.d/profiles-a-f/fstrim
rename to apparmor.d/groups/utils/fstrim
diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/groups/utils/locale-gen
similarity index 100%
rename from apparmor.d/profiles-g-l/locale-gen
rename to apparmor.d/groups/utils/locale-gen
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/groups/utils/login
similarity index 100%
rename from apparmor.d/profiles-g-l/login
rename to apparmor.d/groups/utils/login
diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/groups/utils/losetup
similarity index 100%
rename from apparmor.d/profiles-g-l/losetup
rename to apparmor.d/groups/utils/losetup
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/groups/utils/lsblk
similarity index 100%
rename from apparmor.d/profiles-g-l/lsblk
rename to apparmor.d/groups/utils/lsblk
diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/groups/utils/lscpu
similarity index 100%
rename from apparmor.d/profiles-g-l/lscpu
rename to apparmor.d/groups/utils/lscpu
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/groups/utils/lspci
similarity index 100%
rename from apparmor.d/profiles-g-l/lspci
rename to apparmor.d/groups/utils/lspci
diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/groups/utils/newgrp
similarity index 100%
rename from apparmor.d/profiles-m-r/newgrp
rename to apparmor.d/groups/utils/newgrp
diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/groups/utils/nologin
similarity index 100%
rename from apparmor.d/profiles-m-r/nologin
rename to apparmor.d/groups/utils/nologin
diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/groups/utils/pstree
similarity index 100%
rename from apparmor.d/profiles-m-r/pstree
rename to apparmor.d/groups/utils/pstree
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/groups/utils/su
similarity index 100%
rename from apparmor.d/profiles-s-z/su
rename to apparmor.d/groups/utils/su
diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/groups/utils/sulogin
similarity index 100%
rename from apparmor.d/profiles-s-z/sulogin
rename to apparmor.d/groups/utils/sulogin
diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/groups/utils/swapon
similarity index 100%
rename from apparmor.d/profiles-s-z/swapon
rename to apparmor.d/groups/utils/swapon
diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/groups/utils/sync
similarity index 100%
rename from apparmor.d/profiles-s-z/sync
rename to apparmor.d/groups/utils/sync
diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/groups/utils/uname
similarity index 100%
rename from apparmor.d/profiles-s-z/uname
rename to apparmor.d/groups/utils/uname
diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/groups/utils/users
similarity index 100%
rename from apparmor.d/profiles-s-z/users
rename to apparmor.d/groups/utils/users
diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/groups/utils/uuidd
similarity index 100%
rename from apparmor.d/profiles-s-z/uuidd
rename to apparmor.d/groups/utils/uuidd
diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/groups/utils/uuidgen
similarity index 100%
rename from apparmor.d/profiles-s-z/uuidgen
rename to apparmor.d/groups/utils/uuidgen
diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/groups/utils/who
similarity index 100%
rename from apparmor.d/profiles-s-z/who
rename to apparmor.d/groups/utils/who
diff --git a/apparmor.d/groups/systemd/zramctl b/apparmor.d/groups/utils/zramctl
similarity index 100%
rename from apparmor.d/groups/systemd/zramctl
rename to apparmor.d/groups/utils/zramctl
From 33681e14f22c8738d04caa3e89433b643f6932fe Mon Sep 17 00:00:00 2001
From: Alexandre Pujol Date: Thu, 13 Feb 2025 19:12:48 +0100 Subject: [PATCH 073/672] refractor: tests/bats -> tests/integration --- .github/workflows/main.yml | 4 ++-- Makefile | 6 +++--- tests/{bats => integration}/aa-enforce.bats | 0 tests/{bats => integration}/aa-status.bats | 0 tests/{bats => integration}/blkid.bats | 0 tests/{bats => integration}/chsh.bats | 0 tests/{bats => integration}/common.bash | 0 tests/{bats => integration}/cpuid.bats | 0 tests/{bats => integration}/df.bats | 0 tests/{bats => integration}/dfc.bats | 0 tests/{bats => integration}/dmesg.bats | 0 tests/{bats => integration}/fc-cache.bats | 0 tests/{bats => integration}/fc-list.bats | 0 tests/{bats => integration}/flatpak.bats | 0 tests/{bats => integration}/fwupdmgr.bats | 0 tests/{bats => integration}/gpgconf.bats | 0 tests/{bats => integration}/groupadd.bats | 0 tests/{bats => integration}/groups.bats | 0 tests/{bats => integration}/homectl.bats | 0 tests/{bats => integration}/hostnamectl.bats | 0 tests/{bats => integration}/id.bats | 0 tests/{bats => integration}/ip.bats | 0 tests/{bats => integration}/lsblk.bats | 0 tests/{bats => integration}/lscpu.bats | 0 tests/{bats => integration}/lspci.bats | 0 tests/{bats => integration}/lsusb.bats | 0 tests/{bats => integration}/needrestart.bats | 0 tests/{bats => integration}/ps.bats | 0 tests/{bats => integration}/pstree.bats | 0 tests/{bats => integration}/snap.bats | 0 tests/{bats => integration}/sync.bats | 0 tests/{bats => integration}/sysctl.bats | 0 tests/{bats => integration}/systemd-ac-power.bats | 0 tests/{bats => integration}/systemd-analyze.bats | 0 tests/{bats => integration}/systemd-cat.bats | 0 tests/{bats => integration}/systemd-cgls.bats | 0 tests/{bats => integration}/systemd-detect-virt.bats | 0 tests/{bats => integration}/systemd-id128.bats | 0 tests/{bats => integration}/systemd-sysusers.bats | 0 tests/{bats => integration}/uname.bats | 0 tests/{bats => integration}/upower.bats | 0 tests/{bats => integration}/uptime.bats | 
0 tests/{bats => integration}/useradd.bats | 0 tests/{bats => integration}/userdbctl.bats | 0 tests/{bats => integration}/users.bats | 0 tests/{bats => integration}/uuidd.bats | 0 tests/{bats => integration}/uuidgen.bats | 0 tests/{bats => integration}/w.bats | 0 tests/{bats => integration}/who.bats | 0 49 files changed, 5 insertions(+), 5 deletions(-) rename tests/{bats => integration}/aa-enforce.bats (100%) rename tests/{bats => integration}/aa-status.bats (100%) rename tests/{bats => integration}/blkid.bats (100%) rename tests/{bats => integration}/chsh.bats (100%) rename tests/{bats => integration}/common.bash (100%) rename tests/{bats => integration}/cpuid.bats (100%) rename tests/{bats => integration}/df.bats (100%) rename tests/{bats => integration}/dfc.bats (100%) rename tests/{bats => integration}/dmesg.bats (100%) rename tests/{bats => integration}/fc-cache.bats (100%) rename tests/{bats => integration}/fc-list.bats (100%) rename tests/{bats => integration}/flatpak.bats (100%) rename tests/{bats => integration}/fwupdmgr.bats (100%) rename tests/{bats => integration}/gpgconf.bats (100%) rename tests/{bats => integration}/groupadd.bats (100%) rename tests/{bats => integration}/groups.bats (100%) rename tests/{bats => integration}/homectl.bats (100%) rename tests/{bats => integration}/hostnamectl.bats (100%) rename tests/{bats => integration}/id.bats (100%) rename tests/{bats => integration}/ip.bats (100%) rename tests/{bats => integration}/lsblk.bats (100%) rename tests/{bats => integration}/lscpu.bats (100%) rename tests/{bats => integration}/lspci.bats (100%) rename tests/{bats => integration}/lsusb.bats (100%) rename tests/{bats => integration}/needrestart.bats (100%) rename tests/{bats => integration}/ps.bats (100%) rename tests/{bats => integration}/pstree.bats (100%) rename tests/{bats => integration}/snap.bats (100%) rename tests/{bats => integration}/sync.bats (100%) rename tests/{bats => integration}/sysctl.bats (100%) rename tests/{bats => 
integration}/systemd-ac-power.bats (100%) rename tests/{bats => integration}/systemd-analyze.bats (100%) rename tests/{bats => integration}/systemd-cat.bats (100%) rename tests/{bats => integration}/systemd-cgls.bats (100%) rename tests/{bats => integration}/systemd-detect-virt.bats (100%) rename tests/{bats => integration}/systemd-id128.bats (100%) rename tests/{bats => integration}/systemd-sysusers.bats (100%) rename tests/{bats => integration}/uname.bats (100%) rename tests/{bats => integration}/upower.bats (100%) rename tests/{bats => integration}/uptime.bats (100%) rename tests/{bats => integration}/useradd.bats (100%) rename tests/{bats => integration}/userdbctl.bats (100%) rename tests/{bats => integration}/users.bats (100%) rename tests/{bats => integration}/uuidd.bats (100%) rename tests/{bats => integration}/uuidgen.bats (100%) rename tests/{bats => integration}/w.bats (100%) rename tests/{bats => integration}/who.bats (100%) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 75fa5c051..c97229256 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -125,9 +125,9 @@ jobs: run: | bash tests/requirements.sh - - name: Run the bats integration tests + - name: Run the integration tests run: | - make bats + make integration - name: Show final AppArmor logs if: always() diff --git a/Makefile b/Makefile index 7de055c9f..90dacd5c0 100644 --- a/Makefile +++ b/Makefile @@ -111,9 +111,9 @@ lint: check: @bash tests/check.sh -.PHONY: bats -bats: - @bats --timing --print-output-on-failure tests/bats/ +.PHONY: integration +integration : + @bats --timing --print-output-on-failure tests/integration/ .PHONY: manual manual: diff --git a/tests/bats/aa-enforce.bats b/tests/integration/aa-enforce.bats similarity index 100% rename from tests/bats/aa-enforce.bats rename to tests/integration/aa-enforce.bats 
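Review bot: The renamed Makefile target is written `integration :` with a space before the colon, unlike the neighbouring `check:`, `lint:` and `manual:` rules in the same hunk; GNU make accepts the form, but it is inconsistent and easy to misread, so the rule line should be `integration:`. The `.PHONY: integration` declaration just above already uses the bare name, so only the rule line needs the change. The main.yml hunk in this commit is a matching rename of the step name and the `make integration` invocation and needs nothing further.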
diff --git a/tests/bats/aa-status.bats b/tests/integration/aa-status.bats
similarity index 100%
rename from tests/bats/aa-status.bats
rename to tests/integration/aa-status.bats
diff --git a/tests/bats/blkid.bats b/tests/integration/blkid.bats
similarity index 100%
rename from tests/bats/blkid.bats
rename to tests/integration/blkid.bats
diff --git a/tests/bats/chsh.bats b/tests/integration/chsh.bats
similarity index 100%
rename from tests/bats/chsh.bats
rename to tests/integration/chsh.bats
diff --git a/tests/bats/common.bash b/tests/integration/common.bash
similarity index 100%
rename from tests/bats/common.bash
rename to tests/integration/common.bash
diff --git a/tests/bats/cpuid.bats b/tests/integration/cpuid.bats
similarity index 100%
rename from tests/bats/cpuid.bats
rename to tests/integration/cpuid.bats
diff --git a/tests/bats/df.bats b/tests/integration/df.bats
similarity index 100%
rename from tests/bats/df.bats
rename to tests/integration/df.bats
diff --git a/tests/bats/dfc.bats b/tests/integration/dfc.bats
similarity index 100%
rename from tests/bats/dfc.bats
rename to tests/integration/dfc.bats
diff --git a/tests/bats/dmesg.bats b/tests/integration/dmesg.bats
similarity index 100%
rename from tests/bats/dmesg.bats
rename to tests/integration/dmesg.bats
diff --git a/tests/bats/fc-cache.bats b/tests/integration/fc-cache.bats
similarity index 100%
rename from tests/bats/fc-cache.bats
rename to tests/integration/fc-cache.bats
diff --git a/tests/bats/fc-list.bats b/tests/integration/fc-list.bats
similarity index 100%
rename from tests/bats/fc-list.bats
rename to tests/integration/fc-list.bats
diff --git a/tests/bats/flatpak.bats b/tests/integration/flatpak.bats
similarity index 100%
rename from tests/bats/flatpak.bats
rename to tests/integration/flatpak.bats
diff --git a/tests/bats/fwupdmgr.bats b/tests/integration/fwupdmgr.bats
similarity index 100%
rename from tests/bats/fwupdmgr.bats
rename to tests/integration/fwupdmgr.bats
diff --git a/tests/bats/gpgconf.bats b/tests/integration/gpgconf.bats
similarity index 100%
rename from tests/bats/gpgconf.bats
rename to tests/integration/gpgconf.bats
diff --git a/tests/bats/groupadd.bats b/tests/integration/groupadd.bats
similarity index 100%
rename from tests/bats/groupadd.bats
rename to tests/integration/groupadd.bats
diff --git a/tests/bats/groups.bats b/tests/integration/groups.bats
similarity index 100%
rename from tests/bats/groups.bats
rename to tests/integration/groups.bats
diff --git a/tests/bats/homectl.bats b/tests/integration/homectl.bats
similarity index 100%
rename from tests/bats/homectl.bats
rename to tests/integration/homectl.bats
diff --git a/tests/bats/hostnamectl.bats b/tests/integration/hostnamectl.bats
similarity index 100%
rename from tests/bats/hostnamectl.bats
rename to tests/integration/hostnamectl.bats
diff --git a/tests/bats/id.bats b/tests/integration/id.bats
similarity index 100%
rename from tests/bats/id.bats
rename to tests/integration/id.bats
diff --git a/tests/bats/ip.bats b/tests/integration/ip.bats
similarity index 100%
rename from tests/bats/ip.bats
rename to tests/integration/ip.bats
diff --git a/tests/bats/lsblk.bats b/tests/integration/lsblk.bats
similarity index 100%
rename from tests/bats/lsblk.bats
rename to tests/integration/lsblk.bats
diff --git a/tests/bats/lscpu.bats b/tests/integration/lscpu.bats
similarity index 100%
rename from tests/bats/lscpu.bats
rename to tests/integration/lscpu.bats
diff --git a/tests/bats/lspci.bats b/tests/integration/lspci.bats
similarity index 100%
rename from tests/bats/lspci.bats
rename to tests/integration/lspci.bats
diff --git a/tests/bats/lsusb.bats b/tests/integration/lsusb.bats
similarity index 100%
rename from tests/bats/lsusb.bats
rename to tests/integration/lsusb.bats
diff --git a/tests/bats/needrestart.bats b/tests/integration/needrestart.bats
similarity index 100%
rename from tests/bats/needrestart.bats
rename to tests/integration/needrestart.bats
diff --git a/tests/bats/ps.bats b/tests/integration/ps.bats
similarity index 100%
rename from tests/bats/ps.bats
rename to tests/integration/ps.bats
diff --git a/tests/bats/pstree.bats b/tests/integration/pstree.bats
similarity index 100%
rename from tests/bats/pstree.bats
rename to tests/integration/pstree.bats
diff --git a/tests/bats/snap.bats b/tests/integration/snap.bats
similarity index 100%
rename from tests/bats/snap.bats
rename to tests/integration/snap.bats
diff --git a/tests/bats/sync.bats b/tests/integration/sync.bats
similarity index 100%
rename from tests/bats/sync.bats
rename to tests/integration/sync.bats
diff --git a/tests/bats/sysctl.bats b/tests/integration/sysctl.bats
similarity index 100%
rename from tests/bats/sysctl.bats
rename to tests/integration/sysctl.bats
diff --git a/tests/bats/systemd-ac-power.bats b/tests/integration/systemd-ac-power.bats
similarity index 100%
rename from tests/bats/systemd-ac-power.bats
rename to tests/integration/systemd-ac-power.bats
diff --git a/tests/bats/systemd-analyze.bats b/tests/integration/systemd-analyze.bats
similarity index 100%
rename from tests/bats/systemd-analyze.bats
rename to tests/integration/systemd-analyze.bats
diff --git a/tests/bats/systemd-cat.bats b/tests/integration/systemd-cat.bats
similarity index 100%
rename from tests/bats/systemd-cat.bats
rename to tests/integration/systemd-cat.bats
diff --git a/tests/bats/systemd-cgls.bats b/tests/integration/systemd-cgls.bats
similarity index 100%
rename from tests/bats/systemd-cgls.bats
rename to tests/integration/systemd-cgls.bats
diff --git a/tests/bats/systemd-detect-virt.bats b/tests/integration/systemd-detect-virt.bats
similarity index 100%
rename from tests/bats/systemd-detect-virt.bats
rename to tests/integration/systemd-detect-virt.bats
diff --git a/tests/bats/systemd-id128.bats b/tests/integration/systemd-id128.bats
similarity index 100%
rename from tests/bats/systemd-id128.bats
rename to tests/integration/systemd-id128.bats
diff --git a/tests/bats/systemd-sysusers.bats b/tests/integration/systemd-sysusers.bats
similarity index 100%
rename from tests/bats/systemd-sysusers.bats
rename to tests/integration/systemd-sysusers.bats
diff --git a/tests/bats/uname.bats b/tests/integration/uname.bats
similarity index 100%
rename from tests/bats/uname.bats
rename to tests/integration/uname.bats
diff --git a/tests/bats/upower.bats b/tests/integration/upower.bats
similarity index 100%
rename from tests/bats/upower.bats
rename to tests/integration/upower.bats
diff --git a/tests/bats/uptime.bats b/tests/integration/uptime.bats
similarity index 100%
rename from tests/bats/uptime.bats
rename to tests/integration/uptime.bats
diff --git a/tests/bats/useradd.bats b/tests/integration/useradd.bats
similarity index 100%
rename from tests/bats/useradd.bats
rename to tests/integration/useradd.bats
diff --git a/tests/bats/userdbctl.bats b/tests/integration/userdbctl.bats
similarity index 100%
rename from tests/bats/userdbctl.bats
rename to tests/integration/userdbctl.bats
diff --git a/tests/bats/users.bats b/tests/integration/users.bats
similarity index 100%
rename from tests/bats/users.bats
rename to tests/integration/users.bats
diff --git a/tests/bats/uuidd.bats b/tests/integration/uuidd.bats
similarity index 100%
rename from tests/bats/uuidd.bats
rename to tests/integration/uuidd.bats
diff --git a/tests/bats/uuidgen.bats b/tests/integration/uuidgen.bats
similarity index 100%
rename from tests/bats/uuidgen.bats
rename to tests/integration/uuidgen.bats
diff --git a/tests/bats/w.bats b/tests/integration/w.bats
similarity index 100%
rename from tests/bats/w.bats
rename to tests/integration/w.bats
diff --git a/tests/bats/who.bats b/tests/integration/who.bats
similarity index 100%
rename from tests/bats/who.bats
rename to tests/integration/who.bats
From 8ba3dbd90f63758a2b89bffd587d7a6897b741e5 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol Date: Sat, 15 Feb 2025 16:09:52 +0100 Subject: [PATCH 074/672] refractor: move more profiles to groups. --- apparmor.d/{profiles-a-f => groups/bluetooth}/blueman | 0 apparmor.d/{profiles-a-f => groups/bluetooth}/blueman-mechanism | 0 .../{profiles-a-f => groups/bluetooth}/blueman-rfcomm-watcher | 2 +- apparmor.d/{profiles-a-f => groups/bluetooth}/bluemoon | 0 apparmor.d/{profiles-a-f => groups/bluetooth}/bluetoothctl | 0 apparmor.d/{profiles-a-f => groups/bluetooth}/bluetoothd | 0 .../{profiles-m-r => groups/bluetooth}/obex-folder-listing | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexautofs | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexctl | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexd | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexfs | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexpush-atd | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexpushd | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mke2fs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mkfs-btrfs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mkfs-fat | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mkntfs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mkswap | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mount | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mount-cifs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mount-nfs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mount-zfs | 0 apparmor.d/{profiles-a-f => groups/firewall}/firewall-applet | 0 apparmor.d/{profiles-a-f => groups/firewall}/firewall-config | 0 apparmor.d/{profiles-a-f => groups/firewall}/firewalld | 0 apparmor.d/{profiles-m-r => groups/firewall}/nft | 0 apparmor.d/{profiles-s-z => groups/firewall}/ufw | 0 apparmor.d/{profiles-a-f => groups/freedesktop}/boltd | 0 apparmor.d/{profiles-s-z => groups/freedesktop}/wireplumber | 0 apparmor.d/{profiles-g-l => groups/usb}/lsusb | 2 +- apparmor.d/{profiles-s-z => groups/usb}/usb-devices | 1 + 
apparmor.d/{profiles-s-z => groups/usb}/usbguard | 0 apparmor.d/{profiles-s-z => groups/usb}/usbguard-applet-qt | 0 apparmor.d/{profiles-s-z => groups/usb}/usbguard-daemon | 0 apparmor.d/{profiles-s-z => groups/usb}/usbguard-dbus | 0 apparmor.d/{profiles-s-z => groups/usb}/usbguard-notifier | 0 apparmor.d/{profiles-a-f => groups/utils}/dmesg | 0 apparmor.d/{profiles-s-z => groups/utils}/whereis | 0 38 files changed, 3 insertions(+), 2 deletions(-) rename apparmor.d/{profiles-a-f => groups/bluetooth}/blueman (100%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/blueman-mechanism (100%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/blueman-rfcomm-watcher (86%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/bluemoon (100%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/bluetoothctl (100%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/bluetoothd (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obex-folder-listing (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexautofs (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexctl (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexd (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexfs (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexpush-atd (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexpushd (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mke2fs (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mkfs-btrfs (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mkfs-fat (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mkntfs (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mkswap (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mount (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mount-cifs (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mount-nfs (100%) rename apparmor.d/{profiles-m-r => 
groups/filesystem}/mount-zfs (100%) rename apparmor.d/{profiles-a-f => groups/firewall}/firewall-applet (100%) rename apparmor.d/{profiles-a-f => groups/firewall}/firewall-config (100%) rename apparmor.d/{profiles-a-f => groups/firewall}/firewalld (100%) rename apparmor.d/{profiles-m-r => groups/firewall}/nft (100%) rename apparmor.d/{profiles-s-z => groups/firewall}/ufw (100%) rename apparmor.d/{profiles-a-f => groups/freedesktop}/boltd (100%) rename apparmor.d/{profiles-s-z => groups/freedesktop}/wireplumber (100%) rename apparmor.d/{profiles-g-l => groups/usb}/lsusb (92%) rename apparmor.d/{profiles-s-z => groups/usb}/usb-devices (96%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard (100%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard-applet-qt (100%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard-daemon (100%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard-dbus (100%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard-notifier (100%) rename apparmor.d/{profiles-a-f => groups/utils}/dmesg (100%) rename apparmor.d/{profiles-s-z => groups/utils}/whereis (100%) diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/groups/bluetooth/blueman similarity index 100% rename from apparmor.d/profiles-a-f/blueman rename to apparmor.d/groups/bluetooth/blueman diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism similarity index 100% rename from apparmor.d/profiles-a-f/blueman-mechanism rename to apparmor.d/groups/bluetooth/blueman-mechanism diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher similarity index 86% rename from apparmor.d/profiles-a-f/blueman-rfcomm-watcher rename to apparmor.d/groups/bluetooth/blueman-rfcomm-watcher index 516f14bdd..639e475ac 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{lib}/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/groups/bluetooth/bluemoon similarity index 100% rename from apparmor.d/profiles-a-f/bluemoon rename to apparmor.d/groups/bluetooth/bluemoon diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl similarity index 100% rename from apparmor.d/profiles-a-f/bluetoothctl rename to apparmor.d/groups/bluetooth/bluetoothctl diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd similarity index 100% rename from apparmor.d/profiles-a-f/bluetoothd rename to apparmor.d/groups/bluetooth/bluetoothd diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/groups/bluetooth/obex-folder-listing similarity index 100% rename from apparmor.d/profiles-m-r/obex-folder-listing rename to apparmor.d/groups/bluetooth/obex-folder-listing diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/groups/bluetooth/obexautofs similarity index 100% rename from apparmor.d/profiles-m-r/obexautofs rename to apparmor.d/groups/bluetooth/obexautofs diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/groups/bluetooth/obexctl similarity index 100% rename from apparmor.d/profiles-m-r/obexctl rename to apparmor.d/groups/bluetooth/obexctl diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/groups/bluetooth/obexd similarity index 100% rename from apparmor.d/profiles-m-r/obexd rename to apparmor.d/groups/bluetooth/obexd diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/groups/bluetooth/obexfs similarity index 100% rename from apparmor.d/profiles-m-r/obexfs rename to apparmor.d/groups/bluetooth/obexfs 
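Review bot: The new attachment list `@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-rfcomm-watcher` names the blueman-mechanism binary as an entrypoint of the blueman-rfcomm-watcher profile, so that path is now claimed by two profiles and which one a freshly executed blueman-mechanism lands in becomes ambiguous, most likely the narrower watcher rule set. The first element should stay `@{lib}/blueman-rfcomm-watcher`, which is what the follow-up commit 5aab9da in this series restores. Mixing an attachment change into a "move more profiles to groups" rename commit is also what let it slip: the 86% similarity gives no hint that the profile's semantics changed. The rest of the profile body is outside the hunk.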
diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/groups/bluetooth/obexpush-atd similarity index 100% rename from apparmor.d/profiles-m-r/obexpush-atd rename to apparmor.d/groups/bluetooth/obexpush-atd diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/groups/bluetooth/obexpushd similarity index 100% rename from apparmor.d/profiles-m-r/obexpushd rename to apparmor.d/groups/bluetooth/obexpushd diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/groups/filesystem/mke2fs similarity index 100% rename from apparmor.d/profiles-m-r/mke2fs rename to apparmor.d/groups/filesystem/mke2fs diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs similarity index 100% rename from apparmor.d/profiles-m-r/mkfs-btrfs rename to apparmor.d/groups/filesystem/mkfs-btrfs diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/groups/filesystem/mkfs-fat similarity index 100% rename from apparmor.d/profiles-m-r/mkfs-fat rename to apparmor.d/groups/filesystem/mkfs-fat diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/groups/filesystem/mkntfs similarity index 100% rename from apparmor.d/profiles-m-r/mkntfs rename to apparmor.d/groups/filesystem/mkntfs diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/groups/filesystem/mkswap similarity index 100% rename from apparmor.d/profiles-m-r/mkswap rename to apparmor.d/groups/filesystem/mkswap diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/groups/filesystem/mount similarity index 100% rename from apparmor.d/profiles-m-r/mount rename to apparmor.d/groups/filesystem/mount diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/groups/filesystem/mount-cifs similarity index 100% rename from apparmor.d/profiles-m-r/mount-cifs rename to apparmor.d/groups/filesystem/mount-cifs 
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/groups/filesystem/mount-nfs similarity index 100% rename from apparmor.d/profiles-m-r/mount-nfs rename to apparmor.d/groups/filesystem/mount-nfs diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/groups/filesystem/mount-zfs similarity index 100% rename from apparmor.d/profiles-m-r/mount-zfs rename to apparmor.d/groups/filesystem/mount-zfs diff --git a/apparmor.d/profiles-a-f/firewall-applet b/apparmor.d/groups/firewall/firewall-applet similarity index 100% rename from apparmor.d/profiles-a-f/firewall-applet rename to apparmor.d/groups/firewall/firewall-applet diff --git a/apparmor.d/profiles-a-f/firewall-config b/apparmor.d/groups/firewall/firewall-config similarity index 100% rename from apparmor.d/profiles-a-f/firewall-config rename to apparmor.d/groups/firewall/firewall-config diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/groups/firewall/firewalld similarity index 100% rename from apparmor.d/profiles-a-f/firewalld rename to apparmor.d/groups/firewall/firewalld diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/groups/firewall/nft similarity index 100% rename from apparmor.d/profiles-m-r/nft rename to apparmor.d/groups/firewall/nft diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/groups/firewall/ufw similarity index 100% rename from apparmor.d/profiles-s-z/ufw rename to apparmor.d/groups/firewall/ufw diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/groups/freedesktop/boltd similarity index 100% rename from apparmor.d/profiles-a-f/boltd rename to apparmor.d/groups/freedesktop/boltd diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/groups/freedesktop/wireplumber similarity index 100% rename from apparmor.d/profiles-s-z/wireplumber rename to apparmor.d/groups/freedesktop/wireplumber 
diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/groups/usb/lsusb similarity index 92% rename from apparmor.d/profiles-g-l/lsusb rename to apparmor.d/groups/usb/lsusb index 40e902a87..f824343d6 100644 --- a/apparmor.d/profiles-g-l/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/lsusb +@{exec_path} = @{bin}/lsusb @{bin}/lsusb.py profile lsusb @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/groups/usb/usb-devices similarity index 96% rename from apparmor.d/profiles-s-z/usb-devices rename to apparmor.d/groups/usb/usb-devices index c67b78faf..59ff12feb 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/groups/usb/usb-devices @@ -22,6 +22,7 @@ profile usb-devices @{exec_path} { @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/sed rix, @{bin}/cut rix, @{bin}/find rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/groups/usb/usbguard similarity index 100% rename from apparmor.d/profiles-s-z/usbguard rename to apparmor.d/groups/usb/usbguard diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-applet-qt rename to apparmor.d/groups/usb/usbguard-applet-qt diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/groups/usb/usbguard-daemon similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-daemon rename to apparmor.d/groups/usb/usbguard-daemon diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/groups/usb/usbguard-dbus similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-dbus rename to apparmor.d/groups/usb/usbguard-dbus diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/groups/usb/usbguard-notifier similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-notifier rename to apparmor.d/groups/usb/usbguard-notifier 
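Review bot: The added attachment `@{bin}/lsusb.py` makes the lsusb profile confine a Python script in addition to the C binary, but the hunk adds no interpreter rule, so the script can only start if the profile body (outside this hunk) already grants `@{python_path} r,` and the Python library paths this series standardizes on in PATCH 077. Please confirm that, or add the rules in this commit rather than relying on the later bulk change. As with the blueman change, a new entrypoint does not belong in a rename-only refactor where a 92% similarity is the only signal that anything moved.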
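Review bot: In usb-devices the new `@{bin}/sed rix,` is inserted between `@{bin}/cat rix,` and `@{bin}/cut rix,`, breaking the alphabetical order the surrounding helper list keeps (basename, cat, cut, find, readlink). Move it after `@{bin}/readlink rix,` (or to its sorted position if the list continues past the hunk) so the list stays merge-friendly. Like the lsusb hunk above, this is a behaviour change hidden inside a "move to groups" commit; a one-line separate commit would have made the 96% similarity self-explanatory.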
diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/groups/utils/dmesg similarity index 100% rename from apparmor.d/profiles-a-f/dmesg rename to apparmor.d/groups/utils/dmesg diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/groups/utils/whereis similarity index 100% rename from apparmor.d/profiles-s-z/whereis rename to apparmor.d/groups/utils/whereis From 5aab9da0308f209c27fc98ca5486c9cd2ee03e49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 15 Feb 2025 16:38:07 +0100 Subject: [PATCH 075/672] fix(profile): blueman-rfcomm-watcher entrypoint. --- apparmor.d/groups/bluetooth/blueman-rfcomm-watcher | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher index 639e475ac..2d52a6e01 100644 --- a/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher +++ b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-rfcomm-watcher @{lib}/blueman/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include From 5870e1ee4026b28b9ffe0f232b1e1b900857e0bd Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 17 Feb 2025 21:04:28 +0100 Subject: [PATCH 076/672] refractor: move more profiles to groups. --- apparmor.d/{profiles-a-f => groups/cap}/filecap | 0 apparmor.d/{profiles-m-r => groups/cap}/netcap | 0 apparmor.d/{profiles-m-r => groups/cap}/pscap | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-convert | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-find-root | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-image | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-map-logical | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-select-super | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfstune | 0 apparmor.d/{profiles-a-f => groups/filesystem}/fsck.btrfs | 0 apparmor.d/{profiles-a-f => groups/filesystem}/fsck.fat | 0 apparmor.d/{profiles-g-l => groups/filesystem}/lvm | 0 apparmor.d/{profiles-g-l => groups/filesystem}/lvmconfig | 0 apparmor.d/{profiles-g-l => groups/filesystem}/lvmdump | 0 apparmor.d/{profiles-g-l => groups/filesystem}/lvmpolld | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mtools | 0 apparmor.d/{profiles-m-r => groups/filesystem}/nfsdcld | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfs-3g | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfs-3g-probe | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfscat | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsclone | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfscluster | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfscmp | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfscp | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsdecrypt | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsfallocate | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsfix | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsinfo | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfslabel | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsls | 0 
apparmor.d/{profiles-m-r => groups/filesystem}/ntfsmove | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsrecover | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsresize | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfssecaudit | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfstruncate | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsundelete | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsusermap | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfswipe | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udiskie | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-info | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-mount | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-umount | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udisksctl | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udisksd | 0 apparmor.d/{profiles-s-z => groups/filesystem}/umount.udisks2 | 0 apparmor.d/{profiles-s-z => groups/utils}/swaplabel | 0 apparmor.d/{profiles-s-z => groups/utils}/umount | 0 48 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/{profiles-a-f => groups/cap}/filecap (100%) rename apparmor.d/{profiles-m-r => groups/cap}/netcap (100%) rename apparmor.d/{profiles-m-r => groups/cap}/pscap (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-convert (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-find-root (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-image (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-map-logical (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-select-super (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfstune (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/fsck.btrfs (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/fsck.fat (100%) rename apparmor.d/{profiles-g-l => 
groups/filesystem}/lvm (100%) rename apparmor.d/{profiles-g-l => groups/filesystem}/lvmconfig (100%) rename apparmor.d/{profiles-g-l => groups/filesystem}/lvmdump (100%) rename apparmor.d/{profiles-g-l => groups/filesystem}/lvmpolld (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mtools (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/nfsdcld (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfs-3g (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfs-3g-probe (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfscat (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsclone (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfscluster (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfscmp (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfscp (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsdecrypt (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsfallocate (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsfix (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsinfo (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfslabel (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsls (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsmove (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsrecover (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsresize (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfssecaudit (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfstruncate (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsundelete (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsusermap (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfswipe (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udiskie (100%) rename apparmor.d/{profiles-s-z => 
groups/filesystem}/udiskie-info (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-mount (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-umount (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udisksctl (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udisksd (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/umount.udisks2 (100%) rename apparmor.d/{profiles-s-z => groups/utils}/swaplabel (100%) rename apparmor.d/{profiles-s-z => groups/utils}/umount (100%) diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/groups/cap/filecap similarity index 100% rename from apparmor.d/profiles-a-f/filecap rename to apparmor.d/groups/cap/filecap diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/groups/cap/netcap similarity index 100% rename from apparmor.d/profiles-m-r/netcap rename to apparmor.d/groups/cap/netcap diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/groups/cap/pscap similarity index 100% rename from apparmor.d/profiles-m-r/pscap rename to apparmor.d/groups/cap/pscap diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/groups/filesystem/btrfs similarity index 100% rename from apparmor.d/profiles-a-f/btrfs rename to apparmor.d/groups/filesystem/btrfs diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/groups/filesystem/btrfs-convert similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-convert rename to apparmor.d/groups/filesystem/btrfs-convert diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-find-root rename to apparmor.d/groups/filesystem/btrfs-find-root diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/groups/filesystem/btrfs-image similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-image rename to apparmor.d/groups/filesystem/btrfs-image 
diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/groups/filesystem/btrfs-map-logical similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-map-logical rename to apparmor.d/groups/filesystem/btrfs-map-logical diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/groups/filesystem/btrfs-select-super similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-select-super rename to apparmor.d/groups/filesystem/btrfs-select-super diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/groups/filesystem/btrfstune similarity index 100% rename from apparmor.d/profiles-a-f/btrfstune rename to apparmor.d/groups/filesystem/btrfstune diff --git a/apparmor.d/profiles-a-f/fsck.btrfs b/apparmor.d/groups/filesystem/fsck.btrfs similarity index 100% rename from apparmor.d/profiles-a-f/fsck.btrfs rename to apparmor.d/groups/filesystem/fsck.btrfs diff --git a/apparmor.d/profiles-a-f/fsck.fat b/apparmor.d/groups/filesystem/fsck.fat similarity index 100% rename from apparmor.d/profiles-a-f/fsck.fat rename to apparmor.d/groups/filesystem/fsck.fat diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/groups/filesystem/lvm similarity index 100% rename from apparmor.d/profiles-g-l/lvm rename to apparmor.d/groups/filesystem/lvm diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/groups/filesystem/lvmconfig similarity index 100% rename from apparmor.d/profiles-g-l/lvmconfig rename to apparmor.d/groups/filesystem/lvmconfig diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/groups/filesystem/lvmdump similarity index 100% rename from apparmor.d/profiles-g-l/lvmdump rename to apparmor.d/groups/filesystem/lvmdump diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld similarity index 100% rename from apparmor.d/profiles-g-l/lvmpolld rename to apparmor.d/groups/filesystem/lvmpolld 
diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/groups/filesystem/mtools similarity index 100% rename from apparmor.d/profiles-m-r/mtools rename to apparmor.d/groups/filesystem/mtools diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/groups/filesystem/nfsdcld similarity index 100% rename from apparmor.d/profiles-m-r/nfsdcld rename to apparmor.d/groups/filesystem/nfsdcld diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g similarity index 100% rename from apparmor.d/profiles-m-r/ntfs-3g rename to apparmor.d/groups/filesystem/ntfs-3g diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/groups/filesystem/ntfs-3g-probe similarity index 100% rename from apparmor.d/profiles-m-r/ntfs-3g-probe rename to apparmor.d/groups/filesystem/ntfs-3g-probe diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/groups/filesystem/ntfscat similarity index 100% rename from apparmor.d/profiles-m-r/ntfscat rename to apparmor.d/groups/filesystem/ntfscat diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/groups/filesystem/ntfsclone similarity index 100% rename from apparmor.d/profiles-m-r/ntfsclone rename to apparmor.d/groups/filesystem/ntfsclone diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/groups/filesystem/ntfscluster similarity index 100% rename from apparmor.d/profiles-m-r/ntfscluster rename to apparmor.d/groups/filesystem/ntfscluster diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/groups/filesystem/ntfscmp similarity index 100% rename from apparmor.d/profiles-m-r/ntfscmp rename to apparmor.d/groups/filesystem/ntfscmp diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/groups/filesystem/ntfscp similarity index 100% rename from apparmor.d/profiles-m-r/ntfscp rename to apparmor.d/groups/filesystem/ntfscp 
diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/groups/filesystem/ntfsdecrypt similarity index 100% rename from apparmor.d/profiles-m-r/ntfsdecrypt rename to apparmor.d/groups/filesystem/ntfsdecrypt diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/groups/filesystem/ntfsfallocate similarity index 100% rename from apparmor.d/profiles-m-r/ntfsfallocate rename to apparmor.d/groups/filesystem/ntfsfallocate diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/groups/filesystem/ntfsfix similarity index 100% rename from apparmor.d/profiles-m-r/ntfsfix rename to apparmor.d/groups/filesystem/ntfsfix diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/groups/filesystem/ntfsinfo similarity index 100% rename from apparmor.d/profiles-m-r/ntfsinfo rename to apparmor.d/groups/filesystem/ntfsinfo diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/groups/filesystem/ntfslabel similarity index 100% rename from apparmor.d/profiles-m-r/ntfslabel rename to apparmor.d/groups/filesystem/ntfslabel diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/groups/filesystem/ntfsls similarity index 100% rename from apparmor.d/profiles-m-r/ntfsls rename to apparmor.d/groups/filesystem/ntfsls diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/groups/filesystem/ntfsmove similarity index 100% rename from apparmor.d/profiles-m-r/ntfsmove rename to apparmor.d/groups/filesystem/ntfsmove diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/groups/filesystem/ntfsrecover similarity index 100% rename from apparmor.d/profiles-m-r/ntfsrecover rename to apparmor.d/groups/filesystem/ntfsrecover diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/groups/filesystem/ntfsresize similarity index 100% rename from apparmor.d/profiles-m-r/ntfsresize rename to apparmor.d/groups/filesystem/ntfsresize 
diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/groups/filesystem/ntfssecaudit similarity index 100% rename from apparmor.d/profiles-m-r/ntfssecaudit rename to apparmor.d/groups/filesystem/ntfssecaudit diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/groups/filesystem/ntfstruncate similarity index 100% rename from apparmor.d/profiles-m-r/ntfstruncate rename to apparmor.d/groups/filesystem/ntfstruncate diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/groups/filesystem/ntfsundelete similarity index 100% rename from apparmor.d/profiles-m-r/ntfsundelete rename to apparmor.d/groups/filesystem/ntfsundelete diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/groups/filesystem/ntfsusermap similarity index 100% rename from apparmor.d/profiles-m-r/ntfsusermap rename to apparmor.d/groups/filesystem/ntfsusermap diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/groups/filesystem/ntfswipe similarity index 100% rename from apparmor.d/profiles-m-r/ntfswipe rename to apparmor.d/groups/filesystem/ntfswipe diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/groups/filesystem/udiskie similarity index 100% rename from apparmor.d/profiles-s-z/udiskie rename to apparmor.d/groups/filesystem/udiskie diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info similarity index 100% rename from apparmor.d/profiles-s-z/udiskie-info rename to apparmor.d/groups/filesystem/udiskie-info diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount similarity index 100% rename from apparmor.d/profiles-s-z/udiskie-mount rename to apparmor.d/groups/filesystem/udiskie-mount diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount similarity index 100% rename from apparmor.d/profiles-s-z/udiskie-umount rename to apparmor.d/groups/filesystem/udiskie-umount 
diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/groups/filesystem/udisksctl similarity index 100% rename from apparmor.d/profiles-s-z/udisksctl rename to apparmor.d/groups/filesystem/udisksctl diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/groups/filesystem/udisksd similarity index 100% rename from apparmor.d/profiles-s-z/udisksd rename to apparmor.d/groups/filesystem/udisksd diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/groups/filesystem/umount.udisks2 similarity index 100% rename from apparmor.d/profiles-s-z/umount.udisks2 rename to apparmor.d/groups/filesystem/umount.udisks2 diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/groups/utils/swaplabel similarity index 100% rename from apparmor.d/profiles-s-z/swaplabel rename to apparmor.d/groups/utils/swaplabel diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/groups/utils/umount similarity index 100% rename from apparmor.d/profiles-s-z/umount rename to apparmor.d/groups/utils/umount From af85db9148b17bb37b4d73454e78d4efec4c2db9 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 17 Feb 2025 21:28:40 +0100 Subject: [PATCH 077/672] refractor: use @{python_path} in all profiles. --- apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/command-not-found | 4 ++-- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/debtags | 2 +- apparmor.d/groups/apt/querybts | 2 +- apparmor.d/groups/apt/reportbug | 4 ++-- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/apt/update-apt-xapian-index | 2 +- apparmor.d/groups/bus/ibus-engine-table | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/filesystem/udiskie | 2 +- apparmor.d/groups/filesystem/udiskie-info | 2 +- apparmor.d/groups/filesystem/udiskie-mount | 2 +- apparmor.d/groups/filesystem/udiskie-umount | 2 +- apparmor.d/groups/firewall/firewall-applet | 2 +- apparmor.d/groups/firewall/firewalld | 2 +- apparmor.d/groups/firewall/ufw | 2 +- apparmor.d/groups/gnome/gnome-browser-connector-host | 4 ++-- apparmor.d/groups/gnome/gnome-music | 4 ++-- apparmor.d/groups/gnome/gnome-tweaks | 4 ++-- apparmor.d/groups/kde/kconf_update | 2 +- apparmor.d/groups/kde/kded | 2 +- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/pacman/pacman-hook-code | 2 +- apparmor.d/groups/steam/steam-game-proton | 2 +- apparmor.d/groups/ubuntu/apport-checkreports | 2 +- apparmor.d/groups/ubuntu/check-new-release-gtk | 4 ++-- apparmor.d/groups/ubuntu/list-oem-metapackages | 2 +- apparmor.d/groups/ubuntu/software-properties-dbus | 2 +- apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/update-manager | 6 +++--- apparmor.d/groups/ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/whonix/sdwdate-gui | 2 +- apparmor.d/profiles-a-f/alacarte | 4 ++-- apparmor.d/profiles-a-f/arandr | 2 +- apparmor.d/profiles-a-f/borg | 2 +- apparmor.d/profiles-a-f/convertall | 2 +- apparmor.d/profiles-a-f/execute-dcut | 2 +- 
apparmor.d/profiles-a-f/execute-dput | 2 +- apparmor.d/profiles-a-f/fail2ban-client | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 2 +- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/ganyremote | 2 +- apparmor.d/profiles-g-l/gpo | 2 +- apparmor.d/profiles-g-l/gpodder | 2 +- apparmor.d/profiles-g-l/gpodder-migrate2tres | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hypnotix | 2 +- apparmor.d/profiles-g-l/install-printerdriver | 2 +- apparmor.d/profiles-g-l/iotop | 2 +- apparmor.d/profiles-g-l/kconfig-hardened-check | 2 +- apparmor.d/profiles-m-r/metadata-cleaner | 2 +- apparmor.d/profiles-m-r/mpsyt | 2 +- apparmor.d/profiles-m-r/needrestart | 4 ++-- apparmor.d/profiles-m-r/obamenu | 2 +- apparmor.d/profiles-m-r/openbox | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-m-r/pass-import | 2 +- apparmor.d/profiles-m-r/ps-mem | 2 +- apparmor.d/profiles-m-r/qbittorrent | 6 +++--- apparmor.d/profiles-m-r/repo | 2 +- apparmor.d/profiles-m-r/rustdesk | 6 +++--- apparmor.d/profiles-s-z/speedtest | 2 +- apparmor.d/profiles-s-z/system-config-printer | 2 +- apparmor.d/profiles-s-z/system-config-printer-applet | 2 +- apparmor.d/profiles-s-z/terminator | 2 +- apparmor.d/profiles-s-z/update-command-not-found | 2 +- apparmor.d/profiles-s-z/vcsi | 2 +- apparmor.d/profiles-s-z/vidcutter | 2 +- apparmor.d/profiles-s-z/virt-manager | 4 ++-- apparmor.d/profiles-s-z/wsdd | 2 +- apparmor.d/profiles-s-z/youtube-dl | 2 +- apparmor.d/profiles-s-z/yt-dlp | 2 +- apparmor.d/profiles-s-z/ytdl | 2 +- apparmor.d/profiles-s-z/zenmap | 2 +- 77 files changed, 92 insertions(+), 92 deletions(-) diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 89cf63067..dbbba9d4d 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges 
@@ -17,7 +17,7 @@ profile apt-listchanges @{exec_path} { #capability sys_tty_config, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index e6c0fdee6..1ba7b5cb3 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -18,12 +18,12 @@ profile command-not-found @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/lsb_release rPx -> lsb_release, @{bin}/snap rPUx, - @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, @{lib}/ r, diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index ee29b4923..c9448c7fb 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -21,7 +21,7 @@ profile debsecan @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 8bda4efff..3e3fd2ab9 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -17,7 +17,7 @@ profile debtags @{exec_path} { #capability sys_tty_config, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 5c46246a2..85bd2e6c3 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -26,7 +26,7 @@ profile querybts @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index 8681e46d8..ae2e64e5d 100644 --- a/apparmor.d/groups/apt/reportbug 
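Review bot: The new `@{python_path} r,` line in apt-listchanges, and the `rix`/`ix` forms of the same rule in cupsd, ufw, nm-dispatcher, kded, unattended-upgrade and the other profiles of this patch, make the set of interpreter binaries a rule matches depend on a tunable whose definition is not part of this patch, so the width of the change cannot be reviewed from the diff alone. If `@{python_path}` expands to more than the old `@{bin}/python3.@{int}` (unversioned `python3`/`python` names, or locations outside `@{bin}`), every `ix`/`rix` rule now inherits the caller's confinement for a wider set of executables than before, which is the kind of widening a profile refactor should state explicitly. The commit message should name the tunables file that defines `@{python_path}` and `@{python_name}` and give their expansion, e.g. `refactor: use @{python_path} (= <expansion here>) in all profiles`.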
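Review bot: The `@{lib}/@{python_name}/dist-packages/CommandNotFound/**/__pycache__/...` rule in command-not-found replaces an unversioned `python3/dist-packages` path, while other hunks of this patch (gnome-browser-connector-host, gnome-music, gnome-tweaks, update-notifier, alacarte, virt-manager, needrestart) map the versioned `python3.@{int}/...` form onto the very same `@{python_name}`. Both spellings keep matching only if `@{python_name}` expands to both `python3` and `python3.@{int}`; on Debian-family systems the system `dist-packages` tree lives under the unversioned `/usr/lib/python3/`, so with a versioned-only expansion the rules in command-not-found, reportbug, check-new-release-gtk, list-oem-metapackages, update-manager and sdwdate-gui silently lose their `__pycache__` access and the `deny` silencers in gajim and openbox stop suppressing log noise. Please confirm the expansion in the tunables file, and if it is versioned only, either add `python3` to it or spell the Debian paths as `@{lib}/python3{,.@{int}}/dist-packages/...` so the match is independent of the variable.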
+++ b/apparmor.d/groups/apt/reportbug @@ -28,7 +28,7 @@ profile reportbug @{exec_path} { @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ldconfig rix, @{bin}/selinuxenabled rix, @@ -57,7 +57,7 @@ profile reportbug @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{open_path} rPx -> child-open, - @{lib}/python3/dist-packages/pylocales/locales.db rk, + @{lib}/@{python_name}/dist-packages/pylocales/locales.db rk, /usr/share/bug/*/{control,presubj} r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index ead68957a..dbbfb413e 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -43,7 +43,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/ischroot rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/test rix, @{bin}/touch rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 15af33d88..5da82090f 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -14,7 +14,7 @@ profile update-apt-xapian-index @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index 5182b0dca..abe0d22c0 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table @@ -14,7 +14,7 @@ profile ibus-engine-table @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, /usr/share/ibus-table/engine/{,**} r, /usr/share/ibus-table/tables/ r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index f65fc8349..697a307f9 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd 
@@ -57,7 +57,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/smbspool rPx, diff --git a/apparmor.d/groups/filesystem/udiskie b/apparmor.d/groups/filesystem/udiskie index 014955032..a6a2e2ad3 100644 --- a/apparmor.d/groups/filesystem/udiskie +++ b/apparmor.d/groups/filesystem/udiskie @@ -23,7 +23,7 @@ profile udiskie @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/filesystem/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info index 855c5b54c..0b39fd3dc 100644 --- a/apparmor.d/groups/filesystem/udiskie-info +++ b/apparmor.d/groups/filesystem/udiskie-info @@ -13,7 +13,7 @@ profile udiskie-info @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/bin/ r, diff --git a/apparmor.d/groups/filesystem/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount index a57a6091f..0513a8c35 100644 --- a/apparmor.d/groups/filesystem/udiskie-mount +++ b/apparmor.d/groups/filesystem/udiskie-mount @@ -13,7 +13,7 @@ profile udiskie-mount @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/bin/ r, diff --git a/apparmor.d/groups/filesystem/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount index 8fe075f94..cf147b875 100644 --- a/apparmor.d/groups/filesystem/udiskie-umount +++ b/apparmor.d/groups/filesystem/udiskie-umount @@ -13,7 +13,7 @@ profile udiskie-umount @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/bin/ r, diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index 17fca1462..280bd9d04 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet 
@@ -17,7 +17,7 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 142b25cde..123dff77f 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -42,7 +42,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/xtables-legacy-multi rix, @{bin}/xtables-nft-multi rix, - /usr/local/lib/python3.@{int}/dist-packages/ r, + /usr/local/lib/@{python_name}/dist-packages/ r, /usr/share/iproute2/{,**} r, /usr/share/libalternatives/{,**} r, diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index b7e5f0c79..3b5a1dcc1 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -32,7 +32,7 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/cat ix, @{bin}/env r, - @{bin}/python3.@{int} ix, + @{python_path} ix, @{bin}/sysctl ix, @{bin}/xtables-legacy-multi ix, @{bin}/xtables-nft-multi ix, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index d31811152..95af09ed6 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -15,9 +15,9 @@ profile gnome-browser-connector-host @{exec_path} { @{exec_path} mr, @{bin}/env rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, + @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 82be211fc..7874e95ff 100644 --- a/apparmor.d/groups/gnome/gnome-music 
+++ b/apparmor.d/groups/gnome/gnome-music @@ -33,8 +33,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, - @{bin}/python3.@{int} rix, - @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/gnomemusic/__pycache__/{,**} rw, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index d104e75c6..fa94d56e8 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -21,11 +21,11 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, @{bin}/ps rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{open_path} rPx -> child-open-help, - @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, + @{lib}/@{python_name}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, /etc/xdg/autostart/{,**} r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index e152325ed..49da5e3ca 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -25,7 +25,7 @@ profile kconf_update @{exec_path} { @{sh_path} rix, @{bin}/{,p}grep rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/qtpaths rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 0ff08d02f..9efaec4fc 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -54,7 +54,7 @@ profile kded @{exec_path} { @{bin}/kcminit rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index ee2e5274b..e6150c509 100644 --- a/apparmor.d/groups/network/nm-dispatcher 
+++ b/apparmor.d/groups/network/nm-dispatcher @@ -45,7 +45,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 3a6bbd7fe..2496d7a9b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -16,7 +16,7 @@ profile pacman-hook-code @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{lib}/code/product.json rw, diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton index ab82925a5..3c4695e4f 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -41,7 +41,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gzip rix, @{bin}/ldconfig rix, @{bin}/localedef rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/readlink rix, @{bin}/steam-runtime-launcher-interface-@{int} rix, @{bin}/steam-runtime-system-info rix, diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 6e1bb05f2..5e39988fd 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -14,7 +14,7 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index b2fe83f6b..1ff6df2ae 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk 
@@ -32,8 +32,8 @@ profile check-new-release-gtk @{exec_path} { @{bin}/ischroot rix, @{bin}/lsb_release rPx -> lsb_release, - @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, - @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 0023b48cb..75e4279f2 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -17,7 +17,7 @@ profile list-oem-metapackages @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rix, - @{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, /etc/machine-id r, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 93fd9ffcc..c4c795649 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -27,7 +27,7 @@ profile software-properties-dbus @{exec_path} { @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys @{bin}/lsb_release rPx -> lsb_release, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 4715f570c..e2bb2dc98 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -28,7 +28,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 119ac517c..44e0cc403 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/python3/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index b0101504c..776cc9bf8 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -18,7 +18,7 @@ profile update-motd-updates-available @{exec_path} { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 4ffaf60e0..d540ed0e8 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
@@ -49,7 +49,7 @@ profile update-notifier @{exec_path} { /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, - @{lib}/python3.@{int}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 6ca662859..d7b1b45e0 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -39,7 +39,7 @@ profile cockpit-bridge @{exec_path} { @{bin}/date ix, @{bin}/find ix, @{bin}/ip ix, - @{bin}/python3.@{int} ix, + @{python_path} ix, @{bin}/test ix, @{bin}/file ix, diff --git a/apparmor.d/groups/whonix/sdwdate-gui b/apparmor.d/groups/whonix/sdwdate-gui index 23c0a6df4..84a6fb379 100644 --- a/apparmor.d/groups/whonix/sdwdate-gui +++ b/apparmor.d/groups/whonix/sdwdate-gui @@ -28,7 +28,7 @@ profile sdwdate-gui @{exec_path} { @{lib}/sdwdate-gui/log-viewer rix, @{lib}/helper-scripts/* rix, - @{lib}/python3/dist-packages/sdwdate_gui/__pycache__/ rw, + @{lib}/@{python_name}/dist-packages/sdwdate_gui/__pycache__/ rw, @{lib}/sdwdate-gui/ r, diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 7ebb3b629..eed67619d 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -14,9 +14,9 @@ profile alacarte @{exec_path} { include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, + @{lib}/@{python_name}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, /usr/share/alacarte/{,**} r, /usr/share/desktop-directories/{,**} r, diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index e260321e6..77bf1bf96 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr 
@@ -19,7 +19,7 @@ profile arandr @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/xrandr rPx, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index dbf6c228d..a53c135ca 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -27,7 +27,7 @@ profile borg @{exec_path} { @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 8c38f85a3..52e80cc54 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall @@ -20,7 +20,7 @@ profile convertall @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, /usr/share/convertall/{,**} r, /usr/share/doc/convertall/{,*} r, diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 41d2324f6..817ba6215 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -13,7 +13,7 @@ profile execute-dcut @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, include if exists } diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 0decde05c..7161c5900 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -15,7 +15,7 @@ profile execute-dput @{exec_path} flags=(complain) { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 7fae1218c..d432bee94 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client 
@@ -15,7 +15,7 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index e858c2d8e..2506b1db9 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -24,7 +24,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{bin}/iptables rix, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 1de493892..e06c49b9d 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -86,7 +86,7 @@ profile gajim @{exec_path} { # Silencer deny /usr/share/gajim/** w, - deny /usr/lib/python3/dist-packages/** w, + deny @{lib}/@{python_name}/dist-packages/** w, profile ccache { include diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index e9f4d4e30..79f8c2fc7 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -22,7 +22,7 @@ profile ganyremote @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 4088f51fb..562980d35 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -22,7 +22,7 @@ profile gpo @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index ec1adabe4..7ccf428c3 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder 
@@ -24,7 +24,7 @@ profile gpodder @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index 11896a26c..55033d107 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres @@ -13,7 +13,7 @@ profile gpodder-migrate2tres @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index f91887297..839e0d98a 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -38,7 +38,7 @@ profile hardinfo @{exec_path} { @{bin}/locale rix, @{bin}/make rix, @{bin}/perl rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/route rix, @{bin}/ruby[0-9].@{int} rix, @{bin}/strace rix, diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index be18726a0..cda55bc59 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -31,7 +31,7 @@ profile hypnotix @{exec_path} { network netlink raw, @{exec_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/ldconfig rix, diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index 8ea351857..facd2fa3b 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver @@ -16,7 +16,7 @@ profile install-printerdriver @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index d85b0244f..8ea787ea6 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop 
@@ -21,7 +21,7 @@ profile iotop @{exec_path} { @{bin}/ r, @{bin}/file rix, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/magic r, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 743da77a1..264e49ebc 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -13,7 +13,7 @@ profile kconfig-hardened-check @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 0de151536..4aa662cd0 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -18,7 +18,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/bwrap rCx -> bwrap, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 9a138ff50..502f941be 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -24,7 +24,7 @@ profile mpsyt @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ldconfig rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 1e5ee2f91..41d327f93 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -31,7 +31,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, @{bin}/locale rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, 
@@ -43,7 +43,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, - @{att}/@{lib}/python3.@{int}/** r, + @{att}/@{lib}/@{python_name}/** r, /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index b0c4d88c6..9d9ed2a94 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -13,7 +13,7 @@ profile obamenu @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index d136ee08f..15957b348 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -75,7 +75,7 @@ profile openbox @{exec_path} { /etc/xdg/autostart/{,*} r, # Silencer - deny @{lib}/python3/** w, + deny @{lib}/@{python_name}/** w, deny owner @{user_lib_dirs}/python*/site-packages/ r, # file_inherit diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index fe06a346d..5ae5df7e6 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -53,7 +53,7 @@ profile pass @{exec_path} { # Pass extensions @{bin}/oathtool ix, # pass-otp - @{bin}/python3.@{int} Px -> pass-import, # pass-import, pass-audit + @{python_path} Px -> pass-import, # pass-import, pass-audit @{bin}/qrencode PUx, # pass-otp @{bin}/tomb PUx, # pass-tomb diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 4977bb51a..c8fb38e44 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -26,7 +26,7 @@ profile pass-import @{exec_path} { @{bin}/ld rix, @{bin}/ldconfig rix, @{bin}/pass rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{lib}/gcc/**/collect2 rix, @{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny 
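Review bot: The context line right after the new `@{python_path} rix,` in pass-import, `@{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny`, stays on literal interpreter directory names although this patch moves every other profile onto `@{python_name}`, and it is the only rule in the series that grants write access to the whole Python library tree. A write grant on that tree means anything running under this profile can alter modules that every other Python process on the host imports, so it is the rule most worth tightening when the existing TODO is resolved; until then, moving it onto `@{lib}/@{python_name}/** w, # TODO: Test deny` (provided the variable covers the same names, which the diff does not show) would leave the later cleanup only one spelling to find. The enclosing pass-import profile starts and ends outside this hunk.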
diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index da5753161..08b286b5a 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem @@ -17,7 +17,7 @@ profile ps-mem @{exec_path} { ptrace (read), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index a5fcbb91e..8c6608e01 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -29,7 +29,7 @@ profile qbittorrent @{exec_path} { include include - signal send set=(term, kill) peer=qbittorrent//python3, + signal send set=(term, kill) peer=qbittorrent//python, network inet dgram, network inet6 dgram, @@ -68,7 +68,7 @@ profile qbittorrent @{exec_path} { @{exec_path} mr, @{open_path} rPx -> child-open, - @{bin}/python3.@{int} rCx -> python, # For "search engine" + @{python_path} rCx -> python, # For "search engine" # Allowed apps to open @{bin}/ebook-viewer rPx, @@ -129,7 +129,7 @@ profile qbittorrent @{exec_path} { network inet6 stream, network netlink raw, - @{bin}/python3.@{int} r, + @{python_path} r, owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index a1fd7b3b3..5ad84fb15 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -27,7 +27,7 @@ profile repo @{exec_path} { @{bin}/curl rix, @{bin}/env rix, @{bin}/git rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/uname rix, @{lib}/git{,-core}/git* rix, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 2a0f9b391..acdad5640 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk 
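Review bot: The `signal send set=(term, kill) peer=qbittorrent//python,` change in the first qbittorrent hunk is a behavioural fix rather than a variable substitution: the old peer label `qbittorrent//python3` does not match the child profile that the `rCx -> python` transition in the second hunk of the same file creates, so the old signal rule presumably never matched. A fix like this deserves a line in the commit message, or its own commit, so that anyone bisecting a "search engine" regression can find it; the message currently describes a pure refactor. This reading assumes the child profile is declared as `profile python` in the part of the file outside these hunks.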
@@ -36,7 +36,7 @@ profile rustdesk @{exec_path} { @{bin}/ls rix, @{bin}/sudo rCx -> sudo, - @{bin}/python3.@{int} rCx -> python, + @{python_path} rCx -> python, @{sh_path} rCx -> shell, /etc/gdm{,3}/custom.conf r, @@ -64,7 +64,7 @@ profile rustdesk @{exec_path} { include @{bin}/rustdesk rPx, - @{bin}/python3.@{int} rPx -> rustdesk//python, + @{python_path} rPx -> rustdesk//python, include if exists } @@ -76,7 +76,7 @@ profile rustdesk @{exec_path} { capability dac_read_search, capability dac_override, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/chmod rix, diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index f31818354..7e9728fc9 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest @@ -21,7 +21,7 @@ profile speedtest @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 4db5c6f92..84f6d52d3 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -28,7 +28,7 @@ profile system-config-printer @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/cups/*/* rPUx, /usr/share/hplip/query.py rPUx, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 0197e3c3b..de34ea608 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -19,7 +19,7 @@ profile system-config-printer-applet @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e5a8f80d9..679a0fd32 100644 
--- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -30,7 +30,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} rix, + @{python_path} rix, # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index f1bf99bf8..9801f8737 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -20,7 +20,7 @@ profile update-command-not-found @{exec_path} { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 25f4a979f..eaf6ca24b 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -16,7 +16,7 @@ profile vcsi @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ffmpeg rPx, diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 283eab051..1460fb1a7 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -25,7 +25,7 @@ profile vidcutter @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ldconfig rix, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index af472b4d5..614084c71 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -31,8 +31,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{exec_path} rix, @{sh_path} rix, - @{bin}/python3.@{int} rix, - @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r, @{bin}/env rix, 
diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 22713e3bf..20575b2a8 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -21,7 +21,7 @@ profile wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/python3.@{int} rix, + @{python_path} rix, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 781e24768..d618a0db1 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -30,7 +30,7 @@ profile youtube-dl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index 551a8edf4..ffa78eda3 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -24,7 +24,7 @@ profile yt-dlp @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 81ccfc284..12fd657c3 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -24,7 +24,7 @@ profile ytdl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ldconfig rix, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index 59a8d772e..f4dc9fc77 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -20,7 +20,7 @@ profile zenmap @{exec_path} { signal (send) set=(term, kill) peer=nmap, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/nmap rPx, From a53ffeb251da8df49f12676e497c82fb243bd40c Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 20 Feb 2025 20:18:44 +0100 Subject: [PATCH 078/672] fix(profile): ensure gsconnect-preferences is part of gnome-extension-gsconnect. --- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 4c4b00c5d..cf5c0a855 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -9,7 +9,7 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io -@{exec_path} = @{share_dirs}/service/daemon.js +@{exec_path} = @{share_dirs}/service/daemon.js @{share_dirs}/gsconnect-preferences profile gnome-extension-gsconnect @{exec_path} { include include From 1f3fb1513a0ae0959b556f294c5c605cf05c9db3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 00:05:36 +0100 Subject: [PATCH 079/672] feat(profile): enforce apparmor.systemd --- apparmor.d/groups/apparmor/apparmor.systemd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd index 75394f5de..79b3f1a86 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/apparmor/apparmor.systemd -profile apparmor.systemd @{exec_path} flags=(complain) { +profile apparmor.systemd @{exec_path} { include include include From 2ae16a93f4b68aa16a6362557a435134d6ae0cb0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 00:07:08 +0100 Subject: [PATCH 080/672] feat(abs): remove mesa 24.2 fix as it has been fixed upstream. --- apparmor.d/abstractions/base.d/complete | 6 ------ 1 file changed, 6 deletions(-) 
diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 3b5ecaf41..230e0c9d5 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -23,12 +23,6 @@ @{etc_rw}/localtime r, /etc/locale.conf r, - # mesa 24.2 introduced a shader disk cache which opens quite a lot of fd. - # They are not closed and get inherited by child programs. Denying it can cause - # crash, so we are allowing it globally while the issue is beeing fixed in mesa. - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw, - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw, - @{sys}/devices/system/cpu/possible r, @{PROC}/sys/kernel/core_pattern r, From c1bea69cbf1c062a1aa501867a0dbf22774681e1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 00:10:08 +0100 Subject: [PATCH 081/672] feat(profile): minor gnome improvments. --- apparmor.d/groups/gnome/gnome-control-center | 4 ++-- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- apparmor.d/groups/gnome/nautilus | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 91f49c219..cfb40f5c4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -90,10 +90,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/wallpapers/{,**} r, /usr/share/xml/iso-codes/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/machine-info r, /etc/rygel.conf r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, /etc/fstab r, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index cf5c0a855..7bb34e52f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect 
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -53,7 +53,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{run}/user/@{uid}/gsconnect/ w, + owner @{run}/user/@{uid}/gsconnect/{,**} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 890e5b34e..7e25ee08c 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -108,6 +108,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, From 8912aaf12695b4b2278d471db76cbbe4fcf7e1bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 00:55:52 +0100 Subject: [PATCH 082/672] feat(profile): general update. --- apparmor.d/groups/gvfs/gvfsd-sftp | 1 + apparmor.d/groups/pacman/mkinitcpio | 1 + apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/procps/htop | 95 +++++++++++------------ apparmor.d/groups/procps/uptime | 2 + apparmor.d/groups/ssh/ssh | 10 ++- apparmor.d/groups/ssh/ssh-sk-helper | 2 +- apparmor.d/groups/systemd/busctl | 6 +- apparmor.d/groups/systemd/systemd-analyze | 1 + apparmor.d/profiles-s-z/spotify | 3 +- apparmor.d/profiles-s-z/transmission | 1 + apparmor.d/profiles-s-z/wpa-cli | 2 +- 12 files changed, 67 insertions(+), 59 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index cabee57c2..157af621c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -19,6 +19,7 @@ profile gvfsd-sftp @{exec_path} { @{bin}/ssh rPx, owner @{run}/user/@{uid}/gvfsd-sftp/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, owner @{PROC}/@{pid}/fd/ r, 
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index ed91f6c9c..8c92421f1 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -49,6 +49,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 @{bin}/plymouth rPx,
 @{bin}/plymouth-set-default-theme rPx,
 @{bin}/sbctl rPx,
+ @{bin}/sync rPx,
 @{lib}/initcpio/busybox rix,
 @{lib}/initcpio/post/** rix,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 16a8171ca..327af130f 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -135,8 +135,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/ r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/environ r,
 @{PROC}/@{pids}/stat r,
- @{PROC}/1/environ r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/tty/drivers r,
 @{PROC}/uptime r,
diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop
index 08b58ebd2..c720929f3 100644
--- a/apparmor.d/groups/procps/htop
+++ b/apparmor.d/groups/procps/htop
@@ -20,10 +20,10 @@ profile htop @{exec_path} {
 network netlink raw,
- signal (send),
- signal (receive) set=(hup) peer=gnome-terminal-server,
+ signal send,
+ signal receive set=hup peer=gnome-terminal-server,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
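Review bot: The pacman hunk replaces `@{PROC}/1/environ r,` with `@{PROC}/@{pids}/environ r,`, which widens the read from PID 1's environment to the environment of every process on the system; process environments routinely carry tokens and credentials, so this is a significant grant for a package manager and the commit gives no reason for it. If the denial that motivated the change came from a pid other than 1, prefer the narrowest rule that covers it, e.g. keep `@{PROC}/1/environ r,` and add `owner @{PROC}/@{pid}/environ r,`; if pacman genuinely needs arbitrary processes' environments, a comment naming that code path should sit above the rule. The pacman profile block starts and ends outside this hunk.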
@@ -38,51 +38,6 @@ profile htop @{exec_path} { owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/* rw, - owner @{PROC}/@{pid}/smaps_rollup r, - - @{PROC}/ r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/sched_autogroup_enabled r, - @{PROC}/tty/drivers r, - @{PROC}/uptime r, - - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/autogroup rw, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/net/dev r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/wchan r, - - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/ r, - @{PROC}/@{pids}/task/@{tid}/attr/current r, - @{PROC}/@{pids}/task/@{tid}/cgroup r, - @{PROC}/@{pids}/task/@{tid}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/comm r, - @{PROC}/@{pids}/task/@{tid}/environ r, - @{PROC}/@{pids}/task/@{tid}/io r, - @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, - @{PROC}/@{pids}/task/@{tid}/oom_score r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/statm r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/task/@{tid}/wchan r, - @{sys}/bus/dax/devices/ r, @{sys}/bus/i2c/devices/ r, @{sys}/bus/soc/devices/ r, 
@@ -129,8 +84,52 @@ profile htop @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, + @{PROC}/ r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/sched_autogroup_enabled r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, + + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/autogroup rw, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_score r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/wchan r, + + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/ r, + @{PROC}/@{pids}/task/@{tid}/attr/current r, + @{PROC}/@{pids}/task/@{tid}/cgroup r, + @{PROC}/@{pids}/task/@{tid}/cmdline r, + @{PROC}/@{pids}/task/@{tid}/comm r, + @{PROC}/@{pids}/task/@{tid}/environ r, + @{PROC}/@{pids}/task/@{tid}/io r, + @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, + @{PROC}/@{pids}/task/@{tid}/oom_score r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/statm r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/task/@{tid}/wchan r, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cpuset r, + owner @{PROC}/@{pid}/smaps_rollup r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/procps/uptime b/apparmor.d/groups/procps/uptime index 904ebe415..3da204a38 100644 --- a/apparmor.d/groups/procps/uptime +++ b/apparmor.d/groups/procps/uptime @@ -15,6 +15,8 @@ profile uptime @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/@{int} r, + @{PROC}/uptime r, @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 69f594f7a..0c86919b1 100644 
--- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -13,19 +13,20 @@ profile ssh @{exec_path} { include include - signal (receive) set=(term) peer=gnome-keyring-daemon, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=term peer=gnome-keyring-daemon, + signal send set=hup peer=unconfined, + @{exec_path} mrix, @{bin}/@{shells} rUx, - @{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper, + @{lib}/{,ssh/}ssh-sk-helper rPx, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, @@ -42,8 +43,9 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16}, owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index d913e2a2d..c8c29dbaf 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/ssh/ssh-sk-helper +@{exec_path} = @{lib}/{,ssh/}ssh-sk-helper profile ssh-sk-helper flags=(complain) { include diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 826405d2d..765758771 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -20,11 +20,11 @@ profile busctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - ptrace (read), + ptrace read, - unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl, + unix bind type=stream addr=@@{udbus}/bus/busctl/busctl, - signal (send) set=(cont) peer=child-pager, + signal send set=cont peer=child-pager, dbus eavesdrop bus=accessibility, dbus eavesdrop bus=session, 
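Review bot: The second ssh hunk turns the agent-socket rule into `audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,`; `audit` on an allow rule emits an audit record for every permitted access, so each use of the agent socket will now be logged, which reads like a debugging aid left in rather than intended policy. If it is intentional, a comment above it saying what is being tracked (`# audit: log agent socket access while investigating …`) would make that clear; otherwise drop the qualifier. The first ssh hunk also adds `signal send set=hup peer=unconfined,`, which lets ssh signal any unconfined process; a one-line comment naming the peer that actually receives the HUP would make the grant reviewable. Both hunks sit inside the ssh profile, whose block starts and ends outside them.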
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 039f8dc64..7310586e8 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -61,6 +61,7 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 41219a4f8..ef516a7d6 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -44,9 +44,10 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, - @{PROC}/pressure/* r, @{PROC}/@{pid}/net/unix r, + @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 2a39981df..ad219f1ab 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -59,6 +59,7 @@ profile transmission @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index c9987fa01..3920a21df 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -13,7 +13,7 @@ profile wpa-cli @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}/wpa_action rPx, + @{bin}/wpa_action rPx, /etc/inputrc r, From 360c009a6797a49bd55b4b0eb851400dc3e070e6 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Fri, 21 Feb 2025 21:17:57 +0100
Subject: [PATCH 083/672] fix: add missing desktop abs to gcr-prompter see #404
---
 apparmor.d/groups/gnome/gcr-prompter | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter
index a1e323c87..6bcbd1cc0 100644
--- a/apparmor.d/groups/gnome/gcr-prompter
+++ b/apparmor.d/groups/gnome/gcr-prompter
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/gcr-prompter
 profile gcr-prompter @{exec_path} {
 include
+ include
 @{exec_path} mr,
From 7c49a45cbb170c4c3dba27dc47dedfbdd0d42734 Mon Sep 17 00:00:00 2001
From: c-jaenicke <72254270+c-jaenicke@users.noreply.github.com>
Date: Sat, 22 Feb 2025 14:56:18 +0100
Subject: [PATCH 084/672] fix regex on line 65, missing star
---
 apparmor.d/groups/pacman/mkinitcpio | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index 8c92421f1..f1d4818ef 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -62,7 +62,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 /etc/mkinitcpio.conf r,
 /etc/mkinitcpio.conf.d/{,**} r,
 /etc/mkinitcpio.d/{,**} r,
- /etc/modprobe.d/{,*} r,
+ /etc/modprobe.d/{,**} r,
 /etc/os-release r,
 /etc/plymouth/plymouthd.conf r,
 /etc/vconsole.conf r,
From 6ea379eecde880ce45b5e9d9b8387efbf0b7e959 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 21 Feb 2025 21:30:05 +0100
Subject: [PATCH 085/672] chore: remove deprecated golangci config.
---
 .golangci.yaml | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 .golangci.yaml
diff --git a/.golangci.yaml b/.golangci.yaml
deleted file mode 100644
index 7718ccda2..000000000
--- a/.golangci.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-linters-settings:
- staticcheck:
- checks: ["all", "-SA1019" ]
From 898066c76c409852ea57d3b9a383044c09868894 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol Date: Sat, 22 Feb 2025 22:56:40 +0100 Subject: [PATCH 086/672] refractor: add new polkit group. --- apparmor.d/{profiles-m-r => groups/polkit}/pkexec | 0 apparmor.d/{profiles-m-r => groups/polkit}/pkttyagent | 0 apparmor.d/groups/{freedesktop => polkit}/polkit-agent-helper | 0 apparmor.d/groups/{freedesktop => polkit}/polkitd | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/{profiles-m-r => groups/polkit}/pkexec (100%) rename apparmor.d/{profiles-m-r => groups/polkit}/pkttyagent (100%) rename apparmor.d/groups/{freedesktop => polkit}/polkit-agent-helper (100%) rename apparmor.d/groups/{freedesktop => polkit}/polkitd (100%) diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/groups/polkit/pkexec similarity index 100% rename from apparmor.d/profiles-m-r/pkexec rename to apparmor.d/groups/polkit/pkexec diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/groups/polkit/pkttyagent similarity index 100% rename from apparmor.d/profiles-m-r/pkttyagent rename to apparmor.d/groups/polkit/pkttyagent diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper similarity index 100% rename from apparmor.d/groups/freedesktop/polkit-agent-helper rename to apparmor.d/groups/polkit/polkit-agent-helper diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/polkit/polkitd similarity index 100% rename from apparmor.d/groups/freedesktop/polkitd rename to apparmor.d/groups/polkit/polkitd From e9b022a9a1711bc94bd531a2c632e7df7e17f347 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 12:47:22 +0100 Subject: [PATCH 087/672] fix: ensure sync is not inherited fix #670 --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 18ba854d5..97a9446aa 100644 --- a/apparmor.d/tunables/multiarch.d/programs 
+++ b/apparmor.d/tunables/multiarch.d/programs
@@ -22,7 +22,7 @@
 @{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
 @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir
 @{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep
-@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true
+@{coreutils} += sort split stat stdbuf stty sum tac tail tee test timeout touch tr true
 @{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes
 # Python interpreters
From 8a381b2f6babcf429ba2edb7dcb25d772d9dbeab Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 23 Feb 2025 18:13:16 +0100
Subject: [PATCH 088/672] feat(profile): various update for ubuntu.
---
 apparmor.d/groups/apt/apt | 1 +
 apparmor.d/groups/apt/apt-methods-gpgv | 1 +
 apparmor.d/groups/apt/dpkg | 1 -
 apparmor.d/groups/apt/dpkg-preconfigure | 6 ++++++
 apparmor.d/groups/filesystem/lvm | 1 +
 apparmor.d/groups/firewall/firewalld | 2 +-
 apparmor.d/groups/polkit/polkitd | 1 +
 apparmor.d/groups/snap/snapd | 2 +-
 apparmor.d/groups/utils/login | 3 ++-
 apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 1 +
 apparmor.d/profiles-m-r/mkinitramfs | 11 +++++++----
 apparmor.d/profiles-m-r/needrestart | 2 +-
 apparmor.d/profiles-m-r/run-parts | 6 ++++++
 13 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index c0545f2ec..cbf1c4f9f 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -53,6 +53,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 peer=(name="{:*,org.freedesktop.DBus}"),
 @{exec_path} mr,
+ @{python_path} mr,
 @{bin}/ r,
diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv
index 4b2a15773..f4e77fa4d 100644
--- a/apparmor.d/groups/apt/apt-methods-gpgv
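Review bot: Dropping `sync` from `@{coreutils}` in the tunables hunk leaves no trace in the file of why it is absent, and a future contributor completing the coreutils list is likely to add it back and silently re-introduce the inheritance this commit removes. A short comment above the list would pin the decision, e.g. `# sync is intentionally not listed: it runs under its own profile and must not be inherited (#670)`; the issue number comes from the commit subject, and the dedicated profile is implied by the `@{bin}/sync rPx,` rule added to mkinitcpio earlier on this page. The `@{coreutils}` assignments begin before this hunk.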
+++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -84,6 +84,7 @@ profile apt-methods-gpgv @{exec_path} { owner @{tmp}/apt-key-gpghome.*/ rw, owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner @{tmp}/apt.{conf,sig,data}.* rw, + owner @{tmp}/apt.@{rand6}.gpg rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index dd87414bf..6d47e748b 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -37,7 +37,6 @@ profile dpkg @{exec_path} { @{pager_path} rPx -> child-pager, # Package maintainer's scripts - # Move it to a child profile once more transitions will be available /var/lib/dpkg/info/*.{config,templates} rPUx, /var/lib/dpkg/info/*.{preinst,postinst} rPUx, /var/lib/dpkg/info/*.{prerm,postrm} rPUx, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 94b7603fa..30fc78445 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -23,14 +23,17 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/{,e}grep rix, @{bin}/{,g,m}awk rix, @{bin}/cat rix, + @{bin}/debconf-escape rix, @{bin}/dialog rix, @{bin}/expr rix, @{bin}/locale rix, + @{bin}/readlink rix, @{bin}/sed rix, @{bin}/sort rix, @{bin}/stty rix, @{bin}/tr rix, + @{bin}/findmnt rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/apt-extracttemplates rPx, @{bin}/whiptail rPx, @@ -40,9 +43,12 @@ profile dpkg-preconfigure @{exec_path} { /etc/debconf.conf r, /etc/default/grub r, + /etc/default/mdadm r, /etc/inputrc r, /etc/locale.gen r, + /etc/mdadm/mdadm.conf r, /etc/shadow r, + /etc/ssh/sshd_config r, /var/lib/locales/supported.d/{,*} r, diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm index cff4ce186..75cd0de80 100644 --- a/apparmor.d/groups/filesystem/lvm +++ b/apparmor.d/groups/filesystem/lvm 
@@ -23,6 +23,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { ptrace (read), + mqueue getattr type=posix /, mqueue r type=posix /, @{exec_path} rm, diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 123dff77f..6d84dfe47 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -40,7 +40,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rix, @{bin}/modprobe rix, @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rmix, /usr/local/lib/@{python_name}/dist-packages/ r, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 9b3db683f..649fe9ceb 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -53,6 +53,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, + @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index dc80b17a4..273b68fc5 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -108,7 +108,7 @@ profile snapd @{exec_path} { /etc/modules-load.d/*snap* rw, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, - /etc/systemd/user/{,**/} r, + /etc/systemd/user/{,**/} rw, /etc/systemd/user/**/*snap* rw, /etc/systemd/user/*snap* rw, /etc/udev/rules.d/{,*snap*} rw, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index a4d1b8cd2..f83c1687e 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login 
@@ -59,12 +59,13 @@ profile login @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/motd.legal-displayed rw, + @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{run}/credentials/getty@tty@{int}.service/ r, @{run}/dbus/system_bus_socket rw, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, - @{run}/systemd/sessions/*.ref rw, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index e5c739bd5..fb9b75824 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -15,6 +15,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { capability fsetid, @{exec_path} mr, + @{python_path} mr, @{sh_path} rix, @{bin}/bc rix, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 6585f6382..c377889c8 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -19,11 +19,10 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/ r, - @{lib}/ r, - @{lib}64/ r, + @{bin}/ r, + @{lib}/ r, @{bin}/{,e}grep rix, @{bin}/basename rix, @@ -43,6 +42,7 @@ profile mkinitramfs @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, @@ -60,6 +60,7 @@ profile mkinitramfs @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, + @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @@ -108,6 +109,8 @@ profile mkinitramfs @{exec_path} { include @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mr, + @{lib}/ld-linux.so* mr, @{sh_path} rix, @{bin}/kmod mr, 
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 41d327f93..397646c5e 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -84,7 +84,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability sys_resource, capability net_admin, - signal send set=term peer=systemd-tty-ask-password-agent, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index c20b305e1..d0ecbbd9e 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -38,6 +38,7 @@ profile run-parts @{exec_path} { /etc/anacrontab r, /etc/conf.d/snapper{,**} r, /etc/default/* r, + /etc/profile.d/{,**} r, /etc/snapper/configs/root r, # Crontab @@ -159,6 +160,10 @@ profile run-parts @{exec_path} { include include + network inet dgram, + network inet6 dgram, + network netlink raw, + @{sh_path} rix, @{bin}/{e,}grep rix, @{bin}/cat rix, @@ -169,6 +174,7 @@ profile run-parts @{exec_path} { @{bin}/sort rix, @{bin}/tr rix, @{bin}/uname rix, + @{bin}/hostname rPx, @{bin}/snap rPUx, @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, From d51826542b37e941824a3ccd594e1f85757155c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 18:13:49 +0100 Subject: [PATCH 089/672] Revert "chore: remove deprecated golangci config." This reverts commit 6ea379eecde880ce45b5e9d9b8387efbf0b7e959. --- .golangci.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .golangci.yaml diff --git a/.golangci.yaml b/.golangci.yaml new file mode 100644 index 000000000..7718ccda2 --- /dev/null +++ b/.golangci.yaml @@ -0,0 +1,5 @@ +--- + +linters-settings: + staticcheck: + checks: ["all", "-SA1019" ] From 2f5637bd6587444f46730b52bcd894dafcbdc606 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Sun, 23 Feb 2025 18:16:27 +0100
Subject: [PATCH 090/672] feat(profile): improve makepkg.
---
 apparmor.d/groups/pacman/makepkg | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg
index d5abc07db..b2c043a6e 100644
--- a/apparmor.d/groups/pacman/makepkg
+++ b/apparmor.d/groups/pacman/makepkg
@@ -28,14 +28,20 @@ profile makepkg @{exec_path} {
 file,
- @{bin}/gpg{,2} Cx -> gpg,
- @{bin}/gpgconf Cx -> gpg,
- @{bin}/gpgsm Cx -> gpg,
- @{bin}/sudo Cx -> sudo,
+ @{bin}/gpg{,2} Cx -> gpg,
+ @{bin}/gpgconf Cx -> gpg,
+ @{bin}/gpgsm Cx -> gpg,
+ @{bin}/sudo Cx -> sudo,
+
+ deny capability sys_ptrace,
+ deny ptrace read,
 profile gpg {
 include
 include
+ include
+
+ network netlink raw,
 @{bin}/gpg{,2} mr,
 @{bin}/gpgconf mr,
From b10f2df5ecc4229368427732bdb5ae975af4aa35 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 23 Feb 2025 20:10:21 +0100
Subject: [PATCH 091/672] doc: add roadmap and prebuilt pages.
---
 docs/development/build.md | 152 ++++++++++++++++++++++++++++++++++++
 docs/development/roadmap.md | 60 ++++++++++++++
 mkdocs.yml | 3 +
 3 files changed, 215 insertions(+)
 create mode 100644 docs/development/build.md
 create mode 100644 docs/development/roadmap.md
diff --git a/docs/development/build.md b/docs/development/build.md
new file mode 100644
index 000000000..89bf8e89e
--- /dev/null
+++ b/docs/development/build.md
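Review bot: The new `deny capability sys_ptrace,` and `deny ptrace read,` rules in the makepkg hunk carry no comment, while the openbox hunk earlier on this page marks the equivalent rules with a `# Silencer` header. Adding the same `# Silencer` line above these two tells the next reader they exist to quiet log noise rather than to block an access makepkg is known to need, and keeps the convention consistent across the series. The makepkg profile and its `gpg` child block both start and end outside the hunk.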
@@ -0,0 +1,152 @@ +--- +title: Building the profiles +--- + +The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `make`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. + +The build system is fully configurable, general usage can be seen with: +```sh +go run ./cmd/prebuild -h +``` + +``` +aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] + + Prebuild apparmor.d profiles for a given distribution and apply + internal built-in directives. + +Options: + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -f, --full Set AppArmor for full system policy. + -F, --file Only prebuild a given file. + +Prepare tasks: + configure - Set distribution specificities + setflags - Set flags on some profiles + fsp - Configure AppArmor for full system policy + merge - Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory + overwrite - Overwrite dummy upstream profiles + synchronise - Initialize a new clean apparmor.d build directory + ignore - Ignore profiles and files from: + systemd-default - Configure systemd unit drop in files to a profile for some units + systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor + +Build tasks: + abi3 - Convert all profiles from abi 4.0 to abi 3.0 + attach - Re-attach disconnected path + complain - Set complain flag on all profiles + enforce - All profiles have been enforced + fsp - Prevent unconfined transitions in profile rules + hotfix - Temporary fix for #74, #80 & #235 + userspace - Resolve variable in profile attachments + +Directive: + #aa:dbus own bus= name= [interface=AARE] [path=AARE] + #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] + #aa:exec [P|U|p|u|PU|pu|] profiles... 
+ #aa:only filters... + #aa:exclude filters... + #aa:stack [X] profiles... +``` + +## Prepare Tasks + +### **`synchronise`** + +Initialize a new clean `apparmor.d` build directory in `.build/`. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`ignore`** + +Ignore profiles and files as defined in the `dist/ignore` directory. See [workflow](workflow.md#ignore-profiles). + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`merge`** + +Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`configure`** + +Set distribution specificities as defined in [`pkg/prebuild/prepare/configure.go`](https://github.com/roddhjav/apparmor.d/blob/main/pkg/prebuild/prepare/configure.go) + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`setflags`** + +Set flags on profiles as defined in the [flags manifest](workflow.md#profile-flags). + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`overwrite`** + +Overwrite (dummy) upstream profiles as defined in `dist/overwrite`. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`systemd-default`** + +Install systemd unit drop in files from `systemd/default`. They configure the various dbus daemon to use specific profiles. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`systemd-early`** + +Install systemd unit drop in files from `systemd/early` to ensure some services start after AppArmor. THis task will be removed in the future, as it will not be needed any more. + +*Enabled by default. Can be disabled in `pkg/prebuild/cli/cli.go`* + +### **`fsp`** + +Configure AppArmor for full system policy. 
+ +*Enable with the `--full` option in the prebuild command.* + + +## Build Tasks + +### **`abi3`** + +This task will convert all profiles from `abi/4.0` to `abi/3.0`. The rules not supported by `abi/3.0` are commented in the build profiles. + +*Enable with the `--abi 3` option in the prebuild command.* + +### **`complain | enforce`** + +Set or remove the complain flag on all profiles. The `complain` task is enabled by default. When building in enforce mode, it is disabled. Enabling the `enforce` task will enforce **all** profiles including the one set in the [flags manifest](workflow.md#profile-flags). It is intended to be used in specialized system such as CTF or (very) high security VM. + +*Enable with the `--complain` or `--enforce` option in the prebuild command.* + +### **`userspace`** + +Resolve variables in profile attachments. It fixes issues with the userland AppArmor tools (aa-enforce, aa-logprof...) that does not support identical variable in the profiles attachments. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`attach`** + +This task reattaches disconnected paths. See [#559](https://github.com/roddhjav/apparmor.d/issues/559): + +- Add the `attach_disconnected.path` flag on all profiles with the `attach_disconnected` flag +- Add the attached/base abstraction in the profile +- For compatibility, non-disconnected profile will have the `@{att}` variable set to `/` + +*Enabled when abi >= 4.0* + +### **`hotfix`** + +Temporary fix for #74, #80 & #235. Only an issue on Gnome, can be disabled on server. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`fsp`** + +Prevent unconfined transitions in profile rules. + +*Enable with the `--full` option in the prebuild command.* diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md new file mode 100644 index 000000000..e8a047a03 --- /dev/null +++ b/docs/development/roadmap.md 
@@ -0,0 +1,60 @@ +--- +title: Roadmap +--- + +## Toward a stable release + +This is the current list of features that must be implemented to get to a stable release + +- [ ] **Play machine** + +- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** + - [x] Move most profiles into groups such that + - [ ] New simplified build system to generate the packages with profile dependencies check + +- [ ] **Tests** + - [x] Tests VM for all supported targets (see [tests/vm](vm.md)) + - [ ] Small integration tests for all core profiles (see [tests/integration](integration.md)) + +- [ ] **Documentation** + - [ ] Initial draft of the security model and goal + - [ ] General documentation improvements + +- [ ] **General improvements** + - [ ] Provide a proper fix for #74, #80 & #235 + - [ ] The apt/dpkg profiles needs to be reworked + +## Next features + +- [ ] **Conditions** + - [ ] Integrate the new condition feature in the profiles and restrict them a lot according to the application actually in use. Eg: `Gnome | KDE`, `X11 | Wayland`, etc. + - [ ] Create a new `aa-config` tool, similar to seboolean, to manage various settings, based on conditions. + +- [ ] **User Data** + - [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone. + - [ ] Add a prompt listener to handle the user data access. + +- [ ] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** + - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing + - [ ] Remove the `default` profile + +## Done + +**Abstractions** + +- [x] New `audio-client` and `audio-server` abstractions +- [x] New desktop agnostic `desktop` abstraction for all common access for any GUI app. +- [x] New `graphics` abstraction, hardware-agnostic. 
Fully replace and restrict the old `opencl` abstractions +- [x] All new abstractions are documented in the [abstractions](abstractions.md) page + +**Dbus** + +- [x] New `dbus-{system,session,accessibility}` profiles. Works regardless of the dbus implementation in use. +- [x] New talk directive: Allow the application to talk to session services. (send to) +- [x] New own directive: Allow the application to own session services under the given name. (receive, send, bind) +- [x] New `bus-{system,session,accessibility}` abstraction to be used in the profiles + +**Directives** + +- [x] Add directive. See the [directive](directives.md) page + diff --git a/mkdocs.yml b/mkdocs.yml index 9390b3dde..ed14108a8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -152,6 +152,7 @@ nav: - recovery.md - Development: - development/index.md + - development/roadmap.md - Profiles: - development/workflow.md - development/guidelines.md @@ -160,6 +161,8 @@ nav: - development/directives.md - development/dbus.md - development/recommendations.md + - Packages: + - development/build.md - Tests: - development/tests.md - development/integration.md From 7bc248577ac391fbdcb69cdaf7f758597a0b0223 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 20:13:21 +0100 Subject: [PATCH 092/672] feat(profile): small improvment with systemd. --- apparmor.d/groups/systemd/bootctl | 1 + apparmor.d/groups/systemd/busctl | 15 ++++++++------- apparmor.d/groups/systemd/networkctl | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 1 + apparmor.d/groups/systemd/systemd-logind | 2 ++ apparmor.d/groups/systemd/systemd-networkd | 1 + apparmor.d/groups/systemd/systemd-sulogin-shell | 2 +- .../groups/systemd/systemd-tty-ask-password-agent | 4 ++++ 8 files changed, 20 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index c7bb7b19f..28c2851fa 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
@@ -43,6 +43,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{sys}/class/tpmrm/ r, + @{sys}/devices/pnp@{int}/**/tpm/tpm@{int}/tpm_version_major r, @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 765758771..8b32b348f 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -39,13 +39,14 @@ profile busctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index ce81686ae..0163f2258 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -50,6 +50,8 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + @{att}/@{run}/systemd/netif/io.systemd.Network rw, + @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2e841dc51..b26dabae7 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump 
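Review bot: The rewritten `@{PROC}/@{pid}/` block in the busctl hunk drops the `owner` qualifier from `cmdline`, `fdinfo/@{int}`, `loginuid` and `sessionid`, so busctl may now read the command line and file-descriptor information of every process on the system instead of only the caller's own. Command lines routinely carry secrets passed as arguments, so if the widening is driven by peer inspection of other users' processes (presumably `busctl status`/`list` output), a comment such as `@{PROC}/@{pid}/cmdline r, # peer process info` on that line would record the reason; if this was only a sort-and-align pass, `owner` should be kept on those four lines. The newly added `@{PROC}/@{pid}/attr/current r,` is likewise not owner-restricted.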
@@ -34,6 +34,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted / r, @{bin}/* r, /opt/** r, + @{user_lib_dirs}/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index f7e0af838..f558e57e7 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -27,6 +27,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { network netlink raw, + mqueue getattr type=posix /, mqueue r type=posix /, unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, @@ -95,6 +96,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/inhibit/ rw, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 0ca507140..619ca9dbb 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -72,6 +72,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index 094366391..d28531e56 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-sulogin-shell -profile systemd-sulogin-shell @{exec_path} { +profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { include include 
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 4c57d0200..71c5a1503 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -25,7 +25,11 @@ profile systemd-tty-ask-password-agent @{exec_path} { @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/{,*} rw, + + @{run}/user/@{uid}/ w, + @{run}/user/@{uid}/systemd/ w, @{run}/user/@{uid}/systemd/ask-password/ rw, + @{run}/utmp rk, @{PROC}/@{pids}/stat r, From 644f6b74aab62c4f20b7101a766e20442bf7668f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 20:15:09 +0100 Subject: [PATCH 093/672] feat(profile): improve some core profiles. --- apparmor.d/groups/utils/blockdev | 2 +- apparmor.d/groups/utils/losetup | 11 ++++++++--- apparmor.d/groups/utils/sulogin | 6 +++--- apparmor.d/groups/virt/virtnodedevd | 9 +++++---- apparmor.d/profiles-a-f/dmsetup | 1 + apparmor.d/profiles-g-l/hostname | 1 + 6 files changed, 19 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/utils/blockdev b/apparmor.d/groups/utils/blockdev index 88059a4c5..96e3ad23f 100644 --- a/apparmor.d/groups/utils/blockdev +++ b/apparmor.d/groups/utils/blockdev @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/blockdev profile blockdev @{exec_path} { include - include + include capability sys_admin, diff --git a/apparmor.d/groups/utils/losetup b/apparmor.d/groups/utils/losetup index fd2472dce..bb0ac6c74 100644 --- a/apparmor.d/groups/utils/losetup +++ b/apparmor.d/groups/utils/losetup 
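Review bot: `@{run}/user/@{uid}/ w,` and `@{run}/user/@{uid}/systemd/ w,` let the agent create or remove a user's runtime directory itself and the `systemd/` directory beneath it, and since neither line carries `owner` this applies to whatever `@{uid}` matches rather than the invoking user only; I cannot see the definition of `@{uid}` on this page, so whether it covers every uid is an assumption. If the intent is only to create `systemd/ask-password/` on first use, say so next to the rule, e.g. `@{run}/user/@{uid}/systemd/ w, # create ask-password/ on first use`, and check whether the `@{run}/user/@{uid}/ w,` line is needed at all, as the existing `ask-password/ rw` rule is the one the agent actually works in. The added `@{run}/utmp rk,` is read-only and fine.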
@@ -10,18 +10,23 @@ include profile losetup @{exec_path} { include include + include capability dac_override, capability dac_read_search, - unix (receive) type=stream, + unix receive type=stream, @{exec_path} mr, - @{sys}/devices/**/usb[0-9]/{,**} r, + @{user_img_dirs}/** rw, + @{user_vm_dirs}/** rw, + + @{sys}/block/ r, + @{sys}/devices/virtual/block/loop@{int}/{,**} r, /dev/loop-control rw, - /dev/loop[0-9]* rw, + /dev/loop@{int} rw, include if exists } diff --git a/apparmor.d/groups/utils/sulogin b/apparmor.d/groups/utils/sulogin index 556808aeb..ccf7216e0 100644 --- a/apparmor.d/groups/utils/sulogin +++ b/apparmor.d/groups/utils/sulogin @@ -9,9 +9,12 @@ include @{exec_path} = @{bin}/sulogin profile sulogin @{exec_path} { include + include include + capability checkpoint_restore, capability sys_admin, + capability sys_tty_config, @{exec_path} mr, @@ -22,9 +25,6 @@ profile sulogin @{exec_path} { @{PROC}/consoles r, - /dev/ r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 0b48d63fd..957164e85 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -52,6 +52,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply:* r, @{run}/udev/data/+rfkill:* r, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/+thunderbolt:* r, 
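Review bot: `capability checkpoint_restore,` in the first sulogin hunk is an unusual grant for an emergency login shell and carries no comment; CAP_CHECKPOINT_RESTORE covers things like updating `/proc/sys/kernel/ns_last_pid` and changing a process's `exe` link, and a reader of the profile cannot tell which sulogin code path asks for it. Please record the triggering audit event or reason next to the rule, e.g. `capability checkpoint_restore, # TODO: record what triggers this`, or confirm it is not a mis-attributed denial that `sys_tty_config` already resolves. The `/dev/ r,` and `/dev/tty@{int} rw,` lines removed in the second hunk presumably moved into the added `include`, whose target is not visible on this page.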
@@ -73,14 +74,14 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/n@{int} r, @{sys}/**/ r, + @{sys}/devices/@{pci}/net/{,**} r, + @{sys}/devices/@{pci}/numa_node r, + @{sys}/devices/@{pci}/resource r, + @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/@{pci}/vpd r, @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r, @{sys}/devices/**/{config,device,vendor} r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/net/{,**} r, - @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index d532bb8cf..b5a1f3ab7 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dmsetup profile dmsetup @{exec_path} { include + include include capability sys_admin, diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 326d156ef..ac2ceb6e2 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -16,6 +16,7 @@ profile hostname @{exec_path} { capability sys_admin, network inet dgram, + network inet6 dgram, # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw, From 81ecce1ef7a63de5e9be21fd79f8448abc117ac0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 20:17:49 +0100 Subject: [PATCH 094/672] fix(build): test in directive. --- pkg/prebuild/directive/exec_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go index 5581d7f2b..255d9a237 100644 --- a/pkg/prebuild/directive/exec_test.go 
+++ b/pkg/prebuild/directive/exec_test.go @@ -36,7 +36,7 @@ func TestExec_Apply(t *testing.T) { }, { name: "exec-unconfined", - rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"), + rootApparmord: paths.New("../../../apparmor.d/groups/polkit/"), opt: &Option{ Name: "exec", ArgMap: map[string]string{"U": "", "polkit-agent-helper": ""}, From 972ae950e41a5091375dcbfff21259e2a279282c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 20:53:49 +0100 Subject: [PATCH 095/672] build: improve the dbus directive. - Support for additional interfaces: += - Restrict the generated dbus rules - Add the required unix bind rule. --- pkg/prebuild/directive/core_test.go | 12 +- pkg/prebuild/directive/dbus.go | 187 ++++++++++++++++++---------- pkg/prebuild/directive/dbus_test.go | 131 ++++++++++--------- 3 files changed, 199 insertions(+), 131 deletions(-) diff --git a/pkg/prebuild/directive/core_test.go b/pkg/prebuild/directive/core_test.go index faf39df4b..229dda630 100644 --- a/pkg/prebuild/directive/core_test.go +++ b/pkg/prebuild/directive/core_test.go @@ -20,7 +20,7 @@ func TestNewOption(t *testing.T) { }{ { name: "dbus", - file: nil, + file: paths.New("dbus"), match: []string{ " #aa:dbus own bus=system name=org.gnome.DisplayManager", "dbus", @@ -34,13 +34,13 @@ func TestNewOption(t *testing.T) { "own": "", }, ArgList: []string{"own", "bus=system", "name=org.gnome.DisplayManager"}, - File: nil, + File: paths.New("dbus"), Raw: " #aa:dbus own bus=system name=org.gnome.DisplayManager", }, }, { name: "only", - file: nil, + file: paths.New("only"), match: []string{ " #aa:only opensuse", "only", @@ -50,7 +50,7 @@ func TestNewOption(t *testing.T) { Name: "only", ArgMap: map[string]string{"opensuse": ""}, ArgList: []string{"opensuse"}, - File: nil, + File: paths.New("only"), Raw: " #aa:only opensuse", }, }, 
@@ -74,13 +74,13 @@ func TestRun(t *testing.T) { }{ { name: "none", - file: nil, + file: paths.New("dummy"), profile: ` `, want: ` `, }, { name: "present", - file: nil, + file: paths.New("fake-own"), profile: ` #aa:dbus own bus=system name=org.freedesktop.systemd1`, want: dbusOwnSystemd1, }, diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index a1135d675..4a9030505 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -21,11 +21,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -var defaultInterfaces = []string{ - "org.freedesktop.DBus.Properties", - "org.freedesktop.DBus.ObjectManager", -} - type Dbus struct { prebuild.Base } @@ -43,15 +38,6 @@ func init() { ) } -func setInterfaces(rules map[string]string) []string { - interfaces := []string{rules["name"]} - if _, present := rules["interface"]; present { - interfaces = append(interfaces, rules["interface"]) - } - interfaces = append(interfaces, defaultInterfaces...) - return interfaces -} - func (d Dbus) Apply(opt *Option, profile string) (string, error) { var r aa.Rules @@ -59,11 +45,15 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { if err != nil { return "", err } + name := opt.File.Base() + if len(name) > 15 { + name = name[:15] + } switch action { case "own": - r = d.own(opt.ArgMap) + r = d.own(opt.ArgMap, name) case "talk": - r = d.talk(opt.ArgMap) + r = d.talk(opt.ArgMap, name) } aa.IndentationLevel = strings.Count( 
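Review bot: `opt.File.Base()` in the `@@ -59,11 +45,15 @@` hunk of dbus.go is called without a nil check, which is why every fixture in this commit had to replace `File: nil` with `paths.New(...)`; a directive whose `Option` has no file would now panic inside `Apply` instead of returning an error the way the `sanityCheck` failure just above does. Consider `if opt.File == nil { return "", fmt.Errorf("dbus directive: no source file to derive the bus socket name") }` before the truncation, using the package's existing error helper if `fmt` is not imported here. The literal `15` also deserves a named constant with a comment; it presumably mirrors the kernel's 15-character process comm that the `@{udbus}/bus/<comm>/<bus>` socket address is keyed on (the talk test expects `gdm-session-wor`), and `name[:15]` slices bytes rather than runes. `Apply` continues outside the hunk.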
@@ -103,63 +93,132 @@ func (d Dbus) sanityCheck(opt *Option) (string, error) { return action, nil } -func (d Dbus) own(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) - res := aa.Rules{} - res = append(res, &aa.Dbus{ - Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], - }) - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `":1.@{int}"`, - }) +func getInterfaces(rules map[string]string) []string { + var interfaces []string + if _, present := rules["interface"]; present { + interfaces = []string{rules["interface"]} + } else { + interfaces = []string{rules["name"]} } - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},org.freedesktop.DBus}"`, - }) + + if _, present := rules["interface+"]; present { + interfaces = append(interfaces, rules["interface+"]) } - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `":1.@{int}"`, - }) + return interfaces +} + +func (d Dbus) own(rules map[string]string, name string) aa.Rules { + interfaces := getInterfaces(rules) + + res := aa.Rules{ + &aa.Unix{ + Access: []string{"bind"}, Type: "stream", + Address: `@@{udbus}/bus/` + name + `/` + rules["bus"], + }, + &aa.Dbus{ + Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], + }, + } + + // Interfaces + for _, iface := range interfaces { + res = append(res, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"@{busname}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + 
) + } + + res = append(res, + // DBus.Properties + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + + // DBus.Introspectable + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"@{busname}"`, + }, + + // DBus.ObjectManager + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + ) return res } -func (d Dbus) talk(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) - res := aa.Rules{} +func (d Dbus) talk(rules map[string]string, name string) aa.Rules { + interfaces := getInterfaces(rules) + + res := aa.Rules{ + &aa.Unix{ + Access: []string{"bind"}, Type: "stream", + Address: `@@{udbus}/bus/` + name + `/` + rules["bus"], + }, + } + + // Interfaces for _, iface := range interfaces { res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], - }) - } - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], + PeerName: `"{@{busname},` + rules["name"] 
+ `}"`, PeerLabel: rules["label"], }) } + + res = append(res, + // DBus.Properties + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + + // DBus.Introspectable + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + + // DBus.ObjectManager + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + ) return res } diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 65e55e785..f2d4997e4 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go 
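Review bot: `getInterfaces` changes the meaning of `interface=` without any doc comment: the removed `setInterfaces` always emitted rules for the `name`-derived interface and appended `interface=` to it, whereas the new function emits rules for `interface=` instead of the name, and only `interface+=` adds to it. Please document this on the function, e.g. `// getInterfaces returns the D-Bus interfaces the directive generates rules for: the name-derived interface unless interface= replaces it, plus one extra interface given with interface+=.`, and reflect the replace-versus-add distinction in the directive help text, which currently lists only `[interface=AARE]`. As written `rules["interface+"]` carries a single string, so a directive with several `interface+=` arguments can express only one of them unless the argument parser concatenates them; that is an assumption worth confirming or noting in the same comment. `own` and `talk` also both build the same Properties/Introspectable/ObjectManager trio with differing access and peer fields, which would read more clearly as a small helper taking those two values.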
@@ -6,31 +6,35 @@ package directive import ( "testing" + + "github.com/roddhjav/apparmor.d/pkg/paths" ) -const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*}, +const dbusOwnSystemd1 = ` unix bind type=stream addr=@@{udbus}/bus/fake-own/system, + + dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), + peer=(name="@{busname}"), dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),` + peer=(name="@{busname}"), + dbus receive bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.systemd1{,.*}}"), + dbus send bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + 
peer=(name="{@{busname},org.freedesktop.DBus}"),` func TestDbus_Apply(t *testing.T) { tests := []struct { @@ -50,7 +54,7 @@ func TestDbus_Apply(t *testing.T) { "own": "", }, ArgList: []string{"own", "bus=system", "name=org.freedesktop.systemd1"}, - File: nil, + File: paths.New("fake-own"), Raw: " #aa:dbus own bus=system name=org.freedesktop.systemd1", }, profile: " #aa:dbus own bus=system name=org.freedesktop.systemd1", 
@@ -61,45 +65,47 @@ func TestDbus_Apply(t *testing.T) { opt: &Option{ Name: "dbus", ArgMap: map[string]string{ - "bus": "session", - "name": "com.rastersoft.dingextension", - "interface": "org.gtk.Actions", - "own": "", + "bus": "session", + "name": "com.rastersoft.ding", + "interface+": "org.gtk.Actions", + "own": "", }, - ArgList: []string{"own", "bus=session", "name=com.rastersoft.dingextension", "interface=org.gtk.Actions"}, - File: nil, - Raw: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", + ArgList: []string{"own", "bus=session", "name=com.rastersoft.ding", "interface+=org.gtk.Actions"}, + File: paths.New("fake-interface"), + Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, - profile: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", - want: ` dbus bind bus=session name=com.rastersoft.dingextension{,.*}, - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", + want: ` unix bind type=stream addr=@@{udbus}/bus/fake-interface/session, + + dbus bind bus=session name=com.rastersoft.ding{,.*}, + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - 
interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),`, + peer=(name="@{busname}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"),`, }, { name: "talk", 
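Review bot: Converting this case from `interface=org.gtk.Actions` to `interface+=org.gtk.Actions` leaves the new replace semantics of a plain `interface=` argument untested: after this commit `getInterfaces` emits rules only for the given interface and no longer for the `name`-derived one, and no case pins that. Add a sibling case that keeps `interface=org.gtk.Actions` and whose `want` contains no `interface=com.rastersoft.ding{,.*}` rule, so a later change cannot silently widen `own` back to the previous behaviour. An `own` case with a `File` longer than fifteen characters would likewise pin the socket-name truncation, which is currently exercised only by the `talk` case's `gdm-session-wor`.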
@@ -112,28 +118,31 @@ func TestDbus_Apply(t *testing.T) { "talk": "", }, ArgList: []string{"talk", "bus=system", "name=org.freedesktop.Accounts", "label=accounts-daemon"}, - File: nil, + File: paths.New("gdm-session-worker"), Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus send bus=system path=/org/freedesktop/Accounts{,/**} + want: ` unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, + + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus send bus=system path=/org/freedesktop/Accounts{,/**} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + 
member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, }, } for _, tt := range tests { From 6ebbb31589f908ed2e37669104429ef721dd9243 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 21:06:41 +0100 Subject: [PATCH 096/672] feat(profile): dbus directive use the new interface+= --- apparmor.d/groups/gnome/gnome-calculator-search-provider | 2 +- apparmor.d/groups/gnome/gnome-characters | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 4 ++-- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/tracker-extract | 2 +- apparmor.d/groups/gvfs/gvfs-afc-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-goa-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 2 +- 12 files changed, 13 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 2eaacdefb..da03ed665 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider 
@@ -17,7 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} {
   signal (send) set=kill peer=unconfined,
-  #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2
+  #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface+=org.gnome.Shell.SearchProvider2
   @{exec_path} mrix,
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index 9ae8a7b8a..9511e781f 100644
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -15,7 +15,7 @@ profile gnome-characters @{exec_path} {
   include
   include
-  #aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2
+  #aa:dbus own bus=session name=org.gnome.Characters interface+=org.gnome.Shell.SearchProvider2
   @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 068469606..72833a065 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -32,8 +32,8 @@ profile gnome-extension-ding @{exec_path} {
   unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
-  #aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions
-  #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions
+  #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions
+  #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions
   dbus send bus=session path=/org/freedesktop/DBus
   interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup
index 84f6b15c8..89769477a 100644
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
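Review bot: The gnome-extension-ding hunk converts the `talk` directive (`#aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions`) as well as the `own` one, and tracker-extract below does the same with `interface+=org.freedesktop.DBus.Peer`, but the TestDbus_Apply expectations earlier on this page only exercise `interface+=` on an `own` directive; the `talk` case there carries no interface argument at all. Whether `+=` on a `talk` directive yields the intended `(send receive)` rules for the extra interface is therefore untested by this series, so a `talk ... interface+=` case in the table would close that gap before more profiles rely on it. The remaining hunks of this commit (gnome-calculator-search-provider, gnome-characters, gnome-initial-setup, gnome-terminal-server, nautilus, gvfs-*-volume-monitor) are `own` conversions and are covered by the existing test.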
@@ -29,7 +29,7 @@ profile gnome-initial-setup @{exec_path} {
   network inet6 stream,
   network netlink raw,
-  #aa:dbus own bus=session name=org.gnome.InitialSetup interface=org.gtk.Actions
+  #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions
   @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index d96c20c36..55a7f4687 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} {
   ptrace (read) peer=htop,
   ptrace (read) peer=unconfined,
-  #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions
+  #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions
   dbus receive bus=session path=/org/gnome/Terminal/SearchProvider
   interface=org.gnome.Shell.SearchProvider2
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 7e25ee08c..3a7fdd4f4 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -28,7 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   mqueue r type=posix /,
-  #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions}
+  #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions}
   #aa:dbus own bus=session name=org.freedesktop.FileManager1
   #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 02237d932..40d938a63 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -28,7 +28,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Extract
-  #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface=org.freedesktop.DBus.Peer
+  #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface+=org.freedesktop.DBus.Peer
   dbus send bus=session path=/org/gtk/vfs/metadata
   interface=org.gtk.vfs.Metadata
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index c1058c158..7f50d8b45 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -12,7 +12,7 @@ profile gvfs-afc-volume-monitor @{exec_path} {
   include
   include
-  #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
+  #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
   dbus receive bus=session
   interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index 1b5f74ae3..3f2fb0138 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -12,7 +12,7 @@ profile gvfs-goa-volume-monitor @{exec_path} {
   include
   include
-  #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
+  #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
   dbus receive bus=session
   interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index f2b534635..dd03254b1 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -16,7 +16,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
   network netlink raw,
-  #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
+  #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
   dbus receive bus=session
   interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index d71b71523..6fbbc6092 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -15,7 +15,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} {
   network netlink raw,
-  #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
+  #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
   dbus receive bus=session
   interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index ccbe15fd1..4ed214b71 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -29,7 +29,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
   ptrace (read),
-  #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
+  #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
   #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
   dbus receive bus=session
From a793e711e5789097114bd4b72e85371a472ef05a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 22:18:38 +0100 Subject: [PATCH 097/672] fix(profile): dbus rule malformed. --- apparmor.d/groups/bus/dbus-session | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index f87e71c81..cc6b33f61 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -30,7 +30,7 @@ profile dbus-session flags=(attach_disconnected) {
   signal (send) set=(term hup kill) peer=dconf-service,
   signal (send) set=(term hup kill) peer=xdg-*,
-  #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus}
+  #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}}
   dbus receive bus=session path=/org/freedesktop/DBus
   interface=org.freedesktop.DBus
   member=Hello
From 161078ed900493f028e06ffc7efc3c5f816374d6 Mon Sep 17 00:00:00 2001
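Review bot: The rewritten `path=` argument in the dbus-session hunk spells out `{dBus,DBus,dbus}` where the old line used a nested `{d,D}Bus` group, and the commit message only says the rule was malformed; the reason nested alternation apparently cannot be used inside a `#aa:dbus` directive argument is not recorded anywhere, so the next reader may well fold it back into the shorter form. A trailing comment on the directive line, e.g. `# no nested {} in directive args`, would keep the workaround from being reverted. The hunk also introduces an all-lowercase `dbus` variant that the old pattern did not match; if that third spelling is really observed on the bus, a word in the same comment would explain it, and if not, dropping it keeps the path set as tight as before.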
From: Alexandre Pujol Date: Sat, 1 Mar 2025 13:18:19 +0100 Subject: [PATCH 098/672] tests: move common cloud-init config to a unified file, rename some base distribution. --- .../cloud-init/archlinux-cosmic.user-data.yml | 15 -------- .../cloud-init/archlinux-gnome.user-data.yml | 15 -------- tests/cloud-init/archlinux-kde.user-data.yml | 15 -------- .../cloud-init/archlinux-server.user-data.yml | 15 -------- tests/cloud-init/archlinux-xfce.user-data.yml | 15 -------- tests/cloud-init/common.yml | 17 +++++++++ ...-data.yml => debian12-gnome.user-data.yml} | 15 -------- ...er-data.yml => debian12-kde.user-data.yml} | 15 -------- ...data.yml => debian12-server.user-data.yml} | 15 -------- tests/cloud-init/opensuse-gnome.user-data.yml | 15 -------- tests/cloud-init/opensuse-kde.user-data.yml | 15 -------- .../cloud-init/opensuse-server.user-data.yml | 36 +++++++++++++++++++ .../cloud-init/ubuntu22-desktop.user-data.yml | 15 -------- .../cloud-init/ubuntu24-desktop.user-data.yml | 17 --------- .../cloud-init/ubuntu24-server.user-data.yml | 15 -------- 15 files changed, 53 insertions(+), 197 deletions(-) create mode 100644 tests/cloud-init/common.yml rename tests/cloud-init/{debian-gnome.user-data.yml => debian12-gnome.user-data.yml} (74%) rename tests/cloud-init/{debian-kde.user-data.yml => debian12-kde.user-data.yml} (68%) rename tests/cloud-init/{debian-server.user-data.yml => debian12-server.user-data.yml} (73%) create mode 100644 tests/cloud-init/opensuse-server.user-data.yml diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index d95381b96..70d446076 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml 
@@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index a2a3d78b8..1fa1c9c1d 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index eea5df046..5953eab2e 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml index 4a7f17374..e0edaca16 100644 --- a/tests/cloud-init/archlinux-server.user-data.yml +++ b/tests/cloud-init/archlinux-server.user-data.yml 
@@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 07d87364b..e9f4a78a6 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml new file mode 100644 index 000000000..ac619c879 --- /dev/null +++ b/tests/cloud-init/common.yml @@ -0,0 +1,17 @@ +#cloud-config + +hostname: ${hostname} + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false diff --git a/tests/cloud-init/debian-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml similarity index 74% rename from tests/cloud-init/debian-gnome.user-data.yml rename to tests/cloud-init/debian12-gnome.user-data.yml index 1c48eb2e9..5ce6cedf5 100644 --- a/tests/cloud-init/debian-gnome.user-data.yml +++ b/tests/cloud-init/debian12-gnome.user-data.yml 
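Review bot: Nothing in the new `tests/cloud-init/common.yml` or in the per-image files it is carved out of shows how the two are combined; as far as I can tell cloud-init does not merge a sibling file on its own, so the join must happen in the test harness outside this diff. A header comment in the file stating that dependency, e.g. `# Shared user-data merged into every *.user-data.yml by the test harness`, would stop someone from treating it as standalone config or from adding a `#cloud-config` file that silently never applies. The account settings it centralises (`ssh_pwauth: true`, `plain_text_passwd`, `sudo: ALL=(ALL) NOPASSWD:ALL`) now reach every test image from one place, which is the point of the change but also means a single edit here alters all of them, so the comment should say that too.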
@@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - auditd diff --git a/tests/cloud-init/debian-kde.user-data.yml b/tests/cloud-init/debian12-kde.user-data.yml similarity index 68% rename from tests/cloud-init/debian-kde.user-data.yml rename to tests/cloud-init/debian12-kde.user-data.yml index e644414fa..451068db1 100644 --- a/tests/cloud-init/debian-kde.user-data.yml +++ b/tests/cloud-init/debian12-kde.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - auditd diff --git a/tests/cloud-init/debian-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml similarity index 73% rename from tests/cloud-init/debian-server.user-data.yml rename to tests/cloud-init/debian12-server.user-data.yml index 47e4d832d..aef29f579 100644 --- a/tests/cloud-init/debian-server.user-data.yml +++ b/tests/cloud-init/debian12-server.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - auditd diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 5e5b197bc..406b4445d 100644 
--- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - bash-completion diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 5e5b197bc..406b4445d 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - bash-completion diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml new file mode 100644 index 000000000..7699fb074 --- /dev/null +++ b/tests/cloud-init/opensuse-server.user-data.yml @@ -0,0 +1,36 @@ +#cloud-config + +packages: + - apparmor-profiles + - bash-completion + - distribution-release + - git + - go + - golang-packaging + - htop + - make + - rpmbuild + - rsync + - vim + +write_files: + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 
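Review bot: The `write_files` entry for `/etc/fstab` in the new opensuse-server file hard-codes the virtiofs tag `0a31bc478ef8e2461a4b1cc10a24cc4` and the mount point `/home/user/Projects/apparmor.d`, while every other value in these images is templated (`${hostname}`, `${username}`); the mount point will only line up with the account created by common.yml when `${username}` is literally `user`. If the tag and path are provisioning inputs, templating them (a placeholder such as `${share_tag}` and `/home/${username}/Projects/apparmor.d`) keeps the file consistent with its siblings; if they are deliberately fixed to one host setup, a comment on the entry saying so would help. The `[DHCPv4] RouteMetric=10` block is fine, but a note on why a custom network unit is needed on this image and not the others would be useful.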
diff --git a/tests/cloud-init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu22-desktop.user-data.yml index 75dc6349d..5f4dc69f5 100644 --- a/tests/cloud-init/ubuntu22-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu22-desktop.user-data.yml @@ -2,21 +2,6 @@ # Based on https://github.com/canonical/autoinstall-desktop -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - build-essential diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index 9f7225367..7a71b0afe 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -2,23 +2,6 @@ # Based on https://github.com/canonical/autoinstall-desktop -# https://github.com/canonical/ubuntu-desktop-provision/blob/main/README.md - -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - build-essential diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml index 96318214c..8e9c7bd38 100644 --- a/tests/cloud-init/ubuntu24-server.user-data.yml +++ b/tests/cloud-init/ubuntu24-server.user-data.yml 
@@ -1,20 +1,5 @@
 #cloud-config
-hostname: ${hostname}
-
-ssh_pwauth: true
-users:
-  - name: ${username}
-    plain_text_passwd: ${password}
-    shell: /bin/bash
-    ssh_authorized_keys:
-      - ${ssh_key}
-    lock_passwd: false
-    sudo: ALL=(ALL) NOPASSWD:ALL
-
-package_update: true
-package_upgrade: true
-package_reboot_if_required: false
 packages:
   - apparmor-profiles
   - auditd
From d8d4ec11a611c153bae2f68aec69a7aa02c64298 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 14:20:35 +0100 Subject: [PATCH 099/672] feat(profile): systemd-networkd: update cap. --- apparmor.d/groups/systemd/systemd-networkd | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 619ca9dbb..20b396a72 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -14,10 +14,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
   include
   include
+  capability bpf,
   capability net_admin,
   capability net_bind_service,
   capability net_broadcast,
   capability net_raw,
+  capability sys_admin,
   network inet dgram,
   network inet6 dgram,
@@ -61,12 +63,14 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/n@{int} r,
+  @{sys}/devices/@{pci}/ r,
   @{sys}/devices/@{pci}/rfkill@{int}/* r,
   @{sys}/devices/**/net/** r,
-  @{sys}/devices/@{pci}/ r,
   @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/product_version r,
+  @{sys}/fs/cgroup/ r,
+  @{sys}/kernel/btf/vmlinux r,
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/pressure/* r,
From 835b73f64e72e8c81542ea4f9ea937cbf54b0b0a Mon Sep 17 00:00:00 2001
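Review bot: `capability sys_admin,` is added to the systemd-networkd profile without a comment; it lands next to the new `capability bpf,` and the `@{sys}/kernel/btf/vmlinux r,` rule, so presumably it serves the same BPF setup path and is there for kernels where `CAP_BPF` alone is not honoured, but nothing in the hunk says so. Since sys_admin is by far the broadest grant in this capability list, the reason should sit on the line so that a later audit can tell whether it is still needed, e.g. `capability sys_admin, # bpf: needed where CAP_BPF is not sufficient -- TODO confirm against the denial`, replaced by the exact trigger once known. The same applies, in a smaller way, to `@{sys}/fs/cgroup/ r,`, which has no obvious tie to the rest of the hunk. The profile's rule list continues outside both hunks.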
From: Alexandre Pujol Date: Sat, 1 Mar 2025 14:27:55 +0100 Subject: [PATCH 100/672] build: prepare apparmor 4.1 Split upstreamed and non-upstreamed tunables so that it is easy to ignore the upstreamed version on apparmor 4.1. --- apparmor.d/tunables/multiarch.d/base | 93 ++++++++++++++++++++++++++ apparmor.d/tunables/multiarch.d/system | 92 ------------------------- 2 files changed, 93 insertions(+), 92 deletions(-) create mode 100644 apparmor.d/tunables/multiarch.d/base diff --git a/apparmor.d/tunables/multiarch.d/base b/apparmor.d/tunables/multiarch.d/base new file mode 100644 index 000000000..9661b1e51 --- /dev/null +++ b/apparmor.d/tunables/multiarch.d/base 
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Base variables, upstreamed in apparmor 4.1 + +# Any digit +@{d}=[0-9] + +# Any letter +@{l}=[a-zA-Z] + +# Single alphanumeric character +@{c}=[0-9a-zA-Z] + +# Word character: matches any letter, digit or underscore. +@{w}=[a-zA-Z0-9_] + +# Single hexadecimal character +@{h}=[0-9a-fA-F] + +# Integer up to 10 digits (0-9999999999) +@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} + +# hexadecimal, alphanumeric and word up to 64 characters +@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} +@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} +@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} + +# Unsigned 
integer over 8 bits (0...255) +@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] + +# Unsigned integer over 16 bits (0...65,535 5 digits) +@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} + +# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) +@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). +@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Any x digits characters +@{int2}=@{d}@{d} +@{int4}=@{int2}@{int2} +@{int6}=@{int4}@{int2} +@{int8}=@{int4}@{int4} +@{int9}=@{int8}@{d} +@{int10}=@{int8}@{int2} +@{int12}=@{int8}@{int4} +@{int15}=@{int8}@{int4}@{int2}@{d} +@{int16}=@{int8}@{int8} +@{int32}=@{int16}@{int16} +@{int64}=@{int32}@{int32} + +# Any x hexadecimal characters +@{hex2}=@{h}@{h} +@{hex4}=@{hex2}@{hex2} +@{hex6}=@{hex4}@{hex2} +@{hex8}=@{hex4}@{hex4} +@{hex9}=@{hex8}@{h} +@{hex10}=@{hex8}@{hex2} +@{hex12}=@{hex8}@{hex4} 
+@{hex15}=@{hex8}@{hex4}@{hex2}@{h} +@{hex16}=@{hex8}@{hex8} +@{hex32}=@{hex16}@{hex16} +@{hex38}=@{hex32}@{hex6} +@{hex64}=@{hex32}@{hex32} + +# Any x alphanumeric characters +@{rand2}=@{c}@{c} +@{rand4}=@{rand2}@{rand2} +@{rand6}=@{rand4}@{rand2} +@{rand8}=@{rand4}@{rand4} +@{rand9}=@{rand8}@{c} +@{rand10}=@{rand8}@{rand2} +@{rand12}=@{rand8}@{rand4} +@{rand15}=@{rand8}@{rand4}@{rand2}@{c} +@{rand16}=@{rand8}@{rand8} +@{rand32}=@{rand16}@{rand16} +@{rand64}=@{rand32}@{rand32} + +# Any x word characters +@{word2}=@{w}@{w} +@{word4}=@{word2}@{word2} +@{word6}=@{word4}@{word2} +@{word8}=@{word4}@{word4} +@{word9}=@{word8}@{w} +@{word10}=@{word8}@{word2} +@{word12}=@{word8}@{word4} +@{word15}=@{word8}@{word4}@{word2}@{w} +@{word16}=@{word8}@{word8} +@{word32}=@{word16}@{word16} +@{word64}=@{word32}@{word32} diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 4e8b1bc11..a2f99a2ec 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
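Review bot: `@{u16}` in the new `base` file carries a stray `[`: its third alternative reads `[1-9][@{d}@{d}` where the neighbouring branches call for `[1-9]@{d}@{d}`, so the variable either fails to parse or matches something other than a three-digit number; the line should be `+@{u16}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}}`. The comments on `@{u16}` and `@{u32}` also overstate the bound, since `[1-6]@{d}@{d}@{d}@{d}` admits 65536–69999 and `[1-4]` followed by nine digits admits values above 4,294,967,295; adding `(approximation)` to those comments would set expectations for anyone relying on the range. As this block was moved out of `system` by the same commit, it is worth checking whether the stray bracket was carried over from there and fixing the source copy wherever it is still consumed.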
@@ -2,98 +2,6 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Base variables -# -------------- - -# Any digit -@{d}=[0-9] - -# Any letter -@{l}=[a-zA-Z] - -# Single alphanumeric character -@{c}=[0-9a-zA-Z] - -# Word character: matches any letter, digit or underscore. -@{w}=[a-zA-Z0-9_] - -# Single hexadecimal character -@{h}=[0-9a-fA-F] - -# Integer up to 10 digits (0-9999999999) -@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} - -# hexadecimal, alphanumeric and word up to 64 characters -@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} -@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} -@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} - -# Unsigned integer over 8 bits (0...255) -@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 
2[0-4][0-9] 25[0-5] - -# Unsigned integer over 16 bits (0...65,535 5 digits) -@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} - -# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) -@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). -@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Any x digits characters -@{int2}=@{d}@{d} -@{int4}=@{int2}@{int2} -@{int6}=@{int4}@{int2} -@{int8}=@{int4}@{int4} -@{int9}=@{int8}@{d} -@{int10}=@{int8}@{int2} -@{int12}=@{int8}@{int4} -@{int15}=@{int8}@{int4}@{int2}@{d} -@{int16}=@{int8}@{int8} -@{int32}=@{int16}@{int16} -@{int64}=@{int32}@{int32} - -# Any x hexadecimal characters -@{hex2}=@{h}@{h} -@{hex4}=@{hex2}@{hex2} -@{hex6}=@{hex4}@{hex2} -@{hex8}=@{hex4}@{hex4} -@{hex9}=@{hex8}@{h} -@{hex10}=@{hex8}@{hex2} -@{hex12}=@{hex8}@{hex4} -@{hex15}=@{hex8}@{hex4}@{hex2}@{h} -@{hex16}=@{hex8}@{hex8} 
-@{hex32}=@{hex16}@{hex16} -@{hex38}=@{hex32}@{hex6} -@{hex64}=@{hex32}@{hex32} - -# Any x alphanumeric characters -@{rand2}=@{c}@{c} -@{rand4}=@{rand2}@{rand2} -@{rand6}=@{rand4}@{rand2} -@{rand8}=@{rand4}@{rand4} -@{rand9}=@{rand8}@{c} -@{rand10}=@{rand8}@{rand2} -@{rand12}=@{rand8}@{rand4} -@{rand15}=@{rand8}@{rand4}@{rand2}@{c} -@{rand16}=@{rand8}@{rand8} -@{rand32}=@{rand16}@{rand16} -@{rand64}=@{rand32}@{rand32} - -# Any x word characters -@{word2}=@{w}@{w} -@{word4}=@{word2}@{word2} -@{word6}=@{word4}@{word2} -@{word8}=@{word4}@{word4} -@{word9}=@{word8}@{w} -@{word10}=@{word8}@{word2} -@{word12}=@{word8}@{word4} -@{word15}=@{word8}@{word4}@{word2}@{w} -@{word16}=@{word8}@{word8} -@{word32}=@{word16}@{word16} -@{word64}=@{word32}@{word32} - - # System Paths # ------------ From fa6c37a7ab1cdbe94340ee50d857552c5415effd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 16:04:18 +0100 Subject: [PATCH 101/672] doc: update integration tests section. --- docs/development/integration.md | 136 +++----------------------------- docs/development/internal.md | 10 ++- docs/development/tests.md | 38 +++++++-- docs/development/vm.md | 112 ++++++++++++++++++++++++++ mkdocs.yml | 1 + 5 files changed, 161 insertions(+), 136 deletions(-) create mode 100644 docs/development/vm.md diff --git a/docs/development/integration.md b/docs/development/integration.md index 15f939cdd..de60c8c47 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md 
@@ -2,147 +2,33 @@ title: Integration Tests --- -!!! danger "Work in Progress" - The purpose of integration testing in apparmor.d is to ensure the profiles are not going to break programs found in Linux distributions and Desktop Environment that we support. +Although the integration test suite is intended to be run in a [Development VM](vm.md), it is also deployed the GitHub Action pipeline. + **Workflow** 1. Create a testing VM -2. Start the VM, do some dev -3. Run the integration tests against the testing VM -4. Ensure no new logs have been raised +2. Run the integration tests against the testing VM +3. Ensure no new logs have been raised - -## Test Virtual Machines - -The test VMs are built using [`cloud-init`][cloud-init] (when available), [`packer`][packer], and [`vagrant`][vagrant] on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. - -[cloud-init]: https://cloud-init.io/ -[packer]: https://www.packer.io/ -[vagrant]: https://www.vagrantup.com/ - -### Requirements - -* docker -* [packer] -* [vagrant] -* vagrant plugin install vagrant-libvirt - -!!! 
note - - You may need to edit some settings to fit your setup: - - - The libvirt configuration in `tests/Vagrantfile` - - The default ssh key and ISO directory in `tests/packer/variables.pkr.hcl` - -### Build - -**Build an image** - -To build a VM image for development purpose, run the following from the `tests` directory: - -| Distribution | Flavor | Build command | VM name | -|:------------:|:------:|:-------------:|:-------:| -| Arch Linux | Gnome | `make archlinux flavor=gnome` | `arch-gnome` | -| Arch Linux | KDE | `make archlinux flavor=kde` | `arch-kde` | -| Debian | Server | `make debian flavor=server` | `debian-server` | -| openSUSE | KDE | `make opensuse flavor=kde` | `opensuse-kde` | -| Ubuntu | Server | `make ubuntu flavor=server` | `ubuntu-server` | -| Ubuntu | Desktop | `make ubuntu flavor=desktop` | `ubuntu-desktop` | - -**VM management** - -The development workflow is done through vagrant: - -* Star a VM: `vagran up ` -* Shutdown a VM: `vagrant halt ` -* Reboot a VM: `vagrant reload ` - -The available VM `name` is defined in the `tests/boxes.yml` file - - -### Develop - -**Credentials** - -The admin user is: `user`, its password is: `user`. It has passwordless sudo access. Automatic login is **not** enabled on DE. The root user is not locked. - -**Directories** - -All the images come pre-configured with the latest version of `apparmor.d` installed and running in the VM. apparmor.d is mounted as `/home/user/Projects/apparmor.d` - -**Usage** - -On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two pre-configured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. - - -## Tests - -!!! 
warning - - The test suite is expected to be run in a [VM](#test-virtual-machines) - -### Getting started +## Getting started Prepare the test environment: ```sh -cd tests -make flavor= -AA_INTEGRATION=true vagrant up +just img +just vm ``` Run the integration tests on the test VM: ```sh -make integration box= IP= +just integration ``` -### Create integration tests +## Create integration tests -**Test suite usage** +All integration tests are written in [Bats](https://github.com/bats-core/bats-core) and are located in the `tests/integration` directory. The initial tests have been generated using [tldr page](https://tldr.sh/) with the following command: -Initialise the tests with: ```sh -./aa-test --bootstrap -``` - -List the tests scenarios to be run -```sh -./aa-test --list -``` - -Start the tests and collect the results -```sh -./aa-test --run -``` - -**Tests manifest** - -A basic set of test is generated on initialization. More tests can be manually written in yaml file. They must have the following structure: - -```yaml -- name: acpi - profiled: true - root: false - require: [] - arguments: {} - tests: - - dsc: Show battery information - cmd: acpi - stdin: [] - - dsc: Show thermal information - cmd: acpi -t - stdin: [] - - dsc: Show cooling device information - cmd: acpi -c - stdin: [] - - dsc: Show thermal information in Fahrenheit - cmd: acpi -tf - stdin: [] - - dsc: Show all information - cmd: acpi -V - stdin: [] - - dsc: Extract information from `/proc` instead of `/sys` - cmd: acpi -p - stdin: [] +go run ./tests/cmd --bootstrap ``` diff --git a/docs/development/internal.md b/docs/development/internal.md index 459f1ad71..c90391b04 100644 --- a/docs/development/internal.md +++ b/docs/development/internal.md 
@@ -157,12 +157,14 @@ It is recommended to transition [in a subprofile](abstractions.md#appsystemctl) All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and [`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile. They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path. -## Re-attached path +## Re-attached path + +**[:material-tag-heart-outline: abi/4.0]("Minimum version")** The flag `attach_disconnect` control how disconnected paths are handled. It determines if pathnames resolved to be outside the namespace are attached to the root (ie. have the `/` character prepended). It is a security issue as it allows disconnected paths to alias to other files that exist in the file name. Therefore, it is only provided to work around problems that can arise with sandboxed programs. -AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provide an important security improvement from AppArmor 3.0. +AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provides an important security improvement from AppArmor 3.0. **`apparmor.d`** uses `attach_disconnect.path` by **default and automatically** on all profiles with the `attach_disconnect` flag. The attached path is set to `@{att}` a new dynamically generated variable set at build time in the preamble of all profile to be: 
@@ -170,7 +172,9 @@ AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this - `@{att}=/` for other profiles -## User Confinement [:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)") +## User Confinement + +[:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Full System Policy only (FSP)") !!! warning "TODO" diff --git a/docs/development/tests.md b/docs/development/tests.md index 7fcdf1555..652907155 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md 
@@ -1,15 +1,37 @@ --- -title: Tests suite +title: Overview --- -A full test suite to ensure compatibility across supported distributions and that software is still considered a work in progress. Here is an overview of the current CI jobs: +Misconfigured AppArmor profiles is one of the most effective ways to break someone's system. This section present the various tests applied to the profiles as well as their current stage of deployment. -**On Gitlab CI** +**Current** -- Packages build for all supported distributions -- Profiles preprocessing verification for all supported distributions -- Go based command linting, coverage, and unit tests +- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `make` + - Build the profiles for all supported distributions. + - All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel. + - Ensure the profile entry point (`@{exec_path}`) is defined. -**On Github Action** +- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `make check` checks basic style of profiles: + - Ensure apparmor.d header & licence + - Ensure 2 spaces indentation + - Ensure local include for profile and subprofiles + - Ensure abi 4 is used + - Ensure modern profile naming + - Ensure `vim:syntax=apparmor` -- Integration test on the ubuntu-latest VM: run a simple list of tasks with all the rules enabled and ensure no new issue has been raised. Github Action is used as it offers direct access to a VM with AppArmor included. +- [x] **[Integration Tests:](integration.md)** `make integration` + - Run simple CLI commands to ensure no logs are raised. + - Uses the [bats](https://github.com/bats-core/bats-core) test system. + - Run in the Github Action as well as in all local [test VM](vm.md). + +**Plan** + +For more complex software suite, more integration tests need to be done. 
The plan is to run existing integration suite from these very software in an environment with `apparmor.d` profiles. + +- [ ] Systemd + - They use mkosi to generate a VM image to run their own integration tests. + - See https://www.codethink.co.uk/articles/2024/systemd-integration-testing-part-1/ + +- [ ] Gnome + - They use openQA to run their integration tests. + - See https://gitlab.gnome.org/GNOME/openqa-tests/ diff --git a/docs/development/vm.md b/docs/development/vm.md new file mode 100644 index 000000000..ead82ed0f --- /dev/null +++ b/docs/development/vm.md 
@@ -0,0 +1,112 @@ +--- +title: Development VM +--- + +To ensure compatibility across distribution, this project ships a wide range of development and tests VM images. + +The test VMs can be built locally using [cloud-init](https://cloud-init.io/), [packer](https://www.packer.io/) on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. +The VMs are fully managed using a [justfile](https://github.com/casey/just) that provide an integration environment helper for `apparmor.d`. + +```sh +$ just +``` + +``` +Integration environment helper for apparmor.d + +Available recipes: + default # Show this help message + package dist # Build the apparmor.d package + img dist flavor # Build the image + vm dist flavor # Create the machine + up dist flavor # Start a machine + halt dist flavor # Stops the machine + destroy dist flavor # Destroy the machine + ssh dist flavor # Connect to the machine + list # List the machines + images # List the machine images + available # List the machine that can be created + integration dist flavor # Run the integration tests on the machine + lint # Run the linters + clean # Remove the machine images + get_ip dist flavor + get_osinfo dist +``` + +## Requirements + +* [docker](https://www.docker.com/) +* [just](https://github.com/casey/just) +* [packer](https://www.packer.io/) +* [libvirt](https://libvirt.org/) +* [qemu](https://www.qemu.org/) + +!!! note + + You may need to edit some settings to fit your setup: + + - The default ssh key and ISO directory in `tests/packer/variables.pkr.hcl` + +## Build + +One can see the available images by running: + +```sh +$ just available +``` + +``` +Distribution Flavor +archlinux gnome +archlinux kde +archlinux server +archlinux xfce +debian12 gnome +debian12 kde +debian12 server +ubuntu24 server +... 
+``` + +A VM image can be build with: + +```sh +$ just img archlinux gnome +``` + +The image will then be showed in the list of images: + +```sh +$ just images +``` + +``` +Distribution Flavor Size Date +archlinux gnome 3.3G Mar 1 14:49 +``` + +The VM can then be created with: + +```sh +$ just vm archlinux gnome +``` + +And connected to with: + +```sh +$ just ssh archlinux gnome +``` + +## Develop + +**Credentials** + +The admin user is: `user`, its password is: `user`. It has passwordless sudo access. Automatic login is **not** enabled on DE. The root user is not locked. + +**Directories** + +All the images come pre-configured with the latest version of `apparmor.d` installed and running in the VM. The apparmor.d project directory is mounted as `/home/user/Projects/apparmor.d` + +**Usage** + +On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two pre-configured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. diff --git a/mkdocs.yml b/mkdocs.yml index ed14108a8..153af0d4e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -165,4 +165,5 @@ nav: - development/build.md - Tests: - development/tests.md + - development/vm.md - development/integration.md From 6d5a522dcb03f3f51ae5e9fe39dead9d1dbde447 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 16:07:10 +0100 Subject: [PATCH 102/672] test(packer): update sources --- tests/packer/init.sh | 5 ++--- tests/packer/src/aa-clean | 4 ++++ tests/packer/src/aa-log-clean | 4 ---- tests/packer/src/aa-update | 2 +- tests/packer/src/monitors.xml | 23 ----------------------- tests/packer/src/parser.conf | 9 +++++++-- 6 files changed, 14 insertions(+), 33 deletions(-) create mode 100644 tests/packer/src/aa-clean delete mode 100644 tests/packer/src/aa-log-clean delete mode 100644 tests/packer/src/monitors.xml 
diff --git a/tests/packer/init.sh b/tests/packer/init.sh index be9529666..4a189d176 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -17,12 +17,11 @@ readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases" - install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc" + install -Dm0644 $SRC/parser.conf /etc/apparmor/parser.conf install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local install -Dm0755 $SRC/aa-update /usr/bin/aa-update - install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean - cat $SRC/parser.conf >>/etc/apparmor/parser.conf + install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" case "$DISTRIBUTION" in diff --git a/tests/packer/src/aa-clean b/tests/packer/src/aa-clean new file mode 100644 index 000000000..a01b9d77e --- /dev/null +++ b/tests/packer/src/aa-clean @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -eu -o pipefail +rm -vf /var/log/audit/* /var/log/syslog* +touch /var/log/audit/audit.log /var/log/syslog diff --git a/tests/packer/src/aa-log-clean b/tests/packer/src/aa-log-clean deleted file mode 100644 index 9f3ebd818..000000000 --- a/tests/packer/src/aa-log-clean +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/env bash -set -eu -rm -rf /var/log/audit/* -touch /var/log/audit/audit.log diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index 9a326305d..48267d2f0 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -eu +set -eu -o pipefail export BUILDDIR=/tmp/build/ 
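Review bot: In `aa-clean`, recreating the logs with `touch` leaves `/var/log/audit/audit.log` with the umask default (0644 under root's usual 022), whereas auditd normally keeps that file root-only (0600, or 0640 with `log_group`), so the audit trail on the VM becomes readable by every local user until auditd next rotates it. Deleting the files while auditd and rsyslog are running also does not clear what they write next: each daemon keeps its descriptor on the unlinked inode, so the freshly created files stay empty and `aa-log` sees nothing until the daemons reopen them. I would create the files with explicit modes and make the daemons reopen, e.g. `install -m0600 /dev/null /var/log/audit/audit.log`, `install -m0640 /dev/null /var/log/syslog`, `systemctl kill -s USR1 auditd.service || true; systemctl kill -s HUP rsyslog.service || true` (USR1 is auditd's log-rotate signal, HUP makes rsyslog reopen its outputs; the `|| true` keeps `set -e` from aborting on images without those units). On journald-only images such as Arch the syslog lines merely create a stray empty file, which is harmless but could be skipped when `/var/log/syslog` did not exist before.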
diff --git a/tests/packer/src/monitors.xml b/tests/packer/src/monitors.xml deleted file mode 100644 index b17136584..000000000 --- a/tests/packer/src/monitors.xml +++ /dev/null @@ -1,23 +0,0 @@ - - - - 0 - 0 - 1 - yes - - - Virtual-1 - RHT - QEMU Monitor - 0x00000000 - - - 1920 - 1080 - 60 - - - - - diff --git a/tests/packer/src/parser.conf b/tests/packer/src/parser.conf index be8c42560..8651efad1 100644 --- a/tests/packer/src/parser.conf +++ b/tests/packer/src/parser.conf @@ -1,4 +1,9 @@ - +# Turn creating/updating of the cache on by default write-cache -cache-loc /etc/apparmor/earlypolicy/ + +# Enable early policy loads to confine systemd, and services that can not depend +# on the apparmor unit. +cache-loc=/etc/apparmor/earlypolicy/ + +# Adjust compression Optimize=compress-fast From 0b029ec42f55946c13f2a360b21cbf7f6dc5d518 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 16:10:09 +0100 Subject: [PATCH 103/672] tests(packer): rewrite the way to build the tests images. --- tests/packer/archlinux.pkr.hcl | 39 ----------------- tests/packer/builds.pkr.hcl | 65 +++++++++++++++++++++------- tests/packer/clean.sh | 7 ---- tests/packer/debian.pkr.hcl | 40 ------------------ tests/packer/init.sh | 10 +++-- tests/packer/main.pkr.hcl | 4 -- tests/packer/opensuse.pkr.hcl | 42 ------------------- tests/packer/ubuntu.pkr.hcl | 77 ---------------------------------- tests/packer/variables.pkr.hcl | 68 ++++++++++++++++++------------ 9 files changed, 98 insertions(+), 254 deletions(-) delete mode 100644 tests/packer/archlinux.pkr.hcl delete mode 100644 tests/packer/debian.pkr.hcl delete mode 100644 tests/packer/opensuse.pkr.hcl delete mode 100644 tests/packer/ubuntu.pkr.hcl diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl deleted file mode 100644 index 06f2ad3a7..000000000 --- a/tests/packer/archlinux.pkr.hcl +++ /dev/null 
@@ -1,39 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-source "qemu" "archlinux" {
- disk_image = true
- iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2"
- iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256"
- iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img"
- cpu_model = "host"
- cpus = var.cpus
- memory = var.ram
- disk_size = var.disk_size
- accelerator = "kvm"
- headless = true
- ssh_username = var.username
- ssh_password = var.password
- ssh_port = 22
- ssh_wait_timeout = "1000s"
- disk_compression = true
- disk_detect_zeroes = "unmap"
- disk_discard = "unmap"
- output_directory = var.output
- vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2"
- boot_wait = "10s"
- shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now"
- cd_label = "cidata"
- cd_content = {
- "meta-data" = ""
- "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml",
- {
- username = "${var.username}"
- password = "${var.password}"
- ssh_key = file("${var.ssh_publickey}")
- hostname = "${var.prefix}${source.name}-${var.flavor}"
- }
- )
- }
-}
diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl
index 7071c3983..151df236e 100644
--- a/tests/packer/builds.pkr.hcl
+++ b/tests/packer/builds.pkr.hcl
@@ -2,24 +2,63 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +locals { + name = "${var.prefix}${var.dist}-${var.flavor}" +} + +source "qemu" "default" { + disk_image = true + iso_url = var.DM[var.dist].img_url + iso_checksum = "file:${var.DM[var.dist].img_checksum}" + iso_target_path = pathexpand("${var.iso_dir}/${basename("${var.DM[var.dist].img_url}")}") + cpu_model = "host" + cpus = var.cpus + memory = var.ram + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = pathexpand(var.output) + vm_name = "${local.name}.qcow2" + boot_wait = "10s" + firmware = pathexpand(var.firmware) + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = format("%s\n%s", + templatefile("${path.cwd}/tests/cloud-init/common.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${local.name}" + } + ), + file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") + ) + } +} + build { sources = [ - "source.qemu.archlinux", - "source.qemu.debian", - "source.qemu.fedora", - "source.qemu.opensuse", - "source.qemu.ubuntu22", - "source.qemu.ubuntu24", + "source.qemu.default", ] # Upload artifacts provisioner "file" { destination = "/tmp/" sources = [ - "${path.cwd}/packer/src/", - "${path.cwd}/packer/init.sh", - "${path.cwd}/packer/clean.sh", - "${path.cwd}/../.pkg/", + "${path.cwd}/tests/packer/src/", + "${path.cwd}/tests/packer/init.sh", + "${path.cwd}/tests/packer/clean.sh", + "${path.cwd}/.pkg/", ] } 
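Review bot: The user-data handed to cloud-init is the plain concatenation of `tests/cloud-init/common.yml` and `<dist>-<flavor>.user-data.yml` (the `format("%s\n%s", …)` in `cd_content`), which is only one valid `#cloud-config` document as long as the two files never define the same top-level key. If both carry, say, `packages:` or `runcmd:`, the YAML loader either rejects the duplicate or silently keeps only one of them depending on its duplicate-key handling, so the templated `users`/`ssh_key` block can be lost without any packer error. I would state the constraint where it bites, at the top of `common.yml`: `# Concatenated with <dist>-<flavor>.user-data.yml by tests/packer/builds.pkr.hcl: keys defined here must not be repeated there.` A `---` document marker at the start of the per-distribution file would likewise turn the result into a multi-document stream that a single-document loader rejects, so validating the merged file in the provisioner (`cloud-init schema --config-file`, where cloud-init is available) is worth the extra step.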
@@ -44,13 +83,9 @@ build { ] } - post-processor "vagrant" { - output = "${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" - } - post-processor "shell-local" { inline = [ - "vagrant box add --force --name ${var.prefix}${source.name}-${var.flavor} ${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" + "mv ${var.output}/${local.name}.qcow2 ${var.base_dir}/${local.name}.qcow2", ] } diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index 8459421a1..b7650a1d5 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -56,9 +56,6 @@ clean_apt() { clean_pacman() { _msg "Cleaning pacman cache" pacman -Syu --noconfirm - pacman -Qdtq | while IFS='' read -r pkg; do - pacman -Rsccn --noconfirm "$pkg" - done pacman -Scc --noconfirm } @@ -136,10 +133,6 @@ trim() { truncate --size=0 /swap/swapfile fi - # _msg "Fill root filesystem with 0 to reduce box size" - # dd if=/dev/zero of=/EMPTY bs=1M || true - # rm -f /EMPTY - # Block until the empty file has been removed, otherwise, Packer will # try to kill the box while the disk is still full and that is bad. sync diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl deleted file mode 100644 index 12d4a513c..000000000 --- a/tests/packer/debian.pkr.hcl +++ /dev/null 
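Review bot: The `mv` in the replacement `shell-local` post-processor uses `${var.output}` raw, while `output_directory` in the source block passes the same variable through `pathexpand()`, so the two can disagree when the variable contains `~` (the shell expands an unquoted leading `~`, but not one inside quotes), and neither operand is quoted against spaces. I would expand and quote both: `"mv '${pathexpand(var.output)}/${local.name}.qcow2' '${pathexpand(var.base_dir)}/${local.name}.qcow2'",`. Whether `var.base_dir` is already expanded in `variables.pkr.hcl` is outside this hunk; if it is, the second `pathexpand` is harmless.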
@@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "debian" { - disk_image = true - iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-${var.release.debian.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 4a189d176..4e4e1ec99 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -26,6 +26,7 @@ main() { case "$DISTRIBUTION" in arch) + rm -f $SRC/*.sig # Ignore signature files pacman --noconfirm -U $SRC/*.pkg.tar.zst ;; 
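Review bot: Deleting `$SRC/*.sig` before `pacman -U` switches off signature verification for the package being installed (pacman checks a detached `.sig` lying next to a local package under the default `LocalFileSigLevel = Optional`, and fails when the signing key is not in the VM keyring), and the comment `# Ignore signature files` does not say that this is deliberate or why. Since the package is the project's own build uploaded from `.pkg/` by the file provisioner, I would make the intent explicit: `# Locally built package uploaded from .pkg/: its detached .sig comes from the developer's key, which is not in the VM's pacman keyring, so drop it rather than let pacman -U fail verification`. Importing the key with `pacman-key` would keep verification but adds a dependency on the developer's key being present on the build host. `main` starts and ends outside the hunk.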
@@ -40,9 +41,12 @@ main() { esac - rm -rf /var/cache/apparmor/* - rm -rf /etc/apparmor/earlypolicy/ - systemctl reload apparmor.service + verb="start" + rm -rf /var/cache/apparmor/* || true + if systemctl is-active -q apparmor; then + verb="reload" + fi + systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service } main "$@" diff --git a/tests/packer/main.pkr.hcl b/tests/packer/main.pkr.hcl index ee13e8f92..d2b1a6dbf 100644 --- a/tests/packer/main.pkr.hcl +++ b/tests/packer/main.pkr.hcl @@ -8,9 +8,5 @@ packer { source = "github.com/hashicorp/qemu" version = "~> 1" } - vagrant = { - source = "github.com/hashicorp/vagrant" - version = "~> 1" - } } } diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl deleted file mode 100644 index 46cf4af29..000000000 --- a/tests/packer/opensuse.pkr.hcl +++ /dev/null 
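Review bot: `systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service` masks a failed policy load: when systemctl fails, journalctl runs and exits 0, and as the last command of `main` it makes the whole provisioner step succeed, so packer ships an image whose AppArmor policy never loaded. I would keep the diagnostic but propagate the failure: `systemctl "$verb" apparmor.service || { journalctl -xeu apparmor.service; exit 1; }`. The hunk also drops the previous `rm -rf /etc/apparmor/earlypolicy/`; with `parser.conf` in this series pointing `cache-loc` at that directory, a cache inherited from the base image is no longer cleared here, which may be intended (the parser revalidates its cache) but deserves a one-line comment. `main` starts outside the hunk.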
@@ -1,42 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# TODO: Fully automate the creation of the base image
-
-source "qemu" "opensuse" {
- disk_image = true
- iso_url = "${var.base_dir}/base-tumbleweed-gnome.qcow2"
- iso_checksum = "sha256:223ed62160ef4f1a4f21b69c574f552a07eee6ef66cf66eef2b49c5a7c4864f4"
- iso_target_path = "${var.base_dir}/base-tumbleweed-gnome.qcow2"
- cpu_model = "host"
- cpus = var.cpus
- memory = var.ram
- disk_size = var.disk_size
- accelerator = "kvm"
- headless = false
- ssh_username = var.username
- ssh_password = var.password
- ssh_port = 22
- ssh_wait_timeout = "1000s"
- disk_compression = true
- disk_detect_zeroes = "unmap"
- disk_discard = "unmap"
- output_directory = var.output
- vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2"
- boot_wait = "10s"
- firmware = var.firmware
- shutdown_command = "echo ${var.password} | sudo shutdown -hP now"
- cd_label = "cidata"
- cd_content = {
- "meta-data" = ""
- "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml",
- {
- username = "${var.username}"
- password = "${var.password}"
- ssh_key = file("${var.ssh_publickey}")
- hostname = "${var.prefix}${source.name}"
- }
- )
- }
-}
diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl
deleted file mode 100644
index 3689882ad..000000000
--- a/tests/packer/ubuntu.pkr.hcl
+++ /dev/null
@@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "ubuntu22" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/${var.release.ubuntu22.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu22.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu24" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 
- ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 0361698d6..de83ac659 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -16,12 +16,6 @@ variable "password" { default = "user" } -variable "ssh_publickey" { - description = "Path to the ssh public key" - type = string - default = "~/.ssh/id_ed25519.pub" -} - variable "cpus" { description = "Default CPU of the VM" type = string @@ -40,22 +34,28 @@ variable "disk_size" { default = "40G" } +variable "ssh_publickey" { + description = "Path to the ssh public key" + type = string + default = "~/.ssh/id_ed25519.pub" +} + variable "iso_dir" { description = "Original ISO file directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/iso" } variable "base_dir" { description = "Final packer image output directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/base" } variable "firmware" { description = "Path to the UEFI firmware" type = string - default = "/usr/share/edk2/x64/OVMF_CODE.fd" + default = "/usr/share/edk2/x64/OVMF.4m.fd" } variable "output" { 
@@ -70,38 +70,52 @@ variable "prefix" { default = "aa-" } +variable "dist" { + description = "Distribution to target" + type = string + default = "ubuntu24" +} + variable "flavor" { description = "Distribution flavor to use (server, desktop, gnome, kde...)" type = string default = "" } -variable "release" { - description = "Distribution metadata to use" +variable "DM" { + description = "Distribution Metadata to use" type = map(object({ - codename = string - version = string + img_url = string + img_checksum = string })) default = { + "archlinux" : { + img_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" + img_checksum = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" + }, + "debian12" : { + img_url = "https://cdimage.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" + } + "debian13" : { + img_url = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/debian-13-genericcloud-amd64-daily.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/SHA512SUMS" + } "ubuntu22" : { - codename = "jammy", - version = "22.04.2", + img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS" }, "ubuntu24" : { - codename = "noble", - version = "24.04", + img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS" + }, + "ubuntu25" : { + img_url = "https://cloud-images.ubuntu.com/plucky/current/plucky-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/plucky/current/SHA256SUMS" }, - "debian" : { - codename = "bookworm", - version = "12", - } "opensuse" : { - codename = "tumbleweed", - version = "", - } - "fedora" : { - codename 
= "40", - version = "1.14", + img_url = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2" + img_checksum = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2.sha256" } } } From 1392b078ab9348d35cd6073761694ef574bd06d1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 16:15:55 +0100 Subject: [PATCH 104/672] tests: add Justile, used as integration environment helper. --- Justfile | 162 ++++++++++++++++++++++++++++++++++++++++++++++ tests/Makefile | 27 -------- tests/Vagrantfile | 62 ------------------ tests/boxes.yml | 51 --------------- 4 files changed, 162 insertions(+), 140 deletions(-) create mode 100644 Justfile delete mode 100644 tests/Makefile delete mode 100644 tests/Vagrantfile delete mode 100644 tests/boxes.yml diff --git a/Justfile b/Justfile new file mode 100644 index 000000000..7b39fb8a6 --- /dev/null +++ b/Justfile 
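Review bot: Every `img_checksum` in the new `DM` map is fetched from the same host as its `img_url`, so the checksum verifies download integrity only, not the authenticity of the image; nothing in the hunk says so, and the `description` is the natural place to record it, e.g. `description = "Distribution metadata (img_checksum comes from the same origin as img_url: integrity check only)"`. The `debian13` entry points at `daily/latest`, so the image content changes between runs and a failing integration run cannot be tied to a profile change; a comment stating that this is deliberate until trixie is released would help. Stylistically, the map mixes entries with and without a trailing comma (`archlinux` and `ubuntu22` have one, `debian12`/`debian13` do not); HCL accepts both, but picking one form makes later additions mechanical. The hunk starts in L266 and the `variable "DM"` block is visible in full.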
@@ -0,0 +1,162 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Integration environment for apparmor.d +# +# Usage: +# just +# just img ubuntu24 server +# just vm ubuntu24 server +# just up ubuntu24 server +# just ssh ubuntu24 server +# just halt ubuntu24 server +# just destroy ubuntu24 server +# just list +# just images +# just available +# just clean + +base_dir := home_dir() / ".libvirt/base" +vm := home_dir() / ".vm" +output := base_dir / "packer" +disk_size := "15G" +prefix := "aa-" +c := "--connect=qemu:///system" +sshopt := "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" + +[doc('Show this help message')] +default: + @echo -e "Integration environment helper for apparmor.d\n" + @just --list --unsorted + @echo -e "\nSee https://apparmor.pujol.io/development/vm/ for more information." + +[doc('Build the apparmor.d package')] +package dist: + #!/usr/bin/env bash + set -eu -o pipefail + dist="{{dist}}" + [[ $dist =~ ubuntu* ]] && dist=ubuntu + [[ $dist =~ debian* ]] && dist=debian + make package dist=$dist + +[doc('Build the image')] +img dist flavor: (package dist) + @mkdir -p {{base_dir}} + packer build -force \ + -var dist={{dist}} \ + -var flavor={{flavor}} \ + -var disk_size={{disk_size}} \ + -var prefix={{prefix}} \ + -var base_dir={{base_dir}} \ + -var output={{output}} \ + tests/packer/ + +[doc('Create the machine')] +vm dist flavor: + @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + virt-install {{c}} \ + --import \ + --name {{prefix}}{{dist}}-{{flavor}} \ + --vcpus 6 \ + --ram 4096 \ + --machine q35 \ + --boot uefi \ + --memorybacking source.type=memfd,access.mode=shared \ + --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ + --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ + --os-variant "`just get_osinfo {{dist}}`" \ + 
--graphics spice \ + --audio id=1,type=spice \ + --sound model=ich9 \ + --noautoconsole + +[doc('Start a machine')] +up dist flavor: + @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} + +[doc('Stops the machine')] +halt dist flavor: + @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} + +[doc('Destroy the machine')] +destroy dist flavor: + @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true + @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram + @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + +[doc('Connect to the machine')] +ssh dist flavor: + @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` + +[doc('List the machines')] +list: + @echo -e '\033[1m Id Name State\033[0m' + @virsh {{c}} list --all | grep {{prefix}} + +[doc('List the machine images')] +images: + #!/usr/bin/env bash + set -eu -o pipefail + ls -lh {{base_dir}} | awk ' + BEGIN { + printf("\033[1m%-18s %-10s %-5s %s\033[0m\n", "Distribution", "Flavor", "Size", "Date") + } + { + if ($9 ~ /^{{prefix}}.*\.qcow2$/) { + split($9, arr, "-|\\.") + printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8) + } + } + ' + +[doc('List the machine that can be created')] +available: + #!/usr/bin/env bash + set -eu -o pipefail + ls -lh tests/cloud-init | awk ' + BEGIN { + printf("\033[1m%-18s %s\033[0m\n", "Distribution", "Flavor") + } + { + if ($9 ~ /^.*\.user-data.yml$/) { + split($9, arr, "-|\\.") + printf("%-18s %s\n", arr[1], arr[2]) + } + } + ' + +[doc('Run the integration tests on the machine')] +integration dist flavor: + @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ + cp -rf /home/user/Projects/apparmor.d/tests/integration/ /home/user/Projects + @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ + sudo umount /home/user/Projects/apparmor.d + @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ + @bats --recursive --timing --print-output-on-failure Projects/integration/ + +[doc('Run the linters')] +lint: + @packer fmt packer/ + @packer validate 
--syntax-only packer/ + +[doc('Remove the machine images')] +clean: + @rm -fv {{base_dir}}/{{prefix}}*.qcow2 + +get_ip dist flavor: + @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ + grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' + +get_osinfo dist: + #!/usr/bin/env python3 + osinfo = { + "archlinux": "archlinux", + "debian12": "debian12", + "debian13": "debian13", + "ubuntu22": "ubuntu22.04", + "ubuntu24": "ubuntu24.04", + "ubuntu25": "ubuntu25.04", + "opensuse": "opensusetumbleweed", + } + print(osinfo.get("{{dist}}", "{{dist}}")) diff --git a/tests/Makefile b/tests/Makefile deleted file mode 100644 index 3453ecee8..000000000 --- a/tests/Makefile +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Usage: -# make archlinux flavor=gnome -# vagrant up arch-gnome -# vagrant ssh archl-gnome - -# Build variables -flavor ?= -disk ?= 10G - -BASE = archlinux debian ubuntu22 ubuntu24 opensuse fedora - -.PHONY: ${BASE} lint - -$(BASE): - @make --directory=../ package dist=${@} - @packer build -force \ - -var disk_size=${disk} -var flavor="${flavor}" \ - -only=qemu.${@} packer/ - -lint: - @packer fmt --check packer/ - @packer validate --syntax-only packer/ diff --git a/tests/Vagrantfile b/tests/Vagrantfile deleted file mode 100644 index 4bdaac985..000000000 --- a/tests/Vagrantfile +++ /dev/null 
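Review bot: In the `integration` recipe the last ssh continuation line begins with `@bats ...`; just strips the quiet prefix `@` only at the start of a recipe line, so on a continuation line it appears to be sent verbatim to the remote shell, which then looks for a command named `@bats`. Dropping it gives `bats --recursive --timing --print-output-on-failure Projects/integration/`. Separately, `get_osinfo` splices `{{dist}}` unescaped into a Python string literal, so any argument containing a quote or backslash breaks the script; validating `dist` against the known keys before use (e.g. `[[ $dist =~ ^[a-z0-9]+$ ]]` in the `package` recipe, which already normalises it) keeps the lookup robust. `sshopt` disables host-key verification for every machine, which is reasonable for throwaway local VMs whose keys change on each rebuild, but a one-line comment stating that scope (`# local test VMs only: host keys are regenerated on every image build`) would stop it being copied elsewhere.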
@@ -1,62 +0,0 @@ -# -*- mode: ruby -*- -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -require 'yaml' - -machines = YAML.load_file(File.join(File.dirname(__FILE__), 'boxes.yml')) -default = machines['defaults'] - -Vagrant.require_version '>= 2.0.0' - -Vagrant.configure("2") do |config| - - config.ssh.keys_only = true - config.ssh.insert_key = false - config.ssh.private_key_path = [ '~/.ssh/id_ed25519' ] - config.ssh.username = 'user' - - machines['boxes'].each do |instance| - - # Configure the VMs per details in boxes.yml - config.vm.define instance['name'] do |srv| - srv.vm.box = instance['box'] - srv.vm.box_check_update = false - srv.vm.post_up_message = instance.to_yaml - srv.vm.synced_folder '.', '/vagrant', disabled: true - if !ENV['AA_INTEGRATION'] - srv.vm.synced_folder '../', '/home/user/Projects/apparmor.d', type: 'virtiofs', mount: false - end - - # Configure Libvirt provider - srv.vm.provider 'libvirt' do |libvirt| - libvirt.driver = 'kvm' - libvirt.default_prefix = 'aa-' - libvirt.connect_via_ssh = false - libvirt.storage_pool_name = 'ssd' - libvirt.memory = instance.fetch('ram', default['ram']) - libvirt.cpus = instance.fetch('cpu', default['cpu']) - libvirt.cpu_mode = 'host-passthrough' - libvirt.machine_type = 'q35' - libvirt.video_type = 'virtio' - libvirt.graphics_type = 'spice' - libvirt.sound_type = 'ich9' - libvirt.tpm_model = 'tpm-crb' - libvirt.tpm_type = 'emulator' - libvirt.tpm_version = '2.0' - libvirt.random model: 'random' - libvirt.memorybacking 'source', type: 'memfd' - libvirt.memorybacking 'access', mode: 'shared' - libvirt.channel type: 'unix', target_name: 'org.qemu.guest_agent.0', target_type: 'virtio' - (1..2).each do - libvirt.redirdev :type => "spicevmc" - end - if instance.fetch('uefi', default['uefi']) - libvirt.loader = '/usr/share/edk2/x64/OVMF_CODE.fd' - end - end - - end - end -end 
diff --git a/tests/boxes.yml b/tests/boxes.yml deleted file mode 100644 index 3e15fc304..000000000 --- a/tests/boxes.yml +++ /dev/null @@ -1,51 +0,0 @@ ---- - -defaults: - uefi: true - ram: '3072' - cpu: '6' - -boxes: - - name: arch-gnome - box: aa-archlinux-gnome - uefi: false - - - name: arch-kde - box: aa-archlinux-kde - uefi: false - - - name: arch-xfce - box: aa-archlinux-xfce - uefi: false - - - name: arch-cosmic - box: aa-archlinux-cosmic - uefi: false - - - name: arch-server - box: aa-archlinux-server - uefi: false - - - name: ubuntu22-desktop - box: aa-ubuntu22-desktop - - - name: ubuntu24-desktop - box: aa-ubuntu24-desktop - - - name: ubuntu22-server - box: aa-ubuntu22-server - - - name: ubuntu24-server - box: aa-ubuntu24-server24 - - - name: debian-server - box: aa-debian-server - - - name: debian-gnome - box: aa-debian-gnome - - - name: debian-kde - box: aa-debian-kde - - - name: opensuse-kde - box: aa-opensuse-kde From 4dd78c0087f189a8b678faac9bb4bb1086c85363 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:06:38 +0100 Subject: [PATCH 105/672] tests: improve justfile. --- Justfile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Justfile b/Justfile index 7b39fb8a6..79e2c5fd5 100644 --- a/Justfile +++ b/Justfile @@ -20,7 +20,6 @@ base_dir := home_dir() / ".libvirt/base" vm := home_dir() / ".vm" output := base_dir / "packer" -disk_size := "15G" prefix := "aa-" c := "--connect=qemu:///system" sshopt := "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" @@ -46,7 +45,6 @@ img dist flavor: (package dist) packer build -force \ -var dist={{dist}} \ -var flavor={{flavor}} \ - -var disk_size={{disk_size}} \ -var prefix={{prefix}} \ -var base_dir={{base_dir}} \ -var output={{output}} \ 
@@ -137,8 +135,8 @@ integration dist flavor: [doc('Run the linters')] lint: - @packer fmt packer/ - @packer validate --syntax-only packer/ + @packer fmt tests/packer/ + @packer validate --syntax-only tests/packer/ [doc('Remove the machine images')] clean: @@ -146,6 +144,7 @@ clean: get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ + head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' get_osinfo dist: From 80e85769ce83098c88a64be3e0cbe1ba4b61a718 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:09:19 +0100 Subject: [PATCH 106/672] feat(profile): improve gnome profiles. --- apparmor.d/groups/freedesktop/xorg | 1 + apparmor.d/groups/gnome/deja-dup-monitor | 3 ++- apparmor.d/groups/gnome/gdm-generate-config | 4 ++-- apparmor.d/groups/gnome/gnome-calculator | 2 ++ apparmor.d/groups/gnome/gnome-clocks | 4 ++-- apparmor.d/groups/gnome/gnome-control-center | 2 ++ .../groups/gnome/gnome-extension-gsconnect | 9 ++++++-- apparmor.d/groups/gnome/gnome-initial-setup | 1 + .../groups/gnome/gnome-remote-desktop-daemon | 1 + apparmor.d/groups/gnome/gnome-session-check | 22 +++++++++++++++++++ apparmor.d/groups/gnome/gnome-shell | 3 +++ apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/session-migration | 1 + apparmor.d/groups/gnome/yelp | 2 +- 15 files changed, 49 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/groups/gnome/gnome-session-check diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 90016a8ee..00e277f1f 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
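Review bot: In `get_ip` the added `head -1 | \` truncates before the IPv4 filter, so if the first address line `virsh domifaddr` prints is an IPv6 lease or an interface without an IPv4 address, grep matches nothing and `ssh`/`integration` are handed an empty host. Filtering first and then taking one result keeps the intent of picking a single address: `grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' | head -1`.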
@@ -121,6 +121,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/resource@{int} rw, @{sys}/devices/**/{uevent,name,id,config} r, @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index b7fc6a5b0..90a5b0f64 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -15,12 +15,13 @@ profile deja-dup-monitor @{exec_path} { include include include + include include network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup + #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index dc11e8169..6d621f18b 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -32,8 +32,7 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm{3,}/{,**} r, /var/lib/ r, - @{GDM_HOME}/ r, - owner @{GDM_HOME}/ rw, + @{GDM_HOME}/ rw, owner @{GDM_HOME}/greeter-dconf-defaults rw, owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw, @@ -44,6 +43,7 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f4..3f2290e6a 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator 
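Review bot: `@{sys}/devices/@{pci}/resource@{int} rw,` grants write access to the PCI BAR resource files, i.e. the ability to map device registers and memory directly from userspace; that is a substantially larger capability than the surrounding read-only sysfs rules, and nothing in the hunk records which driver path needs it. A short comment on the line would preserve the rationale for later audits, e.g. `@{sys}/devices/@{pci}/resource@{int} rw, # PCI BAR mapping by DDX drivers (TODO: confirm which driver triggers this)`, hedged because the requesting driver is not visible here. The enclosing xorg profile starts and ends outside the hunk.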
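Review bot: In gdm-generate-config the pair `@{GDM_HOME}/ r,` plus `owner @{GDM_HOME}/ rw,` is collapsed into an unconditional `@{GDM_HOME}/ rw,`, which widens directory write access beyond the owner. If the write is genuinely needed when the directory is not owned by the running user (the commit message does not say), a comment keeps the relaxation deliberate, e.g. `@{GDM_HOME}/ rw, # non-owner write needed: TODO confirm and document why`; otherwise the owner-qualified form was the tighter rule.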
@@ -23,6 +23,8 @@ profile gnome-calculator @{exec_path} { @{open_path} rPx -> child-open-help, + owner @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fd6ded04f..13f161dfd 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -10,7 +10,7 @@ include profile gnome-clocks @{exec_path} { include include - include + include include include include @@ -19,7 +19,7 @@ profile gnome-clocks @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gnome.clocks + #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index cfb40f5c4..74b0cb041 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -38,7 +38,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), #aa:dbus own bus=session name=org.gnome.Settings + #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7bb34e52f..c0f131dd1 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect 
@@ -36,8 +36,9 @@ profile gnome-extension-gsconnect @{exec_path} { @{bin}/openssl rix, @{bin}/ssh-add rix, - @{bin}/ssh-keygen rPx, - @{bin}/xdg-screensaver rPx, + @{bin}/dconf rPx, + @{bin}/ssh-keygen rPx, + @{bin}/xdg-screensaver rPx, @{lib}/gio/modules/*.so* rm, @{lib}/girepository-1.0/* r, @@ -53,6 +54,10 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, + owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r, + + owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{run}/user/@{uid}/gsconnect/{,**} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 89769477a..be73974c8 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -41,6 +41,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, + @{lib}/@{multiarch}/ld-linux-*.so* rix, /usr/share/dconf/profile/gdm r, /usr/share/gnome-initial-setup/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 19e448b1b..c092f9372 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -15,6 +15,7 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check new file mode 100644 index 000000000..2a0b4965f --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-check 
@@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-check-* +profile gnome-session-check @{exec_path} { + include + include + + @{exec_path} mr, + + @{lib}/gnome-session-check-accelerated-gl-helper ix, + @{lib}/gnome-session-check-accelerated-gles-helper ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f8888f95b..f2ff71f03 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -242,6 +242,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, + owner @{HOME}/.mozilla/native-messaging-hosts/ r, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/.var/app/**/ r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 8a48b97a2..d41ba2c7e 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -28,7 +28,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 3a7fdd4f4..016a41bd5 100644 
--- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,7 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} + #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index c2df97896..ac3009fc7 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index f172eac21..b3f27187b 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -15,7 +15,7 @@ profile yelp @{exec_path} { network netlink raw, #aa:dbus own bus=accessibility name=org.gnome.Yelp - #aa:dbus own bus=session name=org.gnome.Yelp + #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions @{exec_path} mr, @{open_path} rPx -> child-open-help, From e6752cb4b9761c58a26362891e8bbc29474e9435 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:11:06 +0100 Subject: [PATCH 107/672] feat(profile): improve libreoffice, add missing dbus access. --- apparmor.d/profiles-g-l/libreoffice | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index ac3ee0c26..43fe51757 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice 
@@ -11,7 +11,13 @@ include profile libreoffice @{exec_path} { include include + include include + include + include + include + include + include include include include @@ -30,7 +36,7 @@ profile libreoffice @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.libreoffice.LibreOfficeIpc0 + #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions @{exec_path} mr, From c9d249e5e35613aaf7b474c1a19abea0df07fc45 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:44:56 +0100 Subject: [PATCH 108/672] tests(packer): add test images for ubuntu 25.04 & debian 13 --- .../cloud-init/debian13-server.user-data.yml | 36 +++++++++++++++++ .../cloud-init/ubuntu24-desktop.user-data.yml | 39 +++++-------------- ...ata.yml => ubuntu25-desktop.user-data.yml} | 37 +++++------------- 3 files changed, 55 insertions(+), 57 deletions(-) create mode 100644 tests/cloud-init/debian13-server.user-data.yml rename tests/cloud-init/{ubuntu22-desktop.user-data.yml => ubuntu25-desktop.user-data.yml} (53%) diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml new file mode 100644 index 000000000..1400584ba --- /dev/null +++ b/tests/cloud-init/debian13-server.user-data.yml @@ -0,0 +1,36 @@ +#cloud-config + +packages: + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - htop + - qemu-guest-agent + - rsync + - vim + +write_files: + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 
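Review bot: The fstab line appended in the new `debian13-server.user-data.yml` mounts the virtiofs share with `defaults 0 1`; the fsck pass is presumably harmless here (there is no fsck for virtiofs), but without `nofail` a VM started without the matching `--filesystem` share, or with a different mount tag, drops into emergency mode at boot instead of coming up without the project directory. `0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults,nofail 0 0` keeps the mount best-effort. The same line appears as context in the ubuntu24 and ubuntu25 user-data files later in this commit, so it is not introduced there but would want the same treatment.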
diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index 7a71b0afe..d1b1f169c 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -17,29 +17,23 @@ packages: - ubuntu-desktop - vim -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - runcmd: + # Add missing snap packages + - snap install snap-store + - snap install snapd-desktop-integration + # Remove default filesystem and related tools not used with the suggested # storage layout. These may yet be required if different partitioning schemes # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs + - apt-get -y purge btrfs-progs xfsprogs # Remove other packages present by default in Ubuntu Server but not # normally present in Ubuntu Desktop. - # - >- - # apt-get -y purge - # ubuntu-server ubuntu-server-minimal netplan.io cloud-init - # binutils byobu curl dmeventd finalrd gawk - # kpartx mdadm ncurses-term needrestart open-iscsi - # sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - # sosreport screen open-vm-tools motd-news-config lxd-agent-loader - # landscape-common fonts-ubuntu-console ethtool + - >- + apt-get -y purge + byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader + mdadm motd-news-config ncurses-term open-iscsi open-vm-tools + screen sg3-utils sosreport ssh-import-id sssd tmux # Finally, remove things only installed as dependencies of other things # we have already removed. @@ -51,16 +45,3 @@ write_files: append: true content: | 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 
diff --git a/tests/cloud-init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu25-desktop.user-data.yml similarity index 53% rename from tests/cloud-init/ubuntu22-desktop.user-data.yml rename to tests/cloud-init/ubuntu25-desktop.user-data.yml index 5f4dc69f5..881e9b4e9 100644 --- a/tests/cloud-init/ubuntu22-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu25-desktop.user-data.yml @@ -9,7 +9,7 @@ packages: - debhelper - devscripts - golang-go - - linux-generic-hwe-22.04 + - linux-generic-hwe-24.04 - qemu-guest-agent - rsync - spice-vdagent @@ -17,29 +17,23 @@ packages: - ubuntu-desktop - vim -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - runcmd: + - snap install snap-store + - snap install snapd-desktop-integration + - snap install --edge desktop-security-center + # Remove default filesystem and related tools not used with the suggested # storage layout. These may yet be required if different partitioning schemes # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs + - apt-get -y purge btrfs-progs xfsprogs # Remove other packages present by default in Ubuntu Server but not # normally present in Ubuntu Desktop. - >- apt-get -y purge - ubuntu-server ubuntu-server-minimal netplan.io cloud-init - binutils byobu curl dmeventd finalrd gawk - kpartx mdadm ncurses-term needrestart open-iscsi - sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - sosreport screen open-vm-tools motd-news-config lxd-agent-loader - landscape-common fonts-ubuntu-console ethtool + byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader + mdadm motd-news-config ncurses-term open-iscsi open-vm-tools + screen sg3-utils sosreport ssh-import-id sssd tmux # Finally, remove things only installed as dependencies of other things # we have already removed. 
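Review bot: `snap install --edge desktop-security-center` pins the ubuntu25 test image to the edge channel, so the image content changes with every unreleased build and a failing integration run cannot be attributed to the profiles; if edge is required because the snap has no stable release yet, say so on the line, e.g. `# desktop-security-center: no stable channel yet (TODO: switch when released)`. In the earlier hunk of the same renamed file, `linux-generic-hwe-24.04` is kept for a 25.04 (plucky) image; HWE kernels are an LTS concept, so it is worth confirming that this metapackage resolves there rather than failing the cloud-init package step.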
@@ -51,16 +45,3 @@ write_files: append: true content: | 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 From eba7357cb13e51a8a78978d560fc4851f37affc7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:48:24 +0100 Subject: [PATCH 109/672] doc: show off our tests a bit. --- README.md | 3 +-- docs/index.md | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7aed183da..a2ae8d6fb 100644 --- a/README.md +++ b/README.md @@ -35,8 +35,7 @@ * Gnome (GDM) * KDE (SDDM) * XFCE (Lightdm) *(work in progress)* -- Fully tested *(work in progress)* - +- [Fully tested](https://apparmor.pujol.io/development/tests/) > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. diff --git a/docs/index.md b/docs/index.md index 8f5696074..6f09983cb 100644 --- a/docs/index.md +++ b/docs/index.md @@ -34,7 +34,7 @@ See the [Concepts](concepts.md)' page for more detail on the architecture. - [x] :material-gnome: Gnome (GDM) - [x] :simple-kde: KDE (SDDM) - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* -- Fully tested *(work in progress)* +- [Fully tested](development/tests.md) ### Presentations From 86aba45d67a69c99d2e930c93da9f2616262aadb Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 2 Mar 2025 00:00:08 +0100 Subject: [PATCH 110/672] tests(integration): move most test inside groups. --- tests/integration/{ => apparmor}/aa-enforce.bats | 3 +-- tests/integration/{ => apparmor}/aa-status.bats | 2 +- tests/integration/{ => gpg}/gpgconf.bats | 2 +- tests/integration/{ => procps}/ps.bats | 2 +- tests/integration/{ => procps}/sysctl.bats | 3 +-- tests/integration/{ => procps}/w.bats | 7 ++++++- tests/integration/{ => shadow}/groupadd.bats | 2 +- tests/integration/{ => shadow}/groups.bats | 2 +- tests/integration/{ => systemd}/homectl.bats | 2 +- tests/integration/{ => systemd}/hostnamectl.bats | 2 +- tests/integration/{ => systemd}/systemd-ac-power.bats | 2 +- tests/integration/{ => systemd}/systemd-analyze.bats | 4 +--- tests/integration/{ => systemd}/systemd-cat.bats | 2 +- tests/integration/{ => systemd}/systemd-cgls.bats | 3 +-- tests/integration/{ => systemd}/systemd-detect-virt.bats | 5 +---- tests/integration/{ => systemd}/systemd-id128.bats | 2 +- tests/integration/{ => systemd}/systemd-sysusers.bats | 2 +- tests/integration/{ => systemd}/userdbctl.bats | 2 +- tests/integration/{ => usb}/lsusb.bats | 2 +- tests/integration/{ => utils}/blkid.bats | 2 +- tests/integration/{ => utils}/chsh.bats | 2 +- tests/integration/{ => utils}/df.bats | 2 +- tests/integration/{ => utils}/dmesg.bats | 2 +- tests/integration/{ => utils}/lsblk.bats | 2 +- tests/integration/{ => utils}/lscpu.bats | 2 +- tests/integration/{ => utils}/lspci.bats | 2 +- tests/integration/{ => utils}/pstree.bats | 2 +- tests/integration/{ => utils}/sync.bats | 2 +- tests/integration/{ => utils}/users.bats | 2 +- tests/integration/{ => utils}/uuidd.bats | 2 +- tests/integration/{ => utils}/uuidgen.bats | 2 +- tests/integration/{ => utils}/who.bats | 2 +- 32 files changed, 37 insertions(+), 40 deletions(-) rename tests/integration/{ => apparmor}/aa-enforce.bats (94%) rename tests/integration/{ => apparmor}/aa-status.bats (97%) rename tests/integration/{ 
=> gpg}/gpgconf.bats (98%) rename tests/integration/{ => procps}/ps.bats (97%) rename tests/integration/{ => procps}/sysctl.bats (97%) rename tests/integration/{ => procps}/w.bats (68%) rename tests/integration/{ => shadow}/groupadd.bats (97%) rename tests/integration/{ => shadow}/groups.bats (95%) rename tests/integration/{ => systemd}/homectl.bats (98%) rename tests/integration/{ => systemd}/hostnamectl.bats (97%) rename tests/integration/{ => systemd}/systemd-ac-power.bats (96%) rename tests/integration/{ => systemd}/systemd-analyze.bats (97%) rename tests/integration/{ => systemd}/systemd-cat.bats (96%) rename tests/integration/{ => systemd}/systemd-cgls.bats (97%) rename tests/integration/{ => systemd}/systemd-detect-virt.bats (85%) rename tests/integration/{ => systemd}/systemd-id128.bats (97%) rename tests/integration/{ => systemd}/systemd-sysusers.bats (97%) rename tests/integration/{ => systemd}/userdbctl.bats (97%) rename tests/integration/{ => usb}/lsusb.bats (96%) rename tests/integration/{ => utils}/blkid.bats (95%) rename tests/integration/{ => utils}/chsh.bats (96%) rename tests/integration/{ => utils}/df.bats (97%) rename tests/integration/{ => utils}/dmesg.bats (97%) rename tests/integration/{ => utils}/lsblk.bats (98%) rename tests/integration/{ => utils}/lscpu.bats (96%) rename tests/integration/{ => utils}/lspci.bats (97%) rename tests/integration/{ => utils}/pstree.bats (96%) rename tests/integration/{ => utils}/sync.bats (95%) rename tests/integration/{ => utils}/users.bats (95%) rename tests/integration/{ => utils}/uuidd.bats (96%) rename tests/integration/{ => utils}/uuidgen.bats (95%) rename tests/integration/{ => utils}/who.bats (96%) diff --git a/tests/integration/aa-enforce.bats b/tests/integration/apparmor/aa-enforce.bats similarity index 94% rename from tests/integration/aa-enforce.bats rename to tests/integration/apparmor/aa-enforce.bats index d6b549b1e..7bc0e740b 100644 --- a/tests/integration/aa-enforce.bats 
+++ b/tests/integration/apparmor/aa-enforce.bats @@ -3,10 +3,9 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common setup_file() { - aa_setup skip } diff --git a/tests/integration/aa-status.bats b/tests/integration/apparmor/aa-status.bats similarity index 97% rename from tests/integration/aa-status.bats rename to tests/integration/apparmor/aa-status.bats index fbfb6667d..e7e0fc3d5 100644 --- a/tests/integration/aa-status.bats +++ b/tests/integration/apparmor/aa-status.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "aa-status: Check status" { sudo aa-status diff --git a/tests/integration/gpgconf.bats b/tests/integration/gpg/gpgconf.bats similarity index 98% rename from tests/integration/gpgconf.bats rename to tests/integration/gpg/gpgconf.bats index 7155c5aa9..41627dc67 100644 --- a/tests/integration/gpgconf.bats +++ b/tests/integration/gpg/gpgconf.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "gpgconf: List all components" { gpgconf --list-components diff --git a/tests/integration/ps.bats b/tests/integration/procps/ps.bats similarity index 97% rename from tests/integration/ps.bats rename to tests/integration/procps/ps.bats index bcdfbe1b8..a27bdf98d 100644 --- a/tests/integration/ps.bats +++ b/tests/integration/procps/ps.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "ps: List all running processes" { ps aux diff --git a/tests/integration/sysctl.bats b/tests/integration/procps/sysctl.bats similarity index 97% rename from tests/integration/sysctl.bats rename to tests/integration/procps/sysctl.bats index 171ee98a9..2f284070a 100644 --- a/tests/integration/sysctl.bats +++ b/tests/integration/procps/sysctl.bats 
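Review bot: setup_file in aa-enforce.bats now consists of a bare `skip`, so every test in the file is skipped with no recorded reason; with the `aa_setup` call gone there is nothing left in the function to hint at why. bats accepts a reason string, so `skip "<why aa-enforce is disabled>"` would surface it in the test output instead of leaving a silently inert file in the new apparmor group.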
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "sysctl: Show all available variables and their values" { sysctl -a @@ -24,4 +24,3 @@ load common @test "sysctl: Apply changes from `/etc/sysctl.conf`" { sysctl -p } - diff --git a/tests/integration/w.bats b/tests/integration/procps/w.bats similarity index 68% rename from tests/integration/w.bats rename to tests/integration/procps/w.bats index 1b97ba445..3ee1fe218 100644 --- a/tests/integration/w.bats +++ b/tests/integration/procps/w.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "w: Display information about all users who are currently logged in" { w @@ -12,3 +12,8 @@ load common @test "w: Display information about a specific user" { w root } + +@test "w: Display information without including the header, the login, JCPU and PCPU columns" { + w --no-header + w --short +} diff --git a/tests/integration/groupadd.bats b/tests/integration/shadow/groupadd.bats similarity index 97% rename from tests/integration/groupadd.bats rename to tests/integration/shadow/groupadd.bats index d93b1a690..3d07619b2 100644 --- a/tests/integration/groupadd.bats +++ b/tests/integration/shadow/groupadd.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "groupadd: Create a new group" { sudo groupadd user2 diff --git a/tests/integration/groups.bats b/tests/integration/shadow/groups.bats similarity index 95% rename from tests/integration/groups.bats rename to tests/integration/shadow/groups.bats index 60bf6ea45..f932e9129 100644 --- a/tests/integration/groups.bats +++ b/tests/integration/shadow/groups.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "groups: Print group memberships for the current user" { groups 
diff --git a/tests/integration/homectl.bats b/tests/integration/systemd/homectl.bats similarity index 98% rename from tests/integration/homectl.bats rename to tests/integration/systemd/homectl.bats index 656a3407b..0bdd625c4 100644 --- a/tests/integration/homectl.bats +++ b/tests/integration/systemd/homectl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common setup_file() { sudo systemctl start systemd-homed diff --git a/tests/integration/hostnamectl.bats b/tests/integration/systemd/hostnamectl.bats similarity index 97% rename from tests/integration/hostnamectl.bats rename to tests/integration/systemd/hostnamectl.bats index 2c15658ad..38924920a 100644 --- a/tests/integration/hostnamectl.bats +++ b/tests/integration/systemd/hostnamectl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "hostnamectl: Get the hostname of the computer" { hostnamectl diff --git a/tests/integration/systemd-ac-power.bats b/tests/integration/systemd/systemd-ac-power.bats similarity index 96% rename from tests/integration/systemd-ac-power.bats rename to tests/integration/systemd/systemd-ac-power.bats index 30019825a..65779b617 100644 --- a/tests/integration/systemd-ac-power.bats +++ b/tests/integration/systemd/systemd-ac-power.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-ac-power: Report whether we are connected to an external power source." { systemd-ac-power || true diff --git a/tests/integration/systemd-analyze.bats b/tests/integration/systemd/systemd-analyze.bats similarity index 97% rename from tests/integration/systemd-analyze.bats rename to tests/integration/systemd/systemd-analyze.bats index 6bb275bb6..b36abb62d 100644 --- a/tests/integration/systemd-analyze.bats +++ b/tests/integration/systemd/systemd-analyze.bats 
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-analyze: List all running units, ordered by the time they took to initialize" { systemd-analyze --no-pager blame @@ -16,5 +16,3 @@ load common @test "systemd-analyze: Show security scores of running units" { systemd-analyze --no-pager security } - - diff --git a/tests/integration/systemd-cat.bats b/tests/integration/systemd/systemd-cat.bats similarity index 96% rename from tests/integration/systemd-cat.bats rename to tests/integration/systemd/systemd-cat.bats index da634982a..9d796ff07 100644 --- a/tests/integration/systemd-cat.bats +++ b/tests/integration/systemd/systemd-cat.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { systemd-cat pwd diff --git a/tests/integration/systemd-cgls.bats b/tests/integration/systemd/systemd-cgls.bats similarity index 97% rename from tests/integration/systemd-cgls.bats rename to tests/integration/systemd/systemd-cgls.bats index dca00b62a..a0822a516 100644 --- a/tests/integration/systemd-cgls.bats +++ b/tests/integration/systemd/systemd-cgls.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-cgls: Display the whole control group hierarchy on your system" { systemd-cgls --no-pager @@ -16,4 +16,3 @@ load common @test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { systemd-cgls --no-pager --unit systemd-logind } - diff --git a/tests/integration/systemd-detect-virt.bats b/tests/integration/systemd/systemd-detect-virt.bats similarity index 85% rename from tests/integration/systemd-detect-virt.bats rename to tests/integration/systemd/systemd-detect-virt.bats index 41150ef7f..bb2b2a659 100644 
--- a/tests/integration/systemd-detect-virt.bats +++ b/tests/integration/systemd/systemd-detect-virt.bats @@ -3,23 +3,20 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-detect-virt: List detectable virtualization technologies" { systemd-detect-virt --list } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" { systemd-detect-virt || true } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Silently check without printing anything" { systemd-detect-virt --quiet || true } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Only detect hardware virtualization" { systemd-detect-virt --vm || true } diff --git a/tests/integration/systemd-id128.bats b/tests/integration/systemd/systemd-id128.bats similarity index 97% rename from tests/integration/systemd-id128.bats rename to tests/integration/systemd/systemd-id128.bats index 67bf5907d..68e48d9a4 100644 --- a/tests/integration/systemd-id128.bats +++ b/tests/integration/systemd/systemd-id128.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-id128: Generate a new random identifier" { systemd-id128 new diff --git a/tests/integration/systemd-sysusers.bats b/tests/integration/systemd/systemd-sysusers.bats similarity index 97% rename from tests/integration/systemd-sysusers.bats rename to tests/integration/systemd/systemd-sysusers.bats index 0816fd45e..7fff472ee 100644 --- a/tests/integration/systemd-sysusers.bats +++ b/tests/integration/systemd/systemd-sysusers.bats 
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { systemd-sysusers --cat-config diff --git a/tests/integration/userdbctl.bats b/tests/integration/systemd/userdbctl.bats similarity index 97% rename from tests/integration/userdbctl.bats rename to tests/integration/systemd/userdbctl.bats index 065dba5f5..eda5f5b09 100644 --- a/tests/integration/userdbctl.bats +++ b/tests/integration/systemd/userdbctl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "userdbctl: List all known user records" { userdbctl --no-pager user diff --git a/tests/integration/lsusb.bats b/tests/integration/usb/lsusb.bats similarity index 96% rename from tests/integration/lsusb.bats rename to tests/integration/usb/lsusb.bats index f5444fced..85bee2fd6 100644 --- a/tests/integration/lsusb.bats +++ b/tests/integration/usb/lsusb.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lsusb: List all the USB devices available" { lsusb || true diff --git a/tests/integration/blkid.bats b/tests/integration/utils/blkid.bats similarity index 95% rename from tests/integration/blkid.bats rename to tests/integration/utils/blkid.bats index 6dcf4b4d7..625f5f9bb 100644 --- a/tests/integration/blkid.bats +++ b/tests/integration/utils/blkid.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "blkid: List all partitions" { sudo blkid diff --git a/tests/integration/chsh.bats b/tests/integration/utils/chsh.bats similarity index 96% rename from tests/integration/chsh.bats rename to tests/integration/utils/chsh.bats index 81a9f76a6..ccdadc6e3 100644 --- a/tests/integration/chsh.bats 
+++ b/tests/integration/utils/chsh.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "chsh: list available shells" { chsh --list-shells || true diff --git a/tests/integration/df.bats b/tests/integration/utils/df.bats similarity index 97% rename from tests/integration/df.bats rename to tests/integration/utils/df.bats index a97ad53cb..b0f3430ea 100644 --- a/tests/integration/df.bats +++ b/tests/integration/utils/df.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "df: Display all filesystems and their disk usage" { df diff --git a/tests/integration/dmesg.bats b/tests/integration/utils/dmesg.bats similarity index 97% rename from tests/integration/dmesg.bats rename to tests/integration/utils/dmesg.bats index 722b3204b..f2880666d 100644 --- a/tests/integration/dmesg.bats +++ b/tests/integration/utils/dmesg.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "dmesg: Show kernel messages" { sudo dmesg diff --git a/tests/integration/lsblk.bats b/tests/integration/utils/lsblk.bats similarity index 98% rename from tests/integration/lsblk.bats rename to tests/integration/utils/lsblk.bats index 4dc3e20b7..4093526a9 100644 --- a/tests/integration/lsblk.bats +++ b/tests/integration/utils/lsblk.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lsblk: List all storage devices in a tree-like format" { lsblk diff --git a/tests/integration/lscpu.bats b/tests/integration/utils/lscpu.bats similarity index 96% rename from tests/integration/lscpu.bats rename to tests/integration/utils/lscpu.bats index d09599065..eb60d890d 100644 --- a/tests/integration/lscpu.bats +++ b/tests/integration/utils/lscpu.bats 
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lscpu: Display information about all CPUs" { lscpu diff --git a/tests/integration/lspci.bats b/tests/integration/utils/lspci.bats similarity index 97% rename from tests/integration/lspci.bats rename to tests/integration/utils/lspci.bats index 021906602..1b86dd41f 100644 --- a/tests/integration/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lspci: Show a brief list of devices" { lspci diff --git a/tests/integration/pstree.bats b/tests/integration/utils/pstree.bats similarity index 96% rename from tests/integration/pstree.bats rename to tests/integration/utils/pstree.bats index 23094478c..1fc43c76c 100644 --- a/tests/integration/pstree.bats +++ b/tests/integration/utils/pstree.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "pstree: Display a tree of processes" { pstree diff --git a/tests/integration/sync.bats b/tests/integration/utils/sync.bats similarity index 95% rename from tests/integration/sync.bats rename to tests/integration/utils/sync.bats index 9f2e26885..03cc4730f 100644 --- a/tests/integration/sync.bats +++ b/tests/integration/utils/sync.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "sync: Flush all pending write operations on all disks" { sync diff --git a/tests/integration/users.bats b/tests/integration/utils/users.bats similarity index 95% rename from tests/integration/users.bats rename to tests/integration/utils/users.bats index 8f8ad383d..885121a58 100644 --- a/tests/integration/users.bats +++ b/tests/integration/utils/users.bats 
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "users: Print logged in usernames" { users diff --git a/tests/integration/uuidd.bats b/tests/integration/utils/uuidd.bats similarity index 96% rename from tests/integration/uuidd.bats rename to tests/integration/utils/uuidd.bats index 9e3ac5ef0..d3ab28cc0 100644 --- a/tests/integration/uuidd.bats +++ b/tests/integration/utils/uuidd.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "uuidd: Generate a random UUID" { uuidd --random diff --git a/tests/integration/uuidgen.bats b/tests/integration/utils/uuidgen.bats similarity index 95% rename from tests/integration/uuidgen.bats rename to tests/integration/utils/uuidgen.bats index eb6465c04..838be5cbc 100644 --- a/tests/integration/uuidgen.bats +++ b/tests/integration/utils/uuidgen.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "uuidgen: Create a random UUIDv4" { uuidgen --random diff --git a/tests/integration/who.bats b/tests/integration/utils/who.bats similarity index 96% rename from tests/integration/who.bats rename to tests/integration/utils/who.bats index c05995d0e..b69fc2dd1 100644 --- a/tests/integration/who.bats +++ b/tests/integration/utils/who.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "who: Display the username, line, and time of all currently logged-in sessions" { who From 189064c9f83ba8b4b4312fe9b833236b5387ef6a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 2 Mar 2025 13:25:30 +0100 Subject: [PATCH 111/672] tests: make the integration tests work recursivelly. --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 90dacd5c0..cef8bd719 100644 --- a/Makefile 
+++ b/Makefile
@@ -112,8 +112,8 @@ check:
 @bash tests/check.sh
 .PHONY: integration
-integration :
- @bats --timing --print-output-on-failure tests/integration/
+integration:
+ @bats --recursive --timing --print-output-on-failure tests/integration/
 .PHONY: manual
 manual:
From 6c284435ae6c47c5f832bcf2b509699f65af3dcb Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 2 Mar 2025 13:52:38 +0100
Subject: [PATCH 112/672] feat(profile): improve bluetoothctl fix #671
---
 apparmor.d/groups/bluetooth/bluetoothctl | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl
index 01565b4ff..e408b94b9 100644
--- a/apparmor.d/groups/bluetooth/bluetoothctl
+++ b/apparmor.d/groups/bluetooth/bluetoothctl
@@ -10,9 +10,17 @@ include
 @{exec_path} = @{bin}/bluetoothctl
 profile bluetoothctl @{exec_path} {
 include
+ include
+ include
+
+ network bluetooth raw,
+
+ #aa:dbus talk bus=system name=org.bluez label=bluetoothd
 @{exec_path} mr,
+ /usr/share/terminfo/** r,
+ /etc/inputrc r,
 owner @{user_cache_dirs}/ rw,
From 3f9fe25fd469123c17022979c91be6fe278b465e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 2 Mar 2025 14:03:38 +0100
Subject: [PATCH 113/672] doc: update aa-log usage.
---
 cmd/aa-log/main.go | 6 +++---
 docs/usage.md | 9 +++++----
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go
index 58aee3716..d58089310 100644
--- a/cmd/aa-log/main.go
+++ b/cmd/aa-log/main.go
@@ -15,15 +15,15 @@ import ( "github.com/roddhjav/apparmor.d/pkg/logs" ) -const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] +const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. diff --git a/docs/usage.md b/docs/usage.md index e73439efc..372762998 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -116,15 +116,15 @@ profile dnsmasq { ### Help ``` -aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] +aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] - Review AppArmor generated messages in a colorful way. Supports logs from + Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -132,4 +132,5 @@ Options: -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. + -S, --since DATE Show entries not older than the specified date. ``` 
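Review bot: The new synopsis line `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile]` lists `--since` without its argument, while the option table added to docs/usage.md in the second hunk documents it as `-S, --since DATE`; the neighbouring `[--file file]` shows the convention the string already follows. Change it to `[--since DATE]` in both cmd/aa-log/main.go and docs/usage.md so the two copies stay consistent. The option table inside the main.go `usage` constant lies outside this hunk; the note assumes a `-S, --since DATE` entry already exists there, since only the docs hunk adds one.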
From d49e93523fca55b4fa359e0195c93bb0deeada34 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Mar 2025 22:26:07 +0100 Subject: [PATCH 114/672] feat(profile): restrict the qemu-ga profile. --- apparmor.d/profiles-m-r/qemu-ga | 36 ++++++++++++++------------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 7e63560ec..b100e4e15 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -7,40 +7,34 @@ abi , include @{exec_path} = @{bin}/qemu-ga -profile qemu-ga @{exec_path} { +profile qemu-ga @{exec_path} flags=(complain) { include - include - - capability mknod, - capability net_admin, - capability sys_ptrace, - - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace (read) peer=@{p_systemd}, - - unix type=stream addr=@@{udbus}/bus/shutdown/system, - - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, - @{bin}/systemctl rix, + audit @{bin}/systemctl Cx -> systemctl, /etc/qemu/qemu-ga.conf r, - owner @{run}/qga.state* rw, + owner @{run}/qga.state rw, + owner @{run}/qga.state.@{rand6} rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/sys/vm/max_map_count r, - owner @{PROC}/@{pid}/net/dev r, - /dev/vport@{int}p@{int} rw, + profile systemctl flags=(complain) { + include + include + + unix type=stream addr=@@{udbus}/bus/shutdown/system, + + #aa-dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + + include if exists + } + include if exists } From 334b48749a67f97d2eab517ce8418807965390ea Mon Sep 17 00:00:00 2001 
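Review bot: The child profile's directive is written `#aa-dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind`, while the line it replaces and the bluetoothctl profile earlier in this series use `#aa:dbus talk …`; if the generator keys on the `#aa:` prefix, no login1 rules will be produced for the `systemctl` child and the shutdown path would only keep working because the child is in complain mode. Make it `#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind`. Separately, both `profile qemu-ga @{exec_path} flags=(complain)` and the `systemctl` child are in complain mode, so the capabilities, network and ptrace rules this commit removes are logged rather than denied until the flag is dropped; a comment on the flag saying what is awaited before enforcing, e.g. `flags=(complain) # TODO: enforce once <what remains to be checked>`, would keep that from being forgotten.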
From: Alexandre Pujol Date: Tue, 4 Mar 2025 22:33:42 +0100 Subject: [PATCH 115/672] feat(profile): various minor update. --- apparmor.d/groups/bus/dbus-system | 2 ++ apparmor.d/groups/filesystem/lvm | 1 + apparmor.d/groups/gnome/gnome-shell | 2 ++ apparmor.d/groups/shadow/chpasswd | 8 ++++++++ apparmor.d/groups/snap/snapd | 5 +++++ apparmor.d/groups/ssh/ssh | 3 ++- apparmor.d/groups/ssh/sshd | 12 ++++++------ apparmor.d/groups/systemd/systemd-coredump | 2 ++ apparmor.d/groups/systemd/systemd-update-utmp | 2 +- apparmor.d/groups/systemd/systemd-vconsole-setup | 2 +- apparmor.d/groups/ubuntu/release-upgrade-motd | 2 ++ apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 2 ++ apparmor.d/groups/utils/login | 1 - apparmor.d/groups/utils/uname | 3 +++ apparmor.d/groups/virt/dockerd | 3 +++ apparmor.d/profiles-a-f/console-setup | 1 + apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-a-f/fractal | 2 ++ apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 2 ++ apparmor.d/profiles-m-r/run-parts | 2 ++ apparmor.d/profiles-s-z/tlp | 3 +++ 21 files changed, 51 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 0296a262f..cafaf0570 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -63,6 +63,7 @@ profile dbus-system flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{run}/systemd/notify w, @{run}/systemd/users/@{int} r, @@ -78,6 +79,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm index 75cd0de80..a73262d75 100644 --- a/apparmor.d/groups/filesystem/lvm +++ b/apparmor.d/groups/filesystem/lvm 
@@ -30,6 +30,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { @{etc_rw}/lvm/** rwkl, /etc/multipath.conf r, + /etc/multipath/* r, @{run}/lock/ rw, @{run}/lock/lvm/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f2ff71f03..ee4bfe33b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -269,6 +269,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw, + owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/groups/shadow/chpasswd index 869ba20ab..4b752a440 100644 --- a/apparmor.d/groups/shadow/chpasswd +++ b/apparmor.d/groups/shadow/chpasswd @@ -9,13 +9,18 @@ include @{exec_path} = @{bin}/chpasswd profile chpasswd @{exec_path} { include + include include include + capability audit_write, capability chown, capability fsetid, + capability net_admin, capability setuid, + network netlink raw, + @{exec_path} mr, @{etc_ro}/login.defs r, @@ -32,6 +37,9 @@ profile chpasswd @{exec_path} { /etc/shadow.lock w, /etc/shadow+ rw, + /etc/pam.d/chpasswd r, + /etc/pam.d/common-* r, + include if exists } diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 273b68fc5..3e6a4460a 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd 
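Review bot: `capability net_admin` is added to chpasswd alongside `capability audit_write` and `network netlink raw`, but net_admin is far broader than what writing to the audit netlink socket needs, and the hunk gives no hint of which operation in the denial log required it. A one-line comment on the rule naming that operation would let a later reviewer drop it if it proves unnecessary, e.g. `capability net_admin, # <operation from the denial log>`. The same applies, to a lesser degree, to the two new `/etc/pam.d/` reads, which presumably come with the PAM include added at the top of the profile.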
@@ -57,6 +57,11 @@ profile snapd @{exec_path} { member={SetWallMessage,ScheduleShutdown} peer=(name=org.freedesktop.login1, label=systemd-logind), + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.timedate1, label=unconfined), + @{exec_path} mrix, @{bin}/adduser rPx, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 0c86919b1..bdbcf8fa6 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -45,7 +45,8 @@ profile ssh @{exec_path} { audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 21892cc47..f6638d5d9 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -62,12 +62,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{bin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/openssh/sftp-server rPx, - @{lib}/ssh/sshd-session rix, + @{bin}/@{shells} rUx, + @{bin}/false rix, + @{bin}/nologin rPx, + @{bin}/passwd rPx, + @{lib}/{openssh,ssh}/sftp-server rPx, + @{lib}/{openssh,ssh}/sshd-session rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index b26dabae7..856bee914 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump 
@@ -39,6 +39,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, + owner @{HOME}/**.so r, + /var/lib/systemd/coredump/{,**} rwl, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 1a2ff9a31..82025859b 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { network netlink raw, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/, + unix bind type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 5f28050c1..8c99d606c 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-vconsole-setup -profile systemd-vconsole-setup @{exec_path} { +profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index 08a54df0a..b5d7d2885 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -22,6 +22,8 @@ profile release-upgrade-motd @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, + @{run}/motd.dynamic.new w, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 86ac61f41..77b24fa27 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot 
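Review bot: `@{run}/motd.dynamic.new w` is added to release-upgrade-motd without a comment, and the identical line is added in the update-motd-fsck-at-reboot, landscape-sysinfo.wrapper and run-parts hunks of this commit. Presumably the motd scripts inherit that file as their stdout from pam_motd and AppArmor re-validates inherited descriptors on exec — confirm; either way the reason is not obvious from a script being allowed to write the system motd file. A short comment on each copy, e.g. `@{run}/motd.dynamic.new w, # inherited stdout from pam_motd`, would keep the four profiles consistent and explain the grant.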
@@ -25,6 +25,8 @@ profile update-motd-fsck-at-reboot @{exec_path} { /var/lib/update-notifier/fsck-at-reboot rw, + @{run}/motd.dynamic.new w, + @{PROC}/uptime r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index f83c1687e..dbf334577 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -62,7 +62,6 @@ profile login @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/sessions/@{int}.ref w, @{run}/credentials/getty@tty@{int}.service/ r, - @{run}/dbus/system_bus_socket rw, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname index 45a864c23..6ca8a6370 100644 --- a/apparmor.d/groups/utils/uname +++ b/apparmor.d/groups/utils/uname @@ -14,6 +14,9 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{lib}/@{multiarch}/ld-linux-*so* r, + @{lib}/@{multiarch}/libc.so* mr, + @{att}/dev/tty@{int} rw, deny network, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 2e2d36355..b2228ec6f 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -21,6 +21,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability net_admin, + capability net_raw, capability setfcap, capability sys_admin, capability sys_chroot, @@ -31,6 +32,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network inet6 stream, network netlink raw, + network packet dgram, mount /tmp/containerd-mount@{int}/, mount /var/lib/docker/**/, @@ -91,6 +93,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner @{run}/docker/** rwlk, owner @{run}/docker.pid rw, + @{sys}/devices/virtual/net/** r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, 
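Review bot: `capability net_raw` and `network packet dgram` in the dockerd hunks together allow raw AF_PACKET sockets, and neither line says which feature needs them. The project's other profiles annotate non-obvious grants; a comment such as `network packet dgram, # libnetwork ARP/ND handling - confirm` would let a later reviewer judge whether the grant is still required rather than accumulating as a permanent widening of an already capability-rich profile. The added `@{sys}/devices/virtual/net/** r` is read-only and unproblematic.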
diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index d3aaddf7f..5b867e1eb 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -15,6 +15,7 @@ profile console-setup @{exec_path} { @{bin}/uname rPx, @{bin}/mkdir rix, + @{run}/console-setup/ rw, @{run}/console-setup/boot_completed w, include if exists diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 0c5a18e83..269a3b02a 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -47,6 +47,7 @@ profile file-roller @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 9de5761c2..0895d12eb 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -33,6 +33,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/@{rand6} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index fb9b75824..44c7a8ac7 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -32,6 +32,8 @@ profile landscape-sysinfo.wrapper @{exec_path} { /var/lib/landscape/landscape-sysinfo.cache rw, + @{run}/motd.dynamic.new w, + @{PROC}/loadavg r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index d0ecbbd9e..f50b23199 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -154,6 +154,8 @@ profile run-parts @{exec_path} { owner @{sys}/class/power_supply/ r, + @{run}/motd.dynamic.new w, + /dev/tty@{int} rw, profile motd { 
diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 5d81c0a75..04e3b7ffc 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -44,6 +44,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/mktemp rix, @{bin}/readlink rix, @{bin}/rm rix, + @{bin}/sed rix, @{bin}/sort rix, @{bin}/systemctl rCx -> systemctl, @{bin}/touch rix, @@ -71,7 +72,9 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, @{sys}/bus/pci/devices/ r, + @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/{,**/}power/control w, + @{sys}/devices/@{pci}/class r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, From b752ff540c9df45cb560073659088c9a0342fb7b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Mar 2025 22:38:46 +0100 Subject: [PATCH 116/672] build: allow the docker build script to be sourced by downstream repository. --- dists/docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/docker.sh b/dists/docker.sh index 4dd958759..a99fefaf7 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -14,7 +14,7 @@ readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp readonly OUTDIR=".pkg" readonly OUTPUT="$PWD/$OUTDIR" -readonly COMMAND="$1" +readonly COMMAND="${1:-}" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" readonly VERSION PACKAGER From e3a1ba5d0d10bb5186f998544a162c029b1bdcf0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 21:15:46 +0100 Subject: [PATCH 117/672] feat(profile): systemd-tty-ask-password-agent: add support for rpm. see #576 --- apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 1 + 1 file changed, 1 insertion(+) 
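Review bot: `readonly COMMAND="${1:-}"` only avoids the unbound-variable error under `set -u`; it does not make docker.sh safe to source as the commit message intends. When the file is sourced without arguments, `$1` is the sourcing shell's positional parameter rather than a build command, and every `readonly` in this block, including `readonly VERSION PACKAGER`, fails if the file is sourced a second time in the same shell. If sourcing is the supported use, guard the assignment, e.g. `[[ -v COMMAND ]] || readonly COMMAND="${1:-}"`, or state in a header comment that the file must be sourced once with the command as its first argument. The enclosing script continues outside the hunk.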
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 71c5a1503..ecac3e1a8 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -20,6 +20,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { signal (receive) set=(term cont) peer=*//systemctl, signal (receive) set=(term cont) peer=default, signal (receive) set=(term cont) peer=logrotate, + signal (receive) set=(term cont) peer=rpm, @{exec_path} mrix, From 06f2fb46597758ac968779ee06a6b258e52cc3a6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 21:22:57 +0100 Subject: [PATCH 118/672] feat(profile): improve gimp. see #656 --- apparmor.d/profiles-g-l/gimp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 83457578f..158885375 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,8 +11,10 @@ profile gimp @{exec_path} { include include include + include include include + include include include include @@ -38,12 +40,14 @@ profile gimp @{exec_path} { /usr/share/mypaint-data/{,**} r, /usr/share/xml/iso-codes/{,**} r, + /etc/fstab r, /etc/gimp/{,**} r, owner @{user_documents_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_work_dirs}/{,**} rw, + owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw, owner @{user_cache_dirs}/babl/{,**} rw, owner @{user_cache_dirs}/gegl-*/{,**} r, owner @{user_cache_dirs}/gegl-*/{,**} r, @@ -58,6 +62,8 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, + owner @{PROC}/@{pid}/mountinfo r, + include if exists } From 7e1c08b75d1d3eb6e2bb4c0cf64067e2ddd6a7b1 Mon Sep 17 00:00:00 2001 
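Review bot: `owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw,` in the gimp hunk has a doubled slash after `@{user_cache_dirs}`, unlike the neighbouring `@{user_cache_dirs}/babl/` and `@{user_cache_dirs}/gegl-*/` rules. Unless the parser collapses `//` in rule paths, the rule will not match the real thumbnail path and the access it was added for stays denied. Suggested: `owner @{user_cache_dirs}/thumbnails/normal/gimp-thumb* rw,`. While in this block, the pre-existing duplicate `owner @{user_cache_dirs}/gegl-*/{,**} r,` context line could be dropped.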
From: Alexandre Pujol Date: Thu, 6 Mar 2025 21:53:41 +0100 Subject: [PATCH 119/672] feat(profile): improve kde profiles. See #676 --- .../groups/freedesktop/xdg-desktop-portal-kde | 4 +++ apparmor.d/groups/kde/dolphin | 32 +++++++++++++++++++ apparmor.d/groups/kde/kioworker | 11 ++++--- apparmor.d/groups/kde/plasmashell | 4 ++- apparmor.d/profiles-s-z/thunderbird | 3 ++ 5 files changed, 49 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 309248e18..3b02d2b16 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -21,6 +21,8 @@ profile xdg-desktop-portal-kde @{exec_path} { network inet6 stream, network netlink raw, + signal send set=term peer=kioworker, + @{exec_path} mr, #aa:exec kioworker @@ -33,6 +35,8 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, + owner @{PROC}/@{pid}/mountinfo r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index d01965bb0..b42b37dec 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -21,6 +21,7 @@ profile dolphin @{exec_path} { include include include + include network netlink raw, 
@@ -98,9 +99,40 @@ profile dolphin @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi* r, # for motherboard info + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 37dd3eeae..e992e09fd 100644 --- a/apparmor.d/groups/kde/kioworker 
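Review bot: `@{run}/udev/data/c18[0,8,9]:@{int} r,` puts a comma inside the character class, so it also matches a literal `,`; the intended set is `@{run}/udev/data/c18[089]:@{int} r,`. More broadly, this hunk copies the long per-subsystem `+acpi`, `+pci`, … list into dolphin while PATCH 121 of the same series collapses the identical list in baloo to `@{run}/udev/data/+*:* r,`; settling on one convention for the kde profiles would stop the two drifting apart. `@{sys}/devices/**/uevent r` is also a wide read; if only a few device classes are actually queried, narrowing it would match the rest of the profile's style.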
+++ b/apparmor.d/groups/kde/kioworker @@ -26,10 +26,11 @@ profile kioworker @{exec_path} { network netlink raw, network netlink dgram, - signal (receive) set=term peer=dolphin, - signal (receive) set=term peer=firefox-kmozillahelper, - signal (receive) set=term peer=plasma-discover, - signal (receive) set=term peer=plasmashell, + signal receive set=term peer=dolphin, + signal receive set=term peer=firefox-kmozillahelper, + signal receive set=term peer=plasma-discover, + signal receive set=term peer=plasmashell, + signal receive set=term peer=xdg-desktop-portal-kde, @{exec_path} mr, @@ -37,6 +38,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, + @{bin}/gs rPUx, #aa:exec kio_http_cache_cleaner @@ -91,6 +93,7 @@ profile kioworker @{exec_path} { owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 0d8a5d8cb..f800136e0 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -93,6 +93,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{MOUNTS}/ r, @{HOME}/ r, + owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, @@ -137,6 +138,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/kcookiejarrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kdiff3fileitemactionrc r, + owner @{user_config_dirs}/kiorc r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/klipperrc r, 
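Review bot: `@{bin}/gs rPUx` lets kioworker hand the documents it previews to Ghostscript, and with `PUx` the exec falls back to unconfined whenever no `gs` profile is loaded. Ghostscript's PostScript/PDF parsing is a large attack surface to run unconfined from a file-browser worker that handles arbitrary user files; if the project ships a gs profile, `rPx` makes the confinement mandatory, otherwise a dedicated child profile is the safer default. The `signal receive` rewrites and the added `peer=xdg-desktop-portal-kde` pair correctly with the `signal send set=term peer=kioworker` added to xdg-desktop-portal-kde in this commit.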
@@ -156,7 +158,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kio/servicemenus/{,**} r, - owner @{user_share_dirs}/klipper/{,*} rwl, + owner @{user_share_dirs}/klipper/{,**} rwl, owner @{user_share_dirs}/konsole/ r, owner @{user_share_dirs}/kpeople/persondb rwk, owner @{user_share_dirs}/kpeoplevcard/ r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 9a50dafa0..594d04b64 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -37,6 +37,9 @@ profile thunderbird @{exec_path} { # Desktop integration @{open_path} rPx -> child-open, + # Extensions + @{bin}/SysTray-X rPUx, + /usr/share/lightning/{,**} r, owner /var/mail/** rwk, From cfce68a5df7fd49042d22258420c75d52a463a9b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 21:59:20 +0100 Subject: [PATCH 120/672] feat(profile): allow to start hyprland from sddm. fix #674 --- apparmor.d/groups/kde/sddm | 1 + apparmor.d/profiles-m-r/pidof | 2 +- apparmor.d/profiles-s-z/waybar | 4 +++- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 56f0f5820..0205dacd7 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -94,6 +94,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/dbus-update-activation-environment rPx -> dbus-session, @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, + @{bin}/Hyprland rPx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/sddm-greeter{,-qt6} rPx, diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 5da955cba..76b9942fb 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pidof -profile pidof @{exec_path} { +profile pidof @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index 8499a1ad6..b8d1d5326 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -26,11 +26,13 @@ profile waybar @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/waybar/{,**} r, + @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/system/cpu/present r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/system/cpu/present r, + @{sys}/devices/virtual/dmi/id/uevent r, @{PROC}/@{pid}/net/dev r, @{PROC}/spl/kstat/zfs/arcstats r, From f360d12ec19fcc2ade26e330400a56c1d706036d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 22:22:56 +0100 Subject: [PATCH 121/672] feat(profile): improve kde profiles. See #675 --- apparmor.d/groups/kde/baloo | 17 ++++++----------- apparmor.d/groups/kde/kde-powerdevil | 8 ++++++-- apparmor.d/groups/kde/kioworker | 2 +- apparmor.d/groups/kde/kwin_wayland | 17 +++++++++++++++++ apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 2 +- 6 files changed, 32 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 9a2f4c961..75532a773 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo 
@@ -42,27 +42,22 @@ profile baloo @{exec_path} { owner @{user_share_dirs}/baloo/{,**} rwk, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # For motherboard info - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/mount/utab r, + + @{run}/udev/data/+*:* r, @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index c37ee870b..0747d1b47 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -27,6 +27,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{bin}/grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, + @{bin}/uname rPx, @{bin}/xargs rix, @{lib}/drkonqi rPx, 
@@ -45,10 +46,13 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + @{run}/mount/utab r, owner @{run}/user/@{uid}kcrash_@{int} rw, + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{sys}/bus/ r, @{sys}/bus/i2c/devices/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index e992e09fd..592e5811e 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -30,7 +30,7 @@ profile kioworker @{exec_path} { signal receive set=term peer=firefox-kmozillahelper, signal receive set=term peer=plasma-discover, signal receive set=term peer=plasmashell, - signal receive set=term peer=xdg-desktop-portal-kde, + signal receive set=term peer=xdg-desktop-portal-kde, @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 24d86bec6..240869a31 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -30,6 +30,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, 
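Review bot: the hunk reorders the lines around `owner @{run}/user/@{uid}kcrash_@{int} rw,` but leaves that context line's missing path separator untouched; unless `@{uid}` expands to something that can match a `/`, the rule matches `/run/user/1000kcrash_…` rather than `/run/user/1000/kcrash_…` and never applies. Since the commit already touches this block, `owner @{run}/user/@{uid}/kcrash_@{int} rw,` would be a one-character fix. The new `@{run}/mount/utab r` and the relocated `c189` rule are fine.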
@@ -119,6 +120,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/+usb:* r, @@ -137,6 +139,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { profile at-spi { include + include @{sh_path} r, @{bin}/busctl rix, @@ -151,6 +154,20 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include if exists } + profile pulseaudio { + include + include + + @{sh_path} rix, + @{bin}/pactl Px, + + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 r, + + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f800136e0..059760bd3 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -158,7 +158,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kio/servicemenus/{,**} r, - owner @{user_share_dirs}/klipper/{,**} rwl, + owner @{user_share_dirs}/klipper/{,**} rwlk, owner @{user_share_dirs}/konsole/ r, owner @{user_share_dirs}/kpeople/persondb rwk, owner @{user_share_dirs}/kpeoplevcard/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 0205dacd7..a7525d099 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm 
@@ -97,8 +97,8 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/Hyprland rPx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, - @{bin}/sddm-greeter{,-qt6} rPx, @{bin}/labwc rPx, + @{bin}/sddm-greeter{,-qt6} rPx, @{bin}/startlxqt rPx, @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, From 03406096ceb9b395bb7245eae8f08d606f61e04b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 23:46:49 +0100 Subject: [PATCH 122/672] feat(dbus): simplify the way to provide unix address for dbus. --- apparmor.d/abstractions/bus-session | 4 +--- apparmor.d/abstractions/bus-system | 2 ++ pkg/prebuild/directive/dbus.go | 24 +++++------------------- pkg/prebuild/directive/dbus_test.go | 12 +++--------- 4 files changed, 11 insertions(+), 31 deletions(-) diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 95325d7d3..0c3abd96e 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -4,9 +4,7 @@ abi , - unix (bind, listen) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 870443002..24d2cf4c2 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -4,6 +4,8 @@ abi , + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 4a9030505..99a8f6138 100644 --- a/pkg/prebuild/directive/dbus.go 
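Review bot: `unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session` in the bus-session hunk replaces a name that dbus.go truncated to 15 characters (the removed `name[:15]` in the dbus.go hunk), and the old test expectation `gdm-session-wor/system` shows that truncation was deliberate. If the bound address embeds the 15-character kernel comm, as that truncation suggests, `@{profile_name}` yields `gdm-session-worker` for that profile and the rule stops matching for every profile whose name exceeds 15 characters. `@{profile_name}` also expands to `parent//child` inside child profiles, a form the old base-name derivation never produced — confirm that is what the address looks like in practice. A one-line comment in both abstractions stating what `@{udbus}` and the name component are would help now that the logic no longer lives in Go where the intent was readable; the same applies to the bus-system hunk.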
+++ b/pkg/prebuild/directive/dbus.go @@ -45,15 +45,11 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { if err != nil { return "", err } - name := opt.File.Base() - if len(name) > 15 { - name = name[:15] - } switch action { case "own": - r = d.own(opt.ArgMap, name) + r = d.own(opt.ArgMap) case "talk": - r = d.talk(opt.ArgMap, name) + r = d.talk(opt.ArgMap) } aa.IndentationLevel = strings.Count( @@ -107,14 +103,10 @@ func getInterfaces(rules map[string]string) []string { return interfaces } -func (d Dbus) own(rules map[string]string, name string) aa.Rules { +func (d Dbus) own(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) res := aa.Rules{ - &aa.Unix{ - Access: []string{"bind"}, Type: "stream", - Address: `@@{udbus}/bus/` + name + `/` + rules["bus"], - }, &aa.Dbus{ Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], }, @@ -170,15 +162,9 @@ func (d Dbus) own(rules map[string]string, name string) aa.Rules { return res } -func (d Dbus) talk(rules map[string]string, name string) aa.Rules { +func (d Dbus) talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) - - res := aa.Rules{ - &aa.Unix{ - Access: []string{"bind"}, Type: "stream", - Address: `@@{udbus}/bus/` + name + `/` + rules["bus"], - }, - } + res := aa.Rules{} // Interfaces for _, iface := range interfaces { diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index f2d4997e4..5f8d57d10 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -10,9 +10,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -const dbusOwnSystemd1 = ` unix bind type=stream addr=@@{udbus}/bus/fake-own/system, - - dbus bind bus=system name=org.freedesktop.systemd1{,.*}, +const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} peer=(name="@{busname}"), 
@@ -75,9 +73,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` unix bind type=stream addr=@@{udbus}/bus/fake-interface/session, - - dbus bind bus=session name=com.rastersoft.ding{,.*}, + want: ` dbus bind bus=session name=com.rastersoft.ding{,.*}, dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=com.rastersoft.ding{,.*} peer=(name="@{busname}"), @@ -122,9 +118,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - - dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} From f270809c5f3770cb7645ace2734e1135b8f49e89 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 23:49:55 +0100 Subject: [PATCH 123/672] feat(tunable): set alias // -> / for all install. This is required when the re-attached path feature is enabled. --- apparmor.d/tunables/multiarch.d/system | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index a2f99a2ec..b155b2e36 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -62,6 +62,7 @@ # Attachment path for attach_disconnected.path flag. # Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. @{att}=/ + alias // -> /, # vim:syntax=apparmor 
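Review bot: `alias // -> /,` is a global path rewrite applied to every loaded profile, yet the only explanation is in the commit message and the tunable file itself says nothing. A comment above the line along the lines of `# Needed with the re-attached path feature: disconnected paths prefixed with @{att}=/ otherwise appear as //...` would record the intent in the file; the exact origin of the `//` form is not visible here, so word it to match what the feature actually produces. Keeping the rationale next to the alias matters because an alias silently changes how all other rules are matched.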
From 0d5e363bbca961b87c464cc151ed4580f67aaf4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 23:50:27 +0100 Subject: [PATCH 124/672] feat(abs): add more base attached files. --- apparmor.d/abstractions/attached/base | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 9a53d1548..4fcfe2665 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -9,6 +9,7 @@ @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, + @{att}/@{run}/systemd/journal/stdout rw, deny /apparmor/.null rw, deny @{att}/apparmor/.null rw, From 71632a6456ab3edd82253d6081887c34db1bb085 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 23:58:20 +0100 Subject: [PATCH 125/672] doc: minor improvements --- docs/development/build.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/development/build.md b/docs/development/build.md index 89bf8e89e..5145a8416 100644 --- a/docs/development/build.md +++ b/docs/development/build.md 
@@ -119,22 +119,22 @@ This task will convert all profiles from `abi/4.0` to `abi/3.0`. The rules not s ### **`complain | enforce`** -Set or remove the complain flag on all profiles. The `complain` task is enabled by default. When building in enforce mode, it is disabled. Enabling the `enforce` task will enforce **all** profiles including the one set in the [flags manifest](workflow.md#profile-flags). It is intended to be used in specialized system such as CTF or (very) high security VM. +Set or remove the complain flag on all profiles. The `complain` task is enabled by default. When building in enforce mode, it is disabled. Enabling the `enforce` task will enforce **all** profiles including the one set in the [flags manifest](workflow.md#profile-flags). It is intended to be used in specialized system such as a CTF challenge or in (very) high security VM. *Enable with the `--complain` or `--enforce` option in the prebuild command.* ### **`userspace`** -Resolve variables in profile attachments. It fixes issues with the userland AppArmor tools (aa-enforce, aa-logprof...) that does not support identical variable in the profiles attachments. +Resolve variables in profile attachments. It fixes issues with the userland AppArmor tools (aa-enforce, aa-logprof...) that do not support identical variable in the profiles attachments. *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* ### **`attach`** -This task reattaches disconnected paths. See [#559](https://github.com/roddhjav/apparmor.d/issues/559): +This task reattaches disconnected paths. See the [Re-attached path](internal.md#re-attached-path) page. It will: - Add the `attach_disconnected.path` flag on all profiles with the `attach_disconnected` flag -- Add the attached/base abstraction in the profile +- Add the `` abstraction in the profile - For compatibility, non-disconnected profile will have the `@{att}` variable set to `/` *Enabled when abi >= 4.0* 
From da7958a2f9a02e86df049d3b2a5760d99b045d92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 7 Mar 2025 00:00:24 +0100 Subject: [PATCH 126/672] feat(fsp): improve the base systemd profiles. --- apparmor.d/groups/_full/systemd | 25 +++++++++++++++----- apparmor.d/groups/_full/systemd-service | 5 ++++ apparmor.d/groups/_full/systemd-user | 10 ++++++++ apparmor.d/groups/_full/systemd-user-service | 2 +- 4 files changed, 35 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d71647705..0206b0189 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd 
@@ -65,14 +65,21 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, mount fstype=autofs systemd-1 -> /efi/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, + mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, + mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, + mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, + mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=mqueue options=(rw nodev noexec nosuid) mqueue -> /dev/mqueue/, + mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, + mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, mount fstype=tmpfs tmpfs -> /dev/shm/, mount fstype=tmpfs tmpfs -> /tmp/, - mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, - mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, + mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, + mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, + mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, + mount fstype=vfat -> 
/boot/efi/, mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, @@ -157,8 +164,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { # Unit services @{bin}/mount ix, + @{bin}/kill ix, # Shell based systemd unit services + # TODO: create unit profile for all of them @{bin}/ldconfig Px -> systemd-service, @{bin}/mandb Px -> systemd-service, @{bin}/savelog Px -> systemd-service, @@ -187,8 +196,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /etc/conf.d/{,**} r, /etc/credstore.encrypted/{,**} r, /etc/credstore/{,**} r, + /etc/default/{,**} r, /etc/machine-id r, /etc/modules-load.d/{,**} r, + /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, /etc/udev/hwdb.d/{,**} r, @@ -199,6 +210,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /tmp/systemd-private-*/{,**} rw, @{run}/ rw, + @{run}/*.socket w, @{run}/*/ rw, @{run}/*/* rw, @{run}/auditd.pid r, @@ -263,6 +275,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /dev/autofs r, /dev/kmsg w, + /dev/tty@{int} rw, owner /dev/console rwk, owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service index e6c4a4b7b..dfe3000bc 100644 --- a/apparmor.d/groups/_full/systemd-service +++ b/apparmor.d/groups/_full/systemd-service @@ -17,6 +17,7 @@ profile systemd-service flags=(attach_disconnected) { include include + capability dac_read_search, capability chown, capability fsetid, @@ -42,9 +43,13 @@ profile systemd-service flags=(attach_disconnected) { /var/cache/ldconfig/{,**} rw, + / r, + /boot/grub/grubenv rw, /boot/grub/ w, + /var/spool/cron/atjobs/ r, + /var/log/ r, /var/log/dmesg rw, /var/log/dmesg.* rwl -> /var/log/dmesg, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 919c53457..401e73bd9 100644 
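Review bot: `mount fstype=vfat -> /boot/efi/,` is the only rule in this mount block with neither a source nor an `options=` constraint, so any vfat-formatted device may be mounted there with any options. The neighbouring rules pin at least `nosuid nodev noexec` where the filesystem allows it; if the ESP mount options are known from the unit or fstab, `mount fstype=vfat options=(<ESP_OPTIONS>) -> /boot/efi/,` with the placeholder replaced by the observed set would be tighter, and a comment should explain it if the source has to stay open because the device path is not stable. The hunk begins on the previous line, inside the systemd profile body, which continues outside it.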
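Review bot: `capability dac_read_search,` is added to the catch-all systemd-service profile without a comment naming the unit that needs it; for a root process this capability bypasses read and search permission checks on every file, which is a large grant for a profile shared by many otherwise unknown shell-based units. Recording the originating unit on the line, e.g. `capability dac_read_search, # needed by <UNIT>`, would make it possible to move the rule into a dedicated unit profile later, which is what the `# TODO: create unit profile for all of them` comment added to the systemd profile in this same patch points towards. The new `/ r,` and `/var/log/ r,` rules raise the same question, though with far smaller consequences.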
--- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -102,6 +102,9 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, @@ -112,6 +115,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/stat r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -134,6 +138,12 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { /dev/tty rw, + deny capability bpf, + deny capability mknod, + deny capability net_admin, + deny capability perfmon, + deny capability sys_resource, + profile systemctl { include include diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service index d65846f82..0cb9efa49 100644 --- a/apparmor.d/groups/_full/systemd-user-service +++ b/apparmor.d/groups/_full/systemd-user-service @@ -12,7 +12,7 @@ abi , include -profile systemd-user-service flags=(complain) { +profile systemd-user-service flags=(attach_disconnected) { include include From b623dc4a77ed6919428844ce48aca382d5930a8a Mon Sep 17 00:00:00 2001 
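Review bot: `@{PROC}/1/environ r,` in systemd-user grants the per-user manager read access to PID 1's environment. For an unprivileged user the kernel's own permission check on that file denies the read regardless of this rule, so if it was added only to silence a denial, a comment such as `# attempted at startup; DAC denies it for unprivileged users` would record that it is not expected to succeed; if it is meant to work for a root user instance, the rule deserves a justification, since init's environment may carry values passed at boot that a session manager has no need for. Which case applies is inferred from the rule alone, so please confirm.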
From: Alexandre Pujol Date: Fri, 7 Mar 2025 00:07:11 +0100 Subject: [PATCH 127/672] feat(profile): minor improvements. --- apparmor.d/abstractions/app/sudo | 2 -- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/gnome/gnome-logs | 2 ++ apparmor.d/groups/systemd/journalctl | 2 ++ apparmor.d/groups/systemd/loginctl | 4 +++- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-udevd | 4 ++-- apparmor.d/groups/utils/chsh | 2 -- apparmor.d/groups/utils/login | 2 -- apparmor.d/groups/utils/su | 2 -- apparmor.d/profiles-a-f/console-setup | 1 + apparmor.d/profiles-g-l/hugo | 9 ++++++++- apparmor.d/profiles-m-r/qemu-ga | 4 ++-- 13 files changed, 22 insertions(+), 16 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 4c7de6ba5..333cbddbd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -24,8 +24,6 @@ network netlink raw, # PAM - unix bind type=stream addr=@@{udbus}/bus/sudo/system, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 1ba7b5cb3..ee8e3bcb5 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -21,7 +21,7 @@ profile command-not-found @{exec_path} { @{python_path} r, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/snap rPUx, + @{bin}/snap rPx, @{lib}/@{python_name}/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index 5e3ab03bd..06e66a43b 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs 
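Review bot: Changing `@{bin}/snap rPUx,` to `@{bin}/snap rPx,` in command-not-found removes the unconfined fallback, so on a system where no `snap` profile is loaded the exec is denied instead of running unconfined. That is the right direction if the snap profile is shipped wherever this profile is installed; if that is not guaranteed, the fallback should stay or a comment should state that snap is always confined in this tree. The same change is made for `dmsetup` and `snap` in the systemd-udevd hunks `@@ -42,7 +42,7 @@` and `@@ -56,7 +56,7 @@` of this patch, where the same question applies.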
@@ -27,6 +27,8 @@ profile gnome-logs @{exec_path} { /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, + owner @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 3c5595345..36fbd9e75 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -33,6 +33,8 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/catalog/database rw, /var/lib/systemd/catalog/.#database* rw, + /var/log/dmesg w, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 5386662c0..2892c88c3 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/loginctl -profile loginctl @{exec_path} { +profile loginctl @{exec_path} flags=(attach_disconnected) { include include include @@ -27,6 +27,8 @@ profile loginctl @{exec_path} { @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, + /dev/rfkill r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 20b396a72..ca5450826 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -29,7 +29,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, + unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, #aa:dbus own bus=system name=org.freedesktop.network1 diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index d71ccf1a1..1af847cd4 100644 --- a/apparmor.d/groups/systemd/systemd-udevd 
+++ b/apparmor.d/groups/systemd/systemd-udevd @@ -42,7 +42,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/*-print-pci-ids rix, @{bin}/alsactl rPUx, @{bin}/ddcutil rPx, - @{bin}/dmsetup rPUx, + @{bin}/dmsetup rPx, @{bin}/ethtool rix, @{bin}/issue-generator rPx, @{bin}/kmod rPx, @@ -56,7 +56,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/perl rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, - @{bin}/snap rPUx, + @{bin}/snap rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-run rix, @{bin}/unshare rix, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index bf2b92a98..73f097a94 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -24,8 +24,6 @@ profile chsh @{exec_path} { network netlink raw, - unix type=stream addr=@@{udbus}/bus/chsh/system, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed @{exec_path} mr, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index dbf334577..c04c4230c 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -32,8 +32,6 @@ profile login @{exec_path} flags=(attach_disconnected) { signal (send) set=(hup term), - unix type=stream addr=@@{udbus}/bus/login/system, - ptrace read, #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 02a212150..2615085ab 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -19,8 +19,6 @@ profile su @{exec_path} { signal (receive) set=(int,quit,term), signal (receive) set=(cont,hup) peer=sudo, - unix (bind) type=dgram, - @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index 5b867e1eb..7a11e407f 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup 
@@ -12,6 +12,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, + @{sh_path} r, @{bin}/uname rPx, @{bin}/mkdir rix, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 6bb737ca0..ed62f48f1 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -37,10 +37,17 @@ profile hugo @{exec_path} { owner @{user_cache_dirs}/hugo_cache/{,**} rwkl, + owner @{user_config_dirs}/git/*config r, + owner @{user_config_dirs}/go/telemetry/mode r, + owner @{tmp}/hugo_cache/{,**} rwkl, owner @{tmp}/go-codehost-@{int} rw, - @{PROC}/sys/net/core/somaxconn r, + @{sys}/kernel/mm/hugepages/ r, + + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index b100e4e15..b6bbf5f73 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/qemu-ga -profile qemu-ga @{exec_path} flags=(complain) { +profile qemu-ga @{exec_path} { include @{exec_path} mr, @@ -24,7 +24,7 @@ profile qemu-ga @{exec_path} flags=(complain) { /dev/vport@{int}p@{int} rw, - profile systemctl flags=(complain) { + profile systemctl { include include From 9e1cc72cc443e8604a747315678e212196a4a698 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 7 Mar 2025 00:08:17 +0100 Subject: [PATCH 128/672] feat(abs): kde: allow to access gtk resources. They are required for gtk based app on KDE. --- apparmor.d/abstractions/kde-strict | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 282ae1974..0f4410a12 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -6,6 +6,7 @@ include include + include include include include From 106921df234b90762c481e97ee390dc3428f7a6f Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 8 Mar 2025 14:23:08 +0100 Subject: [PATCH 129/672] fix(build): ensure fsp mode set the systemd profile name correctly. --- pkg/prebuild/prepare/fsp.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index 1d38ca294..c216b53eb 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -34,7 +34,7 @@ func (p FullSystemPolicy) Apply() ([]string, error) { } // Set systemd profile name - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err From 0ef623ed40a36d4653a81f3a1525aa904716ef1f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Mar 2025 21:54:39 +0100 Subject: [PATCH 130/672] fix: ensure pidof use the attach_disconnected and enforce it. see #677 --- dists/flags/main.flags | 1 - 1 file changed, 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 87c070c56..d4e7d5a9f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -249,7 +249,6 @@ os-prober attach_disconnected,complain pam_kwallet_init complain pam-tmpdir-helper complain passimd attach_disconnected,complain -pidof complain pkttyagent complain plank complain plasma_waitforname complain From 7badf80854e6bf008110e56ba839d272f5219beb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 22:58:27 +0100 Subject: [PATCH 131/672] feat(profile): improve dbus abstractions and interopaerability with profiles. --- apparmor.d/abstractions/app/systemctl | 1 + apparmor.d/abstractions/dbus-strict.d/complete | 12 +++++++++++- apparmor.d/abstractions/ibus.d/complete | 5 +++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 8489bb275..4ecfbecad 100644 
--- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -11,6 +11,7 @@ ptrace read peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/system, @{bin}/systemctl mr, diff --git a/apparmor.d/abstractions/dbus-strict.d/complete b/apparmor.d/abstractions/dbus-strict.d/complete index 86936b953..0428c745a 100644 --- a/apparmor.d/abstractions/dbus-strict.d/complete +++ b/apparmor.d/abstractions/dbus-strict.d/complete @@ -2,6 +2,16 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + @{run}/dbus/system_bus_socket rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 33d034b5a..5c53b9fa1 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -21,6 +21,11 @@ type=stream addr="@/home/*/.cache/ibus/dbus-????????", + dbus receive bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=ibus-daemon), + owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, # vim:syntax=apparmor From 47b6e3c616f8b57575436bfc09e57d424cea0fac Mon Sep 17 00:00:00 2001 
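Review bot: In dbus-strict.d/complete the first new rule puts `StartServiceByName` in the same member set as the bookkeeping calls (`Hello`, `AddMatch`, `RemoveMatch`, `GetNameOwner`, `NameHasOwner`), so every profile that includes this abstraction may explicitly request activation of any activatable system service, independently of whether it is allowed to talk to that service afterwards. Splitting it into its own rule, mirroring the `RequestName,ReleaseName` rule below it, and adding a comment on why it belongs in the base set would let stricter profiles override or drop it. If every consumer is expected to need it, a one-line comment stating that assumption is still worth having.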
From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:04:32 +0100 Subject: [PATCH 132/672] feat(profile): various core update. --- apparmor.d/groups/filesystem/mke2fs | 2 ++ apparmor.d/groups/firewall/firewalld | 1 + apparmor.d/groups/procps/htop | 1 + apparmor.d/groups/procps/w | 2 +- apparmor.d/groups/systemd/systemd-cryptsetup | 2 ++ apparmor.d/groups/systemd/systemd-generator-ds-identify | 1 + apparmor.d/groups/systemd/systemd-modules-load | 2 +- apparmor.d/groups/systemd/systemd-remount-fs | 4 ++-- apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 9 +++++---- apparmor.d/groups/systemd/zram-generator | 4 ++-- apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 -- apparmor.d/groups/utils/agetty | 2 ++ apparmor.d/groups/utils/login | 4 ++-- apparmor.d/groups/utils/su | 6 +++--- apparmor.d/groups/utils/uname | 3 --- apparmor.d/profiles-a-f/blkdeactivate | 2 ++ apparmor.d/profiles-s-z/YACReader | 2 ++ 18 files changed, 30 insertions(+), 21 deletions(-) diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs index acf88197f..56a223bdd 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -34,6 +34,8 @@ profile mke2fs @{exec_path} { owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 6d84dfe47..003089ca4 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -30,6 +30,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.fedoraproject.FirewallD1 @{exec_path} mr, + @{python_path} r, @{bin}/ r, @{bin}/alts rix, 
diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index c720929f3..5e1079802 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -28,6 +28,7 @@ profile htop @{exec_path} { @{exec_path} mr, @{bin}/lsof rix, + @{bin}/strace rix, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/procps/w b/apparmor.d/groups/procps/w index b23a7bc23..2445034e9 100644 --- a/apparmor.d/groups/procps/w +++ b/apparmor.d/groups/procps/w @@ -16,7 +16,7 @@ profile w @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index 090412ff5..fdddebe03 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -31,6 +31,8 @@ profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/bdi/*/read_ahead_kb r, @{sys}/fs/ r, + @{run}/systemd/ask-password/ r, + @{PROC}/devices r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index 6b42e55ed..d9a6639c1 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -18,6 +18,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/blkid rPx, + @{bin}/grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index d3527c22b..cc44f385f 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load 
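Review bot: `@{bin}/strace rix,` in htop runs strace inside htop's own profile, so any `ptrace` and `capability sys_ptrace` rules that tracing requires would have to be granted to the whole htop profile rather than to strace alone. If a dedicated strace profile exists in the tree, `@{bin}/strace rPx,` keeps the tracing permissions out of htop; if none exists, a comment on the `ix` line noting that tracing launched from htop is expected to fail, or pointing at the ptrace rules that make it work, would help the next reader. The preceding `@{bin}/lsof rix,` follows the same pattern, so the choice may be deliberate.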
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-modules-load -profile systemd-modules-load @{exec_path} { +profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 8c63a1d5a..4231f7e7b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-remount-fs -profile systemd-remount-fs @{exec_path} { +profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { include include include @@ -17,7 +17,7 @@ profile systemd-remount-fs @{exec_path} { capability sys_resource, mount options=(rw, remount) -> /, - mount options=(rw, remount) -> /proc/, + mount options=(rw, remount) -> @{PROC}/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index ecac3e1a8..7ab8be35c 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -17,10 +17,11 @@ profile systemd-tty-ask-password-agent @{exec_path} { capability net_admin, capability sys_resource, - signal (receive) set=(term cont) peer=*//systemctl, - signal (receive) set=(term cont) peer=default, - signal (receive) set=(term cont) peer=logrotate, - signal (receive) set=(term cont) peer=rpm, + signal receive set=(term cont) peer=*//systemctl, + signal receive set=(term cont) peer=default, + signal receive set=(term cont) peer=logrotate, + signal receive set=(term cont) peer=role_*, + signal receive set=(term cont) peer=rpm, @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index f6406811d..d156d88a4 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator 
@@ -27,8 +27,8 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner @{run}/systemd/generator/swap.target.wants/{,dev-zram@{int}.swap} rw, owner @{run}/systemd/generator/systemd-zram-setup@zram@{int}.service.d/{,*.conf} rw, - @{sys}/block/zram@{int}/{disksize,reset} rw, - @{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw, + @{sys}/block/zram@{int}/* rw, + @{sys}/devices/virtual/block/zram@{int}/* rw, @{sys}/module/compression r, @{PROC}/crypto r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 2dcf50743..2edc09970 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -22,7 +22,7 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/apt-esm/{,**} rw, /var/log/ubuntu-advantage-apt-hook.log w, - @{run}/cloud-init/cloud-id-nocloud r, + @{run}/cloud-init/cloud-id-* r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index d540ed0e8..8d1571c1e 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -87,8 +87,6 @@ profile update-notifier @{exec_path} { include include - unix (bind) type=stream addr=@@{udbus}/bus/systemctl/system, - dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnitFileState diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/groups/utils/agetty index 4605822e7..3eca54abc 100644 --- a/apparmor.d/groups/utils/agetty +++ b/apparmor.d/groups/utils/agetty @@ -20,6 +20,8 @@ profile agetty @{exec_path} { network netlink raw, + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, @{bin}/login rPx, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index c04c4230c..6968be40e 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login 
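Review bot: Replacing `{disksize,reset}` and `{disksize,reset,comp_algorithm}` with `*` in the two zram-generator sysfs rules widens write access from a few named attributes to every attribute under `@{sys}/block/zram@{int}/` and `@{sys}/devices/virtual/block/zram@{int}/`. If the change was prompted by one or two new denials, listing them keeps the profile tight, e.g. `@{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm,<ATTR>} rw,` with the placeholder replaced by the attribute from the log; if the generator genuinely touches an open-ended set, a comment saying so would justify the wildcard.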
@@ -30,7 +30,7 @@ profile login @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (send) set=(hup term), + signal send set=(hup term), ptrace read, @@ -38,7 +38,7 @@ profile login @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/@{shells} rUx, + @{shells_path} rUx, @{etc_ro}/environment r, @{etc_ro}/security/group.conf r, diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 2615085ab..aec037e84 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -15,9 +15,9 @@ profile su @{exec_path} { capability chown, # pseudo-terminal - signal (send) set=(term,kill), - signal (receive) set=(int,quit,term), - signal (receive) set=(cont,hup) peer=sudo, + signal send set=(term kill), + signal receive set=(int quit term), + signal receive set=(cont hup) peer=sudo, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname index 6ca8a6370..45a864c23 100644 --- a/apparmor.d/groups/utils/uname +++ b/apparmor.d/groups/utils/uname @@ -14,9 +14,6 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{lib}/@{multiarch}/ld-linux-*so* r, - @{lib}/@{multiarch}/libc.so* mr, - @{att}/dev/tty@{int} rw, deny network, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index ad575351f..2cabb639f 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -14,8 +14,10 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{exec_path} rm, + @{sh_path} rix, @{bin}/dmsetup rPUx, @{bin}/grep rix, + @{bin}/touch rix, @{bin}/lsblk rPx, @{bin}/lvm rPx, @{bin}/multipathd rPx, diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index de55bf829..3552b6dc0 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader 
@@ -39,6 +39,8 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } From ab41d2e0f37c5cf795eaff074d06a288cef8a84d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:12:01 +0100 Subject: [PATCH 133/672] feat(fsp): improve the systemd profiles. --- apparmor.d/groups/_full/systemd | 22 ++++++++++++++++------ apparmor.d/groups/_full/systemd-user | 6 ++++++ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 0206b0189..c56a0936a 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -108,6 +108,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { remount @{run}/systemd/unit-root/{,**}, remount /, remount /snap/{,**}, + remount options=(ro bind) /boot/efi/, remount options=(ro noexec noatime bind) /var/snap/{,**}, remount options=(ro nosuid bind) /dev/, remount options=(ro nosuid nodev bind) /dev/hugepages/, 
@@ -127,18 +128,20 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + mqueue (read getattr) type=posix /, + change_profile, - signal (receive) set=(rtmin+23) peer=plymouthd, - signal (receive) set=(term, hup, cont), - signal (send), + signal receive set=(rtmin+23) peer=plymouthd, + signal receive set=(term hup cont), + signal send, ptrace (read, readby), - unix (send) type=dgram, + unix send type=dgram, - unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none), - unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), + unix receive type=dgram peer=(label=systemd-timesyncd), + unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), #aa:dbus own bus=system name=org.freedesktop.systemd1 @@ -151,6 +154,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{lib}/** Px, /etc/cron.*/* Px, /etc/init.d/* Px, + /etc/update-motd.d/* Px, /usr/share/*/** Px, # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) @@ -192,6 +196,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, + /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, /etc/credstore.encrypted/{,**} r, @@ -203,12 +208,16 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /etc/systemd/{,**} r, /etc/udev/hwdb.d/{,**} r, + /var/log/dmesg rw, /var/lib/systemd/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, /tmp/namespace-dev-@{rand6}/{,**} rw, /tmp/systemd-private-*/{,**} rw, + @{att}/@{run}/systemd/journal/socket r, + @{att}/@{run}/systemd/journal/dev-log r, + @{run}/ rw, @{run}/*.socket w, @{run}/*/ rw, 
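Review bot: `unix receive type=dgram peer=(label=systemd-timesyncd),` drops the `addr=none` constraints that the replaced rule carried on both the local and the peer side, so it now matches named as well as unnamed datagram sockets from that peer; the plymouthd stream rule on the next line likewise loses its local `addr=none`. If the old constraints were wrong or produced denials the change is fine, but a comment would then be useful; otherwise keeping `addr=none` preserves the tighter match. The enclosing systemd profile body continues outside the hunk.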
@@ -274,6 +283,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, /dev/autofs r, + /dev/input/ r, /dev/kmsg w, /dev/tty@{int} rw, owner /dev/console rwk, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 401e73bd9..e3ae3acb4 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -136,18 +136,24 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pids}/oom_score_adj rw, + /dev/kmsg w, /dev/tty rw, deny capability bpf, + deny capability dac_override, + deny capability dac_read_search, deny capability mknod, deny capability net_admin, deny capability perfmon, + deny capability sys_admin, deny capability sys_resource, profile systemctl { include include + deny capability net_admin, + include if exists include if exists } From f8340aa6605e4bb22e75e71257f4e296e51b7fd4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:14:53 +0100 Subject: [PATCH 134/672] feat(fsp): add mapping abstractions for use with pam_apparmor. --- apparmor.d/abstractions/mapping/login | 41 +++++++++++++++++++ apparmor.d/abstractions/mapping/shadow | 11 ++++++ apparmor.d/abstractions/mapping/sshd | 55 ++++++++++++++++++++++++++ apparmor.d/abstractions/mapping/sudo | 20 ++++++++++ 4 files changed, 127 insertions(+) create mode 100644 apparmor.d/abstractions/mapping/login create mode 100644 apparmor.d/abstractions/mapping/shadow create mode 100644 apparmor.d/abstractions/mapping/sshd create mode 100644 apparmor.d/abstractions/mapping/sudo diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login new file mode 100644 index 000000000..54a8c1c7f --- /dev/null +++ b/apparmor.d/abstractions/mapping/login 
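Review bot: The new `/dev/kmsg w,` in the systemd-user hunk (`@@ -136,18 +136,24 @@`) lets every per-user manager write to the kernel ring buffer, which is unusual for an unprivileged user service and deserves a comment. On most systems `/dev/kmsg` is root-owned and not world-writable, so DAC would refuse the write for a regular user anyway and the rule is probably only silencing an audit event; if that is the case an explicit `deny /dev/kmsg w,` next to the other `deny` lines states the intent more honestly than a grant. If instead it is the fallback used when the journal socket is unreachable, say so, e.g. `# fallback logging when journald is unavailable` — that purpose is my guess, not something the hunk shows. The systemd-user profile body starts before this hunk.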
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for login based hat mapping. + + abi , + + include + include + include + include + + capability audit_write, + capability chown, + capability fowner, + capability setgid, + capability setuid, + capability fsetid, + + deny capability net_admin, + + network netlink raw, + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=ReleaseSession + peer=(name=org.freedesktop.login1, label=systemd-logind), + + @{etc_ro}/security/group.conf r, + @{etc_ro}/security/limits.conf r, + @{etc_ro}/security/limits.d/{,*} r, + @{etc_ro}/security/pam_env.conf r, + + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, + @{etc_ro}/security/capability.conf r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/shadow b/apparmor.d/abstractions/mapping/shadow new file mode 100644 index 000000000..5bf542c17 --- /dev/null +++ b/apparmor.d/abstractions/mapping/shadow @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for shadow based hat mapping. + + abi , + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd new file mode 100644 index 000000000..d9cf57761 --- /dev/null +++ b/apparmor.d/abstractions/mapping/sshd 
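Review bot: In the new `abstractions/mapping/login` file, `@{etc_ro}/security/capability.conf r,` is placed in the `login.defs` group while the other three `@{etc_ro}/security/*` rules sit in their own group just above it; moving it up next to `@{etc_ro}/security/pam_env.conf r,` keeps the block sorted like the repository's other profiles. The `deny capability net_admin,` also lacks the rationale that the sibling `mapping/sshd` file carries for the same deny; if the cause is the same libpam-systemd probe (my inference), reuse that comment here, otherwise add one naming the actual source of the denial. The `mapping/shadow` file in the same commit is an empty stub; a one-line comment saying whether that is intentional or a placeholder would avoid readers assuming rules were lost.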
@@ -0,0 +1,55 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for sshd based hat mapping. Similar to sshd-session + + abi , + + include + include + include + include + include + + capability audit_write, + capability chown, + capability dac_read_search, + capability kill, + capability setgid, + capability setuid, + capability sys_resource, + + # sshd doesn't require net_admin. libpam-systemd tries to + # use it if available to set the send/receive buffers size, + # but will fall back to a non-privileged version if it fails. + deny capability net_admin, + + network inet6 stream, + network netlink raw, + network netlink raw, + + signal receive set=exists peer=systemd-journald, + signal receive set=hup peer=@{p_systemd}, + + unix bind type=stream addr=@@{udbus}/bus/sshd/system, + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} + peer=(name=org.freedesktop.login1, label=systemd-logind), + + /etc/motd r, + /etc/locale.conf r, + + @{run}/motd.dynamic rw, + @{run}/motd.dynamic.new rw, + + @{PROC}/1/limits r, + + /dev/ptmx rw, + /dev/pts/@{int} k, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/sudo b/apparmor.d/abstractions/mapping/sudo new file mode 100644 index 000000000..3347a91af --- /dev/null +++ b/apparmor.d/abstractions/mapping/sudo @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for su/sudo based hat mapping. + + abi , + + capability audit_write, + capability setgid, + capability setuid, + + network netlink raw, + + @{etc_ro}/login.defs r, + /etc/passwd r, + + include if exists + +# vim:syntax=apparmor From d93db0eca92f7255040ab7ecdd88ef82c7a1610c Mon Sep 17 00:00:00 2001 
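Review bot: `network netlink raw,` appears twice in a row in the new `abstractions/mapping/sshd` file, right after `network inet6 stream,`; the duplicate is harmless to the parser but reads as a copy-paste slip and should be dropped. It is also worth checking whether only `inet6 stream` is intended there, since the surrounding rules are otherwise family-agnostic — I cannot tell from the hunk whether IPv4 sessions go through a different path. The `unix bind type=stream addr=@@{udbus}/bus/sshd/system,` rule would benefit from a short comment naming what binds that abstract socket.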
From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:43:39 +0100 Subject: [PATCH 135/672] feat(profile): add motd. --- apparmor.d/profiles-m-r/motd | 58 ++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 apparmor.d/profiles-m-r/motd diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd new file mode 100644 index 000000000..414512c89 --- /dev/null +++ b/apparmor.d/profiles-m-r/motd @@ -0,0 +1,58 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/update-motd.d/* +profile motd @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{e,}grep rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/head rix, + @{bin}/hostname rPx, + @{bin}/id rix, + @{bin}/snap rPx, + @{bin}/sort rix, + @{bin}/tr rix, + @{bin}/uname rPx, + + @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, + @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, + @{lib}/update-notifier/update-motd-reboot-required rix, + /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, + /usr/share/update-notifier/notify-updates-outdated rPx, + + / r, + /etc/default/motd-news r, + /etc/lsb-release r, + /etc/update-motd.d/* r, + + /var/cache/motd-news rw, + /var/lib/update-notifier/updates-available r, + /var/lib/ubuntu-advantage/messages/motd-esm-announce r, + + @{run}/motd.d/{,*} r, + @{run}/motd.dynamic.new rw, + + @{PROC}/@{pids}/mounts r, + + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor From 20699b20b609a033fe683a2d38509df128d32f9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:58:18 +0100 Subject: [PATCH 136/672] fix: minor build issue. --- apparmor.d/groups/_full/systemd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
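Review bot: The new `motd` profile mixes transition modes for sibling helpers without saying why: `@{lib}/update-notifier/update-motd-reboot-required rix,` and `/usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,` run inline under this profile, while `update-motd-fsck-at-reboot`, `notify-updates-outdated` and `release-upgrade-motd` get `rPx`. Anything the two `rix` helpers touch must therefore be covered by this profile's own rules; either give them their own profiles for consistency or add a comment such as `# no dedicated profile; runs inline` above each. `@{PROC}/@{pids}/mounts r,` also reads the mount table of every process, which is wider than a script reading `/proc/mounts` needs; `owner @{PROC}/@{pid}/mounts r,` is the usual narrower form, assuming (unverified here) that the scripts only consult their own mount view.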
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index c56a0936a..a2f5fbd87 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -70,7 +70,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=mqueue options=(rw nodev noexec nosuid) mqueue -> /dev/mqueue/, + mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, mount fstype=tmpfs tmpfs -> /dev/shm/, From 404b3d0ce2d2bdfd856db54f0c71bdc98a0bd29e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 10 Mar 2025 00:03:30 +0100 Subject: [PATCH 137/672] ci(github): drop FSP tests in ubtuntu 22.04 --- .github/workflows/main.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c97229256..584b0b75a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -18,12 +18,13 @@ jobs: needs: check strategy: matrix: - os: - - ubuntu-24.04 - - ubuntu-22.04 - mode: - - default - - full-system-policy + include: + - os: ubuntu-24.04 + mode: default + - os: ubuntu-24.04 + mode: full-system-policy + - os: ubuntu-22.04 + mode: default steps: - name: Check out repository code uses: actions/checkout@v4 From f79f22c06aea2b8cb769d514d5e3cde71ff764b2 Mon Sep 17 00:00:00 2001 From: Yifan Zhu Date: Sun, 9 Mar 2025 21:01:45 -0700 Subject: [PATCH 138/672] docs: fix typo --- docs/configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
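Review bot: The rewritten `include:` matrix in `.github/workflows/main.yml` silently drops the `full-system-policy` mode for `ubuntu-22.04` without recording why, so the omission will look like an oversight to the next person editing the matrix. A comment on the last entry, e.g. `- os: ubuntu-22.04 # full-system-policy is not run here: <reason>`, would keep the matrix self-explaining; I am not able to infer the reason from the hunk. The `job` this matrix belongs to starts outside the hunk.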
diff --git a/docs/configuration.md b/docs/configuration.md
index c3017c28d..dda450a85 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -189,7 +189,7 @@ Common mount points are defined in the `@{MOUNTS}` variable. If you mount a disk If you mount a disk on `/ssd/`, add the following to `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`: ```sh -@{MOUNT}+=/ssd/ +@{MOUNTS}+=/ssd/ ``` nOmHc!RJ3FmglyY2dy>^F?u5n@ss1ezyB@ z^>D|_XgyzQUaqDu*j?Cu&kI~UpS}I@(~OOqJG3R1GatBdd&P>}O}teVdN&(q*wwyu z^?PEIBzyeI=VxvwckDSHx6+%zdg-+_S5M@cK9VtcX+DQHzV=qHmA&!#!)Jb1T4$^) z*!((WPKq*D+ntsC7N9BlQ%_F3Ue7Nv^S*b`(&_52t$uF&R`=m|SKOCHV);gHo72vR zy`G}^a=-XzQ{~-jH*S~YW8b;`XTf3P!{Pf+Np^K}ymu|xeRTW&#b4EPtnU0MvHtkL zzDVx*PT88A-Z^LM1@C|INj6w~PE}b`ZE<UuWbld5vXV^ zDoX30v*bY7AJO+qb$zlm+%^_h9nLM@AM^ZP+M2ZRNxQ0dZB00?9oK&MLn6<`PuF@P zjvId6_p?nrF?>>)YLv+IlRr2MpZGVbeO5nl8J6|rz_H~FFBOwwprWr zoa*!UUXvD0l$`@wEAZ4VbMD119;j zPFJ72WUKz(bB;4oUg)~tn7ZWt{t3J9uFcq--NmyzamJ>7+xD!vAz=08gw)PC&!Y-^ zlck1Fdd^IFmR_L-+Q~Oz=6w13&`T?yIKAKut*YJhuHXKm^zLs(3TlE?%TrqKb+*NN zT75WlqO?3)7c_Ep{d{TV|AmR?uO9AKTfgd=_l;i5%;o4A5MZN zeGio%@I2Wvd)I;1(wA)JwKuyzbmdR%*?M+P%9DLFe!KqGw&`v>z#Vep-QC@f-EK|# z=OB7-&$l1m>x)1hS-$Mv3A35t)brCiZtcqr(slbSbl02z+H~t~R(tHpmuC~Y*n;c5 z>)&>4nEj{6n>G5ek<{%@ligl=?$fw-Z#tF(in%%I1_Bk0Tt$L^&1#jx6+h(N{=be- zCi}UAkJ6WOb1aQztJH-6+1@lY;97P8{F4r}xGuxymn%CA(ic-zc4A z#-=-!cXyYD(2Xl)lR91Mj~k0~>~Uyi4cwmhBWQD2(Y8hVUu`}2a-aIVrw&sTzW8P4 z&JDQn_T9^if99^g>Ux9s;-|3q_~V9O^X|Uzy)kvk-)*jQ%~loYtt+0?EfKl%O3=Q; ziQ(sX;+I*A7R-(Lb^fI3**SAg-q70<5Uo#lR>J&OdD+=uLbz1`g2 zd*(x^!m10O_H9XR?<*v9!!wVUqh*6i(g zxWM3s9`_25QP3OfW7k@~f z`f$Cce({9QHX+w6r&j8Aohf!Usxq`owUB$BQI_hqFIYEx^XeW@YkBs+X5LHj&qXXN zGCp(1l(MtLE$|Y3xa*7j=a_Gs=P+e|y+6OE@3Fzl!!xp~mT&3%5m9#H#Fe|37gt)x zYrndbzN|wdyNm1jPy6ZL-=?j*VAm_Q{U2-Gb%ocTzLm;cKe;wv<@18mHs(2fkHzP$ zK52X)MJ8W3FCSVcNIv&|wlh)X?>*O&17_hSZ=_nM3zWglh8EZCJ7fCfs{ye&PzuN0LQkK03HL7nNY5TFIt1b4VXQOX>tmiqcD*N+63LluR zRuxwLz4?9a7W=T_+)ju zYc5)`DH{A^3Q(^g8M-oZKkMu zMb>{_{9U>F>rcTl)t4(>X6GC|ocBYnBjtwau{k-vOMWria5o;{u6T5yjko#Si;IH# zVP=6-Yk&Il+pKaCC2hr+e#bm2>Oeg87g7rfrW&l0AO)_cOQkhu*bsi+q1; z8K_!or>nK7uN6B$Uc(fV2L}Re75V))|9r%jl6C8ks*%ledSqySI@RoQ2ll= 
zxIcT>oG70q3lFVR;l1=}+S!T6uk}Rj-#sfad{W)y8DSqcyuLKOg8Oiu%7(Mw)>l4b zY!v@+rZN1wyor&rSo+$q)4#X(+brF8gCU$x@8a6co4vWs@+VBZa!tgu{hk}gZpHP{ z_oQssC%rv>b@$WK{6p&|Zc#OKZEs$7sx5Zrm5_x7Z=_roz1y0+KF{KWHaEwfhW4J` ze??F3uQs0k{qcFb>-Otv+n9rt-rN6-C`xU+l3kMaBDV$7nl4Uu=iR=?T`pRAy5Zjy zw-U<(-27FSh1tE?^(3|B@CI$=n-2dE81r-NX;{v;@8gv!Px;=6AdQJDyo4%V+`Rwl z?_qaKjmcLk7kPi)o+DwnXOhWU%|&X-pX8WC3ul-d<4UX4fA{*6`%NeDt{HFaRBLi8 z6-ub>wimnZhJbbWy6wN6P!3x8#i#P+`PcYA~bCm zW7&B*v2WY|&Uw21>DH%z>UPgr+AfwQ#Iqzo$fNN{*_@UM8f8|T0v@H)Q%;xNNsZoS z`uWcFpUG)YCYnrg%Y8QSOXdDJznqsdXS(~(ejl@I{_DKeH{M;#x1YNG%f-IrrM1~p ze_v*Md;8PB?pObhe%iQD>-Ww-Tcba1-glz7H{VLHd6UrcJxOaVnefkqZ~=-sjpseZ|bAKOt7{runaW)m)GGdrq@nJ)R!B z_Qkn4$@b-W7EyQK%IkMey{8s@^?mP>X{XlpD!uUwOWht6W^LwkRO|h*u2=6;Ldw<} z-RujvIdw^T@`dwU#eMr$M8|8q+nzRcYOHnC#;>c`Z#SIE+rKAz)$^*TS(EPm66?Hl z-Q8vZBa{Ax2S;Atjh|fOzW;T7^RZ8M`|_Ieb}a6lYvdNaJ@@*@@9SmET(&)%RJX8v zSKHlBp97xC?oUc@+ja)jn=4FQ$MuzO_cJcTZ``{l*=GCN#y8p3wwA?+Oyt!_wnW@5? zX~!Hxbc9l-=VoPFpSjA;5|_aB;@wvL8EfKCZE;FowTGQw_L}&*eSLF{ypFzlw{}(P zfh{Mm&f-4RYmmNy_jB#~igmZ12~KO9<6W`hxztlD-mf+xmB-gD&)!^ix4vAnM(*yu zxO?Yn*X~Smy|CuYWgTWg978I3DJcV&On-Jj(>MS4+` z)m81?Q~Q<}PX3*v6;f#)S3Y%5lF$DSQ)5@}l2==`N!!z0JnHKj^{@Q94X2*@eSNjA z&fU*1=KkLCtKk5*&(h}IN9~?(YM#2)P}_7yzRT}r|BHW`-m2fwE*spu`0Cw@l3HK< zmT!m->)2TGyteG$k$KHC*L|9{dUqt}?%B4>tv_vkl2^3)Pp#v|XE8hn)cPky$Mf#| z|6cUhHRToYYj0{<_f3hOSb6_;U1it1ebJ%Et24t9Jzp%dJ3dQlVtE-=Fe!zS?v~E_}Aus@=VOyY()c{;c$B zU-2eN^G#pK&8r^S<4`x2>PPz4(5>-7bcRRQrgh zc5+{SEI!^Adh`6%Z_i_2>a5j%@=C7k?A}G$y;Fl6EGC#dwL53c#{c`ERK)a7@zzrWP$?VlwZeDqpTX?c^3?7f7`dT+kfmYvR+S{~na?9;cB z+-vLDZy5=e-EG=eoU)G3TlDiM&!8!hnP%HwO!|8E>$UoScG~?PboZBKTCRR$5wt2I zdd-YWJ4)_q|1Z=2V*7qw^UitxgbW7<7}S4emeKRx>hZp z^qj{a@ao-0#Uj6=5~)WoMaooH?b({Kf7^}n?H3cTpD9V-=jva*?%&kdn->@IEIqX@ z#)y0V?TgpS8dmdj>^Wd!@crhr^)n)?|4$GWy;O7f+DqZ^n6@K>sLHfow`8OB$*Qc($)D!mN)!UWQ>n3}J?l}2F*>m&c1xK`Q{rg=IZ2RNG`Sh)O zpSkE7&nY_Iw&tYM)a`$7t)4QiE<51f{Y?ii_pCT&r}_TzzJsjy{@++3(`!+{gPit!NZJ3#Ke_49n-i(iu@28g3?EgOL 
z#iu2P%MVRUFJGlO{qpMgnrA)t%%ivGhDTI&o>4d7Hgn0d1h2goK1DB2`AO5*`-r~q^|NIlLznA1*`?Yj>n9AK>p=G%T4sNoscjrIyY*%~iPHmA( zmuB4U+93VrV_)d@f2!|!W@xVXkfc^P`R~>kX0KHn^PRffempC+zj(Oc-gI&KnUtQp zvVPe@Q@G7?53M^>a>RCa?lY-~r@8yzWmV2Hvw4%()0wAvW?lV_sa^XIa&3&iF;!&t zo&RyCp6IiImdnLS-*=&YJb+# z*geXiQZ2dDyf)`SipWvDf4#dKb8oM^`|JC9-KoFNXz#ePdzZDr7cZh$+7AA&ITK6*dYM8&2K-p4(&qpsFo0@pN#K7ce{iC@I#_#sd_idP& z_I=s%UE+FmiJPB1|6bp(={q^4_ovK_jitMvotwEhd`{)9o}1!drFL7-S(eaM#2YR% zmn(7mrml%sH}2W|+63%{Yw>|HyKkS^P+fm((QNKwDWS5n!6zRd*swa`*OO!0rf&b> z*D$kPEkyXnpM2baNnQ5@~=0hUpqVF?}Zbu@|IfGPQABM7L;!$ zU8&10e3Peq_#Gerue$tf=R@mMG?z6WT6gE#`J0yCi}x@$9N<19(r-7*{CmC3m(uTT z-=67;1pR$HUGMU{cYiO}iHjV6w=N(oZ~d&vGiEjYsy& z>{#}12|NF_RGobP@a1K9>!+Vt#Ae2|S?l+bJ^g$CnA%%?j(qw(x8rYS=r`{vuejQHx?Qxn6Nsa!ms;mpRQZ*Vv#BYN8%-8B+2RnoV&Cf@Fg{q|%;`<2|d`>a#%tbV}4FEU?wcI$OsR_&JoJC}zjdkQ#Yd0(xV4HK z$5r3<-=DXsn!R?hjcht|?W5@HFHU})z3l3@d%JRX_wE0F?acb;Z&X&SJk>sTr9fGK z+r2lr*S}nN5>i>c%c{G!Tw0{8f5*$!KUuBb^m6PDTJc6TPO@z3np;=4{V7`aMd1U} z1lRu^cdFR#{ZGzx?An<4JxJE>&g%X9pS-?xd2jrwCpJ-w|9`&1Yd_^uiPxI9Yg9DS z-SY#3c>7o8O0Le8&8b;`U3#W`)TI?`Pa2S!-Do{>GiT+Z7q9_u1e_ z`^T;guQ&d$`0VJ+;klckur|M^8^l zGuhMQc75Aht9SRN24~GZJ@wwokeh3#9M#IVDeyd#-!qb?I%Z zQ*|lc$`2 z!M;@Y{@fjXyl=0^sV?29nE1W(#u{m^;x5OyusN>}{+cyMGwMInIu%#$rLT%IcXlnx zeZzfHPctOsw|3p-fM2^q_8h#X`z?P)m`u>e+r5eQw&jgNc~Q)#Zr!RmD5+nkvgG68 z=5xIHZ*+1deVJ|gdTYi(o4sGYJoi6&c6aIT&6l=IS+BlTVbXf3Hz!!*&9_jqGgCI6 zy#A!MX;!~|+-C9q{IrA4v2&xouk~jCE4EB7u{_%6%hEqgvJ-nFZoZA~FAOVN8-K&M z+jv#zx~ZOO)=9HUAMUFTD=SQ7_qy(A##j(?T-LreM9wbO)M3i;&t@0W_y2Xi`}st2 zaM5kM(!W>MybGHZyEHZO+TnE}Yd)nF_Iz;(sWcB=`RhxWP`pdBo~c)x(c`i$I~szXayd3RjjweFI{*YokaV$SEhniF)p z2E^seal`yE&R{51#*ekRbuCFd$sY# zodp}B|2>dpZ@sH<`~6wn`b!u5pE5Lx&#*GPR~lR`^+i8)zofMF*9{?W?tHjDe^*F* zzs$)$+vfOPz1z6Z+}!8I*`OP`?rU}2?j2e<&oH!-zqB;#`rq7A{@ve~ZQioUV0B{R z^(3vI4>m++wSVK6Ex)&;QQN}d0c+N^o7?^r8Apei#+X#RO7yHsy6g7${rcK)Ior!; zbCyS!Zl88x_R$U5YNAF}haWt9Uz2?0_|;`yuk!XDdS{$DdEKe=xiL3N^?Ps2%9Ndb zGws{e)BDa&l~(w`w3y$-^WAxs+|^Z|L_YDpJ+JM#{qFY-`zp?Uoq4zJ^449}F)z+$ 
z-B|ml{MwSmYd*=ndUfU9@7u4W%C=W6S}*oY`~HFr+TSk~tU8z&{waO-^Ygzo!gCTb zwx}|-)c&+Pqi?An2O{`>3F=0>HTzodQ6Mz{F(d+~7nt9N?+ zeSbezNnfV1{_ki1=0odZy54c6&Gg>)TmJvndB5NBU)}O%*V6dQ2Yp|+aqOOIfBQ(w z-M?}rp6{97ep}+07|ylPAmQn$?A*Xj-R6JZEIZE9aDcn#>b-BK*~H0| z*)PuMO;P(UtE~^Cr_1qfo-9*VeHWBff!gp3`a;)?VF|U$m61 z?f3+?1#EBgE3Vpm?%Mw<;n0jzNpZb08n5NP%1@77SzZ5i_L-c`%kzFb+#A!``>P&x7g|JGerM?>D^x-%Kd)o?Ik7q9elh`PjjxTtgPN~ zch~>9+9n1@T6-LHZ{7N1=^a<#p7qe*cb2h6L&cQ#V|=+C7fYWv@4xbX@0X*$=05Jr zeDUnozU1~tqVwk)UcKve)GPn1BSTT=?ocDEa;s zoqp=>>bBU`e}1}g?M`#fyZ!0^dhh3%p;oKo**7F@(EWS-)a%5h8>~N^T$3bg`s&m= z8?7nnLDB&?OE=&346e95Z}+L)KJ1u-@zESp_ z?V|m^&rIK1czRpgy5o=S|2ckKwoh`E>WrerJd?lj><(Ken6_cH`}0fdd47K0`hP{l z-L>vFVg;j1s~0vVhObl6m6>~O&;7R(#GHBLZx%e?#JBDYD9aYSU7a8K@Kb&Wzw}X0 zO{rMp+m~w{>i@3P&pbY_miMGi?CtqiH?Gc~{qgvz45$3Phx6`-8{Js;=EF7JS9NbD zIvx)NH<`-IV-LM!E}WKk;(TVp4P8IIhpWWORKtI~T6Xnx-m@+qfr>`Y%Zcp&9mV9< z%(Ggg!#wrux!m)w^#8s7d~5fAhr98=S4!8dP&r$?;EF_*v}oDVQxg~6+_ckc>h{O( z?(bR7PJpci`2Ef=?MAK6wv5cWxcxh2UrCj%HJLo?_^QO~I)4@^zxkhjP7l;fUbk(V z)1=Es^R{iS`sE>Q_jiNJ+RXcF?En8zy;Z+qdEWY+wa58ncmFEun<(X+uY5S~ez|S+ z_Vu#2cDdf&U$-P*mVfH1-IHa@%q#rvpEw_!lX1gW)qiz(+1au-wd(n|ZgI_t1chCR z^t+gAi5KCo#D?X$JQf<<&E>iC8T$m zFeGnTUwii0PyLF-^*i_Ptcu9|vqWUlmfYugf6MN&?fqK1K2UGwp5VIQeX^e3(>mcqnvL#-pPrrv#Y z=itfxIlIztez%wmI)3i|h24c`YrCiI`QSQfe(2lZif)yYOleU32M?u<=H|kar7yo2|LK`NNdU^EV`juYPrQfnM=R^Rag3QX=Y-QQ~sJ2Uxdoq z>(<7&zL3qnvDak3ga2~hUf$h?r$QvG-bDTItG@lI{^=XgR=_gn_mhOD>wk%SeyYav zt3bf3to&g6FLpIogSO^XOqy$VkNac8L*BoK*IgATQ~z+`M8*xF zLr%6cTQ|J^sd#wZov?D58^7Fd?V9R8k)cui#0KBli*&6XKAScz^8M7G8?TCSzB_v0 z_KDdyw4C05ySw`fd;0#YkcH*H`((ZJ|Jx*&tDiXFrJq>-;yTw-hF9;lw%@IJe0bfR zsXs1EjrDx}_>E=$tGL?dj^{WU4sfU3dzd?$Prmw7=JwsK_R~UN-wAkgarK1W3%}3Y z;$6(Qmp^`INb$;demO6;CcWsr*RUZvctUQ?4c+zb>tq73?zx2<(W!|LqeAZOw{7Ew}>`s0!H~0IiiS6b& zcmJ(gStM!_x61=wU=HOJ2Pa} zmo|fg6Vq}QZeLv7JuhZ^V1C`*>?xh=q}-J1jtudDo#czo5<`ok0XeD)nsV|cY#`Abd6rSolZN?IbHHnFW= z9vyJT^yNNx`OEQtpD!=n@I2uD_igWQEKCl&f9%|v#m@w$NF;8bR%(^fX%`%^gqN3Z 
zchTgfl`9w7#jC!#ceifC>%%e+LA62Lty^5~-=5sh-4xF&UZwkXYSxU})p85JPw%&1 z-2d;rf7bhd%#)U=*L?w13BNZnE;RQEcro( zd;3=2&7*<5S3c_Y`Z8R(|LC)RRpP5%*G2ke-+j*TDeC3jJLycfv#wu8*RSatqK`{9 zZl73{93tcVYVNwk?b^@2yga1z_G8L{<8CJxPfs&j6MVz>v(&atueTi+w%-2uU8;Y9 z3UjHR)CSImU$=K>o;{cBZ~N9!Ge##k`0LU=5wp2?9mPD^Wp`WA~`C?tp(rSipqGnC!jlLOrZ_mqS>G1o1jQcec1honGrTd)NJbq%&6{XzqazZEc)O1;o-5ZqzEwUFyxvebxGf&rA8T?x}ZA zef_R@DDS8dbJ(VB8?0l@*JT*25OP4arFS}$Nd-&blmol~LbImu*vr4(4`~UKpS8`>lJ8f## zJf8Q|+cF9i5|2yE*HorloMha$~3T1zKa>AL+r6|Lf_&s7qBD(J=Bb&21v zZ3(@veMVZs(4A*@ZRAy_RFS!FHfT@(x4HQ0r}M>AK?~g7ad17bkD5d~|4C=$Z#lTJFBKdLQ}E-a@J|CowBgp?c5fc~9kw zw#)NLi`a-&*QcdOCGGr@l5?$IR4jA)=g3`wvzjzRIwuC}zRBzC{I|JajoFc9o&39* zneuZJx3?woq?woPdw8{8r*osN!!<6Z943X?yZ*m%wx7E{^Ym%oZ-*8#H=lkob7tF( zq$_r+RTrYaB%RJy+*>7GoG2gga&A`Q_mwvmofi|!eBZEr1t;(B+WM^z53gH&%y4(q z#YFb|%U7>k6fQr((MOjj<>t@l&;9z=n$LPU_pt7>w62Ak#+L<7FNu8iD}LwRs-0gq z$xExq?_FkjbCXC}`10Z}b1nQUx1Z$Sy|i9@`e(!T*y(HE*lhU9|MkVx52EU0bdc@0}d|F#|u3^aqoi^Xd#r~O-bxvGb(d5IwWV7k{MR5-6?;VSIa8{%? zt0i`NNwHP`Uaou+6-8 zI{!`X+5KUcKDToViJdmyl$u=8Jp0S*8;j&v_g?wbtLGqGWh_UoTj2 zt7C(5^T=_z!FKMc8%8twd)e5@zrp(l1DVIU@cWXT>wg69 zGp*mYIggyJ#By>8O7Ro^QXwLi+)Ya(;8CM`8P;>B5~8?`FuE{St4(#<30hYF|J*rw?^km1-s&4qW4b(pGh_0Z^-Vh{E&3OJ*>0}riw74tSicu;&6o4P(VMr+^4wK_u3|6WubTwQVim>M))#NRmTY_b z-dWzP16Q0|#b>=i>Kn+jv5&J{#SYPuEVrG_&zdK>p*EU;5PF z$OT?Ved+YqX0B?g)|+Rh84HdtIJGYC-J6@=;=ub_0-j&ky}tG=FSnm@#4FBdE8zL=(=w)5D!Hw}h+Cv7dy@}B0jgizX4XljXRc@8t0NPb zF#VeTmubvP`|aQ4eVt<$ZV~2xG)+@Ear=!`>jR=DCmvpR`s>GYSGE7OE(RSecVfjm z-|Y9%8-9FwJ1JIycdn%GBq>|%=&2X9J*D@0`d4p`OLV_-Xve)@t@paT-bWmM*ZeZ4 zc4I-$H;t1%H>U1(ikfhfBk{WE;zP%+!u9{#xPuOEoKX1t)^$6p`je8`Ic!ft!uyi z!?VBA>K1>O{rR^RKX(29zpC?HSLi*HAkWj6D|cz0 z3;Z%+?S|RQmM*k9+#c&0Yk2GS_B*@(7=AMW6&t)Z|L1i3X|n9U`&3`X@QaqlvrUp! 
z>9b$|_x$$C^dX1!)^iKD@3AhcTy&bN`%BMrHkVs$?XgpD^;ND>d~@rTLUs1#;|TRl84D?!zxuPyXYP zRx1{4cG6#a`qd`uzIQF|$=&-V$SqzwFXZQf5|fIk`xCGH-~E_>_ce3VQo}dX*#GXD zwB<^2dCP{^mz-zWKIffV{x?Ot8dTWNNaM@DUGn3{^f})SJFVY)$S0j={}%IY&4&fd zH%(ouzg4e#F3hiT@HIg`==dijSXJ;c1F#UQ|oT#p4z^zw)pnf z-#1r-(uB#@>btwP>`s1L`q|I+?@qP7RX5J847zPJ(`);#bgeJ%zPNnP6?p#a@ONZd-Nt*tH8AUT3a6zAlSn_pVK!dDs7R`2KzW$v;;?#`x!7uXOW`+MQ-BDMvG{*mps}gYc}61c`_-_JNoO^KTdDI#e6%I z=OcQ`d^xXtS*+Z?J3F(E-e0x0Hy(V^nz3j3?^{v`L6 zZcP3%`^KWv+@H6ech)?Truk;qq#5!eIjdV^Cx1J7#eT=neN(l;fyq$vs`7nB;FSAX znT5L3`(`|OBFVdVQc0b~68n>Huj{PZYig}?ng7%0lIiF5mY&IJjs3hrfZMb+c6#ZF z%iU({_q{cL6A3DsYvVrLzgJuH{-N^er&hbCJ?&n&{h#vUGmD+9KGnJ(k6g9?s>xzwG-Ij{EO@_CP|*4{8ZWW%>R zqQB`~Z}F2!=eESzJq({Xy`(mA-Lz%gB@T+!iPuAUc0bKiRBnl#9(H8jlee?w_f+y% zi#zQ1W?|sjV>YMe9P9iEH}_vJnY&?u$&*)g#?fo1#(7%lKKW{XGEUb2_a-~pd6%F5 zWWBXyS&@D-Putx+YwoiMJGaG7KQ!GsT>t;_g>hU5&bYRUJA~eqef@4$`76ouv)Oj@xX_C@f;?G!Vl;6B7-#35B(Aqoc%dY~D`bj0(?|9}c z%uUX@bm-CMAr56x><}2$>owmCwx+3k5t_hUICLW#mPKHzkTb1?*SkOXl3WwriJ#|nH0Vw=U-FYN*o|MfEY)`2=KXi>Y=1ZRC&xa_ z`vz}fx6`L}=e9-5J$wVI9Rv1X_`R&$Zu@tSs^*#VgI}vIpBF6DZ~DdS(&J#rY+S&v-(Yxq_s5ydzvtIK`Yu*+I_6~k{%QOdYd3Gcs{EyIk^g&#+qTQA zAIWSzu~p@XsL>wzYZaUK#Y8N*`Z7m!lU!M{qoVE=sj|DxvD;L??AiZ&-RJ9v9b7xOpdPTDkGj3n9}L`5v$Q;&n-L+V%Fyd2`t9$sTZ?(c3*pZ@L$^LRifd=WuPcJ;rGJ!d#?Uub@P*dShvPC zC3(EMbTo0#!s{w?C(B%7pZs^$`eXO5O!L~MK6ml!%R6tazvP=K$+vr%hBx=okGo7; zV$HYiPTRjc`>XH%Cu=~%WfLs9;|u>Cs{EW5|9sQ-Yrkexl@?0mznI!(zICs;P=g+?7_5UWv&hZ7sx>0Se z<;y$eF-qU-S8R=6pW;>QJGm}$R>uYHP`=_9YfrP?ecV|m^Zez#l5ZCm%zU^ZTWgz4 zab<4ebLC zSb}r#=by^vUjJ6zTJPg%m^tf;(S4WJxRn;cx2q>HR|Q*GBp#Mov?R2!FVE+B=KBLm zm2HRfI#!;!JnQhflzy}GUiUUXJeMjvM;GMNW$VKCu6p^z^8D{L)qf(^I?KeU&3`g) zudrm5>PrjnujdLJp5IoS*=xJbUM{*Mcg}LY{8if$H%XQ))~@*X;&h)(+1<12?rqxr zRsZXeuY2dHfQ@XOe189jq@^FZri)$qC9!>p#gW8Gc^R``T+sIP)>+>@IdAU~x9N|q zY?sR~`}}pscAl@A3e}0%W1p>b+PS~TH}N`ORY(2q)T_B$WI(ybfYSY>sHxkIt-u^O?ghqz1#LF@9xXo6=**>dtvS-r}ZIoj{n_L;PKv@ zPowa9QT|og!oI57mifxriQ!spvEMJY++~(~^L}^O+CO^kwxAP?C7)mUtQR#&>+i%n 
z=jF~W)oz<(dHH=-ve}~-|uOSEe`K!-FGyLbGO>>UhO^gr}u7O_b`L~ zf(GYo1_$N0+3}mVSD)+**X!`@^jSao`n976ZBE_s?)HC@UOxFuN?{RGzN6Wn53M|H zv6Hns1I4&&`{ga)MDcj(-Mv%t;_vV9zd7vgRt;{84sk0O`_=rlzL)Uq{^UPLF2)>t zq_RbS_8YJFS2%YED*FDmty{7o`{1_7Rs7|41-IYITxHm#uz`~y<><8EVR!D{z4gmz z`dSHJE1t}KH=@p{>&@9EYVCYwuik`-8=}{|64P?3&rLL+@h)ek@$aWCu?&$;t>O-9 za|`ZS|I=LZQP}9L)LB*CHW$0bVBzaqFU_91LAtxP^!L(R6A!Jst!R4l|Nhjgr}T@y zfI2n~z4OZNS;vVa{i>b3x2Pn1ThRS`oV$)(RsE8t@Mc!bv}K#>?l!pd?M|zT@%*&# z?CQL~y6(CSI**o_GR!PpQ2X}W-}8|LPn(uqQ@H#(MG{0XGQl))p-PGmm>lEKiyR;`H`Nq~y#XLN_-*II+rZwk>Yqvjsm3V!Z z5P$u(%KxXVEvy(*WJTi`f}P5b@A_uhJ*~!iOUrZ5D%Z90H+qdxQ6+Kfm~!v$y4AeyX^uHLPsl(r?gw{=~lGHhZ#SP3*JdJ?|zi-MIJh zoTa%=T6=kUc2Ck43G&RGD*3vNdw1gYNl)^3hppeyw^-mnh*PWhfhm{o?tAy~xt`tI zQ+rA_d8YTOrOsNulqWNJ{=AAkQ}4O8#+J{#6cm5gV%3K1H0{~5CvPuXx9h88p94cM zFUaAyIG@K>Y^?lMy0cIE?bG}{x@V4syvz-_p?l6}y4S_-)7PcSM88G&{oj!KH8;F) z3#f8%Xr5E`u6kbhhr{4>R;z^E#7^wq@n}F5J$TXnrIqbo>2JTU%ne?@s!+ z_VvHp`%VV3HXPt)kSzWbeXp`fUaRK#(|qZ_q8CNhddj)gXUdp;xn}uh)@~=AzRO=1 zb6*iDYi_N6G-sLp+g-(x?C!##TTfCff6V*5jei-}^jUv?T(rC9om}m19UOi2LiF(s z*Ma{vz^&M+9-~1B$xn}?Cs)U>VmR<}# z=^+)2KGk<+UtbeX&-6|^S+Z?OpzqGGoR?3R&b*biLU@YyUc+hA=Cy2)j_njrF??Hn za@OH>ky_Wk^Bup_dfslwBf~xchRdJ?X?)5vf6oWgSH1TOe?}%(?rC>1e3Hd?O7X1x z*)75XWvZT;As?Lf*Tfdz=-qZLrGDejgST&4NHLrd38`Q_qj6XIdd|zbbAR&nGiJ@6 zb@S$=S?-~#1>r);hO_%j&K&gFuF%1si@XMBx#HUDPNjjxUG z;@8|eFp(iaZQ&vAgqiXyS{WEvzI(bjh8(kcIH%h$uw!~u&wIJs#wUh}g*q*POcwHxFn(F@@PxnRFpNV5Lm~6O&@j%b^{l$N8 zJ&rHB^|Uo^rssb9TiJ_OK00Q`ef9Q?sd*{fPqp3_Bwkas|JO~g6h*Z6UEOy#{N>dJ8?xipyqIb{(bqu|3$z5mfM`W2fk^Z=Vi-hy*)Sfd|=(_C-wTNX`2hz$p;T! 
z1%{oF=iU8|OVoHtujZRsxzk(y%kGx{zJ9Zs;ex!g6vKk9zi+eWRpfnsd0*$u*28MQ zZGXPlW$CeWTgt|ewYp{pY@@O_ERm?O)$+U?bVHXlN_tL3JJ)VC>!fKl&U<&?yZQCP ztKT<@83NX_FfvG7<9r@d(iO7f%ANbB*IqB1stm#~pvbpySc5RT>SrZie zd47J})*9VvPEbR^AWwbowm7|BH>$x^HH^ zEo%LL=huVR|CUsLE?@DA$zkpEC^JTeo_mGs>;LW%oBv;*>(`9k+xz}Y#>Q!c@a|TV z{V1^R-Oc-7*8i^Cox~q44{}<7x%!;qi<+MfrK{9Bd@?w9LfiXyX;#OkC+VKSm;a~C z(E~Nc7A*9uxw|_~(fW_-^m_*DF1!vDTkP{t@vN8KwxzjGn{#5p`#IeAW%qoL zoPJK`wyUMh+l&9#zHXdqpPJ1Cx{cnbI@k8&o$Y`5U4Q#e*I)P1FgEXDcXY9Bd}wrZ zqb~;oOB}-tCObJlo9_qhr`}e-`}ate_l}(1XY_7XW&FPW<;CL4ZIU3@B%HE*yM;T7 z?_b~FwVwag`j2}~+WB_!m#>E!zZl=HFFx+LO$egQ`q_8A8TQ)g|L3d7>itkJx8Jg9 k_F5)}Q81)JAfe=+e(#Q2@o23_pFj@xboFyt=akR{01LcOlK=n! literal 0 HcmV?d00001 diff --git a/docs/index.md b/docs/index.md index 39679d01a..5e6c70c56 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,52 +1,106 @@ --- title: AppArmor.d +hide: + - toc --- - + + -### Presentations - -Building the largest set of AppArmor profiles: - -- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* -- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* - -### Chat - -A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org +
+
+
+
+ +

apparmor.d

+

Full set of AppArmor policies

+

apparmor.d is a collection of AppArmor profiles designed to restrict the behavior of Linux applications and processes.

+

Its goal is to confine everything, targeting both desktops and servers across all distributions that support AppArmor.

+ + Get started + + + + Demo Server + + +
+
+
+
diff --git a/docs/install.md b/docs/install.md index ff4a1b6bb..a18185fbf 100644 --- a/docs/install.md +++ b/docs/install.md @@ -89,7 +89,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. @@ -125,7 +125,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf !!! warning - **Beware**: do not install a `.deb` made for Ubuntu on Debian, the packages are different. + **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. diff --git a/docs/overview.md b/docs/overview.md new file mode 100644 index 000000000..fb6712a14 --- /dev/null +++ b/docs/overview.md 
@@ -0,0 +1,48 @@ +--- +title: Overview +--- + +!!! danger "Help Wanted" + + This project is still in its early development. Help is very welcome; see [Development](development/index.md) + +**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. + +### Purpose + +- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` +- Confine all Desktop environments +- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` +- Confine some *"special"* user applications: web browsers, file managers, etc +- Should not break a normal usage of the confined software + +See the [Concepts](concepts.md)' page for more detail on the architecture. + +### Goals + +- Target both desktops and servers +- Support for all distributions that support AppArmor: + * [:material-arch: Arch Linux](install.md#archlinux) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12/13](install.md#debian) + * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) +- Support for all major desktop environments: + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- [Fully tested](development/tests.md) + +### Demo + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. 
You can try it online on my AppArmor play machine at https://play.pujol.io/ + +### Presentations + +Building the largest set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* + +### Chat + +A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/mkdocs.yml b/mkdocs.yml index 153af0d4e..12783b566 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -138,6 +138,7 @@ nav: - Home: - index.md - Getting Started: + - overview.md - concepts.md - install.md - configuration.md From daa6a1239b810dbc4458869a59a896dca42296df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 14:20:08 +0200 Subject: [PATCH 370/672] feat(profile): improve protonmail-bridge-core. --- apparmor.d/profiles-m-r/protonmail-bridge-core | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 92d379724..493199974 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -12,8 +12,9 @@ abi , include @{exec_path} = @{lib}/protonmail/bridge/bridge -profile protonmail-bridge-core @{exec_path} { +profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include + include include include @@ -25,7 +26,7 @@ profile protonmail-bridge-core @{exec_path} { @{exec_path} mr, - @{bin}/pass rCx -> pass, + @{bin}/pass Cx -> pass, @{lib}/protonmail/bridge/bridge-gui ix, 
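Review bot: The new `flags=(attach_disconnected)` on the `protonmail-bridge-core` profile line (hunk `@@ -12,8 +12,9 @@`) widens path mediation for the whole profile — paths disconnected from the namespace root are re-attached at `/` and matched by ordinary file rules — and the hunk does not say which access required it. A comment on that line naming the disconnected path or the denial that triggered it, e.g. `# attach_disconnected: <path or denial that required it>`, would let a later reviewer decide whether the flag can be dropped again. The added `include` on the next line has its target stripped in this rendering, so I cannot check it against the flag.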
@@ -49,7 +50,6 @@ profile protonmail-bridge-core @{exec_path} { @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, - deny @{bin}/pass x, deny owner @{user_passwordstore_dirs}/** r, profile pass { @@ -76,6 +76,7 @@ profile protonmail-bridge-core @{exec_path} { owner @{user_passwordstore_dirs}/ r, owner @{user_passwordstore_dirs}/.gpg-id r, + owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, deny owner @{user_passwordstore_dirs}/**/ r, From a46967cb43e643efc925644b234093f249fdc313 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 14:56:51 +0200 Subject: [PATCH 371/672] feat(tunable): add papers to the list of document viewers. --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 198776f9b..b3e36cae7 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -76,7 +76,7 @@ @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli # Document viewers -@{document_viewers_names} = evince okular *{F,f}oliate YACReader +@{document_viewers_names} = evince papers okular *{F,f}oliate YACReader # Image viewers @{image_viewers_names} = eog loupe ristretto From 043dc3fc0589d3c361dd9e4a1cdf543fab8284df Mon Sep 17 00:00:00 2001 
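Review bot: The new `owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw,` inside the `pass` child profile (hunk `@@ -76,6 +76,7 @@`) extends the bridge's reach in the user's password store beyond its own `protonmail-credentials/` entries, which the existing `deny owner @{user_passwordstore_dirs}/**/ r,` shows was meant to be kept narrow. If the bridge stores its secrets under that directory through the docker-credential-helpers library's `pass` backend (my inference from the name, not shown in the hunk), a comment such as `# bridge keeps its secrets here via docker-credential-helpers' pass backend` would justify the rule; otherwise it should be limited to the specific entries the bridge writes. The `pass` child profile starts before this hunk.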
From: Alexandre Pujol Date: Sat, 17 May 2025 15:23:24 +0200 Subject: [PATCH 372/672] feat(profile): add paperspecs to cups backend. --- apparmor.d/groups/cups/cups-backend-beh | 1 + apparmor.d/groups/cups/cups-backend-bluetooth | 1 + apparmor.d/groups/cups/cups-backend-brf | 1 + apparmor.d/groups/cups/cups-backend-dnssd | 1 + apparmor.d/groups/cups/cups-backend-hp | 1 + apparmor.d/groups/cups/cups-backend-implicitclass | 1 + apparmor.d/groups/cups/cups-backend-ipp | 1 + apparmor.d/groups/cups/cups-backend-lpd | 1 + apparmor.d/groups/cups/cups-backend-mdns | 1 + apparmor.d/groups/cups/cups-backend-parallel | 1 + apparmor.d/groups/cups/cups-backend-pdf | 6 ++++-- apparmor.d/groups/cups/cups-backend-serial | 1 + apparmor.d/groups/cups/cups-backend-snmp | 1 + apparmor.d/groups/cups/cups-backend-socket | 1 + apparmor.d/groups/cups/cups-backend-usb | 1 + 15 files changed, 18 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh index e2dbc1b51..1e9fe5b78 100644 --- a/apparmor.d/groups/cups/cups-backend-beh +++ b/apparmor.d/groups/cups/cups-backend-beh @@ -13,6 +13,7 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth index ada4926ce..78ffbac77 100644 --- a/apparmor.d/groups/cups/cups-backend-bluetooth +++ b/apparmor.d/groups/cups/cups-backend-bluetooth @@ -13,6 +13,7 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf index 27e98efc3..6d50b284f 100644 --- a/apparmor.d/groups/cups/cups-backend-brf +++ b/apparmor.d/groups/cups/cups-backend-brf 
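Review bot: The single line `/etc/paperspecs r,` is added verbatim beneath an identical `/etc/papersize r,` in the `cups-backend-beh` hunk and repeated in the `cups-backend-bluetooth`, `-brf`, `-dnssd`, `-hp`, `-implicitclass`, `-ipp`, `-lpd`, `-mdns`, `-parallel`, `-pdf`, `-serial`, `-snmp`, `-socket` and `-usb` hunks of this commit, fifteen copies of the same two-rule pair. Factoring both rules into a shared abstraction that each backend includes would make the next libpaper change a one-file edit; I cannot see from the hunks whether such an abstraction already exists. Separately, the `cups-backend-pdf` hunk adds `capability dac_read_search,` next to the existing `dac_override` without a comment naming the path that needed it, which is worth recording since it lets the backend read files regardless of their DAC permissions.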
@@ -15,6 +15,7 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index f45b99216..1009a0ef2 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -14,6 +14,7 @@ profile cups-backend-dnssd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp index 636121553..cd9af3d7f 100644 --- a/apparmor.d/groups/cups/cups-backend-hp +++ b/apparmor.d/groups/cups/cups-backend-hp @@ -13,6 +13,7 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass index ba85c62fa..c71295f83 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -13,6 +13,7 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp index b473ecaa3..8d61f4072 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -13,6 +13,7 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd index af2901be0..89b62b569 100644 --- a/apparmor.d/groups/cups/cups-backend-lpd +++ b/apparmor.d/groups/cups/cups-backend-lpd @@ -13,6 +13,7 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/groups/cups/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns index 0b9cce0da..9e5dfbe0f 100644 --- a/apparmor.d/groups/cups/cups-backend-mdns +++ b/apparmor.d/groups/cups/cups-backend-mdns @@ -13,6 +13,7 @@ profile cups-backend-mdns @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel index a985e5042..b4340b2ed 100644 --- a/apparmor.d/groups/cups/cups-backend-parallel +++ b/apparmor.d/groups/cups/cups-backend-parallel @@ -13,6 +13,7 @@ profile cups-backend-parallel @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 7782ecb11..6f658b064 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -14,9 +14,10 @@ profile cups-backend-pdf @{exec_path} { include capability chown, + capability dac_override, + capability dac_read_search, capability setgid, capability setuid, - capability dac_override, unix peer=(label=cupsd), @@ -30,10 +31,11 @@ profile cups-backend-pdf @{exec_path} { /usr/share/ghostscript/{,**} r, - /etc/papersize r, /etc/cups/ r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, + /etc/papersize r, + /etc/paperspecs r, /var/log/cups/cups-pdf*_log w, /var/spool/cups-pdf/{,**} rw, diff --git a/apparmor.d/groups/cups/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial index 3959a091d..26811ab59 100644 --- a/apparmor.d/groups/cups/cups-backend-serial +++ b/apparmor.d/groups/cups/cups-backend-serial @@ -13,6 +13,7 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/groups/cups/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp index 5badd529a..816f6c25b 100644 
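Review bot: `capability dac_read_search` is added to cups-backend-pdf without a comment, on top of the `chown`, `dac_override`, `setuid` and `setgid` it already had, which makes it by far the most privileged backend in this set and the only one here with write rules (`/var/spool/cups-pdf/{,**} rw`, `/var/log/cups/cups-pdf*_log w`). A why-line naming the access that triggered the denial would let the next reviewer judge whether it is still needed, e.g. `capability dac_read_search, # traversing the job owner's output directory (see Out in /etc/cups/cups-pdf.conf)` — adjusted to the actual log entry, which the commit does not cite. Reordering the existing `dac_override` line in the same hunk is fine but hides that this is a privilege addition, not a cleanup.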
--- a/apparmor.d/groups/cups/cups-backend-snmp +++ b/apparmor.d/groups/cups/cups-backend-snmp @@ -19,6 +19,7 @@ profile cups-backend-snmp @{exec_path} { /etc/cups/snmp.conf r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket index 3efcf183b..f8f36a056 100644 --- a/apparmor.d/groups/cups/cups-backend-socket +++ b/apparmor.d/groups/cups/cups-backend-socket @@ -13,6 +13,7 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb index fa21e0204..7d9dbd237 100644 --- a/apparmor.d/groups/cups/cups-backend-usb +++ b/apparmor.d/groups/cups/cups-backend-usb @@ -21,6 +21,7 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, + /etc/paperspecs r, include if exists } From 00327dfae17112aac14ab572ddb1ed026797465c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 18:38:48 +0200 Subject: [PATCH 373/672] feat(profile): minor improvements. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +- apparmor.d/groups/apt/unattended-upgrade | 7 +++++-- apparmor.d/groups/grub/update-grub | 5 +++-- apparmor.d/profiles-a-f/acpi | 1 - apparmor.d/profiles-a-f/evince | 5 +++-- apparmor.d/profiles-g-l/kmod | 14 +++++++++++++- apparmor.d/profiles-m-r/mkinitramfs | 6 ++++++ apparmor.d/profiles-s-z/spice-vdagent | 2 ++ 10 files changed, 35 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5c33a1866..947dba149 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -177,7 +177,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, @{pager_path} rmix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, /root/ r, # For shell pwd diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 04907876e..08e1400b2 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index c700e325f..59f7a54f6 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 3e60798e9..8413d9975 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,13 +10,14 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include include + include include capability chown, @@ -65,7 +66,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, - /etc/apport/report-ignore/ r, + /etc/apport/report-ignore/{,**} r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, 
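Review bot: Dropping `.debianutils` from `@{bin}/which{,.debianutils} rix` looks like a regression on Debian, where `/usr/bin/which` is an alternatives symlink to `/usr/bin/which.debianutils` and AppArmor matches the resolved target path rather than the symlink; the same removal is repeated in apt-systemd-daily and aptitude-create-state-bundle. Unless `which.debianutils` is now covered by something outside this diff (an alias rule or a shared abstraction), keep the brace form: `@{bin}/which{,.debianutils} rix,`. The apt profile continues on both sides of the hunk.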
@@ -89,8 +90,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/vmware-tools/* r, /var/log/unattended-upgrades/{,**} rw, + /var/crash/*.crash w, /var/lib/apt/periodic/unattended-upgrades-stamp w, + /var/lib/dpkg/info/ r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index 1996b346b..ff17c160a 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -14,8 +14,9 @@ profile update-grub @{exec_path} { capability dac_read_search, @{exec_path} mr, - @{sh_path} rix, - @{sbin}/grub-mkconfig rPx, + + @{sh_path} rix, + @{sbin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index 2914180e6..3b42be234 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi @@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/virtual/thermal/{,**} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 5ae754138..b7b087309 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -44,13 +44,14 @@ profile evince @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, - owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/evince/{,*} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.pdf r, owner @{tmp}/evince-@{int}/{,**} rw, - owner @{tmp}/gtkprint* rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 0338e3975..ccc8d6913 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod 
@@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{sbin}/sysctl rPx, + @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, @{lib}/modprobe.d/{,*.conf} r, @@ -74,6 +74,18 @@ profile kmod @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, deny unix (receive) type=stream, + profile sysctl { + include + + @{sbin}/sysctl mr, + + /etc/sysctl.conf r, + /etc/sysctl.d/{,**} r, + /usr/lib/sysctl.d/{,**} r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index ad626192c..eaf5645f3 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -96,6 +96,12 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs-@{rand6} rw, owner /var/tmp/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 9562fec75..c73f5f678 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -47,6 +47,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, + /dev/udmabuf rw, + include if exists } From 2bad07f5ffe85486104bb775df646bb5cc5aad6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 18:44:59 +0200 Subject: [PATCH 374/672] doc: hide the date of revision on the front page. --- docs/index.md | 5 +++++ mkdocs.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) 
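Review bot: The new `sysctl` child profile grants only reads of the configuration files, so unless the elided `include` on its first line covers it, `sysctl` cannot write anything under `@{PROC}/sys/` — which is the whole point of a modprobe `install` hook calling it (I am inferring the caller from the `rCx` transition, not from the diff). It also misses two directories `sysctl --system` searches, `/run/sysctl.d/*.conf` and `/usr/local/lib/sysctl.d/*.conf`. Suggested additions inside the child: `@{run}/sysctl.d/{,*.conf} r,`, `/usr/local/lib/sysctl.d/{,*.conf} r,` and `@{PROC}/sys/** w, # applied by sysctl --system from a modprobe.d install line` — the last one narrowed to the keys actually set if the install line is known.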
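Review bot: `/dev/udmabuf rw` is added to spice-vdagent with no comment; udmabuf lets a process turn memfd pages into dma-bufs shared with the GPU, which is a capability a reader of this profile should see named. Suggest `/dev/udmabuf rw, # dma-buf export for shared display buffers — confirm which vdagent code path opens it`, hedged because the diff does not show the denial that motivated it.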
diff --git a/docs/index.md b/docs/index.md index 5e6c70c56..9602207d0 100644 --- a/docs/index.md +++ b/docs/index.md @@ -19,6 +19,11 @@ hide: display: none; } + /* Hide the date of revision */ + .md-source-file { + display: none; + } + /* Get started button */ .md-typeset .md-button--primary { color: var(--md-primary-fg-color); diff --git a/mkdocs.yml b/mkdocs.yml index 12783b566..e5244a529 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -15,7 +15,7 @@ repo_url: https://github.com/roddhjav/apparmor.d edit_uri: edit/main/docs/ # Copyright -copyright: Copyright © 2021-2024 Alexandre Pujol +copyright: Copyright © 2021-2025 Alexandre Pujol # Configuration theme: From f9f409716434735336e9de871cad8fcfb329cd4f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:12:24 +0200 Subject: [PATCH 375/672] feat(abs): add the path abstraction. --- apparmor.d/abstractions/app-launcher-root | 7 ++----- apparmor.d/abstractions/app-launcher-user | 10 +++------- apparmor.d/abstractions/common/app | 5 +---- apparmor.d/abstractions/path | 23 +++++++++++++++++++++++ apparmor.d/groups/children/child-open-any | 7 +------ 5 files changed, 30 insertions(+), 22 deletions(-) create mode 100644 apparmor.d/abstractions/path diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 0bc7dbeff..7f7e2a673 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -5,15 +5,12 @@ abi , + include + @{bin}/** PUx, @{sbin}/** PUx, /usr/local/{s,}bin/** PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/{s,}bin/ r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 800de5106..3f35d5882 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -5,6 +5,8 @@ abi , + include + @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, 
@@ -18,13 +20,7 @@ @{thunderbird_path} Px, @{offices_path} PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - - @{user_bin_dirs}/ r, - @{user_bin_dirs}/** PUx, + @{user_bin_dirs}/** PUx, include if exists diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index cc802ef06..0d63b72c8 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -27,6 +27,7 @@ include include include + include include include @@ -39,12 +40,8 @@ /etc/{,**} r, - / r, /.* r, - /*/ r, - @{bin}/ r, @{lib}/ r, - /usr/local/bin/ r, owner /_@{int}_/ w, owner /@{uuid}/ w, owner /var/cache/ldconfig/{,**} rw, diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path new file mode 100644 index 000000000..dee241b29 --- /dev/null +++ b/apparmor.d/abstractions/path @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Common directories in $PATH, used by launchers and interactive shells. + + abi , + + @{bin}/ r, + @{bin}/*/ r, + @{sbin}/ r, + @{sbin}/*/ r, + + / r, + /usr/ r, + /usr/local/bin/ r, + /usr/local/sbin/ r, + + @{user_bin_dirs}/ r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index 1259d7708..446627e85 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -14,6 +14,7 @@ include profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include + include @{bin}/** PUx, @{lib}/** PUx, @@ -22,12 +23,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { /usr/local/bin/** PUx, /usr/share/** PUx, - @{bin}/ r, - @{user_bin_dirs}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - include if exists include if exists } From efba6e164e8dcb99e26856394f924333b302fa60 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 17 May 2025 22:22:00 +0200 Subject: [PATCH 376/672] feat(profile): add initial profile for decibels. --- apparmor.d/groups/gnome/decibels | 37 ++++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 38 insertions(+) create mode 100644 apparmor.d/groups/gnome/decibels diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels new file mode 100644 index 000000000..88d292b07 --- /dev/null +++ b/apparmor.d/groups/gnome/decibels @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels +profile decibels @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/gjs-console rix, + + @{open_path} rPx -> child-open-help, + + /usr/share/org.gnome.Decibels/{,**} r, + + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index adced30c9..bcebd472d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -77,6 +77,7 @@ cupsd attach_disconnected,complain ddcutil complain deb-systemd-helper complain deb-systemd-invoke complain +decibels complain dino attach_disconnected,complain discord complain discord-chrome-sandbox complain From 5a448cb39dda25ddf11ce446af10dda253613bc4 Mon Sep 17 00:00:00 2001 
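Review bot: An audio player getting `owner @{user_pictures_dirs}/{,**} r` and `owner @{user_torrents_dirs}/{,**} r` is wider than its purpose suggests and neither rule says why; Music and Videos are self-explanatory, Pictures is presumably cover art and Torrents downloaded media, but that is a guess. Either add a why-comment per rule, e.g. `owner @{user_pictures_dirs}/{,**} r, # album art (confirm)`, or leave the two out until an audit log shows the access. The profile is registered in complain mode in main.flags, so a missing rule would surface as an ALLOWED entry rather than break playback.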
From: Alexandre Pujol Date: Sat, 17 May 2025 22:23:35 +0200 Subject: [PATCH 377/672] feat(profile): add initial profile for papers. --- apparmor.d/groups/gnome/papers | 51 ++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 2 +- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/gnome/papers diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers new file mode 100644 index 000000000..ee829d8f3 --- /dev/null +++ b/apparmor.d/groups/gnome/papers @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/papers +profile papers @{exec_path} { + include + include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + @{open_path} Cx -> open, + + /usr/share/poppler/{,**} r, + + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + + profile open { + include + include + + @{browsers_path} Px, + @{help_path} Px, + @{bin}/papers Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index bcebd472d..70d484953 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -257,7 +257,7 @@ nvidia-persistenced complain ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain -pam-tmpdir-helper complain +papers complain passimd attach_disconnected,complain pkla-admin-identities complain pkla-check-authorization complain From 8d374ed8761dfd518e7d4f09e8ec699261d76b56 Mon Sep 17 00:00:00 2001 
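Review bot: The `open` child re-launches the viewer with a hard-coded `@{bin}/papers Px` although the file defines `@{exec_path} = @{bin}/papers` a few lines up; `@{exec_path} Px,` keeps the child in step if a second binary name is ever added to the variable, and is how the sibling profiles refer to their own executable. The rest of the child is tight — browsers and help via `Px`, no `PUx` fallback — which is the right shape.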
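Review bot: The main.flags hunk replaces `pam-tmpdir-helper complain` with `papers complain` instead of inserting the new line, which silently moves pam-tmpdir-helper from complain to enforce mode in a commit whose subject only mentions adding a papers profile. If that is unintended, keep both lines in order: `pam-tmpdir-helper complain` then `papers complain` (the list is alphabetical and `pam-` sorts before `papers`). If it is intended, it deserves its own commit or at least a line in this message.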
From: Alexandre Pujol Date: Sat, 17 May 2025 22:25:27 +0200 Subject: [PATCH 378/672] feat(fsp): add tunables for the future systemd executor profiles. --- apparmor.d/tunables/multiarch.d/profiles | 2 ++ pkg/prebuild/prepare/fsp.go | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index e966623d4..92ab19fc9 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -9,7 +9,9 @@ # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` @{p_systemd}=unconfined +@{p_systemd_executor}=unconfined @{p_systemd_user}=unconfined +@{p_systemd_user_executor}=unconfined # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index e46efe0e8..0d4c23076 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -40,7 +40,9 @@ func (p FullSystemPolicy) Apply() ([]string, error) { return res, err } out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") + out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") + out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") if err := path.WriteFile([]byte(out)); err != nil { return res, err } From dbd0a7d271930f6a85ceda79feab610599b54222 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:25:58 +0200 Subject: [PATCH 379/672] feat(tunable): add the efi variable. --- apparmor.d/tunables/multiarch.d/system | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 3f6e0f890..d7834cc8a 100644 --- a/apparmor.d/tunables/multiarch.d/system 
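Review bot: `strings.ReplaceAll` does not report whether the `=unconfined` line was present, so if the tunables file ever stops matching, `Apply` returns success while systemd and the two new executor profiles silently stay unconfined — a quiet failure for the switch that is supposed to enable full-system policy. Check each pattern before replacing and fail when it is missing, e.g. `if !strings.Contains(out, old) { return res, fmt.Errorf("fsp: tunable %q not found", old) }` (assuming `fmt` is imported; otherwise `errors.New`), driven by a small slice of old/new pairs, which also collapses the four near-identical lines. `Apply` begins and ends outside the hunk.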
+++ b/apparmor.d/tunables/multiarch.d/system @@ -22,6 +22,8 @@ # Common places for temporary files @{tmp}=/tmp/ /tmp/user/@{uid}/ +# Common places for EFI +@{efi}=/boot/ /efi/ /boot/efi/ # System Variables # ---------------- From 4beb096532ab6c60c376fb4a3acf070e11e2d56b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:29:33 +0200 Subject: [PATCH 380/672] feat(abs): expand zsh abs to more default locations - Add support for oh-my-zsh - Add support for gitstatus & p10k - Add more zsh config dirctories. --- apparmor.d/abstractions/zsh | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index a22895c91..ff90849c0 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh 
@@ -10,24 +10,40 @@ @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, - /usr/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r, + /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh/{,**} r, /etc/zsh/* r, - owner @{HOME}/.zshrc r, - owner @{HOME}/.zshenv r, + owner @{HOME}/.zcompdump-* rw, owner @{HOME}/.zsh_history rw, owner @{HOME}/.zsh_history.LOCK rwk, + owner @{HOME}/.zsh_history.new rw, + owner @{HOME}/.zshenv r, + owner @{HOME}/.zshrc r, owner @{HOME}/.oh-my-zsh/{,**} r, owner @{HOME}/.oh-my-zsh/log/update.lock/ w, - owner @{HOME}/.zcompdump-* rw, + owner @{user_cache_dirs}/oh-my-zsh/{,**} r, + owner @{user_cache_dirs}/p10k-@{user}/{,**} rw, + owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, + owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, + owner @{user_share_dirs}/zsh/history rw, + owner @{user_share_dirs}/zsh/history.LOCK rwk, + owner @{user_share_dirs}/zsh/history.new rw, + + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, + + @{PROC}/version r, + owner @{PROC}/@{pid}/loginuid r, + include if exists # vim:syntax=apparmor From d74a47764665fbdcbfd74ec8d0549b557ab1075e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:33:03 +0200 Subject: [PATCH 381/672] feat(tunable): add @{backup_path}. --- apparmor.d/abstractions/app-open | 7 ++----- apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 8c74d1f08..27f0c96fc 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -26,6 +26,7 @@ @{image_viewers_path} PUx, @{offices_path} PUx, @{text_editors_path} PUx, + @{backup_path} PUx, # Others @{bin}/amule Px, 
@@ -41,6 +42,7 @@ @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, + @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, @{bin}/kgx Px, @@ -57,11 +59,6 @@ #aa:only opensuse @{lib}/YaST2/** PUx, - # Backup - @{lib}/deja-dup/deja-dup-monitor PUx, - - @{bin}/gnome-session-quit rPx, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 733f8925c..cb889ee19 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -69,4 +69,7 @@ # Terminal emulator @{terminal_path} = @{bin}/@{offices_names} +# Backup +@{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index b3e36cae7..c1eea10b3 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -93,4 +93,7 @@ # Terminal emulator @{terminal_name} = kgx terminator konsole +# Backup +@{backup_names} = deja-dup borg + # vim:syntax=apparmor From 3b1fe1f931337c7e6d9428797866045effe3e0ca Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:41:43 +0200 Subject: [PATCH 382/672] feat(tunable): fix and use terminal_path. --- apparmor.d/abstractions/app-open | 4 ++-- apparmor.d/tunables/multiarch.d/paths | 2 +- apparmor.d/tunables/multiarch.d/programs | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 27f0c96fc..c7d2a86c8 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -18,6 +18,7 @@ # Labeled programs @{archive_viewers_path} PUx, + @{backup_path} PUx, @{browsers_path} Px, @{document_viewers_path} PUx, @{emails_path} PUx, 
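Review bot: Adding `borg` to `@{backup_names}` means app-open now executes `@{bin}/borg` under `@{backup_path} PUx`, and `PUx` runs the target unconfined whenever no `borg` profile is loaded; for a tool that reads everything it backs up and holds repository keys, that is a wide fallback to hand out from "open with". If the tree has no borg profile (I cannot tell from this diff), either leave `borg` out of the list until one exists or give it an explicit `@{bin}/borg Px,` so a missing profile fails closed. `deja-dup-monitor` is unchanged in effect — it was already `PUx` before being folded into the variable.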
@@ -25,8 +26,8 @@ @{help_path} Px, @{image_viewers_path} PUx, @{offices_path} PUx, + @{terminal_path} Px, @{text_editors_path} PUx, - @{backup_path} PUx, # Others @{bin}/amule Px, @@ -45,7 +46,6 @@ @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, - @{bin}/kgx Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index cb889ee19..059f337fd 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -67,7 +67,7 @@ @{help_path} = @{bin}/@{help_names} # Terminal emulator -@{terminal_path} = @{bin}/@{offices_names} +@{terminal_path} = @{bin}/@{terminal_names} # Backup @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index c1eea10b3..cddb1a7d2 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -91,7 +91,7 @@ @{help_names} = yelp # Terminal emulator -@{terminal_name} = kgx terminator konsole +@{terminal_names} = kgx terminator konsole ptyxis # Backup @{backup_names} = deja-dup borg From 053ce04c8e040c47095b32468d8e046033a14466 Mon Sep 17 00:00:00 2001 
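Review bot: Replacing `@{bin}/kgx Px` with `@{terminal_path} Px` extends a strict `Px` to terminator, konsole and ptyxis, and a `Px` transition to a profile that is not loaded is denied rather than falling back to unconfined; if any name in `@{terminal_names}` lacks a profile (ptyxis is new to the list in this commit), opening a terminal from a confined app fails with an exec denial. Worth confirming each of the four has a profile, or marking the ones that do not with `PUx` and a comment. The fix of `@{terminal_path}` pointing at `@{offices_names}` is clearly correct and is the useful part of this commit.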
From: Alexandre Pujol Date: Sun, 18 May 2025 13:09:06 +0200 Subject: [PATCH 383/672] feat(tunanle): add the sqlhex variable. --- apparmor.d/abstractions/common/app | 3 ++- apparmor.d/groups/flatpak/flatpak-app | 1 - apparmor.d/groups/gnome/gnome-music | 4 ++-- apparmor.d/groups/gnome/localsearch | 8 ++------ apparmor.d/groups/gnome/tracker-miner | 6 ++---- apparmor.d/profiles-a-f/dropbox | 3 ++- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gpo | 3 ++- apparmor.d/profiles-g-l/gpodder | 3 ++- apparmor.d/profiles-m-r/protonmail-bridge-core | 4 ++-- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/quiterss | 3 ++- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 6 ++++-- apparmor.d/tunables/multiarch.d/system | 3 +++ 17 files changed, 30 insertions(+), 27 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 0d63b72c8..99da31590 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -59,9 +59,10 @@ owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{user_games_dirs}/** rmix, - owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, + owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 8d35bc8e0..bb824c7cb 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -82,7 +82,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - /var/tmp/etilqs_@{hex16} rw, @{run}/.userns r, @{run}/parent/** r, 
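Review bot: The removed `/var/tmp/etilqs_@{hex16} rw` in flatpak-app was not `owner`-restricted and nothing in this hunk replaces it; if flatpak-app relies on `abstractions/common/app` for the new `owner /var/tmp/etilqs_@{sqlhex} rw`, this is a tightening (owner only) worth a sentence in the commit message, and if it does not include that abstraction it is a regression for SQLite-using flatpaks. flatpak-app's include list is not visible here, so I cannot tell which. Either way, a comment on the common/app rule naming the producer, e.g. `owner /var/tmp/etilqs_@{sqlhex} rw, # SQLite temporary files`, would help readers who do not recognise the reversed "sqlite" prefix.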
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 7874e95ff..511a48987 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -51,8 +51,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 263604ba7..1503ba747 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -47,12 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex12}@{h} rw, - owner @{tmp}/etilqs_@{hex12}@{hex2} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e10d81bb2..d35f6467f 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -63,10 +63,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, # Allow to search user files owner @{HOME}/{,**} r, 
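Review bot: This hunk folds four distinct lengths (`@{hex12}@{h}`, `@{hex12}@{hex2}`, `@{hex15}`, `@{hex16}`, i.e. 13 to 16 hex characters) into `@{sqlhex}`, but the definition of `@{sqlhex}` lives in the last file of this diff whose hunk is cut off, so it cannot be confirmed here that the new variable still matches the 13- and 14-character names localsearch alone needed; every other profile touched only ever listed 15 or 16. If `@{sqlhex}` covers just the two longer forms, localsearch loses accesses it previously had. A comment on the definition stating the observed lengths would make this auditable next time.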
diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index eecdb2e6d..b4baf1d0c 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -61,7 +61,8 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index c6746843d..5971764f0 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -34,7 +34,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 75d5197ae..71addde64 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -67,7 +67,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{hex16} rw, + /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 562980d35..cebfc955f 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -36,7 +36,8 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, 
diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 7ccf428c3..dd7a20eb7 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -47,7 +47,8 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 493199974..ee7adab75 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -43,8 +43,8 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 33435fa8d..24e0c61dd 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -54,7 +54,7 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 32c05e55b..1d3850ba5 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -54,7 +54,7 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, 
diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 89395f8b5..d1194abf5 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -47,7 +47,8 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 6a337a66b..84bbcf1f2 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -68,7 +68,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 67b3cf503..6f4c120a0 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -59,11 +59,13 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{tmp}/.mount_wechat@{word6}/ rw, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr, - owner /var/tmp/etilqs_* rw, - @{HOME}/.xwechat/{,**} rwk, + owner @{user_documents_dirs}/xwechat_files/{,**} rwk, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, + /dev/fuse rw, /dev/tty rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index d7834cc8a..f1be21e49 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -54,6 +54,9 @@ # System Internal # --------------- +# SQlite temporary files (hexadecimal from 12 to 16 characters) +@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} + # Shortcut for PCI device @{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} From 94991165421ca3bc422af6893792bb3aa5dfbd9f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:39:32 +0200 Subject: [PATCH 384/672] feat(profile): add initial profile for ptyxis. --- apparmor.d/groups/gnome/ptyxis | 38 +++++++++++++++++++++++ apparmor.d/groups/gnome/ptyxis-agent | 46 ++++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 86 insertions(+) create mode 100644 apparmor.d/groups/gnome/ptyxis create mode 100644 apparmor.d/groups/gnome/ptyxis-agent diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis new file mode 100644 index 000000000..739681eae --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ptyxis +profile ptyxis @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{lib}/ptyxis-agent Px, + @{open_path} Px -> child-open-help, + + /etc/shells r, + + owner @{user_cache_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_cache_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_cache_dirs}/org.gnome.Ptyxis/**, + + owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + + owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + + owner @{PROC}/@{pid}/stat r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor 
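Review bot: The comment introducing the new `@{sqlhex}` tunable misspells the product name and does not say what the enumerated alternation is for; every caller in this commit uses it as `etilqs_@{sqlhex}`, so the comment could be `# SQLite temporary files (etilqs_ prefix, 12 to 16 hexadecimal characters)`. The five-way alternation presumably exists because only `@{hex12}`, `@{hex15}` and `@{hex16}` tunables are available, so 13 and 14 characters are built from `@{hex12}@{h}` and `@{hex12}@{hex2}`; stating that in the comment would stop a later cleanup from "simplifying" it to `@{hex12,15,16}` and silently dropping the two middle lengths.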
diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent
new file mode 100644
index 000000000..239993f21
--- /dev/null
+++ b/apparmor.d/groups/gnome/ptyxis-agent
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/ptyxis-agent
+profile ptyxis-agent @{exec_path} {
+ include
+ include
+ include
+ include
+
+ signal send set=hup peer=unconfined,
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ @{bin}/podman Px,
+ @{bin}/systemd-run Cx -> shell,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ owner @{PROC}/@{pid}/cmdline r,
+
+ /dev/ptmx rw,
+
+ profile shell {
+ include
+ include
+
+ signal send,
+
+ @{bin}/systemd-run mr,
+ @{bin}/@{shells} Ux,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 70d484953..2cef12304 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -271,6 +271,8 @@ plymouth complain
plymouth-set-default-theme attach_disconnected,complain
plymouthd complain
polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted
+ptyxis complain
+ptyxis-agent complain
qdbus complain
remmina complain
run-parts complain
From 1fab846875cae905de7c4e194848a043793185c6 Mon Sep 17 00:00:00 2001
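Review bot: The new ptyxis-agent profile grants `ptrace read,` with no peer, which lets the agent read the /proc state of every confined process on the system, while the sibling gnome-terminal-server profile in this series restricts the same access to `ptrace read peer=unconfined,`; since the only children this profile spawns are the `Ux` shell and a `Px` podman, `ptrace read peer=unconfined,` looks like the matching scope here. In the `shell` subprofile, `signal send,` is likewise unscoped in both signal set and peer; if the agent only needs to signal the shells it launches, `signal send peer=unconfined,` would say so. The unconfined shell is clearly deliberate, as it is for gnome-terminal-server, but that profile documents it and this one does not; copying its `# The shell is not confined on purpose.` comment above `@{bin}/@{shells} Ux,` would keep a later reviewer from tightening it by mistake. The profile is registered as complain in main.flags, so none of this bites yet, but it should be settled before enforcement.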
From: Alexandre Pujol Date: Sun, 18 May 2025 13:47:08 +0200 Subject: [PATCH 385/672] feat(abs): add proc stat to the gnome common abs. --- apparmor.d/abstractions/common/gnome | 1 + apparmor.d/groups/apparmor/aa-notify | 1 - apparmor.d/groups/gnome/decibels | 1 - apparmor.d/groups/gnome/gnome-calculator | 2 -- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-extensions-app | 1 - apparmor.d/groups/gnome/gnome-logs | 2 -- apparmor.d/groups/gnome/gnome-maps | 1 - apparmor.d/groups/gnome/gnome-text-editor | 1 - apparmor.d/groups/gnome/gnome-weather | 1 - apparmor.d/groups/gnome/papers | 1 - apparmor.d/groups/gnome/ptyxis | 2 -- apparmor.d/profiles-a-f/file-roller | 1 - apparmor.d/profiles-a-f/foliate | 1 - apparmor.d/profiles-a-f/fractal | 1 - 15 files changed, 1 insertion(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index ccb5de8b3..056f6581b 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -32,6 +32,7 @@ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index b64317a57..7cb64af80 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -75,7 +75,6 @@ profile aa-notify @{exec_path} { owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels index 88d292b07..2bb38dfd5 100644 --- a/apparmor.d/groups/gnome/decibels +++ b/apparmor.d/groups/gnome/decibels 
@@ -28,7 +28,6 @@ profile decibels @{exec_path} { owner @{user_videos_dirs}/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 3f2290e6a..2e553d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -23,8 +23,6 @@ profile gnome-calculator @{exec_path} { @{open_path} rPx -> child-open-help, - owner @{PROC}/@{pid}/stat r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 890a54691..7ee0f835e 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index f1e229b59..0a65c95f2 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -22,7 +22,6 @@ profile gnome-extensions-app @{exec_path} { /usr/share/terminfo/** r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index 06e66a43b..5e3ab03bd 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -27,8 +27,6 @@ profile gnome-logs @{exec_path} { /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, - owner @{PROC}/@{pid}/stat r, - include if exists } 
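Review bot: In the gnome-extensions-app hunk the removed rule is `owner @{PROC}/@{pids}/stat r,` (plural `@{pids}`), whereas the rule this commit adds to the common gnome abstraction is `owner @{PROC}/@{pid}/stat r,` for the process's own pid only, so this profile ends up narrower than before, unlike the other profiles in the commit which all dropped a `@{pid}` rule. The surviving context line `owner @{PROC}/@{pids}/task/@{tid}/stat r,` suggests the wider form was deliberate for this app. If reading other owned processes' stat is still needed, keep `owner @{PROC}/@{pids}/stat r,` in the profile; if it was overbroad, a one-line commit note saying the narrowing is intended would help.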
diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 294d6229a..705857391 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -45,7 +45,6 @@ profile gnome-maps @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 693b1618f..22823753b 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -24,7 +24,6 @@ profile gnome-text-editor @{exec_path} { owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index c73ff0a19..fe2bf69b2 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -31,7 +31,6 @@ profile gnome-weather @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny owner @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index ee829d8f3..87820376c 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -32,7 +32,6 @@ profile papers @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, profile open { include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 739681eae..2f7dee368 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis 
@@ -28,8 +28,6 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - owner @{PROC}/@{pid}/stat r, - /dev/ptmx rw, include if exists diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index b8eedb263..24610cd8c 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -48,7 +48,6 @@ profile file-roller @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index f6380d125..a07976ce9 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -51,7 +51,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 5971764f0..40001da68 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -41,7 +41,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, /dev/ r, From 658c054c47a7a0ffc054b5ada18137e62c063354 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 18 May 2025 14:46:35 +0200 Subject: [PATCH 386/672] feat(profile): update and enforce a few profiles. --- apparmor.d/groups/filesystem/mke2fs | 1 + apparmor.d/groups/gnome/gnome-session-binary | 1 - apparmor.d/groups/gnome/gnome-software | 14 ++-------- apparmor.d/groups/gnome/gnome-system-monitor | 8 +----- apparmor.d/groups/gnome/gnome-terminal-server | 18 ++++++------ apparmor.d/groups/gnome/gnome-tweaks | 2 +- apparmor.d/groups/gnome/kgx | 16 +++++------ apparmor.d/groups/network/ModemManager | 3 +- apparmor.d/groups/polkit/pkttyagent | 4 +-- apparmor.d/groups/shadow/newgidmap | 2 ++ apparmor.d/groups/shadow/newuidmap | 2 ++ apparmor.d/profiles-a-f/calibre | 28 +++++++++++++------ apparmor.d/profiles-m-r/mdevctl | 1 + apparmor.d/profiles-m-r/metadata-cleaner | 14 +++------- apparmor.d/profiles-s-z/totem | 8 ++++++ apparmor.d/profiles-s-z/xsane-gimp | 18 +++++++----- dists/flags/main.flags | 22 ++------------- 17 files changed, 76 insertions(+), 86 deletions(-) diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs index a3edbeb50..90df8ecb1 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -10,6 +10,7 @@ include @{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 1f17b35a3..027a1ab96 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -103,7 +103,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include include - include include @{bin}/env rix, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index dd872c53a..c10261c02 100644 --- a/apparmor.d/groups/gnome/gnome-software 
+++ b/apparmor.d/groups/gnome/gnome-software @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include - include + include include - include - include include include include @@ -71,15 +69,11 @@ profile gnome-software @{exec_path} { /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, - / r, - owner @{HOME}/.var/app/{,**} rw, owner @{user_download_dirs}/*.flatpakref r, owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/ rw, - owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, @@ -94,7 +88,6 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, - owner @{user_share_dirs}/gnome-software/{,**} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, @@ -123,10 +116,7 @@ profile gnome-software @{exec_path} { @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, @@ -166,6 +156,8 @@ profile gnome-software @{exec_path} { include include + capability setuid, + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8df82b290..a3d039dea 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor 
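Review bot: The last gnome-software hunk adds a bare `capability setuid,` to a subprofile whose header lies outside the hunk, and the same commit removes gnome-software from the complain list in main.flags, so this grant becomes enforced without any note of what needs it. CAP_SETUID is one of the broader capabilities to hand out, and the repository style elsewhere in this diff annotates non-obvious rules (see the libvirtd and dropbox comments), so a why-comment would be in keeping, for example `capability setuid, # <operation observed in the denial that required it>`. The nearby `mount fstype=fuse.revokefs-fuse` context hints at a flatpak/revokefs helper, but I cannot confirm that from the hunk, so the comment should come from the actual denial.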
@@ -9,10 +9,7 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include - include - include - include + include include capability sys_ptrace, @@ -35,7 +32,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, - /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, @@ -78,8 +74,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/diskstats r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 55a7f4687..837f00f68 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -19,11 +19,11 @@ profile gnome-terminal-server @{exec_path} { include include - signal (send) set=(hup) peer=htop, - signal (send) set=(term hup kill) peer=unconfined, + signal send set=(hup) peer=htop, + signal send set=(term hup kill) peer=unconfined, - ptrace (read) peer=htop, - ptrace (read) peer=unconfined, + ptrace read peer=htop, + ptrace read peer=unconfined, #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions @@ -39,14 +39,14 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, # The shell is not confined on purpose. - @{bin}/@{shells} rUx, + @{bin}/@{shells} Ux, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, - @{open_path} rPx -> child-open, + @{open_path} Px -> child-open, /etc/shells r, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index fa94d56e8..96e83b846 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks 
+++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -32,7 +32,7 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index c9177de5c..a32a3d8c3 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -17,7 +17,7 @@ profile kgx @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -25,14 +25,14 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/btop rPUx, - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, - @{bin}/nvtop rPx, - @{bin}/vim rUx, + @{bin}/btop PUx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + @{bin}/nvtop Px, + @{bin}/vim Ux, - @{open_path} rPx -> child-open-help, + @{open_path} Px -> child-open-help, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 1d8987709..59efc3201 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -14,7 +14,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include capability net_admin, @@ -47,7 +47,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, - @{sys}/devices/@{pci}/revision r, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/groups/polkit/pkttyagent index de0eeef33..436447aef 100644 
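Review bot: The kgx hunk rewrites the launcher rules but keeps `@{bin}/nvtop Px,` twice on the new side (it was also duplicated on the old side); one of the two lines should go, since a duplicated rule only invites the question of whether a different path was intended. The change of `@{bin}/vim rUx` to `@{bin}/vim Ux` is a syntax normalisation, but vim remains unconfined while btop and micro get `PUx`; if that asymmetry is intentional a short comment next to the vim line would save the next reader the same question.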
--- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} { capability sys_nice, capability audit_write, - ptrace (read), - signal (send,receive), + ptrace read, + signal (send, receive), @{exec_path} mr, diff --git a/apparmor.d/groups/shadow/newgidmap b/apparmor.d/groups/shadow/newgidmap index 4a7196fc2..6fa555504 100644 --- a/apparmor.d/groups/shadow/newgidmap +++ b/apparmor.d/groups/shadow/newgidmap @@ -18,6 +18,8 @@ profile newgidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subgid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/groups/shadow/newuidmap b/apparmor.d/groups/shadow/newuidmap index 549eb06ef..6a53bf5c1 100644 --- a/apparmor.d/groups/shadow/newuidmap +++ b/apparmor.d/groups/shadow/newuidmap @@ -18,6 +18,8 @@ profile newuidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subuid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index e3643ab6d..bba3dfedb 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -15,9 +15,10 @@ profile calibre @{exec_path} { include include include - include include + include include + include include include include @@ -35,11 +36,13 @@ profile calibre @{exec_path} { capability sys_ptrace, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - unix (send, receive) type=stream peer=(addr=none, label=xorg), + # unix (send, receive) type=stream peer=(addr=none, label=xorg), unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", 
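Review bot: In the calibre `@@ -35,11 +36,13 @@` hunk the rule `unix (send, receive) type=stream peer=(addr=none, label=xorg),` is commented out rather than removed or explained, which leaves a dead rule in an enforced profile with no hint of why it stopped being needed. Either delete it or keep it with a reason, e.g. `# unix ... label=xorg — no longer observed; confirm on X11 sessions before deleting`, since a Wayland-only test run would not exercise it. The added `network inet dgram,` / `network inet6 dgram,` pair is unannotated as well; the rest of the file's style would call for a note on what opens the UDP sockets.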
@@ -47,9 +50,10 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, + @{bin}/env r, @{bin}/file rix, - @{sbin}/ldconfig{,.real} rix, @{bin}/uname rix, + @{sbin}/ldconfig{,.real} rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @@ -61,6 +65,7 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, /etc/fstab r, + /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, /etc/mime.types r, @@ -68,10 +73,15 @@ profile calibre @{exec_path} { owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/metadata.db" rwk, - owner @{user_documents_dirs}/{,**} rwl, + owner @{user_books_dirs}/{,**} rwl, + owner @{user_books_dirs}/Calibre/** rwk, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_documents_dirs}/Calibre/** rwk, owner @{user_torrents_dirs}/{,**} rwl, + owner @{user_torrents_dirs}/Calibre/** rwk, owner @{user_work_dirs}/{,**} rwl, + owner @{user_work_dirs}/Calibre/** rwk, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, @@ -82,10 +92,11 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{tmp}/calibre_*_tmp_*/{,**} rw, - owner @{tmp}/calibre-*/{,**} rw, - owner @{tmp}/@{int}-*/ rw, - owner @{tmp}/@{int}-*/** rwl, + owner @{tmp}/@{rand8} rw, + audit owner @{tmp}/@{int}-*/ rw, + audit owner @{tmp}/@{int}-*/** rwl, + audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, + audit owner @{tmp}/calibre-@{rand8}/{,**} rw, owner /dev/shm/#@{int} rw, @@ -108,6 +119,7 @@ profile calibre @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, + /dev/tty r, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index f1b5034e6..906dcf512 100644 --- a/apparmor.d/profiles-m-r/mdevctl 
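Review bot: The four new temp-directory rules in calibre carry the `audit` qualifier (`audit owner @{tmp}/@{int}-*/ rw,` and the three below it), which makes AppArmor log every allowed access to those paths, not just denials; that is a debugging aid and in a shipped profile it produces a steady stream of audit noise on every library operation. Unless the intent is to keep watching these paths during rollout, drop the qualifier so the lines read `owner @{tmp}/@{int}-*/ rw,` etc. If it is intentional, a comment saying so and when it can be removed would prevent it being cleaned up prematurely or, worse, left in forever.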
+++ b/apparmor.d/profiles-m-r/mdevctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 4aa662cd0..808427d85 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/metadata-cleaner profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include include include @@ -20,12 +18,10 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{python_path} rix, - @{bin}/bwrap rCx -> bwrap, - @{open_path} rPx -> child-open-help, + @{bin}/bwrap Cx -> bwrap, + @{open_path} Px -> child-open-help, - /usr/share/metadata-cleaner/{,**} r, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, - /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, @@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, @@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=metadata-cleaner, + signal receive set=(kill) peer=metadata-cleaner, @{bin}/bwrap mr, @{bin}/vendor_perl/exiftool rix, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 64ab228ba..fc582cae2 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -14,6 +14,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, 
@@ -67,6 +68,10 @@ profile totem @{exec_path} flags=(attach_disconnected) { include capability dac_override, + capability sys_ptrace, + + network inet dgram, + network inet6 dgram, @{bin}/bwrap mr, @{bin}/totem-video-thumbnailer rix, @@ -78,8 +83,11 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + owner @{tmp}/gnome-desktop-thumbnailer.png rw, @{PROC}/sys/vm/mmap_min_addr r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 41ac0b973..4273e803d 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,27 +11,30 @@ include profile xsane-gimp @{exec_path} { include include - include - - signal (receive) set=(term, kill) peer=gimp, + include network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=(term, kill) peer=gimp, + @{exec_path} mr, + @{system_share_dirs}/gimp/{,**} r, @{system_share_dirs}/sane/xsane/{,**} r, - @{system_share_dirs}/snmp/mibs/{,**} r, # network + @{system_share_dirs}/snmp/mibs/{,**} r, + /etc/sane.d/{,**} r, + owner @{HOME}/.sane/{,**} rw, owner @{tmp}/xsane-*-@{rand6} rw, - @{sys}/devices/@{pci}/{model,type,vendor} r, - @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, - # SCSI @{sys}/bus/scsi/devices/ r, + @{sys}/devices/@{pci}/{model,type,vendor} r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2cef12304..b710f2d94 100644 --- a/dists/flags/main.flags 
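Review bot: The totem `@@ -67,6 +68,10 @@` hunk adds `capability sys_ptrace,` and inet/inet6 `dgram` to a subprofile whose header is outside the hunk but whose context (`@{bin}/bwrap mr,`, `@{bin}/totem-video-thumbnailer rix,`) indicates it is the sandboxed thumbnailer. CAP_SYS_PTRACE in a sandbox helper is a heavy grant: besides tracing it lifts the /proc restrictions on other processes, and the existing `capability dac_override` already sits alongside it. If the denial that motivated it was a /proc read of another process, a `ptrace read` rule scoped by peer would be narrower; if bwrap genuinely needs the capability, please record that in a comment on the line, as the rest of the file does for its non-obvious rules.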
+++ b/dists/flags/main.flags @@ -9,7 +9,6 @@ systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain -aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -106,7 +105,6 @@ filezilla complain finalrd complain firewall-applet attach_disconnected,complain firewall-config complain -firewalld attach_disconnected,complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain @@ -117,29 +115,20 @@ flatpak-system-helper complain flatpak-validate-icon complain fstrim complain fuse-overlayfs complain -fusermount complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain -gimp complain gmenudbusmenuproxy complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-disks complain gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain -gnome-music attach_disconnected,complain -gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-software complain -gnome-system-monitor attach_disconnected,complain -gnome-terminal-server complain -gnome-tweaks complain grub-bios-setup complain grub-editenv complain grub-file complain @@ -173,8 +162,8 @@ gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain -hyprctl complain -hyprlock complain +hyprctl attach_disconnected,complain +hyprlock attach_disconnected,complain hyprpaper attach_disconnected,complain hyprpicker complain hyprpm complain 
@@ -184,7 +173,6 @@ im-launch complain install-info complain iwctl complain iwd complain -jitterentropy-rngd complain kaccess complain kactivitymanagerd complain kalendarac complain @@ -202,7 +190,6 @@ kded complain kernel-install complain keyboxd complain kglobalacceld complain -kgx complain kio_http_cache_cleaner complain kiod complain kioworker complain @@ -238,9 +225,6 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdevctl complain -metadata-cleaner attach_disconnected,complain -mke2fs complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain @@ -357,7 +341,6 @@ systemd-network-generator complain systemd-nsresourced complain systemd-nsresourcework complain systemd-portabled complain -systemd-remount-fs complain systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain @@ -408,6 +391,5 @@ xdm-xsession complain xembedsniproxy complain xfce-session attach_disconnected,complain xsettingsd complain -xwaylandvideobridge complain zpool complain From 21abf59132bc39f72fba96bad60eed1d41a1e5cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:48:33 +0200 Subject: [PATCH 387/672] feat(profile): libvirt: simplify udev access. --- apparmor.d/groups/virt/libvirtd | 31 ++----------------------------- 1 file changed, 2 insertions(+), 29 deletions(-) diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 53dcb0703..94fa568a3 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
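Review bot: Several profiles are switched from complain to enforce in main.flags without any corresponding profile change in this commit's diffstat: the hunks here drop `jitterentropy-rngd`, `systemd-remount-fs` and `xwaylandvideobridge`, and the earlier hunks drop `aa-notify`, `firewalld`, `fusermount`, `gimp`, `gnome-disks`, `gnome-music` and `gnome-photos-thumbnailer`. For firewalld, fusermount and systemd-remount-fs a newly enforced profile that is still missing a rule fails at boot or breaks mounts, so these are the ones I would want evidence for; they may well have been validated separately, but the commit message "update and enforce a few profiles" does not say so. Listing the profiles enforced without changes in the message, or moving those flag removals to their own commit, would make the change easier to bisect if a regression appears.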
@@ -162,35 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp* - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c21:@{int} r, # Generic SCSI access - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c108:@{int} r, # For /dev/ppp - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{run}/udev/data/n@{int} r, @{sys}/bus/[a-z]*/devices/ r, From 64f02ff6084d5084339211cdcd7f5a468cab5bf2 Mon Sep 17 00:00:00 2001 
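Review bot: The two replacement rules `@{run}/udev/data/+*:* r,` and `@{run}/udev/data/c@{int}:@{int} r,` discard every per-subsystem comment that explained why libvirtd reads the udev database, so the widening now reads as accidental; one line such as `# node-device driver enumerates host hardware through libudev` would keep the intent visible. The new set still covers only character and network entries: if the node-device driver also walks storage through libudev it would read `b@{int}:@{int}` entries, which the old explicit list did not cover either, so the change should be checked against aa-log rather than assumed to be pure simplification. Read access to the udev db is low sensitivity, so the broad glob itself is a reasonable trade.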
From: Alexandre Pujol Date: Sun, 18 May 2025 14:50:09 +0200 Subject: [PATCH 388/672] feat(profile): snapd: add journalctl subprofile. --- apparmor.d/groups/snap/snapd | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 38d803655..c1b24176e 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -60,7 +60,7 @@ profile snapd @{exec_path} { dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.timedate1, label=unconfined), + peer=(name=org.freedesktop.timedate1), @{exec_path} mrix, @@ -72,7 +72,7 @@ profile snapd @{exec_path} { @{sbin}/groupadd rPx, @{bin}/gzip rix, @{bin}/hostnamectl rPx, - @{bin}/journalctl rPx, + @{bin}/journalctl rCx -> journalctl, @{bin}/kmod rPx, @{bin}/mount rix, @{sbin}/runuser rCx -> runuser, @@ -199,6 +199,25 @@ profile snapd @{exec_path} { include if exists } + profile journalctl { + include + include + + capability net_admin, + + network netlink raw, + + @{bin}/journalctl mr, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + include if exists + } + profile runuser { include From b677d4a0b537ff1c22ab2260f418cbe348df80f5 Mon Sep 17 00:00:00 2001 From: tpaau-17DB Date: Sun, 18 May 2025 18:36:39 +0200 Subject: [PATCH 389/672] Fix hyprland profile. --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 68356741d..c06671b34 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland 
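Review bot: The new `journalctl` child profile grants `capability net_admin,` and `network netlink raw,`, neither of which is required to read journal files; if they were added to silence a denial, the call that triggers it should be identified and noted, e.g. `capability net_admin, # TODO: which journalctl path needs this?`, because net_admin is far more than a log reader should hold. The journal rules `/{run,var}/log/journal/@{hex32}/{,*} r,` cover only the local machine directory, so they hold for the plain invocation snapd makes but not for `--merge`/`-D` forms that read `remote/`; a comment stating the expected invocation would keep that from being "fixed" later with a wider glob. In the first hunk, dropping `label=unconfined` from the timedate1 peer removes the only constraint on who answers; if a timedated profile now owns that name, `label=` naming it would preserve the check.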
@@ -31,6 +31,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, owner @{user_share_dirs}/hyprpm/** mr, + owner @{user_share_dirs}/hyprland/** rw, owner @{run}/user/@{uid}/gamescope-* rw, owner @{run}/user/@{uid}/.hyprpaper_* rw, From 10ef829d31efe2f4f9de20ef9b52b999852d489d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 19:31:33 +0200 Subject: [PATCH 390/672] fix(profile): more possible id than int for i2c. --- apparmor.d/groups/kde/kde-powerdevil | 10 +++++----- apparmor.d/groups/procps/htop | 6 +++--- apparmor.d/groups/xfce/xfce-sensors | 2 +- apparmor.d/profiles-m-r/monitorix | 2 +- apparmor.d/profiles-s-z/sensors | 2 +- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index f5ffa6a82..ebb150ed2 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -70,12 +70,12 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, - @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/**/dev r, @{sys}/devices/**/ r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/**/i2c-@{int}/**/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/**/i2c-*/**/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 5e1079802..d59fde5e5 100644 --- a/apparmor.d/groups/procps/htop 
+++ b/apparmor.d/groups/procps/htop @@ -45,7 +45,7 @@ profile htop @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, @@ -56,8 +56,8 @@ profile htop @{exec_path} { @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/*/name r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{sys}/devices/system/cpu/cpu@{int}/** r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index e7ee1080b..c1bd98111 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index b640d90fd..c708b587c 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -95,7 +95,7 @@ profile monitorix @{exec_path} { @{PROC}/@{pids}/io r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, 
diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 4028680a6..ca2d43a65 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -21,7 +21,7 @@ profile sensors @{exec_path} { @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, + @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, @{sys}/devices/@{pci}/name r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 96dc17042..d21cf6f56 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index e076f313c..9a4b5cebe 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,7 +24,7 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-*/name r, @{sys}/devices/@{pci}/net/*/duplex r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, From 86afef4920601f4e8babdfaf15d232ac5aed2979 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 19:33:58 +0200 Subject: [PATCH 391/672] build: improve `just install` --- Justfile | 13 ++++++++----- PKGBUILD | 3 ++- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/Justfile b/Justfile index 1e626dc1c..825097a1b 100644 
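Review bot: The same `i2c-@{int}` → `i2c-*` widening is hand-applied in seven profiles in this commit (kde-powerdevil, htop, xfce-sensors, monitorix, sensors, sensors-detect, sysstat-sadc); if non-numeric adapter ids are a stable kernel naming, a shared variable next to `@{pci}` (e.g. `@{i2c} = i2c-*`) would stop the rules drifting apart again. The commit message says only "more possible id than int" without naming one; a comment on a single rule, quoting the id seen in the denial, would let the next maintainer recognise the case instead of re-narrowing it. `*` does not cross `/`, so the widened rules stay one path component wide, which is the right scope.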
--- a/Justfile +++ b/Justfile @@ -18,7 +18,7 @@ # Build setings destdir := "/" build := ".build" -pkgdest := `pwd` / ".pkg/dist" +pkgdest := `pwd` / ".pkg" pkgname := "apparmor.d" # Admin username @@ -86,13 +86,16 @@ install: #!/usr/bin/env bash set -eu -o pipefail install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log - for file in $(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n"); do + mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") + for file in "${share[@]}"; do install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" done - for file in $(find "{{build}}/apparmor.d" -type f -printf "%P\n"); do + mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") + for file in "${aa[@]}"; do install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" done - for file in $(find "{{build}}/apparmor.d" -type l -printf "%P\n"); do + mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") + for file in "${links[@]}"; do mkdir -p "{{destdir}}/etc/apparmor.d/disable" cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" done @@ -155,7 +158,7 @@ serve: clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ - .pkg/{{pkgname}}* {{build}} coverage.out + {{pkgdest}}/{{pkgname}}* {{build}} coverage.out [doc('Build the package in a clean OCI container')] package dist: diff --git a/PKGBUILD b/PKGBUILD index 58a693d34..b48e55153 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -30,7 +30,8 @@ build() { export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" - DISTRIBUTION=arch just complain + export DISTRIBUTION=arch + just complain } package() { From 707a5e8beec085376c6bc772352289ace86633d9 Mon Sep 17 00:00:00 2001 
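Review bot: `mapfile -t share < <(find ... -printf "%P\n")` still splits on newlines, so the rewrite fixes word-splitting on spaces but not on newline characters in paths; the complete form is NUL-delimited: `mapfile -d '' -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\0")`, and likewise for the `aa` and `links` arrays. The build tree is project-controlled, so this is hardening rather than a live defect. Separately, `mkdir -p "{{destdir}}/etc/apparmor.d/disable"` now runs once per symlink inside the loop and can be hoisted above it.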
From: Alexandre Pujol Date: Tue, 20 May 2025 21:41:52 +0200 Subject: [PATCH 392/672] feat(profile): firewalld move kmod into a subprofile. --- apparmor.d/groups/firewall/firewalld | 36 +++++++++++++++------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index ddf0291ee..01f853c26 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -9,7 +9,6 @@ include @{exec_path} = @{sbin}/firewalld profile firewalld @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -21,7 +20,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { capability net_admin, capability net_raw, capability setpcap, - capability sys_module, network inet raw, network inet6 raw, @@ -34,15 +32,14 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sbin}/ r, - @{bin}/alts rix, - @{sbin}/ebtables-legacy rix, - @{sbin}/ebtables-legacy-restore rix, - @{bin}/false rix, - @{sbin}/ipset rix, - @{bin}/kmod rix, - @{sbin}/modprobe rix, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rmix, + @{bin}/alts ix, + @{bin}/false ix, + @{bin}/kmod Cx -> kmod, + @{sbin}/ebtables-legacy ix, + @{sbin}/ebtables-legacy-restore ix, + @{sbin}/ipset ix, + @{sbin}/xtables-legacy-multi ix, + @{sbin}/xtables-nft-multi mix, /usr/local/lib/@{python_name}/dist-packages/ r, 
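Review bot: The exec list drops `@{sbin}/modprobe rix,` and keeps only `@{bin}/kmod Cx -> kmod,`, but firewalld invokes the tool as `modprobe`; AppArmor matches the resolved target path, so this works where `@{sbin}/modprobe` is a symlink to kmod and is a silent denial on a distribution that ships modprobe as a separate file under `@{sbin}`. A one-line comment, `# modprobe is a symlink to kmod on supported distributions`, or an explicit `@{sbin}/modprobe Cx -> kmod,` alongside the kmod rule would make that assumption checkable. The `rix` → `ix` change on the remaining helpers is the repository's current convention and is fine.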
@@ -58,18 +55,25 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /var/log/firewalld rw, @{run}/firewalld/{,*} rw, - @{run}/modprobe.d/{,*.conf} r, @{run}/xtables.lock rwk, - @{sys}/module/compression r, - @{sys}/module/*/initstate r, - - @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pids}/net/ip_tables_names r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/nf_*/initstate r, + + include if exists + } + include if exists } From 85d35a4f86ac4a6a9479153a0aaf0b6da8063dae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:30:34 +0200 Subject: [PATCH 393/672] feat(profile): mkinitcpio ensure support for different kernel. fix #749 --- apparmor.d/groups/pacman/mkinitcpio | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 785f4f448..9eafb72a9 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -84,8 +84,9 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, - /boot/ r, - /{boot,efi}/EFI/{,**} rw, + @{efi}/ r, + @{efi}/EFI/{,**} rw, + @{efi}/@{hex32}/{,**} rw, /boot/initramfs-*.img* rw, /boot/vmlinuz-* r, From facc504ae9769f3053557665d85940027ccd9fd3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:32:28 +0200 Subject: [PATCH 394/672] fix(abs): editor: use of neovim as editor. fix #749 --- apparmor.d/abstractions/app/editor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 1c0b87e6a..f62e36339 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor 
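Review bot: The `kmod` child narrows the old `@{sys}/module/*/initstate r,` to `@{sys}/module/nf_*/initstate r,`, but modprobe reads `initstate` for every module in the dependency chain it resolves, and firewalld's iptables/ebtables backends may probe modules outside the `nf_` prefix (`ip_tables`, `ebtables`, `xt_*`), so the narrower glob is likely to reappear as a denial inside the child rather than in firewalld itself. The parent also loses `@{run}/modprobe.d/{,*.conf} r,` and `@{PROC}/sys/kernel/modprobe r,` without the child re-adding them; unless the abstraction included in the child (name not visible here) covers them, modprobe configuration overrides will be skipped silently. Moving `capability sys_module,` out of the main profile into the child is the right shape; a comment on the child, `# loads nf_conntrack helper modules on demand`, would record why it exists.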
@@ -10,7 +10,7 @@ include @{sh_path} rix, - @{bin}/nvim mix, + @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, @{bin}/which rix, From 58d677b5f0ba8e3ae60be71dbb0f6fcbf66ff721 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:48:54 +0200 Subject: [PATCH 395/672] fix: tweak kde related abs to ensure all common rules are allowed. fix #741 --- apparmor.d/abstractions/app/open | 4 ++++ apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/kde-strict | 4 +++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 2b865457c..2a43affcf 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -34,9 +34,13 @@ include include + /etc/xdg/menus/ r, + owner @{run}/user//@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{PROC}/sys/kernel/random/boot_id r, + # fi include if exists diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 78a98a3cf..181339a12 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -52,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 0f4410a12..7439cd9e9 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict 
@@ -28,7 +28,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, @@ -41,6 +41,8 @@ owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/trashrc r, + owner @{user_share_dirs}/#@{int} rw, + include if exists # vim:syntax=apparmor From 222125e593d0931a38650888ef1120091c520eaa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:01:21 +0200 Subject: [PATCH 396/672] fix: processing regexs --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/kde-strict | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 181339a12..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -52,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 7439cd9e9..56aa88798 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -28,7 +28,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, From 6495061360d6d8ddbd695e27314ff3acb0cf37cb Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 18 May 2025 20:27:44 +0200 Subject: [PATCH 397/672] feat(profile): add initial version for dpkg-scripts. --- apparmor.d/groups/apt/dpkg-script-apparmor | 10 +- .../{dpkg-script-udev => dpkg-script-kmod} | 11 +- apparmor.d/groups/apt/dpkg-script-linux | 45 ++++++ apparmor.d/groups/apt/dpkg-script-man | 27 ---- apparmor.d/groups/apt/dpkg-script-systemd | 64 ++++++++ apparmor.d/groups/apt/dpkg-scripts | 141 ++++++++++++++++++ dists/flags/main.flags | 6 +- 7 files changed, 263 insertions(+), 41 deletions(-) rename apparmor.d/groups/apt/{dpkg-script-udev => dpkg-script-kmod} (54%) create mode 100644 apparmor.d/groups/apt/dpkg-script-linux delete mode 100644 apparmor.d/groups/apt/dpkg-script-man create mode 100644 apparmor.d/groups/apt/dpkg-script-systemd create mode 100644 apparmor.d/groups/apt/dpkg-scripts diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 088fff84a..585d9c59d 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -15,12 +15,12 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/grep ix, - @{bin}/deb-systemd-helper rPx, - @{bin}/deb-systemd-invoke rPx, - @{bin}/dpkg-divert rix, - @{bin}/systemctl rCx -> systemctl, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-divert ix, + @{bin}/systemctl Cx -> systemctl, /usr/share/apparmor.d/** rw, diff --git a/apparmor.d/groups/apt/dpkg-script-udev b/apparmor.d/groups/apt/dpkg-script-kmod similarity index 54% rename from apparmor.d/groups/apt/dpkg-script-udev rename to apparmor.d/groups/apt/dpkg-script-kmod index 58840ef39..f900bba17 100644 --- a/apparmor.d/groups/apt/dpkg-script-udev +++ b/apparmor.d/groups/apt/dpkg-script-kmod 
@@ -6,16 +6,13 @@ abi , include -@{exec_path} = /var/lib/dpkg/info/udev* -profile dpkg-script-udev @{exec_path} { +@{exec_path} = /var/lib/dpkg/info/kmod* +profile dpkg-script-kmod @{exec_path} { include - @{exec_path} mr, + @{exec_path} mrix, - @{bin}/systemd-hwdb rPx, - @{bin}/deb-systemd-invoke rPx, - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux new file mode 100644 index 000000000..c84d6aa4b --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/linux* +profile dpkg-script-linux @{exec_path} { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/cat ix, + @{bin}/locale ix, + @{bin}/mkdir ix, + @{bin}/mkdir ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/stty ix, + + @{bin}/dpkg-trigger Px, + @{bin}/kmod Px, + @{bin}/linux-check-removal Px, + @{bin}/linux-update-symlinks Px, + @{bin}/whiptail Px, + + /usr/share/{update,reboot}-notifier/notify-reboot-required Px, + /etc/kernel/{,header_}postinst.d/* Px, + /etc/kernel/postrm.d/* Px, + /etc/kernel/preinst.d/* Px, + /etc/kernel/prerm.d/* Px, + + /etc/kernel/*.d/ r, + + @{lib}/linux/triggers/* w, + @{lib}/modules/*/.fresh-install w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-man b/apparmor.d/groups/apt/dpkg-script-man deleted file mode 100644 index 63f5c5c78..000000000 --- a/apparmor.d/groups/apt/dpkg-script-man +++ /dev/null 
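Review bot: `@{bin}/mkdir ix,` appears twice in the new dpkg-script-linux profile; drop the duplicate. The attachment `@{exec_path} = /var/lib/dpkg/info/linux*` catches the maintainer scripts of every package whose name starts with `linux` (linux-base, linux-libc-dev, linux-firmware, …), not only kernel images and headers, while the rule set is tailored to the kernel hooks; either narrow the glob (e.g. `linux-{image,headers}-*`) or state the intent in a comment. The renamed `dpkg-script-kmod` keeps only `@{exec_path} mrix,` plus includes (names not visible here), so whatever the kmod postinst executes must come from those abstractions — worth confirming with aa-log, since the udev profile it replaces needed `Px` to `systemd-hwdb` and `deb-systemd-invoke`.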
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/man-db.* -profile dpkg-script-man @{exec_path} { - include - include - include - - capability setgid, - capability setuid, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/setpriv rix, - @{bin}/mandb rPx, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd new file mode 100644 index 000000000..28f4b6e87 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -0,0 +1,64 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/systemd* +profile dpkg-script-systemd @{exec_path} { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg Cx -> dpkg, + @{bin}/dpkg-divert Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/journalctl Px, + @{bin}/kernel-install Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/systemd-machine-id-setup Px, + @{bin}/systemd-sysusers Px, + @{bin}/systemd-tmpfiles Px, + @{lib}/systemd/systemd-sysctl Px, + @{sbin}/pam-auth-update Px, + + /etc/systemd/system/*.wants/ rw, + /etc/systemd/system/*.wants/* rw, + + /var/lib/systemd/{,*} rw, + /var/log/journal/ rw, + + profile dpkg { + include + include + + @{bin}/dpkg mr, + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
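Review bot: `@{exec_path} = /var/lib/dpkg/info/systemd*` attaches the new profile to every `systemd-*` package's maintainer scripts (systemd-resolved, systemd-timesyncd, systemd-boot, systemd-container, …) as well as systemd itself, so the rule set is effectively the union for all of them; a comment stating that, or a narrower glob with the extra packages listed, would make the scope explicit. `/etc/systemd/system/*.wants/* rw,` and `/var/lib/systemd/{,*} rw,` are direct writes by the script rather than via `deb-systemd-helper` (which is `Px` here), so the profile should say which maintainer-script step needs them or a later cleanup will remove them as redundant. The `dpkg` child grants only `@{bin}/dpkg mr,` plus includes, which suits `dpkg --compare-versions`; if the scripts also call `dpkg-query`, that path is not covered.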
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts new file mode 100644 index 000000000..d644b6c3e --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-scripts 
@@ -0,0 +1,141 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/** +profile dpkg-scripts @{exec_path} { + include + include + include + + capability chown, + capability dac_read_search, + capability fowner, + capability fsetid, + capability setgid, + capability setuid, + + @{exec_path} mrix, + + # Common program found in maintainer scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/run-parts rix, + + @{bin}/setpriv ix, + @{bin}/envsubst ix, + @{bin}/getent ix, + @{bin}/gzip ix, + @{bin}/helpztags ix, + @{bin}/locale ix, + @{bin}/tput ix, + @{bin}/zcat ix, + @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, + @{lib}/ubuntu-advantage/postinst-migrations.sh ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/invoke-rc.d Cx -> rc, + @{sbin}/ldconfig Cx -> ldconfig, + @{sbin}/ldconfig.real Cx -> ldconfig, + @{sbin}/update-rc.d Cx -> rc, + + # Maintainer scripts can legitimately start/restart anything + @{bin}/** Px, + @{sbin}/** Px, + @{lib}/** Px, + /usr/share/** Px, + /etc/init.d/* Px, + + /var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-* + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp + + # Maintainer's scripts can update a lot of files + / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + /etc/ r, + /etc/** rw, + /usr/share/*/ r, + /usr/share/*/** rw, + /var/** rw, + @{run}/** rw, + @{efi}/grub/* rw, + + /tmp/grub.@{rand10} rw, + /tmp/sed@{rand6} rw, + /tmp/tmp.@{rand10} rw, + + profile bus { + include + include + include + + dbus send bus=system path=/ + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + @{run}/utmp rk, + + include if exists + } + + profile rc { + 
include + include + + @{sbin}/update-rc.d mr, + @{sbin}/invoke-rc.d mr, + + @{coreutils_path} rix, + @{sh_path} rix, + @{bin}/systemctl rPx -> dpkg-scripts//systemctl, + + /etc/ r, + /etc/init.d/* r, + /etc/rc?.d/ r, + /etc/rc@{int}.d/ r, + /etc/rc@{int}.d/* rw, + /etc/rc@{c}.d/* rw, + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + @{sbin}/ldconfig.real rix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index b710f2d94..9aa61f15b 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -88,8 +88,10 @@ dolphin complain downloadhelper complain dpkg-maintscript-helper complain dpkg-script-apparmor complain -dpkg-script-man complain -dpkg-script-udev complain +dpkg-script-kmod complain +dpkg-script-linux complain +dpkg-script-systemd complain +dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain From c446c44ded1f9239f065b341b85dec332d1cc157 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:32:57 +0200 Subject: [PATCH 398/672] feat(profile): add dpkg-script-tmp. --- apparmor.d/groups/apt/deb-systemd-invoke | 2 +- apparmor.d/groups/apt/dpkg-architecture | 9 ++-- apparmor.d/groups/apt/dpkg-db-backup | 42 +++++++++++++++ apparmor.d/groups/apt/dpkg-maintscript-helper | 6 +-- apparmor.d/groups/apt/dpkg-script-tmp | 53 +++++++++++++++++++ apparmor.d/groups/apt/dpkg-vendor | 1 - dists/flags/main.flags | 2 + 7 files changed, 104 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/groups/apt/dpkg-db-backup create mode 100644 apparmor.d/groups/apt/dpkg-script-tmp diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 63dfdaf52..0994006da 100644 
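Review bot: `/var/** rw,` overlaps the attachment path `@{exec_path} = /var/lib/dpkg/**`, which is executed `mrix`, so a script confined by dpkg-scripts can write a file under `/var/lib/dpkg/` and then execute it under the same profile — there is no write/execute separation on the profile's own binaries. If maintainer scripts do not need to write there directly (`dpkg`, `dpkg-divert` and `dpkg-trigger` are all `Px` transitions), a `deny /var/lib/dpkg/** w,` or a carve-out of `/var/lib/dpkg/` from the broad rule restores it; if they do, a comment naming the case is the minimum. The combination of `/etc/** rw,`, `@{bin}/** Px,` and `/usr/share/** Px,` makes this profile close to unconfined for anything it can reach, which is acceptable for complain-mode bring-up but should be stated at the top (`# Broad by design: maintainer scripts are arbitrary root shell; this profile mainly provides exec transitions`). Minor: in the `rc` child `/etc/rc?.d/ r,` largely duplicates `/etc/rc@{int}.d/ r,`, and `/tmp/sed@{rand6} rw,` lacks `owner`.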
--- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -21,7 +21,7 @@ profile deb-systemd-invoke @{exec_path} { @{sh_path} rix, @{bin}/systemctl rix, - @{bin}/systemd-tty-ask-password-agent rPx, + @{bin}/systemd-tty-ask-password-agent Px, include if exists } diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index a58257271..b1a23f222 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -16,10 +16,9 @@ profile dpkg-architecture @{exec_path} { capability dac_read_search, @{exec_path} r, - /usr/bin/perl r, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* ix, + @{lib}/llvm-[0-9]*/bin/clang ix, @{bin}/ccache rCx -> ccache, @{bin}/dpkg rPx -> child-dpkg, @@ -28,9 +27,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - # file_inherit - owner @{tmp}/* rw, - + audit owner @{tmp}/* rw, profile ccache { include diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup new file mode 100644 index 000000000..d83bdbb45 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dpkg/dpkg-db-backup +profile dpkg-db-backup @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/gzip rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/savelog rix, + @{bin}/tar rix, + @{bin}/touch rix, + + /usr/share/dpkg/{,**} r, + + /var/lib/dpkg/ r, + /var/lib/dpkg/alternatives/{,*} r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/statoverride r, + + /var/backups/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor 
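Review bot: `audit owner @{tmp}/* rw,` in dpkg-architecture turns every temp-file access into an audit record, which is a debugging aid rather than a shipping rule, and it replaces the `# file_inherit` comment that explained why the broad `@{tmp}/*` access exists (descriptors inherited from the calling build tool), so the rationale is now lost. Either restore the comment and drop `audit`, or keep `audit` with a comment saying it is temporary: `owner @{tmp}/* rw, # file_inherit from the calling build tool`. In the new `dpkg-db-backup` profile, `/var/backups/{,**} rw,` grants write to every backup on the host; if the script only produces the dpkg status/diversions/statoverride/alternatives files (plus `savelog` rotations), naming those prefixes would be the least-privilege form.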
diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index b7d8675e8..dfb881e32 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -13,9 +13,9 @@ profile dpkg-maintscript-helper @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/dpkg rCx -> dpkg, + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dpkg rCx -> dpkg, /usr/share/dpkg/sh/* r, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp new file mode 100644 index 000000000..e6c7fbe44 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-tmp @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} +profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/run-parts rix, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg Px, + @{bin}/dpkg-divert Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/kmod Cx -> kmod, + @{bin}/systemctl Cx -> systemctl, + + /etc/kernel/preinst.d/*-microcode ix, + + @{lib}/modules/*/.fresh-install w, + + profile kmod { + include + include + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + capability sys_resource, + + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index aee717257..70d2199f2 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -13,7 +13,6 @@ profile dpkg-vendor @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /etc/dpkg/origins/* r, 
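Review bot: `@{bin}/dpkg Px,` in the new dpkg-script-tmp profile transitions into the full `dpkg` profile, whereas `dpkg-scripts` in the previous commit and `update-apt-xapian-index` use `Px -> child-dpkg` and `dpkg-script-systemd`/`dpkg-maintscript-helper` use a local `Cx -> dpkg` child; a preinst's dpkg use is the same `--compare-versions` style query, so `@{bin}/dpkg Px -> child-dpkg,` would keep the series consistent and avoid handing a preinst the whole package-manager profile. The `kmod` child carries only includes (names not visible here) and no `capability sys_module`, so it suits `depmod` but will deny a `modprobe`; a comment such as `# depmod only` would pin that. `/etc/kernel/preinst.d/*-microcode ix,` runs the hook inside this profile while `dpkg-script-linux` runs `/etc/kernel/preinst.d/* Px` — one convention should win, or the difference should be explained.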
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9aa61f15b..aa62f9108 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -86,11 +86,13 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-db-backup complain dpkg-maintscript-helper complain dpkg-script-apparmor complain dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain +dpkg-script-tmp complain dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain From 9eff482ebf37d218c35cdf4cb9fcd7a3e2f618a5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:34:05 +0200 Subject: [PATCH 399/672] feat(profile): update unattended upgrade profiles. --- apparmor.d/groups/apt/unattended-upgrade | 52 +++++++++++-------- .../groups/apt/unattended-upgrade-shutdown | 4 +- apparmor.d/groups/apt/update-apt-xapian-index | 14 +++-- 3 files changed, 37 insertions(+), 33 deletions(-) diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 8413d9975..95b8b2760 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -32,7 +32,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (send) peer=apt-methods-http, + signal send peer=apt-methods-http, unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, 
@@ -41,26 +41,29 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, - @{bin}/echo rix, - @{bin}/gdbus rix, - @{bin}/ischroot rix, @{python_path} rix, - @{bin}/test rix, - @{bin}/touch rix, - @{bin}/uname rix, + @{bin}/echo ix, + @{bin}/gdbus ix, + @{bin}/md5sum ix, + @{bin}/tar ix, + @{bin}/test ix, + @{bin}/touch ix, + @{bin}/uname ix, - @{bin}/apt-listchanges rPx, - @{bin}/dpkg rPx, - @{bin}/dpkg-divert rPx, - @{sbin}/dpkg-preconfigure rPx, - @{bin}/etckeeper rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{sbin}/on_ac_power rPx, - @{sbin}/sendmail rPUx, - @{lib}/apt/methods/http{,s} rPx, - @{lib}/needrestart/apt-pinvoke rPx, - @{lib}/update-notifier/update-motd-updates-available rPx, - @{lib}/zsys-system-autosnapshot rPx, + @{bin}/dpkg-deb px, + @{bin}/apt-listchanges Px, + @{bin}/dpkg Px, + @{bin}/dpkg-divert Px, + @{bin}/etckeeper Px, + @{bin}/ischroot Px, + @{bin}/lsb_release Px -> lsb_release, + @{sbin}/dpkg-preconfigure Px, + @{sbin}/on_ac_power Px, + @{sbin}/sendmail Px, + @{lib}/apt/methods/http{,s} Px, + @{lib}/needrestart/apt-pinvoke Px, + @{lib}/update-notifier/update-motd-updates-available Px, + @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, @@ -70,8 +73,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, - /etc/default/apport r, - /etc/default/grub.d/* r, + /etc/default/{,**} r, /etc/dpkg/origins/{,debian,ubuntu} r, /etc/fwupd/{,**} r, /etc/grub.d/* r, 
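Review bot: `/etc/default/{,**} r,` replaces two targeted reads (`/etc/default/apport`, `/etc/default/grub.d/*`) with the whole tree, and the same commit adds `@{bin}/md5sum ix,`, `@{bin}/tar ix,`, `@{bin}/dpkg-deb px,` in the hunk above plus `/etc/ssh/moduli`, `/etc/ssh/ssh_config`, `/etc/ufw/{,**}` and `/etc/vim/{,**}` reads in the next hunk, without a comment tying them together. If these serve the conffile-prompt check (hashing the installed conffiles of the packages being upgraded against the package's md5sums), one comment such as `# Conffile prompt detection: compare installed conffiles with the package md5sums` above the `/etc/` reads would explain the widening; please confirm that is the actual reason. `@{sbin}/sendmail rPUx,` becoming `Px` drops the unconfined fallback, so mail notification is denied on a host whose sendmail has no profile loaded — presumably intended, but worth a line in the commit message. The profile body continues outside both hunks.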
@@ -85,9 +87,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, + /etc/ssh/moduli r, + /etc/ssh/ssh_config r, + /etc/ufw/{,**} r, /etc/update-manager/{,**} r, - /etc/update-motd.d/* r, - /etc/vmware-tools/* r, + /etc/update-motd.d/{,**} r, + /etc/vim/{,**} r, + /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, /var/crash/*.crash w, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index cd35bb5ae..f36505e7a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -12,15 +12,15 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include include include + include include include @{exec_path} mr, - @{bin}/ischroot rix, + @{bin}/ischroot Px, /usr/share/unattended-upgrades/{,*} r, - /etc/apt/apt.conf.d/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 5da82090f..f829ab3ff 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include include @@ -17,10 +18,13 @@ profile update-apt-xapian-index @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg Px -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/** rwk, 
@@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/lib/debtags/package-tags r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit - owner /dev/tty@{int} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists } From 760eb91ac6eed4a72ddcf4a5bf2e7324e9e0591a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:06:21 +0200 Subject: [PATCH 400/672] feat(profile): add profile for t-methods-sq. --- apparmor.d/groups/apt/apt-methods-sqv | 42 +++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 43 insertions(+) create mode 100644 apparmor.d/groups/apt/apt-methods-sqv diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv new file mode 100644 index 000000000..416328cd4 --- /dev/null +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/apt/methods/sqv +profile apt-methods-sqv @{exec_path} { + include + include + include + + # To handle the _apt user + capability setgid, + capability setuid, + + signal receive set=int peer=apt, + + @{exec_path} mr, + + @{bin}/sqv ix, + + /usr/share/apt/default-sequoia.config r, + /usr/share/keyrings/debian-archive-keyring.gpg r, + /usr/share/keyrings/debian-archive-keyring.pgp r, + + owner /var/lib/apt/lists/{,**} r, + + owner /tmp/apt.data.@{rand6} rw, + owner /tmp/apt.sig.@{rand6} rw, + owner /tmp/apt.sqverr.@{rand6} rw, + owner /tmp/apt.sqvout.@{rand6} rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index aa62f9108..d2c57b682 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
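Review bot: The four scratch-file rules in the new apt-methods-sqv profile use a literal `/tmp/` (`owner /tmp/apt.data.@{rand6} rw,` and the three below it) while every other profile in this series uses the `@{tmp}` variable, so the method would be denied its files wherever `@{tmp}` resolves to something other than `/tmp`. Suggest `owner @{tmp}/apt.{data,sig,sqverr,sqvout}.@{rand6} rw,`, which also collapses the four lines into one. The copyright header (`2019-2021 Mikhail Morfikov`) looks carried over from another profile for a file created in 2025.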
@@ -27,6 +27,7 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain +apt-methods-sqv complain at complain atd complain auditctl attach_disconnected,complain From c64901353e095f45e34eccaea31e946168a52693 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:10:48 +0200 Subject: [PATCH 401/672] fix(profile): some fix on the dpkg-scipts profiles. --- apparmor.d/groups/apt/dpkg-script-apparmor | 5 +++-- apparmor.d/groups/apt/dpkg-script-linux | 11 ++++++----- apparmor.d/groups/apt/dpkg-script-systemd | 1 + apparmor.d/groups/apt/dpkg-script-tmp | 4 ++++ apparmor.d/groups/apt/dpkg-scripts | 4 ++-- 5 files changed, 16 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 585d9c59d..5dba3d3cb 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -9,10 +9,10 @@ include @{exec_path} = /var/lib/dpkg/info/apparmor* profile dpkg-script-apparmor @{exec_path} { include + include include - include - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{bin}/grep ix, @@ -21,6 +21,7 @@ profile dpkg-script-apparmor @{exec_path} { @{bin}/deb-systemd-invoke Px, @{bin}/dpkg-divert ix, @{bin}/systemctl Cx -> systemctl, + @{sbin}/apparmor_parser Px, /usr/share/apparmor.d/** rw, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index c84d6aa4b..8b2470a6c 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux 
@@ -22,11 +22,12 @@ profile dpkg-script-linux @{exec_path} { @{bin}/run-parts ix, @{bin}/stty ix, - @{bin}/dpkg-trigger Px, - @{bin}/kmod Px, - @{bin}/linux-check-removal Px, - @{bin}/linux-update-symlinks Px, - @{bin}/whiptail Px, + @{bin}/dpkg-trigger Px, + @{bin}/kmod Px, + @{bin}/linux-check-removal Px, + @{bin}/linux-update-symlinks Px, + @{bin}/whiptail Px, + @{bin}/dpkg-maintscript-helper Px, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, /etc/kernel/{,header_}postinst.d/* Px, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 28f4b6e87..ccaa62a30 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -9,6 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/systemd* profile dpkg-script-systemd @{exec_path} { include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp index e6c7fbe44..65e63d076 100644 --- a/apparmor.d/groups/apt/dpkg-script-tmp +++ b/apparmor.d/groups/apt/dpkg-script-tmp @@ -10,6 +10,7 @@ include profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { include include + include @{exec_path} mrix, @@ -22,6 +23,9 @@ profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-maintscript-helper Px, @{bin}/kmod Cx -> kmod, @{bin}/systemctl Cx -> systemctl, + /usr/share/debconf/frontend Px, + + /usr/share/debconf/confmodule r, /etc/kernel/preinst.d/*-microcode ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index d644b6c3e..dcb6ca379 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -62,8 +62,8 @@ profile dpkg-scripts @{exec_path} { @{lib}/ r, /etc/ r, /etc/** rw, - /usr/share/*/ r, - /usr/share/*/** rw, + /usr/share/*/{,**} rw, + /usr/local/share/*/{,**} rw, /var/** rw, @{run}/** rw, @{efi}/grub/* rw, 
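Review bot: In the dpkg-scripts hunk, `/usr/share/*/{,**} rw,` makes the `/usr/share/<pkg>/` directories themselves writable where the old pair only allowed `r` on the directory, and `/usr/local/share/*/{,**} rw,` is a new write grant to a tree dpkg does not manage; neither line says which maintainer script needed it. A why-comment (`# TODO: name the package whose maintainer script writes under /usr/local/share`) would keep this catch-all profile reviewable. The profile body continues outside the hunk.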
From 2c880ba22001f5dcfcaa84b67df211d4925c9094 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:16:35 +0200 Subject: [PATCH 402/672] feat(profile): rewrite the apt stack of profiles. --- apparmor.d/groups/apt/apt | 6 ++- apparmor.d/groups/apt/apt-listchanges | 39 ++++---------- apparmor.d/groups/apt/debsums | 16 ++---- apparmor.d/groups/apt/dpkg | 27 +++++----- apparmor.d/groups/apt/dpkg-preconfigure | 68 +++++++++++-------------- apparmor.d/groups/apt/dpkg-statoverride | 18 +++++++ 6 files changed, 78 insertions(+), 96 deletions(-) create mode 100644 apparmor.d/groups/apt/dpkg-statoverride diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 947dba149..e2e9b00f4 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -85,8 +85,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/etckeeper rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @@ -138,6 +138,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/log/apt/{,**} rw, /var/log/ubuntu-advantage-apt-hook.log w, + @{efi}/ r, + # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 559e58504..35684feb5 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -14,7 +14,7 @@ profile apt-listchanges @{exec_path} { include include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, @{python_path} r, 
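Review bot: In the apt-listchanges hunk, `capability dac_read_search,` is now granted at the top of the profile, unconditionally, but the comment the old block carried ("needed when apt-listchanges uses debconf GUI frontends") is not moved with it, so the reason for the profile's only capability is lost. Please add a why-comment, e.g. `# dac_read_search: read changelogs/NEWS in package dirs not readable by the invoking user — TODO confirm`. The `@{bin}/snap rPUx,` → `rPx` change in the apt hunk on the same line removes the unconfined fallback and therefore depends on a snap profile being present; fine if that is the case, worth a note in the message otherwise.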
@@ -26,11 +26,11 @@ profile apt-listchanges @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-deb rpx, - # - @{pager_path} rCx -> pager, - # Send results using email - @{bin}/exim4 rPx, + @{bin}/dpkg-deb px, + + @{pager_path} Cx -> pager, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, @@ -50,31 +50,12 @@ profile apt-listchanges @{exec_path} { /var/cache/apt/archives/ r, - owner @{PROC}/@{pid}/fd/ r, - /tmp/ r, - owner @{tmp}/* rw, - owner @{tmp}/apt-listchanges*/ rw, - owner @{tmp}/apt-listchanges*/**/ rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, - - # The following is needed when apt-listchanges uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, + owner @{tmp}/@{word8} rw, + owner @{tmp}/apt-listchanges@{word8}/ rw, + owner @{tmp}/apt-listchanges@{word8}/** rw, + owner @{PROC}/@{pid}/fd/ r, profile pager { include diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 01e9ac152..6f66426ec 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums 
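Review bot: `owner @{tmp}/@{word8} rw,` narrows the previous `owner @{tmp}/* rw,` to names of exactly the length `@{word8}` matches, and `owner @{tmp}/apt-listchanges@{word8}/ rw,` does the same for the work directory; if apt-listchanges ever creates a temp name of a different shape the write is silently denied, so a comment stating the assumption (`# mkdtemp()/mkstemp() names — 8 random chars`) would make the narrowing auditable. The removed GUI-frontend block (`lsb_release`, `hostname`, `.Xauthority`, `owner @{PROC}/@{pid}/mounts r`) is not replaced by anything visible in this hunk beyond the capability moved up in the previous one; presumably an included abstraction covers it, but the include names are not visible here. The profile continues outside the hunk.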
@@ -12,28 +12,20 @@ profile debsums @{exec_path} { include include - # Needed to read files owned by other users than root. capability dac_read_search, @{exec_path} r, @{sh_path} rix, - @{bin}/{m,g,}awk rix, + @{bin}/{m,g,}awk ix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, - - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - /etc/locale.nopurge r, - - /var/lib/dpkg/info/* r, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/dpkg-divert Px -> child-dpkg-divert, # For shell pwd / r, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 93f5ebca5..53bebdccf 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -22,24 +22,23 @@ profile dpkg @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cat rix, - @{bin}/deb-systemd-helper rix, - @{bin}/deb-systemd-invoke rix, - @{bin}/rm rix, + @{bin}/cat ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/rm ix, - @{bin}/dpkg-deb rpx, - @{bin}/dpkg-query rpx, - @{bin}/dpkg-split rpx, - @{bin}/systemctl rCx -> systemctl, - @{lib}/needrestart/dpkg-status rPx, - /usr/share/debian-security-support/check-support-status.hook rPx, - - @{pager_path} rPx -> child-pager, + @{bin}/dpkg-deb px, + @{bin}/dpkg-query px, + @{bin}/dpkg-split px, + @{bin}/systemctl Cx -> systemctl, + @{lib}/needrestart/dpkg-status Px, + @{pager_path} Px -> child-pager, + /usr/share/debian-security-support/check-support-status.hook Px, # Package maintainer's scripts - /var/lib/dpkg/info/*.@{dpkg_script_ext} rPUx, + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} rPUx, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # For shell pwd /root/ r, 
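Review bot: In the debsums hunk the comment `# Needed to read files owned by other users than root.` above `capability dac_read_search,` is dropped while the capability stays, so the reason for the broadest grant in the profile is lost; please keep it (or reword to `# dac_read_search: verify files that root cannot otherwise read`). The four removed reads (`/etc/dpkg/dpkg.cfg{,.d/*}`, `/etc/locale.nopurge`, `/var/lib/dpkg/info/*`) presumably move into an included abstraction, but the include names are not visible here, and debsums' checksum lists are the `*.md5sums` files under `/var/lib/dpkg/info/`, so please double-check that read is still granted. In the dpkg hunk, `/var/lib/dpkg/info/*.@{dpkg_script_ext} Px,` and `/var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px,` drop the unconfined fallback; that relies on the catch-all dpkg-scripts profile covering every script path, which is worth stating in a comment above these two rules.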
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index ef7852863..fd67f930e 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -11,35 +11,36 @@ include profile dpkg-preconfigure @{exec_path} { include include - include include - - #capability sys_tty_config, + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/cat rix, - @{bin}/debconf-escape rix, - @{bin}/dialog rix, - @{bin}/expr rix, - @{bin}/locale rix, - @{bin}/readlink rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/stty rix, - @{bin}/tr rix, - @{bin}/head rix, - @{bin}/readlink rix, - @{bin}/realpath rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{,g,m}awk ix, + @{bin}/cat ix, + @{bin}/debconf-escape Px, + @{bin}/dialog ix, + @{bin}/expr ix, + @{bin}/find ix, + @{bin}/head ix, + @{bin}/locale ix, + @{bin}/readlink ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/stty ix, + @{bin}/tr ix, + @{bin}/uniq ix, - @{bin}/findmnt rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/apt-extracttemplates rPx, - @{bin}/whiptail rPx, - @{lib}/apt/apt-extracttemplates rPx, + @{bin}/apt-extracttemplates Px, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/findmnt Px, + @{bin}/whiptail Px, + @{lib}/apt/apt-extracttemplates Px, /usr/share/debconf/confmodule r, /usr/share/dictionaries-common/{,*} r, @@ -59,9 +60,6 @@ profile dpkg-preconfigure @{exec_path} { /var/cache/debconf/tmp.ci/ w, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, - /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, 
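Review bot: `@{bin}/readlink ix,` appears twice in the rewritten exec list (the old list had the same duplicate); drop one. `@{bin}/find ix,` and `@{bin}/uniq ix,` are new grants buried inside a reordering hunk and not mentioned in the commit message, so they will be hard to spot later; worth a line in the message. The profile continues past this hunk.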
@@ -73,23 +71,15 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, owner @{PROC}/@{pid}/fd/ r, - # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride new file mode 100644 index 000000000..34d6412c1 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-statoverride +profile dpkg-statoverride @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From f033e698116aa250a14d32a442133d073b54a2d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:21:23 +0200 Subject: [PATCH 403/672] feat(abs): add the pager app abstaction. --- apparmor.d/abstractions/app/pager | 37 ++++++++++++++++++++++++++ apparmor.d/groups/apt/apt | 13 +-------- apparmor.d/groups/apt/apt-listchanges | 17 +----------- apparmor.d/groups/apt/aptitude | 9 ------- apparmor.d/groups/children/child-pager | 25 +---------------- apparmor.d/profiles-m-r/mutt | 14 +--------- 6 files changed, 41 insertions(+), 74 deletions(-) create mode 100644 apparmor.d/abstractions/app/pager 
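Review bot: `owner @{tmp}/*.config.* rwPUx,` is moved rather than introduced, but it is now the one rule in dpkg-preconfigure that both writes and executes a path, with an unconfined fallback (`U`) — a write-then-exec out of `/tmp`. A comment such as `# package config scripts extracted by apt-extracttemplates; no profile attaches to /tmp, hence PUx — TODO confirm` would document why the risk is accepted; running them under a `Cx` child instead would remove the unconfined path if the scripts' needs are known. The new dpkg-statoverride profile on the same line is a stub (`@{exec_path} mr,` only, `flags=(complain)`), which is fine as long as it is filled in before leaving complain mode.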
diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager new file mode 100644 index 000000000..3be45b4dd --- /dev/null +++ b/apparmor.d/abstractions/app/pager @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for pagers. + + abi , + + include + + capability dac_override, + capability dac_read_search, + + signal (receive) set=(stop, cont, term, kill), + + @{bin}/ r, + @{pager_path} mrix, + + @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, + /usr/share/nvim/{,**} r, + + @{HOME}/.lesshst r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, + + /dev/tty@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index e2e9b00f4..2b103270d 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -172,18 +172,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile pager { include - include - - capability dac_read_search, - - @{bin}/ r, - @{sh_path} rix, - @{pager_path} rmix, - @{bin}/which rix, - - /root/ r, # For shell pwd - - owner @{HOME}/.less* rw, + include owner @{tmp}/apt-changelog-*/ r, owner @{tmp}/apt-changelog-*/*.changelog r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 35684feb5..936d15d42 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges 
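Review bot: The new `abstractions/app/pager` carries `capability dac_override,` and `capability dac_read_search,`, so every profile including it inherits both; apt's pager child on this same line had only `dac_read_search`, aptitude's (next line) had none, and mutt's (L444) had none, so the commit silently widens those children to a full DAC bypass. Consider keeping the capabilities in `child-pager`, where they came from, rather than in the shared abstraction, or at least comment why a pager needs `dac_override` (`# dac_override: TODO — which pager operation needs this?`). The apt and apt-listchanges pager children also lose `@{sh_path} rix,` and `@{bin}/which rix,`, and aptitude's loses `@{editor_path} mrix,`, none of which the abstraction provides, so a preprocessor launched through a shell or the edit key in the pager will presumably now be denied; if intended, it deserves a line in the commit message. `@{HOME}/.lesshst r,` in the abstraction lacks `owner` while the `.lesshs*` write rule below it has it — probably an oversight.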
@@ -59,23 +59,8 @@ profile apt-listchanges @{exec_path} { profile pager { include - include + include - capability dac_read_search, - #capability sys_tty_config, - - @{pager_path} mrix, - - @{bin}/ r, - @{sh_path} rix, - @{bin}/which rix, - - owner @{HOME}/.less* rw, - - # For shell pwd - /root/ r, - - /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, include if exists diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index e3a6a794b..e60630efa 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -171,17 +171,8 @@ profile aptitude @{exec_path} flags=(complain) { include include - @{bin}/ r, - @{editor_path} mrix, - @{sh_path} rix, - @{bin}/which rix, - - owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, - # For shell pwd - /root/ r, - include if exists } diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index e904f96dd..8e60bce47 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -15,30 +15,7 @@ include profile child-pager flags=(attach_disconnected) { include - include - - capability dac_override, - capability dac_read_search, - - signal (receive) set=(stop, cont, term, kill), - - @{bin}/ r, - @{pager_path} mr, - - @{system_share_dirs}/terminfo/{,**} r, - /usr/share/file/misc/** r, - /usr/share/nvim/{,**} r, - - @{HOME}/.lesshst r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, - - /dev/tty@{int} rw, + include include if exists } diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 28006f479..a91aba241 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt 
@@ -115,19 +115,7 @@ profile mutt @{exec_path} { profile pager { include - include - - @{pager_path} mr, - - /usr/share/terminfo/** r, - /usr/share/file/misc/magic.mgc r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, + include # This is the file that holds the message owner /{var/,}tmp/mutt* rw, From 390cc27ab85e169efccdc6764eebc91123c54cd3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:24:01 +0200 Subject: [PATCH 404/672] feat(abs): add debconf common abs. --- apparmor.d/abstractions/common/debconf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 apparmor.d/abstractions/common/debconf diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf new file mode 100644 index 000000000..c21974212 --- /dev/null +++ b/apparmor.d/abstractions/common/debconf @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + include + include + + /usr/share/debconf/frontend rix, + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + + include if exists + +# vim:syntax=apparmor From 49155625a5aaa32d5194f12405f65d48719d3d71 Mon Sep 17 00:00:00 2001 
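Review bot: `/usr/share/debconf/frontend rix,` in the new `abstractions/common/debconf` runs the debconf frontend inside the including profile, while the next commit in this series (PATCH 405) creates a dedicated `debconf-frontend` profile for the same path and some profiles carry a `Px` rule for it (e.g. `/usr/share/debconf/frontend Px,` added to dpkg-script-tmp in PATCH 401); a profile that includes this abstraction and also has that `Px` rule gives the parser conflicting exec modes for one path and will not load. Pick one transition model and state it at the top of this file, e.g. `# frontend runs inherited (ix); including profiles must not add their own Px rule for it`, or drop the rule here. `owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,` hands every includer read/write on `passwords.dat`; a comment noting that this is debconf's password store would help reviewers of the including profiles.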
From: Alexandre Pujol Date: Sun, 18 May 2025 23:31:03 +0200 Subject: [PATCH 405/672] feat(profile): rewrite debconf & add debconf-frontend. --- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/debconf-apt-progress | 32 +---- apparmor.d/groups/apt/debconf-frontend | 75 ++++++++++ apparmor.d/groups/apt/dpkg-script-apparmor | 2 +- apparmor.d/groups/apt/dpkg-script-linux | 2 +- apparmor.d/groups/apt/dpkg-script-systemd | 2 +- apparmor.d/groups/apt/dpkg-scripts | 2 +- apparmor.d/groups/grub/grub-check-signatures | 10 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/profiles-a-f/frontend | 133 ------------------ apparmor.d/profiles-s-z/tasksel | 49 +------ .../profiles-s-z/update-secureboot-policy | 5 +- 12 files changed, 92 insertions(+), 224 deletions(-) create mode 100644 apparmor.d/groups/apt/debconf-frontend delete mode 100644 apparmor.d/profiles-a-f/frontend diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index e60630efa..9254be27d 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -169,7 +169,7 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include + include owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index d60668c03..1d88c829b 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress 
@@ -10,42 +10,12 @@ include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, @{bin}/apt-get rPx, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/debconf-apt-progress rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend new file mode 100644 index 000000000..5ec13fcff --- /dev/null +++ b/apparmor.d/groups/apt/debconf-frontend 
@@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/debconf/frontend +profile debconf-frontend @{exec_path} flags=(complain) { + include + include + include + include + include + include + + capability dac_read_search, + + @{exec_path} r, + + @{sh_path} rix, + @{bin}/hostname ix, + @{bin}/locale ix, + @{bin}/lsb_release Px -> lsb_release, + @{bin}/stty ix, + @{sbin}/update-secureboot-policy Px, + + # debconf apps + @{bin}/adequate Px, + @{bin}/debconf-apt-progress Px, + @{bin}/linux-check-removal Px, + @{bin}/ucf Px, + @{bin}/whiptail Px, + @{sbin}/aspell-autobuildhash Px, + @{sbin}/pam-auth-update Px, + @{lib}/tasksel/tasksel-debconf Px -> tasksel, + /usr/share/debian-security-support/check-support-status.hook Px, + + # Grub + @{lib}/grub/grub-multi-install Px, + /usr/share/grub/grub-check-signatures Px, + + # Package maintainer's scripts + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + + # DKMS scipts + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, + + /usr/share/debconf/{,**} r, + + /etc/inputrc r, + /etc/shadow r, + + owner /var/cache/debconf/* rwk, + + owner @{tmp}/file* w, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/updateppds.@{rand6} rw, + + @{HOME}/.Xauthority r, + + @{run}/user/@{uid}/pk-debconf-socket rw, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 5dba3d3cb..9de0ce0b4 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor 
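Review bot: `/etc/shadow r,` is carried over from the deleted `frontend` profile into the new debconf-frontend profile with no comment; nothing in the rule set explains why the frontend itself, rather than a package's config script (which transitions away via `Px`), would read the shadow file. Please add the reason (`# /etc/shadow: TODO — which frontend or plugin needs this?`) or drop it and let complain-mode logs show whether it is needed. The three `@{lib}/dkms/... rPUx,` rules keep an unconfined fallback and the `# DKMS scipts` comment above them has a typo (`scripts`); naming the missing dkms profile as the reason for `U` would help. `@{HOME}/.Xauthority r,` lacks `owner`, unlike the `owner @{tmp}/...` rules below it.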
@@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/apparmor* profile dpkg-script-apparmor @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 8b2470a6c..52c74c192 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/linux* profile dpkg-script-linux @{exec_path} { include - include + include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index ccaa62a30..cb652108d 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/systemd* profile dpkg-script-systemd @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index dcb6ca379..32063f5c5 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/** profile dpkg-scripts @{exec_path} { include - include + include include capability chown, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index d33b33265..310138595 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -9,18 +9,14 @@ include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}//mktemp rix, - @{bin}//od rix, - - /usr/share/debconf/frontend rPx, - - /usr/share/debconf/confmodule r, + @{bin}/mktemp rix, + @{bin}/od rix, owner @{tmp}/tmp.@{rand10}/ rw, 
diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index d147b94fb..ba7956438 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -24,7 +24,7 @@ profile grub-multi-install @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, - /usr/share/debconf/frontend rPx, + /usr/share/debconf/frontend rix, /usr/lib/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend deleted file mode 100644 index 6d9502220..000000000 --- a/apparmor.d/profiles-a-f/frontend +++ /dev/null 
@@ -1,133 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/debconf/frontend -profile frontend @{exec_path} flags=(complain) { - include - include - include - include - include - include - include - include - - capability dac_read_search, - - @{exec_path} r, - @{bin}/perl r, - - @{sh_path} rix, - @{bin}/hostname rix, - @{bin}/locale rix, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/stty rix, - @{sbin}/update-secureboot-policy rPx, - - # debconf apps - @{bin}/adequate rPx, - @{sbin}/aspell-autobuildhash rPx, - @{bin}/debconf-apt-progress rPx, - @{bin}/linux-check-removal rPx, - @{sbin}/pam-auth-update rPx, - @{bin}/ucf rPx, - @{bin}/whiptail rPx, - @{lib}/tasksel/tasksel-debconf rPx -> tasksel, - /usr/share/debian-security-support/check-support-status.hook rPx, - - # Grub - @{lib}/grub/grub-multi-install rPx, - /usr/share/grub/grub-check-signatures rPx, - - # Run the package maintainer's scripts - # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) - #/var/lib/dpkg/info/*.{config,templates} rPUx, - #/var/lib/dpkg/info/*.{preinst,postinst} rPUx, - #/var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/info/*.control r, - #/var/lib/dpkg/tmp.ci/{config,templates} rPUx, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/control r, - /var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, - - # DKMS scipts - # What to do with it? 
(#FIXME#) - @{lib}/dkms/common.postinst rPUx, - @{lib}/dkms/dkms-* rPUx, - @{lib}/dkms/dkms_* rPUx, - - /usr/share/debconf/{,**} r, - - /etc/debconf.conf r, - /etc/inputrc r, - /etc/shadow r, - - owner /var/cache/debconf/* rwk, - - owner @{tmp}/file* w, - owner @{tmp}/tmp.@{rand10} rw, - owner @{tmp}/updateppds.@{rand6} rw, - - @{HOME}/.Xauthority r, - - @{run}/user/@{uid}/pk-debconf-socket rw, - - owner @{PROC}/@{pid}/mounts r, - - profile scripts flags=(complain) { - include - include - - capability dac_read_search, - - /var/lib/dpkg/info/*.config r, - /var/lib/dpkg/info/*.{preinst,postinst} r, - /var/lib/dpkg/info/*.{prerm,postrm} r, - /var/lib/dpkg/tmp.ci/config r, - /var/lib/dpkg/tmp.ci/{preinst,postinst} r, - /var/lib/dpkg/tmp.ci/{prerm,postrm} r, - - / r, - - @{bin}/ r, - @{bin}/* rPUx, - - @{lib}/ r, - @{lib}/** rPUx, - - /usr/share/ r, - /usr/share/** rPUx, - - /etc/init.d/ r, - /etc/init.d/* rPUx, - - /etc/ r, - /etc/** rw, - /var/ r, - /var/** rw, - @{sys}/ r, - @{sys}/**/ r, - @{run}/ r, - @{run}/** rw, - /tmp/ r, - owner @{tmp}/** rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 64b3ed4ad..f4900f225 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel 
@@ -10,32 +10,24 @@ include
 @{exec_path} = @{bin}/tasksel
 profile tasksel @{exec_path} flags=(complain) {
 include
- include
+ include
 @{exec_path} r,
 @{sh_path} rix,
 @{bin}/tempfile rix,
 @{lib}/tasksel/tasksel-debconf rix,
-
- @{lib}/tasksel/tests/* rCx -> tasksel-tests,
-
- # Think what to do about this (#FIXME#)
- /usr/share/debconf/frontend rPx,
- #/usr/share/debconf/frontend rCx -> frontend,
+ @{lib}/tasksel/tests/* Cx -> tasksel-tests,
 # Do not strip env to avoid errors like the following:
 # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
 # shared object file): ignored.
- @{bin}/dpkg-query rpx,
+ @{bin}/dpkg-query px,
 #
- @{bin}/apt-cache rPx,
+ @{bin}/apt-cache Px,
+ @{bin}/debconf-apt-progress Px,
- @{bin}/debconf-apt-progress rPx,
-
- /usr/share/tasksel/** r,
-
- /usr/share/debconf/confmodule r,
+ /usr/share/tasksel/{,**} r,
 owner @{tmp}/file* w,
@@ -48,35 +40,6 @@ profile tasksel @{exec_path} flags=(complain) {
 include if exists
 }
- profile frontend flags=(complain) {
- include
- include
- include
- include
-
- /usr/share/debconf/frontend r,
-
- @{bin}/tasksel rPx,
-
- @{sh_path} rix,
- @{bin}/stty rix,
- @{bin}/locale rix,
-
- # The following is needed when debconf uses dialog/whiptail frontend.
- @{bin}/whiptail rPx,
- owner @{tmp}/file* w,
-
- /usr/share/debconf/confmodule r,
-
- /etc/debconf.conf r,
- owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
- /usr/share/debconf/templates/adequate.templates r,
-
- /etc/shadow r,
-
- include if exists
- }
-
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy
index 232c92d0c..f8581f532 100644
--- a/apparmor.d/profiles-s-z/update-secureboot-policy
+++ b/apparmor.d/profiles-s-z/update-secureboot-policy
@@ -10,7 +10,7 @@ include
 @{exec_path} = @{sbin}/update-secureboot-policy
 profile update-secureboot-policy @{exec_path} {
 include
- include
+ include
 @{exec_path} rm,
@@ -23,12 +23,9 @@ profile update-secureboot-policy @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/wc rix, - /usr/share/debconf/frontend rPx, / r, - /usr/share/debconf/confmodule r, - /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw, From 6e0c646d14c17a9f2ce9ba6f4faa3afbf38c115d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:37:37 +0200 Subject: [PATCH 406/672] feat(profile): add profile for ischroot. --- apparmor.d/groups/apt/apt | 4 ++-- apparmor.d/groups/ubuntu/apport-gtk | 2 +- .../groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- .../groups/ubuntu/list-oem-metapackages | 2 +- .../groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 3 +-- apparmor.d/groups/ubuntu/update-manager | 2 +- .../ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-g-l/ischroot | 21 +++++++++++++++++++ apparmor.d/profiles-m-r/packagekitd | 4 ++-- apparmor.d/profiles-s-z/update-initramfs | 2 +- 13 files changed, 35 insertions(+), 15 deletions(-) create mode 100644 apparmor.d/profiles-g-l/ischroot diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 2b103270d..2a0969156 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -67,7 +67,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, - @{bin}/ischroot rix, @{bin}/test rix, @{bin}/touch rix, 
@@ -80,14 +79,15 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 @{bin}/df rPx,
 @{bin}/dmesg rPx,
 @{bin}/dpkg rPx,
- @{sbin}/dpkg-preconfigure rPx,
 @{bin}/dpkg-source rcx -> dpkg-source,
 @{bin}/etckeeper rPx,
+ @{bin}/ischroot rPx,
 @{bin}/localepurge rPx,
 @{bin}/ps rPx,
 @{bin}/snap rPx,
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/update-command-not-found rPx,
+ @{sbin}/dpkg-preconfigure rPx,
 @{lib}/cnf-update-db rPx,
 @{lib}/needrestart/apt-pinvoke rPx,
 @{lib}/zsys-system-autosnapshot rPx,
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index 1307313d9..bb5cd329c 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -41,7 +41,7 @@ profile apport-gtk @{exec_path} {
 @{bin}/dpkg-query rpx,
 @{bin}/gdb rCx -> gdb,
 @{bin}/gsettings rPx,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/journalctl rPx,
 @{sbin}/killall5 rix,
 @{bin}/kmod rPx,
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
index 1ff6df2ae..bdd2a0f54 100644
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -29,7 +29,7 @@ profile check-new-release-gtk @{exec_path} {
 @{exec_path} mr,
 @{bin}/dpkg rPx,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade
index 86c211f24..e7d6687d2 100644
--- a/apparmor.d/groups/ubuntu/do-release-upgrade
+++ b/apparmor.d/groups/ubuntu/do-release-upgrade
@@ -26,7 +26,7 @@ profile do-release-upgrade @{exec_path} {
 @{exec_path} mr,
 @{bin}/dpkg rPx -> child-dpkg,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 /usr/share/distro-info/*.csv r,
diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 75e4279f2..91bc4876f 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -15,7 +15,7 @@ profile list-oem-metapackages @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index e2bb2dc98..d5762a84e 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -32,7 +32,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/ubuntu-advantage rPx, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 7d797bd97..34b697732 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -29,13 +29,12 @@ profile ubuntu-advantage @{exec_path} { @{exec_path} mr, - @{bin}/ischroot rix, - @{bin}/apt rPx, @{bin}/apt-cache rPx, @{bin}/apt-config rPx, @{bin}/apt-get rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/ps rPx, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 44e0cc403..e1636c6d5 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
@@ -44,7 +44,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 @{sh_path} rix,
 @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/hwe-support-status rPx,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/snap rPUx,
 @{bin}/software-properties-gtk rPx,
diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available
index 776cc9bf8..e6a3e7152 100644
--- a/apparmor.d/groups/ubuntu/update-motd-updates-available
+++ b/apparmor.d/groups/ubuntu/update-motd-updates-available
@@ -26,7 +26,7 @@ profile update-motd-updates-available @{exec_path} {
 @{bin}/dirname rix,
 @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/find rix,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/mktemp rix,
 @{bin}/mv rix,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 8d1571c1e..ea6318156 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -31,10 +31,10 @@ profile update-notifier @{exec_path} {
 @{sh_path} rix,
 @{bin}/ionice rix,
- @{bin}/ischroot rix,
 @{bin}/nice rix,
 @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/pkexec rCx -> pkexec,
 @{bin}/snap rPUx,
diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot
new file mode 100644
index 000000000..c5b848bab
--- /dev/null
+++ b/apparmor.d/profiles-g-l/ischroot
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ischroot
+profile ischroot @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index ca93ade6b..873b4ef7d 100644
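Review bot: `@{PROC}/@{pid}/mountinfo r` in the new ischroot profile grants read access to the mount table of every process, which is wider than a chroot check needs. If ischroot only compares its own mount namespace against PID 1's (that is how I read the tool, but confirm against the debianutils source), `@{PROC}/1/mountinfo r` together with `owner @{PROC}/@{pid}/mountinfo r` expresses that precisely; otherwise a trailing comment such as `# compares / against the mount table of PID 1` would record why the wide rule is kept. Since every other hunk in this commit now transitions to this profile with `rPx`, tightening it here tightens all of those callers at once.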
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -51,7 +51,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 @{bin}/echo rix,
 @{bin}/gdbus rix,
 @{bin}/gzip rix,
- @{bin}/ischroot rix,
 @{sbin}/ldconfig rix,
 @{bin}/repo2solv rix,
 @{bin}/tar rix,
@@ -63,7 +62,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 @{bin}/dpkg rPx -> child-dpkg, #aa:only apt
 @{bin}/fc-cache rPx,
 @{bin}/glib-compile-schemas rPx,
- @{sbin}/install-info rPx,
+ @{bin}/install-info rPx,
+ @{bin}/ischroot rPx,
 @{bin}/rpm rPUx, #aa:only opensuse
 @{bin}/rpmdb2solv rPUx, #aa:only opensuse
 @{bin}/systemd-inhibit rPx,
diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs
index 51961efb3..f9e47cb52 100644
--- a/apparmor.d/profiles-s-z/update-initramfs
+++ b/apparmor.d/profiles-s-z/update-initramfs
@@ -22,7 +22,6 @@ profile update-initramfs @{exec_path} {
 @{bin}/cat rix,
 @{bin}/{m,g,}awk rix,
 @{bin}/getopt rix,
- @{bin}/ischroot rix,
 @{bin}/ln rix,
 @{bin}/mv rix,
 @{bin}/rm rix,
@@ -31,6 +30,7 @@ profile update-initramfs @{exec_path} {
 @{bin}/uname rix,
 @{bin}/dpkg-trigger rPx,
+ @{bin}/ischroot rPx,
 @{bin}/linux-version rPx,
 @{sbin}/mkinitramfs rPx,
From 7a3016724a6a2a97e337d57187416cabb6dcdfb0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 18 May 2025 23:42:34 +0200
Subject: [PATCH 407/672] feat(profile): update linux check scripts.
--- apparmor.d/profiles-g-l/linux-check-removal | 40 ++++--------------- apparmor.d/profiles-g-l/linux-update-symlin­ks | 25 ++++++++++++ dists/flags/main.flags | 2 + 3 files changed, 34 insertions(+), 33 deletions(-) create mode 100644 apparmor.d/profiles-g-l/linux-update-symlinks
diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal
index 1c6ff2f03..2c2a8ba21 100644
--- a/apparmor.d/profiles-g-l/linux-check-removal
+++ b/apparmor.d/profiles-g-l/linux-check-removal
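Review bot: `@{bin}/install-info rPx` in the second packagekitd hunk points at a path the install-info profile does not attach to in this commit: its `@{exec_path}` is still `@{sbin}/install-info` until patch 408 below changes it, so in between the `Px` transition has no target profile and the exec is denied. Landing this caller together with the attachment change (or keeping `@{sbin}/install-info rPx` here until 408) avoids that bisect hazard. The other install-info caller, pacman, is moved in 408 alongside the attachment, which is the ordering this line should follow too.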
@@ -10,42 +10,16 @@ include
 @{exec_path} = @{bin}/linux-check-removal
 profile linux-check-removal @{exec_path} flags=(complain) {
 include
- include
- include
+ include
- @{exec_path} r,
+ @{exec_path} rmix,
- # Think what to do about this (#FIXME#)
- /usr/share/debconf/frontend rPx,
- #/usr/share/debconf/frontend rCx -> frontend,
+ @{sh_path} rix,
+ @{bin}/stty rix,
+ @{bin}/locale rix,
+ @{bin}/whiptail rPx,
-
- profile frontend flags=(complain) {
- include
- include
- include
- include
-
- /usr/share/debconf/frontend r,
-
- @{bin}/linux-check-removal rPx,
-
- @{sh_path} rix,
- @{bin}/stty rix,
- @{bin}/locale rix,
-
- # The following is needed when debconf uses dialog/whiptail frontend.
- @{bin}/whiptail rPx,
- owner @{tmp}/file* w,
-
- /usr/share/debconf/confmodule r,
-
- /etc/debconf.conf r,
- owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
- /usr/share/debconf/templates/adequate.templates r,
-
- include if exists
- }
+ audit owner @{tmp}/file* w,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks
new file mode 100644
index 000000000..b97a0305b
--- /dev/null
+++ b/apparmor.d/profiles-g-l/linux-update-symlinks
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/linux-update-symlinks
+profile linux-update-symlinks @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/kernel-img.conf r,
+
+ @{efi}/ r,
+ @{efi}/* rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d2c57b682..edf6789c7 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
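Review bot: `audit owner @{tmp}/file* w` leaves an audit qualifier on a permitted rule, so every temp-file write by linux-check-removal is logged even though it is allowed. If the qualifier was added while investigating the profile it should become plain `owner @{tmp}/file* w,` before the profile leaves complain mode; if the writes are genuinely worth an audit trail, a comment on that line saying why belongs next to it, because the next maintainer will otherwise read it as leftover debugging.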
@@ -216,6 +216,8 @@ libvirt-dbus complain
 libvirtd attach_disconnected,complain
 lightdm attach_disconnected,complain
 lightdm-session complain
+linux-check-removal complain
+linux-update-symlinks complain
 locale-gen complain
 localectl complain
 localsearch complain
From 8755c4a1b7c036ecc0b905bf57a75b42f7c614b1 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 18 May 2025 23:51:12 +0200
Subject: [PATCH 408/672] fix(profile): remove sbin on some program path
Debian and opensuse do not install the same programs under /usr/sbin. This will have to be tracked by distribution. For now, sbin.list follows debian install.
--- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/kde/systemsettings | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/utils/lspci | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/install-info | 2 +- apparmor.d/profiles-g-l/inxi | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- tests/sbin.list | 3 --- 10 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup
index cf7dc2506..4063fc473 100644
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} {
 @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/locale rix,
 @{bin}/lscpu rPx,
- @{sbin}/lspci rPx,
+ @{bin}/lspci rPx,
 @{bin}/xrandr rPx,
 @{lib}/gnome-initial-setup-goa-helper rix,
diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings
index 0d7156502..e68d248b6 100644
--- a/apparmor.d/groups/kde/systemsettings
+++ b/apparmor.d/groups/kde/systemsettings
@@ -29,7 +29,7 @@ profile systemsettings @{exec_path} {
 @{bin}/cat rix,
 @{bin}/eglinfo rPUx,
 @{bin}/kcminit rPx,
- @{sbin}/lspci rPx,
+ @{bin}/lspci rPx,
 @{bin}/openssl rix,
 @{bin}/pactl rPx,
 @{bin}/plasma-discover rPx,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 9cf9d6a36..6af9bae96 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -74,7 +74,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 @{bin}/gtk{,4}-update-icon-cache rPx,
 @{sbin}/iconvconfig rix,
 @{bin}/install-catalog rPx,
- @{sbin}/install-info rPx,
+ @{bin}/install-info rPx,
 @{sbin}/iscsi-iname rix,
 @{bin}/journalctl rPx,
 @{bin}/killall rix,
diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci
index 7fc88e41a..b390346bb 100644
--- a/apparmor.d/groups/utils/lspci
+++ b/apparmor.d/groups/utils/lspci
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{sbin}/lspci
+@{exec_path} = @{bin}/lspci
 profile lspci @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate
index c4741b09a..6999f5baf 100644
--- a/apparmor.d/profiles-a-f/adequate
+++ b/apparmor.d/profiles-a-f/adequate
@@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) {
 # shared object file): ignored.
 @{bin}/dpkg-query rpx,
 #
- @{sbin}/update-alternatives rPx,
+ @{bin}/update-alternatives rPx,
 /var/lib/adequate/pending rwk,
diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo
index 459efa23e..97fad1f13 100644
--- a/apparmor.d/profiles-g-l/hardinfo
+++ b/apparmor.d/profiles-g-l/hardinfo
@@ -53,7 +53,7 @@ profile hardinfo @{exec_path} {
 @{bin}/glxinfo rPx,
 @{bin}/xdpyinfo rPx,
- @{sbin}/lspci rPx,
+ @{bin}/lspci rPx,
 @{bin}/lsusb rPx,
 @{bin}/netstat rPx,
 @{bin}/qtchooser rPx,
diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info
index e7fdfd95a..f155339b1 100644
--- a/apparmor.d/profiles-g-l/install-info
+++ b/apparmor.d/profiles-g-l/install-info
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{sbin}/install-info
+@{exec_path} = @{bin}/install-info
 profile install-info @{exec_path} {
 include
 include
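Review bot: With `@{exec_path} = @{bin}/lspci` as the only attachment, the lspci profile no longer attaches on a distribution that still ships the binary under /usr/sbin (the commit description says Debian and openSUSE differ here), so lspci would run unconfined there while the callers changed in this commit keep transitioning with `rPx`. Until the per-distribution tracking the description mentions exists, listing both paths, `@{exec_path} = @{bin}/lspci @{sbin}/lspci`, keeps the profile attached on either layout and should be harmless where sbin is merged into bin. The same consideration applies to the install-info and update-alternatives attachment hunks in this commit.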
diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi
index 01d358fbf..38b2a17a2 100644
--- a/apparmor.d/profiles-g-l/inxi
+++ b/apparmor.d/profiles-g-l/inxi
@@ -51,7 +51,7 @@ profile inxi @{exec_path} {
 @{bin}/glxinfo rPx,
 @{bin}/hddtemp rPx,
 @{bin}/lsblk rPx,
- @{sbin}/lspci rPx,
+ @{bin}/lspci rPx,
 @{bin}/lsusb rPx,
 @{bin}/openbox rPx,
 @{bin}/ps rPx,
diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives
index 68ddb97a5..8f08b74fa 100644
--- a/apparmor.d/profiles-s-z/update-alternatives
+++ b/apparmor.d/profiles-s-z/update-alternatives
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{sbin}/update-alternatives
+@{exec_path} = @{bin}/update-alternatives
 profile update-alternatives @{exec_path} {
 include
 include
diff --git a/tests/sbin.list b/tests/sbin.list
index 869729543..82596a62a 100644
--- a/tests/sbin.list
+++ b/tests/sbin.list
@@ -341,7 +341,6 @@ inputattach
 insmod
 install_acx100_firmware
 install_intersil_firmware
-install-info
 install-sgmlcatalog
 installkernel
 integritysetup
@@ -447,7 +446,6 @@ lpc
 lpinfo
 lpmove
 lsmod
-lspci
 lspcmcia
 luksformat
 lvchange
@@ -920,7 +918,6 @@ unix_chkpwd
 unix_update
 unix2_chkpwd
 uobjnew
-update-alternatives
 update-bootloader
 update-ca-certificates
 update-catalog
From a9303e82bb0310336b995210da042bbb21fdc99c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 18 May 2025 23:53:04 +0200
Subject: [PATCH 409/672] fix: linter
--- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index fd67f930e..8a9ea568e 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -79,7 +79,7 @@ profile dpkg-preconfigure @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
- include if exists
+ include if exists
 }
 # vim:syntax=apparmor
From 6650f45ee0c25967f5e85cb95c79f7b332d135f2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 18 May 2025 23:54:33 +0200
Subject: [PATCH 410/672] feat(profile): add pycompile.
--- apparmor.d/profiles-m-r/pycompile | 54 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 55 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pycompile
diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile
new file mode 100644
index 000000000..b441d84cd
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pycompile
@@ -0,0 +1,54 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean
+profile pycompile @{exec_path} flags=(attach_disconnected,complain) {
+ include
+ include
+ include
+ # include
+
+ capability dac_override,
+ capability dac_read_search,
+
+ @{exec_path} mr,
+ @{python_path} rix,
+
+ @{bin}/dpkg rCx -> dpkg,
+
+ @{lib}/@{python_name}/dist-packages/__pycache__/ w,
+ @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w,
+ @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w,
+ @{lib}/@{python_name}/dist-packages/**/__pycache__/ w,
+ @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w,
+ @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w,
+
+ /usr/share/python3/{,**} r,
+
+ / r,
+
+ profile dpkg {
+ include
+ include
+ include
+
+ capability dac_read_search,
+
+ @{bin}/dpkg mr,
+ @{bin}/dpkg-query rpx,
+
+ /etc/dpkg/dpkg.cfg.d/{,*} r,
+ /etc/dpkg/dpkg.cfg r,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index edf6789c7..4332c78d9 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -264,6 +264,7 @@ plymouthd complain
 polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted
 ptyxis complain
 ptyxis-agent complain
+pycompile complain
 qdbus complain
 remmina complain
 run-parts complain
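Review bot: The new profile sets `flags=(attach_disconnected,complain)` inline while the same commit lists `pycompile complain` in dists/flags/main.flags, so the flags are declared in two places and already disagree (attach_disconnected only appears inline). The other profiles added in this series (kernel, kdump-config) carry no inline flags and rely on main.flags, and patch 413 below has to strip an inline `flags=(complain)` from linux-check-removal to get it to compile; following that convention means `profile pycompile @{exec_path} {` here and `pycompile attach_disconnected,complain` in main.flags. A one-line comment above `capability dac_override,` naming the write that needs it would also help later tightening, since every write rule below it is already narrow.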
From 31e90e6c58574d45aac59a91ebd094d6a05f6919 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 19 May 2025 00:00:44 +0200
Subject: [PATCH 411/672] feat(profile): add kernel update/install profiles.
--- apparmor.d/profiles-g-l/kdump-config | 60 ++++++++++++++++ apparmor.d/profiles-g-l/kernel | 71 +++++++++++++++++++ apparmor.d/profiles-g-l/kernel-postinst-kdump | 34 +++++++++ dists/flags/main.flags | 3 + 4 files changed, 168 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kdump-config create mode 100644 apparmor.d/profiles-g-l/kernel create mode 100644 apparmor.d/profiles-g-l/kernel-postinst-kdump
diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config
new file mode 100644
index 000000000..e6ec78f67
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kdump-config
@@ -0,0 +1,60 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{sbin}/kdump-config
+profile kdump-config @{exec_path} {
+ include
+
+ ptrace readby peer=systemd-journald,
+
+ @{exec_path} mr,
+
+ @{sh_path} ix,
+ @{bin}/basename ix,
+ @{bin}/cut ix,
+ @{bin}/file ix,
+ @{bin}/find ix,
+ @{bin}/grep ix,
+ @{bin}/hexdump ix,
+ @{bin}/ln ix,
+ @{bin}/logger ix,
+ @{bin}/rev ix,
+ @{bin}/run-parts ix,
+ @{bin}/sed ix,
+ @{sbin}/kexec Cx -> kexec,
+ @{sbin}/sysctl Cx -> sysctl,
+
+ /etc/kernel/postinst.d/kdump-tools rPx,
+
+ owner /var/lib/kdump/{,**} rw,
+
+ profile sysctl {
+ include
+
+ @{sbin}/sysctl mr,
+
+ @{PROC}/sys/kernel/panic_on_oops rw,
+
+ include if exists
+ }
+
+ profile kexec {
+ include
+
+ capability sys_admin,
+ capability sys_boot,
+
+ @{sbin}/kexec mr,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel
new file mode 100644
index 000000000..2382ea062
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kernel
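Review bot: The `kexec` child profile grants `capability sys_admin` next to `capability sys_boot` without a comment; `sys_boot` is what the kexec_load() family checks, while `sys_admin` is broad enough that the operation observed to need it should be written down, e.g. `capability sys_admin, # TODO: record the denied operation this was added for`. If it turns out that only `sys_boot` is required, dropping `sys_admin` narrows one of the few profiles in this series allowed to stage a new kernel image.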
@@ -0,0 +1,71 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/*
+@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/*
+profile kernel @{exec_path} {
+ include
+ include
+ include
+
+ capability sys_module,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/{,m,g}awk rix,
+ @{bin}/cat rix,
+ @{bin}/chmod rix,
+ @{bin}/cut rix,
+ @{bin}/dirname rix,
+ @{bin}/kmod rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/rmdir rix,
+ @{bin}/sed rix,
+ @{bin}/sort rix,
+ @{bin}/touch rix,
+ @{bin}/tr rix,
+ @{bin}/uname rix,
+ @{bin}/which rix,
+
+ @{bin}/apt-config rPx,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/systemd-detect-virt rPx,
+ @{bin}/update-alternatives rPx,
+ @{sbin}/dkms rPx,
+ @{sbin}/update-grub rPx,
+ @{sbin}/update-initramfs rPx,
+ @{lib}/dkms/dkms_autoinstaller rPx,
+
+ @{lib}/modules/*/updates/ w,
+ @{lib}/modules/*/updates/dkms/ w,
+
+ /etc/kernel/header_postinst.d/* r,
+ /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
+
+ # For shell pwd
+ / r,
+ /boot/ r,
+
+ /etc/apt/apt.conf.d/ r,
+ /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
+ /etc/modprobe.d/ r,
+ /etc/modprobe.d/*.conf r,
+
+ @{run}/reboot-required w,
+ @{run}/reboot-required.pkgs rw,
+
+ @{PROC}/devices r,
+ @{PROC}/cmdline r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump
new file mode 100644
index 000000000..91af3a842
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump
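Review bot: `@{exec_path} = /etc/kernel/{,header_}postinst.d/*` also matches `/etc/kernel/postinst.d/kdump-tools`, which the next hunk gives its own `kernel-postinst-kdump` profile and which kdump-config reaches with `rPx`. AppArmor is expected to pick the more specific attachment, so the exact path should win, but the overlap is easy to miss the next time a hook gets a dedicated profile; a comment on the attachment line, `# generic kernel hooks; hooks with a dedicated profile (e.g. kernel-postinst-kdump) attach there by exact match`, records the intent. Worth noting as well that `capability sys_module` is inherited by every `rix` helper here, the shell included, because the hook scripts themselves run under this profile.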
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/kernel/postinst.d/kdump-tools
+profile kernel-postinst-kdump @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/du rix,
+ @{bin}/find rix,
+ @{bin}/gawk rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/sync rix,
+ @{sbin}/mkinitramfs rPx,
+
+ owner /var/lib/kdump/* w,
+
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 4332c78d9..5f5d8dc5f 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -192,7 +192,10 @@ kconf_update complain
 kde-powerdevil attach_disconnected,mediate_deleted,complain
 kde-systemd-start-condition complain
 kded complain
+kdump-config complain
+kernel complain
 kernel-install complain
+kernel-postinst-kdump complain
 keyboxd complain
 kglobalacceld complain
 kio_http_cache_cleaner complain
From b90c4073c94f06e83a16677398d338c05f5df395 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 23 May 2025 23:55:01 +0200
Subject: [PATCH 412/672] ci: show full journalctl log on failure.
--- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f04ac1381..4593fe78c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
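Review bot: The five temp-file rules spell `/tmp/...` literally while the rest of the tree writes `@{tmp}` (see `owner @{tmp}/file* w` in linux-check-removal earlier in this series), so if the tunable expands to more than /tmp these rules miss those locations and the mkinitramfs scratch files get denied there. `owner @{tmp}/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,` is the form used elsewhere; the link rule's target should be switched to the same variable so source and target stay in step.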
@@ -55,7 +55,7 @@ jobs: - name: Reload AppArmor run: | sudo systemctl restart apparmor.service || true - sudo systemctl status apparmor.service + sudo journalctl -xeu apparmor.service - name: Ensure compatibility with some AppArmor userspace tools if: matrix.os != 'ubuntu-24.04' From f3ed1a30065065300a0b5dca307f9081f9501025 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 00:08:57 +0200 Subject: [PATCH 413/672] fix: profile compilation. --- apparmor.d/profiles-g-l/linux-check-removal | 2 +- dists/flags/main.flags | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 2c2a8ba21..40eb26b93 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/linux-check-removal -profile linux-check-removal @{exec_path} flags=(complain) { +profile linux-check-removal @{exec_path} { include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5f5d8dc5f..d139c7622 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -219,7 +219,7 @@ libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain lightdm-session complain -linux-check-removal complain +linux-check-removal complain linux-update-symlinks complain locale-gen complain localectl complain From 3848838e53a5824417590f97c43ad0135a50e6a1 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 24 May 2025 17:35:16 +0200 Subject: [PATCH 414/672] feat(profile): merge dpkg-scripts and dpkg-script-tmp. --- apparmor.d/groups/apt/dpkg-preconfigure | 2 + apparmor.d/groups/apt/dpkg-script-systemd | 2 + apparmor.d/groups/apt/dpkg-script-tmp | 57 ----------------------- apparmor.d/groups/apt/dpkg-scripts | 17 +++++-- dists/flags/main.flags | 1 - 5 files changed, 16 insertions(+), 63 deletions(-) delete mode 100644 apparmor.d/groups/apt/dpkg-script-tmp diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 8a9ea568e..4dbfae0a8 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -15,6 +15,8 @@ profile dpkg-preconfigure @{exec_path} { include include + capability dac_read_search, + @{exec_path} r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index cb652108d..713f2981f 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -16,6 +16,8 @@ profile dpkg-script-systemd @{exec_path} { @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/bootctl Px, @{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-invoke Px, @{bin}/dpkg Cx -> dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp deleted file mode 100644 index 65e63d076..000000000 --- a/apparmor.d/groups/apt/dpkg-script-tmp +++ /dev/null 
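Review bot: `capability dac_read_search` is added to dpkg-preconfigure without a comment saying which read it unblocks; since the capability bypasses read and search permission checks on every path the file rules allow, the profile should record the access that prompted it, e.g. `capability dac_read_search, # TODO: note the denied path this was added for`. The profile body continues outside this hunk, so the rule it pairs with may be further down the file.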
@@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} -profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { - include - include - include - - @{exec_path} mrix, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/run-parts rix, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg Px, - @{bin}/dpkg-divert Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/kmod Cx -> kmod, - @{bin}/systemctl Cx -> systemctl, - /usr/share/debconf/frontend Px, - - /usr/share/debconf/confmodule r, - - /etc/kernel/preinst.d/*-microcode ix, - - @{lib}/modules/*/.fresh-install w, - - profile kmod { - include - include - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - capability sys_resource, - - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 32063f5c5..e765b334c 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -38,6 +38,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/ubuntu-advantage/postinst-migrations.sh ix, @{bin}/dbus-send Cx -> bus, + @{bin}/kmod Cx -> kmod, @{bin}/dpkg Px -> child-dpkg, @{bin}/systemctl Cx -> systemctl, @{sbin}/invoke-rc.d Cx -> rc, @@ -52,9 +53,6 @@ profile dpkg-scripts @{exec_path} { /usr/share/** Px, /etc/init.d/* Px, - /var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-* - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp - # Maintainer's scripts can update a lot of files / r, /*/ r, 
@@ -85,12 +83,20 @@ profile dpkg-scripts @{exec_path} { include if exists } + profile kmod { + include + include + + include if exists + } + profile systemctl { include include capability net_admin, capability sys_ptrace, + capability sys_resource, @{run}/utmp rk, @@ -99,6 +105,7 @@ profile dpkg-scripts @{exec_path} { profile rc { include + include include @{sbin}/update-rc.d mr, @@ -110,10 +117,10 @@ profile dpkg-scripts @{exec_path} { /etc/ r, /etc/init.d/* r, - /etc/rc?.d/ r, + /etc/rc@{c}.d/ r, + /etc/rc@{c}.d/* rw, /etc/rc@{int}.d/ r, /etc/rc@{int}.d/* rw, - /etc/rc@{c}.d/* rw, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d139c7622..b1bd2fa0e 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -93,7 +93,6 @@ dpkg-script-apparmor complain dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain -dpkg-script-tmp complain dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain From d5926e9411f224cf094506c9cae221b84d740b20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 17:48:15 +0200 Subject: [PATCH 415/672] feat(abs): update debconf abs. --- apparmor.d/abstractions/common/debconf | 7 +++ apparmor.d/groups/apt/debconf-frontend | 5 +- apparmor.d/groups/apt/dpkg-script-apparmor | 2 - apparmor.d/groups/apt/dpkg-script-linux | 4 -- apparmor.d/groups/apt/dpkg-script-systemd | 3 -- apparmor.d/groups/apt/dpkg-scripts | 1 - apparmor.d/groups/grub/grub-check-signatures | 7 ++- apparmor.d/profiles-g-l/linux-check-removal | 5 -- apparmor.d/profiles-m-r/needrestart | 9 +++- apparmor.d/profiles-m-r/pam-auth-update | 48 ++----------------- apparmor.d/profiles-s-z/tasksel | 9 ++-- .../profiles-s-z/update-secureboot-policy | 17 ++++--- 12 files changed, 35 insertions(+), 82 deletions(-) diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf index c21974212..1d9a6d145 100644 --- a/apparmor.d/abstractions/common/debconf 
+++ b/apparmor.d/abstractions/common/debconf @@ -9,11 +9,18 @@ include include + @{sh_path} rix, + @{bin}/locale ix, + @{bin}/whiptail Px, + /usr/share/debconf/frontend rix, /usr/share/debconf/confmodule r, /etc/debconf.conf r, + /var/ r, + /var/cache/ r, + /var/cache/debconf/ r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, include if exists diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 5ec13fcff..a8f7057e7 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -20,9 +20,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, @{bin}/hostname ix, - @{bin}/locale ix, @{bin}/lsb_release Px -> lsb_release, @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, @@ -32,7 +30,6 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @{bin}/ucf Px, - @{bin}/whiptail Px, @{sbin}/aspell-autobuildhash Px, @{sbin}/pam-auth-update Px, @{lib}/tasksel/tasksel-debconf Px -> tasksel, @@ -45,7 +42,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { # Package maintainer's scripts /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts, # DKMS scipts @{lib}/dkms/common.postinst rPUx, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 9de0ce0b4..73b14390a 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -10,11 +10,9 @@ include profile dpkg-script-apparmor @{exec_path} { include include - include @{exec_path} mrix, - @{sh_path} rix, @{bin}/grep ix, @{bin}/deb-systemd-helper Px, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 52c74c192..d6a8db473 100644 
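Review bot: The debconf abstraction hunk adds `@{sh_path} rix,`, `@{bin}/locale ix,` and `@{bin}/whiptail Px,` to a shared abstraction, so every profile that includes it now inherits shell execution under its own rule set, not only the profiles this commit strips those lines from (dpkg-script-apparmor, dpkg-script-linux, dpkg-script-systemd, grub-check-signatures, linux-check-removal, pam-auth-update, tasksel, update-secureboot-policy). That is a broader grant than the per-profile lines it replaces: a profile that included the abstraction only for the `/var/cache/debconf/*.dat` access now also gets `sh` running with all of its file rules. A comment stating this is intentional would help reviewers of future includes, e.g. `# sh and locale run inherited (ix): the including profile's rules apply to them.`. The `/var/ r, /var/cache/ r, /var/cache/debconf/ r,` directory reads are unobjectionable.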
--- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -13,10 +13,7 @@ profile dpkg-script-linux @{exec_path} { @{exec_path} mrix, - @{sh_path} rix, @{bin}/cat ix, - @{bin}/locale ix, - @{bin}/mkdir ix, @{bin}/mkdir ix, @{bin}/rm ix, @{bin}/run-parts ix, @@ -26,7 +23,6 @@ profile dpkg-script-linux @{exec_path} { @{bin}/kmod Px, @{bin}/linux-check-removal Px, @{bin}/linux-update-symlinks Px, - @{bin}/whiptail Px, @{bin}/dpkg-maintscript-helper Px, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 713f2981f..4acafd139 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -10,12 +10,9 @@ include profile dpkg-script-systemd @{exec_path} { include include - include @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, @{bin}/bootctl Px, @{bin}/deb-systemd-helper Px, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e765b334c..f1c56bd49 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -31,7 +31,6 @@ profile dpkg-scripts @{exec_path} { @{bin}/getent ix, @{bin}/gzip ix, @{bin}/helpztags ix, - @{bin}/locale ix, @{bin}/tput ix, @{bin}/zcat ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index 310138595..f09ba540d 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -13,10 +13,9 @@ profile grub-check-signatures @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/mktemp rix, - @{bin}/od rix, + @{bin}/{m,g,}awk ix, + @{bin}/mktemp ix, + @{bin}/od ix, owner @{tmp}/tmp.@{rand10}/ rw, 
diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 40eb26b93..04d2f0330 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -14,12 +14,7 @@ profile linux-check-removal @{exec_path} { @{exec_path} rmix, - @{sh_path} rix, @{bin}/stty rix, - @{bin}/locale rix, - @{bin}/whiptail rPx, - - audit owner @{tmp}/file* w, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c2bc8b2b6..5d5e76ed5 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -40,7 +40,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, - /usr/share/debconf/frontend rix, + /usr/share/debconf/frontend rCx -> debconf, /etc/debconf.conf r, /etc/init.d/* r, @@ -97,6 +97,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } + profile debconf { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 655ed9d40..aff011389 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update 
@@ -10,56 +10,18 @@ include @{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include - include - include + include @{exec_path} mr, - @{bin}/md5sum rix, - @{bin}/cp rix, + @{bin}/md5sum ix, + @{bin}/cp ix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - /etc/pam.d/* rw, - /var/lib/pam/* rw, /usr/share/pam{,-configs}/{,*} r, + /etc/pam.d/* rw, - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{sbin}/pam-auth-update rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - # The following is needed when debconf uses GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, - - /etc/shadow r, - - include if exists - } + /var/lib/pam/* rw, include if exists } diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index f4900f225..8a33649a0 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -14,9 +14,8 @@ profile tasksel @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, - @{bin}/tempfile rix, - @{lib}/tasksel/tasksel-debconf rix, + @{bin}/tempfile ix, + @{lib}/tasksel/tasksel-debconf ix, @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: @@ -29,13 +28,11 @@ profile tasksel @{exec_path} flags=(complain) { /usr/share/tasksel/{,**} r, - owner @{tmp}/file* w, - profile tasksel-tests flags=(complain) { include - @{lib}/tasksel/tests/* r, @{sh_path} rix, + @{lib}/tasksel/tests/* r, include if exists } 
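Review bot: In pam-auth-update the `frontend` child profile is removed and `/usr/share/debconf/frontend` is presumably now reached through the replaced include, where the abstraction grants it `rix`, so the frontend and the shell it spawns run with this profile's `/etc/pam.d/* rw` and `/var/lib/pam/* rw`. The same commit takes the opposite route in needrestart (`/usr/share/debconf/frontend rCx -> debconf` with a dedicated child), and the removed `#FIXME#` comment asked exactly which approach to pick. If the writes to `/etc/pam.d/*` are meant to stay with pam-auth-update itself, a `rCx -> debconf` child here too, mirroring needrestart, keeps the frontend away from them; otherwise a comment explaining why inheritance is acceptable would close the FIXME properly. The abstraction's `rix` rule is in a different file and not visible in this hunk.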
diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index f8581f532..31a03ef7b 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -14,15 +14,14 @@ profile update-secureboot-policy @{exec_path} { @{exec_path} rm, - @{sh_path} rix, - @{bin}/{,m,g}awk rix, - @{bin}/dpkg-trigger rPx, - @{bin}/find rix, - @{bin}/id rix, - @{bin}/od rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/wc rix, + @{bin}/{,m,g}awk ix, + @{bin}/dpkg-trigger Px, + @{bin}/find ix, + @{bin}/id ix, + @{bin}/od ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/wc ix, / r, From 3e098b715205074cc2eab4b3518658f50b65d464 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:47:02 +0200 Subject: [PATCH 416/672] feat(profile): initramfs: add hooks and scripts. --- apparmor.d/profiles-m-r/initramfs-hooks | 86 +++++++++++++++++++++++ apparmor.d/profiles-m-r/initramfs-scripts | 55 +++++++++++++++ apparmor.d/profiles-m-r/mkinitramfs | 10 +-- 3 files changed, 146 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/profiles-m-r/initramfs-hooks create mode 100644 apparmor.d/profiles-m-r/initramfs-scripts diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks new file mode 100644 index 000000000..b4f3ac2f4 --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-hooks 
@@ -0,0 +1,86 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** +profile initramfs-hooks @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{sbin}/blkid Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox ix, + @{lib}/klibc/bin/fstype ix, + /usr/share/mdadm/mkconf Px, + + @{bin}/* r, + @{sbin}/* r, + @{lib}/ r, + @{lib}/** r, + + /usr/share/initramfs-tools/{,**} r, + /usr/share/plymouth/{,**} r, + /usr/share/cryptsetup/initramfs/{,**} r, + + /etc/console-setup/{,**} r, + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/* r, + /etc/fstab r, + /etc/iscsi/*.iscsi r, + /etc/lvm/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/systemd/network/{,**} r, + /etc/udev/{,**} r, + + / r, + @{efi}/config-* r, + + /var/tmp/ r, + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + + @{PROC}/@{pid}/mounts r, + @{PROC}/cmdline r, + @{PROC}/swaps r, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{bin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# 
vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts new file mode 100644 index 000000000..85437017b --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -0,0 +1,55 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** +profile initramfs-scripts @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{sbin}/blkid Px, + @{bin}/dd ix, + @{bin}/debconf-escape Px, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox Px, + /usr/share/mdadm/mkconf Px, + + /usr/share/initramfs-tools/{,**} r, + + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/console-setup r, + /etc/fstab r, + /etc/initramfs-tools/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/udev/rules.d/{,**} r, + + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index eaf5645f3..f37029627 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs 
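Review bot: In initramfs-hooks, `/var/tmp/modules_@{rand6} rw,` is the only temporary-file rule in the block without `owner`, while every `mkinitramfs_@{rand6}` rule beside it carries it; initramfs-scripts has the same unowned line. If that file is created by the initramfs tooling itself, `owner /var/tmp/modules_@{rand6} rw,` keeps a pre-planted file of another uid in the sticky directory out of reach. The `/tmp/tmp.@{rand10}/mkinitramfs…` rules also spell `/tmp` literally where the rest of the tree uses `@{tmp}` (e.g. `owner @{tmp}/tmp.@{rand10}/ rw,` in grub-check-signatures). Finally busybox is `ix` in initramfs-hooks but `Px` in initramfs-scripts; the difference is worth a comment or aligning, since `Px` requires a busybox profile to exist.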
@@ -66,11 +66,10 @@ profile mkinitramfs @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - # What to do with it? (#FIXME#) - /usr/share/initramfs-tools/hooks/* rPUx, - /usr/share/initramfs-tools/scripts/*/* rPUx, - /etc/initramfs-tools/hooks/* rPUx, - /etc/initramfs-tools/scripts/*/* rPUx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, + /etc/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, @@ -106,6 +105,7 @@ profile mkinitramfs @{exec_path} { @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, + @{sys}/module/firmware_class/parameters/path r, @{PROC}/cmdline r, @{PROC}/modules r, From c70f9b22fcdfe7ebc718f1144ec8ff5a713ffcb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:50:10 +0200 Subject: [PATCH 417/672] feat(tunable): add more variables for profile name. --- apparmor.d/tunables/multiarch.d/profiles | 44 +++++++++++++++++++++--- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 92ab19fc9..ec1eff79c 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles 
@@ -23,14 +23,50 @@ @{p_dbus_system}=dbus-system @{p_dbus_session}=dbus-session +@{p_accounts_daemon}=accounts-daemon +@{p_apt_news}=apt_news @{p_at_spi2_registryd}=at-spi2-registryd +@{p_avahi_daemon}=avahi-daemon +@{p_bluetoothd}=bluetoothd @{p_colord}=colord +@{p_e2scrub_all}=e2scrub_all +@{p_e2scrub}=e2scrub +@{p_file_roller}=file-roller +@{p_fprintd}=fprintd +@{p_fwupd}=fwupd +@{p_fwupdmgr}=fwupdmgr +@{p_geoclue}=geoclue @{p_gnome_shell}=gnome-shell -@{p_packagekitd}=packagekitd -@{p_snap}=snap -@{p_systemd_logind}=systemd-logind -@{p_xdg_desktop_portal}=xdg-desktop-portal @{p_gsd_media_keys}=gsd-media-keys +@{p_irqbalance}=irqbalance +@{p_logrotate}=logrotate +@{p_ModemManager}=ModemManager +@{p_nm_priv_helper}=nm-priv-helper +@{p_packagekitd}=packagekitd +@{p_pcscd}=pcscd +@{p_polkitd}=polkitd +@{p_power_profiles_daemon}=power-profiles-daemon +@{p_rsyslogd}=rsyslogd @{p_rtkit_daemon}=rtkit-daemon +@{p_snap}=snap +@{p_systemd_coredump}=systemd-coredump +@{p_systemd_homed}=systemd-homed +@{p_systemd_hostnamed}=systemd-hostnamed +@{p_systemd_importd}=systemd-importd +@{p_systemd_initctl}=systemd-initctl +@{p_systemd_journal_remote}=systemd-journal-remote +@{p_systemd_journald}=systemd-journald +@{p_systemd_localed}=systemd-localed +@{p_systemd_logind}=systemd-logind +@{p_systemd_networkd}=systemd-networkd +@{p_systemd_oomd}=systemd-oomd +@{p_systemd_resolved}=systemd-resolved +@{p_systemd_rfkill}=systemd-rfkill +@{p_systemd_timedated}=systemd-timedated +@{p_systemd_timesyncd}=systemd-timesyncd +@{p_systemd_userdbd}=systemd-userdbd +@{p_upowerd}=upowerd +@{p_xdg_desktop_portal}=xdg-desktop-portal + # vim:syntax=apparmor From 8b542434bdb1435ca67169bee6fa8911b3d802a7 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 25 May 2025 00:52:38 +0200 Subject: [PATCH 418/672] feat(profile): update kdump profiles. --- apparmor.d/profiles-g-l/kdump-config | 49 +++++++++++++++++++-- apparmor.d/profiles-g-l/kdump-tools-init | 38 ++++++++++++++++ apparmor.d/profiles-g-l/kdump_mem_estimator | 36 +++++++++++++++ dists/flags/main.flags | 2 + 4 files changed, 122 insertions(+), 3 deletions(-) create mode 100644 apparmor.d/profiles-g-l/kdump-tools-init create mode 100644 apparmor.d/profiles-g-l/kdump_mem_estimator diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index e6ec78f67..2b3516202 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config 
@@ -7,32 +7,69 @@ abi , include @{exec_path} = @{sbin}/kdump-config -profile kdump-config @{exec_path} { +profile kdump-config @{exec_path} flags=(attach_disconnected) { include - ptrace readby peer=systemd-journald, + capability sys_admin, + + ptrace readby peer=@{p_systemd_journald}, @{exec_path} mr, - @{sh_path} ix, + @{sh_path} rix, @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/cp ix, @{bin}/cut ix, @{bin}/file ix, @{bin}/find ix, + @{bin}/flock ix, @{bin}/grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, + @{bin}/plymouth Px, + @{bin}/readlink ix, @{bin}/rev ix, @{bin}/run-parts ix, @{bin}/sed ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, @{sbin}/kexec Cx -> kexec, @{sbin}/sysctl Cx -> sysctl, /etc/kernel/postinst.d/kdump-tools rPx, + /etc/kdump/{,**} r, + /etc/default/kdump-tools r, + /etc/magic r, + + / r, + @{efi}/ r, + + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, owner /var/lib/kdump/{,**} rw, + @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + @{sys}/kernel/kexec_crash_loaded r, + + @{PROC}/cmdline r, + @{PROC}/iomem r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + profile sysctl { include @@ -51,6 +88,12 @@ profile kdump-config @{exec_path} { @{sbin}/kexec mr, + @{efi}/* r, + + owner /var/lib/kdump/* r, + + @{PROC}/iomem r, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init new file mode 100644 index 000000000..b5af4dcc9 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-tools-init 
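Review bot: `capability sys_admin,` is added to the main kdump-config profile with no comment, while the kexec loading itself happens in the `kexec` child (`@{sbin}/kexec Cx -> kexec`), so it is not obvious which operation in the parent needs the broadest capability AppArmor can grant. A justification such as `capability sys_admin, # TODO(review): record the operation that required this` would let the next reviewer check whether it belongs in a child profile instead. The same hunk changes `@{sh_path} ix,` to `@{sh_path} rix,`, but the two new kdump profiles in this patch use `@{sh_path} mr,` and `@{sh_path} r,`; the three should agree on one form or say why they differ. The enclosing profile continues outside both hunks.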
@@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/init.d/kdump-tools +profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + @{sh_path} mr, + + @{bin}/cat ix, + @{bin}/plymouth Px, + @{bin}/run-parts ix, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/kdump-config Px, + + /etc/default/kdump-tools r, + + @{PROC}/cmdline r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator new file mode 100644 index 000000000..b80a89343 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator +profile kdump_mem_estimator @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/cat ix, + @{bin}/mkdir ix, + @{bin}/uname ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + + owner /var/lib/kdump/mem* w, + + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index b1bd2fa0e..9faad80f9 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -191,7 +191,9 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdump_mem_estimator complain kdump-config complain +kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain kernel-postinst-kdump complain 
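Review bot: kdump_mem_estimator lists `@{bin}/uname ix,` twice, once before and once after the `systemctl` line; the second copy should be dropped, and the first is also out of the alphabetical order the neighbouring profiles keep. The interpreter rule is `@{sh_path} r,` here but `@{sh_path} mr,` in kdump-tools-init in the same hunk group and `@{sh_path} rix,` in kdump-config; pick one form for the three or comment the difference. Both new files give their `systemctl` child `capability net_admin,`, which mirrors the existing profiles but still merits a one-line why-comment.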
From c03bcbef7a800d3d4523d4d21b41563d598358d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:00:08 +0200 Subject: [PATCH 419/672] feat(profile): rewrite the needrestart profiles. --- apparmor.d/profiles-m-r/needrestart | 37 ++++++++++--------- apparmor.d/profiles-m-r/needrestart-hook | 25 +++++++++++++ .../needrestart-iucode-scan-versions | 4 +- apparmor.d/profiles-m-r/needrestart-notify | 32 ++++++++++++++++ apparmor.d/profiles-m-r/needrestart-restart | 32 ++++++++++++++++ .../needrestart-vmlinuz-get-version | 2 +- dists/flags/main.flags | 3 ++ 7 files changed, 115 insertions(+), 20 deletions(-) create mode 100644 apparmor.d/profiles-m-r/needrestart-hook create mode 100644 apparmor.d/profiles-m-r/needrestart-notify create mode 100644 apparmor.d/profiles-m-r/needrestart-restart diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 5d5e76ed5..13838902e 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -22,35 +22,34 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace read, - mqueue (r,getattr) type=posix /, - @{exec_path} mrix, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/locale rix, - @{python_path} rix, @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{sbin}/unix_chkpwd rPx, - @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, + @{python_path} rix, + @{sbin}/unix_chkpwd rPx, + /usr/share/debconf/frontend rCx -> debconf, - /etc/debconf.conf r, + /etc/needrestart/hook.d/* rPx, + /etc/needrestart/notify.d/* rPx, + /etc/needrestart/restart.d/* rPx, + /etc/init.d/* r, /etc/needrestart/{,**} r, - /etc/needrestart/*.d/* rix, /etc/shadow r, / r, - /boot/ r, - /boot/* r, + @{efi}/ r, + @{efi}/* r, /opt/*/** r, @{bin}/* r, @{lib}/** r, 
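Review bot: The rewrite replaces the catch-all `/etc/needrestart/*.d/* rix,` with per-directory `rPx` transitions to the new hook/notify/restart profiles, which is the right direction, but the main profile still keeps `/etc/shadow r,` a few lines from `@{sbin}/unix_chkpwd rPx,`. unix_chkpwd is the helper that verifies a password on behalf of a caller that cannot read the shadow file, so if needrestart's own code path no longer reads it directly, the rule is a leftover worth removing in this rewrite, or at least marking with `/etc/shadow r, # TODO(review): confirm still needed alongside unix_chkpwd`. The `@{efi}/` replacement for `/boot/` assumes the tunable covers the same directory, which cannot be verified from the hunk. The enclosing profile continues outside the hunk.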
@@ -59,23 +58,23 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /usr/share/** r, /var/lib/*/** r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + @{run}/systemd/sessions/* r, /tmp/@{word10}/ rw, - owner @{run}/sshd.pid r, - @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/maps r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, + deny mqueue type=posix /, + profile systemctl { include include @@ -101,6 +100,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include include + @{sbin}/needrestart Px, + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook new file mode 100644 index 000000000..fa77834e8 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-hook @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/hook.d/* +profile needrestart-hook @{exec_path} { + include + include + include + + @{exec_path} mr, + @{sh_path} rix, + + @{bin}/dpkg-query px, + + /tmp/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3484ea298..d75301fc6 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions 
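Review bot: needrestart-hook uses `/tmp/ r,` with a literal path while the rest of the tree uses the `@{tmp}` tunable (e.g. `owner @{tmp}/file@{rand6} rw,` in run-parts later in this series), so `@{tmp}/ r,` would keep the profile consistent. `@{bin}/dpkg-query px,` is a lower-case transition, i.e. the environment is not scrubbed on exec; that matches `@{bin}/dpkg-query rpx,` in the parent profile, but now that hook.d scripts are confined on their own it is worth a comment stating whether the unscrubbed environment is actually required. The parent's second hunk adds `deny mqueue type=posix /,`, an explicit silence of the access the first hunk stopped allowing; fine as long as that is intentional.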
@@ -12,19 +12,21 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, - @{sbin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, @{bin}/cat rix, + @{sbin}/iucode_tool rix, /usr/share/misc/ r, + /usr/share/misc/amd64-microcode* r, /usr/share/misc/intel-microcode* r, /etc/default/amd64-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, + /boot/amd64-ucode.img r, /boot/intel-ucode.img r, /boot/early_ucode.cpio r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify new file mode 100644 index 000000000..dc4a30c69 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/notify.d/* +profile needrestart-notify @{exec_path} { + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read peer=unconfined, + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/gettext.sh r, + @{bin}/sed ix, + + /etc/needrestart/notify.conf r, + + @{PROC}/@{pid}/environ r, + @{PROC}/filesystems r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart new file mode 100644 index 000000000..2fc79b70c --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-restart 
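Review bot: needrestart-notify combines `capability sys_ptrace,`, `ptrace read peer=unconfined,` and `@{PROC}/@{pid}/environ r,`, which lets a notify.d script read the environment of unconfined processes, and environments commonly carry session tokens and agent sockets. If this only serves to locate a logged-in user's display or bus address from a session process, a comment saying so (e.g. `# reads the session environment of logged-in users to find their notification bus`) would document the intent, and `peer=` could be narrowed if the target processes are themselves confined. Without a comment the next maintainer cannot tell whether `peer=unconfined` is a deliberate choice or a leftover from learning mode.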
@@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/restart.d/* +profile needrestart-restart @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 655566c74..e5ee2fd8f 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -23,7 +23,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/rm rix, @{bin}/tail rix, @{bin}/tr rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rPx, @{bin}/xz rix, /boot/intel-ucode.img r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9faad80f9..592b681e5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -240,6 +240,9 @@ ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain +needrestart-hook complain +needrestart-notify complain +needrestart-restart complain netplan.script attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain From 21b31a06a755026a30620afb740668cbf85c80ee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:03:23 +0200 Subject: [PATCH 420/672] feat(profile): rewrite the run-parts profile. --- apparmor.d/profiles-m-r/run-parts | 143 +++--------------------------- 1 file changed, 10 insertions(+), 133 deletions(-) 
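Review bot: needrestart-restart confines `/etc/needrestart/restart.d/*` with `@{exec_path} mr,` but, unlike needrestart-hook and needrestart-notify in the same patch, grants no interpreter (`@{sh_path}`); if any restart.d script is a shell script its interpreter will be denied unless the include (whose target is not visible here) already provides it. `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` is the only file rule and is unowned; a comment naming the restart.d script that writes it would make the rule easier to audit. The `systemctl` child carries `capability sys_ptrace,` where the kdump children earlier in this series do not; worth a why-comment.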
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 8adb0f748..e5d44e13a 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,12 +4,6 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile -# Possible confinement depending of profile architecture: -# - As rix, -# - As rCx -> run-parts, -# - As rPx -> foo-run-parts, - abi , include @@ -116,33 +110,21 @@ profile run-parts @{exec_path} { /etc/update-motd.d/* rPx, # Kernel - /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel, - - /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, - /etc/kernel/postinst.d/dkms rCx -> kernel, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, - /etc/kernel/postinst.d/zz-shim rCx -> kernel, - /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, - + /etc/kernel/{,header_}postinst.d/ r, + /etc/kernel/{,header_}postinst.d/* rPx, /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, - + /etc/kernel/postrm.d/* rPx, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel, - + /etc/kernel/preinst.d/* rPx, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel, + /etc/kernel/prerm.d/* rPx, + # Finalrd /usr/share/finalrd/ r, - /usr/share/finalrd/mdadm.finalrd rPUx, - /usr/share/finalrd/open-iscsi.finalrd rPUx, + /usr/share/finalrd/mdadm.finalrd rPUx, + /usr/share/finalrd/open-iscsi.finalrd rPUx, - /usr/share/landscape/landscape-sysinfo.wrapper rPUx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, /root/ r, 
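Review bot: The kernel hook rules now use `rPx` with no fallback (`/etc/kernel/{,header_}postinst.d/* rPx,` and the postrm/preinst/prerm equivalents), replacing the `kernel` child profile the next hunk deletes. Every script that child enumerated (apt-auto-removal, dkms, initramfs-tools, unattended-upgrades, zz-update-grub, zz-shim, xx-update-initrd-links, intel-microcode) now needs a dedicated profile, otherwise run-parts fails the kernel postinst stage with an exec denial instead of degrading; none of those profiles is part of this patch, so a note that they exist elsewhere in the repository would help. `/usr/share/landscape/landscape-sysinfo.wrapper` is tightened from `rPUx` to `rPx` while the two finalrd entries stay `rPUx`; if that difference is deliberate a short comment would stop it being "fixed" later. The profile continues outside the hunk.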
@@ -152,117 +134,12 @@ profile run-parts @{exec_path} { owner @{tmp}/$anacron@{rand6} rw, owner @{tmp}/file@{rand6} rw, - owner @{sys}/class/power_supply/ r, + owner @{sys}/class/power_supply/ r, @{run}/motd.dynamic.new w, /dev/tty@{int} rw, - profile motd { - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{sh_path} rix, - @{bin}/{e,}grep rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/find rix, - @{bin}/head rix, - @{bin}/id rix, - @{bin}/sort rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/hostname rPx, - - @{bin}/snap rPUx, - @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, - @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, - @{lib}/update-notifier/update-motd-reboot-required rix, - /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, - /usr/share/update-notifier/notify-updates-outdated rPx, - - / r, - /etc/default/motd-news r, - /etc/lsb-release r, - /etc/update-motd.d/* r, - - /var/cache/motd-news rw, - /var/lib/update-notifier/updates-available r, - /var/lib/ubuntu-advantage/messages/motd-esm-announce r, - - @{run}/motd.d/{,*} r, - - @{PROC}/@{pids}/mounts r, - - /dev/tty@{int} rw, - - include if exists - } - - profile kernel { - include - include - include - - capability sys_module, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,m,g}awk rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kmod rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/apt-config rPx, - @{sbin}/dkms rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/systemd-detect-virt rPx, - @{sbin}/update-alternatives rPx, - @{sbin}/update-grub rPUx, - @{sbin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, - - @{lib}/modules/*/updates/ w, - @{lib}/modules/*/updates/dkms/ w, - - /etc/kernel/header_postinst.d/* r, - 
/etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - - # For shell pwd - / r, - /boot/ r, - - /etc/apt/apt.conf.d/ r, - /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, - - @{run}/reboot-required w, - @{run}/reboot-required.pkgs rw, - - @{sys}/module/compression r, - - @{PROC}/devices r, - @{PROC}/cmdline r, - - include if exists - } - include if exists } From 649d2da8d2b33744ca892fcea4b19a304d4f2d7b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:04:07 +0200 Subject: [PATCH 421/672] feat(profile): expand and restrict motd. --- apparmor.d/profiles-m-r/motd | 40 ++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index fe684f671..67f216212 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -9,16 +9,11 @@ include @{exec_path} = /etc/update-motd.d/* profile motd @{exec_path} { include - include - include - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, + capability net_admin, @{exec_path} mr, + @{bin}/ r, @{sh_path} rix, @{coreutils_path} rix, @@ -28,7 +23,7 @@ profile motd @{exec_path} { @{bin}/snap rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/wget rix, + @{bin}/wget rCx -> wget, @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, 
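Review bot: `capability net_admin,` is added to the parent `motd` profile in the first hunk of this file at the same time as the network rules move into the `wget` child, which leaves the capability without an obvious consumer: the remaining parent rules are scripts, coreutils and `rPx` transitions. If it only surfaced as an audit entry rather than a functional failure, the pattern used by `ucf` later in this series, `deny capability net_admin, # optional: no audit`, keeps the log quiet without granting it; if a motd script genuinely needs it, a comment naming that script would justify the grant. The enclosing profile continues outside the hunk.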
@@ -37,26 +32,49 @@ profile motd @{exec_path} { /usr/share/update-notifier/notify-updates-outdated rPx, / r, + /etc/cloud/cloud.cfg r, + /etc/cloud/cloud.cfg.d/{,*} r, /etc/default/motd-news r, /etc/lsb-release r, /etc/update-motd.d/* r, - /etc/cloud/cloud.cfg r, - /etc/cloud/cloud.cfg.d/{,*} r, + /etc/wgetrc r, /var/cache/motd-news rw, /var/lib/update-notifier/updates-available r, /var/lib/ubuntu-advantage/messages/motd-esm-announce r, + /var/lib/cloud/instances/nocloud/cloud-config.txt r, - /tmp/tmp.@{rand10} rw, + # /tmp/tmp.@{rand10} rw, + @{run}/cloud-init/cloud.cfg r, @{run}/motd.d/{,*} r, @{run}/motd.dynamic.new rw, @{run}/reboot-required r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, /dev/tty@{int} rw, + profile wget { + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{bin}/wget mr, + + /tmp/tmp.@{rand10} rw, + + include if exists + } + profile systemctl { include include From 8c526b32c615bc30e4400836368f13dfb8eff87a Mon Sep 17 00:00:00 2001 
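Review bot: `/etc/wgetrc r,` is added to the parent `motd` profile, but `wget` now runs under the `rCx -> wget` child defined at the bottom of this hunk, so the child is where that read happens; unless one of the child's `include` lines (targets lost in extraction here) covers it, the rule belongs inside `profile wget { ... }`. The old `/tmp/tmp.@{rand10} rw,` is left in the parent as a commented-out line rather than deleted, while the live copy now sits in the child, so the parent's copy is dead text and should go. The child's `/tmp/tmp.@{rand10} rw,` also uses a literal `/tmp` where the rest of the tree uses `@{tmp}` (the `kernel-install` and `ucf` hunks in this series show both forms), so `owner @{tmp}/tmp.@{rand10} rw,` would follow the project convention.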
From: Alexandre Pujol Date: Sun, 25 May 2025 01:09:08 +0200 Subject: [PATCH 422/672] feat(profile): small update on core upgrade profiles. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-methods-cdrom | 8 ++-- apparmor.d/groups/apt/apt-methods-copy | 8 ++-- apparmor.d/groups/apt/apt-methods-file | 10 ++--- apparmor.d/groups/apt/apt-methods-ftp | 8 ++-- apparmor.d/groups/apt/apt-methods-gpgv | 12 +++--- apparmor.d/groups/apt/apt-methods-http | 18 ++++----- apparmor.d/groups/apt/apt-methods-mirror | 10 ++--- apparmor.d/groups/apt/apt-methods-rred | 10 ++--- apparmor.d/groups/apt/apt-methods-rsh | 8 ++-- apparmor.d/groups/apt/apt-methods-store | 12 +++--- apparmor.d/groups/apt/deb-systemd-helper | 4 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkdevicemap | 7 ++++ apparmor.d/profiles-a-f/e2scrub_all | 4 +- apparmor.d/profiles-a-f/finalrd | 41 ++++++++++---------- apparmor.d/profiles-g-l/glib-compile-schemas | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 1 + apparmor.d/profiles-g-l/logrotate | 4 +- apparmor.d/profiles-m-r/multipathd | 3 +- apparmor.d/profiles-m-r/pycompile | 1 + apparmor.d/profiles-m-r/qemu-ga | 2 +- 22 files changed, 94 insertions(+), 83 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 2a0969156..5be4284f9 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -36,7 +36,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/apt-get/system, unix bind type=stream addr=@@{udbus}/bus/apt/system, - unix type=stream peer=(label=snap), + unix type=stream peer=(label=@{p_snap}), unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 9cf47e758..96ce36a72 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom 
@@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 6d906bf80..e2878e108 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 3c2489a32..781f9714e 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -20,11 +20,11 @@ profile apt-methods-file @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index 47c679ea1..e753b4cf8 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp 
@@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index db5d50f43..5f3654f6e 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -20,12 +20,12 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index b6976e9af..0b375c8f8 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http 
@@ -23,15 +23,15 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, - signal (receive) peer=ubuntu-advantage, - signal (receive) peer=unattended-upgrade, - signal (receive) peer=update-manager, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, + signal receive peer=ubuntu-advantage, + signal receive peer=unattended-upgrade, + signal receive peer=update-manager, ptrace (read), diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index d8e3adce3..025a1c01b 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -20,11 +20,11 @@ profile apt-methods-mirror @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index 85da35efc..1aadac2ec 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred 
@@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, - signal (receive) set=(int) peer=packagekitd, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, + signal receive set=(int) peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 95d70b31f..1b76551b9 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index 5492fdd5e..a6875a432 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -20,12 +20,12 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index 77fe1f455..d6e89f9a0 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper 
@@ -16,8 +16,8 @@ profile deb-systemd-helper @{exec_path} { @{bin}/systemctl rCx -> systemctl, - /etc/systemd/system/* w, - /etc/systemd/user/* w, + /etc/systemd/system/{,**} rw, + /etc/systemd/user/{,**} rw, /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 3274a5e6d..f044b0f44 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -44,7 +44,7 @@ profile grub-install @{exec_path} flags=(complain) { @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r, @{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/w_platform_size r, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 2a7082c64..ca9f3ad3c 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -10,9 +10,16 @@ include profile grub-mkdevicemap @{exec_path} { include include + include + + capability sys_admin, @{exec_path} mr, + @{PROC}/devices r, + + /dev/mapper/control rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index af10dddcd..0079053e0 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -17,8 +17,8 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} r, - @{bin}/readlink rix, + @{sh_path} mr, + @{bin}/readlink ix, /etc/e2scrub.conf r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index bc6c4cf62..d8f2f819e 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd 
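Review bot: The `grub-mkdevicemap` hunk grants `capability sys_admin,` without saying why; since the same hunk opens `/dev/mapper/control rw,`, the capability is presumably there for the device-mapper ioctls, which the kernel gates on CAP_SYS_ADMIN, and a comment stating that keeps a future reader from assuming the broad capability is needed for anything else: `capability sys_admin, # device-mapper ioctls via /dev/mapper/control`. If the denial came from something other than the dm path, the comment should name that instead.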
@@ -20,27 +20,27 @@ profile finalrd @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/find rix, - @{bin}/grep rix, - @{sbin}/ldconfig{,.real} rix, - @{bin}/ln rix, - @{bin}/mkdir rix, - @{bin}/mount rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/rm rix, - @{bin}/run-parts rix, - @{bin}/sed rix, - @{bin}/touch rix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/env ix, + @{bin}/find ix, + @{bin}/grep ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mount ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{sbin}/ldconfig{,.real} ix, - @{bin}/ldd rCx -> ldd, - @{bin}/systemd-tmpfiles rPx, - @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, - @{lib}/systemd/systemd-shutdown rPx, - /usr/share/finalrd/*.finalrd rix, + @{bin}/ldd Cx -> ldd, + @{bin}/systemd-tmpfiles Px, + @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd, + @{lib}/systemd/systemd-shutdown Px, + /usr/share/finalrd/*.finalrd ix, @{bin}/{,*} r, @{lib}/{,*} r, @@ -65,6 +65,7 @@ profile finalrd @{exec_path} { profile ldd { include + include include @{bin}/* mr, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index fcabd84c3..59c56bb12 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/glib-compile-schemas +@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas profile glib-compile-schemas @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 3b140b2bf..1c3c98d52 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo 
@@ -33,6 +33,7 @@ profile landscape-sysinfo @{exec_path} { /var/log/landscape/{,**} rw, + @{run}/systemd/sessions/{,*} r, @{run}/utmp rwk, @{sys}/class/hwmon/ r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index f74f309fe..8d3dc2171 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, - signal (send) set=(hup), - signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, + signal send set=hup, + signal send set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index a07691a5c..bbb6a87a6 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -20,7 +20,8 @@ profile multipathd @{exec_path} { network netlink raw, - unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream addr=@/org/kernel/linux/storage/multipathd, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index b441d84cd..984fcf03c 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -31,6 +31,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { /usr/share/python3/{,**} r, / r, + @{bin}/ r, profile dpkg { include diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index c6e6ca54e..7fa668a71 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -12,7 +12,7 @@ profile qemu-ga @{exec_path} { @{exec_path} mr, - audit @{bin}/systemctl Cx -> systemctl, + @{bin}/systemctl Cx -> systemctl, /etc/qemu/qemu-ga.conf r, From 4e4f8d8a0e65e356971b0cddf86748196ef3a14c Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 25 May 2025 01:15:53 +0200 Subject: [PATCH 423/672] build: update sbin.list --- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 2 +- apparmor.d/groups/virt/dockerd | 2 +- tests/sbin.list | 5 +++++ 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index eb299345c..8f5952d9b 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,7 +15,7 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/fanctl rix, + @{sbin}/fanctl rix, @{bin}/flock rix, @{bin}/grep rix, @{bin}/id rix, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 5a963beac..61898a3e4 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -30,7 +30,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/runc rPUx, + @{sbin}/runc rPx, /tmp/runc-process@{int} rw, /tmp/pty@{int}/ rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 6b1e3537a..c4b39ff8c 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -72,7 +72,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/git rCx -> git, @{bin}/kmod rPx, @{bin}/ps rPx, - @{bin}/runc rUx, + @{sbin}/runc rUx, @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rix, diff --git a/tests/sbin.list b/tests/sbin.list index 82596a62a..805ab8bf1 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -46,6 +46,7 @@ arptables-nft-restore arptables-nft-save arptables-restore arptables-save +arptables-translate aspell-autobuildhash atd audisp-af_unix @@ -92,6 +93,7 @@ blogger bluetoothd bpflist-bpfcc bpftool +brctl bridge brltty brltty-setup 
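Review bot: The `dockerd` hunk keeps `rUx` on `@{sbin}/runc` while the `containerd-shim-runc-v2` hunk on the same line moves the same binary from `rPUx` to `rPx`, so after this commit `runc` runs confined when the shim launches it but fully unconfined when `dockerd` does. If the `runc` profile the shim change relies on exists, `@{sbin}/runc rPx,` here would be consistent; if the unconfined transition is deliberate, a comment on the line saying why would stop the next reviewer from asking the same question. The `cron-ubuntu-fan` path fix and the `sbin.list` additions need no note.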
@@ -241,7 +243,9 @@ f2fscrypt f2fslabel f2fsslower-bpfcc faillock +fanatic fancontrol +fanctl fatlabel fatresize fbtest @@ -767,6 +771,7 @@ rubyflow-bpfcc rubygc-bpfcc rubyobjnew-bpfcc rubystat-bpfcc +runc runlevel runqlat-bpfcc runqlat.bt From e7fb1860939f0c83882c7592e2f356594790fa89 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:19:32 +0200 Subject: [PATCH 424/672] feat(profile): update kernerl-install. --- apparmor.d/profiles-g-l/kernel-install | 28 ++++++++++++++++---------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 07c058124..614b81aeb 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -11,22 +11,19 @@ include profile kernel-install @{exec_path} { include include + include include + capability sys_resource, + + ptrace read peer=@{p_systemd}, + @{exec_path} r, @{sh_path} rix, - - @{bin}/mountpoint rix, - @{bin}/sort rix, - @{bin}/rm rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/chown rix, - @{bin}/chmod rix, - @{bin}/basename rix, - - @{pager_path} rPx -> child-pager, + @{coreutils_path} rix, @{bin}/kmod rCx -> kmod, + @{bin}/mountpoint rix, + @{pager_path} rPx -> child-pager, @{lib}/kernel/install.d/ r, @{lib}/kernel/install.d/@{int2}-*.install rix, @@ -37,6 +34,7 @@ profile kernel-install @{exec_path} { @{lib}/os-release r, /etc/kernel/cmdline r, /etc/kernel/tries r, + /etc/kernel/entry-token r, /etc/machine-id r, /etc/os-release r, /var/lib/dbus/machine-id r, @@ -50,14 +48,22 @@ profile kernel-install @{exec_path} { owner /boot/loader/entries/ rw, owner /boot/loader/entries/*.conf w, + owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, + owner @{tmp}/sh-thd.* rw, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, profile kmod { include include + @{lib}/modules/*/modules.* w, + + @{sys}/module/compression r, + include if exists } 
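Review bot: The third `kernel-install` hunk mixes a literal `/tmp` in `owner /tmp/kernel-install.staging.@{rand6}/{,**} rw,` with the project's `@{tmp}` variable on the very next line (`owner @{tmp}/sh-thd.* rw,`); unless the literal is intentional, `owner @{tmp}/kernel-install.staging.@{rand6}/{,**} rw,` keeps both rules resolving the same way. The `sh-thd.*` rule looks like the shell's here-document scratch file rather than anything kernel-install itself creates, and a comment such as `# bash here-document` would record that. In the first hunk, `capability sys_resource,` and `ptrace read peer=@{p_systemd},` are new privileges added without a reason; a one-line comment on each naming what triggered them would be welcome.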
From 17624b95d8b193a823c1f75a0cffd0a559740b5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:21:12 +0200 Subject: [PATCH 425/672] feat(profile): update ucf profiles. --- apparmor.d/profiles-s-z/ucf | 11 ++++++++++- apparmor.d/profiles-s-z/ucfq | 26 +++++++++++++++++++++++++ apparmor.d/profiles-s-z/ucfr | 37 ++++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 4 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/ucfq create mode 100644 apparmor.d/profiles-s-z/ucfr diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 86d94c7a1..0a7b992b6 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -39,7 +39,7 @@ profile ucf @{exec_path} { @{bin}/dpkg-divert rPx, @{pager_path} rCx -> child-pager, - /usr/share/debconf/frontend rPx, # TODO: rCx -> debonc-frontend, + /usr/share/debconf/frontend Cx -> debconf, # For md5sum /usr/share/** r, @@ -55,6 +55,15 @@ profile ucf @{exec_path} { owner /tmp/tmp.@{rand10} r, + deny capability sys_admin, # optional: no audit + + profile debconf { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq new file mode 100644 index 000000000..b6ca3e7b1 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfq @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfq +profile ucfq @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/md5sum rix, + + /etc/ r, + /etc/default/ r, + /etc/default/grub r, + + /var/lib/ucf/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr new file mode 100644 index 000000000..b38f8aae4 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfr 
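Review bot: The new `debconf` child profile in the second `ucf` hunk contains only two `include` lines (their targets did not survive extraction here) and no rule for its own entry point, whereas the `systemctl` and `wget` children added elsewhere in this series each carry an explicit `mr` on the binary they confine (`@{bin}/wget mr,`). Unless one of the includes grants it, the child needs `/usr/share/debconf/frontend r,` plus read/map access to its interpreter, or the `Cx -> debconf` transition in the first hunk will fail as soon as the profile is enforced. `deny capability sys_admin, # optional: no audit` is a good pattern for quieting a known-harmless denial; it would be worth a word on which operation triggers it.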
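Review bot: The new `ucfq` profile only allows reading `/etc/default/grub` (plus the two directories on the way to it), which looks like the single file observed during profiling; `ucfq` is invoked with whatever configuration file a package asks about, so any other path will be denied as soon as the `complain` flag added to `main.flags` is dropped. Either widen it to the set of ucf-managed files the tool is expected to query, or add a comment that the list is intentionally minimal and is to be extended from complain-mode logs. `@{bin}/md5sum rix,` is presumably how the queried file is hashed for the registry lookup; a `# For md5sum` comment on the path rules, as the `ucf` profile already carries, would tie the two together.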
@@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfr +profile ucfr @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/{m,g,}awk ix, + @{bin}/getopt ix, + @{bin}/grep ix, + @{bin}/id ix, + @{bin}/readlink ix, + @{bin}/sed ix, + @{bin}/dirname ix, + + /usr/share/ucf/{,**} r, + + /etc/ucf.conf r, + + / r, + + /var/lib/ucf/ r, + /var/lib/ucf/registry r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 592b681e5..e88409583 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -368,6 +368,8 @@ telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain ucf complain +ucfq complain +ucfr complain udev-ata_id complain udev-bcache-export-cached complain udev-cdrom_id complain From 0a5743fa46cb62d35a1ff622d50a1fa2eaa6666c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:23:26 +0200 Subject: [PATCH 426/672] feat(profile): add profile for more update-* tools. --- apparmor.d/profiles-s-z/update-catalog | 26 ++++++++++++++++++ apparmor.d/profiles-s-z/update-info-dir | 24 +++++++++++++++++ apparmor.d/profiles-s-z/update-shells | 36 +++++++++++++++++++++++++ dists/flags/main.flags | 3 +++ 4 files changed, 89 insertions(+) create mode 100644 apparmor.d/profiles-s-z/update-catalog create mode 100644 apparmor.d/profiles-s-z/update-info-dir create mode 100644 apparmor.d/profiles-s-z/update-shells diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog new file mode 100644 index 000000000..feac2d3c5 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-catalog 
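Review bot: The new `ucfr` profile grants only `r` on `/var/lib/ucf/registry`, yet recording or purging a package/file association is the tool's purpose and is expected to rewrite that registry; confirm from complain-mode logs whether `/var/lib/ucf/registry{,.*} rw,` is needed before the `complain` flag is dropped, since the read-only rule will otherwise turn the first real registration into a denial. `/ r,` is also granted without a comment; if it is for the shell's working-directory lookup, reusing the `# For shell pwd` wording from the old `run-parts` kernel child would document it.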
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-catalog +profile update-catalog @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/sgml/ r, + /etc/sgml/* r, + + /var/lib/sgml-base/*catalog rw, + /var/lib/sgml-base/*catalog.new rw, + /var/lib/sgml-base/*catalog.old w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir new file mode 100644 index 000000000..7c835023f --- /dev/null +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-info-dir +profile update-info-dir @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/install-info Px, + @{bin}/find ix, + @{bin}/rm ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells new file mode 100644 index 000000000..46b6699c8 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-shells @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-shells +profile update-shells @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chmod ix, + @{bin}/chown ix, + @{bin}/dirname ix, + @{bin}/dpkg-realpath ix, + @{bin}/mv ix, + @{bin}/sync ix, + + /usr/share/debianutils/shells r, + /usr/share/debianutils/shells.d/{,**} r, + + /etc/shells r, + /etc/shells.tmp w, + + /var/lib/shells.state r, + /var/lib/shells.state.tmp w, + + include if exists +} + +# vim:syntax=apparmor 
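Review bot: The new `update-shells` profile grants `/etc/shells r,` and `/etc/shells.tmp w,` (and the same split for `/var/lib/shells.state`), but the `@{bin}/mv ix,` rule suggests the temporary file is renamed over the real one, and a rename needs write permission on both source and destination; the `chmod`/`chown ix` rules acting on the `.tmp` file before the move need more than `w` on it as well. If that is how the script works, `/etc/shells rw,` with `/etc/shells.tmp rw,` and `/var/lib/shells.state rw,` with `/var/lib/shells.state.tmp rw,` are the minimum, and complain-mode logs will confirm it. The `update-info-dir` hunk on this line has a similar gap: with `rm ix` and `find ix` running under the profile, regenerating the info directory needs rules for the files under `/usr/share/info/` that `rm` deletes and `find` lists, and none are listed.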
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e88409583..9d0857ad3 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -380,8 +380,11 @@ udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain +update-catalog complain update-grub complain +update-info-dir complain update-secureboot-policy complain +update-shells complain userdbctl complain utempter attach_disconnected,complain veracrypt complain From a7807408b616c6b7fb51e064887415e83d18ffd7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:25:46 +0200 Subject: [PATCH 427/672] feat(profile): update some update-* profiles. --- apparmor.d/groups/freedesktop/update-mime-database | 2 +- apparmor.d/profiles-s-z/update-ca-certificates | 1 + apparmor.d/profiles-s-z/update-dlocatedb | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 6f6b39700..9efd9cccc 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-mime-database +@{exec_path} = @{bin}/update-mime-database profile update-mime-database @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index 4bc88faae..df9c08fe4 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -33,6 +33,7 @@ profile update-ca-certificates @{exec_path} { @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, + @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index 2afe8a22f..e9d92e421 100644 
--- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -26,7 +26,7 @@ profile update-dlocatedb @{exec_path} { /usr/share/dlocate/updatedb rCx -> updatedb, @{bin}/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/2 w, + owner @{PROC}/@{pid}/fd/@{int} w, /var/lib/dlocate/dpkg-list w, From 774106b7e5cd7952850a6a63c49375997c9d4a79 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:28:08 +0200 Subject: [PATCH 428/672] feat(profile): update some systemd profiles. --- apparmor.d/groups/systemd/bootctl | 22 +++++++++---------- .../groups/systemd/systemd-generator-sysv | 3 ++- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 7 ++---- .../groups/systemd/systemd-network-generator | 2 +- apparmor.d/groups/systemd/systemd-networkd | 9 +++++++- apparmor.d/groups/systemd/systemd-remount-fs | 3 +-- apparmor.d/groups/systemd/systemd-timedated | 2 +- 8 files changed, 27 insertions(+), 23 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 12fcceaea..9508cfcf2 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
@@ -25,17 +25,17 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, - /{boot,efi}/ r, - /{boot,efi}/EFI/{,**} r, - /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, - /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - /{boot,efi}/EFI/systemd/systemd-boot*.efi w, - /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, - /{boot,efi}/loader/.#entries.srel* w, - /{boot,efi}/loader/{,**} r, - /{boot,efi}/loader/entries.srel w, - /{boot,efi}/loader/random-seed w, + @{efi}/ r, + @{efi}/EFI/{,**} r, + @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, + @{efi}/EFI/BOOT/BOOTX64.EFI w, + @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, + @{efi}/EFI/systemd/systemd-boot*.efi w, + @{efi}/loader/.#bootctlrandom-seed@{hex} rw, + @{efi}/loader/.#entries.srel* w, + @{efi}/loader/{,**} r, + @{efi}/loader/entries.srel w, + @{efi}/loader/random-seed w, /etc/kernel/entry-token r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd/systemd-generator-sysv index 4feb65d51..fc290fca4 100644 --- a/apparmor.d/groups/systemd/systemd-generator-sysv +++ b/apparmor.d/groups/systemd/systemd-generator-sysv @@ -17,9 +17,10 @@ profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { /etc/init.d/{,**} r, /etc/rc@{int}.d/{,**} r, - @{run}/systemd/generator.late/* w, + @{run}/systemd/generator.late/** w, @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 205d8a55f..3befcd92a 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed 
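Review bot: `@{PROC}/1/environ r` in the systemd-generator-sysv hunk hands the generator the complete environment of PID 1, which is broader than a generator normally needs, and the hunk gives no reason for it. If the rule came from an observed denial, a trailing comment naming what the generator looks for there (`@{PROC}/1/environ r, # TODO: note which variable the generator reads`) would let a later reviewer judge whether a narrower source exists. The widening of `@{run}/systemd/generator.late/*` to `**` also now covers files in subdirectories; that is presumably intentional, but a short comment would make it clear it was not a typo.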
@@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a56e16298..39192e7e1 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { include include include + include include include include include - include capability chown, capability dac_override, @@ -50,8 +50,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,**} r, / r, - /boot/{,**} r, - /efi/{,**} r, + @{efi}/{,**} r, /swap.img r, /swap/swapfile r, /swapfile r, @@ -140,8 +139,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, - /dev/tty@{int} rw, - owner @{att}/dev/tty@{int} rw, owner /dev/shm/{,**/} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index e22d89629..ceebbc5c2 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-network-generator -profile systemd-network-generator @{exec_path} { +profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index ca5450826..3d6c3a4b7 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd 
@@ -31,6 +31,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, + signal receive set=usr2 peer=@{p_systemd}, + #aa:dbus own bus=system name=org.freedesktop.network1 dbus send bus=system path=/org/freedesktop/hostname1 @@ -47,14 +49,18 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/systemd/networkd.conf r, + /etc/systemd/network.conf r, /etc/systemd/network/{,**} r, + /etc/systemd/networkd.conf r, + /etc/systemd/networkd.conf.d/{,**} r, /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, @{att}/@{run}/systemd/notify rw, + @{run}/mount/utab r, + owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @@ -75,6 +81,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 750f7e18b..96b182e5f 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -28,8 +28,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.@{rand6} rw, - @{run}/mount/utab.lock rwk, + @{run}/mount/utab.* rwk, @{sys}/devices/virtual/block/dm-@{int}/dm/name r, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index e070afe4e..ffed031b5 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated 
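Review bot: The second systemd-networkd hunk replaces `/etc/systemd/networkd.conf r` with `/etc/systemd/network.conf r` and then adds `networkd.conf` and `networkd.conf.d/{,**}` back a few lines below, so `network.conf` is the only genuinely new path; I cannot place a `network.conf` file among networkd's configuration files, so it either comes from an observed denial or duplicates `networkd.conf` under a mistyped name. A comment on the line stating its origin, or dropping it if it was a typo, would settle this. The `@{run}/mount/utab r` and `@{PROC}/version_signature r` additions are unexplained as well; the latter is an Ubuntu-specific file and a trailing `# Ubuntu only` would help readers on other distributions.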
@@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 From 30bbd6d56a7d673b25212727a05e52d818e9a7e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:39:00 +0200 Subject: [PATCH 429/672] feat(profile): cron: cleanup direct exec. --- apparmor.d/groups/cron/cron | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index c92441568..778dd2be8 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -38,9 +38,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not # using the run-parts profile we are good - @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - @{lib}/sysstat/debian-sa1 rPUx, - /usr/share/rsync/scripts/rrsync rPUx, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, From 8546533ad1ec34df6e709f0ed1ff510af24e5c62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:28:35 +0200 Subject: [PATCH 430/672] fix(build): flag generation. --- dists/flags/main.flags | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9d0857ad3..c0af4fc77 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -193,7 +193,7 @@ kde-systemd-start-condition complain kded complain kdump_mem_estimator complain kdump-config complain -kdump-tools-init complain,attach_disconnected +kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain kernel-postinst-kdump complain From 813758a1e0e58035ba568837623ba4c289db9bec Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 25 May 2025 15:07:27 +0200 Subject: [PATCH 431/672] feat(profile): add debconf-escape, update dpkg-scripts. --- apparmor.d/groups/apt/debconf-escape | 19 +++++++++++++++++++ apparmor.d/groups/apt/dpkg-scripts | 15 ++++++++++++++- dists/flags/main.flags | 1 + 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/apt/debconf-escape diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape new file mode 100644 index 000000000..c64401bb0 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-escape @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/debconf-escape +profile debconf-escape @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index f1c56bd49..e18ab78de 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -26,11 +26,12 @@ profile dpkg-scripts @{exec_path} { @{coreutils_path} rix, @{bin}/run-parts rix, - @{bin}/setpriv ix, @{bin}/envsubst ix, + @{bin}/file ix, @{bin}/getent ix, @{bin}/gzip ix, @{bin}/helpztags ix, + @{bin}/setpriv ix, @{bin}/tput ix, @{bin}/zcat ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, 
@@ -97,6 +98,18 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, + @{bin}/systemd-tty-ask-password-agent Px, + @{pager_path} Px -> child-pager, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/utmp rk, include if exists diff --git a/dists/flags/main.flags b/dists/flags/main.flags index c0af4fc77..6c29eba15 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -77,6 +77,7 @@ cupsd attach_disconnected,complain ddcutil complain deb-systemd-helper complain deb-systemd-invoke complain +debconf-escape complain decibels complain dino attach_disconnected,complain discord complain From 7361c21c401bfa0cf0c3eb3cb0bbcb9b534b7501 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:14:56 +0200 Subject: [PATCH 432/672] feat(profile): add mdadm-mkconf. --- apparmor.d/profiles-m-r/mdadm-mkconf | 30 ++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 31 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mdadm-mkconf diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf new file mode 100644 index 000000000..8139ac68e --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm-mkconf 
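Review bot: The eight `/{run,var}/log/journal/...` read rules added to dpkg-scripts give every maintainer script read access to the complete system and per-user journals, and nothing in the hunk says which package's scripts need it. The snapd profile later in this series keeps equivalent journal reads inside a dedicated `journalctl` subprofile rather than in the parent; the same shape (`@{bin}/journalctl rCx -> journalctl` with the journal rules inside it) would keep the maintainer-script profile itself away from the journal files. If a subprofile is not wanted, at least a comment naming the triggering package would help the next reader, and `@{run}/utmp rk` deserves one too since the lock (`k`) is unusual for a reader. The dpkg-scripts profile body continues outside this hunk.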
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/mdadm/mkconf +profile mdadm-mkconf @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/date ix, + @{bin}/cat ix, + @{bin}/sed ix, + @{sbin}/mdadm Px, + + /etc/default/mdadm r, + + / r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6c29eba15..e27c76bc2 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -237,6 +237,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain +mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain From b1435dd4914e3828de737e5ba5817ca2ddef8add Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:17:38 +0200 Subject: [PATCH 433/672] feat(profile): ubuntu: update upgrade process. --- .../groups/ubuntu/package-data-downloader | 2 ++ apparmor.d/groups/ubuntu/ubuntu-report | 2 +- .../groups/ubuntu/update-notifier-crash | 20 +++++++++++++++++++ 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/ubuntu/update-notifier-crash diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index c193bbe0c..37f7f72a5 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -14,6 +14,8 @@ profile package-data-downloader @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, /var/lib/update-notifier/package-data-downloads/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 19273f449..65fa3eaa0 100644 
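Review bot: `/var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw` in the new mdadm-mkconf profile has no `owner` prefix, although `/var/tmp` is a world-writable directory and the mkinitramfs temporary tree is presumably created by the calling process, so the file the script writes should belong to the same uid. `owner /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,` keeps the rule from matching a same-named path created by another user under `/var/tmp`. The bare `/ r` is also unexplained; a trailing comment saying what walks the root directory would help.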
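Review bot: `capability dac_read_search` in package-data-downloader is a blanket bypass of read permission checks on the whole filesystem, and the hunk does not say which path triggered it. If the denied read is for a single location, an explicit file rule for that path is preferable; if the capability really is required, a trailing comment naming the path (`capability dac_read_search, # TODO: note which path needs this`) records why the bypass is accepted. The rest of the profile is outside this hunk.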
--- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -21,7 +21,7 @@ profile ubuntu-report @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{user_cache_dirs}/ubuntu-report/{,*} r, + owner @{user_cache_dirs}/ubuntu-report/{,*} rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash new file mode 100644 index 000000000..b3cbf7f07 --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/update-notifier/update-notifier-crash +profile update-notifier-crash @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/apport/apport-checkreports Px, + + include if exists +} + +# vim:syntax=apparmor From ca5b4c99bac08f2cf53aa5433d086228dfa40ed2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 16:40:29 +0200 Subject: [PATCH 434/672] ci: disable compatibility check with userspace tools. --- .github/workflows/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4593fe78c..229aad415 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -57,11 +57,6 @@ jobs: sudo systemctl restart apparmor.service || true sudo journalctl -xeu apparmor.service - - name: Ensure compatibility with some AppArmor userspace tools - if: matrix.os != 'ubuntu-24.04' - run: | - sudo aa-enforce /etc/apparmor.d/aa-notify - - name: Show AppArmor log and rules run: | sudo aa-log From 931c20708905fd5b48f07aa492749fe178e152eb Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 25 May 2025 18:24:34 +0200 Subject: [PATCH 435/672] feat(profile): simplify needrestart & fix pam-auth-update. --- apparmor.d/profiles-m-r/needrestart | 19 +------------------ apparmor.d/profiles-m-r/pam-auth-update | 2 +- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 13838902e..9b731fd64 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -9,11 +9,8 @@ include @{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include - include capability checkpoint_restore, capability dac_read_search, @@ -27,18 +24,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/sed rix, - @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{bin}/who rix, @{lib}/needrestart/* rPx, @{python_path} rix, @{sbin}/unix_chkpwd rPx, - /usr/share/debconf/frontend rCx -> debconf, - /etc/needrestart/hook.d/* rPx, /etc/needrestart/notify.d/* rPx, /etc/needrestart/restart.d/* rPx, @@ -96,15 +88,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } - profile debconf { - include - include - - @{sbin}/needrestart Px, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index aff011389..5e0cbaaf4 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -12,7 +12,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mrix, @{bin}/md5sum ix, @{bin}/cp ix, From d575812e2906331f77dfcb7e41da44d2afa273c2 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 25 May 2025 18:27:30 +0200 Subject: [PATCH 436/672] fix(profile): snapd journalctl subprofile. --- apparmor.d/groups/snap/snapd | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index c1b24176e..b65283987 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -204,6 +204,7 @@ profile snapd @{exec_path} { include capability net_admin, + capability sys_resource, network netlink raw, @@ -215,6 +216,8 @@ profile snapd @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/{,*} r, + @{run}/systemd/notify w, + include if exists } From acc35c3bd7f2dc31a0de043a660156c1f3aa9e8e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:28:56 +0200 Subject: [PATCH 437/672] ci: show files installed in sbin. --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 229aad415..8d738eac7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -128,6 +128,7 @@ jobs: - name: Install integration dependencies run: | bash tests/requirements.sh + find /usr/sbin/ -type f - name: Run the integration tests run: | From ead321e07e09b381313f0beeba67403f57b9827d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 23:47:44 +0200 Subject: [PATCH 438/672] feat(profile): improve the upgrade stack. --- apparmor.d/groups/cron/cron | 18 ++++++------------ apparmor.d/groups/snap/snapd | 2 +- apparmor.d/profiles-m-r/needrestart | 8 ++++---- apparmor.d/profiles-m-r/needrestart-hook | 2 +- apparmor.d/profiles-m-r/needrestart-notify | 9 ++++++--- apparmor.d/profiles-m-r/needrestart-restart | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 2 ++ 7 files changed, 21 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 778dd2be8..eba78ac82 100644 --- a/apparmor.d/groups/cron/cron 
+++ b/apparmor.d/groups/cron/cron @@ -25,20 +25,14 @@ profile cron @{exec_path} flags=(attach_disconnected) { network netlink raw, - ptrace (read) peer=unconfined, - - unix bind type=stream addr=@@{udbus}/bus/cron/system, - @{exec_path} mr, - @{sh_path} rix, - @{bin}/nice rix, - @{bin}/ionice rix, - @{bin}/exim4 rPx, - @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not - # using the run-parts profile we are good - - @{lib}/sysstat/debian-sa1 rPx, + @{sh_path} rix, + @{bin}/exim4 rPx, + @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/run-parts rCx -> run-parts, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index b65283987..0eb3adb8c 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -50,7 +50,7 @@ profile snapd @{exec_path} { ptrace read peer=@{p_systemd}, ptrace read peer=snap{,.*}, - signal send set=kill peer=journalctl, + signal send set=kill peer=snapd//journalctl, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 9b731fd64..f9e2c6ebc 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -14,7 +14,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability checkpoint_restore, capability dac_read_search, - capability kill, capability sys_ptrace, ptrace read, 
@@ -27,13 +26,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, + @{bin}/who rPx, @{lib}/needrestart/* rPx, @{python_path} rix, @{sbin}/unix_chkpwd rPx, - /etc/needrestart/hook.d/* rPx, - /etc/needrestart/notify.d/* rPx, - /etc/needrestart/restart.d/* rPx, + @{etc_ro}/needrestart/hook.d/* rPx, + @{etc_ro}/needrestart/notify.d/* rPx, + @{etc_ro}/needrestart/restart.d/* rPx, /etc/init.d/* r, /etc/needrestart/{,**} r, diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook index fa77834e8..c8c9a12c4 100644 --- a/apparmor.d/profiles-m-r/needrestart-hook +++ b/apparmor.d/profiles-m-r/needrestart-hook @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/hook.d/* +@{exec_path} = @{etc_ro}/needrestart/hook.d/* profile needrestart-hook @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index dc4a30c69..41fa96c4c 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/notify.d/* +@{exec_path} = @{etc_ro}/needrestart/notify.d/* profile needrestart-notify @{exec_path} { include @@ -18,8 +18,11 @@ profile needrestart-notify @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/gettext.sh r, - @{bin}/sed ix, + @{bin}/fold ix, + @{bin}/gettext.sh r, + @{bin}/mail Px, + @{bin}/notify-send Px, + @{bin}/sed ix, /etc/needrestart/notify.conf r, diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart index 2fc79b70c..b9e648602 100644 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ b/apparmor.d/profiles-m-r/needrestart-restart 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/restart.d/* +@{exec_path} = @{etc_ro}/needrestart/restart.d/* profile needrestart-restart @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 5e0cbaaf4..90cc6a4ba 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -20,7 +20,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { /usr/share/pam{,-configs}/{,*} r, /etc/pam.d/* rw, + /etc/shadow r, + /var/lib/dpkg/info/libpam-runtime.templates r, /var/lib/pam/* rw, include if exists From a8ab6da6f38f659d338c2eb6dee812d45b8cc41b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 23:53:40 +0200 Subject: [PATCH 439/672] feat(profile): add runit-helper. --- apparmor.d/profiles-m-r/runit-helper | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-m-r/runit-helper diff --git a/apparmor.d/profiles-m-r/runit-helper b/apparmor.d/profiles-m-r/runit-helper new file mode 100644 index 000000000..94b3816c9 --- /dev/null +++ b/apparmor.d/profiles-m-r/runit-helper @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/runit-helper/runit-helper +profile runit-helper @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/mkdir rix, + + @{run}/runit/ rw, + @{run}/runit/supervise/ w, + + include if exists +} + +# vim:syntax=apparmor From e83a9a60dc146dd78c92e6d7b10e88beeaf1ab0b Mon Sep 17 00:00:00 2001 
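Review bot: `/etc/shadow r` grants pam-auth-update read access to the password hash database, and neither the hunk nor the commit message says why a PAM configuration helper needs it. If the script only tests for the file's existence, a read rule is more than it needs and the denial should be re-checked; if it really reads the file, a rule this sensitive should carry a trailing comment stating the reason, e.g. `/etc/shadow r, # TODO: note why pam-auth-update reads this`. The hunk header shows the profile is still `flags=(complain)`, so the rule was presumably taken from logged rather than enforced denials and is worth confirming before the flag is lifted.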
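Review bot: The new runit-helper profile executes `@{bin}/mkdir rix` but has no interpreter rule, unlike the sibling mdadm-mkconf profile added in this series, which carries `@{sh_path} r` for its shell script. If `@{lib}/runit-helper/runit-helper` is a shell script, as the mkdir call suggests, it will need `@{sh_path} r,` (or whichever interpreter it actually uses) unless the `include` line, whose target is not shown in this rendering, already provides it; confirm against an audit log before enforcing.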
From: Alexandre Pujol Date: Mon, 26 May 2025 00:18:01 +0200 Subject: [PATCH 440/672] feat(profile): finalize upgrade process. --- apparmor.d/groups/apt/dpkg-preconfigure | 1 - apparmor.d/groups/apt/dpkg-scripts | 16 ++++++++-------- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/snap/snap | 5 +++-- apparmor.d/groups/snap/snapd | 2 ++ apparmor.d/profiles-s-z/which | 2 +- apparmor.d/profiles-s-z/whiptail | 6 ++---- 7 files changed, 17 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 4dbfae0a8..716cd1dc8 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -30,7 +30,6 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/head ix, @{bin}/locale ix, @{bin}/readlink ix, - @{bin}/readlink ix, @{bin}/realpath ix, @{bin}/sed ix, @{bin}/sort ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e18ab78de..4fb4d04c4 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -47,11 +47,11 @@ profile dpkg-scripts @{exec_path} { @{sbin}/update-rc.d Cx -> rc, # Maintainer scripts can legitimately start/restart anything - @{bin}/** Px, - @{sbin}/** Px, - @{lib}/** Px, - /usr/share/** Px, - /etc/init.d/* Px, + @{bin}/** PUx, + @{sbin}/** PUx, + @{lib}/** PUx, + /usr/share/** PUx, + /etc/init.d/* PUx, # Maintainer's scripts can update a lot of files / r, @@ -76,9 +76,9 @@ profile dpkg-scripts @{exec_path} { include dbus send bus=system path=/ - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 7d1be8442..a561954a3 100644 --- a/apparmor.d/groups/browsers/firefox 
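Review bot: Switching `@{bin}/**`, `@{sbin}/**`, `@{lib}/**`, `/usr/share/**` and `/etc/init.d/*` from `Px` to `PUx` means any helper a maintainer script executes that has no profile now runs unconfined instead of being denied, which is the widest exec transition among the visible profiles and the opposite direction from the cron change earlier in this series, which replaced `rPUx` with `rPx`. The trade-off may be deliberate for the upgrade path, but the existing comment only says scripts may start anything; extending it to `# Maintainer scripts can legitimately start/restart anything; fall back to unconfined for binaries without a profile` records the decision. Consider also whether the fallback could be limited to the directories that actually lacked profiles during the upgrade run, keeping `Px` for the others. The dpkg-scripts profile body extends beyond this hunk.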
+++ b/apparmor.d/groups/browsers/firefox @@ -39,7 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, @{bin}/speech-dispatcher rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 8549d8315..562f49dca 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -85,8 +85,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/security/apparmor/features/{,**} r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, @{PROC}/sys/kernel/random/uuid r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0eb3adb8c..0481af5de 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -208,6 +208,8 @@ profile snapd @{exec_path} { network netlink raw, + signal receive set=kill peer=snapd, + @{bin}/journalctl mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index cc95a17f9..df049741f 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/which{.debianutils,} +@{exec_path} = @{bin}/which{,.debianutils} profile which @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index a7b98ebee..f0efad77b 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/whiptail -profile whiptail @{exec_path} flags=(complain) { +profile whiptail @{exec_path} { include include 
@@ -16,9 +16,7 @@ profile whiptail @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/newt/palette.* r, - - owner @{tmp}/gpm* w, + /usr/share/terminfo/** r, include if exists } From d9430c68c190f26cca9a2291c74b4f9bba4617c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:55:48 +0200 Subject: [PATCH 441/672] build: improve error message in the stack direcive. --- pkg/prebuild/directive/stack.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index f80689827..a43849228 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -55,7 +55,10 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - stackedProfile := prebuild.RootApparmord.Join(name).MustReadFileAsString() + stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() + if err != nil { + return "", fmt.Errorf("%s need to stack: %w", name, err) + } m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { return "", fmt.Errorf("no profile found in %s", name) From 780ca65953a726133f412e61020e749ca99d0850 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:57:37 +0200 Subject: [PATCH 442/672] build(fsp): set stacked variables. --- pkg/prebuild/prepare/fsp.go | 77 ++++++++++++++++++++++++++++--------- 1 file changed, 59 insertions(+), 18 deletions(-) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index 0d4c23076..f8d3cb17f 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go 
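Review bot: The whiptail hunk drops `/etc/newt/palette.* r` in the same commit that removes `flags=(complain)` from the profile header (the previous hunk), so any remaining need for the palette file would now surface as an enforced denial rather than a logged one. To my knowledge libnewt can read a colour palette from `/etc/newt/palette` at startup; if the rule was removed because the file never appeared in the logs, a short note to that effect in the commit or a `#` comment would make the removal safe to revisit. The added `/usr/share/terminfo/** r` is fine but would usually come from a terminal abstraction if the set has one.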
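Review bot: The new error in `Stack.Apply` reads `"%s need to stack: %w"`, which is ungrammatical and does not say what failed; something like `fmt.Errorf("stack: cannot read profile %s: %w", name, err)` names the operation and keeps the wrapped error. Replacing `MustReadFileAsString` with a returned error is the right direction, since a missing stacked profile is a build-input problem rather than a reason to panic. `Apply` begins before this hunk.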
@@ -5,11 +5,60 @@ package prepare import ( - "strings" + "regexp" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" +) + +var ( + tunables = map[string]string{ + // Set systemd profiles name + "sd": "sd", + "sdu": "sdu", + "systemd_user": "systemd-user", + "systemd": "systemd", + + // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they + "dbus_system": "dbus-system", + "dbus_session": "dbus-session", + + // Update name of stacked profiles + "apt_news": "", + "colord": "", + "e2scrub_all": "", + "e2scrub": "", + "fprintd": "", + "fwupd": "", + "fwupdmgr": "", + "geoclue": "", + "irqbalance": "", + "logrotate": "", + "ModemManager": "", + "nm_priv_helper": "", + "pcscd": "", + "polkitd": "", + "power_profiles_daemon": "", + "rsyslogd": "", + "systemd_coredump": "", + "systemd_homed": "", + "systemd_hostnamed": "", + "systemd_importd": "", + "systemd_initctl": "", + "systemd_journal_remote": "", + "systemd_journald": "", + "systemd_localed": "", + "systemd_logind": "", + "systemd_machined": "", + "systemd_networkd": "", + "systemd_oomd": "", + "systemd_resolved": "", + "systemd_rfkill": "", + "systemd_timedated": "", + "systemd_timesyncd": "", + "systemd_userdbd": "", + "upowerd": "", + } ) type FullSystemPolicy struct { 
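Review bot: The comment above the `dbus_system`/`dbus_session` entries in `tunables` is cut off mid-sentence (`the dbus profiles don't get stacked as they`), so the reader is left without the reason these two are mapped to a fixed name rather than the stacked form used for the entries below. Finish the sentence, or replace it with a complete one such as `// With FSP on apparmor 4.1+, the dbus profiles are not stacked; keep their plain names` if that is what was meant. The third group's heading `// Update name of stacked profiles` would also read more clearly as `// Profiles that get the stacked name form (see Apply)`, since an empty-string value only makes sense once the replacement loop is known.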
@@ -33,28 +82,20 @@ func (p FullSystemPolicy) Apply() ([]string, error) { return res, err } - // Set systemd profile name + // Set profile name for FSP path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") - out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") - out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") - out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") - if err := path.WriteFile([]byte(out)); err != nil { - return res, err + for varname, profile := range tunables { + pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) + if profile == "" { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) + } else { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) + } } - - // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = prebuild.RootApparmord.Join("abstractions/gstreamer") - out, err = path.ReadFileAsString() - if err != nil { - return res, err - } - regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) - out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } From c07c5838e4855d97bf98f65496c302bbd305e71c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:00:08 +0200 Subject: [PATCH 443/672] build: add RBAC filter to the only/exclude directive. --- pkg/prebuild/cli/cli.go | 1 + pkg/prebuild/directive/filter.go | 4 ++++ pkg/prebuild/directories.go | 3 +++ 3 files changed, 8 insertions(+) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 779cd5c0c..51636f848 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go 
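Review bot: In the replacement loop, `varname` is spliced into the regular expression unescaped; the keys are static identifiers today, but `regexp.MustCompile(`(@\{p_` + regexp.QuoteMeta(varname) + `}=)([^\s]+)`)` makes the pattern safe for any future key at no cost. The replacement strings are built by concatenation too, so a `profile` value containing `$` would be expanded by `ReplaceAllString`; none of the current values do, but a one-line comment stating that assumption is cheap. Map iteration order does not matter here since each key rewrites a distinct `@{p_…}` variable, and `Apply` starts before this hunk.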
@@ -80,6 +80,7 @@ func Configure() { if full && paths.New("apparmor.d/groups/_full").Exist() { prepare.Register("fsp") builder.Register("fsp") + prebuild.RBAC = true } else if prebuild.SystemdDir.Exist() { prepare.Register("systemd-early") } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index a6513f37e..b6ec56816 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -39,6 +39,10 @@ func init() { } func filterRuleForUs(opt *Option) bool { + if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index d5d5a7266..37cbc69bc 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,6 +13,9 @@ var ( // AppArmor version Version = 4.0 + // Either or not RBAC is enabled + RBAC = false + // Pkgname is the name of the package Pkgname = "apparmor.d" From f717ea7383ea32abde752af3a88dd1bf87709a25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:01:08 +0200 Subject: [PATCH 444/672] feat(aa): add a mount flag. --- pkg/aa/mount.go | 2 +- pkg/aa/util.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index bbf66b577..72719414d 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -29,7 +29,7 @@ func init() { "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", - "norelatime", "nosuid", "nouser", "private", "rbind", "relatime", + "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", 
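Review bot: The doc comment on the new `RBAC` variable in directories.go reads `// Either or not RBAC is enabled`, which does not say what it means; since the cli.go hunk in the same patch sets it only in the full-system-policy branch, `// Whether RBAC is enabled; set by cli.Configure() when the full system policy is selected` would tell a reader both the meaning and the single place it is toggled. A package-level mutable flag is consistent with the neighbouring `Version` and `Pkgname` variables, so no structural change is needed.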
diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 485478fef..5a7049d69 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -182,7 +182,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) + return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) } } slices.SortFunc(res, func(i, j string) int { From 04b6cade644c0adfdb4b0a9bdc4f71bff78bc8ae Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 26 May 2025 01:17:14 +0200 Subject: [PATCH 445/672] feat(profile): use profile variable in rules such as in dbus, ptrace, unix... --- apparmor.d/abstractions/app/sudo | 4 ++-- apparmor.d/abstractions/base.d/complete | 2 +- .../abstractions/bus/net.hadess.PowerProfiles | 2 +- .../abstractions/bus/net.reactivated.Fprint | 6 +++--- apparmor.d/abstractions/bus/org.a11y | 10 +++++----- apparmor.d/abstractions/bus/org.bluez | 14 +++++++------- .../abstractions/bus/org.freedesktop.Accounts | 10 +++++----- .../abstractions/bus/org.freedesktop.Avahi | 10 +++++----- .../bus/org.freedesktop.ColorManager | 8 ++++---- .../abstractions/bus/org.freedesktop.GeoClue2 | 10 +++++----- .../bus/org.freedesktop.ModemManager1 | 6 +++--- .../abstractions/bus/org.freedesktop.PolicyKit1 | 8 ++++---- .../bus/org.freedesktop.RealtimeKit1 | 6 +++--- .../abstractions/bus/org.freedesktop.UPower | 8 ++++---- .../bus/org.freedesktop.UPower.PowerProfiles | 2 +- .../abstractions/bus/org.freedesktop.hostname1 | 2 +- .../abstractions/bus/org.freedesktop.locale1 | 2 +- .../abstractions/bus/org.freedesktop.login1 | 8 ++++---- .../bus/org.freedesktop.login1.Session | 8 ++++---- .../abstractions/bus/org.freedesktop.network1 | 2 +- .../abstractions/bus/org.freedesktop.resolve1 | 4 ++-- .../abstractions/bus/org.freedesktop.timedate1 | 2 +- .../abstractions/bus/org.gnome.ArchiveManager1 | 4 ++-- apparmor.d/abstractions/mapping/login | 2 +- apparmor.d/abstractions/mapping/sshd | 4 ++-- apparmor.d/groups/avahi/avahi-browse | 2 +- apparmor.d/groups/avahi/avahi-resolve | 4 ++-- apparmor.d/groups/bluetooth/bluetoothctl | 2 +- apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/bus/ibus-dconf | 1 + apparmor.d/groups/cups/cups-browsed | 2 +- apparmor.d/groups/filesystem/udisksd | 4 ++-- apparmor.d/groups/flatpak/flatpak | 4 ++-- apparmor.d/groups/freedesktop/pulseaudio | 6 +++--- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- 
apparmor.d/groups/gnome/gdm | 4 ++-- apparmor.d/groups/gnome/gdm-session-worker | 6 +++--- apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-control-center | 16 ++++++++-------- apparmor.d/groups/gnome/gnome-firmware | 4 ++-- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++++------ apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 8 ++++---- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 7 +------ apparmor.d/groups/gnome/loupe | 5 +++++ apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/network/NetworkManager | 6 +++--- apparmor.d/groups/network/networkd-dispatcher | 2 +- apparmor.d/groups/polkit/polkit-agent-helper | 4 ++-- apparmor.d/groups/snap/snapd | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/systemd/homectl | 2 +- apparmor.d/groups/systemd/hostnamectl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/loginctl | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/resolvectl | 2 +- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- .../systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/utils/chsh | 2 +- apparmor.d/groups/utils/login | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/tunables/multiarch.d/profiles | 6 +++--- 72 files changed, 152 insertions(+), 151 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 333cbddbd..1286b1571 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo 
@@ -24,8 +24,8 @@ network netlink raw, # PAM - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 230e0c9d5..06b413342 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -18,7 +18,7 @@ signal (receive) set=(term,kill) peer=openbox, signal (receive) set=(term,kill) peer=su, - ptrace (readby) peer=systemd-coredump, + ptrace (readby) peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 63f224c42..7e7560992 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 2f3660082..0241fc889 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint 
@@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=net.reactivated.Fprint label=fprintd + #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name="@{busname}", label=fprintd), + peer=(name="@{busname}", label="@{p_fprintd}"), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager @@ -19,7 +19,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=net.reactivated.Fprint, label=fprintd), + peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 018109a62..ef0e15707 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y 
@@ -9,27 +9,27 @@ dbus receive bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=EventListenerDeregistered - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), # Session bus diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 296965691..201d3998c 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez 
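Review bot: Every peer in this hunk now resolves through `@{p_at_spi2_registryd}`, yet the diffstat shows only three changed lines in `apparmor.d/tunables/multiarch.d/profiles`; if that variable is not already declared there, apparmor_parser rejects every profile that includes this abstraction with an undefined-variable error rather than degrading gracefully. Please confirm the declaration exists and defaults to `at-spi2-registryd`, and apply the same check to `@{p_accounts_daemon}`, `@{p_avahi_daemon}`, `@{p_bluetoothd}`, `@{p_rtkit_daemon}` and `@{p_file_roller}` introduced in later hunks of this patch.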
@@ -4,37 +4,37 @@ abi , - #aa:dbus common bus=system name=org.bluez label=bluetoothd + #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.Media@{int} member=RegisterApplication - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index 2ad151c45..d15288d46 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts 
@@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index e3128f984..38e05f48c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi 
@@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Avahi label=avahi-daemon + #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name="@{busname}", label=avahi-daemon), + peer=(name="@{busname}", label="@{p_avahi_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 27776b776..3a63d95dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager 
@@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=GetDevices - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index feaced7c3..9957c7b67 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 
@@ -4,26 +4,26 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=geoclue), + peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member=AddAgent - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 41e03f325..4f53ba497 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 
@@ -4,17 +4,17 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=org.freedesktop.ModemManager1, label=ModemManager), + peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"), dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="@{busname}", label=ModemManager), + peer=(name="@{busname}", label="@{p_ModemManager}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index b770cdbb1..9dfab7481 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 
@@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label=polkitd), + peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 0c6abbdbe..f66fdb20a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -6,7 +6,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon + #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get 
@@ -15,12 +15,12 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriority,MakeThreadRealtime} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index ec0a2b15b..69218b619 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties member=GetDisplayDevice - peer=(name=org.freedesktop.UPower, label=upowerd), + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=DeviceAdded - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), include if exists 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles index 3d3980f81..45e88b103 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index e6182bead..0a8d86be1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index 511a44dd6..1348c8a39 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 7f9fc5fb7..ad368ed98 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 
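Review bot: In `org.freedesktop.UPower.PowerProfiles` the new directive is `label=@{p_power_profiles_daemon}` without quotes, whereas every other `#aa:dbus` line in this patch — including the sibling `net.hadess.PowerProfiles` abstraction for the same daemon — writes `label="@{p_power_profiles_daemon}"`. Whether the directive parser accepts the bare form I cannot tell from here, but the generated `peer=(…, label=…)` rules inherit whatever it produces, so use the quoted form for consistency: `#aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}"`.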
@@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 23ec52c8e..f60c69301 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session 
@@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name="@{busname}", label=systemd-logind), + peer=(name="@{busname}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index be11a7ceb..7583a3e9d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 8c7670382..e2c4b3886 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 
@@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved), + peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 83f85c678..8f6118355 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.timedate1 label=systemd-timedated + #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index ce572e9cd..6bfa6114b 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label=file-roller + #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name="@{busname}", label=file-roller), + peer=(name="@{busname}", label="@{p_file_roller}"), include if exists diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login index 54a8c1c7f..7ccc2d678 100644 --- a/apparmor.d/abstractions/mapping/login +++ b/apparmor.d/abstractions/mapping/login 
@@ -25,7 +25,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=ReleaseSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{etc_ro}/security/group.conf r, @{etc_ro}/security/limits.conf r, diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index bb0064956..97f0b077e 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -28,7 +28,7 @@ network inet6 stream, network netlink raw, - signal receive set=exists peer=systemd-journald, + signal receive set=exists peer=@{p_systemd_journald}, signal receive set=hup peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/sshd/system, @@ -36,7 +36,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), /etc/motd r, /etc/locale.conf r, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 47c22d72d..3ac729baa 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -17,7 +17,7 @@ profile avahi-browse @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index ff2cae183..1a66b4726 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve 
@@ -17,12 +17,12 @@ profile avahi-resolve @{exec_path} { dbus send bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Free,HostNameResolverNew} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Failure,Found} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl index e408b94b9..0b075581b 100644 --- a/apparmor.d/groups/bluetooth/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -15,7 +15,7 @@ profile bluetoothctl @{exec_path} { network bluetooth raw, - #aa:dbus talk bus=system name=org.bluez label=bluetoothd + #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 3da9b4f5d..5c1a7633e 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -22,7 +22,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 6f66ec9b2..817d63175 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -15,6 +15,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include + signal receive set=kill peer=@{p_systemd_user}, signal receive set=term peer=ibus-daemon, dbus receive bus=session diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index f671ce6e9..78e7883cb 100644 --- a/apparmor.d/groups/cups/cups-browsed 
+++ b/apparmor.d/groups/cups/cups-browsed @@ -29,7 +29,7 @@ profile cups-browsed @{exec_path} { dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 7d4febb1f..1ff219bbe 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @{exec_path} mr, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c958bd2cd..52e9e32ef 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -41,8 +41,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents 
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 804020b7b..fab642571 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -50,12 +50,12 @@ profile pulseaudio @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member=Found - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=ItemRemove - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager @@ -65,7 +65,7 @@ profile pulseaudio @{exec_path} { dbus send bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member={Found,Free} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 931b47509..0f6f9abeb 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 00e277f1f..12c82aea3 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
@@ -48,7 +48,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=ReleaseControl - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index e35d165a2..435d055fa 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -34,8 +34,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 1a05892b6..a5dac16fa 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker 
@@ -49,13 +49,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index c81e591cf..235c0ce9e 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -32,7 +32,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1f0b6239e..1007d55e2 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -45,18 +45,18 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control - #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} @{exec_path} mr, 
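Review bot: In the gnome-control-center hunk the rewritten `label=@{p_power_profiles_daemon}` is the one `#aa:dbus talk` line whose variable is not double-quoted, while the adjacent lines use `label="@{p_upowerd}"` and `label="@{p_polkitd}"`; the same unquoted form appears in the gnome-shell hunk and in the rule added to loupe (`label=@{p_systemd_hostnamed}`). If quoting is significant to the `aa:dbus` directive processor the unquoted variants behave differently from the rest of the commit, and if it is not they are simply inconsistent, so `label="@{p_power_profiles_daemon}"` is the form to use either way. The hunk also introduces `@{p_ModemManager}`, the only mixed-case `p_` variable in the change; the tunables comment only mandates the `p_` prefix, but every other variable here is lowercase and it is worth aligning before the name spreads to more profiles.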
diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index af44afbec..706c16e87 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index c62175c85..37b3b7892 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -33,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 027a1ab96..dc9b6812e 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -32,7 +32,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index bfd695959..6c781e204 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -83,11 +83,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding @@ -103,11 +103,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgent - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent interface=org.freedesktop.PolicyKit1.AuthenticationAgent member=BeginAuthentication - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager interface=org.freedesktop.NetworkManager.AgentManager 
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 92cf3fa0a..2fe22305b 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -28,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 9dec92df4..b8da39a4d 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -24,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Subscribe + peer=(name=org.freedesktop.systemd1), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 1ae8e2ada..2a2ea034f 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -38,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0d09a0e9c..a330b76ce 100644 --- a/apparmor.d/groups/gnome/gsd-power 
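Review bot: In the gsd-housekeeping hunk the added `dbus send ... member=Subscribe` rule is the only peer rule in this commit without a `label=` constraint: `peer=(name=org.freedesktop.systemd1),` accepts whichever confinement owns that name on the session bus. Every neighbouring rule pins its peer to a profile variable, and the tunables file already defines `@{p_systemd_user}` for the user manager, so `peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),` would keep the rule in line with the rest of the change, assuming that variable is the intended owner of the session-bus systemd1 name. If the label was left off deliberately, a one-line comment above the rule saying why would stop the next reviewer from re-raising it.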
+++ b/apparmor.d/groups/gnome/gsd-power @@ -43,7 +43,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label=upowerd), + peer=(name=:*, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index e5489c2b4..4fece3366 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -36,12 +36,7 @@ profile gsd-xsettings @{exec_path} { dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label=accounts-daemon), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetId - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 4ee0d9268..6f783627e 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -21,6 +21,11 @@ profile loupe @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=@{p_systemd_hostnamed}), + @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b4111d6d0..396f256cc 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm 
@@ -58,7 +58,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 008b6bd31..85257c89d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -46,7 +46,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher @@ -60,12 +60,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index f593db162..8b4d53b1c 100644 --- a/apparmor.d/groups/network/networkd-dispatcher 
+++ b/apparmor.d/groups/network/networkd-dispatcher @@ -16,7 +16,7 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-networkd), + peer=(name=:*, label="@{p_systemd_networkd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index e663c299e..5799ced5b 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0481af5de..1add6c1c4 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -55,7 +55,7 @@ profile snapd @{exec_path} { dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index fe5a6f1cd..4b99aafd6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd 
@@ -56,7 +56,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index aaae97d64..3a78c531e 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -19,7 +19,7 @@ profile homectl @{exec_path} { signal send peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index dcbe9a46f..6b29e260d 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -15,7 +15,7 @@ profile hostnamectl @{exec_path} { capability net_admin, - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index b49065fd7..f9a3625ef 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -16,7 +16,7 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index c65bb4edd..f516d16db 100644 
--- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -20,7 +20,7 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0163f2258..5b4b3e6b5 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -26,7 +26,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 5c436f6c1..1ef3404d9 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -15,7 +15,7 @@ profile resolvectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 2be38e6ba..ae475ff48 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -14,7 +14,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal receive set=term peer=packagekitd, + signal receive set=term peer=@{p_packagekitd}, @{exec_path} mr, 
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 3d6c3a4b7..df1e74048 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -42,7 +42,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), + peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index b603b2411..2ac7f09fb 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet6 stream, unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, - unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), + unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index bbd4b7438..30d30b295 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent 
@@ -20,7 +20,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { signal receive set=(term cont winch) peer=*//systemctl, signal receive set=(term cont winch) peer=deb-systemd-invoke, signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=logrotate, + signal receive set=(term cont winch) peer=@{p_logrotate}, signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index 73f097a94..e3581be31 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -24,7 +24,7 @@ profile chsh @{exec_path} { network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6968be40e..6227f4fc5 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -34,7 +34,7 @@ profile login @{exec_path} flags=(attach_disconnected) { ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index b7b087309..e07c91f3d 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -30,7 +30,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, 
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6dffac5a6..3c9b0a3a9 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -27,7 +27,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 7fa668a71..5173c50d8 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -34,7 +34,7 @@ profile qemu-ga @{exec_path} { unix type=stream addr=@@{udbus}/bus/shutdown/system, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" include if exists } diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index ec1eff79c..6868ae87a 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -8,10 +8,10 @@ # All variables that refer to a profile name should be prefixed with `p_` # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` -@{p_systemd}=unconfined -@{p_systemd_executor}=unconfined +@{p_sd}=unconfined +@{p_sdu}=unconfined @{p_systemd_user}=unconfined -@{p_systemd_user_executor}=unconfined +@{p_systemd}=unconfined # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility From 217448d09a5259492a143f99808bc79213d75eaf Mon Sep 17 00:00:00 2001 
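Review bot: The tunables hunk introduces `@{p_sd}` and `@{p_sdu}` and moves `@{p_systemd}` below `@{p_systemd_user}`, but the comment above them (`# Name of the systemd profiles. ...`) is unchanged and never says what the two abbreviations stand for or when a profile should use `@{p_sd}` instead of `@{p_systemd}`. The systemd-timesyncd hunk switches its unix peer from `label=@{p_systemd}` to `label=@{p_sd}` while the udisksd hunk keeps `signal receive set=int peer=@{p_systemd},` as context, so a reader of the tunables file cannot tell whether both are still correct. A one-line comment per variable naming the profile it stands for (for example `# PID 1 systemd instance` above `@{p_sd}`, if that is the intent) would settle it. The same hunk drops `@{p_systemd_executor}` and `@{p_systemd_user_executor}`; any profile still referencing them would fail to parse, which is not visible here and is worth a grep before merging.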
From: Alexandre Pujol Date: Mon, 26 May 2025 01:18:11 +0200 Subject: [PATCH 446/672] doc: improve documentation on the use of some special abstraction. --- apparmor.d/abstractions/attached/base | 3 ++- apparmor.d/abstractions/attached/consoles | 3 ++- apparmor.d/abstractions/bus/own-accessibility | 3 ++- apparmor.d/abstractions/bus/own-session | 3 ++- apparmor.d/abstractions/bus/own-system | 3 ++- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 6a7486cf8..4c35d915d 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the base abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index dd2275a03..f306c2273 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the consoles abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/own-accessibility index 94968258c..cd8e42e52 100644 --- a/apparmor.d/abstractions/bus/own-accessibility +++ b/apparmor.d/abstractions/bus/own-accessibility 
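Review bot: The rewritten comment in the attached/base hunk, `# Do not use it manually, It automatically replaces the base abstraction in a`, joins two sentences with a comma and capitalises the second; `# Do not use it manually; it automatically replaces the base abstraction in a` reads as intended. The attached/consoles hunk on this line and the three own-* hunks that follow carry the same `manually, It` wording and should be fixed together.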
@@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/own-session index 8186f34cb..91515adb0 100644 --- a/apparmor.d/abstractions/bus/own-session +++ b/apparmor.d/abstractions/bus/own-session @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/own-system index f2ee3219c..d48931f4f 100644 --- a/apparmor.d/abstractions/bus/own-system +++ b/apparmor.d/abstractions/bus/own-system @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus From 4ffbf84a0094e6c51933070b27a5c58628ec2ea4 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 26 May 2025 23:20:37 +0200 Subject: [PATCH 447/672] feat(fsp): remove the default profiles. --- apparmor.d/groups/_full/bwrap | 56 ------------ apparmor.d/groups/_full/bwrap-app | 36 -------- apparmor.d/groups/_full/default | 122 --------------------------- apparmor.d/groups/_full/default-sudo | 42 --------- dists/flags/main.flags | 4 - 5 files changed, 260 deletions(-) delete mode 100644 apparmor.d/groups/_full/bwrap delete mode 100644 apparmor.d/groups/_full/bwrap-app delete mode 100644 apparmor.d/groups/_full/default delete mode 100644 apparmor.d/groups/_full/default-sudo diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap deleted file mode 100644 index 0a4b9efdf..000000000 --- a/apparmor.d/groups/_full/bwrap +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for bwrap. - -abi , - -include - -@{exec_path} = @{bin}/bwrap -profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - capability sys_resource, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - signal (receive) set=(kill), - - @{bin}/** rm, - @{lib}/** rm, - /opt/*/** rm, - /usr/share/*/* rm, - - @{bin}/** Px -> bwrap//&bwrap-app, - @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, - # @{lib}/** Px -> bwrap//&bwrap-app, - /opt/*/** Px -> bwrap//&bwrap-app, - /usr/share/*/* Px -> bwrap//&bwrap-app, - - /usr/.ref rk, - - /bindfile@{rand6} rw, - - owner /var/cache/ w, - - owner @{run}/ld-so-cache-dir/* rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app deleted file mode 100644 index b6d45478a..000000000 --- a/apparmor.d/groups/_full/bwrap-app +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for user sandboxed application - -abi , - -include - -profile bwrap-app flags=(attach_disconnected,mediate_deleted) { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - - @{bin}/** rmix, - @{lib}/** rmix, - /opt/*/** rmix, - /usr/share/*/* rmix, - - owner /var/cache/ w, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default deleted file mode 100644 index acdfc0bff..000000000 --- a/apparmor.d/groups/_full/default +++ /dev/null 
@@ -1,122 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for unconfined programs - -abi , - -include - -@{exec_path} = /** -profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - signal receive set=hup, - - @{bin}/bwrap rPx -> bwrap, - @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd//&pulseaudio, - @{bin}/su rPx -> default-sudo, - @{bin}/sudo rPx -> default-sudo, - @{bin}/systemctl rix, - @{coreutils_path} rix, - @{shells_path} rix, - - @{pager_path} rPx -> child-pager, - -# @{open_path} rPx -> child-open, - - audit @{bin}/** Pix, - audit @{lib}/** Pix, - audit /opt/*/** Pix, - audit /usr/share/*/* Pix, - - @{bin}/{,**} r, - @{lib}/{,**} r, - /usr/share/** r, - - /etc/xdg/** r, - - # Full access to user's data - / r, - /*/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/** rwl, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rwk, - owner @{run}/user/@{uid}/{,**} rwlk, - - @{run}/motd.dynamic.new rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/drm/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - 
@{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, - - /dev/ r, - /dev/ptmx rwk, - /dev/tty rwk, - owner /dev/tty@{int} rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo deleted file mode 100644 index 609191970..000000000 --- a/apparmor.d/groups/_full/default-sudo +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile default-sudo { - include - include - - capability chown, - capability mknod, - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, - - ptrace (read), - - @{bin}/su mr, - - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - - /var/db/sudo/lectured/ r, - /var/lib/extrausers/shadow r, - /var/lib/sudo/lectured/ r, - owner /var/db/sudo/lectured/@{uid} rw, - owner /var/lib/sudo/lectured/* rw, - - owner @{HOME}/.sudo_as_admin_successful rw, - - @{run}/ r, - @{run}/systemd/sessions/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e27c76bc2..a73fee129 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
@@ -1,10 +1,6 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,mediate_deleted,complain -default attach_disconnected,mediate_deleted,complain -default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain From 8f3f3816edd40839b0832cc67546b08eae09314e Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 26 May 2025 23:31:35 +0200 Subject: [PATCH 448/672] feat(fsp): systemd drop in files: configure stacked profile It replaces the old and insecure config that was disabling the nnp flag. The new solution is: 1. Safe 2. Scalable, as hundreds of profiles could be configured this way --- systemd/full/system/ModemManager.service | 2 +- systemd/full/system/archlinux-keyring-wkd-sync.service | 2 +- systemd/full/system/dbus-org.freedesktop.hostname1.service | 2 +- systemd/full/system/dbus-org.freedesktop.import1.service | 2 +- systemd/full/system/dbus-org.freedesktop.locale1.service | 2 +- systemd/full/system/dbus-org.freedesktop.login1.service | 2 +- systemd/full/system/dbus-org.freedesktop.machine1.service | 2 +- systemd/full/system/dbus-org.freedesktop.timedate1.service | 2 +- systemd/full/system/e2scrub@.service | 2 +- systemd/full/system/e2scrub_reap.service | 2 +- systemd/full/system/fprintd.service | 2 +- systemd/full/system/fwupd-refresh.service | 4 +--- systemd/full/system/geoclue.service | 6 +----- systemd/full/system/irqbalance.service | 2 +- systemd/full/system/nm-priv-helper.service | 2 +- systemd/full/system/polkit.service | 2 +- systemd/full/system/rngd.service | 2 +- systemd/full/system/systemd-homed.service | 2 +- systemd/full/system/systemd-hostnamed.service | 2 +- systemd/full/system/systemd-journald.service | 3 +-- systemd/full/system/systemd-journald@.service | 3 +-- systemd/full/system/systemd-localed.service | 2 +- systemd/full/system/systemd-logind.service | 3 +-- systemd/full/system/systemd-machined.service | 2 +- systemd/full/system/systemd-networkd.service | 2 +- systemd/full/system/systemd-resolved.service | 2 +- systemd/full/system/systemd-timedated.service | 2 +- systemd/full/system/systemd-userdbd.service | 2 +- systemd/full/system/upower.service | 2 +- 29 files changed, 29 insertions(+), 38 deletions(-)
diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service index 03d352890..2d1593f19 100644 --- a/systemd/full/system/ModemManager.service +++ b/systemd/full/system/ModemManager.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&ModemManager diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service index 03d352890..b88768556 100644 --- a/systemd/full/system/archlinux-keyring-wkd-sync.service +++ b/systemd/full/system/archlinux-keyring-wkd-sync.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&archlinux-keyring-wkd-sync diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/dbus-org.freedesktop.hostname1.service +++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service index 03d352890..0ab519541 100644 --- a/systemd/full/system/dbus-org.freedesktop.import1.service +++ b/systemd/full/system/dbus-org.freedesktop.import1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-importd \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service index 03d352890..276595080 100644 --- a/systemd/full/system/dbus-org.freedesktop.locale1.service +++ b/systemd/full/system/dbus-org.freedesktop.locale1.service 
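Review bot: `AppArmorProfile=&ModemManager` depends on the leading `&` being read as a request to stack the named profile onto the unit's existing confinement rather than as part of a profile name, and nothing in the drop-in says so; anyone editing the unit later will expect a bare name. As I understand the kernel's no_new_privs handling, the reason `NoNewPrivileges=no` can go is that a stacking transition can only tighten confinement and is therefore permitted under no_new_privs while a plain profile change is refused, and that invariant belongs in the file, e.g. `# '&' stacks the profile onto the unit's current confinement; only stacking is allowed under NoNewPrivileges=yes`. The same note applies to every other drop-in in this commit, from archlinux-keyring-wkd-sync through upower. Some of the new files end without a trailing newline while others gain one; normalising that avoids noisy diffs later.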
@@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service index 03d352890..c5728915c 100644 --- a/systemd/full/system/dbus-org.freedesktop.login1.service +++ b/systemd/full/system/dbus-org.freedesktop.login1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/dbus-org.freedesktop.machine1.service +++ b/systemd/full/system/dbus-org.freedesktop.machine1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service index 03d352890..ab04c5a45 100644 --- a/systemd/full/system/dbus-org.freedesktop.timedate1.service +++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated \ No newline at end of file diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service index 03d352890..7340b7610 100644 --- a/systemd/full/system/e2scrub@.service +++ b/systemd/full/system/e2scrub@.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub \ No newline at end of file diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service index 03d352890..b903d2f0a 100644 --- a/systemd/full/system/e2scrub_reap.service +++ b/systemd/full/system/e2scrub_reap.service 
@@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub_all \ No newline at end of file diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service index 03d352890..5f1f063fa 100644 --- a/systemd/full/system/fprintd.service +++ b/systemd/full/system/fprintd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&fprintd \ No newline at end of file diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service index fa215b3f0..acd28a5a4 100644 --- a/systemd/full/system/fwupd-refresh.service +++ b/systemd/full/system/fwupd-refresh.service @@ -1,4 +1,2 @@ [Service] -ProtectKernelModules=no -RestrictRealtime=no -ProtectKernelModules=no +AppArmorProfile=&fwupdmgr \ No newline at end of file diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service index 4ba897659..2c10e32f5 100644 --- a/systemd/full/system/geoclue.service +++ b/systemd/full/system/geoclue.service @@ -1,6 +1,2 @@ [Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -ProtectKernelTunables=no -ProtectKernelModules=no -RestrictRealtime=no +AppArmorProfile=&geoclue \ No newline at end of file diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service index 03d352890..eab67fa44 100644 --- a/systemd/full/system/irqbalance.service +++ b/systemd/full/system/irqbalance.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&irqbalance \ No newline at end of file diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service index 03d352890..53f99edd0 100644 --- a/systemd/full/system/nm-priv-helper.service +++ b/systemd/full/system/nm-priv-helper.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&nm-priv-helper 
diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service index 03d352890..b21a28baa 100644 --- a/systemd/full/system/polkit.service +++ b/systemd/full/system/polkit.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&polkitd diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service index 03d352890..c52a85d0c 100644 --- a/systemd/full/system/rngd.service +++ b/systemd/full/system/rngd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&rngd diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service index 03d352890..65d4ae62e 100644 --- a/systemd/full/system/systemd-homed.service +++ b/systemd/full/system/systemd-homed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-homed diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/systemd-hostnamed.service +++ b/systemd/full/system/systemd-hostnamed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald.service +++ b/systemd/full/system/systemd-journald.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald@.service +++ b/systemd/full/system/systemd-journald@.service 
@@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service index 03d352890..276595080 100644 --- a/systemd/full/system/systemd-localed.service +++ b/systemd/full/system/systemd-localed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service index 0316a67c8..c5728915c 100644 --- a/systemd/full/system/systemd-logind.service +++ b/systemd/full/system/systemd-logind.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/systemd-machined.service +++ b/systemd/full/system/systemd-machined.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service index 03d352890..3f4b60849 100644 --- a/systemd/full/system/systemd-networkd.service +++ b/systemd/full/system/systemd-networkd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-networkd diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service index 03d352890..fd36871e4 100644 --- a/systemd/full/system/systemd-resolved.service +++ b/systemd/full/system/systemd-resolved.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-resolved 
diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service
index 03d352890..78dd0193d 100644
--- a/systemd/full/system/systemd-timedated.service
+++ b/systemd/full/system/systemd-timedated.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-timedated
diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service
index 03d352890..d3771658d 100644
--- a/systemd/full/system/systemd-userdbd.service
+++ b/systemd/full/system/systemd-userdbd.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-userdbd
diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service
index 03d352890..082e8f0fa 100644
--- a/systemd/full/system/upower.service
+++ b/systemd/full/system/upower.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&upowerd
From 77d2f923b0d5a33dad1d190ea6e04836d3df3577 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:45:10 +0200 Subject: [PATCH 449/672] feat(profile): pacman: allow landlock to restrict itself See https://docs.kernel.org/userspace-api/landlock.html#c.sys_landlock_restrict_self fix #750 --- apparmor.d/groups/pacman/pacman | 1 + 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 6af9bae96..def1f2a28 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -27,6 +27,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 capability setfcap,
 capability setgid,
 capability setuid,
+ capability sys_admin,
 capability sys_chroot,
 capability sys_ptrace,
 capability sys_resource,
From a08c99dcb77b2df4fdee96de3b4fc6c6ab63b9fb Mon Sep 17 00:00:00 2001
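Review bot: `capability sys_admin,` is the broadest capability a profile can grant and the new line carries no justification; the commit message ties it to landlock_restrict_self(), which the kernel accepts either when the caller runs with no_new_privs or when it holds CAP_SYS_ADMIN in its user namespace. Profiles elsewhere in this series annotate such rules inline (compare the `/dev/input/event@{int}` line in systemd-logind), so `capability sys_admin, # landlock_restrict_self() without no_new_privs, see #750` would keep the rationale next to the grant and make it easy to drop if pacman later sets no_new_privs itself. If the landlock call comes from a single hook or helper rather than from pacman, a child profile for that helper would avoid extending sys_admin to the whole package manager; I cannot tell from the hunk which binary makes the call. The pacman profile body continues outside the hunk.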
From: Alexandre Pujol Date: Mon, 26 May 2025 23:47:49 +0200 Subject: [PATCH 450/672] feat(abs): console: add non owner access to /dev/tty@{u8}. Follow recent addition in attached/consoles fix #751 --- apparmor.d/abstractions/consoles.d/complete | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 apparmor.d/abstractions/consoles.d/complete
diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete
new file mode 100644
index 000000000..b8b7ad90f
--- /dev/null
+++ b/apparmor.d/abstractions/consoles.d/complete
@@ -0,0 +1,8 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ # There are the common ways to refer to consoles
+ /dev/tty@{u8} rw,
+
+# vim:syntax=apparmor
From d5002a67740e10096cb3a126b2c467e55459e895 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:52:39 +0200 Subject: [PATCH 451/672] fix(profile): fwupd fix #752 --- apparmor.d/profiles-a-f/fwupd | 4 +++- apparmor.d/profiles-a-f/fwupdmgr | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 71addde64..a07bb4dba 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -50,6 +50,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 /usr/share/fwupd/{,**} r,
 /usr/share/hwdata/* r,
+ /usr/share/libdrm/*.ids
 /usr/share/mime/mime.cache r,
 /etc/fwupd/{,**} rw,
@@ -80,6 +81,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/**/ r,
 @{sys}/devices/** r,
+ @{sys}/**/uevent r,
 @{sys}/firmware/acpi/** r,
 @{sys}/firmware/dmi/tables/DMI r,
 @{sys}/firmware/dmi/tables/smbios_entry_point r,
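Review bot: `# There are the common ways to refer to consoles` looks like a slip for `# These are the common ways to refer to consoles`, and the comment is indented while the header comments above it are not. More importantly, `/dev/tty@{u8} rw,` is a non-owner rule, so every profile that pulls in this abstraction can read from and write to every `/dev/ttyN` matched by `@{u8}` regardless of which user holds that console; the commit subject says this is intentional, but the file should say so too, e.g. `# Non-owner on purpose: consoles are shared between sessions, see #751`, so that a later cleanup does not quietly add `owner` and a profile author does not include it by habit.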
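Review bot: `/usr/share/libdrm/*.ids` has no access mode, so the rule is syntactically incomplete and the profile will not compile; it needs `/usr/share/libdrm/*.ids r,` to match the neighbouring `/usr/share/hwdata/* r,`. PATCH 453 later in this series adds the missing `r,`, which suggests CI did not catch the broken profile at this point (PATCH 454 then makes a failed reload fail the job). The fwupd profile body continues outside the hunk.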
@@ -87,9 +89,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
 @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
 @{sys}/firmware/efi/efivars/fwupd-* rw,
+ @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
 @{sys}/kernel/security/lockdown r,
 @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r,
- @{sys}/**/uevent r,
 @{sys}/power/mem_sleep r,
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index 6dffac5a6..b0a651315 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -34,6 +34,9 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) {
 @{bin}/dbus-launch Cx -> bus,
 @{bin}/pkttyagent Px,
+ /usr/share/terminfo/** r,
+
+ /etc/inputrc r,
 /etc/machine-id r,
 owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw,
From 7243c18ce2ffd4de6b66c2c390752f079b6e718d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:54:56 +0200 Subject: [PATCH 452/672] fix(build): conversion from abi4 to abi3. --- pkg/prebuild/builder/abi.go | 1 + 1 file changed, 1 insertion(+)
diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go
index 818edbb76..2e2911f4b 100644
--- a/pkg/prebuild/builder/abi.go
+++ b/pkg/prebuild/builder/abi.go
@@ -14,6 +14,7 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`,
+ ` deny mqueue`, ` # deny mqueue`,
 })
 )
From 0886c7bc853de38724ebbbccad21832f2bbd4600 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 27 May 2025 00:29:21 +0200 Subject: [PATCH 453/672] fix: rule compilation. --- apparmor.d/profiles-a-f/fwupd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index a07bb4dba..5fb948234 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
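Review bot: `@{sys}/firmware/efi/efivars/KEK-@{uuid} rw,` grants write access to the Secure Boot Key Exchange Key variable, a far higher-impact object than the adjacent `Boot@{hex}` and `fwupd-*` entries, and the rule does not say which part of fwupd needs it. If KEK is only read to validate db/dbx updates, `r` would suffice; if a write really is required, an inline comment naming the writer, e.g. `# <fwupd plugin name> writes KEK` with the placeholder filled in, would justify keeping `w` on a variable that anchors the platform's signing trust. I cannot determine from the hunk which plugin produced the denial behind #752. The fwupdmgr hunk in the same commit (terminfo and inputrc) needs nothing further.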
@@ -50,7 +50,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 /usr/share/fwupd/{,**} r,
 /usr/share/hwdata/* r,
- /usr/share/libdrm/*.ids
+ /usr/share/libdrm/*.ids r,
 /usr/share/mime/mime.cache r,
 /etc/fwupd/{,**} rw,
From 11f3529530aa1710de623c8bb3214637a0047985 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 27 May 2025 00:29:35 +0200 Subject: [PATCH 454/672] ci: ensure failing compiling the profile fail the job. --- .github/workflows/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8d738eac7..4baa4a776 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -54,8 +54,10 @@ jobs:
 - name: Reload AppArmor
 run: |
- sudo systemctl restart apparmor.service || true
- sudo journalctl -xeu apparmor.service
+ if ! sudo systemctl restart apparmor.service; then
+ sudo journalctl -xeu apparmor.service
+ exit 1
+ fi
 - name: Show AppArmor log and rules
 run: |
From bf22a7786c39d3b56b87095bfd4479769b88ec1a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Tue, 27 May 2025 11:44:26 +0000 Subject: [PATCH 455/672] Broken login: Update systemd-logind Today I was not able to log into my Arch Linux system. After chrooting into the system, performing aa-log and adding the rule to systemd-logind the problem was fixed. --- apparmor.d/groups/systemd/systemd-logind | 1 + 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 39192e7e1..64081f326 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -139,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 /dev/dri/card@{int} rw,
 /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)
 /dev/mqueue/ r,
+ /dev/tty@{int} rw,
 owner /dev/shm/{,**/} rw,
 include if exists
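Review bot: `/dev/tty@{int} rw,` is a non-owner grant on every virtual console and is the only line in this block without a purpose comment, whereas the neighbouring `/dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)` documents itself; `/dev/tty@{int} rw, # VT handling during login, see the aa-log denial in this PR` would match the file's style. PATCH 450 in the same series adds the identical grant as `/dev/tty@{u8} rw,` to `abstractions/consoles.d/complete`, so if systemd-logind includes the consoles abstraction this line duplicates it, and in any case the variable should match (`@{u8}` rather than `@{int}`); I cannot see the profile's include list from here. The systemd-logind profile body continues outside the hunk.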
From 47bafeb67bacc6abb89eb74f9a7044cfdfae0cd4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:06:52 +0200 Subject: [PATCH 456/672] feat(fsp): rewrite the systemd profile. --- apparmor.d/groups/_full/systemd | 251 +++++++++++--------------------- 1 file changed, 88 insertions(+), 163 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index e1a9918e1..eec9b33d9 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd 
@@ -11,24 +11,47 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -# TODO: rework this to get a controlled environment: (cf security model) +# Overall architecture of the systemd profiles: +# systemd # PID 1, entrypoint, requires "Early policy" +# ├── systemd # To restart itself +# ├── systemd-generators-* # Systemd system and environment generators +# └── sd # Internal service starter and config handler, handles all services +# ├── Px or px, # Any service with profile +# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) +# ├── sd-mount # Handles all mounts from services +# ├── sd//systemctl # Internal system systemctl +# └── systemd-user # Profile for 'systemd --user' +# ├── systemd-user # To restart itself +# ├── systemd-user-generators-* # Systemd user and environment generators +# └── sdu # Handles all user services +# ├── Px or px, # Any user service with profile +# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) +# └── sdu//systemctl # Internal user systemctl + +# Advantages: +# - Differentiate systemd (PID 1) and `system --user` +# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. +# - Allow the executor profiles to handled stacked profiles. +# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. +# - Dedicated `sd-mount` profile for most mount from the unit services. + + +# TODO: rework this to get a controlled environment: # - No global allow anymore: in high security environments, we must manage the list # of program/service that can be started by systemd and ensure that they are all # listed and confined. Programs not listed will not be able to start. 
# - Outside common systemd service, the list may have to be automatically
 # generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec`
-# - Stop disabling nnp flags in systemd dropin files.
-# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo)
-# need they own profile, profile name configured as a dropin unit file.
-# - When this is done: the fallback profile as root will not be needed.
 abi ,
 include
+@{exec_path} = @{lib}/systemd/systemd
 profile systemd flags=(attach_disconnected,mediate_deleted) {
 include
- include
 include
 include
@@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 capability dac_read_search,
 capability fowner,
 capability fsetid,
- capability mknod,
+ capability kill,
 capability net_admin,
+ capability net_bind_service,
 capability perfmon,
- capability setfcap,
- capability setgid,
 capability setpcap,
- capability setuid,
 capability sys_admin,
- capability sys_chroot,
- capability sys_nice,
+ capability sys_boot,
 capability sys_ptrace,
 capability sys_resource,
 capability sys_tty_config,
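Review bot: The new architecture comment has wording slips in a block that will be read as the reference for the whole systemd profile family: "Differentiate systemd (PID 1) and `system --user`" should say `systemd --user`, "as mininal as possible" should be "as minimal as possible", "Allow the executor profiles to handled stacked profiles" should be "to handle stacked profiles", and "for most mount from the unit services" should be "for most mounts from the unit services". The tree entries `Px or px,` carry a stray trailing comma that reads like a rule terminator. The remaining `# TODO: rework this to get a controlled environment:` list now keeps only the allow-list goal; the three removed bullets about nnp flags, per-service profiles and the root fallback appear to be addressed by PATCH 447 and 448 in this series, and saying so in the header would spare the next reader from having to infer it.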
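Review bot: The hunk removes `capability setuid,`, `capability setgid,`, `capability setfcap,`, `capability sys_chroot,`, `capability sys_nice,` and `capability mknod,` from PID 1 and adds `kill`, `net_bind_service` and `sys_boot`, without recording the assumption that makes the removals safe. If the forked service child still changes credentials (User=, Group=, RootDirectory=) before execve while confined by this profile — which is how systemd behaved before it exec'd a separate executor binary — every service with User= would break, so the capability block should state the dependency, e.g. `# setuid/setgid/sys_chroot are granted in the sd (executor) profile; requires an executor-based systemd`. I cannot see from the hunk where the transition to `sd` happens, so treat this as a question to confirm rather than a defect.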
@@ -62,164 +82,82 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { network inet6 dgram, network inet6 stream, network netlink raw, + network vsock stream, mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=autofs systemd-1 -> /efi/, - mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, - mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, - mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=tmpfs tmpfs -> /dev/shm/, + mount fstype=autofs systemd-1 -> @{efi}/, mount fstype=tmpfs tmpfs -> /tmp/, - mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, - mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, - mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, - mount /dev/** -> /boot/{,efi/}, - mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, - mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, - mount options=(rw move) -> @{sys}/fs/fuse/connections/, - mount options=(rw move) -> @{sys}/kernel/config/, - mount options=(rw move) -> @{sys}/kernel/debug/, - mount options=(rw 
move) -> @{sys}/kernel/tracing/, - mount options=(rw move) -> /dev/hugepages/, - mount options=(rw move) -> /dev/mqueue/, - mount options=(rw move) -> /efi/, - mount options=(rw move) -> /tmp/, - mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, - mount options=(rw rslave) -> /dev/, - mount options=(rw slave) -> @{run}/systemd/incoming/, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, remount @{MOUNTDIRS}/, remount @{MOUNTS}/{,**}, - remount @{run}/systemd/mount-rootfs/{,**}, - remount @{run}/systemd/unit-root/{,**}, - remount /, remount /snap/{,**}, - remount options=(ro bind) /boot/{,efi/}, - remount options=(ro noexec noatime bind) /var/snap/{,**}, - remount options=(ro nosuid bind) /dev/, - remount options=(ro nosuid nodev bind) /dev/hugepages/, - remount options=(ro nosuid nodev bind) /var/, - remount options=(ro nosuid nodev noexec bind) /boot/, - remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, - remount options=(ro nosuid nodev noexec bind) /efi/, - remount options=(ro nosuid noexec bind) /dev/pts/, + remount options=(ro bind nodev noexec nosuid) /dev/mqueue/, + remount options=(ro bind nodev nosuid) /dev/hugepages/, + remount options=(ro bind noexec nosuid) /dev/pts/, + remount options=(ro bind nosuid) /dev/, + remount options=(ro bind) @{efi}/, + remount options=(ro bind) /, - umount /, - umount /dev/shm/, umount @{PROC}/sys/fs/binfmt_misc/, - umount @{run}/systemd/mount-rootfs/{,**}, - umount @{run}/systemd/namespace-@{rand6}/{,**}, - umount @{run}/systemd/unit-root/{,**}, - - pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + umount @{run}/credentials/*/, mqueue (read getattr) type=posix /, - 
change_profile, - - signal receive set=(rtmin+23) peer=plymouthd, - signal receive set=(term hup cont), signal send, ptrace (read, readby), - unix send type=dgram, - - unix receive type=dgram peer=(label=systemd-timesyncd), - unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), + unix type=dgram, + unix type=stream, #aa:dbus own bus=system name=org.freedesktop.systemd1 - # For stacked profiles - #aa:dbus own bus=system name=org.freedesktop.network1 - #aa:dbus own bus=system name=org.freedesktop.oom1 - #aa:dbus own bus=system name=org.freedesktop.resolve1 - #aa:dbus own bus=system name=org.freedesktop.timesync1 + @{exec_path} mrix, + @{sh_path} mr, - @{bin}/** Px, - @{sbin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /etc/update-motd.d/* Px, - /usr/share/*/** Px, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sd, - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) 
- @{lib}/systemd/systemd-executor ix, - - # Systemd user: systemd --user - @{lib}/systemd/systemd px -> systemd-user, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Unit services - @{bin}/mount ix, - @{bin}/kill ix, - - # Shell based systemd unit services - # TODO: create unit profile for all of them - @{sbin}/ldconfig Px -> systemd-service, - @{bin}/mandb Px -> systemd-service, - @{bin}/savelog Px -> systemd-service, - @{coreutils_path} Px -> systemd-service, - @{sh_path} Px -> systemd-service, - - # Systemd profiles that need be stacked - #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd - @{lib}/systemd/systemd-networkd px -> systemd//&systemd-networkd, - @{lib}/systemd/systemd-oomd px -> systemd//&systemd-oomd, - @{lib}/systemd/systemd-resolved px -> systemd//&systemd-resolved, - @{lib}/systemd/systemd-timesyncd px -> systemd//&systemd-timesyncd, - - @{lib}/ r, - / r, - /*/ r, - /boot/efi/ r, - /snap/*/@{int}/ r, - /var/cache/*/ r, - /var/lib/*/ r, - /var/tmp/ r, + # Systemd system generators. 
Profiles must exist + @{lib}/netplan/generate mPx, + @{lib}/systemd/system-environment-generators/* mPx, + @{lib}/systemd/system-generators/* mPx, @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, - /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, - /etc/credstore.encrypted/{,**} r, - /etc/credstore/{,**} r, /etc/default/{,**} r, - /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, + /etc/systemd/system/** w, /etc/udev/hwdb.d/{,**} r, - /etc/systemd/system/multi-user.target.wants/{,*} w, - /var/log/dmesg rw, - /var/lib/systemd/{,**} rw, + #aa:only pacman + # It is unclear why this is needed here and not in sd + /etc/pacman.d/gnupg/S.dirmngr w, + /etc/pacman.d/gnupg/S.gpg-agent w, + /etc/pacman.d/gnupg/S.gpg-agent.browser w, + /etc/pacman.d/gnupg/S.gpg-agent.extra w, + /etc/pacman.d/gnupg/S.gpg-agent.ssh w, + /etc/pacman.d/gnupg/S.keyboxd w, + + @{efi}/ r, + /snap/*/@{int}/ r, + + /tmp/ r, + /var/tmp/ r, + owner /tmp/systemd-private-*/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, - /tmp/namespace-dev-@{rand6}/{,**} rw, - /tmp/systemd-private-*/{,**} rw, - - @{att}/@{run}/systemd/journal/socket r, @{att}/@{run}/systemd/journal/dev-log r, + @{att}/@{run}/systemd/journal/socket r, + @{att}/@{run}/systemd/notify r, @{run}/ rw, @{run}/* rw, @@ -228,10 +166,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, - @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, @{run}/udev/data/c4:@{int} r, # For TTY devices 
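Review bot: The new `unix type=dgram,` and `unix type=stream,` rules drop the peer constraints the removed rules carried (`peer=(label=systemd-timesyncd)` for receive, and the plymouthd label and address for the stream rule), so PID 1 may now exchange unix messages with any label; if the widening is needed because peers now run under many stacked labels, a one-line comment saying so would stop the next reviewer from re-narrowing it. `/etc/systemd/system/** w,` likewise replaces `multi-user.target.wants/{,*} w` and lets PID 1 write any unit file rather than only `*.wants/` symlinks; if only enable/disable symlink management is needed, something like `/etc/systemd/system/{,*,*.{wants,requires}/*} w,` is narrower — confirm against the denials that motivated the change. The pacman `S.gpg-agent*` block is already marked as unexplained; writing it as `# TODO:` makes it easy to find later. The `profile systemd` block starts before and ends after this hunk.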
@@ -242,37 +176,28 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, + @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/class/sound/ r, - @{sys}/devices/@{pci}/** r, - @{sys}/devices/**/net/** r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, @{sys}/kernel/**/ r, - @{sys}/module/**/uevent r, @{sys}/module/apparmor/parameters/enabled r, + @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/coredump_filter r, - @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map rw, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/setgroups rw, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map rw, @{PROC}/cmdline r, @{PROC}/devices r, @{PROC}/pressure/* r, 
@@ -280,32 +205,32 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/fs/binfmt_misc/ r, @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/* r, - @{PROC}/sysvipc/{shm,sem,msg} r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/1/coredump_filter r, + owner @{PROC}/1/fdinfo/@{int} r, + owner @{PROC}/1/gid_map r, + owner @{PROC}/1/oom_score_adj rw, + owner @{PROC}/1/setgroups r, + owner @{PROC}/1/uid_map r, /dev/autofs r, + /dev/dri/card@{int} rw, /dev/input/ r, /dev/kmsg w, + /dev/tty rw, /dev/tty@{int} rw, owner /dev/console rwk, - owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, - owner /dev/initctl rw, owner /dev/input/event@{int} rw, owner /dev/mqueue/ rw, owner /dev/rfkill rw, - owner /dev/shm/ rw, + owner /dev/shm/ r, owner /dev/ttyS@{int} rwk, - profile systemctl { - include - include - - include if exists - include if exists - } - include if exists include if exists } From 3dc8a74ec09ceb8f18c6a69e7d6b61f8b40f81f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:16:26 +0200 Subject: [PATCH 457/672] feat(fsp): rewrite the systemd-user profile. --- apparmor.d/groups/_full/systemd-user | 85 ++++++---------------------- 1 file changed, 17 insertions(+), 68 deletions(-) diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index b0b3272a1..3b0d01709 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -11,8 +11,6 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory -# TODO: rework this to get a controlled environment. cf comments in systemd profile. - abi , include 
@@ -27,76 +25,46 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { network netlink raw, - signal send set=(term, cont, kill), - signal receive set=hup peer=@{p_systemd}, + signal send, - ptrace read peer=@{p_systemd}, + ptrace read, + + unix type=dgram peer=(label=@{p_sdu}), unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 - @{exec_path} mr, + @{exec_path} mrix, - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /opt/*/** Px, - /usr/share/*/** Px, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sdu, - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Shell based ystemd unit services - @{coreutils_path} Px -> systemd-user-service, - @{sh_path} Px -> systemd-user-service, - - # Dbus needs to be started without environment scrubbing - @{bin}/dbus-broker px -> dbus-session, - @{bin}/dbus-broker-launch px -> dbus-session, - @{bin}/dbus-daemon px -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, - - # Audio profiles need to be stacked - #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber - @{bin}/pipewire Px -> systemd-user//&pipewire, - @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session, - @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse, - @{bin}/pulseaudio Px -> systemd-user//&pulseaudio, - @{bin}/wireplumber Px -> systemd-user//&wireplumber, - - /usr/ r, - /usr/share/defaults/**.conf r, + # Systemd user generators. 
Profiles must exist + @{lib}/systemd/user-environment-generators/* Px, + @{lib}/systemd/user-generators/* Px, + @{etc_ro}/environment r, /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, - / r, - - owner @{HOME}/.local/ w, - owner @{user_config_dirs}/systemd/user/{,**} rw, - @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, @{run}/systemd/notify w, + @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, - @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, @@ -108,14 +76,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, - @{sys}/module/apparmor/parameters/enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/stat r, - @{PROC}/1/environ r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, 
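Review bot: `signal send,` and `ptrace read,` replace rules that were bounded to `set=(term, cont, kill)` and `peer=@{p_systemd}`, and `signal receive set=hup peer=@{p_systemd}` is dropped without replacement, so the user manager can now signal and ptrace-read any peer its uid allows; presumably this is because services end up under their own labels after sdu's `Px` transitions, but the hunk does not say so, and a comment such as `# Services run under their own profiles, peers cannot be enumerated` would record the reason. The generator rules use plain `Px` here whereas the sibling systemd profile uses `mPx` for `system-generators/*`; pick one form for both so the two managers stay parallel. The `profile systemd-user` block starts before and ends after this hunk.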
@@ -124,20 +89,14 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pid}/coredump_filter r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/oom_score_adj rw, - - /dev/kmsg w, - /dev/tty rw, deny capability bpf, deny capability dac_override, @@ -149,16 +108,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { deny capability sys_boot, deny capability sys_resource, - profile systemctl { - include - include - - deny capability net_admin, - - include if exists - include if exists - } - include if exists include if exists } From dd2187552bf671f0075ae269e14d52bd0f75718e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:35:28 +0200 Subject: [PATCH 458/672] feat(fsp): remove the now deprecated generic system service profiles. --- apparmor.d/groups/_full/systemd-service | 77 -------------------- apparmor.d/groups/_full/systemd-user-service | 23 ------ dists/flags/main.flags | 1 - 3 files changed, 101 deletions(-) delete mode 100644 apparmor.d/groups/_full/systemd-service delete mode 100644 apparmor.d/groups/_full/systemd-user-service diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service deleted file mode 100644 index a53193cc5..000000000 --- a/apparmor.d/groups/_full/systemd-service +++ /dev/null 
@@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-service" exec transitions from the systemd profile. - -abi , - -include - -profile systemd-service flags=(attach_disconnected) { - include - include - include - - capability dac_read_search, - capability chown, - capability fsetid, - - @{sbin}/ldconfig rix, - @{bin}/savelog rix, - @{bin}/systemctl rix, - @{bin}/gzip rix, - @{coreutils_path} rix, - @{sh_path} rmix, - - # ifup@.service - @{bin}/ifup rPx, - - # shadow.service - @{sbin}/pwck rPx, - @{sbin}/grpck rPx, - - @{bin}/grub-editenv rPx, - @{bin}/ibus-daemon rPx, - - @{bin}/* r, - @{lib}/ r, - - /var/cache/ldconfig/{,**} rw, - - / r, - - /boot/grub/grubenv rw, - /boot/grub/ w, - - /var/spool/cron/atjobs/ r, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - # man-db.service - /usr/{,local/}share/man/{,**} r, - /etc/manpath.config r, - /var/cache/man/{,**} rwk, - - # snapd.system-shutdown.service - @{run}/initramfs/shutdown rw, - @{run}/initramfs/ rw, - - # cockpit.socket - @{run}/cockpit/@{rand8} rw, - @{run}/cockpit/motd w, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service deleted file mode 100644 index 0cb9efa49..000000000 --- a/apparmor.d/groups/_full/systemd-user-service +++ /dev/null 
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-user-service" exec transitions from the systemd-user profile. - -abi , - -include - -profile systemd-user-service flags=(attach_disconnected) { - include - include - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a73fee129..5a6c7c526 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -2,7 +2,6 @@ # File format: one profile by line using the format: ' ' systemd attach_disconnected,mediate_deleted,complain -systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain akonadi_akonotes_resource complain From 5940f0117b85538f3f91840a58a7583dbcc579bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:37:56 +0200 Subject: [PATCH 459/672] feat(fsp): add the new sdu profile as service and stacked profile manager for user. --- apparmor.d/groups/_full/sdu | 124 ++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 apparmor.d/groups/_full/sdu diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu new file mode 100644 index 000000000..5ceb669f0 --- /dev/null +++ b/apparmor.d/groups/_full/sdu 
@@ -0,0 +1,124 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd-user profile. + +# sdu is a profile for SystemD-executor run as User, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd-user profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sdu.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sdu flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + + network netlink raw, + + change_profile, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd_user}), + + dbus bus=session, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Shell based user unit services + @{sh_path} Cx -> shell, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + / r, + @{bin}/* r, + @{sbin}/* r, + /usr/share/** r, + + owner @{desktop_local_dirs}/ w, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + + owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, + owner @{run}/user/@{uid}/pulse/pid rw, + + owner @{user_state_dirs}/wireplumber/ r, + owner 
@{user_state_dirs}/wireplumber/stream-properties rw, + owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, + + @{run}/systemd/users/@{uid} r, + @{run}/systemd/users/@{int} r, + + @{run}/udev/data/c116:@{int} r, # for ALSA + + @{sys}/bus/ r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/sound/seq/uevent r, + @{sys}/devices/virtual/sound/timer/uevent r, + + @{sys}/module/apparmor/parameters/enabled r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, + + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/attr/apparmor/exec w, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + profile shell flags=(attach_disconnected,mediate_deleted,complain) { + include + + @{sh_path} mr, + @{bin}/systemctl Px -> sdu//systemctl, + + include if exists + } + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + audit capability net_admin, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From 9125686973a11c2a297d16621ec2859a061bf8bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:44:00 +0200 Subject: [PATCH 460/672] feat(fsp): add the new sdu profile as service and stacked profile manager for system. --- apparmor.d/groups/_full/sd | 246 +++++++++++++++++++++++++++++++++++++ 1 file changed, 246 insertions(+) create mode 100644 apparmor.d/groups/_full/sd diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd new file mode 100644 index 000000000..974bc3544 --- /dev/null +++ b/apparmor.d/groups/_full/sd 
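Review bot: `@{exec_path} = @{bin}/systemd-executor` does not match the path the caller transitions from: systemd-user execs `@{lib}/systemd/systemd-executor mPx -> sdu`, so `@{exec_path} mr,` grants map/read on a path that, as far as visible, is not where the executor lives, and the executor's real binary gets no `mr` rule in its own profile. The sd profile added in the next commit has the same mismatch (`@{exec_path} = @{bin}/systemd-executor` against `@{lib}/systemd/systemd-executor mPx -> sd` in systemd). Unless a `@{bin}/systemd-executor` path is known to exist on some distribution, `@{exec_path} = @{lib}/systemd/systemd-executor` in both files matches the transitions.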
@@ -0,0 +1,246 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd is a profile for SystemD-executor run as root, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sd flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + include + + userns, + + capability audit_control, + capability audit_write, + capability bpf, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability linux_immutable, + capability mknod, + capability net_admin, + capability net_raw, + capability perfmon, + capability setfcap, + capability setgid, + capability setpcap, + capability setuid, + capability sys_admin, + capability sys_nice, + capability sys_ptrace, + capability sys_rawio, + capability sys_resource, + capability sys_time, + capability sys_tty_config, + capability syslog, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network netlink raw, + network packet dgram, + network packet raw, + network qipcrtr dgram, + + mount -> @{run}/systemd/mount-rootfs/{,**}, + mount -> @{run}/systemd/namespace-@{rand6}/{,**}, + mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/, + mount options=(rw rshared) -> /, + mount options=(rw rslave) -> /, + mount options=(rw rslave) -> /dev/, + mount options=(rw slave) -> @{run}/systemd/incoming/, 
+ mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/, + + remount /dev/shm/, + remount @{run}/systemd/mount-rootfs/{,**}, + + umount /, + umount /dev/shm/, + umount @{run}/systemd/mount-rootfs/{,**}, + + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, + + change_profile, + + mqueue (read getattr) type=posix /, + + signal peer=sd//&*, + signal receive peer=@{p_systemd}, + signal send, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd}), + unix type=dgram peer=(label=systemd-timesyncd), + unix type=stream, + + dbus bus=system, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /etc/update-motd.d/* Px, + /usr/share/*/** Px, + + # Systemd user: systemd --user + @{lib}/systemd/systemd px -> systemd-user, + + # Mount operations from services and systemd + @{bin}/mount Px -> sd-mount, + @{bin}/umount Px -> sd-umount, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Unit services + @{bin}/kill Cx -> kill, + + # Used by very basic services, ideally should be replaced by a unit profiles + @{sh_path} ix, + @{bin}/false ix, + @{bin}/true ix, + + # Required due to stacked profiles + @{bin}/grpck ix, + @{bin}/gzip ix, + @{bin}/install ix, + @{bin}/pwck ix, + @{bin}/readlink ix, + @{lib}/colord-sane ix, + @{lib}/systemd/systemd-nsresourcework ix, + @{lib}/systemd/systemd-userwork ix, + + / r, + @{att}/ r, + @{bin}/{,**} r, + @{lib}/{,**} r, + @{sbin}/{,*} r, + /usr/share/** r, + /etc/** rk, + /home/ r, + + @{efi}/ r, + @{efi}/** rw, + + @{att}/var/lib/systemd/*/ r, + + /var/cache/*/ rw, + /var/cache/*/** rwk, + /var/lib/*/ rw, + /var/lib/*/** rwk, + /var/lib/systemd/*/ r, + /var/log/** rw, + /var/log/journal/** rwl -> /var/log/journal/**, + + @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + 
@{user_share_dirs}/icc/edid-@{hex32}.icc r, + + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + @{att}/@{run}/systemd/notify rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + + @{run}/ rw, + @{run}/* rw, + @{run}/*/ rw, + @{run}/*/* rw, + @{run}/systemd/{,**} rw, + owner @{run}/*/** rw, + + @{run}/udev/**/ r, + @{run}/udev/data/* r, + + @{sys}/** r, + @{sys}/fs/bpf/systemd/{,**} w, + @{sys}/firmware/efi/efivars/** w, + @{sys}/fs/cgroup/{,**} w, + + @{PROC}/@{pid}/attr/apparmor/exec w, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map w, + @{PROC}/@{pid}/limits r, + @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/setgroups w, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/uid_map r, + @{PROC}/@{pid}/uid_map w, + @{PROC}/cmdline r, + @{PROC}/interrupts r, + @{PROC}/irq/@{int}/node r, + @{PROC}/irq/@{int}/smp_affinity r, + @{PROC}/kmsg r, + @{PROC}/modules r, + @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/** r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sysvipc/* r, + @{PROC}/version_signature r, + + /dev/** rwk, + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + include if exists + include if exists + } + + profile kill flags=(attach_disconnected,mediate_deleted,complain) { + include + + signal send, + + @{bin}/kill mr, + + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From a194f28c21f15ee0ffd693eb5612ce198bcc75ab Mon Sep 17 00:00:00 2001 
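Review bot: The `pivot_root` rule hardcodes `oldroot=/run/systemd/mount-rootfs/` while its new-root operand and every neighbouring mount/umount rule use `@{run}/systemd/mount-rootfs/`; if `@{run}` expands to more than `/run/`, this rule silently covers fewer cases than the others, so `pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,` keeps them consistent. `@{bin}/umount Px -> sd-umount,` names a profile that no commit in this series creates as far as visible (only sd-mount follows); if sd-umount is never added, umount execs from sd will be denied once the profile is enforced. Minor: `@{PROC}/@{pid}/setgroups r,`/`w,` and `uid_map r,`/`w,` are split pairs that could each be one `rw` rule. The header comment should also say that `@{sh_path} ix,` and the `ix` coreutils run with sd's full capability set plus `/etc/** rk,` and `/dev/** rwk,`, which is the risk the inline "ideally should be replaced" remark refers to.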
From: Alexandre Pujol Date: Thu, 29 May 2025 22:59:02 +0200 Subject: [PATCH 461/672] feat(fsp): add sd-mount. --- apparmor.d/groups/_full/sd-mount | 71 ++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 apparmor.d/groups/_full/sd-mount diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount new file mode 100644 index 000000000..7f7dede60 --- /dev/null +++ b/apparmor.d/groups/_full/sd-mount 
@@ -0,0 +1,71 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-mount is a subprofile of sd responsible to handle mounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-mount.d directory + +abi , + +include + +@{exec_path} = @{bin}/mount +profile sd-mount flags=(complain) { + include + include + + capability dac_read_search, + capability sys_admin, + + mount -> @{efi}/, + mount -> @{HOME}/{,**}, + mount -> @{HOMEDIRS}/, + mount -> @{MOUNTDIRS}/, + mount -> @{MOUNTS}/{,**}, + mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, + mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, + mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, + mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, + mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, + mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, + + mount options=(rw move) -> @{efi}, + mount options=(rw move) -> @{HOME}/{,**}, + mount options=(rw move) -> @{HOMEDIRS}/, + mount options=(rw move) -> @{MOUNTDIRS}/, + mount options=(rw move) -> @{MOUNTS}/{,**}, + mount options=(rw move) -> @{sys}/fs/fuse/connections/, + mount options=(rw move) -> @{sys}/kernel/config/, + mount options=(rw 
move) -> @{sys}/kernel/debug/, + mount options=(rw move) -> @{sys}/kernel/tracing/, + mount options=(rw move) -> /dev/hugepages/, + mount options=(rw move) -> /dev/mqueue/, + mount options=(rw move) -> /tmp/, + + @{exec_path} mr, + + /var/lib/snapd/snaps/*.snap r, + + @{run}/ r, + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rwk, + + @{PROC}/@{pid}/mountinfo r, + + /dev/loop-control rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor From 8ff829542d4fea4e9366e7ed03a387637eb24c95 Mon Sep 17 00:00:00 2001 
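Review bot: `mount options=(rw move) -> @{efi},` lacks the trailing slash that every other mountpoint in this profile carries, including `mount -> @{efi}/,` a few lines above, so it likely does not match the `@{efi}/` directory the way its siblings do; `mount options=(rw move) -> @{efi}/,` is presumably intended. `flags=(complain)` is hardcoded in the profile header, whereas the series manages complain mode through `dists/flags/main.flags` (see the removal of the `systemd-service` line two commits earlier); if that convention applies here, the flag belongs there so the source reflects the enforce-mode intent. The `mount -> @{HOME}/{,**},` / `@{MOUNTS}/{,**}` family has neither fstype nor source constraints; a comment naming which units need them would help keep that list from growing unreviewed.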
From: Alexandre Pujol Date: Thu, 29 May 2025 23:13:04 +0200 Subject: [PATCH 462/672] feat(profile): add profile for some named minimal systemd service. --- .../cloud-init-hotplugd.service | 22 +++++++ .../systemd-service/debug-shell.service | 19 ++++++ .../groups/systemd-service/dmesg.service | 62 +++++++++++++++++++ .../systemd-service/grub-common.service | 28 +++++++++ .../groups/systemd-service/ldconfig.service | 23 +++++++ .../groups/systemd-service/man-db.service | 39 ++++++++++++ .../systemd-service/secureboot-db.service | 27 ++++++++ .../groups/systemd-service/shadow.service | 23 +++++++ .../snapd.system-shutdown.service | 28 +++++++++ .../system-update-cleanup.service | 22 +++++++ .../systemd-service/usb_modeswitch.service | 17 +++++ 11 files changed, 310 insertions(+) create mode 100644 apparmor.d/groups/systemd-service/cloud-init-hotplugd.service create mode 100644 apparmor.d/groups/systemd-service/debug-shell.service create mode 100644 apparmor.d/groups/systemd-service/dmesg.service create mode 100644 apparmor.d/groups/systemd-service/grub-common.service create mode 100644 apparmor.d/groups/systemd-service/ldconfig.service create mode 100644 apparmor.d/groups/systemd-service/man-db.service create mode 100644 apparmor.d/groups/systemd-service/secureboot-db.service create mode 100644 apparmor.d/groups/systemd-service/shadow.service create mode 100644 apparmor.d/groups/systemd-service/snapd.system-shutdown.service create mode 100644 apparmor.d/groups/systemd-service/system-update-cleanup.service create mode 100644 apparmor.d/groups/systemd-service/usb_modeswitch.service diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service new file mode 100644 index 000000000..1b585c0cc --- /dev/null +++ b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service 
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# /bin/bash -c 'read args <&3; echo "args=$args"; \
+# exec /usr/bin/cloud-init devel hotplug-hook $args; \
+# exit 0'
+
+abi ,
+
+include
+
+profile cloud-init-hotplugd.service {
+ include
+
+ @{sh_path} ix,
+ @{bin}/cloud-init Px,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service
new file mode 100644
index 000000000..9f8e235cf
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/debug-shell.service
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStart=/usr/bin/bash
+
+abi ,
+
+include
+
+profile debug-shell.service {
+ include
+
+ all,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service
new file mode 100644
index 000000000..4c67f680a
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/dmesg.service
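Review bot: `all,` in profile debug-shell.service grants every permission, so the profile confines nothing, and the file does not say why. If the profile presumably exists only so that the unit's `AppArmorProfile=debug-shell.service` drop-in (added in PATCH 463) has a target, state that next to the rule, e.g. `# debug-shell is an unrestricted root shell by design; the profile only exists as an AppArmorProfile= target`. Without that comment a later cleanup may try to tighten it, or copy the pattern into a service profile where it is not acceptable.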
@@ -0,0 +1,62 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg
+# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname
+# ExecStartPost=/bin/chgrp adm /var/log/dmesg
+# ExecStartPost=/bin/chmod 0640 /var/log/dmesg
+
+abi ,
+
+include
+
+profile dmesg.service flags=(attach_disconnected) {
+ include
+ include
+
+ capability chown,
+ capability fsetid,
+
+ ptrace read peer=@{p_systemd},
+
+ @{sh_path} r,
+ @{bin}/basename ix,
+ @{bin}/chgrp rix,
+ @{bin}/chmod rix,
+ @{bin}/chown ix,
+ @{bin}/date ix,
+ @{bin}/dirname ix,
+ @{bin}/gzip ix,
+ @{bin}/gzip ix,
+ @{bin}/journalctl r,
+ @{bin}/ln ix,
+ @{bin}/mv ix,
+ @{bin}/rm ix,
+ @{bin}/savelog rix,
+ @{bin}/touch ix,
+
+ /etc/machine-id r,
+
+ /var/log/ r,
+ /var/log/dmesg rw,
+ /var/log/dmesg.* rwl -> /var/log/dmesg,
+
+ /{run,var}/log/journal/ r,
+ /{run,var}/log/journal/@{hex32}/ r,
+ /{run,var}/log/journal/@{hex32}/system.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw,
+ /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw,
+ /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw,
+
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service
new file mode 100644
index 000000000..4abd74fb1
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/grub-common.service
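Review bot: `@{bin}/gzip ix,` appears twice in profile dmesg.service; drop the duplicate. The archived-journal rules (`system@…` and `user-…` `.journal*`) are granted `rw` although the documented ExecStart is a read-only `journalctl --boot 0 --dmesg …`; unless a denial was actually observed, `r` should suffice there and keeps a log reader from being able to alter journal contents. If journalctl genuinely needs the write for its own bookkeeping, a one-line comment saying so would stop the question from being asked again.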
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub'
+# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail
+# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi'
+
+abi ,
+
+include
+
+profile grub-common.service {
+ include
+
+ @{sh_path} rix,
+ @{bin}/grep ix,
+ @{bin}/grub-editenv rix,
+ @{bin}/mkdir ix,
+ @{bin}/rm ix,
+
+ /boot/grub/ w,
+ /boot/grub/grubenv rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service
new file mode 100644
index 000000000..f7d193e9e
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/ldconfig.service
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# /sbin/ldconfig -X
+
+abi ,
+
+include
+
+profile ldconfig.service {
+ include
+
+ @{lib}/ r,
+ @{sbin}/ldconfig r,
+
+ /var/cache/ldconfig/aux-cache rw,
+ /var/cache/ldconfig/aux-cache~ rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service
new file mode 100644
index 000000000..24b34fc25
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/man-db.service
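Review bot: Profile ldconfig.service only allows writes under `/var/cache/ldconfig/`, but the documented `ldconfig -X` still regenerates `/etc/ld.so.cache` (`-X` skips the symlink update; only `-N` skips the cache rebuild), so a rule such as `/etc/ld.so.cache{,~} rw,` is probably needed unless an included abstraction already grants it. Worth confirming against the unit's denial log before the profile is relied on.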
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man
+# ExecStart=/usr/bin/mandb --quiet
+
+abi ,
+
+include
+
+profile man-db.service flags=(attach_disconnected) {
+ include
+ include
+
+ @{bin}/install ix,
+ @{bin}/mandb r,
+
+ /usr/{,local/}share/man/{,**} r,
+
+ /etc/man_db.conf r,
+ /etc/manpath.config r,
+
+ /usr/share/man/{,**} r,
+ /usr/local/man/{,**} r,
+ /usr/local/share/man/{,**} r,
+
+ /usr/{,share/}man/{,**} r,
+ /usr/local/{,share/}man/{,**} r,
+
+ /usr/share/**/man/man@{u8}/*.@{int}.gz r,
+
+ owner /var/cache/man/ rw,
+ owner /var/cache/man/** rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service
new file mode 100644
index 000000000..a951747be
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/secureboot-db.service
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
+# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
+
+abi ,
+
+include
+
+profile secureboot-db.service flags=(complain) {
+ include
+
+ @{bin}/chattr ix,
+ @{bin}/sbkeysync PUx,
+
+ @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/db-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/dbx-@{uuid} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
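Review bot: The man-page read rules in profile man-db.service overlap heavily: `/usr/{,share/}man/{,**} r,` and `/usr/local/{,share/}man/{,**} r,` already cover `/usr/share/man/{,**}`, `/usr/local/man/{,**}`, `/usr/local/share/man/{,**}` and `/usr/{,local/}share/man/{,**}`, so four of the six lines are redundant. Keeping only the two brace forms (plus the `/usr/share/**/man/man@{u8}/*.@{int}.gz r,` rule) grants the same set and is much easier to audit.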
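Review bot: `@{bin}/sbkeysync PUx,` in profile secureboot-db.service means the program that actually writes the Secure Boot `KEK`/`db`/`dbx` variables runs unconfined whenever no `sbkeysync` profile is loaded, while the efivars `rw` rules in this profile then only serve the `chattr -i` pre-steps. That is defensible for a complain-mode bootstrap, but it should be recorded next to the rule, e.g. `# sbkeysync has no profile yet; PUx falls back to unconfined`, so the fallback is replaced by `Px` once a profile exists.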
diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service
new file mode 100644
index 000000000..95f780b89
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/shadow.service
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+profile shadow.service flags=(attach_disconnected) {
+ include
+ include
+
+ @{sh_path} rix,
+ @{sbin}/grpck Px -> &grpck,
+ @{sbin}/pwck Px -> &pwck,
+
+ /etc/machine-id r,
+ /etc/shadow r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service
new file mode 100644
index 000000000..e8939006e
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# /bin/mount /run -o remount,exec
+# /bin/mkdir -p /run/initramfs
+# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown
+
+abi ,
+
+include
+
+profile snapd.system-shutdown.service {
+ include
+
+ audit @{bin}/cp ix,
+ audit @{bin}/mkdir ix,
+ audit @{bin}/mount ix,
+
+ @{lib}/snapd/system-shutdown r,
+
+ @{run}/initramfs/ rw,
+ @{run}/initramfs/shutdown rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service
new file mode 100644
index 000000000..4166cb76c
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/system-update-cleanup.service
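Review bot: Profile snapd.system-shutdown.service has no `mount` rule, yet the first documented command is `/bin/mount /run -o remount,exec`; `audit @{bin}/mount ix,` only permits executing the binary, and with mount mediation enabled a profile without mount rules denies every mount operation, so that remount would fail. If the remount really runs under this profile, add something like `mount options=(remount exec) -> @{run}/,`; if it does not, the header comment listing it should be corrected so the profile and its documentation agree.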
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStart=rm -fv /system-update /etc/system-update
+
+abi ,
+
+include
+
+profile system-update-cleanup.service {
+ include
+
+ @{bin}/rm ix,
+
+ /etc/system-update w,
+ /system-update w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service
new file mode 100644
index 000000000..00a62c933
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/usb_modeswitch.service
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+profile usb_modeswitch.service {
+ include
+
+ @{sbin}/usb_modeswitch_dispatcher ix,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 1aa0142a6aa0b31732fdf286fea14e3600b2f76e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol Date: Thu, 29 May 2025 23:20:32 +0200 Subject: [PATCH 463/672] feat(fsp): add/update systemd drop in files with AppArmorProfile set to the target profile. --- systemd/full/system/apport-coredump-hook@.service | 2 ++ systemd/full/system/apt-news.service | 2 ++ systemd/full/system/bluetooth.service | 2 +- systemd/full/system/cloud-init-hotplugd.service | 2 ++ systemd/full/system/colord.service | 2 ++ systemd/full/system/debug-shell.service | 2 ++ systemd/full/system/dmesg.service | 2 ++ systemd/full/system/fwupd.service | 2 ++ systemd/full/system/grub-common.service | 2 ++ systemd/full/system/ldconfig.service | 2 ++ systemd/full/system/logrotate.service | 2 ++ systemd/full/system/low-memory-monitor.service | 3 --- systemd/full/system/man-db.service | 2 ++ systemd/full/system/paccache.service | 2 -- systemd/full/system/passim.service | 2 -- systemd/full/system/pcscd.service | 2 ++ systemd/full/system/power-profiles-daemon.service | 2 ++ systemd/full/system/reflector.service | 2 -- systemd/full/system/rsyslog.service | 2 ++ systemd/full/system/secureboot-db.service | 2 ++ systemd/full/system/shadow.service | 3 +-- systemd/full/system/snapd.system-shutdown.service | 2 ++ systemd/full/system/system-update-cleanup.service | 2 ++ systemd/full/system/systemd-coredump@.service | 2 ++ systemd/full/system/systemd-initctl.service | 2 ++ systemd/full/system/systemd-journal-remote.service | 2 ++ systemd/full/system/systemd-nsresourced.service | 2 ++ systemd/full/system/systemd-oomd.service | 2 ++ systemd/full/system/systemd-rfkill.service | 2 ++ systemd/full/system/systemd-timesyncd.service | 2 ++ systemd/full/system/usb_modeswitch@.service | 2 ++ 31 files changed, 52 insertions(+), 12 deletions(-) create mode 100644 systemd/full/system/apport-coredump-hook@.service create mode 100644 systemd/full/system/apt-news.service create mode 100644 systemd/full/system/cloud-init-hotplugd.service create mode 100644 systemd/full/system/colord.service create mode 100644 
systemd/full/system/debug-shell.service create mode 100644 systemd/full/system/dmesg.service create mode 100644 systemd/full/system/fwupd.service create mode 100644 systemd/full/system/grub-common.service create mode 100644 systemd/full/system/ldconfig.service create mode 100644 systemd/full/system/logrotate.service delete mode 100644 systemd/full/system/low-memory-monitor.service create mode 100644 systemd/full/system/man-db.service delete mode 100644 systemd/full/system/paccache.service delete mode 100644 systemd/full/system/passim.service create mode 100644 systemd/full/system/pcscd.service create mode 100644 systemd/full/system/power-profiles-daemon.service delete mode 100644 systemd/full/system/reflector.service create mode 100644 systemd/full/system/rsyslog.service create mode 100644 systemd/full/system/secureboot-db.service create mode 100644 systemd/full/system/snapd.system-shutdown.service create mode 100644 systemd/full/system/system-update-cleanup.service create mode 100644 systemd/full/system/systemd-coredump@.service create mode 100644 systemd/full/system/systemd-initctl.service create mode 100644 systemd/full/system/systemd-journal-remote.service create mode 100644 systemd/full/system/systemd-nsresourced.service create mode 100644 systemd/full/system/systemd-oomd.service create mode 100644 systemd/full/system/systemd-rfkill.service create mode 100644 systemd/full/system/systemd-timesyncd.service create mode 100644 systemd/full/system/usb_modeswitch@.service diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service new file mode 100644 index 000000000..73bbc99d8 --- /dev/null +++ b/systemd/full/system/apport-coredump-hook@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apport \ No newline at end of file diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service new file mode 100644 index 000000000..d7bf885dd --- /dev/null 
+++ b/systemd/full/system/apt-news.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apt_news diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service index 03d352890..5cccff422 100644 --- a/systemd/full/system/bluetooth.service +++ b/systemd/full/system/bluetooth.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&bluetoothd \ No newline at end of file diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service new file mode 100644 index 000000000..a2a121fc3 --- /dev/null +++ b/systemd/full/system/cloud-init-hotplugd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&cloud-init-hotplugd.service diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service new file mode 100644 index 000000000..9a64fbc26 --- /dev/null +++ b/systemd/full/system/colord.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&colord diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service new file mode 100644 index 000000000..f895f7941 --- /dev/null +++ b/systemd/full/system/debug-shell.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=debug-shell.service \ No newline at end of file diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service new file mode 100644 index 000000000..d4647117b --- /dev/null +++ b/systemd/full/system/dmesg.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=dmesg.service \ No newline at end of file diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service new file mode 100644 index 000000000..5054a73d6 --- /dev/null +++ b/systemd/full/system/fwupd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&fwupd \ No newline at end of file diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service new file mode 100644 index 000000000..8520aea76 --- /dev/null 
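Review bot: The bluetooth.service drop-in replaces `NoNewPrivileges=no` with `AppArmorProfile=&bluetoothd` instead of adding to it. If the upstream unit sets `NoNewPrivileges=yes`, that setting is back in force, and under no_new_privs AppArmor refuses `Px`/`Cx` domain transitions to non-stacked profiles, so any such transition inside the bluetoothd profile would start failing. Please confirm the upstream unit's setting, or keep both lines.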
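Review bot: `AppArmorProfile=&cloud-init-hotplugd.service` carries the `&` prefix while the drop-ins for the other unattached `*.service` profiles introduced in PATCH 462 use the bare name (`AppArmorProfile=debug-shell.service`, `dmesg.service`, `grub-common.service`, …); the shadow.service drop-in later in this commit has the same mismatch. In PATCH 462 `profile cloud-init-hotplugd.service {` has no attachment, so by the pattern used here it belongs to the bare-name group; whatever `&` means to the tooling, the two should be made consistent.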
+++ b/systemd/full/system/grub-common.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=grub-common.service \ No newline at end of file diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service new file mode 100644 index 000000000..1b2a9c287 --- /dev/null +++ b/systemd/full/system/ldconfig.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=ldconfig.service \ No newline at end of file diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service new file mode 100644 index 000000000..bc984e025 --- /dev/null +++ b/systemd/full/system/logrotate.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&logrotate \ No newline at end of file diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service deleted file mode 100644 index dabf76f3a..000000000 --- a/systemd/full/system/low-memory-monitor.service +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -NoNewPrivileges=no - diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service new file mode 100644 index 000000000..d3a78dd80 --- /dev/null +++ b/systemd/full/system/man-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=man-db.service \ No newline at end of file diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/paccache.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/passim.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service new file mode 100644 index 000000000..8d39f3f26 --- /dev/null +++ b/systemd/full/system/pcscd.service 
@@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pcscd diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service new file mode 100644 index 000000000..45c5ed93b --- /dev/null +++ b/systemd/full/system/power-profiles-daemon.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&power-profiles-daemon \ No newline at end of file diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/reflector.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service new file mode 100644 index 000000000..6b49a73f0 --- /dev/null +++ b/systemd/full/system/rsyslog.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&rsyslogd diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service new file mode 100644 index 000000000..722781b8a --- /dev/null +++ b/systemd/full/system/secureboot-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=secureboot-db.service diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service index dabf76f3a..52d2f644c 100644 --- a/systemd/full/system/shadow.service +++ b/systemd/full/system/shadow.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no - +AppArmorProfile=&shadow.service diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service new file mode 100644 index 000000000..7953d522a --- /dev/null +++ b/systemd/full/system/snapd.system-shutdown.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=snapd.system-shutdown.service \ No newline at end of file diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service new file mode 100644 index 000000000..24c914f77 --- /dev/null 
+++ b/systemd/full/system/system-update-cleanup.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=system-update-cleanup.service \ No newline at end of file diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service new file mode 100644 index 000000000..d13624709 --- /dev/null +++ b/systemd/full/system/systemd-coredump@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-coredump diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service new file mode 100644 index 000000000..e44c8767f --- /dev/null +++ b/systemd/full/system/systemd-initctl.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-initctl \ No newline at end of file diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service new file mode 100644 index 000000000..e08cf75a9 --- /dev/null +++ b/systemd/full/system/systemd-journal-remote.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-journal-remote \ No newline at end of file diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service new file mode 100644 index 000000000..2dc668b80 --- /dev/null +++ b/systemd/full/system/systemd-nsresourced.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-nsresourced diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service new file mode 100644 index 000000000..c384626ee --- /dev/null +++ b/systemd/full/system/systemd-oomd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-oomd diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service new file mode 100644 index 000000000..4abf222d5 --- /dev/null +++ b/systemd/full/system/systemd-rfkill.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-rfkill 
diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service
new file mode 100644
index 000000000..0cd6fefbf
--- /dev/null
+++ b/systemd/full/system/systemd-timesyncd.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-timesyncd
diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service
new file mode 100644
index 000000000..0eca1db25
--- /dev/null
+++ b/systemd/full/system/usb_modeswitch@.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=usb_modeswitch.service
\ No newline at end of file
From d5a65ba8319d63faa358abfc55c51e5fd77bc3f3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:26:18 +0200 Subject: [PATCH 464/672] feat(profile): add a few small profile needed by fsp. --- apparmor.d/profiles-a-f/e2scrub | 18 ++++++++++++++++ .../open-iscsi-net-interface-handler | 19 +++++++++++++++++ apparmor.d/profiles-s-z/u-d-c-print-pci-ids | 19 +++++++++++++++++ .../udev-bridge-network-interface | 21 +++++++++++++++++++ 4 files changed, 77 insertions(+) create mode 100644 apparmor.d/profiles-a-f/e2scrub create mode 100644 apparmor.d/profiles-m-r/open-iscsi-net-interface-handler create mode 100644 apparmor.d/profiles-s-z/u-d-c-print-pci-ids create mode 100644 apparmor.d/profiles-s-z/udev-bridge-network-interface
diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub
new file mode 100644
index 000000000..2e7e88487
--- /dev/null
+++ b/apparmor.d/profiles-a-f/e2scrub
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{sbin}/e2scrub
+profile e2scrub @{exec_path} flags=(complain) {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
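Review bot: Profile e2scrub carries only `@{exec_path} mr,`; if `@{sbin}/e2scrub` is the shell script shipped by e2fsprogs, the interpreter read that the sibling profiles in this commit have (`@{sh_path} r,`) is missing here. In complain mode that only produces a logged denial, but it should be added before the flag is dropped.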
diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler
new file mode 100644
index 000000000..2593b78ac
--- /dev/null
+++ b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/open-iscsi/net-interface-handler
+profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) {
+ include
+
+ @{exec_path} mr,
+ @{sh_path} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids
new file mode 100644
index 000000000..2ae7f66ef
--- /dev/null
+++ b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{sbin}/u-d-c-print-pci-ids
+profile u-d-c-print-pci-ids @{exec_path} {
+ include
+
+ @{exec_path} mr,
+ @{sh_path} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface
new file mode 100644
index 000000000..7e3ba52f9
--- /dev/null
+++ b/apparmor.d/profiles-s-z/udev-bridge-network-interface
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/udev/bridge-network-interface
+profile udev-bridge-network-interface @{exec_path} {
+ include
+
+ @{exec_path} mr,
+ @{sh_path} r,
+
+ /etc/default/bridge-utils r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 3984cf8accfaf48badb6f6ad9916a392bde499d5 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol Date: Thu, 29 May 2025 23:27:55 +0200 Subject: [PATCH 465/672] feat(profile): initial profile for pollinate. --- apparmor.d/profiles-m-r/pollinate | 48 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pollinate
diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate
new file mode 100644
index 000000000..5a10cc9e2
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pollinate
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pollinate
+profile pollinate @{exec_path} {
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{coreutils_path} rix,
+ @{bin}/curl rix,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/dpkg-query rpx,
+ @{bin}/hostname rix,
+ @{bin}/logger rix,
+ @{bin}/systemd-detect-virt rPx,
+ @{bin}/xxd rix,
+
+ /etc/cloud/build.info r,
+ /etc/default/pollinate r,
+ /etc/lsb-release r,
+ /etc/pollinate/{,**} r,
+
+ owner /var/cache/pollinate/seeded w,
+
+ owner /tmp/pollinate.@{rand12}/{,**} rw,
+
+ @{PROC}/uptime r,
+
+ /dev/urandom w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 5a6c7c526..2736540a8 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -266,6 +266,7 @@ plymouth complain
 plymouth-set-default-theme attach_disconnected,complain
 plymouthd complain
 polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted
+pollinate complain
 ptyxis complain
 ptyxis-agent complain
 pycompile complain
From 7f684ee5ddd420231cf92381e3e86b9f52468456 Mon Sep 17 00:00:00 2001
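Review bot: `owner /tmp/pollinate.@{rand12}/{,**} rw,` in profile pollinate hard-codes `/tmp` where the project otherwise uses its `@{tmp}` variable; write it as `owner @{tmp}/pollinate.@{rand12}/{,**} rw,`. Separately, `@{bin}/dpkg-query rpx,` uses lower-case `p`, which hands the caller's environment to the child unscrubbed, while the neighbouring `@{bin}/dpkg rPx -> child-dpkg,` and `@{bin}/systemd-detect-virt rPx,` use `P`; unless dpkg-query needs that environment, `rPx` is the consistent choice.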
From: Alexandre Pujol Date: Thu, 29 May 2025 23:29:52 +0200 Subject: [PATCH 466/672] feat(profile): integrate fsp with apt and ubuntu. --- apparmor.d/groups/apt/apt-methods-http | 5 +++-- apparmor.d/groups/apt/dpkg-script-apparmor | 1 + apparmor.d/groups/apt/dpkg-script-systemd | 3 +++ apparmor.d/groups/apt/dpkg-scripts | 3 +++ apparmor.d/groups/apt/unattended-upgrade | 2 ++ apparmor.d/groups/ubuntu/cron-ubuntu-fan | 8 +------- apparmor.d/groups/ubuntu/update-notifier-crash | 9 +++++++++ 7 files changed, 22 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0b375c8f8..7fb3a2cc4 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} { +profile apt-methods-http @{exec_path} flags=(attach_disconnected) { include include include @@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, + signal receive peer=@{p_apt_news}, + signal receive peer=@{p_packagekitd}, signal receive peer=apt-get, signal receive peer=apt, signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, signal receive peer=role_*, signal receive peer=synaptic, signal receive peer=ubuntu-advantage, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 73b14390a..e9a03f282 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} { /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/format r, /var/lib/dpkg/status r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, 
diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 4acafd139..8ca92515c 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} { /etc/systemd/system/*.wants/ rw, /etc/systemd/system/*.wants/* rw, + /etc/pam.d/sed@{rand6} rw, + /etc/pam.d/common-password rw, + /var/lib/systemd/{,*} rw, /var/log/journal/ rw, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 4fb4d04c4..3102b23bb 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} { @{sbin}/update-rc.d Cx -> rc, # Maintainer scripts can legitimately start/restart anything + # PU is only used as a safety fallback. @{bin}/** PUx, @{sbin}/** PUx, @{lib}/** PUx, @@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} { include include + capability dac_read_search, + dbus send bus=system path=/ interface=org.freedesktop.DBus member=ReloadConfig diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 95b8b2760..c2d94e25a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, + network inet dgram, + network inet6 dgram, network netlink raw, signal send peer=apt-methods-http, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 8f5952d9b..3ca55909d 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan 
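Review bot: The new rules `/etc/pam.d/sed@{rand6} rw,` and `/etc/pam.d/common-password rw,` let profile dpkg-script-systemd rewrite PAM's password stack in place (`sed@{rand6}` looks like the temporary file `sed -i` creates beside its target). That is a sensitive write for a profile scoped to systemd maintainer scripts; if it stems from a `pam-auth-update` run, confining that tool in its own profile or a `Cx` child and keeping this profile out of `/etc/pam.d/` would be tighter. At minimum a comment naming the maintainer script that needs it would help the next reader. The enclosing profile starts outside the hunk.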
@@ -15,20 +15,14 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/fanctl rix, - @{bin}/flock rix, + @{sbin}/fanctl rPx, @{bin}/grep rix, - @{bin}/id rix, @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, - @{bin}/touch rix, /etc/network/fan r, - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index b3cbf7f07..3ad03eb05 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -12,8 +12,17 @@ profile update-notifier-crash @{exec_path} { @{exec_path} mr, + @{bin}/systemctl Cx -> systemctl, + /usr/share/apport/apport-checkreports Px, + profile systemctl { + include + include + + include if exists + } + include if exists } From 38c6e35a1b0e5af40b06a50484e4b95a86f45581 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:33:37 +0200 Subject: [PATCH 467/672] feat(profile): add some ubuntu specific profiles. --- apparmor.d/groups/ubuntu/apt_news | 39 +++++++++++++++++++++++++ apparmor.d/groups/ubuntu/fanctl | 33 +++++++++++++++++++++ apparmor.d/groups/ubuntu/ubuntu-fan-net | 24 +++++++++++++++ dists/flags/ubuntu.flags | 3 ++ 4 files changed, 99 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/apt_news create mode 100644 apparmor.d/groups/ubuntu/fanctl create mode 100644 apparmor.d/groups/ubuntu/ubuntu-fan-net diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news new file mode 100644 index 000000000..faf15dfbe --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt_news 
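Review bot: `@{sbin}/fanctl rPx,` in profile cron-ubuntu-fan requires a loaded `fanctl` profile, but that profile is only introduced in PATCH 467, so at this commit the transition has no target and the exec is denied where it previously ran inline via `rix`. Reordering the two commits, or landing them together, keeps the series bisectable. Once both are present the move of the flock/id/touch rules and the `@{run}/ubuntu-fan/` lock into the fanctl profile is fine.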
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py
+profile apt_news @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability kill,
+ capability setgid,
+ capability setuid,
+
+ signal send set=int peer=apt-methods-*,
+
+ @{exec_path} mr,
+
+ @{lib}/apt/methods/* Px,
+
+ /etc/ubuntu-advantage/uaclient.conf r,
+
+ @{run}/ubuntu-advantage/ rw,
+ @{run}/ubuntu-advantage/apt-news/{,**} rw,
+
+ owner @{run}/ubuntu-advantage/apt-news/** rw,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl
new file mode 100644
index 000000000..ef278da63
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/fanctl
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{sbin}/fanctl
+profile fanctl @{exec_path} flags=(attach_disconnected) {
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/flock ix,
+ @{bin}/id ix,
+ @{bin}/touch ix,
+ @{bin}/mkdir ix,
+ @{bin}/ip ix,
+ @{bin}/sed ix,
+
+ /etc/network/fan r,
+
+ @{run}/ubuntu-fan/ rw,
+ @{run}/ubuntu-fan/.lock rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net
new file mode 100644
index 000000000..f9d7c01f5
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net
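Review bot: `owner @{run}/ubuntu-advantage/apt-news/** rw,` is fully subsumed by the preceding `@{run}/ubuntu-advantage/apt-news/{,**} rw,`, which already grants the same access without the `owner` restriction, so one of the two is dead. If the intent was to limit writes to files the process owns, the unqualified rule is the one to drop, keeping only `owner @{run}/ubuntu-advantage/apt-news/{,**} rw,`. `capability kill,` next to `signal send set=int peer=apt-methods-*,` would also benefit from a one-line comment on why a news fetcher interrupts apt methods.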
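Review bot: The interpreter and helper rules in this new profile use a different form from the other scripts in the series: here `@{sh_path} rix,` next to `@{bin}/flock ix,`, while `ubuntu-fan-net` in the same commit uses `@{sh_path} mr,`, `systemd-generator-openvpn` in PATCH 474 uses `@{sh_path} r,`, and the `cron-ubuntu-fan` hunk keeps `rix` for every helper. Whether `r` is required on the shell in each case cannot be told from the hunks, but four files written at the same time should agree; pick one convention and apply it to all of them.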
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/ubuntu-fan/fan-net
+profile ubuntu-fan-net @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} mr,
+ @{bin}/{m,g,}awk ix,
+ @{bin}/grep ix,
+ @{bin}/networkctl Px,
+ @{sbin}/fanctl Px,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags
index a6d6bcc85..7339702a2 100644
--- a/dists/flags/ubuntu.flags
+++ b/dists/flags/ubuntu.flags
@@ -1,12 +1,14 @@
 apport attach_disconnected,complain
 apport-checkreports complain
 apport-gtk complain
+apt_news attach_disconnected,complain
 apt-esm-hook complain
 apt-esm-json-hook complain
 apt-helper complain
 check-new-release-gtk complain
 do-release-upgrade complain
 dpkg-genbuildinfo complain
+fanctl attach_disconnected,complain
 hwe-support-status complain
 list-oem-metapackages complain
 livepatch-notification complain
@@ -18,6 +20,7 @@ software-properties-gtk complain
 ubuntu-advantage complain
 ubuntu-advantage-notification complain
 ubuntu-distro-info complain
+ubuntu-fan-net attach_disconnected,complain
 ubuntu-report complain
 update-manager attach_disconnected,complain
 update-motd-fsck-at-reboot complain
From 28d9d48de457eb5d2db6a065d1341386479bc27f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 29 May 2025 23:39:35 +0200
Subject: [PATCH 468/672] feat(profile): small update to systemd profiles.
---
 apparmor.d/groups/systemd/bootctl | 25 ++++++++-----------
 apparmor.d/groups/systemd/homectl | 2 +-
 .../systemd/systemd-generator-ds-identify | 4 +--
 apparmor.d/groups/systemd/systemd-logind | 2 +-
 .../systemd/systemd-networkd-wait-online | 2 +-
 apparmor.d/groups/systemd/systemd-nsresourced | 7 ++++--
 6 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index 9508cfcf2..f7d001c70 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{bin}/bootctl
-profile bootctl @{exec_path} flags=(attach_disconnected) {
+profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
@@ -17,27 +17,22 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
 capability net_admin,
 capability sys_resource,
- signal (send) peer=child-pager,
+ signal send peer=child-pager,
- ptrace (read) peer=unconfined,
+ ptrace read peer=unconfined,
 @{exec_path} mr,
 @{pager_path} rPx -> child-pager,
 @{efi}/ r,
- @{efi}/EFI/{,**} r,
- @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
- @{efi}/EFI/BOOT/BOOTX64.EFI w,
- @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
- @{efi}/EFI/systemd/systemd-boot*.efi w,
- @{efi}/loader/.#bootctlrandom-seed@{hex} rw,
- @{efi}/loader/.#entries.srel* w,
- @{efi}/loader/{,**} r,
- @{efi}/loader/entries.srel w,
- @{efi}/loader/random-seed w,
+ @{efi}/@{hex32}/ rw,
+ @{efi}/EFI/{,**} rwl,
+ @{efi}/loader/ rw,
+ @{efi}/loader/** rwl -> @{efi}/loader/#@{int},
- /etc/kernel/entry-token r,
+ /etc/kernel/.#entry-token@{hex16} rw,
+ /etc/kernel/entry-token rw,
 /etc/machine-id r,
 /etc/machine-info r,
@@ -63,7 +58,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
 @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
- @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r,
+ @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
 @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
 @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl
index 3a78c531e..3c962e309 100644
--- a/apparmor.d/groups/systemd/homectl
+++ b/apparmor.d/groups/systemd/homectl
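Review bot: `@{efi}/EFI/{,**} rwl,` replaces a list of named loader files with write and link access to the whole `EFI/` tree of the system partition, and `@{efi}/@{hex32}/ rw,` and `@{efi}/loader/** rwl -> @{efi}/loader/#@{int},` widen in the same way, so the profile no longer says which boot binaries bootctl may replace. If the removed temp-file patterns (`.#BOOT*.EFI@{hex}`, `.#systemd-boot*.efi@{hex}`) were the problem, keeping them with `l` added would stay narrower; at minimum a comment such as `@{efi}/EFI/{,**} rwl, # install/update writes and renames loader binaries` should record why the broad rule is acceptable. The `mediate_deleted` flag added in the first hunk presumably relates to the same rename-over-unlinked-file pattern, but that is inferred.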
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{bin}/homectl
-profile homectl @{exec_path} {
+profile homectl @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify
index 346e7d94e..ba6141d86 100644
--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@@ -12,16 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
 include
 include
- ptrace (read) peer=@{p_systemd},
+ ptrace read peer=@{p_systemd},
 @{exec_path} mr,
 @{sh_path} rix,
- @{sbin}/blkid rPx,
 @{bin}/grep rix,
 @{bin}/systemd-detect-virt rPx,
 @{bin}/tr rix,
 @{bin}/uname rix,
+ @{sbin}/blkid rPx,
 /etc/cloud/{,**} r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 39192e7e1..b1869b16b 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -30,7 +30,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 mqueue getattr type=posix /,
 mqueue r type=posix /,
- unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system,
+ unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system,
 #aa:dbus own bus=system name=org.freedesktop.login1
diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online
index 0d5e40730..c36b5af39 100644
--- a/apparmor.d/groups/systemd/systemd-networkd-wait-online
+++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online
-profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
+profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) {
 include
 include
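Review bot: The flag change on `profile systemd-networkd-wait-online` drops `complain` while adding `attach_disconnected`, so this profile switches from log-only to enforcing in a commit described as a small update. If complain state is now meant to come from `dists/flags/main.flags`, the commit message should say so; otherwise the enforcement switch deserves its own commit so it is visible in history and easy to revert if the rule set is incomplete.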
diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced
index d1beae428..97dcb3b05 100644
--- a/apparmor.d/groups/systemd/systemd-nsresourced
+++ b/apparmor.d/groups/systemd/systemd-nsresourced
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-nsresourced
-profile systemd-nsresourced @{exec_path} {
+profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -19,7 +19,7 @@ profile systemd-nsresourced @{exec_path} {
 @{exec_path} mr,
- @{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework,
+ @{lib}/systemd/systemd-nsresourcework ix, # no new privs
 @{run}/systemd/nsresource/ rw,
 @{run}/systemd/nsresource/** rw,
@@ -32,6 +32,9 @@ profile systemd-nsresourced @{exec_path} {
 @{sys}/kernel/btf/vmlinux r,
 @{sys}/kernel/security/lsm r,
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/pressure/* r,
+
 include if exists
 }
From 581a55c7269cccd518baf9f65c5078edecaffcb4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 29 May 2025 23:40:49 +0200
Subject: [PATCH 469/672] feat(profile): update systemd-homework/homed as they get stacked.
---
 apparmor.d/groups/systemd/systemd-homed | 20 ++++++--
 apparmor.d/groups/systemd/systemd-homework | 58 +++++++++++++++++++++-
 2 files changed, 73 insertions(+), 5 deletions(-)
diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed
index a89cd90f8..c53be3a35 100644
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@@ -14,6 +14,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
 include
 include
+ userns,
+
 capability chown,
 capability dac_override,
 capability dac_read_search,
@@ -24,6 +26,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
 capability setpcap,
 capability setuid,
 capability sys_admin,
+ capability sys_ptrace,
 capability sys_resource,
 network inet dgram,
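Review bot: `# no new privs` on `@{lib}/systemd/systemd-nsresourcework ix,` is too terse to explain why the stacked `Px -> systemd-nsresourced//&systemd-nsresourcework` transition was replaced by inheritance, and the consequence is that the worker now runs under this profile's full rule set instead of its own. If the reason is that the unit sets NoNewPrivileges= and the kernel refuses the transition, say so: `ix, # NoNewPrivileges= blocks the profile transition, so the worker inherits this profile`. I cannot see the unit from here, so that reason is a guess to be confirmed.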
@@ -32,16 +35,24 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
 network inet6 raw,
 network netlink raw,
- mount options=(rw, rslave) -> @{run}/,
- mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/,
+ mount -> @{run}/systemd/user-home-mount/,
+ mount options=(rw private) -> @{run}/systemd/user-home-mount/,
+ mount options=(rw rslave) -> @{run}/,
+
+ umount @{run}/systemd/user-home-mount/,
+
+ signal (send receive) set=kill peer=systemd-homed//&systemd-homework,
+
+ ptrace read peer=systemd-homed//&systemd-homework,
 unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system,
 #aa:dbus own bus=system name=org.freedesktop.home1
+ #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
 @{exec_path} mr,
- @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework,
+ @{lib}/systemd/systemd-homework rPx -> &systemd-homework,
 @{sbin}/mkfs.btrfs rPx,
 @{sbin}/mkfs.fat rPx,
 @{sbin}/mke2fs rPx,
@@ -74,9 +85,12 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/devices r,
 @{PROC}/pressure/* r,
+ @{PROC}/swaps r,
+ @{PROC}/sys/fs/nr_open r,
 @{PROC}/sysvipc/{shm,sem,msg} r,
 owner @{PROC}/@{pid}/gid_map w,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/uid_map w,
 /dev/loop-control rwk,
diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework
index f0fe98a16..b81c196f8 100644
--- a/apparmor.d/groups/systemd/systemd-homework
+++ b/apparmor.d/groups/systemd/systemd-homework
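Review bot: `mount -> @{run}/systemd/user-home-mount/,` carries no source, fstype or option constraint, so it permits mounting any device or filesystem type with any flags on that directory, whereas the removed line pinned the source to `/dev/dm-@{int}`; the same unconstrained rule is added to `systemd-homework` in the next file. If a wider source is needed for non-LUKS home storage, listing the sources homed actually uses keeps the target bound to its own devices, e.g. (constructed) `mount /dev/{dm-,loop}@{int} -> @{run}/systemd/user-home-mount/,`. `@{lib}/systemd/systemd-homework rPx -> &systemd-homework,` reads as stacking onto the current label and is consistent with the `systemd-homed//&systemd-homework` peers used in the signal and ptrace rules above.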
@@ -7,14 +7,68 @@ ab,
 include
 @{exec_path} = @{lib}/systemd/systemd-homework
-profile systemd-homework @{exec_path} {
+profile systemd-homework @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
+ include
+ include
+
+ userns,
+
+ capability chown,
+ capability fowner,
+ capability fsetid,
+ capability setfcap,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_resource,
+
+ network netlink raw,
+
+ mount options=(rw rslave) -> @{run}/,
+ mount -> @{run}/systemd/user-home-mount/,
+
+ umount @{run}/systemd/user-home-mount/,
+
+ signal (send receive) set=kill peer=systemd-homed//&systemd-homework,
+
+ ptrace read peer=systemd-homed//&systemd-homework,
 @{exec_path} mr,
+ @{sbin}/mkfs.btrfs rPx,
+ @{sbin}/mkfs.fat rPx,
+ @{sbin}/mke2fs rPx,
+
 /etc/machine-id r,
+ /etc/skel/{,**} r,
+
+ /var/cache/systemd/home/{,**} rw,
+
+ @{HOMEDIRS}/ r,
+ @{HOMEDIRS}/.#homework@{user}.* rw,
+ @{HOMEDIRS}/@{user}.home rw,
+
+ @{run}/ r,
+ @{run}/cryptsetup/ r,
+ @{run}/cryptsetup/* rwk,
+ @{run}/systemd/user-home-mount/ rw,
+ @{run}/systemd/user-home-mount/@{user}/{,**} rw,
+
+ @{sys}/fs/ r,
+
+ @{PROC}/devices r,
+ @{PROC}/swaps r,
+ @{PROC}/sys/fs/nr_open r,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ /dev/loop-control rwk,
+ /dev/loop@{int} rw,
+ /dev/mapper/control rw,
 include if exists
 }
From 9325dd5ca0cb1f37bda1d2abd90333cacb2d9958 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 29 May 2025 23:43:19 +0200
Subject: [PATCH 470/672] feat(profile): revisit systemd-udevd and ensure most program get transitionned confined.
---
 apparmor.d/groups/systemd/systemd-udevd | 66 ++++++++++++++-----------
 1 file changed, 36 insertions(+), 30 deletions(-)
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 3861056b8..9c993e0d5 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -37,44 +37,45 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{sh_path} rix,
- @{coreutils_path} rix,
- @{pager_path} rPx -> child-pager,
- @{bin}/*-print-pci-ids rix,
- @{sbin}/alsactl rPUx,
- @{bin}/ddcutil rPx,
- @{sbin}/dmsetup rPx,
- @{sbin}/ethtool rix,
- @{sbin}/issue-generator rPx,
- @{sbin}/kdump-config rPUx,
- @{bin}/kmod rPx,
- @{bin}/logger rix,
- @{bin}/ls rix,
- @{sbin}/lvm rPx,
- @{bin}/mknod rix,
- @{sbin}/multipath rPx,
- @{bin}/nfsrahead rix,
- @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia,
- @{bin}/setfacl rix,
- @{bin}/sg_inq rix,
- @{bin}/snap rPx,
- @{bin}/systemctl rCx -> systemctl,
- @{bin}/systemd-run rix,
- @{bin}/unshare rix,
- @{bin}/vmmouse_detect rPUx,
+ @{sh_path} rix,
+ @{coreutils_path} rix,
+ @{bin}/logger rix,
+ @{bin}/ls rix,
+ @{bin}/mknod rix,
+ @{bin}/nfsrahead rix,
+ @{bin}/setfacl rix,
+ @{bin}/sg_inq rix,
+ @{bin}/systemd-run rix, # TODO: rCx -> run,
+ @{bin}/unshare rix,
+ @{sbin}/ethtool rix,
+
+ @{bin}/ddcutil rPx,
+ @{bin}/kmod rCx -> kmod,
+ @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia,
+ @{bin}/snap rPx,
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/vmmouse_detect rPx,
+ @{pager_path} rPx -> child-pager,
+ @{sbin}/alsactl rPx,
+ @{sbin}/dmsetup rPx,
+ @{sbin}/issue-generator rPx,
+ @{sbin}/kdump-config rPx,
+ @{sbin}/lvm rPx,
+ @{sbin}/multipath rPx,
+ @{sbin}/u-d-c-print-pci-ids rPx,
 @{lib}/crda/* rPUx,
 @{lib}/gdm-runtime-config rPx,
 @{lib}/nfsrahead rPUx,
- @{lib}/open-iscsi/net-interface-handler rPUx,
+ @{lib}/open-iscsi/net-interface-handler rPx,
 @{lib}/pm-utils/power.d/* rPUx,
 @{lib}/snapd/snap-device-helper rPx,
 @{lib}/systemd/systemd-* rPx,
 @{lib}/udev/* rPUx,
 /usr/share/hplip/config_usb_printer.py rPUx,
- /etc/console-setup/*.sh rPUx,
- /etc/network/cloud-ifupdown-helper rPUx,
+ /etc/console-setup/*.sh rPUx,
+ /etc/network/cloud-ifupdown-helper rPUx,
 /etc/default/* r,
 /etc/machine-id r,
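Review bot: Moving `alsactl`, `kdump-config`, `vmmouse_detect` and `open-iscsi/net-interface-handler` from `rPUx` to `rPx` is the point of the commit, but `Px` denies the exec outright when the named profile is not loaded, so each target needs a profile present in the tree and not disabled by the distribution flag files; that cannot be verified from the hunk and is worth stating in the commit message. `@{bin}/systemd-run rix, # TODO: rCx -> run,` meanwhile leaves systemd-run inheriting udevd's full rule set; a more informative marker would be `# TODO: rCx -> run, once a child profile exists; rix keeps it under udevd's rules until then`. The rest of the profile body lies outside the hunk.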
@@ -120,6 +121,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
 /dev/ rw,
 /dev/** rwk,
+ profile kmod flags=(attach_disconnected,complain) {
+ include
+ include
+
+ include if exists
+ }
+
 profile systemctl flags=(attach_disconnected,complain) {
 include
 include
@@ -127,8 +135,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
 capability net_admin,
 capability sys_ptrace,
- # / r,
-
 include if exists
 }
From 32a9806219898f6c5a25b7efb3a15320ff7af24a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 29 May 2025 23:52:40 +0200
Subject: [PATCH 471/672] feat(fsp): update systemd user drop in files with AppArmorProfile set to the target profile.
---
 systemd/full/user/filter-chain.service | 2 ++
 systemd/full/user/pipewire-media-session.service | 5 -----
 systemd/full/user/pipewire-pulse.service | 2 ++
 systemd/full/user/pipewire.service | 2 ++
 systemd/full/user/wireplumber.service | 2 ++
 systemd/full/user/wireplumber@.service | 2 ++
 6 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 systemd/full/user/filter-chain.service
 delete mode 100644 systemd/full/user/pipewire-media-session.service
 create mode 100644 systemd/full/user/pipewire-pulse.service
 create mode 100644 systemd/full/user/pipewire.service
 create mode 100644 systemd/full/user/wireplumber.service
 create mode 100644 systemd/full/user/wireplumber@.service
diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service
new file mode 100644
index 000000000..4dd212f51
--- /dev/null
+++ b/systemd/full/user/filter-chain.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&pipewire
\ No newline at end of file
diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service
deleted file mode 100644
index c392e82fe..000000000
--- a/systemd/full/user/pipewire-media-session.service
+++ /dev/null
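Review bot: The new `profile kmod flags=(attach_disconnected,complain)` child is created in complain mode, so the `rCx -> kmod` transition in the previous hunk currently only logs what module loading does instead of restricting it; collecting rules that way is reasonable, but nothing in the child says the state is temporary. Suggest a comment inside the child, `# TODO: switch to enforce once kmod's rules are collected`, so the complain flag is not mistaken for a final decision. The pre-existing `systemctl` child is in the same state and could carry the same note.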
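Review bot: `AppArmorProfile=&pipewire` ends with `\ No newline at end of file`, as do the other four new drop-ins in this commit (`pipewire-pulse.service`, `pipewire.service`, `wireplumber.service`, `wireplumber@.service`); add the trailing newline so later edits do not produce noisy diffs. The leading `&` reads as AppArmor stacking syntax passed through systemd's `AppArmorProfile=`; if that is intentional, a one-line comment in the drop-in, `# & stacks the profile onto the unit's current label`, would save the next reader from wondering whether it is a typo, and it is worth confirming that the AppArmor versions the project targets accept the prefix on that path.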
@@ -1,5 +0,0 @@
-[Service]
-NoNewPrivileges=no
-MemoryDenyWriteExecute=no
-LockPersonality=no
-RestrictNamespaces=no
diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service
new file mode 100644
index 000000000..1d35a493e
--- /dev/null
+++ b/systemd/full/user/pipewire-pulse.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&pipewire-pulse
\ No newline at end of file
diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service
new file mode 100644
index 000000000..4dd212f51
--- /dev/null
+++ b/systemd/full/user/pipewire.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&pipewire
\ No newline at end of file
diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service
new file mode 100644
index 000000000..c47175f40
--- /dev/null
+++ b/systemd/full/user/wireplumber.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&wireplumber
\ No newline at end of file
diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service
new file mode 100644
index 000000000..c47175f40
--- /dev/null
+++ b/systemd/full/user/wireplumber@.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&wireplumber
\ No newline at end of file
From 60b91279162036a7d1a55df72d40977387fe1336 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 29 May 2025 23:53:47 +0200
Subject: [PATCH 472/672] feat(profile): update pipewire profiles.
---
 apparmor.d/groups/freedesktop/pipewire-pulse | 8 +++++++-
 apparmor.d/groups/freedesktop/pulseaudio | 6 +++---
 apparmor.d/groups/freedesktop/wireplumber | 4 ++++
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse
index 530fa97db..fddbe02f7 100644
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@@ -11,15 +11,18 @@ include
 profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
 include
 capability sys_ptrace,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
 @{bin}/pactl rix,
+ @{bin}/pipewire mr,
 /usr/share/pipewire/{,**} r,
@@ -38,6 +41,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/dmi/id/board_vendor r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/module/apparmor/parameters/enabled r,
+
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index fab642571..05e4c3ec2 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -82,9 +82,9 @@ profile pulseaudio @{exec_path} {
 owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
 owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
- owner @{desktop_config_dirs}/dconf/user r,
- owner @{desktop_config_dirs}/pulse/{,**} rw,
- owner @{desktop_config_dirs}/pulse/cookie k,
+ owner @{desktop_config_dirs}/dconf/user r,
+ owner @{desktop_config_dirs}/pulse/{,**} rw,
+ owner @{desktop_config_dirs}/pulse/cookie k,
 owner @{HOME}/.pulse/{,**} rw,
 owner @{user_config_dirs}/ w,
diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber
index aa6928298..0925bad91 100644
--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@@ -75,6 +75,10 @@ profile wireplumber @{exec_path} {
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/1/cmdline r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 /dev/media@{int} rw,
From d9cfef3e5d5a0bc035383e82d4cc69a9a25c0435 Mon Sep 17 00:00:00 2001
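Review bot: `ptrace read,` has no `peer=` qualifier and sits next to `capability sys_ptrace,`, so pipewire-pulse may read the state of any process on the system; the commit only reformats the rule, but since the profile is being revisited this is the moment to bound it to the labels it actually inspects, which cannot be determined from the hunk. `@{bin}/pipewire mr,` grants read and mmap only; if pipewire-pulse execs that binary rather than mapping it, the rule needs an exec mode (`ix`, or `Px` if the `pipewire` profile referenced by the new drop-ins is the intended confinement), and a comment on the line would settle which was meant. The profile body continues outside the hunk.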
From: Alexandre Pujol
Date: Fri, 30 May 2025 00:03:11 +0200
Subject: [PATCH 473/672] refractor(profile): move systemd generators to their own group
---
 .../{systemd => systemd-generators}/systemd-generator-bless-boot | 0
 .../{systemd => systemd-generators}/systemd-generator-cloud-init | 0
 .../{systemd => systemd-generators}/systemd-generator-cryptsetup | 0
 .../{systemd => systemd-generators}/systemd-generator-debug | 0
 .../{systemd => systemd-generators}/systemd-generator-ds-identify | 0
 .../systemd-generator-environment-arch | 0
 .../systemd-generator-environment-flatpak | 0
 .../systemd-generator-friendly-recovery | 0
 .../{systemd => systemd-generators}/systemd-generator-fstab | 0
 .../{systemd => systemd-generators}/systemd-generator-getty | 0
 .../{systemd => systemd-generators}/systemd-generator-gpt-auto | 0
 .../systemd-generator-hibernate-resume | 0
 .../systemd-generator-integritysetup | 0
 .../{systemd => systemd-generators}/systemd-generator-ostree | 0
 .../{systemd => systemd-generators}/systemd-generator-rc-local | 0
 .../groups/{systemd => systemd-generators}/systemd-generator-run | 0
 .../{systemd => systemd-generators}/systemd-generator-snapd | 0
 .../{systemd => systemd-generators}/systemd-generator-sshd-socket | 0
 .../systemd-generator-system-update | 0
 .../groups/{systemd => systemd-generators}/systemd-generator-sysv | 0
 .../systemd-generator-user-autostart | 0
 .../systemd-generator-user-environment | 0
 .../{systemd => systemd-generators}/systemd-generator-veritysetup | 0
 23 files changed, 0 insertions(+), 0 deletions(-)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-bless-boot (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cloud-init (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cryptsetup (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-debug (100%)
 rename apparmor.d/groups/{systemd =>
systemd-generators}/systemd-generator-ds-identify (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-arch (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-flatpak (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-friendly-recovery (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-fstab (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-getty (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-gpt-auto (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-hibernate-resume (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-integritysetup (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-ostree (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-rc-local (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-run (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-snapd (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sshd-socket (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-system-update (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sysv (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-autostart (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-environment (100%)
 rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-veritysetup (100%)
diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-bless-boot
rename to apparmor.d/groups/systemd-generators/systemd-generator-bless-boot
diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-cloud-init
rename to apparmor.d/groups/systemd-generators/systemd-generator-cloud-init
diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-cryptsetup
rename to apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup
diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-debug
rename to apparmor.d/groups/systemd-generators/systemd-generator-debug
diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-ds-identify
rename to apparmor.d/groups/systemd-generators/systemd-generator-ds-identify
diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-environment-arch
rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-arch
diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-environment-flatpak
rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak
diff --git a/apparmor.d/groups/systemd/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-friendly-recovery
rename to apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery
diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-fstab
rename to apparmor.d/groups/systemd-generators/systemd-generator-fstab
diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-getty
rename to apparmor.d/groups/systemd-generators/systemd-generator-getty
diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-gpt-auto
rename to apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto
diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-hibernate-resume
rename to apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume
diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-integritysetup
rename to apparmor.d/groups/systemd-generators/systemd-generator-integritysetup
diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-ostree
rename to apparmor.d/groups/systemd-generators/systemd-generator-ostree
diff --git a/apparmor.d/groups/systemd/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-rc-local
rename to apparmor.d/groups/systemd-generators/systemd-generator-rc-local
diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd-generators/systemd-generator-run
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-run
rename to apparmor.d/groups/systemd-generators/systemd-generator-run
diff --git a/apparmor.d/groups/systemd/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-snapd
rename to apparmor.d/groups/systemd-generators/systemd-generator-snapd
diff --git a/apparmor.d/groups/systemd/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-sshd-socket
rename to apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket
diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-system-update
rename to apparmor.d/groups/systemd-generators/systemd-generator-system-update
diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-sysv
rename to apparmor.d/groups/systemd-generators/systemd-generator-sysv
diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-user-autostart
rename to apparmor.d/groups/systemd-generators/systemd-generator-user-autostart
diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-user-environment
rename to apparmor.d/groups/systemd-generators/systemd-generator-user-environment
diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-veritysetup
rename to apparmor.d/groups/systemd-generators/systemd-generator-veritysetup
From 3d76c98c4b65355203da9ffc4d1693b174d79163 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 30 May 2025 00:05:34 +0200
Subject: [PATCH 474/672] feat(profile): add more systemd-generator profiles.
---
 .../systemd-generator-environment-snapd | 18 +++++++
 .../systemd-generator-import | 31 ++++++++++++
 .../systemd-generator-openvpn | 27 +++++++++++
 .../systemd-generators/systemd-generator-ssh | 48 +++++++++++++++++++
 .../systemd-generators/systemd-generator-tpm2 | 30 ++++++++++++
 dists/flags/main.flags | 9 +++-
 6 files changed, 161 insertions(+), 2 deletions(-)
 create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd
 create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-import
 create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-openvpn
 create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-ssh
 create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-tpm2
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd
new file mode 100644
index 000000000..b18bd6bd5
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator
+profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import
new file mode 100644
index 000000000..36ff4e5ff
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-import
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator
+profile systemd-generator-import @{exec_path} flags=(attach_disconnected) {
+ include
+
+ capability sys_ptrace,
+
+ ptrace read peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ / r,
+
+ /dev/kmsg w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn
new file mode 100644
index 000000000..780c63d56
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator
+profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) {
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} r,
+ @{bin}/ls ix,
+ @{bin}/mkdir ix,
+
+ /etc/default/openvpn r,
+ /etc/openvpn/ r,
+
+ @{run}/systemd/generator/openvpn.service.wants/{,**} w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh
new file mode 100644
index 000000000..efb56468e
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh
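Review bot: `capability sys_ptrace,` in systemd-generator-import carries no comment saying what needs it, while the ssh and tpm2 generator profiles added in this same commit read the same `@{PROC}/1/environ r,` and `@{PROC}/@{pid}/cgroup r,` paths with only `ptrace read peer=@{p_systemd},`. If the import generator really hits a CAP_SYS_PTRACE denial, a one-line comment above the rule would explain why it differs from its siblings; otherwise the capability can presumably be dropped so all generators sit at the same privilege level. `/ r,` likewise reads as a stray grant and would benefit from a comment naming the operation it covers.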
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator
+profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) {
+ include
+
+ capability net_admin,
+
+ network vsock stream,
+
+ ptrace read peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ @{sbin}/sshd r,
+
+ @{run}/ r,
+ @{run}/systemd/ r,
+ @{run}/systemd/generator/ r,
+ @{run}/systemd/generator/sockets.target.wants/ rw,
+ @{run}/systemd/generator/sockets.target.wants/*.socket w,
+ @{run}/systemd/generator/sshd-*.service w,
+ @{run}/systemd/generator/sshd-*.socket rw,
+ @{run}/systemd/system/ r,
+ @{run}/systemd/transient/ r,
+
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ /dev/kmsg w,
+ /dev/vsock r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2
new file mode 100644
index 000000000..4d601d0f9
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator
+profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) {
+ include
+
+ ptrace read peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ @{sys}/class/tpmrm/ r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ /dev/kmsg w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
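Review bot: `capability net_admin,` in systemd-generator-ssh is not explained by a comment, and none of the rules that follow (the vsock socket, the `/dev/vsock r,` probe, the unit files written under `@{run}/systemd/generator/`) obviously requires CAP_NET_ADMIN. If it was added for a logged denial, a comment naming the operation would let a later audit confirm it is still needed; if it was added speculatively, it should presumably be dropped, since main.flags keeps this profile in complain mode and any real denial will show up there.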
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2736540a8..6a030fe63 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -329,19 +329,24 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-environment-snapd attach_disconnected,complain systemd-generator-friendly-recover attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain +systemd-generator-import attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain +systemd-generator-openvpn attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain systemd-generator-snapd attach_disconnected,complain +systemd-generator-ssh attach_disconnected,complain systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain systemd-generator-sysv attach_disconnected,complain +systemd-generator-tpm2 attach_disconnected,complain systemd-generator-user-autostart attach_disconnected,complain systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain 
@@ -350,8 +355,8 @@ systemd-homework complain systemd-inhibit attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain -systemd-network-generator complain -systemd-nsresourced complain +systemd-network-generator attach_disconnected,complain +systemd-nsresourced attach_disconnected,complain systemd-nsresourcework complain systemd-portabled complain systemd-resolve complain From 89a17146103cadf12e83543d1f5cc3504fcca2b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:14:54 +0200 Subject: [PATCH 475/672] fix(profile): a few linting fixes. --- apparmor.d/groups/_full/sd | 4 ++-- apparmor.d/groups/_full/sd-mount | 2 +- apparmor.d/groups/_full/sdu | 2 +- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/groups/ubuntu/update-notifier-crash | 2 +- apparmor.d/profiles-s-z/wsdd | 2 +- tests/sbin.list | 1 - 7 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 974bc3544..106e36817 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -131,10 +131,10 @@ profile sd flags=(attach_disconnected,mediate_deleted) { @{bin}/true ix, # Required due to stacked profiles - @{bin}/grpck ix, + @{sbin}/grpck ix, @{bin}/gzip ix, @{bin}/install ix, - @{bin}/pwck ix, + @{sbin}/pwck ix, @{bin}/readlink ix, @{lib}/colord-sane ix, @{lib}/systemd/systemd-nsresourcework ix, diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount index 7f7dede60..1572a8f6d 100644 --- a/apparmor.d/groups/_full/sd-mount +++ b/apparmor.d/groups/_full/sd-mount 
@@ -36,7 +36,7 @@ profile sd-mount flags=(complain) { mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, - mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, mount options=(rw move) -> @{efi}, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 5ceb669f0..411a8c3ad 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -98,7 +98,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { profile shell flags=(attach_disconnected,mediate_deleted,complain) { include - + @{sh_path} mr, @{bin}/systemctl Px -> sdu//systemctl, diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index ef278da63..deee33daf 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{bin}/ip ix, + @{sbin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index 3ad03eb05..dee094aa1 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -19,7 +19,7 @@ profile update-notifier-crash @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 7aa812f79..20575b2a8 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/wsdd +@{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include include 
diff --git a/tests/sbin.list b/tests/sbin.list index 805ab8bf1..676bc4d56 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1016,7 +1016,6 @@ wpa_supplicant wqlat-bpfcc writeback.bt wrmsr -wsdd xfs_admin xfs_bmap xfs_copy From e771ef77b8c9343f29a07c32c7d3955620a12169 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:18:39 +0200 Subject: [PATCH 476/672] tests(packer): update base images content. --- .../cloud-init/archlinux-gnome.user-data.yml | 35 +------- tests/cloud-init/archlinux-kde.user-data.yml | 37 +-------- tests/cloud-init/archlinux.yml | 82 ++++++++++++++++--- tests/cloud-init/debian.yml | 32 ++++++++ tests/cloud-init/debian13-gnome.user-data.yml | 9 ++ tests/cloud-init/ubuntu.yml | 39 ++++++++- 6 files changed, 150 insertions(+), 84 deletions(-) create mode 100644 tests/cloud-init/debian13-gnome.user-data.yml diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index c292993c1..d33f685b6 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -1,39 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - gnome - - gnome-extra - - seahorse - - alacarte +packages: *gnome-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index c89b3a25c..cb4c4d3b0 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml 
@@ -1,41 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - plasma-meta - - sddm - - ark - - dolphin - - konsole - - okular +packages: *kde-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index d860f1a1e..5299efda0 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml 
@@ -1,37 +1,93 @@ #cloud-config -# Core packages for Archlinux core-packages: &core-packages - # Install core packages - apparmor - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - bash-completion + - docker - git - htop + - just - man - pass - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent - vim - wget -# Core desktop packages for Archlinux -desktop-packages: &desktop-packages - # Install basic services +gnome-packages: &gnome-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux - networkmanager - cups - cups-pdf - system-config-printer - - # Install Applications - - firefox - chromium + - firefox + - spice-vdagent - terminator + # Install Graphical Interface + - alacarte + - gnome + - gnome-extra + - ptyxis + - seahorse + +kde-packages: &kde-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - plasma-meta + - sddm + - ark + - dolphin + - konsole + - okular + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index cead162a4..ea3012ad2 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml 
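Review bot: `- spice-vdagent` appears twice in `gnome-packages` and twice in `kde-packages` (once in the copied core list, again under the desktop packages), so each list installs it redundantly; dropping the second occurrence in both lists removes the duplication. Since YAML cannot merge sequences, the core list is copied verbatim into each desktop list, and a comment next to `core-packages: &core-packages` saying that any change must be repeated in the gnome and kde copies would prevent the lists from drifting apart.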
@@ -3,45 +3,77 @@ # Core packages for Debian core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim gnome-packages: &desktop-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Gnome packages for Debian - spice-vdagent - task-gnome-desktop - terminator + - loupe + - ptyxis kde-packages: &kubuntu-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # KDE packages for Debian diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml new file mode 100644 index 000000000..0d5adfe17 --- /dev/null +++ b/tests/cloud-init/debian13-gnome.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *gnome-packages + +runcmd: *debian13-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index ba640e3af..14db33251 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml 
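Review bot: `packages: *gnome-packages` in the new debian13-gnome.user-data.yml does not match the anchor declared in the debian.yml hunk, where the GNOME list is `gnome-packages: &desktop-packages` and the KDE list is `kde-packages: &kubuntu-packages`; unless an anchor literally named `gnome-packages` is defined elsewhere in the merged document, the alias will not resolve. Renaming the anchors to match their keys, `gnome-packages: &gnome-packages` and `kde-packages: &kde-packages`, would make the aliases self-evident. The alias `*systemd-netword` in the same file looks like a typo for a network anchor and is worth checking against its definition, which is outside this hunk.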
@@ -1,50 +1,81 @@ #cloud-config -# Core packages for Ubuntu core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim desktop-packages: &desktop-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu - spice-vdagent - terminator - ubuntu-desktop + - loupe + - ptyxis kubuntu-packages: &kubuntu-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu @@ -74,3 +105,9 @@ desktop-runcmd: &desktop-runcmd # Finally, remove things only installed as dependencies of other things # we have already removed. - apt-get -y autoremove + + # Ensure systemd-networkd is disabled + - systemctl disable systemd-networkd-wait-online.service + + # Ensure auditd is enabled + - systemctl enable systemd-journald-audit.socket From d9e6e686e0186d94fab9a9fdecc7d2c48255d3d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 01:44:09 +0200 Subject: [PATCH 477/672] build: ignore all rule in abi3. --- pkg/prebuild/builder/abi.go | 1 + 1 file changed, 1 insertion(+) 
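Review bot: The two comments added at the end of the `desktop-runcmd` hunk in ubuntu.yml do not describe their commands: `# Ensure systemd-networkd is disabled` precedes `systemctl disable systemd-networkd-wait-online.service`, which only disables the wait-online unit and leaves systemd-networkd itself running, and `# Ensure auditd is enabled` precedes `systemctl enable systemd-journald-audit.socket`, which enables journald's audit socket rather than auditd. Either the comments should say what the commands do (`# Do not block boot on network readiness` and `# Route kernel audit messages into the journal`) or the commands should be changed if the comments state the real intent. The `desktop-runcmd` list starts outside the hunk.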
diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76..5fba837d5 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,7 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` all`, ` # all`, }) ) From 2282128cbddc1017740071b8058c54bf7868e90c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:43:57 +0200 Subject: [PATCH 478/672] feat(fsp): setup RBAC mapping in auth enabled profiles. --- apparmor.d/groups/ssh/sshd | 15 ++++++++------- apparmor.d/groups/utils/chfn | 1 + apparmor.d/groups/utils/chsh | 1 + apparmor.d/groups/utils/login | 3 ++- apparmor.d/groups/utils/su | 5 +++-- apparmor.d/mappings/sudo/base | 30 ++++++++++++++++++++++++++++++ 6 files changed, 45 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/mappings/sudo/base diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 4b99aafd6..cc12a9eec 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -25,6 +25,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -60,13 +61,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{sbin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/{openssh,ssh}/sftp-server rPx, - @{lib}/{openssh,ssh}/sshd-auth rPx, - @{lib}/{openssh,ssh}/sshd-session rix, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/false ix, + @{sbin}/nologin Px, + @{bin}/passwd Px, + @{lib}/{openssh,ssh}/sftp-server Px, + @{lib}/{openssh,ssh}/sshd-auth Px, + @{lib}/{openssh,ssh}/sshd-session ix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/groups/utils/chfn index 45b50c7ad..824d92bf4 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/groups/utils/chfn 
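Review bot: The new replacer pair `` ` all`, ` # all`, `` is keyed on a much shorter prefix than its neighbours: ` userns,` is anchored by its trailing comma, whereas ` all` also matches the start of ` allow` and ` allocate` inside comments and any other token starting with `all` that follows a space. If this list feeds a plain string replacer (the `var (` block starts outside the hunk, so this is inferred from the existing entries), the entry should be ` all,` → ` # all,` so that only the `all,` rule itself gets commented out. A short comment on the ` mqueue` entry explaining why it is not comma-anchored would help the next person choosing between the two forms.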
@@ -15,6 +15,7 @@ profile chfn @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index e3581be31..a630a7733 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -15,6 +15,7 @@ profile chsh @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6227f4fc5..c35001498 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -38,7 +39,7 @@ profile login @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{shells_path} rUx, + @{shells_path} Ux, #aa:exclude RBAC @{etc_ro}/environment r, @{etc_ro}/security/group.conf r, diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 81e299d23..c4e83ddfa 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,6 +12,7 @@ profile su @{exec_path} { include include include + include #aa:only RBAC capability chown, # pseudo-terminal @@ -21,8 +22,8 @@ profile su @{exec_path} { @{exec_path} mr, - @{bin}/@{shells} rUx, - @{sbin}/nologin rPx, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{sbin}/nologin Px, @{etc_ro}/default/su r, /etc/default/locale r, diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base new file mode 100644 index 000000000..95e395501 --- /dev/null +++ b/apparmor.d/mappings/sudo/base 
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by su/sudo to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor From 6c6e1c3456fce34164cf54189dc23080db02b54c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:49:16 +0200 Subject: [PATCH 479/672] feat(profile): minor fsp related improvment. --- apparmor.d/groups/freedesktop/colord | 5 +++-- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/network/tailscaled | 2 +- .../groups/systemd-service/snapd.system-shutdown.service | 6 +++--- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/profiles-g-l/ischroot | 2 +- 6 files changed, 10 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 031ba0605..ee2cdf42e 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -23,6 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.ColorManager @{exec_path} mrix, + @{lib}/colord-sane ix, /etc/machine-id r, /etc/sane.d/{,**} r, 
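Review bot: `/etc/update-motd.d/* rPx,` and `/usr/share/landscape/landscape-sysinfo.wrapper rPx,` require a dedicated profile for every script under /etc/update-motd.d/ and for the landscape wrapper; a script without one is denied exec rather than falling back, and because this mapping is pulled into su/sudo that denial lands on the login path. The header comment should state that requirement, e.g. `# Every /etc/update-motd.d/ script must ship its own profile (rPx).` It would also be worth saying in the header that the `shell` child is the pre-login, root-owned stage only, since `@{shells_path} rix,` inside it lets the interpreter run scripts inline under this child profile.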
@@ -44,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{att}/@{desktop_share_dirs}/icc/edid-*.icc r, - @{att}/@{user_share_dirs}/icc/edid-*.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index c4c24efc9..de8643100 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index fa6cd8ddd..bb877ec1a 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -31,7 +31,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service index e8939006e..ce819a791 100644 --- a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -13,9 +13,9 @@ include profile snapd.system-shutdown.service { include - audit @{bin}/cp ix, - audit @{bin}/mkdir ix, - audit @{bin}/mount ix, + @{bin}/cp ix, + @{bin}/mkdir ix, + @{bin}/mount ix, @{lib}/snapd/system-shutdown r, 
diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index deee33daf..ef278da63 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index c5b848bab..4e087343a 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/ischroot -profile ischroot @{exec_path} { +profile ischroot @{exec_path} flags=(attach_disconnected) { include include From d76bc0b3be0cd9452083ed253d9cb46def7a5541 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:50:20 +0200 Subject: [PATCH 480/672] feat(profile): add initial profile for systemd-initctl. --- apparmor.d/groups/systemd/systemd-initctl | 27 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 28 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-initctl diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl new file mode 100644 index 000000000..05f32a7f6 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-initctl @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-initctl +profile systemd-initctl @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + + unix type=stream addr=@@{udbus}/bus/systemd-initctl/, + + @{exec_path} mr, + + @{run}/initctl rw, + @{run}/systemd/notify rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6a030fe63..e73dd4cd5 100644 
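Review bot: `@{bin}/ip ix,` reverts the `@{sbin}/ip ix,` introduced two commits earlier in this series (patch 475, "a few linting fixes") without the commit message saying why; the two patches should either be squashed or the reason recorded on the rule, otherwise the next lint pass will presumably flip it back. If `@{bin}` is meant to cover both locations on merged-usr systems, a comment such as `# ip lives in @{bin} on merged-usr` would settle it.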
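Review bot: `capability net_admin,` in the new systemd-initctl profile is not explained, and the rules visible in the hunk (the unix socket bind, the `@{run}/initctl rw,` FIFO and `@{run}/systemd/notify rw,`) do not obviously need CAP_NET_ADMIN. main.flags puts the profile in complain mode, so the denial that motivated it, if any, should be in the audit log; a comment naming that logged operation above the rule would let a later reviewer confirm it is still required rather than carrying a broad capability forward by default.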
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -353,6 +353,7 @@ systemd-generator-veritysetup attach_disconnected,complain
 systemd-homed attach_disconnected,complain
 systemd-homework complain
 systemd-inhibit attach_disconnected,complain
+systemd-initctl attach_disconnected,complain
 systemd-journald attach_disconnected,mediate_deleted
 systemd-mount complain
 systemd-network-generator attach_disconnected,complain
From af82a9caa6358a64d0037761a40e286d6018f283 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:52:42 +0200 Subject: [PATCH 481/672] feat(profile): add profiles for whoopsie. --- apparmor.d/profiles-s-z/whoopsie | 31 ++++++++++++++++++ apparmor.d/profiles-s-z/whoopsie-preferences | 34 ++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/profiles-s-z/whoopsie create mode 100644 apparmor.d/profiles-s-z/whoopsie-preferences
diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie
new file mode 100644
index 000000000..16a0e5a5e
--- /dev/null
+++ b/apparmor.d/profiles-s-z/whoopsie
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/whoopsie
+profile whoopsie @{exec_path} {
+ include
+ include
+
+ capability setgid,
+ capability setuid,
+
+ @{exec_path} mr,
+
+ /var/crash/ r,
+
+ /var/lib/whoopsie/ rw,
+ /var/lib/whoopsie/whoopsie-id rw,
+ /var/lib/whoopsie/whoopsie-id.@{rand6} rw,
+
+ owner @{run}/lock/whoopsie/ rw,
+ owner @{run}/lock/whoopsie/lock rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences
new file mode 100644
index 000000000..3b720d0da
--- /dev/null
+++ b/apparmor.d/profiles-s-z/whoopsie-preferences
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/whoopsie-preferences
+profile whoopsie-preferences @{exec_path} {
+ include
+ include
+ include
+
+ #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences
+
+ @{exec_path} mr,
+
+ @{bin}/systemctl Cx -> systemctl,
+
+ /etc/whoopsie w,
+ /etc/whoopsie.@{rand6} rw,
+
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index e73dd4cd5..77ea8761f 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -404,6 +404,8 @@ waybar attach_disconnected,complain
 wechat attach_disconnected,complain
 wechat-appimage attach_disconnected,complain
 wg-quick complain
+whoopsie complain
+whoopsie-preferences complain
 wsdd complain
 xdg-dbus-proxy attach_disconnected,complain
 xdg-desktop-icon complain
From 8452eb44f18e96aa9de83c74e0902aabdcad336d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:48:38 +0200 Subject: [PATCH 482/672] feat(abs): minor improvement & cosmetic. --- apparmor.d/abstractions/app/kmod | 2 +- apparmor.d/abstractions/app/pager | 2 +- apparmor.d/abstractions/app/sudo | 4 +++- apparmor.d/abstractions/base.d/complete | 6 ++++-- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 +- apparmor.d/abstractions/consoles.d/complete | 7 +++++++ apparmor.d/abstractions/freedesktop.org.d/complete | 2 +- apparmor.d/abstractions/gnome.d/complete | 2 +- apparmor.d/abstractions/vulkan.d/complete | 1 + apparmor.d/abstractions/webkit | 2 +- apparmor.d/abstractions/zsh | 1 + 11 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/consoles.d/complete
diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod
index 86bb7d78a..6c889bd60 100644
--- a/apparmor.d/abstractions/app/kmod
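Review bot: `/etc/whoopsie w,` grants write but not read on the preferences file, while the temporary `/etc/whoopsie.@{rand6} rw,` gets both; if the daemon reads the current settings before rewriting them (likely for a preferences service, but not visible here), the missing `r` will surface as a denial once the profile leaves the complain mode set in main.flags. `/etc/whoopsie rw,` would match the temp-file rule. The `profile systemctl` child shows no exec rule for systemctl itself; if it comes from the includes, which this rendering has stripped, that is fine, otherwise `@{bin}/systemctl mr,` is needed inside the child.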
+++ b/apparmor.d/abstractions/app/kmod @@ -7,9 +7,9 @@ include + @{bin}/kmod mr, @{sbin}/depmod mr, @{sbin}/insmod mr, - @{bin}/kmod mr, @{sbin}/lsmod mr, @{sbin}/modinfo mr, @{sbin}/modprobe mr, diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 3be45b4dd..1557b78ef 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -12,7 +12,7 @@ capability dac_override, capability dac_read_search, - signal (receive) set=(stop, cont, term, kill), + signal receive set=(stop, cont, term, kill), @{bin}/ r, @{pager_path} mrix, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 1286b1571..1c47490cd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. Interactive sudo need more rules. +# Minimal set of rules for sudo. abi , @@ -24,6 +24,8 @@ network netlink raw, # PAM + unix type=stream addr=@@{udbus}/bus/sudo/system, + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 06b413342..ecfe09bb5 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete 
@@ -3,14 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(cont,term) peer=@{p_systemd_user}, - signal (receive) set=(cont,term) peer=@{p_systemd}, signal (receive) set=(hup term) peer=login, signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,kill) peer=gnome-shell, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 38e05f48c..b002d6fa4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -9,7 +9,7 @@ dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + peer=(name=org.freedesktop.Avahi), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 000000000..ce7bb73ba --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + /dev/tty@{u8} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 4724c694a..220883c29 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete 
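Review bot: `signal receive peer=@{p_systemd},` and `signal receive peer=@{p_systemd_user},` replace rules that were limited to `set=(cont,term)`, so every profile that pulls in this base abstraction now accepts any signal, including kill, stop and the user-defined ones, from the systemd stack. That is plausibly intended for service management, but the comment `# Systemd: allow to receive any signal from the systemd profiles stack` should record why the earlier restriction was dropped (which signal was denied), because a widening in a base abstraction cannot be narrowed back per profile.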
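Review bot: Dropping `label="@{p_avahi_daemon}"` from the Ping peer means the rule now matches whichever process currently owns org.freedesktop.Avahi on the system bus, not only the avahi-daemon profile. dbus-daemon still enforces ownership of the name, so the widening is small, but a comment stating why the label stopped matching (for example the daemon running unconfined on some distributions) would keep this exception from being copied into the other Avahi rules in the same file, which still carry a label.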
@@ -16,7 +16,7 @@ /opt/*/**.{desktop,png} r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 71e76f9da..3dece8578 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -6,7 +6,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=@{busname}, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 8e5b68c08..67f83516e 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/glvnd/egl_vendor.d/{,*.json} r, diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index 9481d4fec..c9a275250 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Minimal set of rules for webkit UI. +# Minimal set of rules for webkit GTK UI. abi , diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index ff90849c0..02eacfb62 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -12,6 +12,7 @@ /usr/local/share/zsh/{,**} r, /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh-theme-*/{,**} r, /usr/share/zsh/{,**} r, /etc/zsh/* r, From 86202b0fbf9502671d5e053da7d55699127501c5 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:53:37 +0200 Subject: [PATCH 483/672] feat(fsp): small fsp improvement. --- apparmor.d/groups/_full/sd | 21 ++++++++++++++++++++- apparmor.d/groups/_full/systemd | 1 + apparmor.d/groups/_full/systemd-user | 1 + apparmor.d/groups/flatpak/flatpak-app | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 106e36817..44b3a9b7d 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -18,7 +18,7 @@ abi , include @{exec_path} = @{bin}/systemd-executor -profile sd flags=(attach_disconnected,mediate_deleted) { +profile sd flags=(attach_disconnected,mediate_deleted,complain) { include include include @@ -42,6 +42,7 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability linux_immutable, capability mknod, capability net_admin, + capability net_bind_service, capability net_raw, capability perfmon, capability setfcap, @@ -57,6 +58,8 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability sys_tty_config, capability syslog, + network alg seqpacket, + network bluetooth, network inet dgram, network inet stream, network inet6 dgram, 
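Review bot: Adding `complain` to `profile sd flags=(attach_disconnected,mediate_deleted,complain)` switches the systemd-executor profile to complain mode, so none of its rules — including the new `capability net_bind_service`, `network alg seqpacket` and `network bluetooth` grants in the next two hunks — are enforced; violations are only logged. The subject line calls this a "small fsp improvement" and does not mention a mode change, which for the profile that spawns every service is a significant reduction in coverage. If it is deliberate while the mount rules are still being collected, say so next to the flags line, e.g. `# complain: mount/umount rule set for unit-root still being collected`, and track its removal; if not, drop `complain`. The `sd` profile body continues outside these hunks.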
@@ -84,6 +87,22 @@ profile sd flags=(attach_disconnected,mediate_deleted) { umount /dev/shm/, umount @{run}/systemd/mount-rootfs/{,**}, + # mount tmpfs -> @{run}/lock/, + # mount tmpfs -> @{sys}/fs/cgroup/, + # mount cgroup -> @{sys}/fs/cgroup/systemd/, + # audit mount /dev/** -> /boot/{,efi/}, + # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, + # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, + + # audit remount @{run}/systemd/unit-root/{,**}, + # audit remount options=(ro noexec noatime bind) /var/snap/{,**}, + # audit remount options=(ro nosuid nodev bind) /var/, + # audit remount options=(ro nosuid nodev noexec bind) /boot/, + + # audit umount @{PROC}/sys/fs/binfmt_misc/, + # audit umount @{run}/systemd/namespace-@{rand6}/{,**}, + # audit umount @{run}/systemd/unit-root/{,**}, + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, change_profile, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index eec9b33d9..b7c12c6bd 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -219,6 +219,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /dev/autofs r, /dev/dri/card@{int} rw, + /dev/initctl w, /dev/input/ r, /dev/kmsg w, /dev/tty rw, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 3b0d01709..ed531c58b 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -91,6 +91,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index bb824c7cb..a816e58b8 100644 
--- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache, @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database, - @{sbin}/update-mime-database rPx -> flatpak-app//&update-mime-database, + @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, @{lib}/kf5/kioslave5 rPx, From eb84df319d1fb40226623307f423af8f553d9816 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:00:38 +0200 Subject: [PATCH 484/672] feat(profile): update gnome profiles. --- .../freedesktop/xdg-desktop-portal-gnome | 16 ++++++++-- .../groups/freedesktop/xdg-desktop-portal-gtk | 5 --- .../freedesktop/xdg-user-dirs-gtk-update | 4 +-- apparmor.d/groups/gnome/gjs-console | 7 +++-- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-control-center | 4 +++ .../groups/gnome/gnome-extension-gsconnect | 3 +- apparmor.d/groups/gnome/gnome-session-binary | 2 ++ apparmor.d/groups/gnome/gnome-shell | 31 ++++++++++--------- apparmor.d/groups/gnome/gsd-color | 4 +-- apparmor.d/groups/gnome/gsd-xsettings | 6 +++- apparmor.d/groups/gnome/loupe | 11 ++++++- apparmor.d/groups/gnome/nautilus | 10 +++++- apparmor.d/groups/gnome/ptyxis | 2 ++ apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 13 ++++---- apparmor.d/groups/gvfs/gvfsd-network | 12 ++----- 17 files changed, 83 insertions(+), 50 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ac321fd07..1355aa22b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome 
@@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -27,8 +28,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { network unix stream, - signal (receive) set=term peer=gdm, - signal (receive) set=(hup term) peer=gdm-session-worker, + signal receive set=term peer=gdm, + signal receive set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal @@ -40,6 +41,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, / r, @@ -63,12 +69,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b77ad03d7..fc11b0700 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -47,11 +47,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 224bc2337..641862965 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,9 +9,9 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include + include + include include - include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 012ca7ee0..fdaa4e825 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,12 +14,13 @@ include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include + include include include include @@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=(term hup) peer=gdm*, + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.Notifications #aa:dbus own bus=session name=org.gnome.ScreenSaver diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ee0f835e..a43168866 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters 
@@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1007d55e2..2f9077d19 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -39,8 +39,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.bluez.obex.Agent1 #aa:dbus talk bus=session name=org.bluez.obex label=obexd + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index ee9c147b6..104d95fb3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -65,9 +65,10 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index dc9b6812e..8b0ea6307 100644 
--- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6c781e204..1099f254d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -56,11 +56,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), - ptrace (readby) peer=pipewire, + ptrace read, + ptrace readby peer=pipewire, - signal (receive) set=(term, hup) peer=gdm*, - signal (send), + signal receive set=(term, hup) peer=gdm*, + signal send, unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), @@ -185,8 +185,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, - /snap/*/@{uid}/**.png r, - /usr/share/**.{png,jpg,svg} r, + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, 
@@ -241,25 +241,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/.mozilla/native-messaging-hosts/ r, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw, + owner @{HOME}/.mozilla/native-messaging-hosts/ rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.{png,jpg,svg} r, + owner @{HOME}/.var/app/**.@{image_ext} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_games_dirs}/**.{png,jpg,svg} r, - owner @{user_music_dirs}/**.{png,jpg,svg} r, + owner @{user_games_dirs}/**.@{image_ext} r, + owner @{user_music_dirs}/**.@{image_ext} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, + owner @{user_share_dirs}/dbus-1/services/ r, + owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, 
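Review bot: The new rules let gnome-shell write browser native-messaging manifests (`.mozilla/native-messaging-hosts/org.gnome.shell.*.json`, `@{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json`) and user D-Bus activation files (`dbus-1/services/org.gnome.shell.*.service`), both of which name an executable that a browser or the session bus will later spawn, and nothing in the hunk says why. The lines they replace were GSConnect-specific, so this is presumably GSConnect's browser integration generalised to any `org.gnome.shell.*` extension. Add a comment above the group, e.g. `# Extensions (GSConnect) install browser native-messaging manifests and D-Bus activation files`, so the write access to exec-pointing files is not mistaken for an over-grant later. The `**` in the NativeMessagingHosts rule matches any depth under `@{user_config_dirs}`; if only the chromium-family layouts are needed, a brace list of those directories would be tighter.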
@@ -267,9 +270,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 2fe22305b..56445aeac 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-*.icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 4fece3366..abf30bc40 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} { include include include + include include include include 
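Review bot: The rewritten gdm rule `owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw,` lost the dot before `icc`, so it no longer matches the `edid-<hash>.icc` files the old `edid-*.icc` glob covered and gsd-color in the greeter session will be denied writing its colour profiles. The user-side rule directly below has it right; change the gdm line to `owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,`. Tightening `*` to `@{hex32}` is otherwise good, assuming the edid hash is always 32 hex characters — the user rule here and the gnome-shell profile in this same commit rely on that same assumption.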
@@ -33,16 +34,19 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, + @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/busctl rPx, @{bin}/pactl rPx, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6f783627e..d89d4d6f9 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,14 +9,20 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include include + include include include include + unix type=stream peer=(label=loupe//bwrap), + signal send set=kill peer=loupe//bwrap, #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -37,7 +43,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -56,6 +63,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include + unix type=stream peer=(label=loupe), + signal receive set=kill peer=loupe, @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 60bbfb344..ebf975673 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
@@ -28,13 +28,21 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 2f7dee368..a6f7e5b63 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -28,6 +28,8 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + owner /tmp/#@{int} w, + /dev/ptmx rw, include if exists diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 239993f21..ce60a26c3 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -24,7 +24,7 @@ profile ptyxis-agent @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cmdline r, /dev/ptmx rw, 
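Review bot: `owner /tmp/#@{int} w,` hard-codes `/tmp/` while the rest of the profile set uses the `@{tmp}` tunable for the same directory (the firefox and xdg-desktop-portal-gnome rules in this series, for instance); use `owner @{tmp}/#@{int} w,` so the rule follows a relocated tmp like the others. The `#NNN` path is unusual enough to deserve a comment, presumably `# unnamed (O_TMPFILE) file, shown as /tmp/#NNN`, if that is indeed what produced the denial.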
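Review bot: Dropping `owner` from `@{PROC}/@{pid}/cmdline r,` lets ptyxis-agent read the command line of every process on the system, not only its own user's, and command lines routinely carry secrets passed as arguments. AppArmor cannot scope a proc read to a particular peer, so if the need is a child running under a different uid (a container or toolbox shell, presumably) that is the unavoidable cost, but the commit gives no reason. Either restore `owner` if the denial came from a same-uid case some other rule can cover, or keep the wide rule with a comment such as `# non-owner: cmdline of the spawned container/toolbox shell`.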
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index fd9b5a22d..9af8be00a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -13,14 +13,10 @@ profile gvfsd-dnssd @{exec_path} { include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-network), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable @@ -32,6 +28,11 @@ profile gvfsd-dnssd @{exec_path} { member=Spawned peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name="@{busname}", label=gvfsd), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index adda9b958..cd64d81ad 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,6 +11,8 @@ include profile gvfsd-network @{exec_path} { include include + include + include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -30,16 +32,6 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gvfsd-dnssd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gnome-control-center), - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, From 55e4b27c2b4b43488edb7b155fd3e5efd0733a18 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:02:20 +0200 Subject: [PATCH 485/672] feat(tunable): add the archive_path variable. --- apparmor.d/profiles-a-f/atool | 8 ++++---- apparmor.d/profiles-a-f/file-roller | 14 +------------- apparmor.d/profiles-s-z/unmkinitramfs | 6 +----- apparmor.d/profiles-s-z/xarchiver | 13 +------------ apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 6 files changed, 13 insertions(+), 34 deletions(-) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 99cb0fed6..2782aacc0 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -19,9 +19,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, - @{bin}/bzip2 rix, - @{bin}/bzip2 rix, @{bin}/bzip rix, + @{bin}/bzip2 rix, + @{bin}/bzip2 rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, @@ -30,16 +30,15 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, + @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, - @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, - @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -48,6 +47,7 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, + @{lib}/p7zip/7z rix, /etc/atool.conf r, owner @{HOME}/.atoolrc r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 24610cd8c..e7bfafaac 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller 
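Review bot: The reorder keeps the duplicated `@{bin}/bzip2 rix,` (listed twice) and `@{bin}/lzop rix,` (listed twice) instead of dropping them, and the profile still enumerates its archivers by hand although this same commit introduces `@{archive_path}` for exactly that purpose. Suggest deduplicating and replacing the lines that `@{archive_names}` already covers with `@{archive_path} rix,` as done for file-roller and xarchiver, keeping only the extras (`arc`, `arj`, `bzip`, `compress`, `lha`, `lrz*`, `lzma`, `lzop`, `unace`, …) that the tunable does not include.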
@@ -26,19 +26,7 @@ profile file-roller @{exec_path} { @{bin}/rm rix, # Archivers - @{bin}/7z rix, - @{bin}/7zz rix, - @{bin}/ar rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/tar rix, - @{bin}/unrar-nonfree rix, - @{bin}/unzip rix, - @{bin}/xz rix, - @{bin}/zip rix, - @{bin}/zstd rix, - @{lib}/p7zip/7z rix, + @{archive_path} rix, # Full access to user's data @{MOUNTS}/** rw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 6b5607ed1..3ee530970 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -18,22 +18,18 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{archive_path} rix, @{bin}/{,e}grep rix, - @{bin}/bzip2 rix, @{bin}/cat rix, - @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, - @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/xz rix, @{bin}/xzcat rix, - @{bin}/zstd rix, /boot/ r, owner /boot/initrd.img-* r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 003770008..f38a69224 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -28,18 +28,7 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{bin}/7z rix, - @{lib}/p7zip/7z rix, - @{bin}/unrar-nonfree rix, - @{bin}/zip rix, - @{bin}/unzip rix, - @{bin}/tar rix, - @{bin}/xz rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/zstd rix, - # For deb packages + @{archive_path} rix, @{bin}/{,@{multiarch}-}ar rix, @{open_path} rPx -> child-open, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 059f337fd..cca544370 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths 
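Review bot: Replacing the five decompressors unmkinitramfs actually used (`bzip2`, `cpio`, `gzip`, `xz`, `zstd`) with `@{archive_path} rix,` also grants it `7z`, `7zz`, `ar`, `lzip`, `rar`, `tar`, `unrar-nonfree`, `unzip` and `zip`, tools an initramfs unpacker that is typically run as root never invokes. Because the transition is `ix` the children stay under this profile, so the practical exposure is bounded, but it is still a wider exec surface than before for a privileged tool; I would keep the explicit five lines there, or accept the tunable with a comment noting the surplus. For file-roller and xarchiver, interactive archivers that may legitimately call any of these, the shared tunable is the right trade-off.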
@@ -72,4 +72,7 @@ # Backup @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor +# Archives +@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index cddb1a7d2..a7cbaf831 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -96,4 +96,7 @@ # Backup @{backup_names} = deja-dup borg +# Archives +@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd + # vim:syntax=apparmor From 71a473712c15ee71fe39ce021577b052fea2528f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:58:02 +0200 Subject: [PATCH 486/672] tests: rewrite and expand the profile check to more files. Rewrite: Speed up the checking by not using grep anymore and only using bash, also make it parallel Revisit the way result are shown. Expand: Also scan for mapping files and abstaction completion. Adapt the scan accordingly. --- tests/check.sh | 378 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 259 insertions(+), 119 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 02ae71812..25c82e3d1 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Usage: make check 
@@ -8,101 +8,250 @@ set -eu -o pipefail -readonly APPARMORD="apparmor.d" -readonly HEADERS=( - "# apparmor.d - Full set of apparmor profiles" - "# Copyright (C) " - "# SPDX-License-Identifier: GPL-2.0-only" -) - -_die() { - echo -e "\033[1;31m ✗ Error: \033[0m$*" - exit 1 +RES=$(mktemp) +echo "false" >"$RES" +MAX_JOBS=$(nproc) +declare WITH_CHECK +readonly MAX_JOBS APPARMORD="apparmor.d" +readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" +_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } +_warn() { + local type="$1" file="$2" + shift 2 + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" +} +_err() { + local type="$1" file="$2" + shift 2 + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + echo "true" >"$RES" } -_ensure_header() { - local file="$1" - for header in "${HEADERS[@]}"; do - if ! grep -q "^$header" "$file"; then - _die "$file does not contain '$header'" +_in_array() { + local item needle="$1" + shift + for item in "$@"; do + if [[ "${item}" == "${needle}" ]]; then + return 0 fi done + return 1 } -_ensure_indentation() { +_is_enabled() { + _in_array "$1" "${WITH_CHECK[@]}" +} + +_wait() { + local -n job=$1 + job=$((job + 1)) + if ((job >= MAX_JOBS)); then + wait -n + job=$((job - 1)) + fi +} + +_check() { local file="$1" - local in_profile=false - local first_line_after_profile=true local line_number=0 while IFS= read -r line; do line_number=$((line_number + 1)) - if [[ "$line" =~ $'\t' ]]; then - _die "$file:$line_number: tabs are not allowed." 
+ # Guidelines check + _check_abi + _check_include + _check_profile + _check_subprofiles + + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header fi + _check_tabs + _check_trailing + _check_indentation + _check_vim - if [[ "$line" =~ ^profile ]]; then - in_profile=true - first_line_after_profile=true + done <"$file" - elif [[ "$line" =~ [[:space:]]+$ ]]; then - _die "$file:$line_number: line has trailing whitespace." + # Results + _res_abi + _res_include + _res_profile + _res_subprofiles + _res_header + _res_vim +} - elif $in_profile; then - if $first_line_after_profile; then - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - if ((num_spaces != 2)); then - _die "$file: profile must have a two-space indentation." - fi - first_line_after_profile=false +# Guidelines check: https://apparmor.pujol.io/development/guidelines/ - else - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} +RES_ABI=false +readonly ABI_SYNTAX='abi ,' +_check_abi() { + _is_enabled abi || return 0 + if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + RES_ABI=true + fi +} +_res_abi() { + _is_enabled abi || return 0 + if ! $RES_ABI; then + _err guideline "$file" "missing 'abi ,'" + fi +} - if ((num_spaces % 2 != 0)); then - ok=false - for offset in 5 11; do - num_spaces=$((num_spaces - offset)) - if ((num_spaces < 0)); then - break - fi - if ((num_spaces % 2 == 0)); then - ok=true - break - fi - done +RES_INCLUDE=false +_check_include() { + _is_enabled include || return 0 + if [[ "$line" =~ ^.*"${include}"$ ]]; then + RES_INCLUDE=true + fi +} +_res_include() { + _is_enabled include || return 0 + if ! $RES_INCLUDE; then + _err guideline "$file" "missing '$include'" + fi +} - if ! $ok; then - _die "$file:$line_number: invalid indentation." 
+RES_PROFILE=false +_check_profile() { + _is_enabled profile || return 0 + if [[ "$line" =~ ^"profile $name" ]]; then + RES_PROFILE=true + fi +} +_res_profile() { + _is_enabled profile || return 0 + if ! $RES_PROFILE; then + _err guideline "$file" "missing profile name: 'profile $name'" + fi +} + +# Style check + +readonly HEADERS=( + "# apparmor.d - Full set of apparmor profiles" + "# Copyright (C) " + "# SPDX-License-Identifier: GPL-2.0-only" +) +_RES_HEADER=(false false false) +_check_header() { + _is_enabled header || return 0 + for idx in "${!HEADERS[@]}"; do + if [[ "$line" == "${HEADERS[$idx]}"* ]]; then + _RES_HEADER[idx]=true + break + fi + done +} +_res_header() { + _is_enabled header || return 0 + for idx in "${!_RES_HEADER[@]}"; do + if ${_RES_HEADER[$idx]}; then + continue + fi + _err style "$file" "missing header: '${HEADERS[$idx]}'" + done +} + +_check_tabs() { + _is_enabled tabs || return 0 + if [[ "$line" =~ $'\t' ]]; then + _err style "$file:$line_number" "tabs are not allowed" + fi +} + +_check_trailing() { + _is_enabled trailing || return 0 + if [[ "$line" =~ [[:space:]]+$ ]]; then + _err style "$file:$line_number" "line has trailing whitespace" + fi +} + +_CHECK_IN_PROFILE=false +_CHECK_FIRST_LINE_AFTER_PROFILE=true +_check_indentation() { + _is_enabled indentation || return 0 + if [[ "$line" =~ ^profile ]]; then + _CHECK_IN_PROFILE=true + _CHECK_FIRST_LINE_AFTER_PROFILE=true + + elif $_CHECK_IN_PROFILE; then + if $_CHECK_FIRST_LINE_AFTER_PROFILE; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _err style "$file:$line_number" "profile must have a two-space indentation" + fi + _CHECK_FIRST_LINE_AFTER_PROFILE=false + + else + local leading_spaces="${line%%[! 
]*}" + local num_spaces=${#leading_spaces} + + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break fi + if ((num_spaces % 2 == 0)); then + ok=true + break + fi + done + + if ! $ok; then + _err style "$file:$line_number" "invalid indentation" fi fi fi - done <"$file" -} - -_ensure_include() { - local file="$1" - local include="$2" - if ! grep -q "^ *${include}$" "$file"; then - _die "$file does not contain '$include'" fi } -_ensure_abi() { - local file="$1" - if ! grep -q "^ *abi ," "$file"; then - _die "$file does not contain 'abi ,'" +_CHEK_IN_SUBPROFILE=false +declare -A _RES_SUBPROFILES +_check_subprofiles() { + _is_enabled subprofiles || return 0 + if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then + indentation="${BASH_REMATCH[1]}" + subprofile="${BASH_REMATCH[2]}" + subprofile="${subprofile%% *}" + include="${indentation}include if exists " + _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" + _CHEK_IN_SUBPROFILE=true + elif $_CHEK_IN_SUBPROFILE; then + if [[ "$line" == *"$include" ]]; then + _RES_SUBPROFILES["$subprofile"]=true + + fi fi } +_res_subprofiles() { + _is_enabled subprofiles || return 0 + for msg in "${_RES_SUBPROFILES[@]}"; do + if [[ $msg == true ]]; then + continue + fi + _err guideline "$file" "$msg" + done +} -_ensure_vim() { - local file="$1" - if ! grep -q "^# vim:syntax=apparmor" "$file"; then - _die "$file does not contain '# vim:syntax=apparmor'" +readonly VIM_SYNTAX="# vim:syntax=apparmor" +RES_VIM=false +_check_vim() { + _is_enabled vim || return 0 + if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then + RES_VIM=true + fi +} +_res_vim() { + _is_enabled vim || return 0 + if ! $RES_VIM; then + _err style "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } 
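Review bot: `_check_subprofiles` overwrites the caller-provided `include` variable when it meets a subprofile header, and `_check_include` reads that same variable on every following line, so from that point on the main-profile check searches for the subprofile's `include if exists` line and is satisfied by it; whether a profile that lacks its own local include but has one in a subprofile still passes depends on the order of those lines in the file, which I cannot see from here. Giving the subprofile its own variable removes the coupling: `subinclude="${indentation}include if exists "` in the header branch (keeping the rest of that assignment as the file currently builds it) and `if [[ "$line" == *"$subinclude" ]]; then` in the elif branch. `_CHEK_IN_SUBPROFILE` is also misspelled and is never reset once a subprofile closes, so the elif branch keeps comparing every later line against the last subprofile's include. Separately, `_check` relies on `file`, `name`, `include` and `WITH_CHECK` being set by its caller without saying so; a line such as `# expects name, include and WITH_CHECK to be set by the caller` at its top would make that contract visible.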
@@ -117,69 +266,60 @@ check_sbin() { } check_profiles() { - echo -e "\033[1m â‹… \033[0mChecking if all profiles contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'profile '" - echo " - 'include if exists '" - echo " - include if exists local for subprofiles" - echo " - vim:syntax=apparmor" - directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") - # shellcheck disable=SC2068 - for dir in ${directories[@]}; do - for file in $(find "$dir" -maxdepth 1 -type f); do - case "$file" in */README.md) continue ;; esac + _msg "Checking profiles" + mapfile -t files < <( + find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ + -prune -o -type f -print + ) + jobs=0 + WITH_CHECK=(abi include profile header tabs trailing indentation subprofiles vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - if ! grep -q "^profile $name" "$file"; then - _die "$name does not contain 'profile $name'" - fi - mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') - for subprofile in "${subrofiles[@]}"; do - include="include if exists " - if ! 
grep -q "^ *${include}$" "$file"; then - _die "$name: $name//$subprofile does not contain '$include'" - fi - done - done + _check "$file" + ) & + _wait jobs done + wait } check_abstractions() { - echo -e "\033[1m â‹… \033[0mChecking if all abstractions contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'include if exists '" - echo " - vim:syntax=apparmor" - directories=( - "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" - "$APPARMORD/abstractions/attached/" - "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" - ) - for dir in "${directories[@]}"; do - for file in $(find "$dir" -maxdepth 1 -type f); do + _msg "Checking abstractions" + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") + jobs=0 + WITH_CHECK=(abi include header tabs trailing indentation vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" - root="${dir/${APPARMORD}\/abstractions\//}" - include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - done + absdir="${file/${APPARMORD}\//}" + include="include if exists <${absdir}.d>" + _check "$file" + ) & + _wait jobs done + wait + + mapfile -t files < <( + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" + find "$APPARMORD/mappings" -type f + ) + # shellcheck disable=SC2034 + jobs=0 + WITH_CHECK=(header tabs trailing indentation vim) + for file in "${files[@]}"; do + _check "$file" & + _wait jobs + done + wait } check_sbin check_profiles check_abstractions + +FAIL=$(cat "$RES") +if [[ "$FAIL" == "true" ]]; then + exit 1 +fi From fff0df39ba61e862e7d62897b0126e0c2eb91835 Mon Sep 17 00:00:00 2001 
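Review bot: The results file created with `mktemp` at the top of the script (earlier hunk of this commit) is never removed, so every run leaves one behind in the temp directory; `trap 'rm -f "$RES"' EXIT` next to its creation would cover both the normal exit and the `exit 1` added at the end of this hunk. The counter passed to `_wait` is named `jobs`, which is also the name of a bash builtin; it works because it is only ever used as a variable, but a name like `running` would read less ambiguously, and the `# shellcheck disable=SC2034` placed on the second `jobs=0` in `check_abstractions` could then carry a short comment saying the variable is consumed through the nameref in `_wait`.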
From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:59:14 +0200 Subject: [PATCH 487/672] tests: add more check for sbin path Also look for path that should not use sbin. --- tests/check.sh | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 25c82e3d1..09a2e105b 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -256,13 +256,39 @@ _res_vim() { } check_sbin() { - echo -e "\033[1m â‹… \033[0mEnsuring '@{sbin}' is used in all profiles:" - while IFS= read -r name; do - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) - for file in "${files[@]}"; do - _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'" - done - done Date: Mon, 2 Jun 2025 20:41:20 +0200 Subject: [PATCH 488/672] test: add some security checks. --- tests/check.sh | 81 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 78 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 09a2e105b..59463246e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -12,7 +12,7 @@ RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) declare WITH_CHECK -readonly MAX_JOBS APPARMORD="apparmor.d" +readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -58,6 +58,12 @@ _check() { while IFS= read -r line; do line_number=$((line_number + 1)) + # Rules checks + _check_abstractions + _check_directory_mark + _check_equivalent + _check_too_wide + # Guidelines check _check_abi _check_include 
@@ -84,13 +90,82 @@ _check() { _res_vim } +# Rules checks: security, compatibility and rule issues + +readonly ABS="abstractions" +readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp) +declare -A ABS_DEPRECATED=( + ["nameservice"]="nameservice-strict" + ["bash"]="shell" + ["X"]="X-strict" + ["dbus-accessibility-strict"]="bus-accessibility" + ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" + ["dbus-session-strict"]="bus-session" + ["dbus-system-strict"]="bus-system" +) +_check_abstractions() { + _is_enabled abstractions || return 0 + + local absname + for absname in "${ABS_DANGEROUS[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + fi + done + for absname in "${!ABS_DEPRECATED[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + fi + done +} + +readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') +_check_directory_mark() { + _is_enabled directory_mark || return 0 + for pattern in "${DIRECTORIES[@]}"; do + if [[ "$line" == *"$pattern"* ]]; then + [[ "$line" == *'='* ]] && continue + if [[ ! "$line" == *"$pattern/"* ]]; then + _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + fi + fi + done +} + +declare -A EQUIVALENTS=( + ["awk"]="{m,g,}awk" + ["grep"]="{,e}grep" + ["which"]="which{,.debianutils}" +) +_check_equivalent() { + _is_enabled equivalent || return 0 + local prgmname + for prgmname in "${!EQUIVALENTS[@]}"; do + if [[ "$line" == *"/$prgmname"* ]]; then + if [[ ! 
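Review bot: The four `_check_*` calls added here each begin with `_is_enabled <name> || return 0`, and the `WITH_CHECK` arrays set in `check_profiles` and `check_abstractions` by the previous commit list only `abi include profile header tabs trailing indentation subprofiles vim`; this commit's diffstat, 78 insertions and 3 deletions, is fully accounted for by its four visible hunks, so unless a later commit extends those arrays the new rules checks never execute. Extending the profile list, `WITH_CHECK=(abstractions directory_mark equivalent too_wide abi include profile header tabs trailing indentation subprofiles vim)`, would enable them; the abstractions list probably wants at least `too_wide` and `directory_mark` as well. `_check`'s body continues outside the hunk.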
"$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then + _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + fi + fi + done +} + +readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') +_check_too_wide() { + _is_enabled too_wide || return 0 + for pattern in "${TOOWIDE[@]}"; do + if [[ "$line" == *" $pattern "* ]]; then + _err security "$file:$line_number" "rule too wide: '$pattern'" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false readonly ABI_SYNTAX='abi ,' _check_abi() { _is_enabled abi || return 0 - if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + if [[ "$line" == *"$ABI_SYNTAX" ]]; then RES_ABI=true fi } @@ -104,7 +179,7 @@ _res_abi() { RES_INCLUDE=false _check_include() { _is_enabled include || return 0 - if [[ "$line" =~ ^.*"${include}"$ ]]; then + if [[ "$line" == *"${include}"* ]]; then RES_INCLUDE=true fi } From c8f2a435f877367866fa811d4d897238c0d6108b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Jun 2025 23:59:41 +0200 Subject: [PATCH 489/672] tests: remove symbolic link from sbin. --- tests/sbin.list | 288 +++++------------------------------------------- 1 file changed, 30 insertions(+), 258 deletions(-) diff --git a/tests/sbin.list b/tests/sbin.list index 676bc4d56..d2b5c44bc 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -21,7 +21,6 @@ acpid acpidump add-shell addgnupghome -addgroup addpart adduser agetty @@ -31,24 +30,15 @@ alsa-info.sh alsa-init alsabat-test alsactl -alternatives anacron +apache2 apparmor_parser apparmor_status applygnupgdefaults aptd argdist-bpfcc -arp arpd -arptables -arptables-nft -arptables-nft-restore -arptables-nft-save -arptables-restore -arptables-save -arptables-translate aspell-autobuildhash -atd audisp-af_unix audisp-filter audisp-syslog 
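Review bot: `_check_too_wide` reports any line that contains one of the `TOOWIDE` patterns between spaces, which would include restricting rules such as `deny /** w,` if the profiles use them (not visible from here), and then labels a rule that removes access a security error. Skipping lines whose first token is `deny` keeps the check to permissive rules: `local stripped="${line#"${line%%[! ]*}"}"` followed by `[[ "$stripped" == deny* ]] && return 0` before the loop. In the same hunk, `pattern` in `_check_directory_mark` and `_check_too_wide` is not declared `local`, unlike `absname` and `prgmname` in the neighbouring functions; since `_check` runs all of these per line in one shell, a `local pattern` in each keeps the style consistent. The loosened `_check_abi` comparison, `*"$ABI_SYNTAX"`, now also accepts a commented-out `abi` line, whereas the removed anchored form required the line to start with optional spaces and the keyword.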
@@ -90,26 +80,18 @@ blockdev blogctl blogd blogger -bluetoothd bpflist-bpfcc bpftool brctl bridge -brltty brltty-setup btrfs btrfs-convert +btrfs-find-root btrfs-image -btrfsck btrfsdist-bpfcc btrfsslower-bpfcc btrfstune -cache_check -cache_dump -cache_metadata_size -cache_repair -cache_restore -cache_writeback cachestat-bpfcc cachetop-bpfcc capable-bpfcc @@ -120,7 +102,6 @@ cgdisk chat chcpu check_mail_queue -check-bios-nx checkproc chgpasswd chkstat-polkit @@ -135,7 +116,6 @@ coldreboot compactsnoop-bpfcc complain config.postfix -cpgr cppw cpudist-bpfcc cpuunclaimed-bpfcc @@ -153,17 +133,13 @@ cryptdisks_start cryptdisks_stop cryptsetup ctrlaltdel -ctstat cups-browsed cups-genppd.5.3 cups-genppdupdate cupsaccept cupsctl cupsd -cupsdisable -cupsenable cupsfilter -cupsreject dbslower-bpfcc dbstat-bpfcc dcb @@ -173,14 +149,9 @@ dcstat-bpfcc ddns-confgen deadlock-bpfcc debugfs -debugfs.reiserfs -debugreiserfs decode -defrag.f2fs -delgroup delpart deluser -depmod devlink dhcpcd dirtop-bpfcc @@ -192,7 +163,6 @@ dmfilemapd dmidecode dmraid dmsetup -dmstats dnsmasq dosfsck dosfslabel @@ -213,34 +183,37 @@ e2undo e4crypt e4defrag eapol_test -ebtables -ebtables-nft -ebtables-nft-restore -ebtables-nft-save -ebtables-restore -ebtables-save -ebtables-translate ec_access efibootdump efibootmgr enforce -era_check -era_dump -era_invalidate -era_restore ethtool eventlogadm -exec execsnoop-bpfcc execsnoop.bt exfat2img exfatlabel +exicyclog +exigrep +exim_checkaccess +exim_convert4r4 +exim_dbmbuild +exim_dumpdb +exim_fixdb +exim_id_update +exim_lock +exim_msgdate +exim_tidydb +exim4 +eximstats +exinext +exipick +exiqgrep +exiqsumm exitsnoop-bpfcc +exiwhat ext4dist-bpfcc ext4slower-bpfcc -f2fs_io -f2fscrypt -f2fslabel f2fsslower-bpfcc faillock fanatic @@ -251,7 +224,6 @@ fatresize fbtest fdformat fdisk -fibmap.f2fs filefrag filegone-bpfcc filelife-bpfcc @@ -270,7 +242,6 @@ fsck.exfat fsck.ext2 fsck.ext3 fsck.ext4 -fsck.f2fs fsck.fat fsck.minix fsck.msdos 
@@ -295,7 +266,6 @@ gethostlatency-bpfcc gethostlatency.bt getpcaps getsysinfo -getty getweb gnome-menus-blacklist gpart @@ -308,7 +278,6 @@ groupmod grpck grpconv grpunconv -grub-bios-setup grub-install grub-macbless grub-mkconfig @@ -328,62 +297,30 @@ grub2-reboot grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg -halt hardirqs-bpfcc -hc-ifscan hdparm hwclock hwinfo iconvconfig -ifconfig ifrename ifstat import-openSUSE-build-key -init inject-bpfcc inputattach -insmod install_acx100_firmware install_intersil_firmware install-sgmlcatalog installkernel integritysetup invoke-rc.d -ip -ip6tables -ip6tables-apply -ip6tables-legacy ip6tables-legacy-batch -ip6tables-legacy-restore -ip6tables-legacy-save -ip6tables-nft -ip6tables-nft-restore -ip6tables-nft-save -ip6tables-restore -ip6tables-restore-translate -ip6tables-save -ip6tables-translate -ipmaddr ipp-usb ippevepcl ippeveprinter ippeveps ipset -ipset-translate -iptables iptables-apply -iptables-legacy iptables-legacy-batch -iptables-legacy-restore -iptables-legacy-save -iptables-nft -iptables-nft-restore -iptables-nft-save -iptables-restore -iptables-restore-translate -iptables-save -iptables-translate -iptunnel irqbalance irqbalance-ui isadump @@ -397,8 +334,6 @@ isosize ispell-autobuildhash isserial issue-generator -iucode_tool -iucode-tool iw iwconfig iwevent @@ -427,7 +362,6 @@ killsnoop.bt klockstat-bpfcc klogd kpartx -kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -449,29 +383,11 @@ lpadmin lpc lpinfo lpmove -lsmod -lspcmcia luksformat -lvchange -lvconvert -lvcreate -lvdisplay -lvextend lvm lvm_import_vdo -lvmconfig -lvmdevices -lvmdiskscan lvmdump lvmpolld -lvmsadc -lvmsar -lvreduce -lvremove -lvrename -lvresize -lvs -lvscan lwepgen lxc lxd @@ -484,7 +400,6 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc -mii-tool mk_isdnhwdb mkdict mkdosfs @@ -500,10 +415,6 @@ mkfs.ext4 mkfs.f2fs mkfs.fat mkfs.minix -mkfs.msdos -mkfs.ntfs -mkfs.reiserfs -mkfs.vfat mkfs.xfs mkhomedir_helper mkill 
@@ -515,8 +426,6 @@ mkreiserfs mksubvolume mkswap ModemManager -modinfo -modprobe mount.cifs mount.ddi mount.fuse @@ -533,12 +442,9 @@ mpathpersist multipath multipathc multipathd -mysqld mysqld_qslower-bpfcc -nameif naptime.bt needrestart -netplan netqtop-bpfcc NetworkManager newusers @@ -574,7 +480,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -packer pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -583,13 +488,11 @@ pam_timestamp_check pam-auth-update pam-config paperconfig -parse.f2fs parted partprobe partx pbl pccardctl -pcilmr pcscd pdata_tools perlcalls-bpfcc @@ -598,11 +501,9 @@ perlstat-bpfcc phpcalls-bpfcc phpflow-bpfcc phpstat-bpfcc -pidofproc pidpersec-bpfcc pidpersec.bt pivot_root -plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -618,7 +519,7 @@ postmap postmulti postqueue postsuper -poweroff +posttls-finger ppchcalls-bpfcc pppd pppdump @@ -627,15 +528,6 @@ pppstats pptp pptpsetup profile-bpfcc -pvchange -pvck -pvcreate -pvdisplay -pvmove -pvremove -pvresize -pvs -pvscan pwck pwconv pwhistory_helper 
@@ -647,108 +539,30 @@ pythongc-bpfcc pythonstat-bpfcc qemu-ga qmqp-source -rarp -rcapparmor -rcauditd -rcautofs -rcavahi-daemon -rcavahi-dnsconfd -rcblk-availability -rcbolt -rcbtrfsmaintenance-refresh -rcca-certificates -rcchrony-wait -rcchronyd -rccolord -rccron -rccups -rccups-browsed -rccups-lpd -rcdbus -rcdisplay-manager -rcdm-event -rcdnsmasq -rcfancontrol +qshape rcfirewalld -rcflatpak-system-helper -rcfstrim -rcfwupd -rcfwupd-offline-update -rcfwupd-refresh -rcgpm -rcirqbalance -rcissue-add-ssh-keys -rcissue-generator -rckexec-load -rclm_sensors -rclogrotate -rclvm2-lvmpolld -rclvm2-monitor -rcmariadb -rcmcelog -rcmdmonitor -rcModemManager -rcmultipathd -rcmysql -rcnetwork -rcnfs-client -rcnmb rcopenvpn -rcostree-prepare-root -rcostree-remount -rcpackagekit -rcpackagekit-offline-update rcpcscd -rcpkcs11_eventmgr -rcpostfix -rcrng-tools -rcrpcbind -rcrsyncd -rcrtkit-daemon -rcsddm -rcsmartd -rcsmb -rcsnmpd -rcsnmptrapd -rcspeech-dispatcherd -rcspice-vdagentd -rcsshd -rctuned -rcudisks2 -rcupower -rcusbmuxd -rcwpa_supplicant -rcwsdd rcxdm rcxvnc rdma rdmaucma-bpfcc -rdmsr readahead-bpfcc readprofile -reboot -refresh_initrd +realm regdbdump -reiserfsck -reiserfstune remove-default-ispell remove-default-wordlist remove-shell request-key reset-trace-bpfcc -resize_reiserfs -resize.f2fs resize2fs resizepart -resolvconf rfkill -rmmod -rmt rmt-tar rndc rndc-confgen rngd -route routel rpc.gssd rpc.idmapd @@ -757,7 +571,6 @@ rpc.svcgssd rpcbind rpcctl rpcdebug -rpcinfo rpmconfigcheck rsyncd rsyslogd @@ -765,14 +578,12 @@ rtacct rtcwake rtkitctl rtmon -rtstat rubycalls-bpfcc rubyflow-bpfcc rubygc-bpfcc rubyobjnew-bpfcc rubystat-bpfcc runc -runlevel runqlat-bpfcc runqlat.bt runqlen-bpfcc @@ -792,8 +603,6 @@ sensors-detect service set_polkit_default_privs setcap -setconsole -setpci setuids.bt setup-nsssysinit.sh setvesablank 
@@ -805,12 +614,9 @@ shim-install shmsnoop-bpfcc showconsole showmount -shutdown skdump sktest slabratetop-bpfcc -slattach -sload.f2fs sm-notify smart_agetty smartctl @@ -828,12 +634,12 @@ spice-vdagentd ss sshd sshd-gen-keys-start +sshd.hmac ssllatency.bt sslsniff-bpfcc sslsnoop.bt sssd stackcount-bpfcc -start_daemon start-statd start-stop-daemon startproc @@ -855,6 +661,7 @@ sysconf_addword syscount-bpfcc syscount.bt sysctl +syslog2eximlog sysusers2shadow tarcat tc @@ -881,33 +688,20 @@ tcpsynbl-bpfcc tcpsynbl.bt tcptop-bpfcc tcptracer-bpfcc -tcptraceroute tcptraceroute.db -telinit thermald -thin_check -thin_delta -thin_dump -thin_ls -thin_metadata_size -thin_repair -thin_restore -thin_rmap -thin_trim threadsnoop-bpfcc threadsnoop.bt tipc tlp tplist-bpfcc trace-bpfcc -traceroute tsig-keygen ttysnoop-bpfcc tune.exfat tune2fs tuned tuned-adm -tunefs.reiserfs tunelp u-d-c-print-pci-ids ucalls @@ -923,21 +717,21 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-bootloader +update-alternatives update-ca-certificates update-catalog update-cracklib -update-default-aspell update-default-ispell update-default-wordlist update-dictcommon-aspell update-dictcommon-hunspell +update-exim4.conf +update-exim4.conf.template update-fonts-alias update-fonts-dir update-fonts-scale update-grub update-grub-gfxpayload -update-grub2 update-gsfontmap update-icon-caches update-ieee-data @@ -973,30 +767,10 @@ vfscount-bpfcc vfscount.bt vfsstat-bpfcc vfsstat.bt -vgcfgbackup -vgcfgrestore -vgchange -vgck -vgconvert -vgcreate -vgdisplay -vgexport -vgextend -vgimport -vgimportclone -vgimportdevices -vgmerge -vgmknodes -vgreduce -vgremove -vgrename -vgs -vgscan -vgsplit vhangup -vigr vipw virt-what +virt-what-cvm virtiostat-bpfcc virtlockd virtlogd @@ -1015,7 +789,6 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt -wrmsr xfs_admin xfs_bmap xfs_copy @@ -1032,6 +805,7 @@ xfs_metadump xfs_mkfile xfs_ncheck xfs_property +xfs_protofile xfs_quota xfs_repair xfs_rtcp 
@@ -1043,9 +817,7 @@ xfsdist.bt xfsslower-bpfcc xkbctrl xtables-legacy-multi -xtables-monitor xtables-nft-multi -yast yast2 zdump zerofree From 6ed873aad375bea4734ec5321049e597aec02c32 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:35:43 +0200 Subject: [PATCH 490/672] feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin). --- apparmor.d/abstractions/app/kmod | 6 ------ apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/cron/anacron | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-apt | 4 ++-- apparmor.d/groups/cron/cron-exim4-base | 6 +++--- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/filesystem/btrfs-find-root | 2 +- apparmor.d/groups/firewall/firewalld | 4 ++-- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/grub/update-grub | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/openvpn | 6 +++--- apparmor.d/groups/network/tailscale | 2 +- apparmor.d/groups/network/tailscaled | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/pacman/mkinitcpio | 5 +---- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 1 - apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 1 - apparmor.d/profiles-a-f/adduser | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/atd | 4 ++-- apparmor.d/profiles-a-f/check-bios-nx | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-a-f/deluser | 4 ++-- apparmor.d/profiles-a-f/dhclient-script | 2 +- apparmor.d/profiles-a-f/exim4 | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 2 +- apparmor.d/profiles-g-l/ifup | 2 +- apparmor.d/profiles-g-l/inxi | 4 ++-- apparmor.d/profiles-g-l/ip | 2 +- 
apparmor.d/profiles-g-l/ipcalc | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- apparmor.d/profiles-s-z/wpa-action | 2 +- tests/sbin.list | 16 ++++++++++++++++ 54 files changed, 75 insertions(+), 70 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 6c889bd60..b6beeb7f6 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -8,12 +8,6 @@ include @{bin}/kmod mr, - @{sbin}/depmod mr, - @{sbin}/insmod mr, - @{sbin}/lsmod mr, - @{sbin}/modinfo mr, - @{sbin}/modprobe mr, - @{sbin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 936d15d42..0ee42f5a4 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} { @{pager_path} Cx -> pager, @{bin}/dpkg Px -> child-dpkg, - @{bin}/exim4 Px, # Send results using email + @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index c9448c7fb..c67b1dfb5 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -27,7 +27,7 @@ profile debsecan @{exec_path} { @{sh_path} rix, # Send results using email - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index dbd02ff6c..ab230a43b 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug 
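Review bot: After this hunk `@{bin}/kmod mr` is the only exec rule left in the kmod abstraction, which is sufficient only where `depmod`, `insmod`, `lsmod`, `modinfo`, `modprobe` and `rmmod` are symlinks to `kmod`, as the sbin.list cleanup earlier in this series (which drops exactly those six names as symbolic links) suggests; AppArmor mediates the resolved target of a symlink, so the six removed rules are redundant in that layout. A one-line comment stating the assumption would keep a future reader from re-adding them, e.g. `@{bin}/kmod mr, # depmod, insmod, lsmod, modinfo, modprobe and rmmod are symlinks to kmod`. On a system that ships any of them as separate binaries the removed rules would still be needed, which is worth a sentence in the commit message.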
@@ -40,7 +40,7 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 1322108d4..3756c1d03 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, / r, /etc/anacrontab r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index eba78ac82..e91f9b419 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/ionice rix, @{bin}/nice rix, @{bin}/run-parts rCx -> run-parts, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 81e5761d7..0d5d5a081 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/cron-apt +@{exec_path} = @{bin}/cron-apt profile cron-apt @{exec_path} { include include @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /usr/share/cron-apt/{,*} r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 2970f8d42..784dfae19 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base 
@@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{bin}/eximstats rix, + @{sbin}/eximstats rix, - @{bin}/exim4 rPx, - @{bin}/exim_tidydb rix, + @{sbin}/exim4 rPx, + @{sbin}/exim_tidydb rix, @{sbin}/start-stop-daemon rix, @{sbin}/runuser rix, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 156d5e820..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/crontab +@{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 91dd32f51..6eeeaa414 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, - @{sbin}/ippfind rix, + @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/filesystem/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root index eef4b6823..cec2bbb61 100644 --- a/apparmor.d/groups/filesystem/btrfs-find-root +++ b/apparmor.d/groups/filesystem/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-find-root +@{exec_path} = @{sbin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 01f853c26..57a0baa20 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld 
@@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/alts ix, @{bin}/false ix, @{bin}/kmod Cx -> kmod, - @{sbin}/ebtables-legacy ix, - @{sbin}/ebtables-legacy-restore ix, + @{bin}/ebtables-legacy ix, + @{bin}/ebtables-legacy-restore ix, @{sbin}/ipset ix, @{sbin}/xtables-legacy-multi ix, @{sbin}/xtables-nft-multi mix, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index 9ccd02275..b0d606701 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/grub-bios-setup +@{exec_path} = @{bin}/grub-bios-setup profile grub-bios-setup @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index ff17c160a..d4460a3cf 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub profile update-grub @{exec_path} { include include diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 0ae174b09..b5cceee95 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} { @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{sbin}/tcsh rix, + @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @{bin}/which{,.*} rix, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index eddcaedf7..0b5bd090e 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/iwctl +@{exec_path} = @{bin}/iwctl profile iwctl @{exec_path} { include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ecd23ce53..6c4c41e6c 100644 --- a/apparmor.d/groups/network/mullvad-daemon 
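Review bot: Dropping `update-grub2` from update-grub's `@{exec_path}` narrows attachment to one name, which is only safe because AppArmor attaches on the resolved path, i.e. if `update-grub2` is a symlink to `update-grub`; where a distribution ships it as a separate file it would run unconfined. The same alias-collapse pattern appears later in this patch in mkinitcpio and pacman-hook-depmod (the depmod/insmod/modprobe/... rules reduced to `@{bin}/kmod rPx,`), adduser (`@{sbin}/group` dropped) and deluser (`@{sbin}/delgroup` dropped), and the removal of `@{sbin}/shutdown rix,` from acpi-powerbtn likewise assumes `shutdown` resolves to a binary another rule already allows, which the visible context does not show. A one-line comment next to each collapsed rule, e.g. `# addgroup/delgroup are symlinks to adduser/deluser; attachment follows the resolved path`, would record the assumption for the next reviewer.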
+++ b/apparmor.d/groups/network/mullvad-daemon @@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*.so*" mr, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index f4fcfa50d..6431ee98a 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/systemd-ask-password rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, @@ -83,7 +83,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/which rix, @{sbin}/xtables-nft-multi rix, @@ -110,7 +110,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/env rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 096fe276c..4e5bba684 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -23,7 +23,7 @@ profile tailscale @{exec_path} { @{exec_path} mr, - @{sbin}/ip rPx, + @{bin}/ip rPx, owner @{run}/tailscale/tailscaled.sock rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index bb877ec1a..8162dff1e 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -35,7 +35,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/resolvectl rPx, @{sbin}/xtables-nft-multi rix, 
diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index e8ece5c88..c89a12a47 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -21,7 +21,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/mv rix, @{sbin}/nft rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 9eafb72a9..1f1fc66eb 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -42,10 +42,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/{depmod,insmod} rPx, - @{bin}/{kmod,lsmod} rPx, - @{bin}/{modinfo,rmmod} rPx, - @{sbin}/modprobe rPx, + @{bin}/kmod rPx, @{bin}/plymouth rPx, @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6af9bae96..6cf3b824c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -97,7 +97,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, @{sbin}/update-grub rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/which rix, @{bin}/xmlcatalog rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index fe1bc5781..ce41d6ae8 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -16,7 +16,6 @@ profile pacman-hook-depmod @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, - @{sbin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 3ca55909d..9fd065db3 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan 
+++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -17,7 +17,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 575481de2..916279378 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/sleep rix, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 87ffb3f4a..b6111750b 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -38,7 +38,7 @@ profile cockpit-bridge @{exec_path} { @{bin}/cat ix, @{bin}/date ix, @{bin}/find ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{python_path} ix, @{bin}/test ix, @{bin}/file ix, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index d71eb9ec1..1de016aea 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} { @{sh_path} rix, @{bin}/hostname rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 94fa568a3..4d730602d 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -116,7 +116,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/virtlogd rPx, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper 
diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index bf7daf85e..fd1d0af03 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -17,7 +17,6 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{sbin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index d971d22f3..039518b51 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/adduser @{sbin}/group +@{exec_path} = @{sbin}/adduser profile adduser @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6999f5baf..c4741b09a 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aa0a365fd..aea3cbf01 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/atd +@{exec_path} = @{bin}/atd profile atd @{exec_path} { include include @@ -28,7 +28,7 @@ profile atd @{exec_path} { @{sh_path} rix, @{sbin}/sendmail rPUx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 965e0dc3a..c44b6eaa5 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx 
@@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index cecb0e22d..bb7dfd3b8 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -31,7 +31,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{bin}/exim4 rPUx, + @{sbin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1f5d6f0a7..3505126ad 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/deluser @{sbin}/delgroup +@{exec_path} = @{sbin}/deluser profile deluser @{exec_path} { include include @@ -20,7 +20,7 @@ profile deluser @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/crontab rPx, + @{bin}/crontab rPx, @{bin}/gpasswd rPx, @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index d5505ff86..9a7e77902 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} { @{bin}/fold rix, @{bin}/head rix, @{bin}/hostname rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 9aaccaa16..3af283014 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/exim4 +@{exec_path} = @{sbin}/exim4 profile exim4 @{exec_path} flags=(attach_disconnected) { include include 
diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 21d2a1cf8..629208bc6 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -21,7 +21,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/xtables-nft-multi rix, - @{sbin}/iptables rix, + @{bin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 42169dd6d..3c641f8e1 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -19,7 +19,7 @@ profile ifup @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 38b2a17a2..e80875ca2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -32,7 +32,7 @@ profile inxi @{exec_path} { @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{sbin}/ip rCx -> ip, + @{bin}/ip rCx -> ip, @{bin}/kmod rCx -> kmod, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -115,7 +115,7 @@ profile inxi @{exec_path} { network netlink raw, - @{sbin}/ip mr, + @{bin}/ip mr, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 3495bcc80..bcb521c01 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ip +@{exec_path} = @{bin}/ip profile ip @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index 628728846..c6dfa762a 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ipcalc +@{exec_path} = @{bin}/ipcalc profile ipcalc @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 2382ea062..133cf8ae7 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,7 +38,7 @@ profile kernel @{exec_path} { @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, @{sbin}/dkms rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index b4f3ac2f4..aeb125ef2 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -18,7 +18,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{sbin}/blkid Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 85437017b..485520ca0 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -20,7 +20,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 8b8968464..cd2ddc0e6 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/modprobed-db +@{exec_path} = @{bin}/modprobed-db profile modprobed-db @{exec_path} { include include 
diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index b45dd3986..019e89e23 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/setpci +@{exec_path} = @{bin}/setpci profile setpci @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 8b66b652f..6ff0fe7e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -23,7 +23,7 @@ profile syncthing @{exec_path} { @{exec_path} mrix, @{open_path} rPx -> child-open, - @{sbin}/ip rix, + @{bin}/ip rix, /usr/share/mime/{,**} r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa..68ddb97a5 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-alternatives +@{exec_path} = @{sbin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index d0fc54b7c..e23d4db43 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{open_path} rpx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 6f4c120a0..023644eb0 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage 
@@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index b2cfe0091..b6764ba0e 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -24,7 +24,7 @@ profile wpa-action @{exec_path} { @{bin}/cat rix, @{bin}/date rix, @{bin}/ifup rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/ln rix, @{bin}/logger rix, @{bin}/rm rix, diff --git a/tests/sbin.list b/tests/sbin.list index d2b5c44bc..15373846c 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -37,6 +37,7 @@ apparmor_status applygnupgdefaults aptd argdist-bpfcc +arp arpd aspell-autobuildhash audisp-af_unix @@ -64,6 +65,7 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode +biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -102,6 +104,7 @@ cgdisk chat chcpu check_mail_queue +check-bios-nx checkproc chgpasswd chkstat-polkit @@ -161,6 +164,7 @@ dmevent_tool dmeventd dmfilemapd dmidecode +dmidecode dmraid dmsetup dnsmasq @@ -236,6 +240,7 @@ flushb fonts-config fsadm fsck +fsck. fsck.btrfs fsck.cramfs fsck.exfat @@ -302,6 +307,7 @@ hdparm hwclock hwinfo iconvconfig +ifconfig ifrename ifstat import-openSUSE-build-key @@ -334,6 +340,7 @@ isosize ispell-autobuildhash isserial issue-generator +iucode_tool iw iwconfig iwevent @@ -362,6 +369,7 @@ killsnoop.bt klockstat-bpfcc klogd kpartx +kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -386,6 +394,7 @@ lpmove luksformat lvm lvm_import_vdo +lvmconfig lvmdump lvmpolld lwepgen @@ -405,6 +414,7 @@ mkdict mkdosfs mke2fs mkfs +mkfs. mkfs.bfs mkfs.btrfs mkfs.cramfs @@ -480,6 +490,7 @@ opensnoop.bt openvpn overlayroot-chroot ownership +ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv 
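Review bot: `+biosdecode` is inserted directly below an existing `biosdecode` entry and creates a duplicate; the same happens for `dmidecode` and `ownership` in later hunks of this file and for `vpddecode` in the next one. check_sbin builds one grep per entry, so duplicates double both the scanning work and any error output for those names. The new `fsck.` and `mkfs.` entries also look suspicious: the list entries are interpolated unescaped into an `-E` pattern in check.sh, so a trailing dot matches any single character rather than a literal prefix — confirm these are intended entries.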
@@ -547,6 +558,7 @@ rcxdm rcxvnc rdma rdmaucma-bpfcc +rdmsr readahead-bpfcc readprofile realm @@ -558,11 +570,13 @@ request-key reset-trace-bpfcc resize2fs resizepart +resolvconf rfkill rmt-tar rndc rndc-confgen rngd +route routel rpc.gssd rpc.idmapd @@ -778,6 +792,7 @@ visudo vmcore-dmesg vncsession vpddecode +vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc @@ -789,6 +804,7 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt +wrmsr xfs_admin xfs_bmap xfs_copy From f0355f36b9fd74725e086790db305de6c25edafa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:36:30 +0200 Subject: [PATCH 491/672] tests: show error line in sbin check. --- tests/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 59463246e..add9b0685 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -338,7 +338,7 @@ check_sbin() { jobs=0 for name in "${sbin[@]}"; do ( - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done @@ -349,7 +349,7 @@ check_sbin() { local pattern='[[:alnum:]_.-]+' # Pattern for valid file names jobs=0 - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do ( while read -r match; do @@ -359,7 +359,7 @@ check_sbin() { _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi fi - done < <(grep --only-matching -E "@\{sbin\}/$pattern" "$file") + done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & _wait jobs done 
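Review bot: In the second loop of check_sbin, `$file` now carries `path:line`, but the inner `grep --only-matching ... "${file%%:*}"` still scans the whole file, so a file with k `@{sbin}/` lines is processed k times and every unlisted name is reported k times, each attributed to the line of the outer match rather than its own. Reading only the matched line fixes both, e.g. `done < <(sed -n "${file##*:}p" "${file%%:*}" | grep --only-matching -E "@\{sbin\}/$pattern")`. In the first loop, `$name` is interpolated unescaped into an `-E` pattern, so entries containing a dot (e.g. `fsck.btrfs`) act as wildcards; escaping the name or switching to `grep -F`-style matching would make the check exact. check_sbin begins and ends outside these hunks.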
From edcbaa1b94f511e4b3db9642718887dc98f93511 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:01:24 +0200 Subject: [PATCH 492/672] fix: add gpartedbin back to sbin.list. --- tests/sbin.list | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/sbin.list b/tests/sbin.list index 15373846c..a17f15448 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -275,6 +275,7 @@ getweb gnome-menus-blacklist gpart gparted +gpartedbin gpm groupadd groupdel From 65f96447530dccb2928b682d76c37cfb0164a76e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:37:59 +0200 Subject: [PATCH 493/672] fix: linter check. --- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/steam/steam | 4 ++-- apparmor.d/profiles-g-l/hw-probe | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0064d682b..209971ac2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -34,7 +34,7 @@ profile gvfsd-wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{sbin}/wsdd rPx, + @{bin}/wsdd rPx, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 11e863972..73c78f2ed 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -71,7 +71,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, - @{sbin}/lspci rCx -> lspci, + @{bin}/lspci rCx -> lspci, @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @@ -408,7 +408,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix receive type=stream, - @{sbin}/lspci mr, + @{bin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, 
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index fc6b8775b..f518a18f0 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -65,7 +65,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, From a4737546f76fe1f4aaa65d2ad7d5663c3a317c5d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:58:24 +0200 Subject: [PATCH 494/672] tests: update sbin.list --- apparmor.d/profiles-g-l/haveged | 2 +- tests/sbin.list | 43 ++++++++++++++++++++++++++++++--- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 910e9a2f0..5773a73fb 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -9,7 +9,7 @@ abi , include -@{exec_path} = @{bin}/haveged +@{exec_path} = @{sbin}/haveged profile haveged @{exec_path} { include diff --git a/tests/sbin.list b/tests/sbin.list index a17f15448..1adc90ee8 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1,3 +1,5 @@ +a2enmod +a2query aa-audit aa-autodep aa-cleanprof @@ -32,6 +34,7 @@ alsabat-test alsactl anacron apache2 +apache2ctl apparmor_parser apparmor_status applygnupgdefaults @@ -65,7 +68,6 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode -biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -103,6 +105,7 @@ cfdisk cgdisk chat chcpu +check_forensic check_mail_queue check-bios-nx checkproc @@ -164,7 +167,6 @@ dmevent_tool dmeventd dmfilemapd dmidecode -dmidecode dmraid dmsetup dnsmasq @@ -191,6 +193,8 @@ ec_access efibootdump efibootmgr enforce +ephemeral-disk-warning +escapesrc ethtool eventlogadm execsnoop-bpfcc 
@@ -264,8 +268,12 @@ g13-syshelp gdisk gdm gdm3 +genccode +gencmn genl +gennorm2 genprof +gensprep getcap gethostlatency-bpfcc gethostlatency.bt @@ -304,10 +312,19 @@ grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg hardirqs-bpfcc +haveged hdparm +httxt2dbm +hv_fcopy_daemon +hv_get_dhcp_info +hv_get_dns_info +hv_kvp_daemon +hv_set_ifconfig +hv_vss_daemon hwclock hwinfo iconvconfig +icupkg ifconfig ifrename ifstat @@ -321,6 +338,7 @@ installkernel integritysetup invoke-rc.d ip6tables-legacy-batch +ipmaddr ipp-usb ippevepcl ippeveprinter @@ -328,6 +346,7 @@ ippeveps ipset iptables-apply iptables-legacy-batch +iptunnel irqbalance irqbalance-ui isadump @@ -392,6 +411,7 @@ lpadmin lpc lpinfo lpmove +lsvmbus luksformat lvm lvm_import_vdo @@ -410,6 +430,7 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc +mii-tool mk_isdnhwdb mkdict mkdosfs @@ -453,7 +474,9 @@ mpathpersist multipath multipathc multipathd +mysqld mysqld_qslower-bpfcc +nameif naptime.bt needrestart netqtop-bpfcc @@ -468,6 +491,7 @@ nfsiostat nfsslower-bpfcc nfsstat nft +nginx nmbd nodegc-bpfcc nodestat-bpfcc @@ -480,6 +504,7 @@ ntfscp ntfslabel ntfsresize ntfsundelete +nvme offcputime-bpfcc offwaketime-bpfcc on_ac_power @@ -491,7 +516,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -510,12 +534,17 @@ pdata_tools perlcalls-bpfcc perlflow-bpfcc perlstat-bpfcc +pg_updatedicts +php-fpm8.3 phpcalls-bpfcc +phpenmod phpflow-bpfcc +phpquery phpstat-bpfcc pidpersec-bpfcc pidpersec.bt pivot_root +plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -552,6 +581,7 @@ pythonstat-bpfcc qemu-ga qmqp-source qshape +rarp rcfirewalld rcopenvpn rcpcscd @@ -632,6 +662,7 @@ showmount skdump sktest slabratetop-bpfcc +slattach sm-notify smart_agetty smartctl @@ -646,6 +677,7 @@ sofdsnoop-bpfcc softirqs-bpfcc solisten-bpfcc spice-vdagentd +split-logfile ss sshd sshd-gen-keys-start 
@@ -754,6 +786,7 @@ update-inetd update-info-dir update-initramfs update-java-alternatives +update-language update-locale update-mime update-passwd @@ -762,6 +795,9 @@ update-rc.d update-secureboot-policy update-shells update-smart-drivedb +update-texmf +update-texmf-config +update-tl-stacked-conffile update-xmlcatalog upgrade-from-grub-legacy usb_modeswitch @@ -793,7 +829,6 @@ visudo vmcore-dmesg vncsession vpddecode -vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc From e3bd48bd758601e17cef0d6825268e4cad55ead8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:55:17 +0200 Subject: [PATCH 495/672] build: justfile: add group. --- Justfile | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 825097a1b..4021b0e5a 100644 --- a/Justfile +++ b/Justfile @@ -64,24 +64,34 @@ help: @just --list --unsorted @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." +[group('build')] [doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +[group('build')] [doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild +[group('build')] [doc('Prebuild the profiles in complain mode')] complain: build @./{{build}}/prebuild --complain +[group('build')] [doc('Prebuild the profiles in FSP mode')] fsp: build + @./{{build}}/prebuild --full + +[group('build')] +[doc('Prebuild the profiles in FSP mode (complain)')] +fsp-complain: build @./{{build}}/prebuild --complain --full -[doc('Install the profiles')] +[group('build')] +[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail 
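Review bot: The `fsp` recipe changes behaviour here — its command drops `--complain`, so `just fsp` now prebuilds full-system-policy profiles in enforce mode while the commit title only mentions adding groups; the previous behaviour lives on under the new `fsp-complain`. That is worth a line in the commit message, and the recipe's doc string could state it, e.g. `[doc('Prebuild the profiles in FSP mode (enforced)')]`. Separately, `[doc('Install prebuild profiles')]` should read `prebuilt`. The `install` recipe body continues outside the hunk.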
@@ -108,26 +118,31 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +[group('packages')] [doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +[group('packages')] [doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +[group('packages')] [doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +[group('tests')] [doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +[group('linter')] [doc('Run the linters')] lint: golangci-lint run @@ -138,18 +153,22 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +[group('linter')] [doc('Run style checks on the profiles')] check: @bash tests/check.sh +[group('docs')] [doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +[group('docs')] [doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +[group('docs')] [doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve @@ -160,6 +179,7 @@ clean: debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +[group('packages')] [doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash @@ -175,6 +195,7 @@ package dist: fi bash dists/docker.sh $dist $version +[group('vm')] [doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} 
@@ -192,6 +213,7 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +[group('vm')] [doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @@ -211,33 +233,40 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +[group('vm')] [doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +[group('vm')] [doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` +[group('vm')] [doc('List the machines')] list: @echo -e '\033[1m Id Distribution Flavor State\033[0m' @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +[group('vm')] [doc('List the VM images')] images: #!/usr/bin/env bash @@ -254,6 +283,7 @@ images: } ' +[group('vm')] [doc('List the VM images that can be created')] available: #!/usr/bin/env bash @@ -270,6 +300,8 @@ available: } ' + +[group('tests')] [doc('Run the integration tests on the machine')] integration dist flavor: @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ @@ -280,12 +312,13 @@ integration dist flavor: @bats --recursive --timing --print-output-on-failure Projects/integration/ - +[group('internal')] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' +[group('internal')] get_osinfo dist: #!/usr/bin/env python3 osinfo = { 
From 3291d9a370f5972f67ba5d524f90312f7fbd49eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:56:18 +0200 Subject: [PATCH 496/672] fix: use mappings/sudo in su. --- apparmor.d/groups/utils/su | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index c4e83ddfa..866da3d6a 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,7 +12,7 @@ profile su @{exec_path} { include include include - include #aa:only RBAC + include #aa:only RBAC capability chown, # pseudo-terminal From cdd45bcd608545b4d84ca7826c5cf69e73883b39 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 11 Jun 2025 17:53:27 +0200 Subject: [PATCH 497/672] add xkeyboard-config-2 ressources --- apparmor.d/abstractions/desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e533992..e44377ea3 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -77,6 +77,7 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/xkeyboard-config-2/{,**} r, include if exists From c947fe6c6cb2a9cf4102f9f951d875c0af33039c Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 10:48:53 +0200 Subject: [PATCH 498/672] complete xkeyboard-config-2 permissions --- apparmor.d/abstractions/X-strict | 1 + apparmor.d/abstractions/desktop | 1 - apparmor.d/groups/systemd/systemd-localed | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 1 + 4 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index d3e2cef4f..9330d2223 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -12,6 +12,7 @@ /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions + /usr/share/xkeyboard-config-2/{,**} r, /etc/X11/cursors/{,**} r, 
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index e44377ea3..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -77,7 +77,6 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/xkeyboard-config-2/{,**} r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 3befcd92a..75d382c40 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -23,6 +23,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /usr/share/kbd/keymaps/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/.#locale.conf@{hex16} rw, /etc/.#vconsole.conf* rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index d5762a84e..64c83f5c8 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -45,6 +45,7 @@ profile software-properties-gtk @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, From 5216cbdcdefc716848bbf762ea5de92a41c52ce2 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 10:54:00 +0200 Subject: [PATCH 499/672] add more xkeyboard-config-2 ressources --- apparmor.d/abstractions/desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e533992..f53627fcc 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop 
@@ -27,6 +27,7 @@ /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, From 1f7e019500a87027fd03f89e148e52b71946e4c0 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 16:23:05 +0200 Subject: [PATCH 500/672] clean desktop abstraction --- apparmor.d/abstractions/desktop | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index f53627fcc..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -27,7 +27,6 @@ /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, - /usr/share/xkeyboard-config-2/{,**} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, From 8118bf3d23052e3319c73c29f36e376212ccb8b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 21:48:07 +0200 Subject: [PATCH 501/672] fix: pinentry gtk need access to its cmdline. fix #768 --- apparmor.d/profiles-m-r/pinentry-gtk | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index a0244956d..d07a64a5a 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -11,16 +11,12 @@ include profile pinentry-gtk @{exec_path} { include include - include - include include - include + include @{exec_path} mr, - /usr/share/gtk-@{int}.@{int}/{,**} r, - - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + @{PROC}/@{pid}/cmdline r, owner /dev/tty@{int} r, From 4cb6de3d2d440f08766a0dc1aa23df220a913418 Mon Sep 17 00:00:00 2001 
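Review bot: In the pinentry-gtk hunk, `@{PROC}/@{pid}/cmdline r,` is not owner-restricted, so it lets pinentry read the command line of any process rather than just its own, while the fix for #768 only needs the latter; `owner @{PROC}/@{pid}/cmdline r,` is the least-privilege form and matches the `owner /dev/tty@{int} r,` line right below it. For a program that handles passphrases, keeping its read surface minimal is worth the one extra word. The include names were lost in rendering, so I cannot tell whether the dropped `/usr/share/gtk-@{int}.@{int}/{,**} r,` access is now covered by the replacement include; worth confirming with a quick run in complain mode.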
From: Alexandre Pujol Date: Mon, 16 Jun 2025 21:50:22 +0200 Subject: [PATCH 502/672] fix(profile): ufw: allow kmod. fix #765 --- apparmor.d/groups/firewall/ufw | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index b7f133641..3b931fb2b 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -32,11 +32,13 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{python_path} rix, @{bin}/ r, @{bin}/cat rix, + @{bin}/echo rix, @{bin}/env r, + @{bin}/kmod rCx -> kmod, + @{lib}/ufw/ufw-init rix, @{sbin}/sysctl rix, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, - @{lib}/ufw/ufw-init rix, /etc/default/ufw rw, /etc/ufw/ rw, @@ -56,6 +58,18 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/kernel/modprobe r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + include if exists } From d3aa4ae4a12c6a1be645282aacf829be39f8e564 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:01:08 +0200 Subject: [PATCH 503/672] fix(abs): ensure generic app can run widevine. fix #764 --- apparmor.d/abstractions/common/app | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 99da31590..efb3c838b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -54,7 +54,7 @@ @{MOUNTS}/** rwl, owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/** rwlk -> @{HOME}/**, + owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{user_games_dirs}/** rmix, 
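Review bot: The new `kmod` child profile in ufw grants `capability sys_module,` without a comment explaining why a firewall tool needs to load kernel modules, and the only other rules visible here are reads under `@{sys}/module/`; the include names were lost in rendering, so I cannot tell whether the kmod binary, the module files and `@{PROC}/modules` are covered by them. Because `sys_module` allows loading arbitrary kernel code, a one-line justification next to it, e.g. `# ufw-init loads the netfilter modules it needs via modprobe` (adjusted to what it actually loads), would help the next audit. The enclosing profile starts outside the hunk.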
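Review bot: Adding `m` to `owner @{HOME}/** rwmlk -> @{HOME}/**,` lets every profile that uses this abstraction map any file under the home directory as executable code, which is far wider than the Widevine CDM library the commit is fixing; the neighbouring `owner @{HOME}/.var/app/** rmix,` and `owner @{user_games_dirs}/** rmix,` lines show the file otherwise grants `m` per directory. If the CDM's location is stable, a dedicated `owner <cdm-dir>/** mr,` rule (placeholder path) keeps the generic line at `rwlk`; if it is not, a trailing comment such as `# m: Widevine CDM is loaded from the user's profile directory` would at least record why `m` is home-wide.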
@@ -122,6 +122,7 @@ owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/io r, + owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, From 110f4ea40e7d806790952b2a7451a14f1e70e734 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:01:40 +0200 Subject: [PATCH 504/672] feat(abs): mesa: add /var/cache as fallback location. --- apparmor.d/abstractions/mesa.d/complete | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index a19166367..1d718c0b1 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -2,6 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Fallback location when @{user_cache_dirs} is not available + /var/cache/mesa_shader_cache_db/ rw, + /var/cache/mesa_shader_cache_db/index rw, + /var/cache/mesa_shader_cache_db/marker rw, + /var/cache/mesa_shader_cache_db/part@{int}/ rw, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + /var/cache/mesa_shader_cache/ rw, + /var/cache/mesa_shader_cache/@{hex2}/ rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + /var/cache/mesa_shader_cache/index rw, + /var/cache/mesa_shader_cache/marker rw, + # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, From 2941334b7ccca275cd7dbd409709d452069bd19f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:04:55 +0200 Subject: [PATCH 505/672] fix(profile): brave flag & stacked helper. fix #763 --- apparmor.d/groups/browsers/brave | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index cc3d18b58..0decb0d4b 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -14,11 +14,13 @@ include @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{exec_path} = @{lib_dirs}/@{name} -profile brave @{exec_path} { +profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave-crashpad-handler), + unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + + signal receive peer=brave//&brave-crashpad-handler, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 From 07007f93c4a5a81de933485a931db7377440f949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:06:55 +0200 Subject: [PATCH 506/672] fix(fsp): ignore not yet used mappings. --- apparmor.d/groups/utils/chfn | 1 - apparmor.d/groups/utils/chsh | 1 - 2 files changed, 2 deletions(-) diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/groups/utils/chfn index 824d92bf4..45b50c7ad 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/groups/utils/chfn @@ -15,7 +15,6 @@ profile chfn @{exec_path} { include include include - include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index a630a7733..e3581be31 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -15,7 +15,6 @@ profile chsh @{exec_path} { include include include - include #aa:only RBAC capability audit_write, capability chown, From 5ae1cc854da90f275ea6144d60a587e98bec461b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:20:13 +0200 Subject: [PATCH 507/672] fix(profile): pacman: add integration witn limine. fix #756 --- apparmor.d/groups/pacman/pacman | 1 + 1 file changed, 1 insertion(+) 
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 14753416f..e72c62667 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -81,6 +81,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/killall rix, @{sbin}/ldconfig rix, @{sbin}/locale-gen rPx, + @{bin}/limine-install rPUx, @{bin}/mkinitcpio rPx, @{sbin}/needrestart rPx, @{bin}/pacdiff rPx, From b88cf164ec5c3b8764068911f93cb240c7c19620 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:38:37 +0200 Subject: [PATCH 508/672] feat(profile): gnome-shell: allow some basic tools needed by some extensions. fix #705 --- apparmor.d/groups/gnome/gnome-shell | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1099f254d..b97d6d568 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -170,6 +170,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/gjs-console rPx, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, + @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @@ -386,8 +387,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} mr, - @{bin}/pmap rix, - @{bin}/grep rix, + @{bin}/cat rix, + @{bin}/grep rix, + @{bin}/kmod rPx -> gnome-shell//lsmod, + @{bin}/pmap rix, @{sys}/devices/system/node/ r, @@ -400,6 +403,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile lsmod flags=(attach_disconnected,mediate_deleted) { + include + include + + @{sys}/module/{,**} r, + + include if exists + } + profile pkexec { include include From 8fa7c49a6512c3e3a3b6171f64159273e894f9b6 Mon Sep 17 00:00:00 2001 
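Review bot: `@{bin}/limine-install rPUx,` in the pacman hunk falls back to unconfined execution whenever no `limine-install` profile is loaded, while the surrounding hooks (`locale-gen`, `mkinitcpio`, `needrestart`, `pacdiff`) use `rPx` and fail closed; a bootloader installer is a sensitive step to run unconfined from a confined package manager. If no profile exists yet, a trailing comment such as `# no profile yet, runs unconfined` makes the choice explicit, and a dedicated profile would let the rule become `rPx` like its neighbours. The line is also out of alphabetical order with the rest of the list (it belongs between `ldconfig` and `locale-gen`).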
From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:42:11 +0200 Subject: [PATCH 509/672] feat(profile): add firefox crashhelper --- apparmor.d/abstractions/app/firefox | 1 + .../groups/browsers/firefox-crashhelper | 26 +++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 apparmor.d/groups/browsers/firefox-crashhelper diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 73cb82070..1ea0c3b86 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,6 +58,7 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, + @{lib_dirs}/crashhelper rPx, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper new file mode 100644 index 000000000..55443a330 --- /dev/null +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ + +@{exec_path} = @{lib_dirs}/crashhelper +profile firefox-crashhelper @{exec_path} { + include + + @{exec_path} mr, + + owner "@{config_dirs}/firefox/Crash Reports/" rw, + owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + + include if exists +} + +# vim:syntax=apparmor From 011de3c301600addf6cc9ab763f61b378302c0f8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:48:16 +0200 Subject: [PATCH 510/672] feat(profile): flatpak: ensure remote can be added/removed. see #690 --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-system-helper | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) 
diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 52e9e32ef..c34ae962f 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -96,6 +96,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{tmp}/#@{int} rw, owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, + owner @{tmp}/remote-summary-sig.@{rand6} rw, + owner @{tmp}/remote-summary.@{rand6} rw, owner /dev/shm/flatpak*/{,**} rw, @{run}/.userns r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index dfaa920ac..1381a1483 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -40,7 +40,7 @@ profile flatpak-system-helper @{exec_path} { /etc/flatpak/{,**} r, /etc/machine-id r, - /usr/share/flatpak/remotes.d/ r, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, /usr/share/mime/mime.cache r, @@ -51,8 +51,8 @@ profile flatpak-system-helper @{exec_path} { owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - /tmp/remote-summary-sig.@{rand6} r, - /tmp/remote-summary.@{rand6} r, + @{tmp}/remote-summary-sig.@{rand6} r, + @{tmp}/remote-summary.@{rand6} r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, From 34f9a53a3bb8e4ab7a20127631765960ef012f29 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:53:36 +0200 Subject: [PATCH 511/672] ci: start dropping ci tests on ubuntu 22.04. --- .github/workflows/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4baa4a776..cac8fce43 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
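Review bot: In the flatpak-system-helper hunk, `@{tmp}/remote-summary-sig.@{rand6} r,` and `@{tmp}/remote-summary.@{rand6} r,` are deliberately not `owner`-restricted, because the privileged helper reads files the unprivileged `flatpak` client writes (the matching `owner ... rw` rules in the preceding flatpak hunk), so the trust boundary here is a user-controlled file in a shared temp directory. That is acceptable only if the helper verifies the summary against the remote's signing key before trusting it, which the `ostree-gpg-@{rand6}` rules suggest but do not prove; a comment above the two lines, e.g. `# written by the unprivileged client; must be signature-checked before use`, would stop a future cleanup from adding `owner` (breaking the flow) or widening the pattern without noticing the implication. The enclosing profile continues outside the hunk.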
@@ -23,8 +23,6 @@ jobs: mode: default - os: ubuntu-24.04 mode: full-system-policy - - os: ubuntu-22.04 - mode: default steps: - name: Check out repository code uses: actions/checkout@v4 From eeebcf91f3b374d2ac83fd40b9c5e7d2bace1cdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:05:50 +0200 Subject: [PATCH 512/672] feat(abs): add base-strict. For now, it is only a restructuring of the base abstraction with awareness of the apparmor.d architecture. --- apparmor.d/abstractions/base-strict | 131 ++++++++++++++++++++++ apparmor.d/abstractions/crypto.d/complete | 8 ++ apparmor.d/abstractions/glibc | 41 +++++++ apparmor.d/abstractions/ld | 23 ++++ apparmor.d/abstractions/locale | 26 +++++ 5 files changed, 229 insertions(+) create mode 100644 apparmor.d/abstractions/base-strict create mode 100644 apparmor.d/abstractions/glibc create mode 100644 apparmor.d/abstractions/ld create mode 100644 apparmor.d/abstractions/locale diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict new file mode 100644 index 000000000..0f4382bfe --- /dev/null +++ b/apparmor.d/abstractions/base-strict 
@@ -0,0 +1,131 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, It automatically replaces the base abstraction in + # profiles when the re-attached mode is enabled. + + # For now, it is only a restructuring of the base abstraction with awareness + # of the apparmor.d architecture. + + abi , + + include + include + include + include + + # Allow us to signal ourselves + signal peer=@{profile_name}, + + # Checking for PID existence is quite common so add it by default for now + signal (receive, send) set=exists, + + #aa:exclude RBAC + # Allow unconfined processes to send us signals by default + signal receive peer=unconfined, + + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + + # Htop like programs can send any signal to any process + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, + + # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd + signal receive peer=su, + signal receive peer=sudo, + signal receive set=(cont,term,kill,stop) peer=gnome-shell, + signal receive set=(cont,term,kill,stop) peer=login, + signal receive set=(cont,term,kill,stop) peer=openbox, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(cont,term,kill,stop) peer=xinit, + + # Allow other processes to read our /proc entries, futexes, perf tracing and + # kcmp for now (they will need 'read' in the first place). Administrators can + # override with: + # deny ptrace readby ... + ptrace readby, + + # Allow other processes to trace us by default (they will need 'trace' in + # the first place). 
Administrators can override with: + # deny ptrace tracedby ... + ptrace tracedby, + + # Allow us to ptrace read ourselves + ptrace read peer=@{profile_name}, + + # Allow us to create and use abstract and anonymous sockets + unix peer=(label=@{profile_name}), + + # Allow unconfined processes to us via unix sockets + unix receive peer=(label=unconfined), + + # Allow communication to children profiles + signal peer=@{profile_name}//*, + unix type=stream peer=(label=@{profile_name}//*), + + # Allow us to create abstract and anonymous sockets + unix create, + + # Allow us to getattr, getopt, setop and shutdown on unix sockets + unix (getattr, getopt, setopt, shutdown), + + # Allow all programs to use common libraries + @{lib}/** r, + @{lib}/**.so* m, + @{lib}/@{multiarch}/**.so* m, + @{lib}/@{multiarch}/** r, + + # Some applications will display license information + /usr/share/common-licenses/** r, + + # Allow access to the uuidd daemon (this daemon is a thin wrapper around + # time and getrandom()/{,u}random and, when available, runs under an + # unprivilged, dedicated user). + @{run}/uuidd/request r, + + # Transparent hugepage support + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + # Systemd's equivalent of /dev/log + @{run}/systemd/journal/dev-log w, + + # Systemd native journal API (see sd_journal_print(4)) + @{run}/systemd/journal/socket w, + + # Nested containers and anything using systemd-cat need this. 'r' shouldn't + # be required but applications fail without it. journald doesn't leak + # anything when reading so this is ok. 
+ @{run}/systemd/journal/stdout rw, + + # Allow determining the highest valid capability of the running kernel + @{PROC}/sys/kernel/cap_last_cap r, + + # Controls how core dump files are named + @{PROC}/sys/kernel/core_pattern r, + + # Sometimes used to determine kernel/user interfaces to use + @{PROC}/sys/kernel/version r, + + # Harmless and frequently used + /dev/null rw, + /dev/random r, + /dev/urandom r, + /dev/zero rw, + + # The __canary_death_handler function writes a time-stamped log + # message to /dev/log for logging by syslogd. So, /dev/log, timezones, + # and localisations of date should be available EVERYWHERE, so + # StackGuard, FormatGuard, etc., alerts can be properly logged. + /dev/log w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index a163af66d..8fb84d261 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -4,7 +4,15 @@ include + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + @{lib}/.lib*.so*.hmac r, + @{lib}/@{multiarch}/.lib*.so*.hmac r, + @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, + # Used to determine if Linux is running in FIPS mode + @{PROC}/sys/crypto/fips_enabled r, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc new file mode 100644 index 000000000..aa6e14416 --- /dev/null +++ b/apparmor.d/abstractions/glibc 
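Review bot: Several comments in the new base-strict abstraction carry typos that every profile reading it will inherit: `# Allow unconfined processes to us via unix sockets` is missing its verb (`to talk to us`), `# Allow us to getattr, getopt, setop and shutdown on unix sockets` should say `setopt` to match the rule below it, and `unprivilged` in the uuidd comment should be `unprivileged`. On the rules, `ptrace readby,` and `ptrace tracedby,` without a peer let any profile that holds `ptrace read`/`trace` inspect this one; the accompanying comment already names the `deny ptrace ... ` override as the knob, which is the right approach, so just keep that comment intact as this file diverges from upstream base.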
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Used by Glibc when binding to ephemeral ports + @{etc_ro}/bindresvport.blacklist r, + + # Depending on which Glibc routine uses this file, base may not be the + # best place -- but many profiles require it, and it is quite harmless. + @{PROC}/sys/kernel/ngroups_max r, + + # Glibc's sysconf(3) routine to determine free memory, etc + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/online r, + @{sys}/devices/system/cpu/possible r, + @{PROC}/cpuinfo r, + @{PROC}/meminfo r, + @{PROC}/stat r, + + # Glibc's *printf protections read the maps file + @{PROC}/@{pid}/auxv r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/status r, + + # Glibc statvfs + @{PROC}/filesystems r, + + # Glibc malloc (man 5 proc) + @{PROC}/sys/vm/overcommit_memory r, + + # Recent glibc uses /dev/full in preference to /dev/null for programs + # that don't have open fds at exec() + /dev/full rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld new file mode 100644 index 000000000..21ac745e2 --- /dev/null +++ b/apparmor.d/abstractions/ld @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # ld.so.cache and ld are used to load shared libraries. + # As such, they can be used everywhere + + abi , + + /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, + + @{etc_ro}/ld.so.cache mr, + @{etc_ro}/ld.so.conf r, + @{etc_ro}/ld.so.conf.d/ r, + @{etc_ro}/ld.so.conf.d/*.conf r, + @{etc_ro}/ld.so.preload r, + @{etc_ro}/ld-musl-*.path r, + + include if exists + +# vim:syntax=apparmor 
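Review bot: In the new glibc abstraction, `@{PROC}/@{pid}/auxv r,`, `@{PROC}/@{pid}/maps r,` and `@{PROC}/@{pid}/status r,` are not `owner`-restricted, so every profile that includes it may read the memory layout of any process the kernel lets it see, while the comment above them only justifies reading the process's own maps for glibc's *printf fortification. If the intent is to mirror upstream base exactly, a comment saying so would explain the width; otherwise `owner @{PROC}/@{pid}/{auxv,maps,status} r,` matches the stated purpose and the `owner` style used for per-process entries elsewhere in this series (e.g. `owner @{PROC}/@{pid}/mounts r,`).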
diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale new file mode 100644 index 000000000..873c303f5 --- /dev/null +++ b/apparmor.d/abstractions/locale @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{etc_ro}/locale.alias r, + @{etc_ro}/locale.conf r, + @{etc_ro}/locale/** r, + @{etc_ro}/localtime r, + @{etc_rw}/localtime r, + + /usr/share/**/locale/** r, + /usr/share/locale-bundle/** r, + /usr/share/locale-langpack/** r, + /usr/share/locale/ r, + /usr/share/locale/** r, + /usr/share/X11/locale/** r, + /usr/share/zoneinfo{,-icu}/ r, + /usr/share/zoneinfo{,-icu}/** r, + + include if exists + +# vim:syntax=apparmor From 7dd860f2770ea0f7668e891ac7c59e2dc4808cee Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:15:07 +0200 Subject: [PATCH 513/672] feat(profile): minor update & cosmetic. --- apparmor.d/abstractions/app/firefox | 4 +++- apparmor.d/abstractions/common/game | 4 ++-- apparmor.d/groups/apparmor/aa-log | 2 -- apparmor.d/groups/apparmor/aa-status | 4 ++-- apparmor.d/groups/bluetooth/bluetoothd | 3 ++- apparmor.d/groups/bluetooth/obexd | 2 ++ apparmor.d/groups/gnome/evolution-calendar-factory | 4 ++-- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- .../groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/kde/ksmserver-logout-greeter | 1 - apparmor.d/groups/ssh/sshd | 8 +++++--- .../systemd-generators/systemd-generator-ssh | 4 ++++ .../systemd-generators/systemd-generator-tpm2 | 1 + apparmor.d/groups/systemd/systemd-localed | 1 + apparmor.d/groups/utils/lspci | 4 ---- apparmor.d/profiles-a-f/fwupd | 1 + apparmor.d/profiles-g-l/haveged | 7 +++---- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-m-r/mandb | 8 ++++---- apparmor.d/profiles-m-r/mimetype | 1 - apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 3 ++- apparmor.d/profiles-m-r/pcscd | 14 +++++++------- 25 files changed, 47 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 1ea0c3b86..d988f608c 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -26,7 +26,7 @@ include include include - include + include include include include 
@@ -126,6 +126,8 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 3b4a982f1..6b97b014c 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -6,9 +6,9 @@ # wine, proton, game launchers should use this abstraction. # This abstraction uses the following tunables: -# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories +# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") -# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) +# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir) abi , diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 03352e8bf..1a3e0aeff 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -21,8 +21,6 @@ profile aa-log @{exec_path} { /var/log/audit/* r, /var/log/syslog* r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /dev/tty@{int} rw, profile journalctl { diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status index 17de74439..9badb78c1 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/groups/apparmor/aa-status 
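Review bot: `@{sys}/devices/virtual/dmi/id/product_name r,` and `@{sys}/devices/virtual/dmi/id/product_sku r,` in the firefox abstraction hunk expose the machine's hardware model to the browser process, a small but real addition to its fingerprinting surface. If these reads serve a specific feature, a trailing comment naming it (in the style of `# for HID-Compliant Keyboard` used in bluetoothd in this same series) would let a later reviewer judge whether they can be dropped; if they only silence a denial log, that is worth saying too.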
@@ -22,8 +22,8 @@ profile aa-status @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/ r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 8ca699aaf..aa84eebd9 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -45,7 +45,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 5c1a7633e..efb5f42e4 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -31,6 +31,8 @@ profile obexd @{exec_path} { owner @{HOME}/bluetooth/* rw, + @{run}/systemd/users/@{uid} r, + include if exists } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 25f8ecc7f..fba734ad4 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -71,8 +71,8 @@ profile evolution-calendar-factory @{exec_path} { owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, - owner @{user_share_dirs}/evolution/tasks/system/ w, - owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw, + owner @{user_share_dirs}/evolution/memos/system/{,**} rw, + owner @{user_share_dirs}/evolution/tasks/system/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, 
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 4063fc473..40b8bc9b5 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 56445aeac..1b12a68cd 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,7 +45,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index db440bf4c..f084e7b12 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -39,6 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index de8643100..87c3d4104 100644 --- a/apparmor.d/groups/grub/grub-mkconfig 
+++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 01fe51783..67e56c3c6 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -53,7 +53,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/exe r, - owner @{PROC}/@{pid}/status r, include if exists } diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index cc12a9eec..a514e7c99 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -29,8 +29,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability audit_write, capability chown, - capability dac_read_search, capability dac_override, + capability dac_read_search, capability fowner, capability kill, capability net_bind_service, @@ -50,9 +50,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(hup) peer=@{p_systemd}, + unix type=stream peer=(label=sshd-session), - ptrace (read,trace) peer=@{p_systemd}, + signal receive set=hup peer=@{p_systemd}, + + ptrace (read trace) peer=@{p_systemd}, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh index efb56468e..0f6aa11d9 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh 
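Review bot: The rewritten rule `ptrace (read trace) peer=@{p_systemd},` still grants sshd `trace` over PID 1, which is a much stronger permission than anything a login daemon should need; `read` alone covers reading `@{PROC}/1/` entries, which is presumably what this is for. If nothing actually attaches a tracer to systemd, change it to `ptrace read peer=@{p_systemd},`; if `trace` really is required, a comment naming the code path would avoid this coming up again. The new `unix type=stream peer=(label=sshd-session),` carries no access qualifier and so permits every socket operation toward the session peer; that is probably intended for the listener/session split, but worth stating in a comment since the hunk gives no hint.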
@@ -30,8 +30,12 @@ profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/firmware/dmi/entries/*/raw r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 index 4d601d0f9..ee5d924cc 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -15,6 +15,7 @@ profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sys}/class/tpmrm/ r, + @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 75d382c40..104a141ce 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -21,6 +21,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /usr/share/kbd/keymaps/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index b390346bb..0ae22a03a 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,12 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include - capability sys_admin, - @{exec_path} mr, - /app/lib/libzypak-preload-host*.so rm, - /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, /usr/share/misc/pci.ids.gz r, 
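Review bot: `@{sys}/firmware/dmi/entries/*/raw r,` exposes every raw SMBIOS table to the generator, including the serial numbers and asset tags carried in types 1–3, when the thing a systemd generator typically parses is only the Type 11 OEM strings. If that is the case here, narrow the rule to `@{sys}/firmware/dmi/entries/11-@{int}/raw r,` and add `# SMBIOS Type 11 OEM strings` so the intent is visible. The generator runs as root, so this is a least-privilege point rather than an exposure, but the other added `dmi/id/*` lines show the pattern of naming exactly what is read, and the raw-table rule should follow it.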
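Review bot: The added `/usr/share/xkeyboard-config-2/{,**} r,` duplicates the identical rule that is already present two context lines below it (the last line of this hunk), so the hunk introduces a redundant and out-of-order rule rather than a new permission. Drop the added line and keep the existing one, which already sits in the sorted position after `/usr/share/X11/xkb/{,**} r,`.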
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 5fb948234..961b55c97 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -52,6 +52,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, /usr/share/mime/mime.cache r, + /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, /etc/lsb-release r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 5773a73fb..527629202 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -20,10 +20,9 @@ profile haveged @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/poolsize r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, - owner @{PROC}/@{pid}/status r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 3f3134400..dd653bd61 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -29,7 +29,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 4826337d0..cd825471d 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/mandb -profile mandb @{exec_path} flags=(complain) { +profile mandb @{exec_path} { include include include 
@@ -20,9 +20,6 @@ profile mandb @{exec_path} flags=(complain) { /etc/man_db.conf r, /etc/manpath.config r, - /var/cache/man/ r, - /var/cache/man/** rwk, - /usr/share/man/{,**} r, /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, @@ -32,6 +29,9 @@ profile mandb @{exec_path} flags=(complain) { /usr/share/**/man/man@{u8}/*.@{int}.gz r, + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + owner @{user_share_dirs}/man/** rwk, include if exists diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index d6823da9b..cf8431c7a 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -13,7 +13,6 @@ profile mimetype @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /usr/share/mime/**.xml r, /usr/share/mime/globs r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index 41fa96c4c..9b3525fa5 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -13,7 +13,7 @@ profile needrestart-notify @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace read peer=unconfined, + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 90cc6a4ba..947fb2f4e 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -14,8 +14,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { @{exec_path} mrix, - @{bin}/md5sum ix, @{bin}/cp ix, + @{bin}/md5sum ix, + @{bin}/stty ix, /usr/share/pam{,-configs}/{,*} r, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 67e0ee74e..d5bcc4293 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd 
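Review bot: Replacing `ptrace read peer=unconfined,` with the bare `ptrace read,` widens the rule from unconfined peers to every label on the system, and combined with the `capability sys_ptrace` and `capability dac_read_search` lines in the same context this lets needrestart-notify read `@{PROC}/@{pid}/` state of every confined process. If the widening is needed because the daemons it inspects are now confined, list them the way the pcscd profile in this same patch does (`ptrace read peer=<profile>,` per peer) or at least add `# Needs to read /proc of confined daemons to notify their users` so the scope is deliberate. As written the change is indistinguishable from an accidental loss of the peer restriction.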
@@ -16,13 +16,13 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace (read) peer=@{p_systemd_user}, - ptrace (read) peer=gsd-smartcard, - ptrace (read) peer=keepassxc, - ptrace (read) peer=pkcs11-register, - ptrace (read) peer=rngd, - ptrace (read) peer=scdaemon, - ptrace (read) peer=veracrypt, + ptrace read peer=@{p_systemd_user}, + ptrace read peer=gsd-smartcard, + ptrace read peer=keepassxc, + ptrace read peer=pkcs11-register, + ptrace read peer=rngd, + ptrace read peer=scdaemon, + ptrace read peer=veracrypt, @{exec_path} mr, From 1118d2ffc5bdde1def44447be76715d55f10bd5a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:17:45 +0200 Subject: [PATCH 514/672] build: use the base-strict abstraction automatically. --- apparmor.d/abstractions/attached/base | 6 +++--- pkg/prebuild/builder/attach.go | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 4c35d915d..e394c5b99 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,14 +8,14 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/stdout rw, - deny /apparmor/.null rw, - deny @{att}/apparmor/.null rw, + /apparmor/.null rw, + @{att}/apparmor/.null rw, include if exists diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index f7f0c9bed..aeafcbf7d 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -49,6 +49,10 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } else { insert = "@{att} = /\n" + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) } return strings.Replace(profile, origin, insert+origin, 1), nil From 390a8b1b011dbb335c1054ea5124a02423925da2 Mon Sep 17 00:00:00 2001 
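Review bot: Turning `deny /apparmor/.null rw,` and `deny @{att}/apparmor/.null rw,` into allow rules is a semantic change in a commit described as a build change, and the message does not say why the `.null` file should now be reachable rather than silently denied. The two are not equivalent: a `deny` rule both blocks and quiets the access, whereas the new rules grant it, so any file descriptor the kernel redirected to `.null` becomes read/writable from the attached profile. If the goal was only to stop the denials from surfacing, keep the `deny` form; if the access is genuinely needed, add a one-line comment above the pair explaining what uses it.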
From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:20:03 +0200 Subject: [PATCH 515/672] build: add the fsp-debug build command. --- Justfile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 4021b0e5a..109cfed3b 100644 --- a/Justfile +++ b/Justfile @@ -90,6 +90,11 @@ fsp: build fsp-complain: build @./{{build}}/prebuild --complain --full +[group('build')] +[doc('Prebuild the profiles in FSP mode (debug)')] +fsp-debug: build + @./{{build}}/prebuild --complain --full --debug + [group('build')] [doc('Install prebuild profiles')] install: @@ -312,13 +317,13 @@ integration dist flavor: @bats --recursive --timing --print-output-on-failure Projects/integration/ -[group('internal')] +[private] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' -[group('internal')] +[private] get_osinfo dist: #!/usr/bin/env python3 osinfo = { From d01b7ce7d6e0a701e59c9eb3adf780cefb7935b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:42:30 +0200 Subject: [PATCH 516/672] chore: cleanup linter issue. --- apparmor.d/abstractions/base-strict | 2 +- pkg/aa/apparmor_test.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 0f4382bfe..818a4937f 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -8,7 +8,7 @@ # Do not use it manually, It automatically replaces the base abstraction in # profiles when the re-attached mode is enabled. - # For now, it is only a restructuring of the base abstraction with awareness + # For now, it is only a restructuring of the base abstraction with awareness # of the apparmor.d architecture. abi , diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 71be0ba0a..172cfc2b5 100644 --- a/pkg/aa/apparmor_test.go 
+++ b/pkg/aa/apparmor_test.go @@ -223,11 +223,11 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"}, &Capability{Names: []string{"dac_read_search"}}, &File{Path: "@{exec_path}", Access: []string{"m", "r"}}, - &File{Path: "@{PROC}/@{pids}/attr/apparmor/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/apparmor/current", Access: []string{"r"}}, &File{Path: "@{PROC}/", Access: []string{"r"}}, &File{Path: "@{sys}/module/apparmor/parameters/enabled", Access: []string{"r"}}, &File{Path: "@{sys}/kernel/security/apparmor/profiles", Access: []string{"r"}}, - &File{Path: "@{PROC}/@{pids}/attr/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/current", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/consoles"}, &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/base"}, From fc45e5ee66b7b9b2c3d0c15fd095991b591a2313 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:18:39 +0200 Subject: [PATCH 517/672] feat(fsp): add initial sd-umount. --- apparmor.d/groups/_full/sd-umount | 34 +++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/groups/_full/sd-umount diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount new file mode 100644 index 000000000..e5d67f0a9 --- /dev/null +++ b/apparmor.d/groups/_full/sd-umount 
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-umount is a subprofile of sd responsible to handle unmounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-umount.d directory + +abi , + +include + +@{exec_path} = @{bin}/umount +profile sd-umount flags=(complain) { + include + + capability sys_admin, + + umount @{efi}, + + @{exec_path} mr, + + @{PROC}/@{pid}/mountinfo r, + + include if exists + include if exists +} + +# vim:syntax=apparmor From 0478e62f56d238d82e873b4174645597249ade77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:19:43 +0200 Subject: [PATCH 518/672] feat(fsp): sd/sdu: improve integration with stacked profiles. --- apparmor.d/groups/_full/sd | 5 +++-- apparmor.d/groups/_full/sdu | 16 ++++++++++++++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 44b3a9b7d..48172638e 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -165,6 +165,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{lib}/{,**} r, @{sbin}/{,*} r, /usr/share/** r, + /etc/*/ w, /etc/** rk, /home/ r, @@ -181,8 +182,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, - @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, @{att}/@{run}/systemd/notify rw, 
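Review bot: `/etc/*/ w,` lets PID 1 create or remove any directory directly under `/etc`, which is a broad grant for a hunk whose commit message talks about integration with stacked profiles; the neighbouring `/etc/** rk,` shows the profile otherwise only reads there. If a specific directory is being created (a generator or tmpfiles target, presumably), name it, e.g. `/etc/<dir>/ w,`, or add a comment stating which service needs the mkdir so the wildcard is not widened further by accident. The profile is still in complain mode so this is not enforced yet, but it will be once the flag is dropped.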
diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 411a8c3ad..c9338fd22 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -24,6 +24,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include network netlink raw, @@ -71,16 +72,27 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, - owner @{user_state_dirs}/wireplumber/ r, + owner @{user_state_dirs}/wireplumber/ rw, owner @{user_state_dirs}/wireplumber/stream-properties rw, owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{int} r, - @{run}/udev/data/c116:@{int} r, # for ALSA + @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, + @{sys}/bus/media/devices/ r, + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, + @{sys}/devices/**/device:*/{,**/}path r, + @{sys}/devices/**/sound/**/pcm_class r, + @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/sound/seq/uevent r, From e7f25571d0865cd08bceac7c4e5bba845a8805a2 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:22:34 +0200 Subject: [PATCH 519/672] chore(profile): rename netplan.script to netplan. --- apparmor.d/groups/network/{netplan.script => netplan} | 8 ++++---- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- dists/flags/main.flags | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) rename apparmor.d/groups/network/{netplan.script => netplan} (81%) diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan similarity index 81% rename from apparmor.d/groups/network/netplan.script rename to apparmor.d/groups/network/netplan index 094726865..5855131a8 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/netplan/netplan.script -profile netplan.script @{exec_path} flags=(attach_disconnected) { +profile netplan @{exec_path} flags=(attach_disconnected) { include include include @@ -33,7 +33,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - include if exists + include if exists } profile systemctl { @@ -42,10 +42,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { capability net_admin, - include if exists + include if exists } - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 916279378..840e33cdd 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -38,7 +38,7 @@ profile subiquity-console-conf @{exec_path} { @{sbin}/sshd rPx, @{bin}/snap rPUx, /usr/lib/snapd/snap-recovery-chooser rPUx, - /usr/share/netplan/netplan.script rPUx, # TODO: rPx, + /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, /usr/share/subiquity/console-conf-tui rix, 
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 77ea8761f..71670d4d7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -240,7 +240,7 @@ multipathd complain needrestart-hook complain needrestart-notify complain needrestart-restart complain -netplan.script attach_disconnected,complain +netplan attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain From 0e4cc45a5b19e7503f51914cda745da46732b449 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 20:03:53 +0200 Subject: [PATCH 520/672] tests: simplify sbin check. --- tests/check.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index add9b0685..b1783bf8e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -353,11 +353,9 @@ check_sbin() { for file in "${files[@]}"; do ( while read -r match; do - if [[ $match =~ (@\{sbin\}/($pattern)) ]]; then - name="${BASH_REMATCH[2]}" - if ! _in_array "$name" "${sbin[@]}"; then - _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" - fi + name="${match/\@\{sbin\}\//}" + if ! _in_array "$name" "${sbin[@]}"; then + _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & From d2dbf771cc7fb08235b8305afb967053c25a38cb Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:07:17 +0200 Subject: [PATCH 521/672] feat(profiles): ensure we use {,e}grep instead of grep. --- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/dpkg-script-apparmor | 2 +- apparmor.d/groups/browsers/torbrowser-launcher | 2 +- apparmor.d/groups/browsers/torbrowser-start | 2 +- apparmor.d/groups/cron/cron-ntp | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/filesystem/lvmpolld | 2 +- apparmor.d/groups/freedesktop/plymouth-set-default-theme | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/startplasma | 2 +- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/pacman/pacman-key | 2 +- apparmor.d/groups/ssh/ssh-agent-launch | 2 +- .../groups/systemd-generators/systemd-generator-ds-identify | 2 +- apparmor.d/groups/systemd-service/grub-common.service | 2 +- apparmor.d/groups/systemd/systemd-sleep-grub | 2 +- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/ubuntu/ubuntu-fan-net | 2 +- apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 2 +- apparmor.d/groups/whonix/anondate | 2 +- apparmor.d/groups/whonix/pam-info | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/groups/whonix/systemcheck-canary | 2 +- apparmor.d/groups/whonix/torbrowser-wrapper | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-a-f/ddcutil | 2 +- apparmor.d/profiles-a-f/finalrd | 2 +- apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/install-catalog | 2 +- apparmor.d/profiles-g-l/kdump-config | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo.wrapper 
| 2 +- apparmor.d/profiles-g-l/language-validate | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-g-l/logrotate | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-s-z/secure-time-sync | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/syncoid | 2 +- apparmor.d/profiles-s-z/sysstat-sa | 2 +- apparmor.d/profiles-s-z/tlp | 2 +- apparmor.d/profiles-s-z/ucfr | 2 +- apparmor.d/profiles-s-z/update-cracklib | 2 +- apparmor.d/profiles-s-z/veracrypt | 2 +- apparmor.d/profiles-s-z/whatis | 2 +- apparmor.d/profiles-s-z/zed | 2 +- 55 files changed, 55 insertions(+), 55 deletions(-) diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 08e1400b2..bd2f7fbb0 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -25,7 +25,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/ls rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index e9a03f282..122e4541e 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -13,7 +13,7 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mrix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-invoke Px, diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher index 0f6273107..4969a14c3 100644 --- a/apparmor.d/groups/browsers/torbrowser-launcher +++ b/apparmor.d/groups/browsers/torbrowser-launcher 
@@ -32,7 +32,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/sed ix, @{bin}/tail ix, diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start index 58bb31ac8..ce6a3678c 100644 --- a/apparmor.d/groups/browsers/torbrowser-start +++ b/apparmor.d/groups/browsers/torbrowser-start @@ -22,7 +22,7 @@ profile torbrowser-start @{exec_path} { @{bin}/expr ix, @{bin}/file ix, @{bin}/getconf ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/ln ix, @{bin}/mkdir ix, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index 17ab7f745..7221cc6e1 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -14,7 +14,7 @@ profile cron-ntp @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/sed rix, include if exists diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 63a664096..fa6e9874f 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/cat rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 6eeeaa414..b3658b738 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -50,7 +50,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 052180a99..d110fb83b 100644 
--- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -25,7 +25,7 @@ profile xdm-xsession @{exec_path} { @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/filesystem/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld index 4168ad4fe..cce01b0d0 100644 --- a/apparmor.d/groups/filesystem/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -13,7 +13,7 @@ profile lvmpolld @{exec_path} { include @{exec_path} rm, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/umount rPx, @{run}/lvmpolld.pid rwk, diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index b9b2cfd45..da13572e5 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -15,7 +15,7 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/plymouth rPx, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 2f9077d19..85b3268dd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -67,7 +67,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{bin}/gcm-viewer rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/sed rix, @{bin}/tecla rPx, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index e0ff334db..1f29958d1 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session 
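Review bot: `@{bin}/{,e}grep rix,` in lvmpolld adds `egrep`, but on current GNU grep `egrep` is a `#!/bin/sh` wrapper, and the visible rules of this profile contain no `@{sh_path}` rule, so executing it under `ix` would still fail on the interpreter exec; the change is therefore either incomplete or unnecessary here. If lvmpolld really calls `egrep`, also add `@{sh_path} rix,`; if it only ever calls `grep`, the original `@{bin}/grep rix,` is the tighter rule and the mechanical rewrite should skip this daemon. The same consideration applies to the other non-script profiles touched by this patch (gnome-shell has `@{sh_path} mr`, but several hunks show no shell rule at all).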
@@ -20,7 +20,7 @@ profile gnome-session @{exec_path} { @{bin}/find rix, @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/head rix, @{bin}/id rix, @{bin}/locale rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b97d6d568..e977af95e 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -388,7 +388,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} mr, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kmod rPx -> gnome-shell//lsmod, @{bin}/pmap rix, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index ebb150ed2..45c382855 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -24,7 +24,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sh_path} rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, @{bin}/uname rPx, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index b69d7fdb9..004b89d57 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -21,7 +21,7 @@ profile startplasma @{exec_path} { @{sh_path} rix, @{bin}/env rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kapplymousetheme rPUx, @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 87207e2b7..87a418153 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -42,7 +42,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chronyc rPUx, @{bin}/date rix, @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, 
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index a7a7bf225..df9af9fef 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -30,7 +30,7 @@ profile aurpublish @{exec_path} { @{bin}/gettext rix, @{bin}/git rPx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 287bc026a..025d87b29 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -22,7 +22,7 @@ profile pacman-key @{exec_path} { @{bin}/chmod rix, @{bin}/gettext rix, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ngettext rix, @{bin}/pacman-conf rPx, @{bin}/touch rix, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index c9f0c6373..86bd0866f 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -15,7 +15,7 @@ profile ssh-agent-launch @{exec_path} { @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ssh-agent rPx, /etc/X11/Xsession.options r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify index ba6141d86..daa877efe 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify @@ -17,7 +17,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, 
diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service index 4abd74fb1..f8cf34f25 100644 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -14,7 +14,7 @@ profile grub-common.service { include @{sh_path} rix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/grub-editenv rix, @{bin}/mkdir ix, @{bin}/rm ix, diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub b/apparmor.d/groups/systemd/systemd-sleep-grub index b2b42bf44..38be5772f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub +++ b/apparmor.d/groups/systemd/systemd-sleep-grub @@ -14,7 +14,7 @@ profile systemd-sleep-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/uname rix, /etc/sysconfig/bootloader r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 9fd065db3..a80a4f729 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -16,7 +16,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 840e33cdd..dc67817ed 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -24,7 +24,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net index f9d7c01f5..74fe83551 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net 
@@ -14,7 +14,7 @@ profile ubuntu-fan-net @{exec_path} { @{sh_path} mr, @{bin}/{m,g,}awk ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/networkctl Px, @{sbin}/fanctl Px, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 0573f38bf..c244f2902 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -18,7 +18,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{bin}/cat rix, @{bin}/cut rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{bin}/mount rCx -> mount, @{bin}/stat rix, diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index 27e4eb594..325535cce 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate @@ -19,7 +19,7 @@ profile anondate @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, @{bin}/systemd-cat rix, diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 1cc3e7668..23ab3aeb4 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -15,7 +15,7 @@ profile pam-info @{exec_path} { @{sh_path} rix, @{sbin}/faillock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/str_replace rix, @{bin}/wc rix, @{bin}/whoami rix, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index e76570b34..10f30b50b 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -20,7 +20,7 @@ profile rads @{exec_path} { @{bin}/chvt rix, @{bin}/free rix, @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index d34f8087c..dbe561ab6 100644 --- a/apparmor.d/groups/whonix/sdwdate 
+++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index 4130d9cd9..17bedc43b 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary @@ -14,7 +14,7 @@ profile systemcheck-canary @{exec_path} { @{exec_path} mr, @{bin}/sleep rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/whoami rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index fc20ad0fb..c86d91099 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -20,7 +20,7 @@ profile torbrowser-wrapper @{exec_path} { @{bin}/basename ix, @{bin}/cp ix, @{bin}/dirname ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index d56782267..83806e753 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -16,7 +16,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{sh_path} rix, @{sbin}/dmsetup rPUx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, @{sbin}/lvm rPx, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index c752dcbb8..7c353bf65 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -21,7 +21,7 @@ profile ddcutil @{exec_path} { @{bin}/find rix, @{bin}/sed rix, @{bin}/xargs rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, / r, 
diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index d8f2f819e..b22730a27 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -24,7 +24,7 @@ profile finalrd @{exec_path} { @{bin}/dirname ix, @{bin}/env ix, @{bin}/find ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/ln ix, @{bin}/mkdir ix, @{bin}/mount ix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 795c92f00..779dd8e67 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -17,7 +17,7 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, /usr/lib/modprobe.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index b1a56c41d..6a26d4dea 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -16,7 +16,7 @@ profile install-catalog @{exec_path} { @{sh_path} rix, @{bin}/basename rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 2b3516202..f8b75f742 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -25,7 +25,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{bin}/file ix, @{bin}/find ix, @{bin}/flock ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index aeac3e6a1..056b2d83c 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper 
@@ -25,7 +25,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/landscape-sysinfo rPx, / r, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index bf999b79e..80f914fab 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -15,7 +15,7 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, /usr/share/locale-langpack/{,*} r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 191ac5782..8cc8a65e1 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -43,7 +43,7 @@ profile libreoffice @{exec_path} { @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ls rix, @{bin}/paperconf rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 8d3dc2171..0dee9ed6a 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -30,7 +30,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{sbin}/invoke-rc.d rix, @{bin}/kill rix, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index cd2ddc0e6..013143152 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -19,7 +19,7 @@ profile modprobed-db @{exec_path} { @{bin}/cut rix, @{bin}/gawk rix, @{bin}/getent rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logname rix, @{bin}/md5sum rix, @{bin}/rm rix, 
diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index e5ee2fd8f..4474c1bfc 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -15,7 +15,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{sh_path} rix, @{bin}/bzip2 rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/lzop rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 5ae5df7e6..d13099bc3 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -24,7 +24,7 @@ profile pass @{exec_path} { @{bin}/env r, @{bin}/find ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/head ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 51016373d..9c3f6d9df 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -23,7 +23,7 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/curl rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rPx, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 1a0bd0ea9..dfd488a48 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -28,7 +28,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 821a3fd63..e275fb764 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid 
@@ -15,7 +15,7 @@ profile syncoid @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mbuffer rix, @{bin}/perl rix, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa index 37f5e3ca1..9dcc199bc 100644 --- a/apparmor.d/profiles-s-z/sysstat-sa +++ b/apparmor.d/profiles-s-z/sysstat-sa @@ -17,7 +17,7 @@ profile sysstat-sa @{exec_path} { @{sh_path} rix, @{bin}/date ix, @{bin}/find ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/rm ix, @{bin}/sar.sysstat ix, @{bin}/xargs ix, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index c01edd9ec..9faea6e3e 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -32,7 +32,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/cp rix, @{sbin}/ethtool rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{sbin}/hdparm rPx, @{bin}/head rix, @{bin}/id rPx, diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index b38f8aae4..add5c5b64 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -16,7 +16,7 @@ profile ucfr @{exec_path} { @{bin}/basename ix, @{bin}/{m,g,}awk ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/readlink ix, @{bin}/sed ix, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index b7f00b263..8f848b0ad 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -21,7 +21,7 @@ profile update-cracklib @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/install rix, @{bin}/install rix, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 1e5417b15..b9b92a721 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt 
@@ -30,7 +30,7 @@ profile veracrypt @{exec_path} {
 @{sh_path} rix,
 @{open_path} rPx -> child-open-help,
 @{sbin}/dmsetup rPx,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
 @{bin}/kmod rix,
 @{sbin}/ldconfig rix,
 @{sbin}/losetup rCx -> losetup,
diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis
index 43fa8ff09..3febd0b0b 100644
--- a/apparmor.d/profiles-s-z/whatis
+++ b/apparmor.d/profiles-s-z/whatis
@@ -13,7 +13,7 @@ profile whatis @{exec_path} {
 include
 @{exec_path} mr,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
 /usr/{,**/}man/{,**/}{,whatis} r,
diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed
index bb160a5e5..b131897d4 100644
--- a/apparmor.d/profiles-s-z/zed
+++ b/apparmor.d/profiles-s-z/zed
@@ -23,7 +23,7 @@ profile zed @{exec_path} {
 @{bin}/diff rix,
 @{bin}/expr rix,
 @{bin}/flock rix,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
 @{bin}/hostname rix,
 @{bin}/logger rix,
 @{bin}/ls rix,
From be62e5186f739b2316fc8ac2c22c3a5be37ad163 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 19 Jun 2025 23:16:16 +0200
Subject: [PATCH 522/672] feat(profiles): ensure we use which{,.debianutils} instead of which.
---
apparmor.d/abstractions/app/editor | 2 +-
apparmor.d/groups/apt/apt-systemd-daily | 2 +-
apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +-
apparmor.d/groups/browsers/brave-wrapper | 2 +-
apparmor.d/groups/browsers/chrome-wrapper | 2 +-
apparmor.d/groups/browsers/msedge-wrapper | 2 +-
apparmor.d/groups/cron/cron-apt-compat | 2 +-
apparmor.d/groups/cron/cron-apt-xapian-index | 3 +--
apparmor.d/groups/cron/cron-aptitude | 2 +-
apparmor.d/groups/cron/cron-mlocate | 2 +-
apparmor.d/groups/cron/cron-plocate | 2 +-
apparmor.d/groups/cron/cron-popularity-contest | 2 +-
apparmor.d/groups/display-manager/x11-xsession | 2 +-
apparmor.d/groups/gnome/gdm-xsession | 2 +-
apparmor.d/groups/kde/sddm-xsession | 2 +-
apparmor.d/groups/network/openvpn | 2 +-
apparmor.d/groups/pacman/pacman | 2 +-
apparmor.d/groups/ubuntu/apport-gtk | 2 +-
apparmor.d/profiles-a-f/anyremote | 2 +-
apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +-
apparmor.d/profiles-a-f/claws-mail | 2 +-
apparmor.d/profiles-g-l/ganyremote | 2 +-
apparmor.d/profiles-g-l/gsmartcontrol-root | 2 +-
apparmor.d/profiles-g-l/kanyremote | 2 +-
apparmor.d/profiles-g-l/kernel | 2 +-
apparmor.d/profiles-m-r/mumble-overlay | 2 +-
apparmor.d/profiles-m-r/openbox | 2 +-
apparmor.d/profiles-m-r/os-prober | 2 +-
apparmor.d/profiles-m-r/pass | 2 +-
apparmor.d/profiles-m-r/pokemmo | 2 +-
apparmor.d/profiles-m-r/protonmail-bridge-core | 2 +-
apparmor.d/profiles-s-z/ucf | 2 +-
apparmor.d/profiles-s-z/update-pciids | 2 +-
apparmor.d/profiles-s-z/uupdate | 2 +-
apparmor.d/profiles-s-z/xinit | 2 +-
35 files changed, 35 insertions(+), 36 deletions(-)
diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor
index f62e36339..2bd14077b 100644
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@@ -13,7 +13,7 @@ @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index bd2f7fbb0..4f0d4e36b 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index 59f7a54f6..a2f5e2050 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index 7001da3fe..b4f70689c 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -23,7 +23,7 @@ profile brave-wrapper @{exec_path} { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/brave rPx, diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 0a97d4052..709eb79a1 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -22,7 +22,7 @@ profile chrome-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/chrome rPx, 
diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 3da31e332..8268db2e1 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -22,7 +22,7 @@ profile msedge-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/msedge rPx, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 1778d4b7e..fcf5e4430 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -22,7 +22,7 @@ profile cron-apt-compat @{exec_path} { @{bin}/dd rix, @{bin}/cksum rix, @{bin}/cut rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/sleep rix, include if exists diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 83eb22428..15f93efec 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -14,9 +14,8 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/{,e}grep rix, - @{bin}/nice rix, @{bin}/ionice rix, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index a471b2844..82b33e8ab 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index ec9690938..f91956bcd 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate 
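Review bot: The cron-apt-xapian-index hunk removes `@{bin}/nice rix,` on top of the which rename that the commit subject describes, which is why that file shows 1 insertion and 2 deletions in the diffstat while every other file shows 1 and 1. Dropping an exec permission is a behavioural change: if the cron script still calls nice, the exec is now denied and the job fails, and nothing in the message says why the line is no longer needed. Either keep `@{bin}/nice rix,` or move the removal to its own commit with a one-line justification. The profile's body starts and ends outside the hunk.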
@@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 0604eba3a..7f52d1a14 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index fa6e9874f..44d3a546f 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 4eb916aab..361a30b26 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 9804ddcb0..03e77816c 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -35,7 +35,7 @@ profile gdm-xsession @{exec_path} { @{bin}/tr rix, @{bin}/truncate rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, 
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b5cceee95..f27f3dc3c 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -40,7 +40,7 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.*} rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 6431ee98a..a6ff1a939 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -84,7 +84,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, @{bin}/ip rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index e72c62667..e9f3bf807 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -101,7 +101,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{sbin}/update-grub rPx, @{bin}/update-mime-database rPx, @{bin}/vercmp rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index bb5cd329c..5a4e130a0 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -52,7 +52,7 @@ profile apport-gtk @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, 
diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 6af2cd38d..43ecdb0cd 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -41,7 +41,7 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 43edd3233..a10df8394 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -20,7 +20,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { @{bin}/gzip rix, @{bin}/precat rix, @{bin}/prezip-bin rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zcat rix, @{bin}/dpkg-trigger rPx, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index bb7dfd3b8..263bb5794 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -24,7 +24,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index b2dc7b92d..727bf8cdf 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 515d2234c..4fdb1084b 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root 
@@ -15,7 +15,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 10e085799..91eb37c58 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 133cf8ae7..6bc2c8961 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -33,7 +33,7 @@ profile kernel @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index c077f3836..86792860c 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index e4e8a36e2..899290792 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run @{bin}/* rPUx, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 162c0b743..da853aa9a 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober 
@@ -51,7 +51,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index d13099bc3..096f0316a 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo index 111b157c5..324b08f17 100644 --- a/apparmor.d/profiles-m-r/pokemmo +++ b/apparmor.d/profiles-m-r/pokemmo @@ -37,7 +37,7 @@ profile pokemmo @{exec_path} flags=(attach_disconnected) { @{bin}/java ix, @{bin}/perl ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{lib}/jvm/java-@{int}-openjdk/bin/java ix, # Installer diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ee7adab75..45c6766e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -72,7 +72,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { @{bin}/tail rix, @{bin}/tree rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, owner @{user_passwordstore_dirs}/ r, owner @{user_passwordstore_dirs}/.gpg-id r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 0a7b992b6..3c3374d85 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -33,7 +33,7 @@ profile ucf @{exec_path} { @{bin}/seq rix, @{bin}/stat rix, @{bin}/tr rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dpkg-query rpx, @{bin}/dpkg-divert rPx, 
diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index bba603690..901dae9a0 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index eb26a4967..88a6cd406 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 61151a7db..9abc02350 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -35,7 +35,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, From 27907e5a17e3720e6b369ea62256eb7d36551b92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:27:34 +0200 Subject: [PATCH 523/672] feat(profiles): ensure we use {m,g,}awk instead of awk. --- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/profiles-g-l/kernel-postinst-kdump | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/tomb | 3 +-- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- 7 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 87a418153..029a5e39a 100644 --- a/apparmor.d/groups/network/nm-dispatcher 
+++ b/apparmor.d/groups/network/nm-dispatcher @@ -41,7 +41,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chown rix, @{bin}/chronyc rPUx, @{bin}/date rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/{,e}grep rix, @{bin}/id rix, @{sbin}/invoke-rc.d rCx -> invoke-rc, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index 10f30b50b..8bdeb2c13 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -19,7 +19,7 @@ profile rads @{exec_path} { @{bin}/cat rix, @{bin}/chvt rix, @{bin}/free rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 91af3a842..e1358ec29 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -14,7 +14,7 @@ profile kernel-postinst-kdump @{exec_path} { @{bin}/du rix, @{bin}/find rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sync rix, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 013143152..90bf73cf3 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -17,7 +17,7 @@ profile modprobed-db @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/cut rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/getent rix, @{bin}/{,e}grep rix, @{bin}/logname rix, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 508ac6eff..93e29bcfa 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -27,7 +27,7 @@ profile tomb @{exec_path} { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/awk rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chmod rix, 
@@ -41,7 +41,6 @@ profile tomb @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/findmnt rix, - @{bin}/gawk rix, @{bin}/getent rix, @{bin}/gettext rix, @{bin}/hostname rix, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index e23d4db43..b7ad3a2e8 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -31,7 +31,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{lib_dirs}/crashpad_handler ix, @{bin}/mkdir ix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/lsblk rPx, @{bin}/ip rix, @{bin}/xdg-user-dir rix, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 023644eb0..55155f2b8 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -36,7 +36,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/wechat-appimage.AppImage ix, /tmp/.mount_wechat??????/AppRun ix, @{bin}/mkdir ix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/lsblk rPx, @{bin}/ip rix, @{bin}/xdg-user-dir rix, From 033a7475e08db25afacdeca23f8aab1786d7d70a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:35:13 +0200 Subject: [PATCH 524/672] tests: enforce equivalent tests. --- tests/check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index b1783bf8e..801e81114 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -134,6 +134,7 @@ _check_directory_mark() { declare -A EQUIVALENTS=( ["awk"]="{m,g,}awk" + ["gawk"]="{m,g,}awk" ["grep"]="{,e}grep" ["which"]="which{,.debianutils}" ) @@ -371,7 +372,10 @@ check_profiles() { -prune -o -type f -print ) jobs=0 - WITH_CHECK=(abi include profile header tabs trailing indentation subprofiles vim) + WITH_CHECK=( + equivalent + abi include profile header tabs trailing indentation subprofiles vim + ) for file in "${files[@]}"; do ( name="$(basename "$file")" 
@@ -388,7 +392,10 @@ check_abstractions() { _msg "Checking abstractions" mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") jobs=0 - WITH_CHECK=(abi include header tabs trailing indentation vim) + WITH_CHECK=( + equivalent + abi include header tabs trailing indentation vim + ) for file in "${files[@]}"; do ( name="$(basename "$file")" @@ -406,7 +413,10 @@ check_abstractions() { ) # shellcheck disable=SC2034 jobs=0 - WITH_CHECK=(header tabs trailing indentation vim) + WITH_CHECK=( + equivalent + header tabs trailing indentation vim + ) for file in "${files[@]}"; do _check "$file" & _wait jobs From f29041576e234e3d4873da2434d4fd3298c2b01d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:55:20 +0200 Subject: [PATCH 525/672] feat(profile): move away from old or too wide abstractions. --- .../groups/browsers/opera-crashreporter | 2 +- apparmor.d/groups/filesystem/udiskie | 10 ++-- apparmor.d/groups/hyprland/hyprpm | 1 - apparmor.d/groups/network/nm-dhcp-helper | 2 +- apparmor.d/groups/usb/usbguard-applet-qt | 20 +++----- apparmor.d/groups/virt/libvirtd | 3 +- apparmor.d/profiles-a-f/atftpd | 8 +++- apparmor.d/profiles-a-f/dhclient-script | 8 +++- apparmor.d/profiles-a-f/dumpcap | 8 ++-- apparmor.d/profiles-a-f/ffplay | 3 +- apparmor.d/profiles-a-f/fritzing | 46 ++++++++----------- apparmor.d/profiles-g-l/light-locker | 12 ++--- apparmor.d/profiles-m-r/mkvtoolnix-gui | 10 ++-- apparmor.d/profiles-m-r/netstat | 8 +++- apparmor.d/profiles-m-r/pcb-gtk | 8 +--- apparmor.d/profiles-s-z/sing-box | 1 - apparmor.d/profiles-s-z/tftp | 8 +++- apparmor.d/profiles-s-z/vsftpd | 8 +++- apparmor.d/profiles-s-z/youtube-dl | 4 +- 19 files changed, 84 insertions(+), 86 deletions(-) diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 01661215a..eb67ede59 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter 
+++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} { include include include - include + include include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/filesystem/udiskie b/apparmor.d/groups/filesystem/udiskie index a6a2e2ad3..53b726c23 100644 --- a/apparmor.d/groups/filesystem/udiskie +++ b/apparmor.d/groups/filesystem/udiskie @@ -11,16 +11,12 @@ include profile udiskie @{exec_path} { include include - include - include + include include - include - include + include include - include include - include - include + include @{exec_path} r, @{python_path} r, diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm index 3a5878808..149128b1e 100644 --- a/apparmor.d/groups/hyprland/hyprpm +++ b/apparmor.d/groups/hyprland/hyprpm @@ -11,7 +11,6 @@ profile hyprpm @{exec_path} { include include include - include network inet dgram, network inet stream, diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 5e93bdbf5..3e232154e 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper profile nm-dhcp-helper @{exec_path} { include - include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/usb/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt index a76398dd9..558b9093c 100644 --- a/apparmor.d/groups/usb/usbguard-applet-qt +++ b/apparmor.d/groups/usb/usbguard-applet-qt 
@@ -10,22 +10,21 @@ include @{exec_path} = @{bin}/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { include - include - include - include - include - include - include - include - include + include include + include + include include + include # Needed? ptrace (read), @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, @@ -37,11 +36,6 @@ profile usbguard-applet-qt @{exec_path} { owner @{PROC}/@{pid}/cmdline r, - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - include if exists } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 4d730602d..844af4443 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -17,8 +17,9 @@ include @{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include + include + include include - include include include include diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index dc7f2bf36..2444bd128 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include - include + include # For libwrap (TCP Wrapper) support include @@ -18,6 +18,12 @@ profile atftpd @{exec_path} { capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # FTP dirs (add "w" if you need write permissions and hence upload files) diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 9a7e77902..3967512b8 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script 
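Review bot: The five `network` rules added to atftpd (`inet dgram/stream`, `inet6 dgram/stream`, `netlink raw`) are inserted verbatim with no comment, and the same block is repeated in the dhclient-script, netstat, tftp and vsftpd hunks on the following lines. The abstraction include they replace has lost its name in this rendering, so it cannot be checked here, but for a UDP-only service such as atftpd the two `stream` rules are presumably only for resolver or libwrap lookups; a comment like `# Resolver / libwrap lookups (to be confirmed)` on the first rule of each block would record that, and would make it obvious later whether the block is redundant with the abstraction that was swapped in.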
@@ -10,13 +10,19 @@ include @{exec_path} = @{bin}/dhclient-script profile dhclient-script @{exec_path} { include - include + include include capability net_admin, capability sys_admin, audit capability sys_module, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, @{sh_path} mrix, diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index 634aebd02..a1050aa94 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -10,16 +10,14 @@ include @{exec_path} = @{bin}/dumpcap profile dumpcap @{exec_path} { include + include + include include - include - include # To capture packekts capability net_raw, capability net_admin, - signal (receive) peer=wireshark, - network inet dgram, network inet6 dgram, network netlink raw, @@ -27,6 +25,8 @@ profile dumpcap @{exec_path} { network packet raw, network bluetooth raw, + signal (receive) peer=wireshark, + dbus (eavesdrop) bus=session, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index a4dec5d34..4152ed49a 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -11,10 +11,9 @@ include profile ffplay @{exec_path} { include include - include + include include include - include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index 18b990bbc..c57323c6a 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -10,16 +10,13 @@ include @{exec_path} = @{bin}/fritzing{,.real} profile fritzing @{exec_path} { include - include - include - include - include - include - include - include + include include - include + include + include + include include + include network inet dgram, network inet6 dgram, 
@@ -30,26 +27,25 @@ profile fritzing @{exec_path} { @{exec_path} mrix, + /usr/share/fritzing/{,**} r, + /usr/share/hwdata/pnp.ids r, + + /etc/debian_version r, + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, - /usr/share/fritzing/{,**} r, + owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - /usr/share/hwdata/pnp.ids r, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /etc/debian_version r, + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* @{sys}/bus/ r, @{sys}/class/ r, @@ -57,15 +53,13 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/ttyS@{int} rw, /dev/ttyACM@{int} rw, - owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - include if exists } diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 8d2fcdcc8..60189d911 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker 
@@ -11,19 +11,12 @@ include profile light-locker @{exec_path} { include include - include - include - include + include include - include include - include @{exec_path} mr, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, @@ -33,6 +26,9 @@ profile light-locker @{exec_path} { @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_device r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 835e1a391..4e0ace19a 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -10,19 +10,15 @@ include @{exec_path} = @{bin}/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { include - include + include include - include - include - include - include + include include - include include include + include include include - include signal (send) set=(term, kill) peer=mkvmerge, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index e19884997..a23a095e9 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -13,12 +13,18 @@ include profile netstat @{exec_path} { include include - include + include capability dac_read_search, capability sys_ptrace, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + ptrace (trace,read), @{exec_path} rmix, diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index e736299fa..2f057f2a7 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -10,13 +10,9 @@ include @{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include - include - include - include + include include - include - include - include + include include include 
diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 9f395735e..1890510ae 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -12,7 +12,6 @@ include profile sing-box @{exec_path} { include include - include capability net_bind_service, diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index 33f6fe6dc..bb0a1c37b 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -10,9 +10,15 @@ include @{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include - include + include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 2b6af3561..8fe33af50 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -12,7 +12,7 @@ profile vsftpd @{exec_path} { include include include - include + include include # To be able to listen on ports < 1024 @@ -41,6 +41,12 @@ profile vsftpd @{exec_path} { capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # To validate allowed users shells diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 381e878fa..d0b1c1988 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -13,13 +13,11 @@ profile youtube-dl @{exec_path} { include include include - include - include + include include include include include - include network inet dgram, network inet6 dgram, From 3ffff07f3fb386e980d9bb7bc763824bef2e6c5e Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 20 Jun 2025 00:00:48 +0200 Subject: [PATCH 526/672] tests: enforce abstractions test. --- apparmor.d/profiles-m-r/rsyslogd | 14 +++++--------- tests/check.sh | 10 +++++----- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 599fac88f..80d75a928 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -7,15 +7,10 @@ abi , include -# Debugging the syslogger can be difficult if it can't write to the file -# that the kernel is logging denials to. In these cases, you can do the -# following: -# watch -n 1 'dmesg | tail -5' - @{exec_path} = @{sbin}/rsyslogd profile rsyslogd @{exec_path} { include - include + include capability chown, # For creating new log files and changing their owner/group capability net_admin, # For remote logs @@ -24,18 +19,19 @@ profile rsyslogd @{exec_path} { capability sys_nice, capability syslog, + network inet dgram, + network inet6 dgram, + signal receive set=hup peer=@{p_systemd}, @{exec_path} mr, + @{sh_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, - /etc/CA/*.crt r, - /etc/CA/*.key r, - /var/log/** rw, /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, diff --git a/tests/check.sh b/tests/check.sh index 801e81114..28adc7710 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -93,7 +93,7 @@ _check() { # Rules checks: security, compatibility and rule issues readonly ABS="abstractions" -readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp) +readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) declare -A ABS_DEPRECATED=( ["nameservice"]="nameservice-strict" ["bash"]="shell" 
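Review bot: `@{sh_path} mr,` in the second rsyslogd hunk carries no execute permission, which is inconsistent with the `@{sh_path} rix,` form used by every other profile on this page (ufw-init, dhclient-script, openbox, ...). If rsyslogd merely maps the shell binary this is correct but unusual enough to deserve a comment, e.g. `@{sh_path} mr, # mapped only, never executed (to be confirmed)`; if it actually runs scripts (for instance through an output module), the rule will not allow the exec and should be `@{sh_path} rix,` or a `Cx`/`Px` transition. Dropping the `/etc/CA/*.key` and `*.crt` reads in the same hunk also changes behaviour for a TLS-enabled rsyslog whose keys live under /etc/CA; if that layout is no longer supported, a line in the commit description saying so would help anyone bisecting a regression.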
@@ -142,7 +142,7 @@ _check_equivalent() { _is_enabled equivalent || return 0 local prgmname for prgmname in "${!EQUIVALENTS[@]}"; do - if [[ "$line" == *"/$prgmname"* ]]; then + if [[ "$line" == *"/$prgmname "* ]]; then if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" fi @@ -373,7 +373,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -393,7 +393,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -414,7 +414,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent header tabs trailing indentation vim ) for file in "${files[@]}"; do From bb6ca01718dad6cd91055c8d2c825143d00ca2f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:36:23 +0200 Subject: [PATCH 527/672] feat(profile): ufw: integrate ufw-init in ufw, use sysctl in subprofile. --- apparmor.d/groups/firewall/ufw | 22 ++++++++++++++++++---- apparmor.d/groups/firewall/ufw-init | 21 +++++++++++++++++++-- 2 files changed, 37 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index 3b931fb2b..39517ee6c 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw 
@@ -30,13 +30,12 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{python_path} rix, - @{bin}/ r, + @{sbin}/ r, @{bin}/cat rix, - @{bin}/echo rix, @{bin}/env r, @{bin}/kmod rCx -> kmod, - @{lib}/ufw/ufw-init rix, - @{sbin}/sysctl rix, + @{lib}/ufw/ufw-init rPx, + @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, @@ -70,6 +69,21 @@ profile ufw @{exec_path} flags=(attach_disconnected) { include if exists } + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index 5c0521790..aae80b87d 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,6 +11,7 @@ profile ufw-init @{exec_path} { include include + capability dac_read_search, capability net_admin, network inet dgram, @@ -22,7 +23,8 @@ profile ufw-init @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/sysctl rix, + @{bin}/echo rix, + @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, @@ -30,7 +32,22 @@ profile ufw-init @{exec_path} { /etc/ufw/* r, @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/sys/net/ipv{4,6}/** rw, + # @{PROC}/sys/net/ipv{4,6}/** rw, + + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } include if exists } From ea45cec24d5cbf9c66feb859740b802cf46ececf Mon Sep 17 00:00:00 2001 
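Review bot: The `sysctl` subprofile added at the end of ufw-init is a byte-for-byte copy of the one added to ufw in the first hunk, and the rule it replaces is left behind as the commented-out line `# @{PROC}/sys/net/ipv{4,6}/** rw,` instead of being deleted. Because ufw now reaches ufw-init through `rPx`, each profile needs its own child, so the duplication may well be intended; a comment on each copy, e.g. `# Keep in sync with the sysctl subprofile in ufw-init` (and the mirror text in ufw), makes that explicit, and the dead commented rule should go so nobody assumes the parent still writes under /proc/sys. The added `capability dac_read_search,` in the ufw-init hunk also has no comment naming which read needs it, unlike the annotated `capability` rules used elsewhere in the tree (rsyslogd on this page is an example).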
From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:43:02 +0200 Subject: [PATCH 528/672] feat(fsp): improve fsp profiles. --- apparmor.d/groups/_full/sd | 24 ++++++------------------ apparmor.d/groups/_full/sdu | 2 ++ apparmor.d/groups/_full/systemd | 5 ++++- apparmor.d/groups/_full/systemd-user | 2 +- 4 files changed, 13 insertions(+), 20 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 48172638e..da14cabf3 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -86,22 +86,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { umount /, umount /dev/shm/, umount @{run}/systemd/mount-rootfs/{,**}, - - # mount tmpfs -> @{run}/lock/, - # mount tmpfs -> @{sys}/fs/cgroup/, - # mount cgroup -> @{sys}/fs/cgroup/systemd/, - # audit mount /dev/** -> /boot/{,efi/}, - # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - - # audit remount @{run}/systemd/unit-root/{,**}, - # audit remount options=(ro noexec noatime bind) /var/snap/{,**}, - # audit remount options=(ro nosuid nodev bind) /var/, - # audit remount options=(ro nosuid nodev noexec bind) /boot/, - - # audit umount @{PROC}/sys/fs/binfmt_misc/, - # audit umount @{run}/systemd/namespace-@{rand6}/{,**}, - # audit umount @{run}/systemd/unit-root/{,**}, + umount @{run}/systemd/namespace-@{rand6}/{,**}, pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, 
@@ -150,20 +135,22 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{bin}/true ix, # Required due to stacked profiles - @{sbin}/grpck ix, + @{bin}/find ix, @{bin}/gzip ix, @{bin}/install ix, - @{sbin}/pwck ix, @{bin}/readlink ix, @{lib}/colord-sane ix, @{lib}/systemd/systemd-nsresourcework ix, @{lib}/systemd/systemd-userwork ix, + @{sbin}/grpck ix, + @{sbin}/pwck ix, / r, @{att}/ r, @{bin}/{,**} r, @{lib}/{,**} r, @{sbin}/{,*} r, + /usr/local/{,**} r, /usr/share/** r, /etc/*/ w, /etc/** rk, @@ -179,6 +166,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/lib/*/ rw, /var/lib/*/** rwk, /var/lib/systemd/*/ r, + /var/log/ r, /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index c9338fd22..80d8c1fb9 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -108,6 +108,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny capability net_admin, + profile shell flags=(attach_disconnected,mediate_deleted,complain) { include diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index b7c12c6bd..184084fed 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -50,7 +50,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd flags=(attach_disconnected,mediate_deleted) { +profile systemd flags=(attach_disconnected,mediate_deleted,complain) { include include include @@ -129,9 +129,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, + /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, /etc/default/{,**} r, + /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, 
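Review bot: `deny capability net_admin,` is dropped into the sdu profile between the `@{PROC}` rules and the `shell` subprofile with no comment, and because an explicit `deny` is not audited by default a reader cannot tell whether it was added to silence log noise or to forbid something a user unit really attempted. A comment such as `deny capability net_admin, # (to be confirmed) unwanted request from user units, quieted on purpose` would record the intent; grouping it with the profile's other capability rules, which are outside this hunk, would also match the layout used by ufw-init on this page.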
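Review bot: Changing the profile line to `profile systemd flags=(attach_disconnected,mediate_deleted,complain) {` puts the whole init profile into complain mode, so every rule in it is logged but no longer enforced, and the next hunk (systemd-user on the following line) does the same; neither the commit subject "improve fsp profiles" nor a comment in the file records why. The `sd` profile on this page already carries `complain` in its header, so this may be the intended state for the full-system-policy group while it is being developed, but it should be stated, e.g. `# complain: full-system policy still under development, denials are logged, not enforced` above the profile line, and mentioned in the commit description so the change in enforcement posture is not mistaken for a finished enforce-mode profile.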
@@ -186,6 +188,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index ed531c58b..a5bb4d926 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -16,7 +16,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd-user flags=(attach_disconnected,mediate_deleted) { +profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { include include include From cd619d280a5ba23537114e74ed8fa4c294e00559 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:44:43 +0200 Subject: [PATCH 529/672] feat(profile): update apt profiles. --- apparmor.d/groups/apt/apt-methods-http | 3 ++- apparmor.d/groups/apt/dpkg-script-systemd | 5 +++++ apparmor.d/groups/apt/dpkg-scripts | 11 +++++++++++ apparmor.d/groups/apt/dpkg-statoverride | 1 + apparmor.d/groups/apt/unattended-upgrade | 2 +- 5 files changed, 20 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 7fb3a2cc4..61be160dc 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -71,7 +71,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, - @{run}/ubuntu-advantage/aptnews.json rw, + @{run}/ubuntu-advantage/aptnews.json rw, + owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, 
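Review bot: The new rule `@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,` grants write access to an EFI variable, a different class of access from the read-only `dmi/id` and `tty/console` entries around it, and it carries no comment. Writes to efivars persist across reboots, so a short note on what performs the write (presumably the boot-loader random-seed / system-token handling, to be confirmed) would let a reviewer judge whether `rw` is required or `r` would do; `# systemd-boot system token, written at boot (to be confirmed)` would be enough.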
diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 8ca92515c..722e72c53 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -42,8 +42,13 @@ profile dpkg-script-systemd @{exec_path} { include include + capability dac_read_search, + @{bin}/dpkg mr, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 3102b23bb..e16d25bf2 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -58,7 +58,12 @@ profile dpkg-scripts @{exec_path} { / r, /*/ r, @{bin}/ r, + @{bin}/* w, @{lib}/ r, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + /etc/ r, /etc/** rw, /usr/share/*/{,**} rw, @@ -71,6 +76,8 @@ profile dpkg-scripts @{exec_path} { /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + @{PROC}/@{pid}/fd/ r, + profile bus { include include @@ -104,6 +111,10 @@ profile dpkg-scripts @{exec_path} { @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, + /etc/machine-id r, + + /var/lib/systemd/catalog/database r, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index 34d6412c1..d2e02f613 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dpkg-statoverride profile dpkg-statoverride @{exec_path} flags=(complain) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index c2d94e25a..fa6929f35 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade 
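Review bot: `@{bin}/* w,` in the first dpkg-scripts hunk gives every maintainer script confined by this profile write access to every file directly under @{bin}, which is far wider than the surrounding `r` rules, and nothing in the hunk says which script needs it. If it covers a specific case, such as a postinst installing a wrapper or diverting a binary, either narrow it to that path or document it, e.g. `@{bin}/* w, # postinst scripts installing wrappers (to be verified)`; the existing `/etc/** rw` and `/usr/share/*/{,**} rw` context shows the profile already tolerates broad writes, but binaries are the higher-value target and deserve at least a comment. The three `__pycache__` write rules in the same hunk, and the `capability dac_read_search,` added to dpkg-script-systemd in the hunk above, would likewise benefit from a one-line comment naming the trigger (presumably byte-compilation by Python package hooks, and a root-only read under /etc/dpkg, respectively; both to be confirmed).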
@@ -101,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/crash/*.crash w, /var/lib/apt/periodic/unattended-upgrades-stamp w, - /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/{,*} r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, From 5eb08f8de57803664d700b7d05fa7023f6b499b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:47:49 +0200 Subject: [PATCH 530/672] feat(profile): improve pacman profiles. --- apparmor.d/groups/pacman/pacman-hook-code | 6 +++--- apparmor.d/groups/pacman/pacman-key | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 2496d7a9b..ee23781f4 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/code-{features,marketplace}/patch.py +@{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py profile pacman-hook-code @{exec_path} { include include @@ -20,8 +20,8 @@ profile pacman-hook-code @{exec_path} { @{lib}/code/product.json rw, - /usr/share/code-{features,marketplace}/{,*} r, - /usr/share/code-{features,marketplace}/cache.json rw, + /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, + /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 025d87b29..a5cee6fa9 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -21,10 +21,10 @@ profile pacman-key @{exec_path} { @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rCx -> &gpg, @{bin}/{,e}grep rix, @{bin}/ngettext rix, - @{bin}/pacman-conf rPx, + @{bin}/pacman-conf rPx -> &pacman-conf, @{bin}/touch rix, @{bin}/tput rix, @{bin}/vercmp rix, 
From 03d7ef55896e0d5b7bf5348000fbdcab26737490 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:52:22 +0200 Subject: [PATCH 531/672] feat(profile): add profile for sshd session. It is only a first draft as recent update in sshd, split sshd in multiple binaries, it will allow us to also split the confinement in multiple profile. --- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshd-session | 85 ++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/ssh/sshd-session diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index a514e7c99..75438c957 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,7 +69,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/passwd Px, @{lib}/{openssh,ssh}/sftp-server Px, @{lib}/{openssh,ssh}/sshd-auth Px, - @{lib}/{openssh,ssh}/sshd-session ix, + @{lib}/{openssh,ssh}/sshd-session Px, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session new file mode 100644 index 000000000..e74696334 --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-session 
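Review bot: Changing `sshd-session` from `ix` to `Px` means each per-connection process is now confined by the new `sshd-session` profile instead of inheriting sshd's rules, and that new profile declares `unix type=stream peer=(label=sshd)` for its channel back to the listener. The sshd side shown here gains no matching `unix type=stream peer=(label=sshd-session),` rule; if one is not already present elsewhere in the profile, the monitor/session socketpair will be denied once sshd-session is enforced, so check for the inverse rule before the draft leaves complain mode. The sshd profile body continues outside the hunk.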
@@ -0,0 +1,85 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/{openssh,ssh}/sshd-session
+profile sshd-session @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include #aa:only RBAC
+
+ capability audit_write,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ # sshd doesn't require net_admin. libpam-systemd tries to
+ # use it if available to set the send/receive buffers size,
+ # but will fall back to a non-privileged version if it fails.
+ deny capability net_admin,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ unix type=stream peer=(label=sshd),
+
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
+ peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+
+ @{exec_path} mr,
+
+ @{bin}/@{shells} Ux, #aa:exclude RBAC
+ @{lib}/{openssh,ssh}/sshd-auth Px,
+
+ @{etc_rw}/motd r,
+ @{etc_rw}/motd.d/{,**} r,
+ /etc/machine-id r,
+ /etc/motd r,
+
+ /var/lib/lastlog/ r,
+ /var/lib/lastlog/lastlog2.db rwk,
+ /var/lib/lastlog/lastlog2.db-journal rw,
+
+ /var/lib/wtmpdb/ w,
+
+ owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
+
+ owner @{user_cache_dirs}/{,motd*} rw,
+
+ @{att}/@{run}/systemd/sessions/@{int}.ref w,
+
+ @{run}/motd.d/{,*} r,
+ @{run}/motd.dynamic rw,
+ @{run}/motd.dynamic.new rw,
+
+ @{PROC}/1/limits r,
+ owner @{PROC}/@{pid}/loginuid rw,
+ owner @{PROC}/@{pid}/uid_map r,
+
+ /dev/ptmx rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor 
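Review bot: `owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r` only matches when the file's owner equals the reading process's fsuid; OpenSSH normally reads the key file while temporarily holding the user's uid, so the common case works, but a root-owned key file or an `AuthorizedKeysFile` pointing outside the home directory will not match, and the failure shows up as "no valid key" rather than a visible error. State whether the `owner` restriction is deliberate, e.g. `# read while temporarily holding the user's uid; root-owned key files need their own rule`. Since this is also the process that handles the pre-authentication protocol from the network, the `dac_override` and `dac_read_search` grants deserve a one-line note naming the operations that need them (privsep chroot, reading a home directory with restrictive modes), so that a later reviewer can tell which are load-bearing.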
From 226cb23073efb628f344c5c1985a543564671ee0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:53:26 +0200 Subject: [PATCH 532/672] feat(profile): small improvement to steam. --- apparmor.d/groups/steam/steam | 4 ++++ apparmor.d/groups/steam/steamerrorreporter | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 73c78f2ed..151a3e161 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -109,6 +109,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @{runtime_dirs}/run{,.sh} rix, @@ -370,6 +371,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/hidraw@{int} rw, /dev/tty rw, + @{att}/dev/dri/renderD128 rw, + include if exists } @@ -380,6 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_override, capability dac_read_search, + capability sys_ptrace, unix receive type=stream, diff --git a/apparmor.d/groups/steam/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter index b4d5f3e68..d438c604d 100644 --- a/apparmor.d/groups/steam/steamerrorreporter +++ b/apparmor.d/groups/steam/steamerrorreporter @@ -34,8 +34,6 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dumps/ r, owner @{tmp}/dumps/*_log.txt rw, - owner @{PROC}/@{pid}/status r, - include if exists } From 6735b8e5f8ffa64a43297a3ff1318ef49376d388 Mon Sep 17 00:00:00 2001 
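Review bot: `@{att}/dev/dri/renderD128 rw` hard-codes the first render node, while the neighbouring `/dev/hidraw@{int} rw` in the same hunk shows the pattern this profile uses for numbered device nodes; on a machine with more than one GPU, or where the node carries a different number, the rule will not match. Prefer `@{att}/dev/dri/renderD@{int} rw,`. The enclosing profile continues outside the hunk.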
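Review bot: `capability sys_ptrace` is added to a subprofile whose header is outside the hunk, with no comment and no `ptrace` rule visible alongside it. CAP_SYS_PTRACE also lifts the `/proc/<pid>` readability restrictions for processes of other users, so unless a `ptrace (read) peer=…` rule already scopes it outside the hunk, it is worth pairing the capability with one aimed at the intended target and recording the caller, e.g. `capability sys_ptrace, # <helper> reads /proc/<pid>/ of the game process`.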
From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:55:22 +0200 Subject: [PATCH 533/672] feat(profile): zram: move kmod to its own subprofile. --- apparmor.d/groups/systemd/zram-generator | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index d156d88a4..473848ef3 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -11,16 +11,13 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, - @{exec_path} mr, - @{bin}/kmod rix, + @{bin}/kmod rCx, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, /etc/systemd/zram-generator.conf r, - /etc/modprobe.d/{,**} r, owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw, owner @{run}/systemd/generator/dev-zram@{int}.swap rw, @@ -29,12 +26,18 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{sys}/block/zram@{int}/* rw, @{sys}/devices/virtual/block/zram@{int}/* rw, - @{sys}/module/compression r, @{PROC}/crypto r, owner /dev/pts/@{int} rw, + profile kmod { + include + include + + include if exists + } + include if exists } From 0483f476ed72c35993313a7edd4a9f3d2ddb9239 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:56:54 +0200 Subject: [PATCH 534/672] fix(profile): aa-enforce: ensure looking path in sbin is allowed. --- apparmor.d/groups/apparmor/aa-enforce | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index fcf7dc724..1743fd9d0 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -16,7 +16,7 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, - @{bin}/ r, + @{sbin}/ r, @{sbin}/apparmor_parser rPx, /usr/share/terminfo/** r, From 24a9da865f9daddc28e73793c9a8a724f9105592 Mon Sep 17 00:00:00 2001 
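Review bot: The new `kmod` subprofile consists of two includes only, while the `capability sys_module` dropped from the parent in the previous hunk is not re-added anywhere; the kmod subprofiles dockerd and hw-probe receive later in this series declare it explicitly. If zram-generator still has to `modprobe zram` and the included abstraction does not grant the capability, module loading will now fail in enforce mode; either add `capability sys_module, # modprobe zram` to the subprofile, or record why loading is no longer expected.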
From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:05:47 +0200 Subject: [PATCH 535/672] chore: update sbin.list --- apparmor.d/profiles-a-f/atd | 2 +- tests/sbin.list | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aea3cbf01..783d210fb 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/atd +@{exec_path} = @{sbin}/atd profile atd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 1adc90ee8..1d0eb5b97 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -43,6 +43,7 @@ argdist-bpfcc arp arpd aspell-autobuildhash +atd audisp-af_unix audisp-filter audisp-syslog @@ -313,6 +314,7 @@ grub2-sparc64-setup grub2-switch-to-blscfg hardirqs-bpfcc haveged +hc-ifscan hdparm httxt2dbm hv_fcopy_daemon From e222816d32d5103399dac03651ac2ef222d72647 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:08:44 +0200 Subject: [PATCH 536/672] feat(profile): virt: move privileged actions to subprofle. --- apparmor.d/groups/virt/containerd | 6 ++-- apparmor.d/groups/virt/dockerd | 42 +++++++++++++++++++++++++-- apparmor.d/groups/virt/libvirtd | 9 +++++- apparmor.d/groups/virt/virt-aa-helper | 1 - 4 files changed, 49 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 598ec7ca9..95d332a45 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -87,10 +87,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/nri/nri.sock rw, @{run}/systemd/notify w, - /tmp/cri-containerd.apparmor.d@{int} rwl, - /tmp/ctd-volume@{int}/{,**} rw, - owner @{tmp}/** rwkl, - owner /var/tmp/** rwkl, + /tmp/cri-containerd.apparmor.d@{int} rwl, + /tmp/ctd-volume@{int}/{,**} rw, @{sys}/fs/cgroup/kubepods/** r, @{sys}/kernel/security/apparmor/profiles r, 
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c4b39ff8c..abd6c90ec 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -70,11 +70,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, @{bin}/git rCx -> git, - @{bin}/kmod rPx, + @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, @{bin}/unpigz rix, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rCx -> nft, + @{sbin}/xtables-legacy-multi rCx -> nft, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. @@ -128,13 +129,48 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, owner @{PROC}/@{pid}/uid_map r, /dev/ r, /dev/**/ r, + profile nft flags=(attach_disconnected) { + include + + capability net_admin, + capability net_raw, + + network inet raw, + network inet6 raw, + network netlink raw, + + @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-legacy-multi rix, + @{bin}/kmod rPx -> dockerd//kmod, + + @{PROC}/@{pid}/net/ip{,6}_tables_names r, + @{PROC}/sys/kernel/modprobe r, + + @{run}/xtables.lock rwk, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + profile init flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 844af4443..a0d636883 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
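Review bot: In the new `nft` subprofile, `@{PROC}/@{pid}/net/ip{,6}_tables_names r` drops the `owner` qualifier that the removed parent rule `owner @{PROC}/@{pid}/net/ip_tables_names r` carried, so the xtables helper may now read that file for any pid rather than its own. The helper only needs its own network-namespace view, so `owner @{PROC}/@{pid}/net/ip{,6}_tables_names r,` keeps the previous tightening. The sibling `kmod` subprofile also lacks the `flags=(attach_disconnected)` that `nft` has; confirm that difference is intended, since dockerd itself runs with attach_disconnected.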
@@ -106,7 +106,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/dmidecode rPx, @{sbin}/dnsmasq rPx, - @{bin}/kmod rPx, + @{bin}/kmod rCx -> kmod, @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @@ -245,6 +245,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { audit deny @{sys}/kernel/security/apparmor/matching rwxl, audit deny @{sys}/kernel/security/apparmor/.* rwxl, + profile kmod { + include + include + + include if exists + } + profile qemu_bridge_helper { include diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 81ec217b9..53afe6012 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -45,7 +45,6 @@ profile virt-aa-helper @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/psched r, deny @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, # For gl enabled graphics /dev/dri/{,*} r, From f8250f7e0cc8e70fe679fac2374bad8690e24e09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:22:25 +0200 Subject: [PATCH 537/672] feat(profile): move kmod in subprofile. --- apparmor.d/profiles-g-l/hw-probe | 18 +++++++++++++----- apparmor.d/profiles-g-l/kernel | 13 ++++++++----- apparmor.d/profiles-g-l/kmod | 9 +-------- 3 files changed, 22 insertions(+), 18 deletions(-) diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index f518a18f0..3fbb9b0fd 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -61,7 +61,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, 
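Review bot: libvirtd's new `kmod` subprofile is two includes only, whereas the `kmod` subprofile dockerd gets in the same commit declares `capability sys_module,` explicitly; whether libvirt's on-demand `modprobe` calls (it loads modules such as tun or the kvm family, as far as I can tell) keep working therefore depends entirely on what the included abstraction grants. Please verify a module load under enforce mode, and if the capability is required add it with a one-line reason rather than relying on the include. The libvirtd profile body continues outside the hunk.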
@@ -98,19 +98,27 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, - @{PROC}/modules r, @{PROC}/scsi/scsi r, /dev/{,**} r, + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + + profile pacman flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 6bc2c8961..d375a1bdd 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -13,8 +13,6 @@ profile kernel @{exec_path} { include include - capability sys_module, - @{exec_path} mr, @{sh_path} rix, @@ -24,7 +22,7 @@ profile kernel @{exec_path} { @{bin}/chmod rix, @{bin}/cut rix, @{bin}/dirname rix, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/mv rix, @{bin}/rm rix, @{bin}/rmdir rix, @@ -56,8 +54,6 @@ profile kernel @{exec_path} { /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, @{run}/reboot-required w, @{run}/reboot-required.pkgs rw, @@ -65,6 +61,13 @@ profile kernel @{exec_path} { @{PROC}/devices r, @{PROC}/cmdline r, + profile kmod { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index ccc8d6913..a793bf707 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_read_search, 
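Review bot: The hw-probe `kmod` subprofile grants `capability sys_module`, yet the accesses this hunk removes from the parent (`@{sys}/module/*/{coresize,refcnt}`, `@{sys}/module/*/holders/`, `@{PROC}/modules`) are exactly what `lsmod`/`modinfo` read; nothing here suggests hw-probe loads or unloads modules. CAP_SYS_MODULE lets the subprofile load arbitrary kernel modules, so drop the capability unless an actual load denial was observed, or annotate it: `capability sys_module, # needed for …`. There is also a stray extra blank line before `profile pacman`.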
@@ -31,14 +31,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, - @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, @{run}/modprobe.d/{,*.conf} r, - /etc/depmod.d/{,**} r, - /etc/modprobe.d/{,*.conf} r, - /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, @@ -66,9 +62,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, - @{PROC}/cmdline r, - @{PROC}/modules r, - /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 0572688c592a181b4b35b7e29573302d3b3718b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:27:06 +0200 Subject: [PATCH 538/672] feat(profile): small general upgrade. --- .../groups/systemd-service/dmesg.service | 1 + .../groups/systemd-service/man-db.service | 2 ++ apparmor.d/groups/ubuntu/esm_cache | 19 +++++++++++++++++++ apparmor.d/groups/ubuntu/update-manager | 6 +++--- apparmor.d/groups/usb/lsusb | 2 ++ apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/profiles-a-f/e2scrub_all | 1 + apparmor.d/profiles-g-l/gitstatusd | 5 +++++ apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/hddtemp | 18 +++--------------- apparmor.d/profiles-g-l/ischroot | 2 ++ apparmor.d/profiles-g-l/landscape-sysinfo | 6 +++--- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pycompile | 9 +++------ apparmor.d/profiles-m-r/rsyslogd | 7 ++++--- apparmor.d/profiles-s-z/update-initramfs | 3 +++ apparmor.d/profiles-s-z/whiptail | 2 ++ 18 files changed, 57 insertions(+), 34 deletions(-) create mode 100644 apparmor.d/groups/ubuntu/esm_cache diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service index 4c67f680a..0a46f6ed9 100644 --- a/apparmor.d/groups/systemd-service/dmesg.service +++ b/apparmor.d/groups/systemd-service/dmesg.service 
@@ -17,6 +17,7 @@ profile dmesg.service flags=(attach_disconnected) { capability chown, capability fsetid, + capability sys_admin, ptrace read peer=@{p_systemd}, diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service index 24b34fc25..c3bfa7c32 100644 --- a/apparmor.d/groups/systemd-service/man-db.service +++ b/apparmor.d/groups/systemd-service/man-db.service @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete # ExecStart=/usr/bin/mandb --quiet abi , @@ -13,6 +14,7 @@ profile man-db.service flags=(attach_disconnected) { include include + @{bin}/find ix, @{bin}/install ix, @{bin}/mandb r, diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache new file mode 100644 index 000000000..2596d6c12 --- /dev/null +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py +profile esm_cache @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index e1636c6d5..0e0dcdb0b 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
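Review bot: `capability sys_admin` is added to dmesg.service with no reason, and it is the broadest capability AppArmor can grant. Reading the kernel ring buffer (syslog(2), or `/dev/kmsg` under `dmesg_restrict=1`) is gated on CAP_SYSLOG; the kernel accepts CAP_SYS_ADMIN only as a deprecated fallback and logs a warning when it does. If the audit entry behind this was a sys_admin denial, check whether `capability syslog,` is present in the profile first; if sys_admin is needed for something else, state it on the line, e.g. `capability sys_admin, # <operation>`. The profile body continues outside the hunk.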
@@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index f824343d6..b5a24940d 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -21,6 +21,8 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, + /dev/bus/usb/@{int}/@{int} w, + include if exists } diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index dbe561ab6..1e4850e7a 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/{,e}grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 0079053e0..e5d13f1de 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -12,6 +12,7 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include + capability setuid, capability sys_admin, capability sys_rawio, 
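Review bot: `/dev/bus/usb/@{int}/@{int} w` lets lsusb open every USB device node for writing, which is what is needed to issue control transfers, not merely to list devices. If this came from `lsusb -v` (libusb opens the node read-write to fetch descriptors, as far as I recall), record that on the line: `/dev/bus/usb/@{int}/@{int} w, # lsusb -v: libusb_open() opens the node O_RDWR`; if the intent was only to quiet the denial from that open attempt, a `deny` rule keeps the tool unable to talk to devices. The lsusb profile body continues outside the hunk.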
diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index a62ce7fde..8901ade9c 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -9,6 +9,9 @@ include @{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include + include + + signal receive set=term peer=*//shell, @{exec_path} mr, @@ -18,6 +21,8 @@ profile gitstatusd @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r, + # Silencer deny capability dac_read_search, deny capability dac_override, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 779dd8e67..719625dbd 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -16,7 +16,7 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index e96a45237..55d2abb5d 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp 
@@ -10,32 +10,20 @@ include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include + include + include - # To remove the following errors: - # /dev/sda: Permission denied + capability sys_admin, capability sys_rawio, - # There's the following error in strace: - # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) - # This should be covered by CAP_SYS_RAWIO instead. - # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) - # It looks like hddtemp works just fine without it. - deny capability sys_admin, - network inet stream, network inet6 stream, @{exec_path} mr, - # Monitored hard drives - /dev/sd[a-z]* r, - # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, - # Needed when the hddtemp daemon is started in the TCP/IP mode - /etc/gai.conf r, - include if exists } diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index 4e087343a..8c18782f9 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -13,6 +13,8 @@ profile ischroot @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /var/lib/update-notifier/tmp.@{rand10} w, + @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 1c3c98d52..5eb5dac06 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -27,9 +27,9 @@ profile landscape-sysinfo @{exec_path} { @{bin}/who rix, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/ w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc.@{u64} w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /var/log/landscape/{,**} rw, 
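Review bot: This hunk flips `deny capability sys_admin` into `capability sys_admin` while deleting the comment that justified the denial: the HDIO_DRIVE_CMD ioctl trips a CAP_SYS_ADMIN check, but hddtemp was observed to work fine without it. Nothing in the change says what now requires the capability, so the profile goes from explicitly documented least privilege to the broadest capability with no rationale. Either keep the deny together with its explanation, or replace it with a line that records the observed failure, e.g. `capability sys_admin, # HDIO_DRIVE_CMD on <device> returns EACCES without it`.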
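Review bot: The `__pycache__` write rules widen from `dist-packages/landscape/` to every package under `@{lib}/@{python_name}/**`, so a tool that is typically run from update-motd as root may now write bytecode into any installed Python package's cache. Python prefers a matching `.pyc` over the source file, which makes this a code-placement path; if the wider rule is needed because landscape imports modules outside its own tree, list those trees, or at least note the reason: `# landscape imports pull in <module> whose __pycache__ is written on first run`. The profile body continues outside the hunk.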
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 8cc8a65e1..b21642cf8 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -13,6 +13,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -109,7 +110,6 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index 9b3525fa5..82465ceb2 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{etc_ro}/needrestart/notify.d/* profile needrestart-notify @{exec_path} { include + include capability dac_read_search, capability sys_ptrace, @@ -27,7 +28,6 @@ profile needrestart-notify @{exec_path} { /etc/needrestart/notify.conf r, @{PROC}/@{pid}/environ r, - @{PROC}/filesystems r, include if exists } diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 984fcf03c..b684c3094 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile 
@@ -21,12 +21,9 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { @{bin}/dpkg rCx -> dpkg, - @{lib}/@{python_name}/dist-packages/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, /usr/share/python3/{,**} r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 80d75a928..ede981f58 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -12,11 +12,12 @@ profile rsyslogd @{exec_path} { include include - capability chown, # For creating new log files and changing their owner/group - capability net_admin, # For remote logs - capability setgid, # For downgrading privileges + capability dac_override, + capability dac_read_search, + capability setgid, capability setuid, capability sys_nice, + capability sys_tty_config, capability syslog, network inet dgram, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index f9e47cb52..472de3343 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -28,12 +28,15 @@ profile update-initramfs @{exec_path} { @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, + @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, + /etc/initramfs/post-update.d/* rPUx, + /var/lib/initramfs-tools/* w, # For shell pwd diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index f0efad77b..a42a63312 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail 
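Review bot: The rsyslogd hunk removes `capability chown` (explained in the deleted comment as needed to create log files with a configured owner/group) and replaces it with `dac_override` plus `dac_read_search`, which bypass file permission checks entirely; that is broader than chown, and nothing says what triggered it or why chown is no longer needed — a config using `$FileOwner`/`$FileGroup` would presumably still require it. The three per-capability rationale comments are dropped as well, so the profile loses its only documentation of why each grant exists. Please keep a justification on each line, e.g. `capability dac_override, # <observed write to a file not owned by the running uid>`, and re-check chown and the new, unexplained `sys_tty_config` against an actual configuration. The profile body continues outside the hunk.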
@@ -18,6 +18,8 @@ profile whiptail @{exec_path} { /usr/share/terminfo/** r, + /etc/newt/palette.* r, + include if exists } From 4d201ea417f3b32bc7e276ef4548f1c128a68301 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:35:38 +0200 Subject: [PATCH 539/672] feat(profile): add lsb-release Use it instead of lsb_release. --- apparmor.d/abstractions/app/chromium | 5 ++- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/groups/apt/apt-listbugs | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/debconf-frontend | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-probe | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/drkonqi | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- .../groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- apparmor.d/groups/ubuntu/hwe-support-status | 2 +- .../groups/ubuntu/software-properties-dbus | 2 +- .../groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- .../ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- .../profiles-a-f/check-support-status-hook | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hw-probe | 2 +- apparmor.d/profiles-g-l/kodi | 2 +- apparmor.d/profiles-g-l/lsb-release | 40 +++++++++++++++++++ apparmor.d/profiles-m-r/mumble | 2 +- apparmor.d/profiles-m-r/murmurd | 2 +- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- 36 files changed, 77 insertions(+), 36 deletions(-) create mode 100644 apparmor.d/profiles-g-l/lsb-release diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 666387d0a..e555d3475 100644 --- a/apparmor.d/abstractions/app/chromium 
+++ b/apparmor.d/abstractions/app/chromium @@ -37,7 +37,7 @@ include include include - include + include include include include @@ -78,7 +78,7 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/xdg-desktop-menu rPx, @{bin}/xdg-email rPx, @{bin}/xdg-icon-resource rPx, @@ -202,6 +202,7 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index d988f608c..5e3bc15cb 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -65,7 +65,7 @@ @{lib_dirs}/plugin-container rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index 7ce8961b9..a60457ec8 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 35f8940ee..b42649d7c 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -22,7 +22,7 @@ profile command-not-found @{exec_path} { @{exec_path} r, @{python_path} r, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/snap rPx, @{lib}/ r, 
diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index a8f7057e7..4660755d6 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -21,7 +21,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{exec_path} r, @{bin}/hostname ix, - @{bin}/lsb_release Px -> lsb_release, + @{bin}/lsb_release Px, @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ab230a43b..e58c9d8b3 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -47,7 +47,7 @@ profile reportbug @{exec_path} { @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 651fac1ba..36e299a0c 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -47,7 +47,7 @@ profile synaptic @{exec_path} { @{bin}/dpkg rPx, @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/ps rPx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index fa6929f35..0d4d2ee33 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -58,7 +58,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-divert Px, @{bin}/etckeeper Px, @{bin}/ischroot Px, - @{bin}/lsb_release Px -> lsb_release, + @{bin}/lsb_release Px, @{sbin}/dpkg-preconfigure Px, @{sbin}/on_ac_power Px, @{sbin}/sendmail Px, 
diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index f044b0f44..6c45cac39 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -21,7 +21,7 @@ profile grub-install @{exec_path} flags=(complain) { @{sh_path} rix, @{sbin}/efibootmgr rix, @{bin}/kmod rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/udevadm rPx, /usr/share/grub/{,**} r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 87c3d4104..1b5d26125 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -39,7 +39,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/head rix, @{bin}/id rPx, @{bin}/ls rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mount rPx, @{bin}/mountpoint rix, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 6d0ec6a72..e1037c6b7 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -19,7 +19,7 @@ profile grub-probe @{exec_path} { @{exec_path} mr, /{usr/,}{local/,}{s,}bin/zpool rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{sbin}/lvm rPx, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 802ba0a96..eebade917 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -33,7 +33,7 @@ profile dolphin @{exec_path} { @{lib}/libheif/*.so* mr, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index fbadf053b..e04180ff4 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi 
@@ -24,7 +24,7 @@ profile drkonqi @{exec_path} { @{exec_path} mr, @{bin}/plasmashell r, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/drkonqi/{,**} r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 5a4e130a0..4940653a3 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -46,7 +46,7 @@ profile apport-gtk @{exec_path} { @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index bdd2a0f54..65a19e0e0 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -30,7 +30,7 @@ profile check-new-release-gtk @{exec_path} { @{bin}/dpkg rPx, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index e7d6687d2..2d3eebbc2 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -27,7 +27,7 @@ profile do-release-upgrade @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index 3b4280e33..d5ad6e06c 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status 
@@ -15,7 +15,7 @@ profile hwe-support-status @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/{,**} r, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index c4c795649..8d55ec0b7 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -30,7 +30,7 @@ profile software-properties-dbus @{exec_path} { @{python_path} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/apt/apt.conf.d/10periodic w, /etc/apt/sources.list{,.save} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 64c83f5c8..bb31d8867 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -33,7 +33,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/ubuntu-advantage rPx, /usr/share/distro-info/*.csv r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 0e0dcdb0b..d69e7a4c4 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -45,7 +45,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/uname rix, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index e6a3e7152..88967baf8 100644 
--- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -27,7 +27,7 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index ea6318156..6c4dc4d77 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -35,7 +35,7 @@ profile update-notifier @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index c4741b09a..b7a62fc82 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -90,7 +90,7 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index a10df8394..e8a83892a 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -62,7 +62,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 39f30c5fe..8101b3008 100644 
--- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -84,7 +84,7 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 53038a6d7..ddcd99add 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -31,7 +31,7 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index b4baf1d0c..15f86bcf5 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -39,7 +39,7 @@ profile dropbox @{exec_path} { @{bin}/{,@{multiarch}-}objdump rix, @{open_path} rPx -> child-open-strict, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, owner @{HOME}/ r, owner @{config_dirs}/ rw, diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 4463ac581..366c2aed6 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -38,7 +38,7 @@ profile filezilla @{exec_path} { @{bin}/fzsftp rPx, # When using SFTP protocol @{bin}/fzputtygen rPUx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/filezilla/{,**} r, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 97fad1f13..b63a9e5ed 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo 
@@ -46,7 +46,7 @@ profile hardinfo @{exec_path} { @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 3fbb9b0fd..802cb85ae 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -62,7 +62,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rCx -> kmod, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 016dceae0..5b90dd3ef 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -34,7 +34,7 @@ profile kodi @{exec_path} { @{bin}/mv rix, @{bin}/uname rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/kodi/{,**} r, /usr/share/publicsuffix/* r, diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release new file mode 100644 index 000000000..23bada3ec --- /dev/null +++ b/apparmor.d/profiles-g-l/lsb-release 
@@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that +# does attach @{bin}/lsb_release. + +abi , + +include + +@{exec_path} = @{bin}/lsb_release +profile lsb-release @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/getopt rix, + @{bin}/head rix, + @{bin}/sed rix, + @{bin}/tr rix, + + #aa:only apt + @{bin}/dpkg-query px, + + /etc/ r, + /etc/*-release r, + /etc/lsb-release r, + /etc/lsb-release.d/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 48ed42d84..a85eb6790 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -30,7 +30,7 @@ profile mumble @{exec_path} { @{exec_path} mrix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{browsers_path} rPx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 9d7663ebb..2065dd814 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -29,7 +29,7 @@ profile murmurd @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/mumble-server.ini r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 24e0c61dd..02bf3bc56 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -34,7 +34,7 @@ profile psi @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 1d3850ba5..a455df0e9 100644 
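Review bot: `flags=(attach_disconnected)` on the new lsb-release profile is not explained by any rule in its body, which only runs a shell and coreutils over `/etc/*-release` files; if it was added to silence a specific denial, a comment naming the disconnected path would justify it, otherwise it can be dropped to keep the profile minimal. The `#aa:only apt` guard on `@{bin}/dpkg-query px` and the read-only `/etc` rules look appropriately tight. As with the rest of the series, the abstraction names on the `include` lines are missing from this rendering.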
--- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -34,7 +34,7 @@ profile psi-plus @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, From 43278aeda277619b5fe24252db8a9eea7dd8b02c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:36:52 +0200 Subject: [PATCH 540/672] feat(profile): rewrite the profile for hw-probe. --- apparmor.d/groups/utils/lsscsi | 24 ++++++++++++++ apparmor.d/profiles-g-l/hw-probe | 56 ++++++++++---------------------- 2 files changed, 41 insertions(+), 39 deletions(-) create mode 100644 apparmor.d/groups/utils/lsscsi diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi new file mode 100644 index 000000000..f0e7b4df2 --- /dev/null +++ b/apparmor.d/groups/utils/lsscsi @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsscsi +profile lsscsi @{exec_path} { + include + include + + @{exec_path} mr, + + / r, + + /dev/ r, + /dev/** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 802cb85ae..2b91fc612 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -11,7 +11,6 @@ include profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - include capability sys_admin, 
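Review bot: `/dev/** r` in the new lsscsi profile allows opening every device node for reading, which is far wider than enumerating SCSI devices needs; AppArmor does not mediate stat(), so resolving device names only needs `/dev/ r,` (and `/dev/*/ r,` if subdirectories are listed), with any individual node that the audit log shows being opened listed explicitly. The sysfs access lsscsi relies on presumably comes from the include whose name is missing in this rendering, so that cannot be checked here.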
@@ -37,28 +36,18 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{sbin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{sbin}/dkms rPx, @{bin}/dmesg rPx, - @{sbin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{sbin}/ethtool rCx -> netconfig, - @{sbin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{sbin}/hdparm rPx, - @{sbin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{sbin}/iw rCx -> netconfig, - @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rCx -> kmod, @@ -66,14 +55,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, + @{bin}/lsscsi rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{sbin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{sbin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -83,12 +71,20 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, + @{sbin}/biosdecode rPx, + @{sbin}/dkms rPx, + @{sbin}/dmidecode rPx, + @{sbin}/fdisk rPx, + @{sbin}/hdparm rPx, + @{sbin}/hwinfo rPx, + @{sbin}/rfkill rPx, + @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, owner @{HOME}/HW_PROBE/{,**} rw, - audit owner @{tmp}/*/ rw, + owner @{tmp}/@{rand10}/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @@ -118,6 +114,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } + profile curl flags=(attach_disconnected) { + include + + @{bin}/curl mr, + + include if exists + } profile pacman flags=(attach_disconnected) { include 
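Review bot: The `@@ -37,28 +36,18 @@` hunk removes `@{sbin}/ethtool`, `ifconfig`, `iw` and `iwconfig` together with the other `@{sbin}` tools, but unlike biosdecode, dkms, dmidecode, fdisk, hdparm, hwinfo, rfkill and smartctl they are not re-added in the `@@ -83,12 +71,20 @@` hunk, and the `netconfig` child profile they transitioned to is deleted in the following hunk; if hw-probe still invokes them they now need `rPx` rules (presumably to dedicated profiles), and if dropping them is intended a word in the commit message would help. In the same `@@ -83` hunk the directory rule is narrowed to `owner @{tmp}/@{rand10}/ rw,` while the file rule right below keeps the wildcard; for consistency it should become `owner @{tmp}/@{rand10}/cpu_perf rw,`. The new `curl` child profile carries no visible `network` rule, so outbound access presumably comes from the include whose name is missing in this rendering — worth confirming.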
@@ -199,31 +202,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } - profile netconfig flags=(attach_disconnected) { - include - - # Not needed - deny capability net_admin, - deny capability net_raw, - - network inet dgram, - network inet6 dgram, - network ipx dgram, - network ax25 dgram, - network appletalk dgram, - network netlink raw, - - @{sbin}/iw mr, - @{sbin}/ifconfig mr, - @{sbin}/iwconfig mr, - @{sbin}/ethtool mr, - - owner @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/net/dev r, - - include if exists - } - profile systemctl flags=(attach_disconnected) { include include From f443c71c7bb2db3f66440d9d230d994dacc3df4e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:05:53 +0200 Subject: [PATCH 541/672] tests: allow empty abstractions directory. --- tests/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 28adc7710..8b847db6f 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -390,7 +390,7 @@ check_profiles() { check_abstractions() { _msg "Checking abstractions" - mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( abstractions equivalent @@ -408,8 +408,8 @@ check_abstractions() { wait mapfile -t files < <( - find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" - find "$APPARMORD/mappings" -type f + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true + find "$APPARMORD/mappings" -type f 2>/dev/null || true ) # shellcheck disable=SC2034 jobs=0 From 1aee62f52cb02cbdb054c233a350f4f07d828e48 Mon Sep 17 00:00:00 2001 
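Review bot: `2>/dev/null || true` on the three `find` calls in check_abstractions hides every find error (unreadable entries, bad paths), not only the missing-directory case the commit targets, and the `|| true` is effectively a no-op inside a process substitution because mapfile never sees the subshell's exit status. Testing for the directory explicitly keeps real errors visible: `[[ -d "$APPARMORD/abstractions" ]] && find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*"`, and likewise for the `*.d` and `mappings` lookups in the second hunk.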
From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:07:02 +0200 Subject: [PATCH 542/672] feat(abs): mappings: add support for role from the sshd-session profile. --- apparmor.d/abstractions/mapping/sshd | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index 97f0b077e..0f7512710 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -15,6 +15,8 @@ capability audit_write, capability chown, capability dac_read_search, + capability fowner, + capability fsetid, capability kill, capability setgid, capability setuid, @@ -25,12 +27,14 @@ # but will fall back to a non-privileged version if it fails. deny capability net_admin, + network inet stream, network inet6 stream, network netlink raw, signal receive set=exists peer=@{p_systemd_journald}, signal receive set=hup peer=@{p_systemd}, + unix bind type=stream addr=@@{udbus}/bus/sshd-session/system, unix bind type=stream addr=@@{udbus}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 From 0366543c39cb495e7129aee373055133b2324823 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:09:37 +0200 Subject: [PATCH 543/672] feat(profile): add console-setup profiles. --- apparmor.d/profiles-a-f/console-setup-cached | 36 +++++++++++++++++++ .../profiles-a-f/console-setup-keyboard | 31 ++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-a-f/console-setup-cached create mode 100644 apparmor.d/profiles-a-f/console-setup-keyboard diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached new file mode 100644 index 000000000..332f05341 --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-cached 
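Review bot: `capability fowner` and `capability fsetid` are added to the shared sshd mapping without a comment, although the neighbouring `deny capability net_admin` explains its reasoning; fowner lets the process bypass ownership checks on chmod/utime-style operations and fsetid lets it keep setuid/setgid bits on files it modifies, so the operation in sshd-session that triggers them should be recorded, e.g. `# fowner/fsetid: required by sshd-session for <operation — TODO confirm from the audit log>`. If only one of the two is actually hit, keep just that one. Because this is a mapping abstraction, every profile that includes it inherits both capabilities, not only sshd-session.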
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh +profile console-setup-cached @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/ls ix, + @{bin}/mkdir ix, + @{bin}/setfont ix, + + /usr/share/consolefonts/{,**} r, + + @{run}/console-setup/ w, + @{run}/console-setup/font-loaded w, + + /dev/ r, + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard new file mode 100644 index 000000000..1f4045e2e --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-keyboard @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh +profile console-setup-keyboard @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/kbd_mode rix, + @{bin}/loadkeys rix, + + /etc/console-setup/{,**} r, + + /dev/tty@{int} rw, + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 9cb74ff384fd8bcdeade0e7eb016fabf79321651 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Jul 2025 23:22:12 +0200 Subject: [PATCH 544/672] feat(abs): general update --- apparmor.d/abstractions/app-open | 2 +- apparmor.d/abstractions/app/firefox | 3 ++- apparmor.d/abstractions/bus-session | 2 +- apparmor.d/abstractions/bus/org.freedesktop.NetworkManager | 7 ++++++- apparmor.d/abstractions/disks-read | 6 ++++++ 5 files changed, 16 insertions(+), 4 deletions(-) 
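Review bot: The exec modes in console-setup-cached mix `rix` (`@{sh_path}`, `@{bin}/gzip`) with bare `ix` (`@{bin}/ls`, `mkdir`, `setfont`) on consecutive lines; the companion console-setup-keyboard profile in the same patch uses `rix` throughout, so the three lines should read `@{bin}/ls rix,`, `@{bin}/mkdir rix,`, `@{bin}/setfont rix,` (or the whole block should drop the `r`). Both profiles grant `/dev/tty rw` and `/dev/tty@{int} rw` together with `capability sys_tty_config`, which is presumably what setfont and loadkeys need, and nothing wider is visible.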
diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index c7d2a86c8..59724f019 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -39,7 +39,7 @@ @{bin}/extension-manager Px, @{bin}/filezilla Px, @{bin}/flameshot Px, - @{bin}/gimp{,3} Px, + @{bin}/gimp{,-3.0} Px, @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 5e3bc15cb..1dd15f9d8 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -99,7 +99,8 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, - owner @{tmp}/remote-settings-startup-bundle- w, + owner @{tmp}/remote-settings-startup-bundle- rw, + owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 38d39a489..a1226d8e7 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -6,7 +6,7 @@ unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/{dbus,DBus} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 0f188e05a..78f0de9de 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager 
@@ -8,7 +8,7 @@ dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects + member={GetManagedObjects,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager @@ -51,6 +51,11 @@ member=Updated peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=@{busname}, label=NetworkManager), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 62e24b70d..e1bf31298 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -44,6 +44,12 @@ @{sys}/devices/virtual/block/loop@{int}/ r, @{sys}/devices/virtual/block/loop@{int}/** r, + # Xen PVH devices + @{sys}/devices/vbd-@{int}/block/** r, + + # Channel subsystem for IBM Z + @{sys}/devices/css@{int}/** r, + # LUKS/LVM (device-mapper) devices /dev/dm-@{int} rk, /dev/mapper/{,*} r, From f47babab8492b9b273da5e985f41cf2a1cddbba2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 15:21:01 +0200 Subject: [PATCH 545/672] fix(profile): pci slot adress. --- apparmor.d/abstractions/common/app | 1 + apparmor.d/groups/filesystem/udisksd | 1 + apparmor.d/profiles-s-z/zed | 1 + apparmor.d/profiles-s-z/zpool | 1 + 4 files changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index efb3c838b..a3fb2c5ef 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -78,6 +78,7 @@ @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, 
diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 1ff219bbe..ab3813973 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -121,6 +121,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index b131897d4..893cead5b 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -46,6 +46,7 @@ profile zed @{exec_path} { owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 2cb997fd7..e6033d9d2 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -31,6 +31,7 @@ profile zpool @{exec_path} { @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{PROC}/@{pids}/mountinfo r, From e5b6d5dd19e03cb488f748c84b5acb22c7e191ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 15:21:50 +0200 Subject: [PATCH 546/672] feat(profile): update nvidia tools. --- apparmor.d/profiles-m-r/nvidia-settings | 16 ++++++++++++++-- apparmor.d/profiles-m-r/nvidia-smi | 1 + 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 9e5944bff..771bbb3b6 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/nvidia-settings -profile nvidia-settings @{exec_path} { +profile nvidia-settings @{exec_path} flags=(attach_disconnected) { include include include @@ -21,8 +21,20 @@ profile nvidia-settings @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/devices r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 143808f76..9ea391400 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -21,6 +21,7 @@ profile nvidia-smi @{exec_path} { @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, From 223f611dfcb92f9cae02e9965491f8580b01a0ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:53:15 +0200 Subject: [PATCH 547/672] feat(abs): nvidia: ensure cuda is supported, cleanup common local path. --- apparmor.d/abstractions/nvidia-strict | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index ebaced47f..6fe815773 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict 
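Review bot: The `@{PROC}/driver/nvidia/capabilities/mig/{config,monitor}`, `owner @{PROC}/@{pid}/cmdline`, `/dev/char/@{dynamic}:@{int}`, `/dev/nvidia-caps/*` and `/dev/nvidia-uvm*` rules added to nvidia-settings are the same rules that appear as context in the nvidia-smi hunk below, and the two copies already differ by one line (`task/@{tid}/comm`); a shared abstraction for the nvidia tools would keep them in sync. `/dev/nvidia-caps/ rw` grants write on the directory itself, which a settings GUI should not need unless it creates nodes there — worth re-checking against the audit log before keeping the `w`. The new `attach_disconnected` flag is not explained by any added rule; a comment naming the disconnected path would help.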
@@ -6,18 +6,21 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, /etc/vdpau_wrapper.cfg r, - owner @{HOME}/.cache/nvidia/ w, - owner @{HOME}/.cache/nvidia/GLCache/ rw, - owner @{HOME}/.cache/nvidia/GLCache/** rwk, + owner @{HOME}/.nv/ w, owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + owner @{user_cache_dirs}/nvidia/ w, + owner @{user_cache_dirs}/nvidia/GLCache/ rw, + owner @{user_cache_dirs}/nvidia/GLCache/** rwk, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, From 13680be0a6a0421bdc2a59ec03284b55debd57ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:53:53 +0200 Subject: [PATCH 548/672] feat(fsp): sdu: add consoles --- apparmor.d/groups/_full/sdu | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 80d8c1fb9..f9c50b65f 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -23,6 +23,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -108,6 +109,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/kmsg w, + deny capability net_admin, profile shell flags=(attach_disconnected,mediate_deleted,complain) { @@ -123,10 +126,10 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include - audit capability net_admin, - owner @{run}/user/@{uid}/systemd/private rw, + deny capability net_admin, + include if exists include if exists } From 3b040aa5ca46513bd7058882c6bcde4b3f5d85dc Mon Sep 17 00:00:00 2001 
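Review bot: Replacing `audit capability net_admin,` with `deny capability net_admin,` in what appears to be the `shell` subprofile (its header is outside the hunk) also drops the log entry: a plain `deny` is quiet by default, so attempts to use net_admin from the shell will no longer appear in the audit log where the old rule recorded them. If the intent is to block and still see attempts, `audit deny capability net_admin,` keeps both, and the same applies to the `deny capability net_admin,` added to the parent profile in the previous hunk. The `/dev/kmsg w,` added in that hunk would also benefit from a short comment naming the writer, since it lets the confined process inject lines into the kernel log.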
From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:54:49 +0200 Subject: [PATCH 549/672] feat(profile): improve dpkg-scripts. --- apparmor.d/groups/apt/dpkg-scripts | 4 +++- apparmor.d/groups/apt/unattended-upgrade-shutdown | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e16d25bf2..d3994d0ec 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -11,6 +11,7 @@ profile dpkg-scripts @{exec_path} { include include include + include capability chown, capability dac_read_search, @@ -24,6 +25,7 @@ profile dpkg-scripts @{exec_path} { # Common program found in maintainer scripts @{sh_path} rix, @{coreutils_path} rix, + @{python_path} rix, @{bin}/run-parts rix, @{bin}/envsubst ix, @@ -51,8 +53,8 @@ profile dpkg-scripts @{exec_path} { @{bin}/** PUx, @{sbin}/** PUx, @{lib}/** PUx, + /etc/** PUx, /usr/share/** PUx, - /etc/init.d/* PUx, # Maintainer's scripts can update a lot of files / r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index f36505e7a..1fb667fae 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -20,6 +20,10 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{bin}/ischroot Px, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + /usr/share/unattended-upgrades/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, From f56163afb184d93df751f2ce571d90cd9b08ecbc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:56:24 +0200 Subject: [PATCH 550/672] feat(profile): ensure xdg portal can start any sandboxing tool. --- apparmor.d/groups/freedesktop/xdg-document-portal | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
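Review bot: `/etc/** PUx,` widens the exec rule from `/etc/init.d/*` to every file under `/etc`, and because `PUx` falls back to unconfined when no profile matches, any file placed under `/etc` can now be run without confinement from maintainer scripts. If the aim is to cover hooks outside `init.d`, listing the hook directories actually observed (`/etc/init.d/* PUx,` plus whatever triggered the change) keeps the previous scope; otherwise a comment on the line stating why the whole tree is needed would help the next reviewer. The `@{python_path} rix,` added in the earlier hunk keeps interpreters inside this profile, consistent with the `@{sh_path} rix,` above it.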
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 91a203d3a..93cac619e 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -39,8 +39,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/flatpak rPUx, + @{bin}/flatpak rPx, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/snap rPx, / r, owner @{att}/ r, @@ -64,6 +65,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { profile fusermount flags=(attach_disconnected) { include + include include capability dac_read_search, From 4f2abda92f0cfd1c2b412a23582c4ac253954d73 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:58:20 +0200 Subject: [PATCH 551/672] feat(profile): improve gnome programs. --- apparmor.d/groups/gnome/epiphany-search-provider | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 3 +++ apparmor.d/groups/gnome/gnome-shell | 12 +++++++++--- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/tracker-extract | 1 + 5 files changed, 15 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index e66450d09..2168382e0 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -29,6 +29,7 @@ profile epiphany-search-provider @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner @{user_cache_dirs}/epiphany/{,**} rwk, + owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/{,**} rwk, owner @{tmp}/ContentRuleList-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 104d95fb3..7cb982ca7 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect 
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -16,6 +16,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include @@ -29,6 +30,8 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index e977af95e..acae2d601 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -173,6 +173,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, + @{bin}/nvidia-smi rPx, # FIXME; for extension only + @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper @@ -227,6 +229,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{gdm_cache_dirs}/libgweather/ r, + owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, + owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, 
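Review bot: `@{bin}/nvidia-smi rPx, # FIXME; for extension only` flags itself as temporary but names neither the extension nor a tracking reference, so the FIXME cannot be resolved later, and `FIXME;` reads like a typo for `FIXME:`. Suggest `@{bin}/nvidia-smi rPx, # FIXME: needed by the <extension name> shell extension only, see <issue ref>` with the placeholders filled in. The other addition in this hunk (`glib-compile-schemas rPx`) is in line with the neighbouring `rPx` rules.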
@@ -234,11 +238,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_config_dirs}/pulse/ rw, owner @{gdm_config_dirs}/pulse/client.conf r, owner @{gdm_config_dirs}/pulse/cookie rwk, + owner @{gdm_local_dirs}/ w, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/applications/{,**} r, owner @{gdm_share_dirs}/gnome-shell/{,**} rw, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, @@ -263,7 +269,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/dbus-1/services/ r, - owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, + owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, @@ -271,7 +277,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, - owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 22823753b..c399eadc7 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor 
@@ -15,6 +15,7 @@ profile gnome-text-editor @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.TextEditor #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 83bf18b9b..e8612f7b6 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -70,6 +70,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} r, From 705eb11510c0d692173368609b1a10f419337800 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:04:18 +0200 Subject: [PATCH 552/672] feat(profile): improve some dbus rules. --- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 5 +++++ apparmor.d/groups/gvfs/gvfsd-http | 4 ++++ apparmor.d/groups/gvfs/gvfsd-trash | 6 +----- apparmor.d/groups/network/mullvad-gui | 3 +++ apparmor.d/groups/ssh/sshd | 5 +++++ apparmor.d/groups/virt/cockpit-wsinstance-factory | 3 +++ apparmor.d/profiles-s-z/virt-manager | 6 ++++++ 8 files changed, 28 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index aa84eebd9..e5443f505 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -32,7 +32,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved + member={InterfacesRemoved,InterfacesAdded} peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 9af8be00a..6c61dbba4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd 
@@ -33,6 +33,11 @@ profile gvfsd-dnssd @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2fe0a1e2b..92d6fbf64 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -24,6 +24,10 @@ profile gvfsd-http @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 9acfd6c86..e13f870c7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,6 +11,7 @@ include profile gvfsd-trash @{exec_path} { include include + include include include include @@ -21,11 +22,6 @@ profile gvfsd-trash @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label="{gnome-shell,nautilus}"), - dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 6075f14b2..c36d34e3f 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -14,6 +14,9 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include + include + include + include include network inet stream, 
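Review bot: The new Introspect rule in gvfsd-dnssd (`path=/`, `peer=(name=@{busname}, label=gnome-shell)`) and the one added to gvfsd-http in the next hunk (no `path=`, `peer=(name=:*, label=gnome-shell)`) describe the same gnome-shell introspection call with different shapes, so one is looser than the other for no visible reason. Within gvfsd-dnssd the existing rule a few lines up writes the same variable as `name="@{busname}"` while the new one writes `name=@{busname}`; one quoting form per file avoids the appearance of two different matchers. If the unrestricted `path=` in gvfsd-http is intentional, a comment saying so would settle it.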
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 75438c957..2494dc2c2 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -61,6 +61,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + @{exec_path} mrix, @{bin}/@{shells} Ux, #aa:exclude RBAC diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index b14a1e36f..99db4d614 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -9,6 +9,9 @@ include @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory profile cockpit-wsinstance-factory @{exec_path} { include + include + + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, capability net_admin, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 7c0443dae..fa17f5b1b 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,6 +12,10 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include include include include @@ -28,6 +32,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.virt-manager.virt-manager + @{exec_path} rix, @{sh_path} rix, From bfc6c51821b87fdca893c54555bf5ca5a060528b Mon Sep 17 00:00:00 2001 
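Review bot: The abstract socket name in `unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system,` ends in `cockpit-wsinsta`, which looks like a 15-character truncation of the process name rather than a deliberate identifier; without a comment a future maintainer may "correct" it to the full name and break the rule. If it is indeed derived from the truncated comm of cockpit-wsinstance-factory, say so inline, e.g. `# address uses the 15-char comm truncation of cockpit-wsinstance-factory — TODO confirm`. The bind rule is otherwise narrowly scoped (one address, stream only).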
From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:08:28 +0200 Subject: [PATCH 553/672] feat(profile): update some core system profiles. --- apparmor.d/profiles-a-f/dkms | 4 ++-- apparmor.d/profiles-a-f/fprintd | 3 +-- apparmor.d/profiles-a-f/fwupd | 11 +++++++---- apparmor.d/profiles-g-l/hw-probe | 16 +++++++++++----- apparmor.d/profiles-g-l/hwinfo | 6 +++++- apparmor.d/profiles-g-l/i2cdetect | 5 +++++ apparmor.d/profiles-g-l/kernel | 6 ++++-- apparmor.d/profiles-g-l/kernel-install | 3 +++ apparmor.d/profiles-m-r/pycompile | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 4 +++- 10 files changed, 42 insertions(+), 18 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 0a01e5db5..a0d5b08f9 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -30,13 +30,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/bc rix, @{bin}/clang-@{version} rix, @{bin}/gcc rix, + @{bin}/g++ rix, @{bin}/getconf rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, @{bin}/ld.lld rix, @{bin}/llvm-objcopy rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/make rix, @{bin}/objcopy rix, @{bin}/pahole rix, @@ -101,7 +102,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{tmp}/sh-thd.* rw, owner @{tmp}/tmp.* rw, - @{PROC}/cpuinfo r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 182d9013d..1d00dce88 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd 
@@ -32,8 +32,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, - @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 961b55c97..cf5989227 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -62,12 +62,15 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /boot/{,**} r, - /boot/EFI/*/.goutputstream-@{rand6} rw, - /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, - /boot/EFI/*/fwupdx@{int}.efi rw, + @{efi}/{,**} r, + @{efi}/EFI/*/.goutputstream-@{rand6} rw, + @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw, + @{efi}/EFI/*/fwupdx@{int}.efi rw, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + @{MOUNTDIRS}/*/{,@{efi}/} r, + @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, + /var/lib/flatpak/exports/share/mime/mime.cache r, /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 2b91fc612..739073201 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -33,6 +33,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/uname rix, + @{bin}/vulkaninfo rPUx, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, @@ -55,7 +56,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, - @{bin}/lsscsi rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, 
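Review bot: `@{MOUNTDIRS}/*/{,@{efi}/} r,` and `@{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r,` nest a variable that this same hunk uses as an absolute prefix (`@{efi}/{,**} r,`), so if `@{efi}` expands to values beginning with `/`, the alternation produces a double slash (`/<mountdir>/*//boot/efi/`, constructed example) and the rule may never match a real path. Worth checking the parser's expanded output, or writing the subdirectory without a leading slash if a variable for that exists. The rest of the hunk is a straight `/boot` → `@{efi}` substitution and reads fine.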
@@ -76,12 +76,15 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sbin}/dmidecode rPx, @{sbin}/fdisk rPx, @{sbin}/hdparm rPx, + @{bin}/boltctl rPUx, @{sbin}/hwinfo rPx, @{sbin}/rfkill rPx, @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, + @{efi}/EFI/{,**} r, + owner @{HOME}/HW_PROBE/{,**} rw, owner @{tmp}/@{rand10}/ rw, @@ -107,9 +110,9 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, + capability syslog, - @{sys}/module/compression r, + @{sys}/module/{,**} r, include if exists } @@ -169,9 +172,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{run}/log/ rw, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 4919d2fb2..314975208 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -28,6 +28,7 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, @{sbin}/acpidump rPUx, + @{bin}/lsscsi rPx, @{sbin}/dmraid rPUx, @@ -39,7 +40,7 @@ profile hwinfo @{exec_path} { @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/{,**} r, @{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, 
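Review bot: `@{bin}/boltctl rPUx,` is inserted between `@{sbin}/hdparm rPx,` and `@{sbin}/hwinfo rPx,`, breaking the grouping the surrounding lines follow (`@{bin}` entries first, then `@{sbin}`, alphabetical within each); it belongs with the other `@{bin}/* rPUx` lines such as `@{bin}/vulkaninfo rPUx,` added in the first hunk of this file. Moving it is a one-line change: `@{bin}/boltctl rPUx,` next to `@{bin}/vulkaninfo rPUx,`. The `@{efi}/EFI/{,**} r,` and `owner @{HOME}/HW_PROBE/{,**} rw,` additions are fine as written.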
@@ -70,9 +71,12 @@ profile hwinfo @{exec_path} { include include + capability sys_module, + owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index 5ce4da0bb..f101c56e6 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -13,8 +13,13 @@ profile i2cdetect @{exec_path} { @{exec_path} mr, + @{sys}/class/i2c-dev/ r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + owner @{PROC}/@{pid}/mounts r, + /dev/i2c-@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index d375a1bdd..c3155ce75 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -34,13 +34,15 @@ profile kernel @{exec_path} { @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, + @{bin}/bootctl rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/kernel-install rPx, @{bin}/systemd-detect-virt rPx, - @{sbin}/update-alternatives rPx, + @{lib}/dkms/dkms_autoinstaller rPx, @{sbin}/dkms rPx, + @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, @{lib}/modules/*/updates/ w, @{lib}/modules/*/updates/dkms/ w, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 614b81aeb..96d097417 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -41,6 +41,8 @@ profile kernel-install @{exec_path} { @{lib}/modules/*/modules.* w, + @{efi}/@{hex32}/** rw, + owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/[a-f0-9]*/*/ rw, owner /boot/[a-f0-9]*/*/{linux,initrd} w, @@ -52,6 +54,7 @@ profile kernel-install @{exec_path} { owner @{tmp}/sh-thd.* rw, + @{PROC}/@{pid}/mountinfo r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, 
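Review bot: `capability sys_module,` is added to a hwinfo subprofile (its header is outside the hunk) without a comment on which operation needs it; sys_module permits loading and unloading kernel modules, so it is worth recording whether the subprofile actually loads modules or merely queries them, in which case the `@{sys}/module/compression r,` read added alongside may be all that was missing. Suggest `capability sys_module, # <operation seen in the audit log> — TODO confirm`. The hw-probe hunk in this same commit replaced exactly these two lines, so this looks like a move between profiles; a one-line mention in the commit message would avoid it reading as an unrelated widening.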
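Review bot: `@{efi}/@{hex32}/** rw,` in kernel-install has no `owner` qualifier while the neighbouring `owner /boot/[a-f0-9]*/*/ rw,` rules that appear to cover the same machine-id directory do, and the two use different patterns for the same component (`@{hex32}` versus `[a-f0-9]*`). If `owner` is dropped because the ESP is a vfat mount where ownership is not meaningful, a comment saying so would explain the asymmetry; otherwise aligning both rules on `@{hex32}` and the same qualifier keeps the profile readable.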
diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index b684c3094..c308dcd91 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -11,7 +11,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include include include - # include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index 9a4b5cebe..dfdd00524 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,8 +24,10 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-*/name r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r, @{sys}/devices/@{pci}/net/*/duplex r, + @{sys}/devices/**/i2c-*/name r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, @{sys}/devices/virtual/net/*/duplex r, From af8c66e9bf456a5770584bf03019548ee67d5020 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:14:25 +0200 Subject: [PATCH 554/672] feat(profile): upgrade cockpit profiles. --- apparmor.d/groups/virt/cockpit-certificate-helper | 1 + apparmor.d/groups/virt/cockpit-desktop | 2 ++ apparmor.d/groups/virt/cockpit-tls | 3 +++ apparmor.d/groups/virt/cockpit-ws | 4 +++- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index ac9dd5f6f..303fd074c 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -21,6 +21,7 @@ profile cockpit-certificate-helper @{exec_path} { @{bin}/openssl rix, @{bin}/rm rix, @{bin}/sscg rix, + @{bin}/sync rix, @{bin}/tr rix, /etc/machine-id r, 
diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index c2a7455ce..bb1ba03bf 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -10,6 +10,8 @@ include profile cockpit-desktop @{exec_path} { include + userns, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 0037b132c..7bf43ed4a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,6 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, + owner @{run}/cockpit/tls/{,**} rw, include if exists diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 7b0779119..8e3478072 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cockpit/cockpit-ws -profile cockpit-ws @{exec_path} { +profile cockpit-ws @{exec_path} flags=(attach_disconnected) { include include include @@ -21,6 +21,8 @@ profile cockpit-ws @{exec_path} { /usr/share/pixmaps/{,**} r, /etc/cockpit/ws-certs.d/ r, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, From c2740ffe241a13c85c53d7a8d99d4946b5509414 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:15:04 +0200 Subject: [PATCH 555/672] feat(profile): xwayland: add integration with desktop local paths. --- apparmor.d/groups/freedesktop/xwayland | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 03b418684..9b329e06a 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland 
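Review bot: `userns,` is added to cockpit-desktop with no comment explaining what needs an unprivileged user namespace; user namespaces widen the kernel surface reachable from the confined process, so this is a rule reviewers revisit, and a note naming the consumer (presumably something it launches — not visible here) would save them the investigation. Suggest `userns, # <consumer> needs unprivileged user namespaces — TODO confirm`.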
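Review bot: `@{run}/cockpit/wsinstance/https@@{hex64}.sock r,` in cockpit-ws grants only read on a socket path, whereas socket endpoints that are connected to in this profile set normally carry `rw`; if cockpit-ws actually connects to this socket rather than only inspecting an inherited fd, `r` alone may be denied at connect time. A comment stating which it is (`# socket is inherited as an fd, only inspected` or similar), or `rw` if the audit log shows a connect denial, would settle it. cockpit-tls gets the same `r`-only rule on the same path in the previous hunk, so the decision applies to both.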
@@ -29,6 +29,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, + / r, + + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, From 8042dd4a348fc3778c107d94a9ef1e70c11ec181 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:09:34 +0200 Subject: [PATCH 556/672] chore: replace make full by make fsp. --- Makefile | 8 ++++++-- docs/full-system-policy.md | 17 ++++++++--------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/Makefile b/Makefile index 8bc8757bc..854d39f16 100644 --- a/Makefile +++ b/Makefile @@ -22,8 +22,12 @@ build: enforce: build @./${BUILD}/prebuild -.PHONY: full -full: build +.PHONY: fsp +fsp: build + @./${BUILD}/prebuild --full + +.PHONY: fsp-complain +fsp-complain: build @./${BUILD}/prebuild --complain --full .PHONY: install diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index c747cb739..016ed8ada 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md 
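Review bot: Renaming `full` to `fsp` also changes what the target builds — `full` ran `prebuild --complain --full`, while the new `fsp` runs `prebuild --full` and only `fsp-complain` keeps the old behaviour — so packagers following the doc's "replace `make full` by `make fsp`" move from a complaining full-system policy to an enforcing one without being told. The doc context in this commit notes the desktop will not start without explicit support, so an unexpected switch to enforce is worth a sentence in the docs and, for a transition period, a `full:` alias that points at `fsp-complain` so existing PKGBUILDs do not silently change mode. The `.PHONY` declarations are updated consistently.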
@@ -27,7 +27,6 @@ Particularly: - Every system application will be **blocked** if they do not have a profile. - Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile. - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. -- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. - PID 1 is the last program that should be confined. It does not make sense to confine only PID. All other programs must be confined first. @@ -47,11 +46,11 @@ Optimize=compress-fast === ":material-arch: Archlinux" - In `PKGBUILD`, replace `make` by `make full`: + In `PKGBUILD`, replace `make` by `make fsp`: ```diff - make - + make full + + make fsp ``` Then, build the package with: `make pkg` @@ -62,7 +61,7 @@ Optimize=compress-fast ```make override_dh_auto_build: - make full + make fsp ``` Then, build the package with: `make dpkg` @@ -73,25 +72,25 @@ Optimize=compress-fast ```make override_dh_auto_build: - make full + make fsp ``` Then, build the package with: `make dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build full` + In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp` ```diff - %make_build - + %make_build full + + %make_build fsp ``` Then, build the package with: `make rpm` === ":material-home: Partial Install" - Use the `make full` command to build instead of `make` + Use the `make fsp` command to build instead of `make` ## Structure 
@@ -149,7 +148,7 @@ In addition to the `systemd` profiles, a full system policy needs to ensure that The main fallback profile (`default`) is not intended to be used by privileged program or service. Such programs **must** have they dedicated profile and would break otherwise. -Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). +Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full From 6b5fad404bc8d979371d9efc7812c4e50d82bd25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:19:35 +0200 Subject: [PATCH 557/672] feat(profile): add free --- apparmor.d/groups/procps/free | 19 +++++++++++++++++++ tests/integration/procps/free.bats | 18 ++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 apparmor.d/groups/procps/free create mode 100644 tests/integration/procps/free.bats diff --git a/apparmor.d/groups/procps/free b/apparmor.d/groups/procps/free new file mode 100644 index 000000000..56075ae1c --- /dev/null +++ b/apparmor.d/groups/procps/free @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/free +profile free @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/free.bats b/tests/integration/procps/free.bats new file mode 100644 index 000000000..dcc216bfa --- /dev/null +++ b/tests/integration/procps/free.bats 
@@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "free: Display system memory" { + free +} + +@test "free: Display memory in GB" { + free -g +} + +@test "free: Display memory in human-readable units" { + free -h +} From 771dd9b589e15c66038a28e1d469391f25a962bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:22:26 +0200 Subject: [PATCH 558/672] feat(profile): add pidof --- apparmor.d/groups/procps/pidof | 18 ++++++++++++++++++ tests/integration/procps/pidof.bats | 19 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 apparmor.d/groups/procps/pidof create mode 100644 tests/integration/procps/pidof.bats diff --git a/apparmor.d/groups/procps/pidof b/apparmor.d/groups/procps/pidof new file mode 100644 index 000000000..3413eb6c3 --- /dev/null +++ b/apparmor.d/groups/procps/pidof @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pidof +profile pidof @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/pidof.bats b/tests/integration/procps/pidof.bats new file mode 100644 index 000000000..ec20cbe86 --- /dev/null +++ b/tests/integration/procps/pidof.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pidof: List all process IDs with given name" { + pidof systemd + pidof bash +} + +@test "pidof: List a single process ID with given name" { + pidof -s bash +} + +@test "pidof: List process IDs including scripts with given name" { + pidof -x bash +} From c85ed58fa98935d9d475496f02347a2319ce4992 Mon Sep 17 00:00:00 2001 
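Review bot: The `pidof` profile body grants only `@{exec_path} mr,` plus one include, yet the bats file in the same patch runs `pidof -x bash`, which reads `/proc/<pid>/cmdline` of every process, and cmdline reads of a task under a different AppArmor label go through the ptrace read check. Unless the (stripped) include already supplies it, the profile needs `ptrace read, # /proc/*/cmdline of processes under other labels (-x)`, and the denial would only surface under a full system policy where most processes are labelled. Because a bare `ptrace read` also exposes environ and maps of every visible process, the comment should state that DAC (same uid or root) remains the effective boundary; both points depend on what the include brings in, which is not visible here.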
From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:30:21 +0200 Subject: [PATCH 559/672] feat(profile): add vmstat --- apparmor.d/groups/procps/vmstat | 27 +++++++++++++++++++++++++++ tests/integration/procps/vmstat.bats | 25 +++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 apparmor.d/groups/procps/vmstat create mode 100644 tests/integration/procps/vmstat.bats diff --git a/apparmor.d/groups/procps/vmstat b/apparmor.d/groups/procps/vmstat new file mode 100644 index 000000000..1276222a2 --- /dev/null +++ b/apparmor.d/groups/procps/vmstat @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/vmstat +profile vmstat @{exec_path} { + include + include + + @{exec_path} mr, + + @{sys}/block/ r, + @{sys}/devices/system/node/ r, + + @{PROC}/diskstats r, + @{PROC}/slabinfo r, + @{PROC}/uptime r, + @{PROC}/vmstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/vmstat.bats b/tests/integration/procps/vmstat.bats new file mode 100644 index 000000000..e5900a324 --- /dev/null +++ b/tests/integration/procps/vmstat.bats @@ -0,0 +1,25 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "vmstat: Display virtual memory statistics" { + vmstat + vmstat --active + vmstat --forks +} + +@test "vmstat: Display disk statistics" { + vmstat --disk + vmstat --disk-sum +} + +@test "vmstat: Display slabinfo" { + sudo vmstat --slabs +} + +@test "vmstat: Display reports every second for 3 times" { + vmstat 1 3 +} From e6939f4968d50bff639882e5bc34d81ea462ff4e Mon Sep 17 00:00:00 2001 
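Review bot: `@{PROC}/slabinfo r,` in the new `vmstat` profile deserves a comment, because /proc/slabinfo is typically root-only (mode 0400) and exposes kernel allocator state, and the test only exercises it as `sudo vmstat --slabs`; a later reader who sees an unprivileged denial might otherwise try to "fix" it with a capability instead of recognising the DAC limit. Suggested line: `@{PROC}/slabinfo r, # root only (0400), needed for --slabs`. The remaining rules (`@{sys}/block/`, `@{PROC}/diskstats`, `@{PROC}/vmstat`) are plain reads and look right.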
From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:37:07 +0200 Subject: [PATCH 560/672] feat(profile): add pgrep. --- apparmor.d/groups/procps/pgrep | 22 ++++++++++++++++++++++ tests/integration/procps/pgrep.bats | 19 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 apparmor.d/groups/procps/pgrep create mode 100644 tests/integration/procps/pgrep.bats diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep new file mode 100644 index 000000000..950aeb99e --- /dev/null +++ b/apparmor.d/groups/procps/pgrep @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pgrep +profile pgrep @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{PROC}/tty/drivers r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/pgrep.bats b/tests/integration/procps/pgrep.bats new file mode 100644 index 000000000..9fd6b92f8 --- /dev/null +++ b/tests/integration/procps/pgrep.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pgrep: Return PIDs of any running processes with a matching command string" { + pgrep systemd +} + +@test "pgrep: Search for processes including their command-line options" { + pgrep --full 'systemd' +} + +@test "pgrep: Search for processes run by a specific user" { + pgrep --euid root systemd-udevd +} + From e30372b729467fdb4aeafd6be6c206354b4077d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:52:29 +0200 Subject: [PATCH 561/672] ci: use fsp instead of full command. --- .github/workflows/main.yml | 2 +- .gitlab-ci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cac8fce43..973287e72 100644 
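Review bot: The `pgrep` profile lists only `@{exec_path} mr,` and `@{PROC}/tty/drivers r,` beyond its three includes, but the test `pgrep --full 'systemd'` reads `/proc/<pid>/cmdline` of every process, which AppArmor subjects to the ptrace read check for tasks under another label; unless one of the stripped includes provides it, `ptrace read,` is required and will only be missed on a full system policy. If it is added, record why a process-inspection permission sits in an otherwise read-only profile, e.g. `ptrace read, # cmdline/status of all processes for --full and --euid`.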
--- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -38,7 +38,7 @@ jobs: - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + echo -e "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules fi if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then # Test with Re-attach disconnected path diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f697637fa..8adab16ab 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -117,7 +117,7 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + - echo "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules opensuse: stage: build From 277bd7f46aa43ad90ca8242cfb823e4ef3f68044 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:53:37 +0200 Subject: [PATCH 562/672] feat(profile): ensure gtk-query-immodule is not version dependent. --- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/profiles-g-l/gtk-query-immodules | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index e9f3bf807..ff43e2196 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -71,7 +71,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{sbin}/groupadd rPx, - @{bin}/gtk-query-immodules-{2,3}.0 rPx, + @{bin}/gtk-query-immodules-* rPx, @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index 509769698..e6d37db44 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* +@{exec_path} = @{bin}/gtk-query-immodules-* @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* profile gtk-query-immodules @{exec_path} { include include From e6b044376f7ef7f2a6850bf0461927b5432eeb0c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:14:24 +0200 Subject: [PATCH 563/672] fix(profile): update archlinux-keyring requirements. fix #784 --- apparmor.d/groups/gpg/gpg | 5 ++--- apparmor.d/groups/pacman/pacman-key | 3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 247c6e4ac..f05f6492e 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -33,9 +33,8 @@ profile gpg @{exec_path} { /etc/inputrc r, #aa:only pacman - /etc/pacman.d/gnupg/gpg.conf r, - /etc/pacman.d/gnupg/pubring.gpg r, - /etc/pacman.d/gnupg/trustdb.gpg r, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt owner /etc/apt/keyrings/ rw, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index a5cee6fa9..9e3bde188 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -34,7 +34,8 @@ profile pacman-key @{exec_path} { /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/** r, - /etc/pacman.d/gnupg/* rw, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, /dev/tty rw, From 51cb732ecaeb6e2c7cf7c9f936c4c26c9b9bf561 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:17:13 +0200 Subject: [PATCH 564/672] fix(profile): ensure hyprland can integrate with wine/proton fix #783 --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index c06671b34..9f2e7583d 100644 
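Review bot: `/etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,` turns the general-purpose `gpg` profile's access to the distribution's package-signing keyring from read-only (`gpg.conf`, `pubring.gpg`, `trustdb.gpg` with `r`) into read/write/lock/link, and that keyring is the trust root pacman verifies packages against; the `#aa:only pacman` marker limits the rule to Arch builds, not to a particular caller, so every gpg run as root under this profile can now alter it. DAC already makes the directory root-only, so the practical widening is confined to root, but the rule should at least say why it is there, e.g. `# pacman-key runs gpg as root to import/update archlinux-keyring (#784)`. If the project's tooling allows it, a child profile for gpg when invoked by pacman-key would keep the write grant from following every root gpg invocation; the pacman-key hunk in the same patch gains the matching directory rules and is consistent with this one.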
--- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -14,6 +14,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, From b754c1134c8be44034893bb4accee769dcc4ea63 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:37:49 +0200 Subject: [PATCH 565/672] fix(profile) wechat profile permissions fix #772 --- apparmor.d/profiles-s-z/wechat | 0 apparmor.d/profiles-s-z/wechat-appimage | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 apparmor.d/profiles-s-z/wechat mode change 100755 => 100644 apparmor.d/profiles-s-z/wechat-appimage diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat old mode 100755 new mode 100644 diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage old mode 100755 new mode 100644 From d6f4ff57b65bc641c96775c38aa7bbce55f4aff6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:47:39 +0200 Subject: [PATCH 566/672] fix: linter check. --- apparmor.d/groups/gpg/gpg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index f05f6492e..1a3f7f4d9 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -34,7 +34,7 @@ profile gpg @{exec_path} { #aa:only pacman /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt owner /etc/apt/keyrings/ rw, From 1b1a4c11ac22ab1aba9fd4bbff3619593a2454b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:51:18 +0200 Subject: [PATCH 567/672] feat(profile): gpg: improve integration with access to gpg-agent. --- apparmor.d/groups/gpg/gpg | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 1a3f7f4d9..7ebb9e3a4 100644 
--- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -68,6 +68,7 @@ profile gpg @{exec_path} { owner /tmp/@{int}@{int} rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, From e9fbc3503636273f0d36697a38f4f061049a38d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:52:26 +0200 Subject: [PATCH 568/672] feat(profile): minor sshd improvement. --- apparmor.d/groups/ssh/sshd-auth | 2 ++ apparmor.d/groups/ssh/sshd-session | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth index cb4defc0f..c1601b813 100644 --- a/apparmor.d/groups/ssh/sshd-auth +++ b/apparmor.d/groups/ssh/sshd-auth @@ -24,6 +24,8 @@ profile sshd-auth @{exec_path} { @{exec_path} mr, @{sbin}/sshd.hmac r, + /etc/gss/mech.d/{,*} r, + include if exists } diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index e74696334..5f09af5cc 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -47,6 +47,11 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + @{exec_path} mr, @{bin}/@{shells} Ux, #aa:exclude RBAC From 51560bbbf562a7e47ffe4776a1092e3aa78709ec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:53:29 +0200 Subject: [PATCH 569/672] feat(profile): update mullvad. --- apparmor.d/groups/network/mullvad-daemon | 13 +++++++++---- apparmor.d/groups/network/mullvad-gui | 2 ++ 2 files changed, 11 insertions(+), 4 deletions(-) 
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 6c4c41e6c..9573d7044 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -10,6 +10,7 @@ include @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability dac_override, @@ -39,7 +40,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { "/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*" r, - /etc/mullvad-vpn/{,*} r, + /etc/mullvad-vpn/ rw, + /etc/mullvad-vpn/* r, /etc/mullvad-vpn/@{uuid} rw, /etc/mullvad-vpn/*.json rw, @{etc_rw}/resolv.conf rw, @@ -49,16 +51,19 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, + owner @{tmp}/@{uuid} rw, + owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, - owner @{tmp}/@{uuid} rw, - owner @{tmp}/talpid-openvpn-@{uuid} rw, - + @{PROC}/@{pid}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index c36d34e3f..ae9b4cb7f 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -37,6 +37,8 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/mullvad-vpn rw, + /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, 
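Review bot: `/etc/mullvad-vpn/ rw,` replaces the earlier `/etc/mullvad-vpn/{,*} r` with write access on the directory itself, which permits creating, renaming and removing entries in the daemon's configuration directory, while the file rules next to it (`/etc/mullvad-vpn/@{uuid} rw`, `/etc/mullvad-vpn/*.json rw`) already name what the daemon writes. Write on the directory is only needed if the daemon creates the directory or rotates files under names the file rules do not cover, and the hunk does not say which; a comment such as `# created on first start` (if that is the reason) would let a reviewer check the grant against the daemon's behaviour. The `mullvad-gui` line `@{run}/mullvad-vpn rw,` without `owner` is expected for a root-owned daemon socket.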
From 35ae596fd98800f52057f338f214f736aad094e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:56:31 +0200 Subject: [PATCH 570/672] feat(profile): general update on some core profiles. --- apparmor.d/profiles-a-f/dkms | 5 +++-- apparmor.d/profiles-g-l/gimp | 4 ++++ apparmor.d/profiles-g-l/libreoffice | 3 ++- apparmor.d/profiles-m-r/initramfs-hooks | 6 +++--- apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/nvidia-smi | 2 +- apparmor.d/profiles-m-r/ollama | 7 +++++++ apparmor.d/profiles-m-r/power-profiles-daemon | 3 +++ apparmor.d/profiles-s-z/speech-dispatcher | 6 +++++- apparmor.d/profiles-s-z/terminator | 1 + apparmor.d/profiles-s-z/update-shells | 4 +++- apparmor.d/profiles-s-z/virt-manager | 1 + apparmor.d/profiles-s-z/whoopsie | 2 ++ 13 files changed, 36 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index a0d5b08f9..5a0885143 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -29,8 +29,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/as rix, @{bin}/bc rix, @{bin}/clang-@{version} rix, - @{bin}/gcc rix, @{bin}/g++ rix, + @{bin}/gcc rix, @{bin}/getconf rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @@ -44,8 +44,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{sbin}/update-secureboot-policy rPUx, + @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/update-secureboot-policy rPUx, @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index b335650d8..67b625d62 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -28,6 +28,7 @@ profile gimp @{exec_path} { @{python_path} rix, @{bin}/env rix, + @{bin}/gimp-debug-tool-3.0 rix, @{bin}/gimp-script-fu-interpreter-* rix, @{bin}/gjs-console rix, @{bin}/lua rix, 
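Review bot: `@{bin}/gimp-debug-tool-3.0 rix,` pins a minor version into the path while the neighbouring rule uses a glob (`@{bin}/gimp-script-fu-interpreter-* rix,`) and the dkms hunk in this same patch uses `@{version}` (`@{bin}/clang-@{version} rix,`), so the rule will silently stop matching on the next GIMP release. Prefer `@{bin}/gimp-debug-tool-@{version} rix,`, or `@{bin}/gimp-debug-tool-* rix,` if the project's `@{version}` variable does not cover the `3.0` form. The gimp profile body continues outside this hunk.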
@@ -41,6 +42,7 @@ profile gimp @{exec_path} { /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, + /usr/share/poppler/{,**} r, /usr/share/xml/iso-codes/{,**} r, /etc/fstab r, @@ -68,6 +70,8 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, + @{run}/mount/utab r, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index b21642cf8..4bed50f13 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -81,6 +81,7 @@ profile libreoffice @{exec_path} { /etc/papersize r, /etc/xdg/* r, + /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, @@ -93,7 +94,7 @@ profile libreoffice @{exec_path} { owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, - owner @{tmp}/ r, + @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index aeb125ef2..5896df049 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -25,10 +25,10 @@ profile initramfs-hooks @{exec_path} { @{lib}/klibc/bin/fstype ix, /usr/share/mdadm/mkconf Px, - @{bin}/* r, - @{sbin}/* r, + @{bin}/* mr, + @{sbin}/* mr, @{lib}/ r, - @{lib}/** r, + @{lib}/** mr, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index 8139ac68e..c922942ec 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -19,6 +19,7 @@ profile mdadm-mkconf @{exec_path} { @{sbin}/mdadm Px, /etc/default/mdadm r, + /etc/mdadm/mdadm.conf r, / r, 
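Review bot: `@{bin}/* mr,`, `@{sbin}/* mr,` and `@{lib}/** mr,` in `initramfs-hooks` add PROT_EXEC mapping of every binary and library on the system to the hook profile, which is exactly what an in-process loader (ld.so, dlopen) needs, so the explicit `ix`/`Px` transitions listed above them no longer bound which code can run inside the profile. That is presumably unavoidable if the hooks resolve dependencies with `ldd`, which maps the inspected binary with exec permission, but the hunk gives no reason; a comment such as `# copy_exec resolves shared-library dependencies with ldd, which maps the target with PROT_EXEC` would make the trade-off explicit. The enclosing profile continues outside the hunk.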
diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 9ea391400..1d6d62e2b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -25,7 +25,7 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-caps/nvidia-cap@{int} rw, /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools r, diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 7b5521802..73447e33e 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -38,8 +38,15 @@ profile ollama @{exec_path} flags=(attach_disconnected) { owner @{tmp}/ollama@{int}/{,**} rw, owner @{tmp}/ollama@{int}/runners/{,**} mr, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/devices/@{pci}/drm/card@{int}/*/ r, + @{sys}/devices/@{pci}/mem_info_vram_total r, + @{sys}/devices/@{pci}/mem_info_vram_used r, @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 43f27b2fc..636f41754 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon 
@@ -30,10 +30,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, @{sys}/class/ r, + @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher index 652a7d9ed..0267d6889 100644 --- a/apparmor.d/profiles-s-z/speech-dispatcher +++ b/apparmor.d/profiles-s-z/speech-dispatcher @@ -20,16 +20,20 @@ profile speech-dispatcher @{exec_path} { @{exec_path} mr, @{sh_path} ix, + @{lib}/speech-dispatcher-modules/* ix, @{lib}/speech-dispatcher/** r, @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, /etc/machine-id r, /etc/speech-dispatcher/{,**} r, + owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner @{run}/user/@{uid}/speech-dispatcher/ rw, owner @{run}/user/@{uid}/speech-dispatcher/** rwk, - owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner /dev/shm/sem.@{rand6} rw, + owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6}, include if exists } diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 679a0fd32..5c79d0efe 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/terminator profile terminator @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells index 46b6699c8..5922c1a14 100644 --- a/apparmor.d/profiles-s-z/update-shells +++ b/apparmor.d/profiles-s-z/update-shells 
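Review bot: `owner /dev/shm/sem.@{rand6} rw,` together with `owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6},` in `speech-dispatcher` looks like the temporary-name-then-link sequence a `sem_open()` implementation performs, but nothing says so, and the first rule on its own lets the daemon open any of the user's six-character POSIX semaphores in /dev/shm, not only its own. The glob cannot be narrowed because the temporary name is random, so a comment is the only way to record why a wildcard semaphore rule exists: `owner /dev/shm/sem.@{rand6} rw, # sem_open() temp name, linked to the final name below`. The move of `owner @{user_config_dirs}/speech-dispatcher/{,**} r,` is cosmetic.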
@@ -17,12 +17,14 @@ profile update-shells @{exec_path} { @{bin}/chmod ix, @{bin}/chown ix, @{bin}/dirname ix, - @{bin}/dpkg-realpath ix, + @{bin}/dpkg-realpath rix, @{bin}/mv ix, @{bin}/sync ix, + @{bin}/readlink ix, /usr/share/debianutils/shells r, /usr/share/debianutils/shells.d/{,**} r, + /usr/share/dpkg/sh/dpkg-error.sh r, /etc/shells r, /etc/shells.tmp w, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index fa17f5b1b..aed85abe3 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -84,6 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie index 16a0e5a5e..0c03f4a76 100644 --- a/apparmor.d/profiles-s-z/whoopsie +++ b/apparmor.d/profiles-s-z/whoopsie @@ -25,6 +25,8 @@ profile whoopsie @{exec_path} { owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/lock rwk, + @{sys}/devices/virtual/dmi/id/product_uuid r, + include if exists } From 06d23ac72cc646cee3ea0e5417f0b50e3092b1ef Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 2 Jul 2025 05:29:55 +0200 Subject: [PATCH 571/672] Fix strawberry profile --- apparmor.d/profiles-s-z/strawberry | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 84bbcf1f2..611c8462d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry 
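Review bot: `@{bin}/readlink ix,` is inserted after `@{bin}/sync ix,`, breaking the alphabetical order the rest of the list keeps (`chmod`, `chown`, `dirname`, `dpkg-realpath`, `mv`, `sync`); move it between `mv` and `sync`. `@{bin}/dpkg-realpath rix,` correctly adds `r` for a script, and `/usr/share/dpkg/sh/dpkg-error.sh r,` is presumably the helper it sources, so a short `# sourced by dpkg-realpath` comment would tie the two rules together. The update-shells profile body continues outside the hunk.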
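Review bot: `@{run}/libvirt/libvirt-sock rw,` in `virt-manager` grants direct access to the system-wide libvirtd socket next to the per-user `@{run}/user/@{uid}/libvirt/*.lock` rules that carry `owner`; a client on that socket can manage privileged system domains, so the grant is security-relevant and should state that what remains is DAC on the socket (typically the libvirt group) and polkit, e.g. `@{run}/libvirt/libvirt-sock rw, # qemu:///system; DAC/polkit decide who may connect`. No `owner` qualifier is possible because the socket is root-owned, which is why the comment matters.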
@@ -69,8 +69,8 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, owner @{tmp}/etilqs_@{sqlhex} rw, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, + owner @{tmp}/kdsingleapp-*-strawberry w, + owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, From e92f2fb453ea53d4a6da31bc61f95466e2be47a4 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 29 Jun 2025 19:35:08 +0200 Subject: [PATCH 572/672] ouch: allow listing archive contents --- apparmor.d/profiles-m-r/ouch | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index a5b62ca93..d0bb4a1ed 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -17,11 +17,16 @@ profile ouch @{exec_path} { owner @{HOME}/.tmp@{rand6}/{,**} rw, owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw, + owner /tmp/ w, + owner /tmp/.tmp@{rand6}/{,**} rw, + owner /tmp/.tmp-ouch@{rand6}/{,**} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } From 2e9d450fde3d0499762d5961f4f881e81decb105 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Mon, 23 Jun 2025 17:58:52 +0800 Subject: [PATCH 573/672] Fix tlp start issue --- apparmor.d/profiles-s-z/tlp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 9faea6e3e..7c0a3d2c8 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp 
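Review bot: `owner /tmp/ w,` in `ouch` uses the literal path where the rest of the file (`@{HOME}`, `@{PROC}`) and the other profiles in this series (`@{tmp}` in libreoffice and strawberry) use the variable, and on a standard install `owner` on `/tmp/` itself can only match for root, since /tmp is root-owned; the libreoffice hunk in PATCH 570 dropped `owner` from `@{tmp}/ r` for what is presumably the same reason. Creating `/tmp/.tmp@{rand6}/` is covered by the `w` in the following rule, not by `w` on the parent directory, so the line appears unnecessary. Suggest dropping it and writing the remaining two as `owner @{tmp}/.tmp@{rand6}/{,**} rw,` and `owner @{tmp}/.tmp-ouch@{rand6}/{,**} rw,`.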
@@ -16,6 +16,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability sys_nice, @@ -48,6 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, @{bin}/uname rix, + @{bin}/timeout rix, /usr/share/tlp/tlp-readconfs rix, / r, @@ -104,7 +106,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include - @{run}/tlp/lock_tlp rw, + @{run}/tlp/lock_tlp rw, # file_inherit include if exists } From d855eeccd746b8ecaeaf3cc7f144715909d5136f Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Mon, 23 Jun 2025 18:01:31 +0800 Subject: [PATCH 574/672] Not use tabs --- apparmor.d/profiles-s-z/tlp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 7c0a3d2c8..3eb0800f9 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -49,7 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, @{bin}/uname rix, - @{bin}/timeout rix, + @{bin}/timeout rix, /usr/share/tlp/tlp-readconfs rix, / r, From 97d5fe3f6865217f16d05876235ce68b4572312d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 11 Jul 2025 19:37:40 +0200 Subject: [PATCH 575/672] feat(abs): user-read/write: allow files directly on the home directory. --- apparmor.d/abstractions/user-read-strict | 1 + apparmor.d/abstractions/user-write-strict | 1 + 2 files changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index f7eb186b5..9626bb0bc 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* rk, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk, 
diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 026825b27..88d52203e 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* wl, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl, From a79e46acdd3768be0ab4f58ac026057a41274ad7 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 18 Jun 2025 22:27:18 +0200 Subject: [PATCH 576/672] add profile for whois --- apparmor.d/profiles-s-z/whois | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 apparmor.d/profiles-s-z/whois diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois new file mode 100644 index 000000000..8353f81d0 --- /dev/null +++ b/apparmor.d/profiles-s-z/whois @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whois +profile whois @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /etc/whois.conf r, + + include if exists +} + +# vim:syntax=apparmor From 8fc70859aaef7cc20181ac6d115a6ff8ca5a9162 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 18 Jun 2025 22:35:59 +0200 Subject: [PATCH 577/672] fix include --- apparmor.d/profiles-s-z/whois | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois index 8353f81d0..a1549db03 100644 --- a/apparmor.d/profiles-s-z/whois +++ b/apparmor.d/profiles-s-z/whois @@ -21,7 +21,7 @@ profile whois @{exec_path} { /etc/whois.conf r, - include if exists + include if exists } # vim:syntax=apparmor From 2c1d235ef02b11750dd5cc812e24dfc188b173f7 Mon Sep 17 00:00:00 2001 
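Review bot: `owner @{HOME}/[^.]* wl,` lets every profile that includes `user-write-strict` overwrite, truncate or hard-link any non-hidden entry directly in the home directory, which makes the "strict" abstraction noticeably wider than the per-XDG-directory rules below it; the intent (files the user drops in the top of `~`, dotfiles excluded) is reasonable but nothing in the rule records it. Add a comment above the line stating that it covers non-hidden entries directly in @{HOME}, that dotfiles are excluded, and that subdirectory contents are not matched because `*` does not cross `/`. Whether the pattern also matches directory names (and so rename/rmdir of something like `~/bin`) depends on how the parser mediates directory paths; worth confirming and stating in that comment, on both the read-strict and write-strict sides.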
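Review bot: `network netlink raw,` in the new `whois` profile, a plain network client, is unusual enough to need a comment; glibc's getaddrinfo() opens a NETLINK_ROUTE socket to enumerate interfaces for address sorting, which is presumably the reason. Suggest `network netlink raw, # getaddrinfo() interface enumeration`. The four `inet`/`inet6` `dgram`/`stream` rules and `/etc/whois.conf r,` are what a DNS-resolving TCP client needs and look right.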
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:27:14 +0200 Subject: [PATCH 578/672] Hardening kioworker with reagrd to ps See #711 --- apparmor.d/groups/kde/kioworker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 1d091fd09..61e910c88 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -38,7 +38,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs rPUx, + @{bin}/gs rix, #aa:exec kio_http_cache_cleaner From cdb64e14bab522751c7cec2b51cdbdb1ebadf05e Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 16 Jul 2025 18:37:52 +0200 Subject: [PATCH 579/672] add texstudio --- apparmor.d/profiles-s-z/texstudio | 48 +++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 apparmor.d/profiles-s-z/texstudio diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio new file mode 100644 index 000000000..836a9a6ab --- /dev/null +++ b/apparmor.d/profiles-s-z/texstudio 
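Review bot: `@{bin}/gs rix,` runs Ghostscript, an interpreter that is fed untrusted PostScript/PDF whenever kioworker previews or thumbnails such files (for example from downloads), with kioworker's own permission set rather than a dedicated one, so a gs exploit inherits everything kioworker has; the profile body is outside the hunk, but the neighbouring `@{bin}/wrestool rPUx,` shows it can reach other tools. Compared with the previous `rPUx` this is safer when no `gs` profile is installed, because the fallback was unconfined, but if the repository ships a `gs` profile, `rPx` keeps the interpreter in its own narrower sandbox. Either way the line should carry a comment, e.g. `@{bin}/gs rix, # no dedicated gs profile; confined by kioworker (#711)`.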
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/texstudio
+profile texstudio @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/pdflatex ix,
+ @{bin}/pdftex ix,
+ @{bin}/kpsewhich ix,
+ @{bin}/gsettings ix,
+ @{bin}/which ix,
+
+ /usr/share/texmf-dist/{,**} r,
+ /usr/share/doc/texstudio/{,**} r,
+ /usr/share/hunspell/{,**} r,
+ /usr/share/texstudio/{,**} r,
+ /usr/share/poppler/{,**} r,
+
+ /etc/texmf/{,**} r,
+ /etc/machine-id r,
+
+ /var/lib/texmf/{,**} r,
+
+ owner @{user_config_dirs}/texstudio/{,**} rwlk,
+ owner /tmp/qtsingleapp-TeXstu-** rw,
+ owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk,
+
+ ## silencer
+ deny owner /usr/share/hunspell/en_US-large.ign w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From d120792297b4902b1bc4fb640833c2c619f77796 Mon Sep 17 00:00:00 2001
From: valoq
Date: Fri, 18 Jul 2025 11:27:21 +0200
Subject: [PATCH 580/672] fix ci
---
apparmor.d/profiles-s-z/texstudio | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio
index 836a9a6ab..4a42a8eff 100644
--- a/apparmor.d/profiles-s-z/texstudio
+++ b/apparmor.d/profiles-s-z/texstudio
@@ -15,14 +15,14 @@ profile texstudio @{exec_path} {
include
include
include
-
+
@{exec_path} mr,
@{bin}/pdflatex ix,
@{bin}/pdftex ix,
@{bin}/kpsewhich ix,
@{bin}/gsettings ix,
- @{bin}/which ix,
+ @{bin}/which{,.debianutils} ix,
/usr/share/texmf-dist/{,**} r,
/usr/share/doc/texstudio/{,**} r,
From 7b6f2353fdbf4f7fce1ef27c1e25d4aa9f3b6bb3 Mon Sep 17 00:00:00 2001
From: valoq
Date: Fri, 18 Jul 2025 11:29:42 +0200
Subject: [PATCH 581/672] remove white space
---
apparmor.d/profiles-s-z/texstudio | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
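Review bot: `owner /tmp/qtsingleapp-TeXstu-** rw,` and the `-lockfile` rule below it use a literal `/tmp` and a `**` glob, while the rest of this set writes `@{tmp}` (see `owner @{tmp}/tmp.@{rand10} rw,` later in this series) and `**` also matches across `/`, which is wider than a single temporary socket or lock name needs. `owner @{tmp}/qtsingleapp-TeXstu-* rw,` and `owner @{tmp}/qtsingleapp-TeXstu-*-lockfile rwk,` keep the rules to the qtsingleapp names and follow the tunable convention. `@{bin}/pdflatex ix,` and `@{bin}/pdftex ix,` run the TeX engines inside this profile, so whatever those engines spawn while compiling a document is confined only by the texstudio rules; a one-line comment recording that this is intended would help anyone later tightening the profile.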
diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio
index 4a42a8eff..52e9e53e6 100644
--- a/apparmor.d/profiles-s-z/texstudio
+++ b/apparmor.d/profiles-s-z/texstudio
@@ -41,7 +41,7 @@ profile texstudio @{exec_path} {
## silencer
deny owner /usr/share/hunspell/en_US-large.ign w,
-
+
include if exists
}
From 7a47914542ce3e45e85e759f1e38a9cdee244a00 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 12 Jul 2025 20:07:33 +0200
Subject: [PATCH 582/672] tests: add test file for whois.
---
tests/integration/whois.bats | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 tests/integration/whois.bats
diff --git a/tests/integration/whois.bats b/tests/integration/whois.bats
new file mode 100644
index 000000000..fd1cba5fa
--- /dev/null
+++ b/tests/integration/whois.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+@test "whois: Get information about a domain name" {
+ whois google.fr
+}
+
+@test "whois: Get information about an IP address" {
+ whois 8.8.8.8
+}
+
+@test "whois: Get abuse contact for an IP address" {
+ whois -b 8.8.8.8
+}
+
From 8020c2c63d0c578e147b8ee9230010dc4aca44a7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 12 Jul 2025 20:09:41 +0200
Subject: [PATCH 583/672] feat(profile): update pacman profiles.
---
apparmor.d/groups/pacman/makepkg | 5 +++--
apparmor.d/groups/pacman/paccache | 1 +
apparmor.d/groups/pacman/pacman | 2 +-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg
index 30650d80c..583d0b9c0 100644
--- a/apparmor.d/groups/pacman/makepkg
+++ b/apparmor.d/groups/pacman/makepkg
@@ -11,6 +11,7 @@ profile makepkg @{exec_path} {
include
include
include
+ include
include
include
include
@@ -72,8 +73,8 @@ profile makepkg @{exec_path} {
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists
}
diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache
index f537afdb3..8bf1aed6a 100644
--- a/apparmor.d/groups/pacman/paccache
+++ b/apparmor.d/groups/pacman/paccache
@@ -36,6 +36,7 @@ profile paccache @{exec_path} flags=(attach_disconnected) {
/etc/pacman.conf r,
/etc/pacman.d/{,**} r,
+ /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**,
/var/cache/pacman/pkg/{,*} rw,
/var/lib/pacman/{,**} r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index ff43e2196..01543d63f 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -187,7 +187,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
include if exists
}
- profile systemctl {
+ profile systemctl flags=(attach_disconnected) {
include
include
From 03b174a2d42c6d36e3f979a92e35f06f1f6b1f5c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 12 Jul 2025 20:11:18 +0200
Subject: [PATCH 584/672] feat(profile): simplify modprobe-nvidia.
---
apparmor.d/groups/children/child-modprobe-nvidia | 3 ---
1 file changed, 3 deletions(-)
diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia
index 9b331a8ce..61191fe9d 100644
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@@ -20,7 +20,6 @@ include
profile child-modprobe-nvidia flags=(attach_disconnected) {
include
include
- include
capability chown,
capability fsetid,
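Review bot: Dropping `owner` from `@{PROC}/@{pid}/fd/ r,` and `@{PROC}/@{pid}/task/@{tid}/comm rw,` widens both rules from makepkg's own processes to any pid the DAC layer lets it reach, including a write to another process's thread name, and the hunk gives no reason for the change. If the `owner` match was failing because the target /proc entries belong to a different uid (a non-dumpable or setuid child, for example), a trailing comment such as `@{PROC}/@{pid}/task/@{tid}/comm rw, # ouid differs: <reason from denial log>` would make that reviewable; otherwise the `owner` prefix should stay. The makepkg profile header is outside this hunk.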
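Review bot: `/etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**,` gives a package-cache cleaner write, lock and link access to the system package-signing keyring, which is the trust root for every package pacman installs. Nothing in the hunk says which operation needs more than read; if a gpg invocation inside paccache is the source, a transition to the dedicated gpg profile (`apparmor.d/groups/gpg/gpg` in this set) keeps keyring writes in a profile built for them, and if only reads were observed `/etc/pacman.d/gnupg/** r,` is enough. At minimum the rule deserves a comment naming the trigger. The paccache profile body continues outside the hunk.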
@@ -35,8 +34,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
@{sys}/bus/pci/devices/ r,
@{sys}/devices/@{pci}/config r,
- @{PROC}/sys/kernel/modprobe r,
- @{PROC}/devices r,
@{PROC}/driver/nvidia/capabilities/mig/config r,
@{PROC}/driver/nvidia/capabilities/mig/monitor r,
From 881402dc2166b735712e40134558568512059ee8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 12 Jul 2025 20:17:26 +0200
Subject: [PATCH 585/672] feat(profile): improve some systemd profiles.
---
apparmor.d/groups/systemd/systemd-coredump | 2 +-
apparmor.d/groups/systemd/systemd-machined | 22 ++++++++++++++++++-
.../systemd/systemd-tty-ask-password-agent | 3 ++-
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 52efea3db..2f6d81fdb 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -39,7 +39,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
/etc/systemd/coredump.conf r,
/etc/systemd/coredump.conf.d/{,**} r,
- owner @{HOME}/**.so r,
+ owner @{HOME}/**.so* r,
/var/lib/systemd/coredump/{,**} rwl,
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index b37f2300b..b9244ece6 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -10,6 +10,7 @@ include
profile systemd-machined @{exec_path} flags=(attach_disconnected) {
include
include
+ include
include
include
@@ -21,6 +22,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
capability kill,
capability mknod,
capability setgid,
+ capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
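Review bot: `capability setuid,` is added to systemd-machined without a comment, and capability grants are the lines a reviewer most needs a rationale for; next to the existing `sys_admin`, `sys_chroot` and `sys_ptrace` it lets the daemon change uid at will. If it is needed for a specific operation (uid-shift handling for container trees, for instance), record it inline in the form the denial log gave, `capability setuid, # <operation observed>`, so the grant can be re-checked when the profile is next revised. The profile header is outside this hunk.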
@@ -31,26 +33,44 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
network inet6 dgram,
network netlink raw,
+ signal send set=rtmin+6 peer=systemd-nspawn,
+
+ ptrace read peer=systemd-nspawn,
+
#aa:dbus own bus=system name=org.freedesktop.machine1
#aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
@{exec_path} mr,
- /var/lib/machines/{,**} rw,
/etc/machine-id r,
+ / r,
+ @{att}/ r,
+
+ owner /var/lib/machines/ rw,
+ owner /var/lib/machines/** rwk,
+
+ owner @{run}/systemd/nspawn/ w,
+ owner @{run}/systemd/nspawn/locks/ w,
+ owner @{run}/systemd/nspawn/locks/** rwk,
+
@{run}/systemd/machine/{,**} rw,
@{run}/systemd/machines/{,**} rw,
@{run}/systemd/notify w,
@{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/fdinfo/@{int} r,
+ @{PROC}/@{pid}/gid_map r,
+ @{PROC}/@{pid}/setgroups r,
+ @{PROC}/@{pid}/uid_map r,
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
/dev/ptmx rw,
/dev/pts/@{int} rw,
+ /dev/pts/ptmx rw,
include if exists
}
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
index 30d30b295..b318bf3dd 100644
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@@ -17,10 +17,11 @@ profile systemd-tty-ask-password-agent @{exec_path} {
capability net_admin,
capability sys_resource,
+ signal receive set=(term cont winch) peer=@{p_logrotate},
signal receive set=(term cont winch) peer=*//systemctl,
signal receive set=(term cont winch) peer=deb-systemd-invoke,
signal receive set=(term cont winch) peer=default,
- signal receive set=(term cont winch) peer=@{p_logrotate},
+ signal receive set=(term cont winch) peer=machinectl,
signal receive set=(term cont winch) peer=makepkg//sudo,
signal receive set=(term cont winch) peer=role_*,
signal receive set=(term cont winch) peer=rpm,
From c6030de00ae7566cd0267d2a10bfa6d00858a41a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 12 Jul 2025 20:49:34 +0200
Subject: [PATCH 586/672] build: add just command for local and dev install.
---
Justfile | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/Justfile b/Justfile
index 109cfed3b..7753ad2d1 100644
--- a/Justfile
+++ b/Justfile
@@ -95,7 +95,7 @@ fsp-complain: build
fsp-debug: build
@./{{build}}/prebuild --complain --full --debug
-[group('build')]
+[group('install')]
[doc('Install prebuild profiles')]
install:
#!/usr/bin/env bash
@@ -123,6 +123,35 @@ install:
install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
done
+[group('install')]
+[doc('Locally install prebuild profiles')]
+local +args:
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
+ mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n")
+ for file in "${abs[@]}"; do
+ install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file"
+ done;
+ mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n")
+ for file in "${tunables[@]}"; do
+ install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file"
+ done;
+ echo "Warning: profile dependencies fallback to unconfined."
+ for file in {{args}}; do
+ grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true
+ sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file"
+ install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
+ done;
+ systemctl restart apparmor || sudo journalctl -xeu apparmor.service
+
+[group('install')]
+[doc('Prebuild, install, and load a dev profile')]
+dev name:
+ go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}`
+ sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}}
+ sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
+
[group('packages')]
[doc('Build & install apparmor.d on Arch based systems')]
pkg:
From 72b136578dd1e5db2efa5b60790fcafd679dd72a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 18 Jul 2025 00:12:46 +0200
Subject: [PATCH 587/672] fix(profile): ensure wc is in pacman-hook-perl
fix #786
---
apparmor.d/groups/pacman/pacman-hook-perl | 1 +
1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl
index 07539ae95..aa2be8b09 100644
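Review bot: In the `local` recipe, `sed -i -e "s/rPx/rPUx/g"` rewrites only `rPx`; exec rules written as `Px` (the git profile in this series adds `@{lib}/code/extensions/git/dist/ssh-askpass.sh Px,`) keep a hard transition to a profile the local install never loads, so that exec is denied at runtime even though the warning line suggests every dependency fell back to unconfined. The preceding `grep -Ei 'rPx|rpx'` is redundant under `-i` and likewise does not list `Px`-only rules, so the operator is not shown them. Suggest `grep -E '\b(r?)Px\b' "{{build}}/apparmor.d/$file" || true` and `sed -i -E 's/\b(r?)Px\b/\1PUx/g' "{{build}}/apparmor.d/$file"`. In `dev`, the unquoted backtick substitution around `find apparmor.d -iname {{name}}` expands to several arguments when more than one path matches, so `"$(find apparmor.d -iname '{{name}}' -type f | head -n1)"` would make the `--file` argument deterministic. `local` restarts apparmor without `sudo` while `dev` uses it; one convention for both recipes would be clearer.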
--- a/apparmor.d/groups/pacman/pacman-hook-perl
+++ b/apparmor.d/groups/pacman/pacman-hook-perl
@@ -20,6 +20,7 @@ profile pacman-hook-perl @{exec_path} {
@{bin}/find rix,
@{bin}/pacman rPx,
@{bin}/sed rix,
+ @{bin}/wc rix,
/dev/tty rw,
/dev/tty@{int} rw,
From 38b165ff319da0177f2fc983921fd6c80bbe360e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 18 Jul 2025 00:13:50 +0200
Subject: [PATCH 588/672] feat(profile): minor apt improvement.
---
apparmor.d/groups/apt/apt | 1 +
apparmor.d/groups/apt/apt-methods-sqv | 1 +
apparmor.d/groups/apt/dpkg-scripts | 1 +
3 files changed, 3 insertions(+)
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 5be4284f9..9bdabb1c2 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -64,6 +64,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix,
@{bin}/{,e}grep rix,
+ @{bin}/cat rix,
@{bin}/echo rix,
@{bin}/gdbus rix,
@{bin}/id rix,
diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv
index 416328cd4..0dcd7da0d 100644
--- a/apparmor.d/groups/apt/apt-methods-sqv
+++ b/apparmor.d/groups/apt/apt-methods-sqv
@@ -18,6 +18,7 @@ profile apt-methods-sqv @{exec_path} {
capability setuid,
signal receive set=int peer=apt,
+ signal receive set=int peer=packagekitd,
@{exec_path} mr,
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
index d3994d0ec..44e4790c4 100644
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -65,6 +65,7 @@ profile dpkg-scripts @{exec_path} {
@{lib}/@{python_name}/**/__pycache__/ w,
@{lib}/@{python_name}/**/__pycache__/**.pyc w,
@{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w,
+ @{lib}/modules/*/.fresh-install w,
/etc/ r,
/etc/** rw,
From d9d762aaaa939e29048ea75715a71f6f96f675af Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 18 Jul 2025 00:16:29 +0200
Subject: [PATCH 589/672] fix(profile): systemd-coredump: also allow sbin
---
apparmor.d/groups/systemd/systemd-coredump | 1 +
1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 2f6d81fdb..2bd25ec16 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -33,6 +33,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
@{lib}/** r,
/ r,
@{bin}/* r,
+ @{sbin}/* r,
/opt/** r,
@{user_lib_dirs}/** r,
From 2f1022dc8de00f29472a0fe1c5c8ed8bd7ed8c78 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 18 Jul 2025 00:19:29 +0200
Subject: [PATCH 590/672] feat(profile): general minor update to profiles.
---
apparmor.d/profiles-a-f/alacarte | 7 ++++++-
apparmor.d/profiles-a-f/birdtray | 2 +-
apparmor.d/profiles-a-f/code-extension-git-askpass | 4 ++--
apparmor.d/profiles-a-f/dkms | 1 +
apparmor.d/profiles-g-l/git | 3 ++-
apparmor.d/profiles-m-r/needrestart-restart | 1 +
apparmor.d/profiles-m-r/pass | 2 +-
apparmor.d/profiles-s-z/wechat | 2 +-
apparmor.d/profiles-s-z/wechat-appimage | 3 ++-
apparmor.d/profiles-s-z/wechat-universal | 4 ++--
10 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte
index eed67619d..700c6d517 100644
--- a/apparmor.d/profiles-a-f/alacarte
+++ b/apparmor.d/profiles-a-f/alacarte
@@ -7,7 +7,7 @@ abi ,
include
@{exec_path} = @{bin}/alacarte
-profile alacarte @{exec_path} {
+profile alacarte @{exec_path} flags=(attach_disconnected) {
include
include
include
@@ -30,6 +30,11 @@ profile alacarte @{exec_path} {
owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
+
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray
index c63a8de7c..771560c6b 100644
--- a/apparmor.d/profiles-a-f/birdtray
+++ b/apparmor.d/profiles-a-f/birdtray
@@ -40,7 +40,7 @@ profile birdtray @{exec_path} {
owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r,
owner @{user_config_dirs}/ulduzsoft/ rw,
- owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
+ owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*,
owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int},
owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int},
diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass
index 5a31889b9..674432b2e 100644
--- a/apparmor.d/profiles-a-f/code-extension-git-askpass
+++ b/apparmor.d/profiles-a-f/code-extension-git-askpass
@@ -6,7 +6,7 @@ abi ,
include
-@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh
+@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh
profile code-extension-git-askpass @{exec_path} {
include
@@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} {
/usr/share/terminfo/** r,
- owner @{tmp}/tmp.* rw,
+ owner @{tmp}/tmp.@{rand10} rw,
/dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 5a0885143..7c594c900 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dk

ms
@@ -32,6 +32,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/g++ rix,
@{bin}/gcc rix,
@{bin}/getconf rix,
+ @{bin}/hostname rix,
@{bin}/kill rix,
@{bin}/kmod rCx -> kmod,
@{bin}/ld rix,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 457e79d2a..a0ea6393e 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -133,7 +133,8 @@ profile git @{exec_path} flags=(attach_disconnected) {
@{bin}/ssh mr,
@{bin}/ksshaskpass ix,
-
+ @{lib}/code/extensions/git/dist/ssh-askpass.sh Px,
+
@{etc_ro}/ssh/ssh_config.d/{,*} r,
@{etc_ro}/ssh/ssh_config r,
diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart
index b9e648602..964ff1a74 100644
--- a/apparmor.d/profiles-m-r/needrestart-restart
+++ b/apparmor.d/profiles-m-r/needrestart-restart
@@ -13,6 +13,7 @@ profile needrestart-restart @{exec_path} {
@{exec_path} mr,
@{bin}/systemctl Cx -> systemctl,
+ @{sh_path} r,
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 096f0316a..7e432a838 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -40,7 +40,7 @@ profile pass @{exec_path} {
@{bin}/tr ix,
@{bin}/tree ix,
@{bin}/tty ix,
- @{bin}/which{,.debianutils} ix,
+ @{bin}/which{,.debianutils} rix,
@{bin}/git Cx -> git,
@{bin}/gpg{2,} Cx -> gpg,
diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat
index b7ad3a2e8..cb554fc6b 100644
--- a/apparmor.d/profiles-s-z/wechat
+++ b/apparmor.d/profiles-s-z/wechat
@@ -14,9 +14,9 @@ include
@{exec_path} = @{lib_dirs}/wechat
profile wechat @{exec_path} flags=(attach_disconnected) {
include
- include
include
include
+ include
include
network netlink raw,
diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage
index 55155f2b8..9f8c20338 100644
--- a/apparmor.d/profiles-s-z/wechat-appimage
+++ b/apparmor.d/profiles-s-z/wechat-appimage
@@ -14,10 +14,11 @@ include
@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat
profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
include
- include
include
include
+ include
include
+ include
network netlink raw,
network netlink dgram,
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal
index 21e1eee10..cd8958e8e 100644
--- a/apparmor.d/profiles-s-z/wechat-universal
+++ b/apparmor.d/profiles-s-z/wechat-universal
@@ -14,10 +14,10 @@ include
@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat
profile wechat-universal @{exec_path} flags=(attach_disconnected) {
include
- include
include
- include
include
+ include
+ include
include
network netlink raw,
From f183ae709f4ffeea0443145cfcaf45d34d1dac62 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 18 Jul 2025 00:23:37 +0200
Subject: [PATCH 591/672] chore: fix linter issue.
---
apparmor.d/profiles-g-l/git | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index a0ea6393e..c9373c7ae 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -134,7 +134,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
@{bin}/ssh mr,
@{bin}/ksshaskpass ix,
@{lib}/code/extensions/git/dist/ssh-askpass.sh Px,
-
+
@{etc_ro}/ssh/ssh_config.d/{,*} r,
@{etc_ro}/ssh/ssh_config r,
From 033354314f0e98b9f9e00ce240a634b42d731b9c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 19 Jul 2025 17:54:02 +0200
Subject: [PATCH 592/672] doc: minor documentation update.
---
docs/configuration.md | 2 +-
docs/development/roadmap.md | 8 ++++----
docs/development/vm.md | 31 +++++++++++++++++++++++--------
docs/full-system-policy.md | 10 ++++++++++
4 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/docs/configuration.md b/docs/configuration.md index fd8a5d38c..5e1c7992f 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -41,7 +41,7 @@ You can extend any profile with your own rules by creating a file in the `/etc/a **Example** -By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: 1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: ```sh diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 75cbcdd10..b42467e3d 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -22,13 +22,13 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [ ] The apt/dpkg profiles needs to be reworked + - [x] The apt/dpkg profiles needs to be reworked - [ ] Build system - [ ] Continuous release on the main branch, ~2 releases per week - [ ] Provide packages repo for ubuntu/debian - [ ] Provide complain/enforced packages version - - [ ] Add a `just` target to install the profiles in the right place + - [x] Add a `just` target to install the profiles in the right place - [ ] Fully drop the Makefile in favor of `just` ## Next features 
@@ -41,9 +41,9 @@ This is the current list of features that must be implemented to get to a stable - [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone. - [ ] Add a prompt listener to handle the user data access. -- [ ] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** +- [x] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - - [ ] Remove the `default` profile + - [x] Remove the `default` profile ## Done diff --git a/docs/development/vm.md b/docs/development/vm.md index 66630022e..1edddba76 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md 
@@ -14,22 +14,42 @@ $ just ``` Available recipes: help # Show this help message + clean # Remove all build artifacts + + [build] build # Build the go programs enforce # Prebuild the profiles in enforced mode complain # Prebuild the profiles in complain mode fsp # Prebuild the profiles in FSP mode - install # Install the profiles + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) + + [install] + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile + + [packages] pkg # Build & install apparmor.d on Arch based systems dpkg # Build & install apparmor.d on Debian based systems rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container + + [tests] tests # Run the unit tests + init dist flavor # Install dependencies for the bats integration tests + integration dist flavor # Run the integration tests on the machine + + [linter] lint # Run the linters check # Run style checks on the profiles + + [docs] man # Generate the man pages docs # Build the documentation serve # Serve the documentation - clean # Remove all build artifacts - package dist # Build the package in a clean OCI container + + [vm] img dist flavor # Build the VM image create dist flavor # Create the machine up dist flavor # Start a machine @@ -40,13 +60,8 @@ Available recipes: list # List the machines images # List the VM images available # List the VM images that can be created - init dist flavor # Install dependencies for the bats integration tests - integration dist flavor # Run the integration tests on the machine - get_ip dist flavor - get_osinfo dist See https://apparmor.pujol.io/development/ for more information. - ``` ## Requirements diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 016ed8ada..b523a1c38 100644 --- a/docs/full-system-policy.md 
+++ b/docs/full-system-policy.md @@ -137,6 +137,16 @@ To work as intended, userland services started by `systemd --user` **should** ha @{lib}/foo rPx -> systemd//&foo, ``` +### Role Based Access Control (RBAC) + +In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are: + +- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files. + +- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory. + +- **`system`**: This role is used for any user that has system access. It has access to the system files and directories, but not to the user home directory. + ### Fallback In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. The fallback profiles consist of a set generic specialized profiles: From ee328ecea8e2b7f071ee25380cb28dd62ca50c98 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 19 Jul 2025 17:58:06 +0200 Subject: [PATCH 593/672] fix(profile): ensure gpg has access to pacman public keyring. #788 --- apparmor.d/groups/gpg/gpg | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 7ebb9e3a4..6a01796ff 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg 
@@ -29,6 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, From bba6f253adda95e072e9b92095f2913738d2abcf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 13:22:29 +0200 Subject: [PATCH 594/672] doc: add link to the last talk. --- README.md | 4 ++++ docs/overview.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index ddb1e79b3..c1c7726c5 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ## Installation Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) diff --git a/docs/overview.md b/docs/overview.md index fb6712a14..20a5a454f 100644 --- a/docs/overview.md +++ b/docs/overview.md 
@@ -43,6 +43,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ### Chat A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org From cf76e2e71411238a48de625334fc8092fc5f9492 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 13:35:53 +0200 Subject: [PATCH 595/672] build(arch): sync pkgbuild with the with aur version. --- PKGBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index b48e55153..dfbb46735 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -8,9 +8,9 @@ pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') -url="https://github.com/roddhjav/$pkgname" +url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') -depends=('apparmor') +depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') conflicts=("$pkgname-git") From 101248b37e235d9176918fc99b23fe370b773ffb Mon Sep 17 00:00:00 2001 
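Review bot: `depends=('apparmor>=4.1.0' 'apparmor<5.0.0')` pins a major-version ceiling without recording why, so the next packager cannot tell whether `<5.0.0` is a tested-compatibility limit or a conservative guess. A comment above the line would carry that, e.g. `# keep in step with the apparmor parser/abi the profiles are built and tested against`, with the reason (presumably the 4.x abi) confirmed by the maintainer. The `url=` change to the literal repository name is fine on its own, but `conflicts=("$pkgname-git")` two lines below still derives the name from `$pkgname`, so the two styles now coexist in one block; pick one.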
From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:06:58 +0200 Subject: [PATCH 596/672] feat(profile): minor profile update. --- apparmor.d/abstractions/bus/org.freedesktop.systemd1 | 5 +++++ apparmor.d/groups/freedesktop/wireplumber | 2 +- apparmor.d/groups/gnome/gnome-session-check | 5 +++++ apparmor.d/groups/network/dhcpcd | 2 ++ apparmor.d/groups/snap/snapd | 1 + apparmor.d/groups/ssh/sshd | 1 + .../groups/systemd-generators/systemd-generator-import | 4 ++-- apparmor.d/groups/ubuntu/apport | 6 ++++-- apparmor.d/groups/ubuntu/package-system-locked | 2 +- apparmor.d/groups/utils/who | 2 ++ apparmor.d/groups/virt/libvirtd | 1 + 11 files changed, 25 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 46297b484..341cf58ce 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -11,6 +11,11 @@ member={GetUnit,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=ListUnitsByPatterns + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,StartUnit,StartTransientUnit} diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 0925bad91..debf19f25 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -52,7 +52,7 @@ profile wireplumber @{exec_path} { owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, - /dev/shm/lttng-ust-wait-@{int} r, + /dev/shm/lttng-ust-wait-@{int} rw, owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, 
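Review bot: `/dev/shm/lttng-ust-wait-@{int} rw,` widens the unqualified rule from read to write while the two rules directly below it keep the `owner` qualifier for the same file family, so wireplumber may now write any user's lttng-ust wait file under /dev/shm. If the write genuinely has to reach a file owned by another uid, a trailing comment saying so would justify the exception; otherwise `owner /dev/shm/lttng-ust-wait-@{int} rw,` keeps the block consistent. The enclosing profile block starts and ends outside this hunk.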
diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check index 2a0b4965f..44755aef2 100644 --- a/apparmor.d/groups/gnome/gnome-session-check +++ b/apparmor.d/groups/gnome/gnome-session-check @@ -10,12 +10,17 @@ include profile gnome-session-check @{exec_path} { include include + include @{exec_path} mr, @{lib}/gnome-session-check-accelerated-gl-helper ix, @{lib}/gnome-session-check-accelerated-gles-helper ix, + /usr/share/gnome-session/hardware-compatibility r, + + @{PROC}/cmdline r, + include if exists } diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 7f47b9975..51cf215f9 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -40,6 +40,8 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, + /usr/share/dhcpcd/{,**} r, + /etc/dhcpcd.conf r, /etc/resolv.conf rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 1add6c1c4..5f0885693 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -110,6 +110,7 @@ profile snapd @{exec_path} { /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, + /etc/polkit-1/rules.d/{,**/} r, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 2494dc2c2..63f2c1370 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -32,6 +32,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, capability fowner, + capability fsetid, capability kill, capability net_bind_service, capability setgid, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import index 36ff4e5ff..de3753aaf 100644 
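Review bot: `capability fsetid,` is added to the sshd profile with no comment, under a commit titled "minor profile update", so the operation that requires this network-facing daemon to preserve set-user-ID/set-group-ID bits on files it modifies is not recorded anywhere. Every capability in this list is one the daemon keeps under confinement, so each should name its trigger; a trailing comment such as `capability fsetid, # TODO: record the operation that triggered the denial` would do, or a `deny capability fsetid,` if the logged denial was harmless noise. The profile block continues outside the hunk on both sides.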
--- a/apparmor.d/groups/systemd-generators/systemd-generator-import +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import @@ -16,13 +16,13 @@ profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - / r, - /dev/kmsg w, include if exists diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 8219ef185..9f3fd2999 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -28,8 +28,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, + @{bin}/dpkg rPx -> &child-dpkg, + @{bin}/dpkg-divert rPx -> &child-dpkg-divert, @{bin}/gdbus rix, @{bin}/md5sum rix, @@ -37,6 +37,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,**} r, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 7398fc404..8cf3ed885 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - mqueue r type=posix /, + mqueue (read,getattr) type=posix /, ptrace (read), diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index 3da07f89d..fd49b2bec 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -18,6 +18,8 @@ profile who @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/* r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, 
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index a0d636883..c90e80af9 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -86,6 +86,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), + unix (send, receive) type=stream addr=none peer=(label=virt-manager), # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, From f364ab5e48296838ce76e2d6368435caf5a6ea5e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:13:40 +0200 Subject: [PATCH 597/672] feat(profile): firefox: improve crashreporter. --- apparmor.d/groups/browsers/firefox-crashhelper | 2 +- apparmor.d/groups/browsers/firefox-crashreporter | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 55443a330..55af7c2e2 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/crashhelper -profile firefox-crashhelper @{exec_path} { +profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 1c418eef4..8feccaa93 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter 
@@ -28,22 +28,23 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{bin}/curl rix, @{bin}/mv rix, @{lib_dirs}/minidump-analyzer rPx, - @{bin}/mv rix, - owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw, owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r, + owner @{config_dirs}/firefox/*.*/prefs.js r, + owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, + owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -54,10 +55,14 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, + /dev/nvidia@{int} r, + /dev/nvidiactl r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, From cba7355142b9bc0a20adae21f129a47e100baa92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:14:30 +0200 Subject: [PATCH 598/672] feat(abs): update nvidia GLCache. --- apparmor.d/abstractions/nvidia-strict | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6fe815773..c3aa8e805 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict 
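Review bot: `owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r,` is the only rule in this block that anchors on a `Profile*` directory; every other line, including the new `prefs.js` and `storage-sync-v2.sqlite-shm` rules, uses `*.*` for the profile directory. If `Profile*` names are a real profile layout the neighbouring rules miss it too; if they are not, the line should read `owner @{config_dirs}/firefox/*.*/*.sqlite-shm r,` so the pattern stays consistent, which would also subsume the new `storage-sync-v2.sqlite-shm` rule. Unrelated to this change, the context line `minidumps//@{uuid}.{dmp,extra}` carries a doubled slash that looks accidental. The profile block continues outside the hunk on both sides.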
@@ -18,6 +18,8 @@ owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + + @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw, owner @{user_cache_dirs}/nvidia/ w, owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, From e490a11c1a2ecfadd2cbc0759d77f4706bc2ee61 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:25:41 +0200 Subject: [PATCH 599/672] feat(profile): add hwclock. --- apparmor.d/groups/utils/hwclock | 30 ++++++++++++++++++++++++++++ tests/integration/utils/hwclock.bats | 6 +++--- tests/requirements.sh | 3 ++- 3 files changed, 35 insertions(+), 4 deletions(-) create mode 100644 apparmor.d/groups/utils/hwclock diff --git a/apparmor.d/groups/utils/hwclock b/apparmor.d/groups/utils/hwclock new file mode 100644 index 000000000..d1433a605 --- /dev/null +++ b/apparmor.d/groups/utils/hwclock @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/hwclock +profile hwclock @{exec_path} { + include + include + + capability audit_write, + capability sys_time, + + network netlink raw, + + @{exec_path} mr, + + /etc/adjtime rw, + + @{sys}/devices/pnp@{int}/*/rtc/rtc@{int}/{,*} r, + + /dev/rtc@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats index 88c981c31..4a1bc0f83 100644 --- a/tests/integration/utils/hwclock.bats +++ b/tests/integration/utils/hwclock.bats 
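Review bot: `@{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw,` is the only GLCache rule without the `owner` qualifier, and it is inserted above `owner @{user_cache_dirs}/nvidia/ w,` rather than next to the other GLCache rules. The existing `owner @{user_cache_dirs}/nvidia/GLCache/** rwk,` already matches that directory for owner-matched access, so if this line was added to satisfy a logged denial, the denial was most likely a non-owner one and deserves a comment explaining why another uid's cache directory must be writable. Otherwise `owner @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw,`, placed after the `GLCache/ rw,` line, keeps the abstraction consistent.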
@@ -6,14 +6,14 @@ load ../common @test "hwclock: Display the current time as reported by the hardware clock" { - hwclock + sudo hwclock } @test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - hwclock --systohc + sudo hwclock --systohc } @test "hwclock: Write the current hardware clock time to the software clock" { - hwclock --hctosys + sudo hwclock --hctosys } diff --git a/tests/requirements.sh b/tests/requirements.sh index 52d7cb36b..085ad8c7c 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -21,7 +21,8 @@ debian | ubuntu | whonix) sudo apt update -y sudo apt install -y \ bats bats-support \ - cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak + cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak \ + util-linux-extra ;; opensuse*) ;; From d4d4f3ae4b4ad994ea633dbebd4b879f8a69621a Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 27 Jul 2025 17:13:11 +0200 Subject: [PATCH 600/672] add xournalpp --- apparmor.d/profiles-s-z/xournalpp | 44 +++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-s-z/xournalpp diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp new file mode 100644 index 000000000..7d74ce7da --- /dev/null +++ b/apparmor.d/profiles-s-z/xournalpp 
@@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xournalpp +profile xournalpp @{exec_path} { + include + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + /usr/share/xournalpp/** r, + + /etc/machine-id r, + /etc/pipewire/jack.conf.d/ r, + + owner @{user_config_dirs}/xournalpp/** rw, + owner @{user_cache_dirs}/xournalpp/** rw, + + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{rand4} rw, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists +} + +# vim:syntax=apparmor From fc421183a024cb3abb4c3343ed7a1954f53e4511 Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 29 Jul 2025 14:19:17 +0200 Subject: [PATCH 601/672] xournalpp improvements --- apparmor.d/profiles-s-z/xournalpp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 7d74ce7da..6442fe8b9 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -8,11 +8,10 @@ include @{exec_path} = @{bin}/xournalpp profile xournalpp @{exec_path} { - include include + include include include - include include include include 
@@ -20,16 +19,15 @@ profile xournalpp @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-browsers, + /usr/share/xournalpp/** r, /etc/machine-id r, /etc/pipewire/jack.conf.d/ r, - owner @{user_config_dirs}/xournalpp/** rw, - owner @{user_cache_dirs}/xournalpp/** rw, - - /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + owner @{user_config_dirs}/xournalpp/{,**} rw, + owner @{user_cache_dirs}/xournalpp/{,**} rw, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @@ -38,6 +36,9 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{rand4} rw, + include if exists } From 9e4db4373e89361b65c2009245b3242087eb830d Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 31 Jul 2025 09:22:28 -0600 Subject: [PATCH 602/672] Add support for MD RAID devices to the disk-read/write abstractions (#796) --- apparmor.d/abstractions/disks-read | 6 ++++++ apparmor.d/abstractions/disks-write | 3 +++ 2 files changed, 9 insertions(+) diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index e1bf31298..872b0c552 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -81,6 +81,11 @@ # CD-ROM /dev/sr@{int} rk, + # MD RAID devices + /dev/md@{int} rk, + @{sys}/devices/virtual/block/md@{int}/ r, + @{sys}/devices/virtual/block/md@{int}/** r, + # Lookup block device by major:minor numbers # See: https://apparmor.pujol.io/development/internal/#udev-rules @@ -91,6 +96,7 @@ @{run}/udev/data/b2:@{int} r, # for /dev/fd* @{run}/udev/data/b7:@{int} r, # for /dev/loop* @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b9:@{int} r, # for /dev/md* @{run}/udev/data/b11:@{int} r, # for /dev/sr* @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* 
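Review bot: `/dev/snd/pcmC@{rand4} rw,` spells the ALSA PCM device node with a random-token variable; the kernel names these nodes `pcmC<card>D<device>{c,p}`, so `/dev/snd/pcmC@{int}D@{int}{c,p} rw,` states what is actually being matched and stops the rule from covering arbitrary four-character names in /dev/snd. The `controlC@{int} w,` line right above it already follows that style. The profile block starts outside this hunk.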
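Review bot: `/dev/md@{int} rk,` covers whole MD arrays only; partitioned arrays expose their partitions as `/dev/md@{int}p@{int}`, so tools reading those nodes would still be denied. If that layout is meant to be covered, `/dev/md@{int}{,p@{int}} rk,` is the minimal extension, and the same applies to the `/dev/md@{int} w,` line added to disks-write in this commit. The two sysfs lines could also be folded into `@{sys}/devices/virtual/block/md@{int}/{,**} r,` to match the `{,**}` idiom used elsewhere in this series (e.g. the dhcpcd and xournalpp hunks).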
diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index ce0a05dd5..a52518042 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -41,6 +41,9 @@ # CD-ROM /dev/sr@{int} w, + # MD RAID devices + /dev/md@{int} w, + include if exists # vim:syntax=apparmor From 8b280b5ef02803eaaf1aeb82173170f0dfe861fd Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 31 Jul 2025 09:00:05 -0600 Subject: [PATCH 603/672] Allow sbctl to parse DMI data This path is hard coded in "dmi/dmi.go" --- apparmor.d/profiles-s-z/sbctl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 9dbbf0933..ef007a32c 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -26,6 +26,8 @@ profile sbctl @{exec_path} { @{lib}/fwupd/efi/{,**} rw, @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/firmware/efi/efivars/PK-@{uuid} rw, From ed06dac70239aa8f4eca700ae79c87fe9aa6ef49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:45:44 +0200 Subject: [PATCH 604/672] feat(profile): add lsipc --- apparmor.d/groups/utils/lsipc | 33 ++++++++++++++++++++++++++++++ tests/integration/utils/lsipc.bats | 16 +++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/groups/utils/lsipc create mode 100644 tests/integration/utils/lsipc.bats diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc new file mode 100644 index 000000000..12c8d333c --- /dev/null +++ b/apparmor.d/groups/utils/lsipc 
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsipc +profile lsipc @{exec_path} { + include + include + + @{exec_path} mr, + + @{PROC}/sys/fs/mqueue/msg_max r, + @{PROC}/sys/fs/mqueue/msgsize_max r, + @{PROC}/sys/fs/mqueue/queues_max r, + @{PROC}/sys/kernel/msgmax r, + @{PROC}/sys/kernel/msgmnb r, + @{PROC}/sys/kernel/msgmni r, + @{PROC}/sys/kernel/sem r, + @{PROC}/sys/kernel/shmall r, + @{PROC}/sys/kernel/shmmax r, + @{PROC}/sys/kernel/shmmni r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsipc.bats b/tests/integration/utils/lsipc.bats new file mode 100644 index 000000000..a18126982 --- /dev/null +++ b/tests/integration/utils/lsipc.bats @@ -0,0 +1,16 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsipc: Show information about all active IPC facilities" { + lsipc +} + +@test "lsipc: Show information about active shared memory segments, message queues or sempahore sets" { + lsipc --shmems + lsipc --queues + lsipc --semaphores +} From f516e1140a200f13506be2f8720640ef45f1f9cc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:46:22 +0200 Subject: [PATCH 605/672] feat(profile): add lsfd --- apparmor.d/groups/utils/lsfd | 59 +++++++++++++++++++++++++++++++ tests/integration/utils/lsfd.bats | 19 ++++++++++ 2 files changed, 78 insertions(+) create mode 100644 apparmor.d/groups/utils/lsfd create mode 100644 tests/integration/utils/lsfd.bats diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd new file mode 100644 index 000000000..6b30f63a9 --- /dev/null +++ b/apparmor.d/groups/utils/lsfd 
@@ -0,0 +1,59 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsfd +profile lsfd @{exec_path} flags=(attach_disconnected) { + include + include + + capability checkpoint_restore, + capability dac_read_search, + capability sys_admin, + capability sys_ptrace, + capability sys_resource, + capability syslog, + + network netlink dgram, + network netlink raw, + + ptrace read, + ptrace trace, + + mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int}, + + @{exec_path} mr, + + / r, + @{att}/ r, + + owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw, + + @{run}/ r, + @{run}/netns/ r, + + @{sys}/kernel/cpu_byteorder r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, + owner @{PROC}/@{pid}/syscall r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats new file mode 100644 index 000000000..bf0c4de0c --- /dev/null +++ b/tests/integration/utils/lsfd.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsfd: List all open file descriptors" { + lsfd +} + +@test "lsfd: List all files kept open by a specific program" { + sudo lsfd --filter 'PID == 1' +} + +@test "lsfd: List open IPv4 or IPv6 sockets" { + sudo lsfd -i4 + sudo lsfd -i6 +} From 926a6fdcb9047ff8e8c1d9e7b1b309ee09fee1a8 Mon Sep 17 00:00:00 2001 
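Review bot: The new lsfd profile grants `capability sys_admin`, `capability checkpoint_restore`, `capability syslog` and `ptrace trace` with no comment tying any of them to an operation the tool performs, so a later reader cannot tell which are required by runs such as `lsfd --filter 'PID == 1'` and which were copied from an audit log. `sys_admin` in particular is the broadest grant available under confinement; each such line should carry a trailing comment naming its trigger, e.g. `capability sys_admin, # TODO: record the syscall that needs it`, or be dropped if enforcement runs of the integration tests never hit it. The probe rule `mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int},` and the matching `owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw,` would also benefit from a one-line comment saying the tool creates a throwaway queue, so the unusual path is self-explanatory.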
From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:55:36 +0200 Subject: [PATCH 606/672] feat(profile): add lslocks --- apparmor.d/groups/utils/lslocks | 33 ++++++++++++++++++++++++++++ tests/integration/utils/lslocks.bats | 22 +++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 apparmor.d/groups/utils/lslocks create mode 100644 tests/integration/utils/lslocks.bats diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks new file mode 100644 index 000000000..5fbcdbc8f --- /dev/null +++ b/apparmor.d/groups/utils/lslocks @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslocks +profile lslocks @{exec_path} flags=(attach_disconnected) { + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/locks r, + owner @{PROC}/@{pid}/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lslocks.bats b/tests/integration/utils/lslocks.bats new file mode 100644 index 000000000..042834cae --- /dev/null +++ b/tests/integration/utils/lslocks.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslocks: List all local system locks" { + sudo lslocks +} + +@test "lslocks: List locks producing a raw output (no columns), and without column headers" { + sudo lslocks --raw --noheadings +} + +@test "lslocks: List locks by PID input" { + sudo lslocks --pid "$(sudo lslocks --raw --noheadings --output PID | head -1)" +} + +@test "lslocks: List locks with JSON output to stdout" { + lslocks --json +} 
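Review bot: `owner @{PROC}/@{pid}/ r,` is fully subsumed by the unqualified `@{PROC}/@{pid}/ r,` a few lines above it, so one of the two is dead; since lslocks must list locks held by other users' processes (the test file runs it under `sudo`), the unqualified rule is the one that matters and the `owner` line can be removed. `owner @{PROC}/@{pid}/mountinfo r,` is fine as the default: if reading other processes' mountinfo is ever required it will surface as a denial and can be widened deliberately. A trailing comment on `ptrace read,` noting that it, together with `capability sys_ptrace`, is what the cross-process `/proc` reads need would spare the next reader the lookup.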
From 8b03cff0cfc824a0c1ecd0f8df1b8c715bb2f969 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:58:57 +0200 Subject: [PATCH 607/672] feat(profile): add lslogins. --- apparmor.d/groups/utils/lslogins | 33 +++++++++++++++++++++++++++ tests/integration/utils/lslogins.bats | 27 ++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 apparmor.d/groups/utils/lslogins create mode 100644 tests/integration/utils/lslogins.bats diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins new file mode 100644 index 000000000..7393b47c0 --- /dev/null +++ b/apparmor.d/groups/utils/lslogins @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslogins +profile lslogins @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/.pwd.lock w, + /etc/.pwd.lock wk, + /etc/login.defs r, + /etc/shadow r, + + /var/log/lastlog r, + /var/log/wtmp rk, + + @{run}/systemd/userdb/ r, + + @{PROC}/ r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lslogins.bats b/tests/integration/utils/lslogins.bats new file mode 100644 index 000000000..aa2df69b4 --- /dev/null +++ b/tests/integration/utils/lslogins.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslogins: Display users in the system" { + lslogins + sudo lslogins +} + +@test "lslogins: Display user accounts" { + lslogins --user-accs +} + +@test "lslogins: Display last logins" { + lslogins --last +} + +@test "lslogins: Display system accounts" { + lslogins --system-accs +} + +@test "lslogins: Display supplementary groups" { + lslogins --supp-groups +} 
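Review bot: `/etc/.pwd.lock w,` immediately followed by `/etc/.pwd.lock wk,` is redundant, since `wk` already includes `w`; keep only `/etc/.pwd.lock wk,`. `/etc/shadow r,` is the sensitive grant in this profile and is presumably needed for the password-status output when run as root (the test runs `sudo lslogins`), but a trailing comment such as `/etc/shadow r, # password status, effective as root only` would record that intent next to the rule.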
From 4f265c6d58a21c8dc98f2f65403d189cc24dddbe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 15:04:37 +0200 Subject: [PATCH 608/672] feat(profile): add lsns. --- apparmor.d/groups/utils/lsns | 42 +++++++++++++++++++++++++++++++ tests/integration/utils/lsns.bats | 31 +++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 apparmor.d/groups/utils/lsns create mode 100644 tests/integration/utils/lsns.bats diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns new file mode 100644 index 000000000..3d4d42efc --- /dev/null +++ b/apparmor.d/groups/utils/lsns @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsns +profile lsns @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + capability sys_ptrace, + capability dac_read_search, + + network, + + ptrace read, + ptrace trace, + + @{exec_path} mr, + + @{att}/ r, + + @{run}/*/netns/** r, + @{run}/*/ns/** r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsns.bats b/tests/integration/utils/lsns.bats new file mode 100644 index 000000000..c7e6563e2 --- /dev/null +++ b/tests/integration/utils/lsns.bats 
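Review bot: `network,` with no family or type grants lsns every socket family the kernel offers, far more than a namespace lister needs; the lsfd profile earlier in this series restricts itself to `network netlink raw,` and that is most likely what the netns-id lookup here uses too, so confirm from the denial and narrow it. The capability list `net_admin, sys_ptrace, dac_read_search` is also out of the alphabetical order the other profiles in this series keep (compare the sshd hunk), as is `@{PROC}/@{pid}/stat r,` placed before `@{PROC}/@{pid}/cmdline r,`. `capability net_admin,` deserves a trailing comment naming the netlink request it is needed for.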
@@ -0,0 +1,31 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsns: List all namespaces" { + lsns + sudo lsns +} + +@test "lsns: List namespaces in JSON format" { + sudo lsns --json +} + +@test "lsns: List namespaces associated with the specified process" { + sudo lsns --task 1 +} + +@test "lsns: List the specified type of namespaces only" { + sudo lsns --type mnt + sudo lsns --type net + sudo lsns --type ipc + sudo lsns --type user + sudo lsns --type pid + sudo lsns --type uts + sudo lsns --type cgroup + sudo lsns --type time +} + From fd0092d431103e5be29ac9060e1400204d57ece3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 16:34:49 +0200 Subject: [PATCH 609/672] fix(profile): fix issues raised in tests. --- apparmor.d/groups/utils/lslocks | 2 ++ apparmor.d/groups/utils/lsns | 2 ++ apparmor.d/profiles-m-r/initramfs-hooks | 2 ++ apparmor.d/profiles-m-r/initramfs-scripts | 1 + apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/mkinitramfs | 2 ++ 6 files changed, 10 insertions(+) diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks index 5fbcdbc8f..44d2e1d01 100644 --- a/apparmor.d/groups/utils/lslocks +++ b/apparmor.d/groups/utils/lslocks @@ -17,6 +17,8 @@ profile lslocks @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sys}/devices/**/block/** r, + @{PROC}/ r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns index 3d4d42efc..7fbf56896 100644 --- a/apparmor.d/groups/utils/lsns +++ b/apparmor.d/groups/utils/lsns @@ -28,6 +28,8 @@ profile lsns @{exec_path} flags=(attach_disconnected) { @{run}/*/netns/** r, @{run}/*/ns/** r, + @{sys}/devices/**/block/** r, + @{PROC}/ r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/stat r, 
diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 5896df049..15f8f66d6 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** profile initramfs-hooks @{exec_path} { include + include include @{exec_path} mr, @@ -70,6 +71,7 @@ profile initramfs-hooks @{exec_path} { profile ldd { include + include include @{bin}/ldd mr, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 485520ca0..4d38ab9c1 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** profile initramfs-scripts @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index c922942ec..489068ec8 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/mdadm/mkconf profile mdadm-mkconf @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index f37029627..e67bb55fe 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -88,6 +88,7 @@ profile mkinitramfs @{exec_path} { owner /boot/initrd.img-*.new rw, /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, /var/tmp/modules_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6}/ rw, 
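Review bot: `/var/tmp/mkinitramfs_@{rand6}/** w,` is the only rule in this group without `owner`, while the adjacent `owner /var/tmp/mkinitramfs_@{rand6} rw,` and `owner /var/tmp/mkinitramfs_@{rand6}/ rw,` qualify the same tree; the new line lets mkinitramfs write into a same-named directory pre-created by any other user in the world-writable /var/tmp. Unless the denial came from files owned by another uid, in which case a comment should say so, it should read `owner /var/tmp/mkinitramfs_@{rand6}/** w,` and sit with the other `owner` lines. The enclosing profile block continues outside the hunk.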
@@ -98,6 +99,7 @@ profile mkinitramfs @{exec_path} {
 owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
 owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
 owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w,
 owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
 owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,

From c09b5d85a46b391ad8ee9768f43839cb9a1c584a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 21 Jul 2025 00:21:49 +0200
Subject: [PATCH 610/672] feat(profile): update systemd profiles.

---
 Justfile | 71 +++++++++++++------
 apparmor.d/groups/systemd/bootctl | 7 +-
 apparmor.d/groups/systemd/busctl | 7 ++
 apparmor.d/groups/systemd/journalctl | 3 +
 apparmor.d/groups/systemd/networkctl | 3 +
 apparmor.d/groups/systemd/systemd-localed | 4 +-
 apparmor.d/groups/systemd/systemd-machined | 3 +
 apparmor.d/groups/systemd/systemd-networkd | 4 ++
 .../groups/systemd/systemd-nsresourcework | 2 +
 apparmor.d/groups/systemd/systemd-userwork | 1 +
 apparmor.d/groups/systemd/userdbctl | 3 +-
 11 files changed, 80 insertions(+), 28 deletions(-)

diff --git a/Justfile b/Justfile
index 7753ad2d1..f9ce13c36 100644
--- a/Justfile
+++ b/Justfile
@@ -2,18 +2,8 @@
 # Copyright (C) 2025 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Usage:
-# just
-# just img ubuntu24 server
-# just vm ubuntu24 server
-# just up ubuntu24 server
-# just ssh ubuntu24 server
-# just halt ubuntu24 server
-# just destroy ubuntu24 server
-# just list
-# just images
-# just available
-# just clean
+# Usage: `just`
+# See https://apparmor.pujol.io/development/ for more information.
 # Build setings
 destdir := "/"
@@ -125,7 +115,7 @@ install:
 [group('install')]
 [doc('Locally install prebuild profiles')]
-local +args:
+local +names:
 #!/usr/bin/env bash
 set -eu -o pipefail
 install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
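Review bot: The added `owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w,` is already granted by the context line directly above it, `owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> …`, since `rwl` includes `w` on the same path, so the new rule is a no-op. If the denial that motivated it was on a different path (the directory itself, or a link target outside the tree), the rule should name that path; otherwise drop the line. The profile continues outside the hunk.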
@@ -138,7 +128,7 @@ local +args:
 install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file"
 done;
 echo "Warning: profile dependencies fallback to unconfined."
- for file in {{args}}; do
+ for file in {{names}}; do
 grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true
 sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file"
 install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
@@ -336,15 +326,52 @@ available:
 [group('tests')]
-[doc('Run the integration tests on the machine')]
-integration dist flavor:
- @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \
 cp -rf /home/user/Projects/apparmor.d/tests/integration/ /home/user/Projects
- @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \
 sudo umount /home/user/Projects/apparmor.d
- @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \
 @bats --recursive --timing --print-output-on-failure Projects/integration/
+[doc('Install dependencies for the integration tests')]
+init:
+ @bash tests/requirements.sh
+[group('tests')]
+[doc('Run the integration tests')]
+integration:
+ bats --recursive --pretty --timing --print-output-on-failure tests/integration
+
+[group('tests')]
+[doc('Install dependencies for the integration tests (machine)')]
+tests-init dist flavor:
+ @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
+
+[group('tests')]
+[doc('Synchronize the integration tests (machine)')]
+tests-sync dist flavor:
+ @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
+
+[group('tests')]
+[doc('Re-synchronize the integration tests (machine)')]
+tests-resync dist flavor: (tests-mount dist flavor) \
+ (tests-sync dist flavor) \
+ (tests-umount dist flavor)
+
+[group('tests')]
+[doc('Unmout the integration tests (machine)')]
+tests-umount dist flavor:
+ @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+ sudo umount /home/{{username}}/Projects/apparmor.d
+
+[group('tests')]
+[doc('Run the integration tests (machine)')]
+tests-run dist flavor name="":
+ ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+ TERM=xterm \
+ bats --recursive --pretty --timing --print-output-on-failure \
+ /home/{{username}}/Projects/tests/integration/{{name}}
+
+[group('tests')]
+[doc('Mount integration tests (machine)')]
+tests-mount dist flavor:
+ @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+ sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4
 [private]
 get_ip dist flavor:
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index f7d001c70..47e8737fe 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -13,6 +13,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ capability linux_immutable,
 capability mknod,
 capability net_admin,
 capability sys_resource,
@@ -47,8 +48,8 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sys}/firmware/dmi/entries/*/raw r,
 @{sys}/firmware/efi/efivars/ r,
 @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
- @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
- @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
+ @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw,
 @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
@@ -59,7 +60,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
- @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+ @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw,
 @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
 @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl
index c31b28836..04ed76e72 100644
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
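Review bot: `capability linux_immutable,` together with the `r` → `rw` upgrades on `Boot@{hex}-@{uuid}`, `BootOrder-@{uuid}` and `OsIndications-@{uuid}` lets bootctl rewrite the firmware boot order and request a reboot into firmware setup, but the profile does not record why the capability is needed. It is presumably because efivarfs marks variables immutable and clearing that flag before a write requires CAP_LINUX_IMMUTABLE; a comment on the capability line such as `# efivarfs variables are immutable by default; cleared before writing Boot*/BootOrder/OsIndications` would stop a later cleanup from removing it. `Boot@{hex}` also matches a hex suffix of any length rather than the four-digit `Boot0000`…`BootFFFF` names; if a four-digit hex tunable exists it would be the tighter choice. The profile continues outside these hunks.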
@@ -48,6 +48,13 @@ profile busctl @{exec_path} flags=(attach_disconnected) {
 member={GetConnectionCredentials,ListNames,ListActivatableNames}
 peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+ dbus send bus=system
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect,
+ dbus send bus=system
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,Get},
+
 @{exec_path} mr,
 @{pager_path} rPx -> child-pager,
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index ef62e37cd..c852b3756 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -30,6 +30,9 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
 @{pager_path} rPx -> child-pager,
+ @{bin}/* r,
+ @{sbin}/* r,
+
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
index 5b4b3e6b5..0fd89c199 100644
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@@ -11,6 +11,7 @@ include
 profile networkctl @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 capability net_admin,
 capability sys_module,
@@ -52,6 +53,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
 @{att}/@{run}/systemd/netif/io.systemd.Network rw,
+ @{run}/systemd/netif/links/ r,
 @{run}/systemd/netif/leases/@{int} r,
 @{run}/systemd/netif/links/@{int} r,
 @{run}/systemd/netif/state r,
@@ -63,6 +65,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
 @{PROC}/1/cgroup r,
 @{PROC}/cmdline r,
+ @{PROC}/sys/fs/nr_open r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/kernel/random/boot_id r,
 owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 104a141ce..c15eaf5b2 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
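Review bot: The two new `dbus send bus=system` rules have no `peer=` constraint, while the existing rule in the context lines pins `peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}")`, so busctl may now Introspect and call Properties.Get/GetAll on every service and object path on the system bus. For `busctl introspect`/`get-property` the target service is a user argument, so an open peer is the intended behaviour, but the profile should say so to prevent a later tightening that breaks the tool; e.g. prefix the rules with `# busctl introspects arbitrary services: no peer restriction by design`. The profile continues outside the hunk.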
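Review bot: `@{bin}/* r,` and `@{sbin}/* r,` in the journalctl hunk grant read access to every executable on the system; the only visible motivation is the `journalctl /usr/bin/bootctl` case in the new tests, where journalctl resolves an executable path into an `_EXE=` match. If the logged denial was a stat/open of the single path passed on the command line, read on all of `@{bin}` is broader than needed, and the rule deserves a comment such as `# journalctl <path> resolves the executable given on the command line` so the scope is deliberate rather than accidental. The profile continues outside the hunk.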
@@ -33,8 +33,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 /etc/default/locale rw,
 /etc/locale.conf rw,
 /etc/vconsole.conf rw,
- /etc/X11/xorg.conf.d/ r,
- /etc/X11/xorg.conf.d/.#*.confd* rw,
+ /etc/X11/xorg.conf.d/ rw,
+ /etc/X11/xorg.conf.d/.#*.conf@{hex} rw,
 /etc/X11/xorg.conf.d/*.conf rw,
 @{att}/@{run}/systemd/notify rw,
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index b9244ece6..520080082 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -37,6 +37,8 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
 ptrace read peer=systemd-nspawn,
+ unix type=stream addr=@@{udbus}/bus/systemd-machine/system,
+
 #aa:dbus own bus=system name=org.freedesktop.machine1
 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
@@ -71,6 +73,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
 /dev/ptmx rw,
 /dev/pts/@{int} rw,
 /dev/pts/ptmx rw,
+ /dev/vsock r,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index df1e74048..5105c69b8 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -60,9 +60,13 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 @{att}/@{run}/systemd/notify rw,
 @{run}/mount/utab r,
+ @{run}/systemd/resolve/resolv.conf r,
 owner @{att}/var/lib/systemd/network/ r,
+ owner /var/lib/systemd/network/ rw,
+ owner /var/lib/systemd/network/** rwk,
+
 @{run}/systemd/network/ r,
 @{run}/systemd/network/*.network r,
 owner @{run}/systemd/netif/** rw,
diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework
index 734717c44..5b8d53398 100644
--- a/apparmor.d/groups/systemd/systemd-nsresourcework
+++ b/apparmor.d/groups/systemd/systemd-nsresourcework
@@ -16,6 +16,8 @@ profile systemd-nsresourcework @{exec_path} {
 @{exec_path} mr,
+ @{run}/systemd/nsresource/registry/ r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork
index 29641fd74..2521c655e 100644
--- a/apparmor.d/groups/systemd/systemd-userwork
+++ b/apparmor.d/groups/systemd/systemd-userwork
@@ -18,6 +18,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /etc/gshadow r,
 /etc/machine-id r,
 /etc/shadow r,
diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl
index 97625db38..fa7c13297 100644
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{bin}/userdbctl
-profile userdbctl @{exec_path} {
+profile userdbctl @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -29,6 +29,7 @@ profile userdbctl @{exec_path} {
 @{PROC}/1/cgroup r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/gid_map r,
+ owner @{PROC}/@{pid}/setgroups r,
 owner @{PROC}/@{pid}/uid_map r,
 include if exists
From a731badeff2b0723aad5b5dba309a2cc2018ca35 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 21 Jul 2025 00:24:15 +0200
Subject: [PATCH 611/672] feat(profile): improvement raised by unit tests.

---
 apparmor.d/groups/ubuntu/apport | 10 +++++++
 apparmor.d/groups/utils/fstrim | 2 ++
 apparmor.d/groups/utils/uuidd | 6 +++-
 apparmor.d/groups/utils/zramctl | 4 ++-
 apparmor.d/profiles-g-l/kdump-config | 15 +++++++---
 apparmor.d/profiles-g-l/kernel-postinst-kdump | 28 +++++++++++++++++--
 apparmor.d/profiles-m-r/initramfs-hooks | 5 ++--
 apparmor.d/profiles-m-r/mdadm-mkconf | 1 +
 apparmor.d/profiles-m-r/mkinitramfs | 24 ++++++++--------
 apparmor.d/profiles-m-r/needrestart | 1 +
 apparmor.d/profiles-s-z/tlp | 3 ++
 11 files changed, 77 insertions(+), 22 deletions(-)
diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport
index 9f3fd2999..fbc433c05 100644
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@@ -49,7 +49,17 @@ profile apport @{exec_path} flags=(attach_disconnected) {
 owner /var/cache/apt/pkgcache.bin.@{rand6} rw,
 owner /var/log/apport.log rw,
+ /{run,var}/log/journal/ r,
+ /{run,var}/log/journal/@{hex32}/ r,
+ /{run,var}/log/journal/@{hex32}/system.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
+
 @{run}/apport.lock rwk,
+ @{run}/log/journal/ r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/environ r,
diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim
index a6ada04d5..250794671 100644
--- a/apparmor.d/groups/utils/fstrim
+++ b/apparmor.d/groups/utils/fstrim
@@ -26,6 +26,8 @@ profile fstrim @{exec_path} flags=(attach_disconnected) {
 /boot/efi/ r,
 /var/ r,
+ @{PROC}/@{pid}/mountinfo r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd
index 787914537..52f52b4a2 100644
--- a/apparmor.d/groups/utils/uuidd
+++ b/apparmor.d/groups/utils/uuidd
@@ -11,6 +11,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability dac_override,
+
 network inet dgram,
 @{exec_path} mr,
@@ -18,9 +20,11 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/libuuid/clock.txt rwk,
 owner /var/lib/libuuid/clock-cont.txt rwk,
- @{run}/uuidd/request rw,
 @{att}/@{run}/uuidd/request rw,
+ @{run}/uuidd/request rw,
+ @{run}/uuidd/uuidd.pid rwk,
+
 include if exists
 }
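Review bot: `@{PROC}/@{pid}/mountinfo r,` in the fstrim hunk is missing the `owner` qualifier that the rest of this patch uses for per-process proc files (`owner @{PROC}/@{pid}/cgroup r,` in userdbctl, `owner @{PROC}/@{pid}/fd/ r,` in mkinitramfs); fstrim only needs its own mount table, so `owner @{PROC}/@{pid}/mountinfo r,` keeps it from reading another process's mount-namespace view. Minor, but it is the convention the surrounding profiles follow.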
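Review bot: `capability dac_override,` is a large grant for a daemon whose file rules are limited to `/var/lib/libuuid/clock*.txt`, `@{run}/uuidd/request` and the new `@{run}/uuidd/uuidd.pid`: it lets uuidd bypass DAC permission checks on any file the profile otherwise allows. If the denial that triggered it concerned the pid file or `@{run}/uuidd/`, the root cause is more likely a wrong owner or mode on that directory (service RuntimeDirectory or tmpfiles) than something the profile should paper over. Please record the triggering denial in a comment next to the capability, or drop it and fix the directory ownership instead. The profile continues outside these hunks.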
diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl
index 91697be73..a5fa2eb75 100644
--- a/apparmor.d/groups/utils/zramctl
+++ b/apparmor.d/groups/utils/zramctl
@@ -13,8 +13,10 @@ profile zramctl @{exec_path} {
 @{exec_path} mr,
+ @{sys}/devices/virtual/block/zram{int}/disksize w,
+ @{sys}/devices/virtual/block/zram{int}/reset w,
 @{sys}/devices/virtual/block/zram@{int}/ r,
- @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r,
+ @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw,
 @{sys}/devices/virtual/block/zram@{int}/disksize r,
 @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r,
 @{sys}/devices/virtual/block/zram@{int}/mm_stat r,
diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config
index f8b75f742..b6f915024 100644
--- a/apparmor.d/profiles-g-l/kdump-config
+++ b/apparmor.d/profiles-g-l/kdump-config
@@ -17,6 +17,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{sh_path} rix,
+ @{bin}/{,e}grep ix,
 @{bin}/basename ix,
 @{bin}/cat ix,
 @{bin}/cmp ix,
@@ -25,13 +26,13 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
 @{bin}/file ix,
 @{bin}/find ix,
 @{bin}/flock ix,
- @{bin}/{,e}grep ix,
 @{bin}/hexdump ix,
 @{bin}/ln ix,
 @{bin}/logger ix,
 @{bin}/plymouth Px,
 @{bin}/readlink ix,
 @{bin}/rev ix,
+ @{bin}/rm ix,
 @{bin}/run-parts ix,
 @{bin}/sed ix,
 @{bin}/systemctl Cx -> systemctl,
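Review bot: The two added zramctl lines use `zram{int}` instead of `zram@{int}`: without the `@`, `{int}` is a plain brace alternation whose only member is the literal `int`, so the rules match `/sys/devices/virtual/block/zramint/disksize` and never a real device, and `zramctl` is still denied writing `disksize`/`reset` on `zram0`. Change them to `@{sys}/devices/virtual/block/zram@{int}/disksize w,` and `@{sys}/devices/virtual/block/zram@{int}/reset w,`, matching the context lines below; with that fix, `disksize w` plus the existing `disksize r` could be folded into one `rw` rule. The profile continues outside the hunk.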
@@ -48,9 +49,15 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
 / r,
 @{efi}/ r,
- /var/crash/kdump_lock wk,
- /var/crash/kexec_cmd w,
- owner /var/lib/kdump/{,**} rw,
+ /var/crash/kdump_lock wk,
+ /var/crash/kexec_cmd w,
+ /var/lib/kdump/{,**} rw,
+
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
 @{sys}/firmware/efi/efivars/ r,
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump
index e1358ec29..4790c5cb7 100644
--- a/apparmor.d/profiles-g-l/kernel-postinst-kdump
+++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump
@@ -12,15 +12,32 @@ profile kernel-postinst-kdump @{exec_path} {
 @{exec_path} mr,
+ @{sh_path} r,
+ @{bin}/{,e}grep rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/cp rix,
 @{bin}/du rix,
 @{bin}/find rix,
- @{bin}/{m,g,}awk rix,
+ @{bin}/kmod rCx -> kmod,
+ @{bin}/ischroot rPx,
+ @{bin}/linux-version rPx,
+ @{bin}/mkdir rix,
+ @{bin}/mktemp rix,
 @{bin}/mv rix,
 @{bin}/rm rix,
 @{bin}/sync rix,
+ @{bin}/cut rix,
 @{sbin}/mkinitramfs rPx,
- owner /var/lib/kdump/* w,
+ / r,
+
+ /etc/initramfs-tools/conf.d/{,**} r,
+ /etc/initramfs-tools/initramfs.conf r,
+
+ owner /var/lib/kdump/** rw,
+
+ owner /tmp/tmp.@{rand10}/ rw,
+ owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,
 owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
 owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
@@ -28,6 +45,13 @@ profile kernel-postinst-kdump @{exec_path} {
 owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
 owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+ profile kmod {
+ include
+ include
+
+ include if exists
+ }
+
 include if exists
 }
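Review bot: The rewritten `/var/lib/kdump/{,**} rw,` in the kdump-config hunk drops the `owner` qualifier the replaced `owner /var/lib/kdump/{,**} rw,` had, and nothing says which denial required it. kdump-config runs as root, so `owner` still matched every root-owned file there; losing it only matters for files under /var/lib/kdump owned by another uid, which is exactly the case that should be justified. Keep `owner` unless the denial shows such a file, or add a comment naming the reason; note that the kernel-postinst-kdump hunk in the same patch keeps `owner /var/lib/kdump/** rw,`. The profile continues outside the hunk.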
diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks
index 15f8f66d6..14a83ffbb 100644
--- a/apparmor.d/profiles-m-r/initramfs-hooks
+++ b/apparmor.d/profiles-m-r/initramfs-hooks
@@ -16,14 +16,15 @@ profile initramfs-hooks @{exec_path} {
 @{sh_path} rix,
 @{coreutils_path} rix,
+ @{bin}/fc-cache ix,
 @{bin}/ischroot Px,
 @{bin}/ldd Cx -> ldd,
 @{bin}/plymouth Px,
- @{sbin}/update-alternatives Px,
- @{sbin}/blkid Px,
+ @{bin}/update-alternatives Px,
 @{lib}/dracut/dracut-install Px,
 @{lib}/initramfs-tools/bin/busybox ix,
 @{lib}/klibc/bin/fstype ix,
+ @{sbin}/blkid Px,
 /usr/share/mdadm/mkconf Px,
 @{bin}/* mr,
diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf
index 489068ec8..120138905 100644
--- a/apparmor.d/profiles-m-r/mdadm-mkconf
+++ b/apparmor.d/profiles-m-r/mdadm-mkconf
@@ -25,6 +25,7 @@ profile mdadm-mkconf @{exec_path} {
 / r,
 /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,
+ /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index e67bb55fe..df76eb4ad 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -47,13 +47,16 @@ profile mkinitramfs @{exec_path} {
 @{bin}/rmdir rix,
 @{bin}/sed rix,
 @{bin}/sort rix,
+ @{bin}/stat rix,
 @{bin}/touch rix,
 @{bin}/tr rix,
 @{bin}/tsort rix,
+ @{bin}/uname rix,
 @{bin}/uniq rix,
 @{bin}/xargs rix,
 @{bin}/xz rix,
 @{bin}/zstd rix,
+ @{sbin}/blkid rPx,
 @{lib}/dracut/dracut-install rix,
 @{bin}/find rCx -> find,
@@ -87,6 +90,9 @@ profile mkinitramfs @{exec_path} {
 owner /boot/config-* r,
 owner /boot/initrd.img-*.new rw,
+ owner /var/lib/kdump/initramfs-tools/** rw,
+ owner /var/lib/kdump/initrd.* rw,
+
 /var/tmp/ r,
 /var/tmp/mkinitramfs_@{rand6}/** w,
 /var/tmp/modules_@{rand6} rw,
@@ -102,13 +108,17 @@ profile mkinitramfs @{exec_path} {
 owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w,
 owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
 owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,
+ @{sys}/bus/ r,
+ @{sys}/bus/*/drivers/ r,
 @{sys}/devices/platform/ r,
 @{sys}/devices/platform/**/ r,
 @{sys}/devices/platform/**/modalias r,
 @{sys}/module/compression r,
 @{sys}/module/firmware_class/parameters/path r,
+ @{PROC}/@{pid}/mounts r,
 @{PROC}/cmdline r,
 @{PROC}/modules r,
 owner @{PROC}/@{pid}/fd/ r,
@@ -143,18 +153,8 @@ profile mkinitramfs @{exec_path} {
 @{sh_path} rix,
 @{sbin}/ldconfig.real rix,
- owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r,
- owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r,
-
- owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r,
- owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r,
- owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw,
- owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw,
-
- owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw,
-
- owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw,
- owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index f9e2c6ebc..ceac5436b 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -23,6 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 @{sh_path} rix,
 @{bin}/dpkg-query rpx,
 @{bin}/fail2ban-server rPx,
+ @{bin}/stty rix,
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/systemd-detect-virt rPx,
 @{bin}/udevadm rCx -> udevadm,
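Review bot: In the `@@ -143,18 +153,8 @@` hunk the ldconfig child profile (its `profile … {` header is outside the hunk, inferred from `@{sbin}/ldconfig.real rix`) replaces ten path-specific rules (ld.so.conf, the lib directories, ld.so.cache, aux-cache) with `owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> …` and its /tmp twin, so ldconfig may now write and link anything in the staging tree, including the init scripts and hooks that are packed into the initramfs. If the motivation was the second staging root under `/tmp/tmp.@{rand10}/`, duplicating the original narrow set for that root, or factoring both roots into one variable, keeps the confinement the old rules gave. At minimum add a comment stating why the child needs the whole tree.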
diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp
index 3eb0800f9..0dccf1a23 100644
--- a/apparmor.d/profiles-s-z/tlp
+++ b/apparmor.d/profiles-s-z/tlp
@@ -71,6 +71,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+platform:* r,
 @{sys}/bus/pci/devices/ r,
+ @{sys}/bus/pci/drivers/*/ r,
+ @{sys}/bus/platform/devices/ r,
 @{sys}/class/drm/ r,
 @{sys}/class/net/ r,
 @{sys}/class/power_supply/ r,
@@ -80,6 +82,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/@{pci}/class r,
 @{sys}/devices/**/net/**/uevent r,
 @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
 @{sys}/devices/virtual/dmi/id/product_version r,
 @{sys}/devices/virtual/net/**/uevent r,
 @{sys}/firmware/acpi/platform_profile* rw,
From 0c2385fef902c6838a69a83953b70bd5b5beaf64 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 21 Jul 2025 00:25:28 +0200
Subject: [PATCH 612/672] tests: update tests dependencies.

---
 tests/requirements.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tests/requirements.sh b/tests/requirements.sh
index 085ad8c7c..efc357ad4 100644
--- a/tests/requirements.sh
+++ b/tests/requirements.sh
@@ -16,13 +16,16 @@ DISTRIBUTION="$(_lsb_release)"
 case "$DISTRIBUTION" in
 arch)
+ sudo pacman -Syu --noconfirm \
+ bats bats-support \
+ pacman-contrib tlp flatpak networkmanager
 ;;
 debian | ubuntu | whonix)
 sudo apt update -y
 sudo apt install -y \
 bats bats-support \
- cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak \
- util-linux-extra
+ cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \
+ network-manager systemd-container flatpak util-linux-extra
 ;;
 opensuse*)
 ;;
From d579b330117b5e11d42b11a87f9e342e1b0b609a Mon Sep 17 00:00:00 2001
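Review bot: In the `debian | ubuntu | whonix)` branch of tests/requirements.sh, `systemd-container` appears twice on the new `apt install` lines (`… systemd-homed systemd-container tlp \` and `network-manager systemd-container flatpak …`); apt tolerates the duplicate but it reads like a merge slip, so drop one occurrence. Separately, the new `arch)` branch runs `pacman -Syu --noconfirm` while installing test dependencies; that is the Arch-sanctioned way to avoid partial upgrades, but it means the machine's package set changes on every `just init`, which deserves a one-line comment so nobody later replaces it with a bare `-S`.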
From: Alexandre Pujol
Date: Mon, 21 Jul 2025 00:32:27 +0200
Subject: [PATCH 613/672] tests: add a few integration tests.

---
 tests/integration/apt/apt.bats | 18 +++++++++--
 tests/integration/apt/dpkg-query.bats | 27 ++++++++++++++++
 tests/integration/apt/dpkg-reconfigure.bats | 12 ++++++++
 tests/integration/pacman/paccache.bats | 22 +++++++++++++
 tests/integration/pacman/pacman-key.bats | 34 +++++++++++++++++++++
 tests/integration/pacman/pacman.bats | 34 +++++++++++++++++++++
 tests/integration/procps/sysctl.bats | 4 +--
 tests/integration/procps/uptime.bats | 18 +++++++++++
 tests/integration/systemd/bootctl.bats | 22 +++++++++++++
 tests/integration/systemd/busctl.bats | 27 ++++++++++++++++
 tests/integration/systemd/homectl.bats | 2 +-
 tests/integration/systemd/journalctl.bats | 30 ++++++++++++++++++
 tests/integration/systemd/localectl.bats | 23 ++++++++++++++
 tests/integration/systemd/machinectl.bats | 26 ++++++++++++++++
 tests/integration/systemd/networkctl.bats | 18 +++++++++++
 tests/integration/utils/fstrim.bats | 14 +++++++++
 16 files changed, 325 insertions(+), 6 deletions(-)
 create mode 100644 tests/integration/apt/dpkg-query.bats
 create mode 100644 tests/integration/apt/dpkg-reconfigure.bats
 create mode 100644 tests/integration/pacman/paccache.bats
 create mode 100644 tests/integration/pacman/pacman-key.bats
 create mode 100644 tests/integration/pacman/pacman.bats
 create mode 100644 tests/integration/procps/uptime.bats
 create mode 100644 tests/integration/systemd/bootctl.bats
 create mode 100644 tests/integration/systemd/busctl.bats
 create mode 100644 tests/integration/systemd/journalctl.bats
 create mode 100644 tests/integration/systemd/localectl.bats
 create mode 100644 tests/integration/systemd/machinectl.bats
 create mode 100644 tests/integration/systemd/networkctl.bats
 create mode 100644 tests/integration/utils/fstrim.bats

diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats
index a436f6e9f..4be0edd8d 100644
--- a/tests/integration/apt/apt.bats
+++ b/tests/integration/apt/apt.bats
@@ -25,14 +25,26 @@ setup_file() {
 sudo apt install -y pass
 }
-@test "apt: Remove a package (using 'purge' instead also removes its configuration files)" {
- sudo apt remove -y pass
+@test "apt: Remove a package and its configuration files" {
+ sudo apt purge -y pass
 }
 @test "apt: Upgrade all installed packages to their newest available versions" {
 sudo apt upgrade -y
 }
+@test "apt: Upgrade installed packages, but remove obsolete packages and install additional packages to meet new dependencies" {
+ sudo apt dist-upgrade -y
+}
+
+@test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" {
+ sudo apt autoclean
+}
+
+@test "apt: Remove all packages that are no longer needed" {
+ sudo apt autoremove
+}
+
 @test "apt: List all packages" {
 apt list
 }
@@ -41,6 +53,6 @@ setup_file() {
 apt list --installed
 }
-@test "apt-moo: Print a cow easter egg" {
+@test "apt: Print a cow easter egg" {
 apt moo
 }
diff --git a/tests/integration/apt/dpkg-query.bats b/tests/integration/apt/dpkg-query.bats
new file mode 100644
index 000000000..39259e0a0
--- /dev/null
+++ b/tests/integration/apt/dpkg-query.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "dpkg-query: List all installed packages" {
+ dpkg-query --list
+}
+
+@test "dpkg-query: List installed packages matching a pattern" {
+ dpkg-query --list 'libc6*'
+}
+
+@test "dpkg-query: List all files installed by a package" {
+ dpkg-query --listfiles libc6
+}
+
+@test "dpkg-query: Show information about a package" {
+ dpkg-query --status libc6
+}
+
+@test "dpkg-query: Search for packages that own files matching a pattern" {
+ dpkg-query --search /etc/ld.so.conf.d
+}
+
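Review bot: `sudo apt autoremove` is the only mutating apt call in apt.bats without `-y`; the neighbouring `apt purge -y`, `apt upgrade -y` and `apt dist-upgrade -y` all pass it. When autoremove finds something to remove, which is likely right after `dist-upgrade`, apt asks `Do you want to continue? [Y/n]` and, with no terminal on stdin under bats, may abort and fail the test for a reason unrelated to the profile under test. Change it to `sudo apt autoremove -y`; `apt autoclean` needs no flag.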
diff --git a/tests/integration/apt/dpkg-reconfigure.bats b/tests/integration/apt/dpkg-reconfigure.bats
new file mode 100644
index 000000000..f6aec98ea
--- /dev/null
+++ b/tests/integration/apt/dpkg-reconfigure.bats
@@ -0,0 +1,12 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "dpkg-reconfigure: Reconfigure one or more packages" {
+ sudo apt install -y pass
+ sudo dpkg-reconfigure pass
+}
+
diff --git a/tests/integration/pacman/paccache.bats b/tests/integration/pacman/paccache.bats
new file mode 100644
index 000000000..b2e1369e2
--- /dev/null
+++ b/tests/integration/pacman/paccache.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "paccache: Perform a dry-run and show the number of candidate packages for deletion" {
+ sudo paccache -d
+}
+
+@test "paccache: Move candidate packages to a directory instead of deleting them" {
+ sudo paccache -m "$USER_BUILD_DIRS"
+}
+
+@test "paccache: Remove all but the 3 most recent package versions from the `pacman` cache" {
+ sudo paccache -r
+}
+
+@test "paccache: Set the number of package versions to keep" {
+ sudo paccache -rk 3
+}
diff --git a/tests/integration/pacman/pacman-key.bats b/tests/integration/pacman/pacman-key.bats
new file mode 100644
index 000000000..82e34a379
--- /dev/null
+++ b/tests/integration/pacman/pacman-key.bats
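Review bot: The name of the third paccache test wraps `pacman` in backticks inside a double-quoted string, so when bash evaluates the `@test` line the backticks are a command substitution: `pacman` runs with no arguments and its usage output is spliced into the test name. The sysctl.bats hunk later in this patch fixes the same pattern by switching to single quotes; do the same here: `@test "paccache: Remove all but the 3 most recent package versions from the 'pacman' cache" {`. Also `$USER_BUILD_DIRS` in the `-m` test is not defined in this file; if `../common` does not export it, `paccache -m ""` fails.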
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pacman-key: Initialize the 'pacman' keyring" {
+ sudo pacman-key --init
+}
+
+@test "pacman-key: Add the default Arch Linux keys" {
+ sudo pacman-key --populate
+}
+
+@test "pacman-key: List keys from the public keyring" {
+ pacman-key --list-keys
+}
+
+@test "pacman-key: Receive a key from a key server" {
+ sudo pacman-key --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
+}
+
+@test "pacman-key: Print the fingerprint of a specific key" {
+ pacman-key --finger 06A26D531D56C42D66805049C5469996F0DF68EC
+}
+
+@test "pacman-key: Sign an imported key locally" {
+ sudo pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC
+}
+
+@test "pacman-key: Remove a specific key" {
+ sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC
+}
diff --git a/tests/integration/pacman/pacman.bats b/tests/integration/pacman/pacman.bats
new file mode 100644
index 000000000..575a65bc1
--- /dev/null
+++ b/tests/integration/pacman/pacman.bats
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pacman: Synchronize and update all packages" {
+ sudo pacman -Syu --noconfirm
+}
+
+@test "pacman: Install a new package" {
+ sudo pacman -S --noconfirm pass pass-otp
+}
+
+@test "pacman: Remove a package and its dependencies" {
+ sudo pacman -Rs --noconfirm pass-otp
+}
+
+@test "pacman: List installed packages and versions" {
+ pacman -Q
+}
+
+@test "pacman: List only the explicitly installed packages and versions" {
+ pacman -Qe
+}
+
+@test "pacman: List orphan packages (installed as dependencies but not actually required by any package)" {
+ pacman -Qtdq
+}
+
+@test "pacman: Empty the entire 'pacman' cache" {
+ sudo pacman -Scc --noconfirm
+}
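Review bot: `pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC` marks a key fetched from a keyserver as locally trusted, which is the trust decision that makes pacman accept packages and databases signed by it; that state persists on the test machine unless the final `--delete` test succeeds, so an interrupted run or a failing delete leaves the key trusted. Add a `teardown_file()` running `sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC || true`, keep the fingerprint in one variable instead of four copies, and say in a comment whose key it is so a reader can see it was chosen deliberately.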
diff --git a/tests/integration/procps/sysctl.bats b/tests/integration/procps/sysctl.bats
index 2f284070a..66720c434 100644
--- a/tests/integration/procps/sysctl.bats
+++ b/tests/integration/procps/sysctl.bats
@@ -21,6 +21,6 @@ load ../common
 sysctl fs.file-max
 }
-@test "sysctl: Apply changes from `/etc/sysctl.conf`" {
- sysctl -p
+@test "sysctl: Apply changes from '/etc/sysctl.conf'" {
+ sudo sysctl -p
 }
diff --git a/tests/integration/procps/uptime.bats b/tests/integration/procps/uptime.bats
new file mode 100644
index 000000000..7d9361d5a
--- /dev/null
+++ b/tests/integration/procps/uptime.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "uptime: Print current time, uptime, number of logged-in users and other information" {
+ uptime
+}
+
+@test "uptime: Show only the amount of time the system has been booted for" {
+ uptime --pretty
+}
+
+@test "uptime: Print the date and time the system booted up at" {
+ uptime --since
+}
diff --git a/tests/integration/systemd/bootctl.bats b/tests/integration/systemd/bootctl.bats
new file mode 100644
index 000000000..2dfb39a7f
--- /dev/null
+++ b/tests/integration/systemd/bootctl.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "bootctl: Show information about the system firmware and the bootloaders" {
+ sudo bootctl status
+}
+
+@test "bootctl: Show all available bootloader entries" {
+ sudo bootctl list
+}
+
+@test "bootctl: Install 'systemd-boot' into the EFI system partition" {
+ sudo bootctl install
+}
+
+@test "bootctl: Remove all installed versions of 'systemd-boot' from the EFI system partition" {
+ sudo bootctl remove
+}
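Review bot: `sudo bootctl install` followed by `sudo bootctl remove` in bootctl.bats is destructive for the machine running the suite: `remove` deletes every installed copy of systemd-boot from the ESP, so on a VM that already boots through systemd-boot the next reboot fails, and on a GRUB VM `install` first registers systemd-boot as a new EFI entry. Gate both tests on the pre-existing state, e.g. `skip` when `bootctl is-installed` reports the loader was present before the test, or pair them with a `teardown_file` that restores the previous loader. The `status`/`list` tests are safe as written.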
diff --git a/tests/integration/systemd/busctl.bats b/tests/integration/systemd/busctl.bats
new file mode 100644
index 000000000..ef3e973e9
--- /dev/null
+++ b/tests/integration/systemd/busctl.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "busctl: Show all peers on the bus, by their service names" {
+ busctl list
+}
+
+@test "busctl: Show process information and credentials of a bus service, a process, or the owner of the bus (if no parameter is specified)" {
+ busctl status 1
+ busctl status org.freedesktop.DBus
+}
+
+@test "busctl: Show an object tree of one or more services (or all services if no service is specified)" {
+ busctl tree org.freedesktop.DBus
+}
+
+@test "busctl: Show interfaces, methods, properties and signals of the specified object on the specified service" {
+ busctl introspect org.freedesktop.login1 /org/freedesktop/login1
+}
+
+@test "busctl: Retrieve the current value of one or more object properties" {
+ busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager Docked
+}
diff --git a/tests/integration/systemd/homectl.bats b/tests/integration/systemd/homectl.bats
index 0bdd625c4..bb3b38227 100644
--- a/tests/integration/systemd/homectl.bats
+++ b/tests/integration/systemd/homectl.bats
@@ -16,7 +16,7 @@ setup_file() {
 }
 @test "homectl: Create a user account and their associated home directory" {
- sudo homectl create user2
+ printf "user2\nuser2" | sudo homectl create user2
 }
 @test "homectl: List user accounts and their associated home directories" {
diff --git a/tests/integration/systemd/journalctl.bats b/tests/integration/systemd/journalctl.bats
new file mode 100644
index 000000000..9eeb7c9fe
--- /dev/null
+++ b/tests/integration/systemd/journalctl.bats
@@ -0,0 +1,30 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "journalctl: Show all messages with priority level 3 (errors) from this boot" {
+ sudo journalctl -b --priority=3
+}
+
+@test "journalctl: Show only the last N lines of the journal" {
+ sudo journalctl --lines 100
+}
+
+@test "journalctl: Show all messages by a specific [u]nit" {
+ sudo journalctl --unit apparmor.service
+}
+
+@test "journalctl: Show all messages by a specific process" {
+ sudo journalctl _PID=1
+}
+
+@test "journalctl: Show all messages by a specific executable" {
+ sudo journalctl /usr/bin/bootctl
+}
+
+@test "journalctl: Delete journal logs which are older than 10 seconds" {
+ sudo journalctl --vacuum-time=10s
+}
diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats
new file mode 100644
index 000000000..5d82683a2
--- /dev/null
+++ b/tests/integration/systemd/localectl.bats
@@ -0,0 +1,23 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "localectl: Show the current settings of the system locale and keyboard mapping" {
+ localectl
+}
+
+@test "localectl: List available locales" {
+ localectl list-locales
+}
+
+@test "localectl: Set a system locale variable" {
+ sudo localectl set-locale LANG=en_US.UTF-8
+}
+
+@test "localectl: Set the system keyboard mapping for the console and X11" {
+ sudo localectl set-keymap uk
+}
+
diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats
new file mode 100644
index 000000000..d9ba38444
--- /dev/null
+++ b/tests/integration/systemd/machinectl.bats
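Review bot: `sudo journalctl --vacuum-time=10s` irreversibly discards every archived journal file older than ten seconds on the test host, which wipes the log history that later failure triage (and the other tests in this file) would rely on. The profile only needs the vacuum code path exercised, so a value that cannot delete anything in practice, e.g. `sudo journalctl --vacuum-time=10years`, or a `--directory` pointing at a throwaway copy of the journal, gives the same coverage without the data loss. A comment on the test saying which of the two it is would keep the intent clear.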
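Review bot: In the localectl hunk, `sudo localectl set-locale LANG=en_US.UTF-8` and `sudo localectl set-keymap uk` persist into the host's system configuration and nothing in the file restores the previous values, so a run on a non-disposable machine silently changes its locale and console keymap. Capture the current settings in `setup_file` (the output of `localectl` is already used by the first test) and restore them in `teardown_file`, or `skip` unless the run is known to be a throwaway VM. The stray blank `+` line after the last test is also worth dropping.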
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "importctl: Import an image as a machine" {
+ sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble
+}
+
+@test "machinectl: Display a list of available images" {
+ sudo machinectl list-images
+}
+
+@test "machinectl: Start a machine as a service using systemd-nspawn" {
+ sudo machinectl start noble
+}
+
+@test "machinectl: Display a list of running machines" {
+ sudo machinectl list
+}
+
+@test "machinectl: Stop a running machine" {
+ sudo machinectl stop noble
+}
diff --git a/tests/integration/systemd/networkctl.bats b/tests/integration/systemd/networkctl.bats
new file mode 100644
index 000000000..81418ba01
--- /dev/null
+++ b/tests/integration/systemd/networkctl.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "networkctl: List existing links with their status" {
+ sudo networkctl list
+}
+
+@test "networkctl: Show an overall network status" {
+ sudo networkctl status
+}
+
+@test "networkctl: Reload configuration files (.netdev and .network)" {
+ sudo networkctl reload
+}
diff --git a/tests/integration/utils/fstrim.bats b/tests/integration/utils/fstrim.bats
new file mode 100644
index 000000000..dff1083e2
--- /dev/null
+++ b/tests/integration/utils/fstrim.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "fstrim: Trim unused blocks on all mounted partitions that support it" {
+ sudo fstrim --all
+}
+
+@test "fstrim: Trim unused blocks on a specified partition" {
+ sudo fstrim --verbose /
+}
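Review bot: The `sudo importctl pull-tar --force --class=machine -N https://... noble` line downloads a root filesystem from the network and the later tests boot it as root under systemd-nspawn; if `-N` is importctl's short form of `--verify=no`, as I read the option, this also turns off the checksum and signature verification the download would otherwise get, so the suite boots whatever the mirror or anything on the path to it serves. Import with the default verification, or at least put a comment on the line stating why verification is disabled, and add a `teardown_file` with `sudo machinectl remove noble` so the image does not accumulate on the host. The test also depends on outbound network access, which is worth a `skip` when it is unavailable rather than a failure attributed to the profile.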
From ac3e0fea59923648b75f46684702632d5d29bf80 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:34:31 +0200 Subject: [PATCH 614/672] fix: profile compilation issue. --- apparmor.d/groups/utils/zramctl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index a5fa2eb75..29428a96f 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -13,13 +13,13 @@ profile zramctl @{exec_path} { @{exec_path} mr, - @{sys}/devices/virtual/block/zram{int}/disksize w, - @{sys}/devices/virtual/block/zram{int}/reset w, @{sys}/devices/virtual/block/zram@{int}/ r, @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, + @{sys}/devices/virtual/block/zram@{int}/disksize w, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, + @{sys}/devices/virtual/block/zram@{int}/reset w, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, From b878ce1ea23b6287ea6875e7aced36d13a10104c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 01:04:37 +0200 Subject: [PATCH 615/672] chore: fix linter issues. --- apparmor.d/profiles-g-l/kernel-postinst-kdump | 4 ++-- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/needrestart | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 4790c5cb7..50606695a 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -18,7 +18,7 @@ profile kernel-postinst-kdump @{exec_path} { @{bin}/cp rix, @{bin}/du rix, @{bin}/find rix, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rCx -> kmod, @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{bin}/mkdir rix, 
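Review bot: Style: the added `@{sys}/devices/virtual/block/zram@{int}/disksize w,` sits as a second rule next to the existing `disksize r,`, while `comp_algorithm` two lines above is written once as `rw`; merging into `@{sys}/devices/virtual/block/zram@{int}/disksize rw,` keeps the block one-path-per-line and sorted. The correction itself is right: `zram{int}` was a literal brace alternation rather than the `@{int}` variable, so whether or not the parser accepted it, the removed write rules could not match a real `zram0`-style path.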
@@ -49,7 +49,7 @@ profile kernel-postinst-kdump @{exec_path} { include include - include if exists + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 14a83ffbb..18610de27 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -20,7 +20,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index ceac5436b..5a65b40a9 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -23,7 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/stty rix, + @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, From f6914a87302f9026215234ea36d6dfcf10d6607e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 22:17:03 +0200 Subject: [PATCH 616/672] fix(profile): various fixes from issue raised by the CI. --- apparmor.d/groups/apt/dpkg-script-systemd | 7 ++++++- apparmor.d/groups/systemd/bootctl | 1 + apparmor.d/groups/systemd/localectl | 4 ++++ apparmor.d/groups/systemd/systemd-localed | 4 ++++ apparmor.d/groups/systemd/systemd-userdbd | 1 + apparmor.d/groups/virt/dockerd | 1 + apparmor.d/profiles-g-l/kernel-install | 1 + 7 files changed, 18 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 722e72c53..6c76e6f70 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd 
@@ -11,6 +11,8 @@ profile dpkg-script-systemd @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{coreutils_path} rix, @@ -21,7 +23,7 @@ profile dpkg-script-systemd @{exec_path} { @{bin}/dpkg-divert Px, @{bin}/dpkg-maintscript-helper Px, @{bin}/journalctl Px, - @{bin}/kernel-install Px, + @{bin}/kernel-install mrPx, @{bin}/systemctl Cx -> systemctl, @{bin}/systemd-machine-id-setup Px, @{bin}/systemd-sysusers Px, @@ -35,11 +37,14 @@ profile dpkg-script-systemd @{exec_path} { /etc/pam.d/sed@{rand6} rw, /etc/pam.d/common-password rw, + @{efi}/ r, + /var/lib/systemd/{,*} rw, /var/log/journal/ rw, profile dpkg { include + include include capability dac_read_search, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 47e8737fe..70a91197f 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -16,6 +16,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability linux_immutable, capability mknod, capability net_admin, + capability sys_rawio, capability sys_resource, signal send peer=child-pager, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index f9a3625ef..0d46dbfed 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -17,6 +17,10 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index c15eaf5b2..e98bef009 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed 
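Review bot: `capability dac_read_search,` and `@{bin}/kernel-install mrPx,` both widen the dpkg-script-systemd profile without a comment saying which maintainer-script step needs them; `dac_read_search` lets the script bypass read and search DAC checks on every path the profile already allows, so a `# dac_read_search: needed by [step] — TODO confirm from the CI denial` note next to it is worth having. On the exec rule, `m` is a mmap permission that an exec transitioning with `Px` does not need, and the kernel profile later in this series spells the same exec `@{bin}/kernel-install rPx,`; using that form, or commenting on why the script maps the binary, keeps the two consistent. The bootctl hunk below adds `capability sys_rawio,` with the same missing rationale.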
@@ -17,6 +17,10 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Reload + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 20e940b1d..f9fad3693 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -33,6 +33,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index abd6c90ec..c21fa2788 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -73,6 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, + @{bin}/runc rUx, #aa:lint ignore @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 96d097417..be5d877a9 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -14,6 +14,7 @@ profile kernel-install @{exec_path} { include include + capability sys_rawio, capability sys_resource, ptrace read peer=@{p_systemd}, From b2910ae59329af14143c384c307cbe7f42a47665 Mon Sep 17 00:00:00 2001 
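Review bot: `@{bin}/runc rUx, #aa:lint ignore` in the dockerd hunk adds a second unconfined exec of runc beside the existing `@{sbin}/runc rUx,`; `Ux` means the container runtime runs with no profile at all, so if the marker only silences the bin/sbin check, the comment should say so (`# Ux: unconfined on purpose; lint ignore covers the sbin check only`) so a later reader can tell the two rules are deliberate duplicates rather than a leftover. The kernel-install hunk adds `capability sys_rawio,` with no comment; as with the bootctl hunk in the same commit, a one-line note on the operation that trips it (presumably ESP or block-device access — confirm from the CI denial) lets a later audit judge whether the grant is still needed.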
From: Alexandre Pujol Date: Mon, 21 Jul 2025 22:22:13 +0200 Subject: [PATCH 617/672] tests(check): add support for '#aa:lint ignore' inline directive to disable linting. --- pkg/prebuild/directive/core.go | 3 +++ tests/check.sh | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go
index 6138eec0c..cde9470dc 100644
--- a/pkg/prebuild/directive/core.go
+++ b/pkg/prebuild/directive/core.go
@@ -106,6 +106,9 @@ func Run(file *paths.Path, profile string) (string, error) {
 opt := NewOption(file, match)
 drtv, ok := Directives[opt.Name]
 if !ok {
+ if opt.Name == "lint" {
+ continue
+ }
 return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File)
 }
 profile, err = drtv.Apply(opt, profile)
diff --git a/tests/check.sh b/tests/check.sh
index 8b847db6f..39d7f8158 100644
--- a/tests/check.sh
+++ b/tests/check.sh
@@ -51,12 +51,24 @@ _wait() {
 fi
 }
+readonly _IGNORE_LINT="#aa:lint ignore"
+_ignore_lint() {
+ local line="$1"
+ if [[ "$line" == *"$_IGNORE_LINT"* ]]; then
+ return 0
+ fi
+ return 1
+}
+
 _check() {
 local file="$1"
 local line_number=0
 while IFS= read -r line; do
 line_number=$((line_number + 1))
+ if _ignore_lint "$line"; then
+ continue
+ fi
 # Rules checks
 _check_abstractions
@@ -339,7 +351,10 @@ check_sbin() {
 jobs=0
 for name in "${sbin[@]}"; do
 (
- mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d | cut -d: -f1,2)
+ mapfile -t files < <(
+ grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT)" apparmor.d |
+ cut -d: -f1,2
+ )
 for file in "${files[@]}"; do
 _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'"
 done
From ef9b93b866109751be1f00d308190dd923e06698 Mon Sep 17 00:00:00 2001
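Review bot: `_ignore_lint` makes `_check` skip the whole line for every check, so a single `#aa:lint ignore` marker also disables the security-tagged checks (`_check_too_wide`, and the transition check added in the next commit) rather than only the one the author meant to silence; a scoped marker such as `#aa:lint ignore=too_wide`, parsed once into a variable that each `_check_*` consults, would keep the opt-out narrow and auditable. In `core.go`, `if opt.Name == "lint" { continue }` hard-codes the directive name inside the unknown-directive error path; registering a no-op `lint` entry in `Directives` keeps the dispatch table the single source of truth. The `check_sbin` grep now interpolates `$name` into a `-P` pattern unescaped, as the `-E` form did before, so a name containing regex metacharacters would match more than intended. The bodies of `_check` and `Run` continue outside their hunks.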
From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:00:48 +0200 Subject: [PATCH 618/672] tests(check): enable more linter rule. --- tests/check.sh | 58 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 3 deletions(-)
diff --git a/tests/check.sh b/tests/check.sh
index 39d7f8158..708b2fe99 100644
--- a/tests/check.sh
+++ b/tests/check.sh
@@ -75,6 +75,8 @@ _check() {
 _check_directory_mark
 _check_equivalent
 _check_too_wide
+ _check_transition
+ _check_useless
 # Guidelines check
 _check_abi
@@ -137,6 +139,7 @@ _check_directory_mark() {
 for pattern in "${DIRECTORIES[@]}"; do
 if [[ "$line" == *"$pattern"* ]]; then
 [[ "$line" == *'='* ]] && continue
+ [[ "$line" =~ ^[[:space:]]*# ]] && continue
 if [[ ! "$line" == *"$pattern/"* ]]; then
 _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'"
 fi
@@ -172,6 +175,55 @@ _check_too_wide() {
 done
 }
+readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx'
+ chgrp chmod chown cp find head install link ln ls mkdir mktemp mv rm rmdir
+ sed shred stat tail tee test timeout touch truncate unlink
+)
+readonly TRANSITION_MUST_PC=( # Must transition to 'Px'
+ ischroot
+)
+readonly TRANSITION_MUST_C=( # Must transition to 'Cx'
+ sysctl kmod pgrep pkexec sudo systemctl udevadm
+ fusermount fusermount3 fusermount{,3}
+ nvim vim sensible-editor
+)
+_check_transition() {
+ _is_enabled transition || return 0
+ for prgmname in "${!TRANSITION_MUST_CI[@]}"; do
+ if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then
+ _err security "$file:$line_number" \
+ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'"
+ fi
+ done
+ for prgmname in "${!TRANSITION_MUST_PC[@]}"; do
+ if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then
+ _err security "$file:$line_number" \
+ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'"
+ fi
+ done
+ for prgmname in "${!TRANSITION_MUST_C[@]}"; do
+ if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then
+ _warn security "$file:$line_number" \
+ "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'"
+ fi
+ done
+}
+
+readonly USELESS=(
+ '@{PROC}/filesystems' '@{PROC}/sys/kernel/cap_last_cap'
+ '@{PROC}/meminfo' '@{PROC}/stat' '@{PROC}/cpuinfo'
+ '@{sys}/devices/system/cpu/online' '@{sys}/devices/system/cpu/possible'
+ '/usr/share/locale/'
+)
+_check_useless() {
+ _is_enabled useless || return 0
+ for rule in "${!USELESS[@]}"; do
+ if [[ "$line" == *"${USELESS[$rule]}"* ]]; then
+ _err issue "$file:$line_number" "rule already included in the base abstraction, remove it"
+ fi
+ done
+}
+
 # Guidelines check: https://apparmor.pujol.io/development/guidelines/
 RES_ABI=false
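Review bot: In `TRANSITION_MUST_C`, the unquoted element `fusermount{,3}` is, I believe, brace-expanded by bash inside the array literal, so the array holds `fusermount fusermount3` twice and never the literal `fusermount{,3}` spelling that profile rules use; each `@{bin}/fusermount ` line is then reported twice while `@{bin}/fusermount{,3} ...` rules are not checked at all. Quoting the element as `'fusermount{,3}'` and dropping the two expanded names fixes both. `_check_useless` matches a bare substring, so a commented-out rule, a `deny` rule, or a rule with a different mode such as `@{PROC}/stat w` is also reported as already included in the base abstraction; skipping comment lines with `[[ "$line" =~ ^[[:space:]]*# ]] && continue` as `_check_directory_mark` now does, and anchoring the match on the rule start rather than anywhere in the line, removes the false positives. The `.*` in the transition regexes likewise reaches into trailing comments, so a `# was Px` remark on a line trips the check.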
@@ -388,7 +440,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent useless transition abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -408,7 +460,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent too_wide abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -429,7 +481,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent too_wide header tabs trailing indentation vim ) for file in "${files[@]}"; do From 85383ed361d80027f1527891dda1463a4e112cfc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:08:55 +0200 Subject: [PATCH 619/672] fix: newly detected linter issues. --- apparmor.d/abstractions/common/app | 6 +++--- apparmor.d/groups/browsers/epiphany | 1 - apparmor.d/groups/gpg/scdaemon | 2 +- apparmor.d/profiles-a-f/adequate | 2 -- apparmor.d/profiles-g-l/kernel-install | 3 +++ 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a3fb2c5ef..15b730fb2 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app 
@@ -56,11 +56,11 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore owner @{user_games_dirs}/** rmix, - owner @{tmp}/** rmwk, - owner /dev/shm/** rwlk -> /dev/shm/**, + owner @{tmp}/** rmwk, #aa:lint ignore + owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/tmp/etilqs_@{sqlhex} rw, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 636bbf9d3..86b293e8d 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -51,7 +51,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { owner @{tmp}/WebKit-Media-@{rand6} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 5d2cafd95..729455f7f 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -25,7 +25,7 @@ profile scdaemon @{exec_path} { owner /etc/pacman.d/gnupg/S.scdaemon rw, owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, - owner @{HOME}/@{XDG_GPG_DIR}common.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index b7a62fc82..da8f64bc2 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate 
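Review bot: Adding `#aa:lint ignore` to `owner @{tmp}/** rmwk,` silences the too-wide check on a rule that combines `w` and `m` over all of /tmp, which is exactly the write-then-map-executable combination such a check exists to catch in an abstraction shared by every confined application. If the `m` is genuinely needed, a comment on the line saying what maps code from /tmp (`# m: needed by [feature] — TODO confirm`) makes the opt-out reviewable; if not, `rwk` keeps the lint enabled. The other two ignores in the hunk (`@{run}/user/@{uid}/**` and `/dev/shm/**`) carry `l` with a link target, which the check presumably flags for the same reason, so a single comment above the three explaining why this abstraction is deliberately wide would serve all of them. The enclosing abstraction starts outside the hunk.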
@@ -54,14 +54,12 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/* mr, /usr/games/* mr, - @{lib}{,x}/** mr, @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, @{lib}/@{multiarch}/ld-*.so rix, - @{lib}{,x}32/ld-*.so rix, include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index be5d877a9..bd1438f96 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -42,7 +42,10 @@ profile kernel-install @{exec_path} { @{lib}/modules/*/modules.* w, + / r, + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/[a-f0-9]*/*/ rw, From f1a96db3172334c50303024aeb07fbd6f821ce18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:11:20 +0200 Subject: [PATCH 620/672] feat(profile): add missing update-alternatives & mdadm profiles. --- apparmor.d/profiles-a-f/dracut-install | 26 +++++++++++++++++ apparmor.d/profiles-m-r/mdadm | 39 ++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-a-f/dracut-install create mode 100644 apparmor.d/profiles-m-r/mdadm diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install new file mode 100644 index 000000000..2000635d3 --- /dev/null +++ b/apparmor.d/profiles-a-f/dracut-install @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dracut/dracut-install +profile dracut-install @{exec_path} { + include + + @{exec_path} mr, + + /etc/modprobe.d/{,**} r, + + @{sys}/devices/platform/{,**/} r, + @{sys}/devices/platform/**/modalias r, + @{sys}/module/compression r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm new file mode 100644 index 000000000..7601f16df --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/mdadm +profile mdadm @{exec_path} { + include + include + + capability sys_admin, + + mqueue (read getattr) type=posix /, + + @{exec_path} mr, + + @{run}/initctl r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + @{sys}/bus/pci/drivers/*/ r, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/@{pci}/device r, + @{sys}/devices/@{pci}/vendor r, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/cmdline r, + @{PROC}/kcore r, + @{PROC}/partitions r, + + /dev/**/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 71670d4d7..3aeab3192 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -90,6 +90,7 @@ dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain dpkg-scripts complain +dracut-install complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain @@ -232,6 +233,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain +mdadm complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain From 8f7e373f6270b172ffdd09b325c4228952cdcb51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:21:53 +0200 Subject: [PATCH 621/672] fix: update-alternatives is **not** installed in sbin. --- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- tests/sbin.list | 1 - 6 files changed, 5 insertions(+), 6 deletions(-) 
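Review bot: `@{PROC}/kcore r,` in the new mdadm profile grants read access to the kernel's physical-memory image, about the most sensitive read a profile can hand out, and nothing in the hunk records which mdadm code path touches it. It is worth checking the audit denial for the requested mask before keeping `r` — an open for metadata only would be a narrower grant — and, either way, adding `# kcore: [reason] — TODO confirm from audit log` next to the rule so the grant does not survive unexamined. `capability sys_admin,` in the same profile is similarly broad and deserves the same one-line rationale; the profile is in complain mode per the `main.flags` hunk, so both can be tightened before it is enforced.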
diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index da8f64bc2..7025f9787 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{sbin}/update-alternatives rPx, + @{bin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index c3155ce75..b718f7d18 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,9 +38,9 @@ profile kernel @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/kernel-install rPx, @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, @{lib}/dkms/dkms_autoinstaller rPx, @{sbin}/dkms rPx, - @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 18610de27..14a83ffbb 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -20,7 +20,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 4d38ab9c1..d280c145a 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -21,7 +21,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, 
diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 68ddb97a5..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-alternatives +@{exec_path} = @{bin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 1d0eb5b97..a8b439478 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -766,7 +766,6 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-alternatives update-ca-certificates update-catalog update-cracklib From 18212c9ff7a0fe96d3ae6299d76503ca3a32dad2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 00:03:06 +0200 Subject: [PATCH 622/672] tests: re-enable apt tests. --- tests/integration/apt/apt.bats | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats index 4be0edd8d..3f13d4ea4 100644 --- a/tests/integration/apt/apt.bats +++ b/tests/integration/apt/apt.bats @@ -5,10 +5,6 @@ load ../common -setup_file() { - skip -} - @test "apt: Update the list of available packages and versions" { sudo apt update } @@ -38,11 +34,11 @@ setup_file() { } @test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { - sudo apt autoclean + sudo apt autoclean -y } @test "apt: Remove all packages that are no longer needed" { - sudo apt autoremove + sudo apt autoremove -y } @test "apt: List all packages" { From 5a08ffc9ba485878eba448366459f2ef55625274 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 22 Jul 2025 00:19:35 +0200 Subject: [PATCH 623/672] fix(profile): apply fixes raised by tests --- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 5 +++++ .../abstractions/bus/org.freedesktop.systemd1 | 2 +- apparmor.d/abstractions/common/electron | 2 +- .../groups/freedesktop/xdg-user-dirs-gtk-update | 7 ++++++- .../groups/systemd/systemd-machine-id-setup | 1 + apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/groups/ubuntu/update-notifier-crash | 15 +++++++++++++-- apparmor.d/profiles-a-f/dracut-install | 1 + apparmor.d/profiles-m-r/mdadm | 1 + 9 files changed, 29 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index b002d6fa4..b683cf128 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -26,6 +26,11 @@ member={ItemNew,AllForNow,CacheExhausted} peer=(name="@{busname}", label="@{p_avahi_daemon}"), + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 341cf58ce..4fb1764bc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -8,7 +8,7 @@ dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member={GetUnit,StartUnit,StartTransientUnit} + member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), dbus send bus=system path=/org/freedesktop/systemd1 diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 8134f8681..6216ec939 100644 --- a/apparmor.d/abstractions/common/electron 
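Review bot: The new `dbus receive` rule in the Avahi abstraction writes its peer as `peer=(name=@{busname}, label="@{p_avahi_daemon}")` while the rule directly above it writes `peer=(name="@{busname}", label="@{p_avahi_daemon}")`; both forms are accepted, but the same variable now appears in two spellings in one file. Use `name="@{busname}"` on the added line to match the existing rule.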
+++ b/apparmor.d/abstractions/common/electron @@ -75,6 +75,7 @@ @{PROC}/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, @@ -88,7 +89,6 @@ owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 641862965..b2ae65450 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -12,14 +12,19 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include - include + include + include @{exec_path} mr, + @{bin}/xdg-user-dirs-update Px, + owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, + owner @{tmp}/dirs-@{rand6} rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index f3f27b523..c791e6375 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -31,6 +31,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { /etc/machine-id rw, /var/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 6c4dc4d77..361290980 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
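Review bot: Moving `@{PROC}/@{pid}/task/@{tid}/status r,` out of the `owner` group in the electron abstraction widens it from the application's own threads to the status of every process the kernel lets it read (UID/GID, capability sets, memory figures), and the hunk gives no hint which Electron code path reads another process's status. If a CI denial showed a genuine non-owner read, a comment such as `# non-owner: reads other processes' status via [feature] — TODO confirm` on the line records why; otherwise keeping the `owner` rule and adding only the specific non-owner path that triggered the denial is the narrower fix. The abstraction's body continues outside both hunks.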
@@ -85,7 +85,6 @@ profile update-notifier @{exec_path} { profile systemctl { include include - include dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index dee094aa1..d65c77a08 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -9,17 +9,28 @@ include @{exec_path} = @{lib}/update-notifier/update-notifier-crash profile update-notifier-crash @{exec_path} { include + include @{exec_path} mr, - @{bin}/systemctl Cx -> systemctl, - + @{bin}/{,e}grep ix, + @{bin}/groups Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/which{,.debianutils} ix, + @{sh_path} mr, /usr/share/apport/apport-checkreports Px, + owner @{HOME}/ r, + profile systemctl { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + include if exists } diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 2000635d3..6deb06eb6 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/dracut/dracut-install profile dracut-install @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 7601f16df..15adcb9e6 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -9,6 +9,7 @@ include @{exec_path} = @{sbin}/mdadm profile mdadm @{exec_path} { include + include include capability sys_admin, From 4a3a98c77d3fefb403a1bb775bca51a088006451 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 22 Jul 2025 18:46:17 +0200 Subject: [PATCH 624/672] fix(profile): fixes for issues raised by newly enabled tests. --- apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/apt/dpkg-script-linux | 12 +++++++++++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/network/netplan-generate | 1 + apparmor.d/profiles-s-z/ucf | 12 ++---------- 5 files changed, 16 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 716cd1dc8..66131c6e7 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -36,6 +36,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/stty ix, @{bin}/tr ix, @{bin}/uniq ix, + @{bin}/which{,.debianutils} ix, @{bin}/apt-extracttemplates Px, @{bin}/dpkg Px -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index d6a8db473..24c6c74df 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -19,11 +19,14 @@ profile dpkg-script-linux @{exec_path} { @{bin}/run-parts ix, @{bin}/stty ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-maintscript-helper Px, @{bin}/dpkg-trigger Px, @{bin}/kmod Px, @{bin}/linux-check-removal Px, @{bin}/linux-update-symlinks Px, - @{bin}/dpkg-maintscript-helper Px, + @{bin}/systemctl Cx -> systemctl, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, /etc/kernel/{,header_}postinst.d/* Px, @@ -36,6 +39,13 @@ profile dpkg-script-linux @{exec_path} { @{lib}/linux/triggers/* w, @{lib}/modules/*/.fresh-install w, + profile systemctl { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 44e4790c4..5743ab904 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts 
@@ -80,6 +80,7 @@ profile dpkg-scripts @{exec_path} { /tmp/tmp.@{rand10} rw, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, profile bus { include diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 64f8399e1..74ed20aaf 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/netplan/generate profile netplan-generate @{exec_path} flags=(attach_disconnected) { include + include include capability chown, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 3c3374d85..9e459f261 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/ucf profile ucf @{exec_path} { include + include include include @@ -17,11 +18,11 @@ profile ucf @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cp rix, @{bin}/dirname rix, - @{bin}/{m,g,}awk rix, @{bin}/getopt rix, @{bin}/id rix, @{bin}/md5sum rix, @@ -39,8 +40,6 @@ profile ucf @{exec_path} { @{bin}/dpkg-divert rPx, @{pager_path} rCx -> child-pager, - /usr/share/debconf/frontend Cx -> debconf, - # For md5sum /usr/share/** r, @@ -57,13 +56,6 @@ profile ucf @{exec_path} { deny capability sys_admin, # optional: no audit - profile debconf { - include - include - - include if exists - } - include if exists } From 7d2229cd05134f491a671f4f2e61b9216dc07420 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:18:00 +0200 Subject: [PATCH 625/672] build: fully replace make by just. --- .github/workflows/main.yml | 17 +-- .gitlab-ci.yml | 11 +- Justfile | 6 +- Makefile | 100 ------------------ debian/apparmor.d.hide | 2 +- debian/control | 1 + debian/rules | 8 +- dists/apparmor.d.spec | 5 +- dists/build.sh | 2 +- dists/ignore/main.ignore | 2 +- docs/development/build.md | 2 +- docs/development/roadmap.md | 2 +- docs/development/tests.md | 6 +- docs/development/workflow.md | 14 +-- docs/enforce.md | 44 ++++---- docs/full-system-policy.md | 42 ++++---- docs/install.md | 19 ++-- tests/check.sh | 2 +- .../cloud-init/archlinux-cosmic.user-data.yml | 1 + tests/cloud-init/archlinux-xfce.user-data.yml | 1 + tests/cloud-init/opensuse.yml | 2 +- tests/packer/src/aa-update | 6 +- 22 files changed, 113 insertions(+), 182 deletions(-) delete mode 100644 Makefile diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 973287e72..a3d7b3266 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,9 +9,14 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 + - name: Install linter dependencies + run: | + sudo apt-get update -q + sudo apt-get install -y just + - name: Run basic profile linter check run: | - make check + just check build: runs-on: ${{ matrix.os }} @@ -32,13 +37,13 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ - auditd apparmor-profiles apparmor-utils + auditd apparmor-profiles apparmor-utils just sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules + sed -e "s/just complain/just fsp-complain/" -i debian/rules fi if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then # Test with Re-attach disconnected path 
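Review bot: The new `sed -e "s/just complain/just fsp-complain/" -i debian/rules` exits 0 even when the pattern is absent, so if `debian/rules` is later reworded the full-system-policy matrix entry silently degrades to a plain build and the job still passes, whereas the `echo >> debian/rules` it replaces always took effect. Guard the substitution, e.g. `grep -q 'just complain' debian/rules` before the sed, or `grep -q 'just fsp-complain' debian/rules` after it, so a non-match fails the step. The pattern does match today because this same commit writes `just complain` into `debian/rules`. The identical substitution appears in the `.gitlab-ci.yml` whonix `before_script` hunk and needs the same guard.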
@@ -95,7 +100,7 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ apparmor-profiles apparmor-utils \ - bats bats-support + bats bats-support just - name: Install apparmor.d run: | @@ -127,12 +132,12 @@ jobs: - name: Install integration dependencies run: | - bash tests/requirements.sh + just init find /usr/sbin/ -type f - name: Run the integration tests run: | - make integration + just integration - name: Show final AppArmor logs if: always() diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8adab16ab..7b4c13519 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -66,7 +66,7 @@ check: stage: test image: registry.gitlab.com/roddhjav/builders/archlinux script: - - make check + - just check # Package Build # ------------- @@ -84,13 +84,12 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian:12 + image: registry.gitlab.com/roddhjav/builders/debian:trixie script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev lsb-release - - sudo apt-get install -y -t bookworm-backports golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -105,7 +104,7 @@ ubuntu: script: - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -117,7 +116,7 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules + - sed -e "s/just complain/just fsp-complain/" -i debian/rules opensuse: stage: build 
diff --git a/Justfile b/Justfile index f9ce13c36..7a84af1be 100644 --- a/Justfile +++ b/Justfile @@ -157,7 +157,7 @@ dpkg: [doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm - @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm + @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm [group('tests')] [doc('Run the unit tests')] @@ -213,8 +213,8 @@ package dist: if [[ $dist =~ ubuntu([0-9]+) ]]; then version="${BASH_REMATCH[1]}.04" dist="ubuntu" - elif [[ $dist =~ debian([0-9]+) ]]; then - version="${BASH_REMATCH[1]}" + elif [[ $dist == debian ]]; then + version="trixie" dist="debian" fi bash dists/docker.sh $dist $version diff --git a/Makefile b/Makefile deleted file mode 100644 index 854d39f16..000000000 --- a/Makefile +++ /dev/null 
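Review bot: The new `elif [[ $dist == debian ]]` branch hardcodes `version="trixie"` and drops the `debian([0-9]+)` match, so an argument such as `debian12` now satisfies neither branch and reaches `bash dists/docker.sh $dist $version` unchanged, with `version` holding whatever it was given earlier in the recipe (that assignment is outside the hunk). If only one Debian release is meant to be buildable now, an explicit `else echo "unsupported dist: $dist" >&2; exit 1` would fail fast instead of handing an unknown dist/version pair to the container build; otherwise a small case mapping numbers to codenames keeps the old form working. The `package` recipe's header and the lines before this `if` chain are not visible in the hunk.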
@@ -1,100 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -DESTDIR ?= / -BUILD ?= .build -PKGDEST ?= ${PWD}/.pkg -PKGNAME := apparmor.d -PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) - -.PHONY: all -all: build - @./${BUILD}/prebuild --complain - -.PHONY: build -build: - @go build -o ${BUILD}/ ./cmd/aa-log - @go build -o ${BUILD}/ ./cmd/prebuild - -.PHONY: enforce -enforce: build - @./${BUILD}/prebuild - -.PHONY: fsp -fsp: build - @./${BUILD}/prebuild --full - -.PHONY: fsp-complain -fsp-complain: build - @./${BUILD}/prebuild --complain --full - -.PHONY: install -install: - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \ - mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \ - cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in ${BUILD}/systemd/system/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \ - done; - @for file in ${BUILD}/systemd/user/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ - done - - -.PHONY: $(PROFILES) -$(PROFILES): - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" 
"${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ - done; - @for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ - done; - @echo "Warning: profile dependencies fallback to unconfined." - @for file in ${@}; do \ - grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \ - sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ - install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: dev -name ?= -dev: - @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) - @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name} - @sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: pkg -pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm - -.PHONY: dpkg -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb - -.PHONY: rpm -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm - -.PHONY: check -check: - @bash tests/check.sh - -.PHONY: integration -integration: - @bats --recursive --timing --print-output-on-failure tests/integration/ diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 20725a133..8fc1d019d 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -1 +1 @@ -# This file is generated by "make", all edit will be lost. +# This file is generated by "just", all edit will be lost. diff --git a/debian/control b/debian/control index 7f2028b0e..56ad928ba 100644 --- a/debian/control +++ b/debian/control 
@@ -6,6 +6,7 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, + just, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git diff --git a/debian/rules b/debian/rules index a30a693df..d78e652ca 100755 --- a/debian/rules +++ b/debian/rules @@ -9,5 +9,9 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: -# do not run 'make check' by default as it can be long for dev package -override_dh_auto_test: +override_dh_auto_build: + just complain + +override_dh_auto_install: + just destdir="${CURDIR}/debian/apparmor.d" install + diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 339d88036..bf97705a6 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -15,6 +15,7 @@ URL: https://github.com/roddhjav/apparmor.d Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release +BuildRequires: just BuildRequires: golang-packaging BuildRequires: apparmor-profiles @@ -25,10 +26,10 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most %autosetup %build -%make_build +just complain %install -%make_install +just destdir="%{buildroot}" install %posttrans rm -f /var/cache/apparmor/* 2>/dev/null diff --git a/dists/build.sh b/dists/build.sh index 1f2e204c2..9b9f9e765 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make [ dpkg | pkg | rpm ] +# Usage: just [ dpkg | pkg | rpm ] set -eu -o pipefail diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 3cccf4c05..0665edf85 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore 
@@ -2,7 +2,7 @@ # File format: one ignore by line, it can be a profile name or a directory to ignore # Contains profiles and configuration for full system confinement, only included -# when built with 'make full' +# when built with 'just fsp' apparmor.d/groups/_full # Provided by other packages diff --git a/docs/development/build.md b/docs/development/build.md index 5145a8416..eaa2487a2 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -2,7 +2,7 @@ title: Building the profiles --- -The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `make`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. +The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `just complain`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. The build system is fully configurable, general usage can be seen with: ```sh diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index b42467e3d..2585208e5 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -29,7 +29,7 @@ This is the current list of features that must be implemented to get to a stable - [ ] Provide packages repo for ubuntu/debian - [ ] Provide complain/enforced packages version - [x] Add a `just` target to install the profiles in the right place - - [ ] Fully drop the Makefile in favor of `just` + - [x] Fully drop the Makefile in favor of `just` ## Next features diff --git a/docs/development/tests.md b/docs/development/tests.md index df614b4fe..4bf421d92 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md 
@@ -6,12 +6,12 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo **Current** -- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `make` +- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `just complain` - Build the profiles for all supported distributions. - All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel. - Ensure the profile entry point (`@{exec_path}`) is defined. -- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `make check` checks basic style of profiles: +- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `just check` checks basic style of profiles: - Ensure apparmor.d header & licence - Ensure 2 spaces indentation - Ensure local include for profile and subprofiles @@ -19,7 +19,7 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo - Ensure modern profile naming - Ensure `vim:syntax=apparmor` -- [x] **[Integration Tests:](integration.md)** `just integration ` +- [x] **[Integration Tests:](integration.md)** `just test-run ` - Run simple CLI commands to ensure no logs are raised. - Uses the [bats](https://github.com/bats-core/bats-core) test system. - Run in the Github Action as well as in all local [test VM](vm.md). diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 7737e3775..786d77c93 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md 
@@ -57,7 +57,7 @@ profile foo @{exec_path} { ## Development Install -It is not recommended installing the full project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). +It is not recommended installing the full project *"manually"* (with `just complain`, `sudo just install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). Instead, install an individual profile or the development package, the following way. @@ -66,25 +66,25 @@ Instead, install an individual profile or the development package, the following === ":material-arch: Archlinux" ```sh - make pkg + just pkg ``` === ":material-ubuntu: Ubuntu" ```sh - make dpkg + just dpkg ``` === ":material-debian: Debian" ```sh - make dpkg + just dpkg ``` === ":simple-suse: openSUSE" ```sh - make rpm + just rpm ``` === ":material-docker: Docker" @@ -102,7 +102,7 @@ Instead, install an individual profile or the development package, the following **Format** ```sh -make dev name= +just dev ``` **Exampe** @@ -110,7 +110,7 @@ make dev name= : Testing the profile `pass` ``` - make dev name=pass + just dev pass ``` This: diff --git a/docs/enforce.md b/docs/enforce.md index 692cbd1e3..51eec0980 100644 --- a/docs/enforce.md +++ b/docs/enforce.md 
@@ -13,50 +13,56 @@ The default package configuration installs all profiles in *complain* mode. This === ":material-arch: Archlinux" - In the `PKGBUILD`, replace `make` by `make enforce`: + In the `PKGBUILD`, replace `just complain` by `just enforce`: ```diff - - make DISTRIBUTION=arch - + make enforce DISTRIBUTION=arch + - just complain + + just enforce ``` - Then, build the package with: `make pkg` + Then, build the package with: `just pkg` === ":material-ubuntu: Ubuntu" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just enforce`: - ```make - override_dh_auto_build: - make enforce + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":material-debian: Debian" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just enforce`: - ```make - override_dh_auto_build: - make enforce + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build enforce` + In `dists/apparmor.d.spec`, replace `just complain` by `just enforce`: ```diff - - %make_build - + %make_build enforce + %build + - just complain + %build + + just enforce ``` - Then, build the package with: `make rpm` + Then, build the package with: `just rpm` === ":material-home: Partial Install" - Use the `make enforce` command to build instead of `make` + Use the `just enforce` command to build instead of `just complain` [aur]: https://aur.archlinux.org/packages/apparmor.d-git diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index b523a1c38..a5ac57f11 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md 
@@ -35,7 +35,7 @@ Particularly: ## Installation -This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. +This feature is only enabled when the project is built with `just fsp`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. In `/etc/apparmor/parser.conf` ensure you have: ``` 
@@ -46,51 +46,57 @@ Optimize=compress-fast === ":material-arch: Archlinux" - In `PKGBUILD`, replace `make` by `make fsp`: + In `PKGBUILD`, replace `just complain` by `just fsp-complain`: ```diff - - make - + make fsp + - just complain + + just fsp-complain ``` - Then, build the package with: `make pkg` + Then, build the package with: `just pkg` === ":material-ubuntu: Ubuntu" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just fsp-complain`: ```make - override_dh_auto_build: - make fsp + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":material-debian: Debian" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just fsp-complain`: ```make - override_dh_auto_build: - make fsp + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp` + In `dists/apparmor.d.spec`, replace `just complain` by `just fsp-complain`: ```diff - - %make_build - + %make_build fsp + %build + - just complain + %build + + just fsp-complain ``` - Then, build the package with: `make rpm` + Then, build the package with: `just rpm` === ":material-home: Partial Install" - Use the `make fsp` command to build instead of `make` + Use the `just fsp-complain` command to build instead of `just complain` ## Structure diff --git a/docs/install.md b/docs/install.md index a18185fbf..416ad0f15 100644 --- a/docs/install.md +++ b/docs/install.md @@ -84,7 +84,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! warning 
@@ -110,19 +110,26 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! note - You may need golang from the backports repository to build: + **Debian 12 user will need to:** + 1. Install Golang from the backports repository: ```sh echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list sudo apt update sudo apt install -t bookworm-backports golang-go ``` + 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g: + ```sh + pipx install rust-just + sed '/just/d' -i debian/control + ``` + !!! warning **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. @@ -144,15 +151,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. ```sh - make - sudo make profile-names... + just complain + sudo just local profile-names... ``` !!! warning Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - For instance, `sudo make pass` gives: + For instance, `sudo just local pass` gives: ```sh Warning: profile dependencies fallback to unconfined. @{bin}/wl-{copy,paste} rPx, diff --git a/tests/check.sh b/tests/check.sh index 708b2fe99..f00d8aec1 100644 --- a/tests/check.sh +++ b/tests/check.sh 
@@ -3,7 +3,7 @@ # Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make check +# Usage: just check # shellcheck disable=SC2044 set -eu -o pipefail diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index be623e625..9ed6c1d92 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -10,6 +10,7 @@ packages: # Install usefull core packages - bash-completion + - just - git - htop - man diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 54329bfb8..5bab9bf08 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -11,6 +11,7 @@ packages: # Install usefull core packages - bash-completion - git + - just - htop - man - pass diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml index 1adf2b6eb..57c633678 100644 --- a/tests/cloud-init/opensuse.yml +++ b/tests/cloud-init/opensuse.yml @@ -9,7 +9,7 @@ core-packages: &core-packages - go - golang-packaging - htop - - make + - just - rpmbuild - rsync - vim diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index 48267d2f0..bdbd6ed00 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -13,15 +13,15 @@ DISTRIBUTION="$(_lsb_release)" cd "$HOME/Projects/apparmor.d" case "$DISTRIBUTION" in arch) - make pkg + just pkg ;; debian | ubuntu | whonix) sudo rm -rf debian/.debhelper/ - make dpkg + just dpkg sudo rm -rf debian/.debhelper/ ;; opensuse*) - make rpm + just rpm ;; *) ;; esac From 94bae18c2cabb0bfc88fb13fd3db794032e817ae Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:31:14 +0200 Subject: [PATCH 626/672] build: justfile: simplify test orchestration. --- Justfile | 31 +++++++------- docs/development/integration.md | 36 +++++++++++++++-- docs/development/vm.md | 72 ++++++++++++++++++--------------- docs/install.md | 1 + 4 files changed, 87 insertions(+), 53 deletions(-) diff --git a/Justfile b/Justfile index 7a84af1be..13a4a2d9e 100644 --- a/Justfile +++ b/Justfile @@ -284,6 +284,18 @@ destroy dist flavor: ssh dist flavor: @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` +[group('vm')] +[doc('Mount the shared directory on the machine')] +mount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' + +[group('vm')] +[doc('Unmout the shared directory on the machine')] +umount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' + [group('vm')] [doc('List the machines')] list: @@ -324,7 +336,6 @@ available: } ' - [group('tests')] [doc('Install dependencies for the integration tests')] init: 
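Review bot: In the new `mount` and `umount` recipes the single quotes around `sh -c '...'` are consumed by the local shell that executes the recipe line, and ssh joins its remaining arguments with spaces, so the remote login shell receives `sh -c mount | grep 0a31… || sudo mount 0a31…` and `sh -c true; sudo umount … || true` — the pipeline and `||` are parsed by the remote shell, not passed to the inner `sh -c`. It works today only because `sh -c mount` and `sh -c true` are harmless on their own; the leading `true;` in `umount` reads like a workaround for exactly this. Either drop the `sh -c` wrapper and send the command list directly, or quote it once for the remote side, e.g. `"sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'"`, so the remote receives the single-quoted string intact.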
@@ -349,30 +360,18 @@ tests-sync dist flavor: [group('tests')] [doc('Re-synchronize the integration tests (machine)')] -tests-resync dist flavor: (tests-mount dist flavor) \ +tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ - (tests-umount dist flavor) - -[group('tests')] -[doc('Unmout the integration tests (machine)')] -tests-umount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - sudo umount /home/{{username}}/Projects/apparmor.d + (umount dist flavor) [group('tests')] [doc('Run the integration tests (machine)')] -tests-run dist flavor name="": +tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ TERM=xterm \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} -[group('tests')] -[doc('Mount integration tests (machine)')] -tests-mount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4 - [private] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ diff --git a/docs/development/integration.md b/docs/development/integration.md index de60c8c47..b5c740f78 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md 
@@ -14,15 +14,43 @@ Although the integration test suite is intended to be run in a [Development VM]( ## Getting started -Prepare the test environment: +**Prepare the test environment:** ```sh just img -just vm +just create ``` -Run the integration tests on the test VM: +Example: ```sh -just integration +just img ubuntu25 desktop +just create ubuntu25 desktop +``` + +**Install dependencies for the integration tests** +```sh +just tests-init +``` + +Example: +```sh +just tests-init ubuntu25 desktop +``` + +**Run the integration tests** + +It: synchronizes the tests, unmount the shared directory, then run the tests. +```sh +just tests-run +``` + +Example: +```sh +just tests-run ubuntu25 desktop +``` + +Partial tests can also be run. For example the following command will only run the tests in the `tests/integration/apt` directory on the `ubuntu25` `desktop` machine: +```sh +just tests-run ubuntu25 desktop apt ``` ## Create integration tests diff --git a/docs/development/vm.md b/docs/development/vm.md index 1edddba76..1091f7d5e 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md 
@@ -13,53 +13,59 @@ $ just ``` Available recipes: - help # Show this help message - clean # Remove all build artifacts + help # Show this help message + clean # Remove all build artifacts [build] - build # Build the go programs - enforce # Prebuild the profiles in enforced mode - complain # Prebuild the profiles in complain mode - fsp # Prebuild the profiles in FSP mode - fsp-complain # Prebuild the profiles in FSP mode (complain) - fsp-debug # Prebuild the profiles in FSP mode (debug) + build # Build the go programs + enforce # Prebuild the profiles in enforced mode + complain # Prebuild the profiles in complain mode + fsp # Prebuild the profiles in FSP mode + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) [install] - install # Install prebuild profiles - local +names # Locally install prebuild profiles - dev name # Prebuild, install, and load a dev profile + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile [packages] - pkg # Build & install apparmor.d on Arch based systems - dpkg # Build & install apparmor.d on Debian based systems - rpm # Build & install apparmor.d on OpenSUSE based systems - package dist # Build the package in a clean OCI container + pkg # Build & install apparmor.d on Arch based systems + dpkg # Build & install apparmor.d on Debian based systems + rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container [tests] - tests # Run the unit tests - init dist flavor # Install dependencies for the bats integration tests - integration dist flavor # Run the integration tests on the machine + tests # Run the unit tests + init # Install dependencies for the integration tests + integration # Run the integration tests + tests-init dist flavor # Install dependencies for the integration tests (machine) + tests-sync dist flavor # Synchronize 
the integration tests (machine) + tests-resync dist flavor # Re-synchronize the integration tests (machine) + tests-run dist flavor name="" # Run the integration tests (machine) [linter] - lint # Run the linters - check # Run style checks on the profiles + lint # Run the linters + check # Run style checks on the profiles [docs] - man # Generate the man pages - docs # Build the documentation - serve # Serve the documentation + man # Generate the man pages + docs # Build the documentation + serve # Serve the documentation [vm] - img dist flavor # Build the VM image - create dist flavor # Create the machine - up dist flavor # Start a machine - halt dist flavor # Stops the machine - reboot dist flavor # Reboot the machine - destroy dist flavor # Destroy the machine - ssh dist flavor # Connect to the machine - list # List the machines - images # List the VM images - available # List the VM images that can be created + img dist flavor # Build the VM image + create dist flavor # Create the machine + up dist flavor # Start a machine + halt dist flavor # Stops the machine + reboot dist flavor # Reboot the machine + destroy dist flavor # Destroy the machine + ssh dist flavor # Connect to the machine + mount dist flavor # Mount the shared directory on the machine + umount dist flavor # Unmout the shared directory on the machine + list # List the machines + images # List the VM images + available # List the VM images that can be created See https://apparmor.pujol.io/development/ for more information. ``` diff --git a/docs/install.md b/docs/install.md index 416ad0f15..ee18e7819 100644 --- a/docs/install.md +++ b/docs/install.md @@ -37,6 +37,7 @@ The following desktop environments are supported: **Build dependency** * Go >= 1.23 +* [just](https://github.com/casey/just) ## Configure AppArmor From 5adc29087031c8f63930434d5e50a1fca5670089 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Tue, 22 Jul 2025 23:54:40 +0200
Subject: [PATCH 627/672] fix(profile): fixes some issues raised by tests.

---
 apparmor.d/abstractions/base.d/complete | 1 +
 apparmor.d/groups/utils/lsfd | 38 ++++++++++++++++++++++++++---------
 apparmor.d/groups/utils/lsipc | 2 ++
 apparmor.d/profiles-m-r/mkinitramfs | 16 +++++------
 4 files changed, 35 insertions(+), 22 deletions(-)

diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index ecfe09bb5..ad3945eb9 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -10,6 +10,7 @@
 # Allow to receive some signals from new well-known profiles
 signal (receive) peer=btop,
 signal (receive) peer=htop,
+ signal (receive) peer=pkill,
 signal (receive) peer=sudo,
 signal (receive) peer=top,
 signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd
index 6b30f63a9..96e497ea6 100644
--- a/apparmor.d/groups/utils/lsfd
+++ b/apparmor.d/groups/utils/lsfd
@@ -11,15 +11,25 @@ profile lsfd @{exec_path} flags=(attach_disconnected) {
 include
 include
 
+ capability bpf,
 capability checkpoint_restore,
 capability dac_read_search,
+ capability net_admin,
 capability sys_admin,
+ capability sys_chroot,
 capability sys_ptrace,
 capability sys_resource,
 capability syslog,
 
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 raw,
+ network inet6 stream,
+ network inet6 stream,
 network netlink dgram,
 network netlink raw,
+ network packet dgram,
 
 ptrace read,
 ptrace trace,
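Review bot: `network inet6 stream,` is added twice in the new network block of the lsfd profile; the second copy is redundant and should be dropped. The same hunk grants `capability bpf,`, `capability net_admin,` and `capability sys_chroot,` to a tool that only lists file descriptors, on top of the sys_admin and sys_ptrace it already had, with no comment saying which lsfd feature triggered each denial. Other profiles in this repository annotate such grants in place (the hwinfo profile later in this series uses `capability sys_admin, # Needed for ...`); a comment of that form on each of the three new capability lines, filled in from the test's audit log rather than guessed, would let a later reviewer distinguish a required grant from a silenced denial. The profile header is outside the hunk.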
@@ -38,20 +48,20 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/cpu_byteorder r, - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/devices r, - @{PROC}/misc r, - @{PROC}/partitions r, - @{PROC}/tty/drivers r, - owner @{PROC}/@{pid}/syscall r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/syscall r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, include if exists } diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc index 12c8d333c..7677a8a03 100644 --- a/apparmor.d/groups/utils/lsipc +++ b/apparmor.d/groups/utils/lsipc @@ -27,6 +27,8 @@ profile lsipc @{exec_path} { @{PROC}/sysvipc/sem r, @{PROC}/sysvipc/shm r, + /dev/mqueue/ r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index df76eb4ad..a7f046c55 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs 
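Review bot: The rewritten `@{PROC}/@{pid}/syscall r,` in the lsfd profile drops the `owner` qualifier that the removed line carried, so the profile may now read the in-flight syscall number and register arguments of any process rather than only its own. Because the rest of this hunk is a pure re-alignment of the `@{PROC}` rules, the widening is easy to overlook in review. If lsfd needs this for other users' processes (it already holds `ptrace read,` in the previous hunk, so that may well be the intent), a trailing comment such as `@{PROC}/@{pid}/syscall r, # needed for fds of other users' processes` would record it; otherwise keep `owner @{PROC}/@{pid}/syscall r,`.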
@@ -93,14 +93,14 @@ profile mkinitramfs @{exec_path} { owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initrd.* rw, - /var/tmp/ r, - /var/tmp/mkinitramfs_@{rand6}/** w, - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - owner /var/tmp/mkinitramfs-@{rand6} rw, - owner /var/tmp/mkinitramfs-*_@{rand6} rw, + /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, + /var/tmp/modules_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6}/ rw, + /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + /var/tmp/mkinitramfs-@{rand6} rw, + /var/tmp/mkinitramfs-*_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, From cd15178c81789c4bd65cc2c370d9a3ed893186a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:55:46 +0200 Subject: [PATCH 628/672] tests(check): globally ignore check in commented lines. --- tests/check.sh | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index f00d8aec1..977846e62 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -70,6 +70,18 @@ _check() { continue fi + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header + fi + _check_tabs + _check_trailing + _check_indentation + _check_vim + + # The following checks do not apply to comment lines + [[ "$line" =~ ^[[:space:]]*# ]] && continue + # Rules checks _check_abstractions _check_directory_mark @@ -84,15 +96,6 @@ _check() { _check_profile _check_subprofiles - # Style check - if [[ $line_number -lt 10 ]]; then - _check_header - fi - _check_tabs - _check_trailing - _check_indentation - _check_vim - done <"$file" # Results 
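Review bot: Five rules under the world-writable `/var/tmp/` lose their `owner` qualifier (`/var/tmp/mkinitramfs_@{rand6} rw,` through `/var/tmp/mkinitramfs-*_@{rand6} rw,`), so the mkinitramfs profile now allows reading, writing and linking on staging paths created by any user, and the `mkinitramfs-*_@{rand6}` glob accepts arbitrary text in the middle. In a shared temp directory, `owner` was the one qualifier limiting which other user's files the root-running script could be pointed at, so its removal deserves a recorded reason. If it had to go because the staging tree holds files whose original ownership is preserved (I am inferring that from the rules, not from anything in the hunk), a comment on the first of these rules, `# staging tree keeps the ownership of copied files, so owner cannot match`, would document the trade-off; the `/tmp/tmp.@{rand10}/...` rules below keep `owner`, so the inconsistency should at least be explained.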
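Review bot: The new `[[ "$line" =~ ^[[:space:]]*# ]] && continue` in `_check()` skips every rule check for any line whose first non-blank character is `#`, which also matches AppArmor's legacy `#include <...>` directive — a rule, not a comment. If this tree still contains such lines or wants the linter to flag them, `_check_abstractions` and the other rule checks will now pass over them silently. A narrower guard keeps the intended behaviour for real comments: `[[ "$line" =~ ^[[:space:]]*# && ! "$line" =~ ^[[:space:]]*#include ]] && continue`, or alternatively a comment on the line stating that `#include` is knowingly excluded from the rule checks. The `_check()` function begins before this hunk.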
@@ -139,7 +142,6 @@ _check_directory_mark() { for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue - [[ "$line" =~ ^[[:space:]]*# ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi From 2721cf6253dda72a37ab644ac78ca338496f3636 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 23 Jul 2025 00:59:12 +0200 Subject: [PATCH 629/672] build: ensure just compatibility with ubuntu 24.04 --- .github/workflows/main.yml | 12 ++++++++---- .gitlab-ci.yml | 2 +- docs/install.md | 11 ++++++++++- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a3d7b3266..bcb817338 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -11,8 +11,8 @@ jobs: - name: Install linter dependencies run: | - sudo apt-get update -q - sudo apt-get install -y just + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Run basic profile linter check run: | @@ -37,7 +37,9 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ - auditd apparmor-profiles apparmor-utils just + auditd apparmor-profiles apparmor-utils + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package @@ -100,7 +102,9 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ apparmor-profiles apparmor-utils \ - bats bats-support just + bats bats-support + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install apparmor.d run: | diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7b4c13519..c07695b25 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -146,7 +146,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian + image: debian:trixie dependencies: - debian script: 
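Review bot: `pipx install rust-just` fetches the build tool from PyPI with no version pin and no hash in all three install steps of this workflow (the linter, package and integration jobs), so every CI run trusts whatever the latest upload happens to be, where the previous `sudo apt-get install -y just` came from the distribution's signed archive. docs/install.md in this same commit sets the floor at `>= 1.40.0`, so pin at least that, `pipx install rust-just==1.40.0`, and prefer a hash-checked install if the CI stays on PyPI. The companion line should quote its target, `echo "$HOME/.local/bin" >> "$GITHUB_PATH"`. A one-line comment above the first occurrence giving the reason for leaving apt (Ubuntu 24.04 compatibility, per the commit message) would stop the next maintainer from reverting it.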
diff --git a/docs/install.md b/docs/install.md index ee18e7819..a56599c22 100644 --- a/docs/install.md +++ b/docs/install.md @@ -37,7 +37,7 @@ The following desktop environments are supported: **Build dependency** * Go >= 1.23 -* [just](https://github.com/casey/just) +* [just](https://github.com/casey/just) >= 1.40.0 ## Configure AppArmor @@ -88,6 +88,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf just dpkg ``` + !!! note + + **Ubuntu 24.04 user will need to:** + + Install [just](https://github.com/casey/just). E.g: + ```sh + pipx install rust-just + ``` + !!! warning **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. From 3db6d073599294d278b3b21c4a7304e5e754a6cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 23 Jul 2025 01:03:40 +0200 Subject: [PATCH 630/672] fix(test): running integration tests in ci. --- Justfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 13a4a2d9e..db23ad587 100644 --- a/Justfile +++ b/Justfile @@ -344,7 +344,7 @@ init: [group('tests')] [doc('Run the integration tests')] integration: - bats --recursive --pretty --timing --print-output-on-failure tests/integration + TERM=xterm bats --recursive --pretty --timing --print-output-on-failure tests/integration [group('tests')] [doc('Install dependencies for the integration tests (machine)')] @@ -368,7 +368,6 @@ tests-resync dist flavor: (mount dist flavor) \ [doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - TERM=xterm \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} From 9c55d62b85c4d806b33813993d5831c8c3d3b72b Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 25 Jul 2025 00:56:31 +0200 Subject: [PATCH 631/672] fix: small ci fixes. --- Justfile | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- apparmor.d/groups/apt/dpkg-script-linux | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 6 ++---- apparmor.d/profiles-g-l/gtk-update-icon-cache | 2 ++ apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/ucfr | 9 +++++---- 7 files changed, 14 insertions(+), 11 deletions(-) diff --git a/Justfile b/Justfile index db23ad587..e640a5a98 100644 --- a/Justfile +++ b/Justfile @@ -344,7 +344,7 @@ init: [group('tests')] [doc('Run the integration tests')] integration: - TERM=xterm bats --recursive --pretty --timing --print-output-on-failure tests/integration + bats --recursive --timing --print-output-on-failure tests/integration [group('tests')] [doc('Install dependencies for the integration tests (machine)')] diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 66131c6e7..2e32af979 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -36,7 +36,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/stty ix, @{bin}/tr ix, @{bin}/uniq ix, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{bin}/apt-extracttemplates Px, @{bin}/dpkg Px -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 24c6c74df..b294b928b 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -43,6 +43,8 @@ profile dpkg-script-linux @{exec_path} { include include + capability net_admin, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 5743ab904..b262040f7 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts 
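Review bot: `capability net_admin,` is added to the dpkg-script-linux profile with no comment identifying the maintainer script or operation that needs it. net_admin covers interface, routing and firewall configuration among much else, and nothing visible in the hunk ties it to a kernel package script, so a reader cannot tell a required grant from a silenced denial. Following the repository's annotation style, `capability net_admin, # Needed for <operation, from the audit log — TODO confirm>` on that line would preserve the reason; the profile header is outside the hunk.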
@@ -62,10 +62,8 @@ profile dpkg-scripts @{exec_path} { @{bin}/ r, @{bin}/* w, @{lib}/ r, - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/**.pyc w, - @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, - @{lib}/modules/*/.fresh-install w, + @{lib}/** w, + /opt/*/** rw, /etc/ r, /etc/** rw, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index b1a6779ae..b709511e2 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -12,6 +12,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include + capability fowner, + @{exec_path} mr, @{system_share_dirs}/icons/{,**/} r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 9e459f261..59f2d40aa 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -14,7 +14,7 @@ profile ucf @{exec_path} { include include - @{exec_path} r, + @{exec_path} rix, @{sh_path} rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index add5c5b64..4cc149a28 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -9,18 +9,19 @@ include @{exec_path} = @{bin}/ucfr profile ucfr @{exec_path} { include + include @{exec_path} mr, @{sh_path} r, - @{bin}/basename ix, - @{bin}/{m,g,}awk ix, - @{bin}/getopt ix, @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/dirname ix, + @{bin}/getopt ix, @{bin}/id ix, @{bin}/readlink ix, @{bin}/sed ix, - @{bin}/dirname ix, /usr/share/ucf/{,**} r, From 031e1b2b0764c5a81d67f10295405a454a7e641f Mon Sep 17 00:00:00 2001 
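Review bot: `@{lib}/** w,` in the dpkg-scripts profile replaces four narrowly scoped rules (the python `__pycache__` paths and `@{lib}/modules/*/.fresh-install`) with write access to the entire library tree, and `/opt/*/** rw,` is added next to it; together with the surrounding `@{bin}/* w,` and `/etc/** rw,` context lines the file mediation of this profile becomes close to nominal for system directories. If that is the accepted scope for a generic maintainer-script profile, a comment above the rule, `# maintainer scripts may write anywhere under the system prefix`, should say so; otherwise keep the specific rules and add only the path the failing test actually needed. The profile header is outside the hunk.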
From: Alexandre Pujol Date: Sat, 26 Jul 2025 16:54:02 +0200 Subject: [PATCH 632/672] feat: apply new linter recommendations. --- apparmor.d/abstractions/app/open | 2 +- apparmor.d/abstractions/ibus.d/complete | 4 ++-- apparmor.d/groups/cron/cron-debtags | 4 ++-- apparmor.d/groups/filesystem/udiskie-info | 3 ++- apparmor.d/groups/filesystem/udiskie-mount | 3 ++- apparmor.d/groups/filesystem/udiskie-umount | 3 ++- apparmor.d/groups/gnome/gdm-session-worker | 6 +++--- apparmor.d/groups/gpg/gpgsm | 4 ++-- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/pacman/archlinux-java | 2 +- apparmor.d/groups/pacman/paccache | 2 +- apparmor.d/groups/pacman/pacman-hook-dconf | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 4 ++-- apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 +- apparmor.d/groups/pacman/pacman-hook-gio | 4 ++-- apparmor.d/groups/pacman/pacman-hook-gtk | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove | 2 +- apparmor.d/groups/pacman/pacman-key | 4 ++-- apparmor.d/groups/procps/sysctl | 2 +- apparmor.d/groups/systemd/systemd-binfmt | 3 ++- apparmor.d/groups/systemd/systemd-sysctl | 2 +- apparmor.d/groups/systemd/systemd-sysusers | 2 +- apparmor.d/groups/systemd/systemd-tmpfiles | 4 ++-- apparmor.d/groups/ubuntu/apt_news | 2 +- apparmor.d/groups/ubuntu/esm_cache | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 4 ++-- apparmor.d/groups/virt/dockerd | 4 ++-- apparmor.d/profiles-a-f/aspell | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 4 ++-- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/hardinfo | 7 +++---- apparmor.d/profiles-g-l/hwinfo | 4 ++-- apparmor.d/profiles-g-l/ip | 4 ++-- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 5 +++-- 
apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 6 +++--- apparmor.d/profiles-m-r/pcb-gtk | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- 43 files changed, 67 insertions(+), 63 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 2a43affcf..9d0da2199 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -36,7 +36,7 @@ /etc/xdg/menus/ r, - owner @{run}/user//@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 5c53b9fa1..8132d38a9 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -15,11 +15,11 @@ # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), unix (connect, receive, send) type=stream - peer=(addr="@/home/*/.cache/ibus/dbus-????????"), + peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore unix (connect, send, receive, accept, bind, listen) type=stream - addr="@/home/*/.cache/ibus/dbus-????????", + addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index 3e6c182a7..ea9086948 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} { include @{exec_path} r, - @{sh_path} rix, - /usr/bin/debtags rPx, + @{sh_path} rix, + @{bin}/debtags rPx, include if exists } diff --git a/apparmor.d/groups/filesystem/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info index 0b39fd3dc..b59b91472 100644 --- a/apparmor.d/groups/filesystem/udiskie-info +++ b/apparmor.d/groups/filesystem/udiskie-info 
@@ -15,7 +15,8 @@ profile udiskie-info @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount index 0513a8c35..3ec9e422a 100644 --- a/apparmor.d/groups/filesystem/udiskie-mount +++ b/apparmor.d/groups/filesystem/udiskie-mount @@ -15,7 +15,8 @@ profile udiskie-mount @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount index cf147b875..01271bdc6 100644 --- a/apparmor.d/groups/filesystem/udiskie-umount +++ b/apparmor.d/groups/filesystem/udiskie-umount @@ -15,7 +15,8 @@ profile udiskie-umount @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index a5dac16fa..2e4a44c4e 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -100,9 +100,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner /.fscrypt/protectors/@{hex16} r, /home/ r, - /home/.fscrypt/policies/ r, - owner /home/.fscrypt/policies/@{hex32} r, - owner /home/.fscrypt/protectors/@{hex16}.link r, + /home/.fscrypt/policies/ r, #aa:lint ignore + owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore + owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore owner @{HOME}/.pam_environment r, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index bfa71cf53..2ef1a9d4a 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm 
@@ -23,11 +23,11 @@ profile gpgsm @{exec_path} { /etc/gcrypt/hwf.deny r, - deny /usr/bin/.gnupg/ w, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + deny @{bin}/.gnupg/ w, include if exists } diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index ba7956438..e671d32fb 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -26,7 +26,7 @@ profile grub-multi-install @{exec_path} { @{bin}/udevadm rPx, /usr/share/debconf/frontend rix, - /usr/lib/terminfo/x/xterm-256color r, + @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, /boot/grub/grub.cfg rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 396f256cc..143df5c9e 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -114,7 +114,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/sddm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx, - /usr/etc/X11/xdm/Xsetup rix, + @{etc_ro}/X11/xdm/Xsetup rix, /usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/Xsession rix, /usr/share/sddm/scripts/Xsetup rix, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 9573d7044..735154b7e 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -30,7 +30,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, network netlink dgram, - mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, + mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, @{exec_path} mr, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index fe83e168d..38cd95d0a 100644 --- a/apparmor.d/groups/pacman/archlinux-java 
+++ b/apparmor.d/groups/pacman/archlinux-java @@ -14,8 +14,8 @@ profile archlinux-java @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/dirname rix, @{bin}/find rix, @{bin}/id rix, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8bf1aed6a..8331951e7 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index b5a330d75..c49eb08e9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/dconf rPx, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index ce41d6ae8..0dae14351 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -14,13 +14,13 @@ profile pacman-hook-depmod @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, - /usr/lib/modules/*/{,**} rw, + @{lib}/modules/*/{,**} rw, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index de0d33e16..3b29e01ea 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/ln rix, @{bin}/rm rix, 
diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 5aa612a3c..17218158e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rmdir rix, @{bin}/gio-querymodules rPx, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, @{lib}/gtk-{3,4}.0/**/*/ rw, - /usr/lib/gio/modules/ rw, + @{lib}/gio/modules/ rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index ce7b931ca..e6aa28627 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index a9bf40360..68c958f4b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/compgen rix, @{bin}/env rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 7c0006153..d30cf1342 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 9e3bde188..1e1204c27 100644 --- a/apparmor.d/groups/pacman/pacman-key 
+++ b/apparmor.d/groups/pacman/pacman-key @@ -16,9 +16,9 @@ profile pacman-key @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, @{bin}/gpg{,2} rCx -> &gpg, @@ -60,7 +60,7 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl, - @{HOME}/.gnupg/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/groups/procps/sysctl index 3131befeb..9275c7054 100644 --- a/apparmor.d/groups/procps/sysctl +++ b/apparmor.d/groups/procps/sysctl @@ -22,7 +22,7 @@ profile sysctl @{exec_path} { /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, /etc/ufw/sysctl.conf r, # Add support for ufw diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index d34bbe4cb..5e3406ea9 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -16,11 +16,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/* r, + @{sbin}/* r, # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, - /usr/lib/binfmt.d/{,*.conf} r, + @{lib}/binfmt.d/{,*.conf} r, @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 454105011..87e0ede5c 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { @{run}/sysctl.d/{,*.conf} r, /etc/sysctl.conf r, /etc/sysctl.d/{,*.conf} r, - /usr/lib/sysctl.d/{,*.conf} r, + @{lib}/sysctl.d/{,*.conf} r, @{PROC}/sys/** rw, 
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 254faeca0..2d250f63c 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -25,7 +25,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/sysusers.d/{,*.conf} r, @{run}/sysusers.d/{,*.conf} r, - /usr/lib/sysusers.d/{,*.conf} r, + @{lib}/sysusers.d/{,*.conf} r, # Where the users can be created, /home/{,*} rw, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index e37073f47..0e1e404ab 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r, - /usr/lib/tmpfiles.d/{,*.conf} r, + @{lib}/tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, @@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /etc/{,**} rw, /home/ rw, /opt/{,**} rw, - /run/{,**} rw, + @{run}/{,**} rw, /srv/{,**} rw, /tmp/{,**} rwk, /usr/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index faf15dfbe..7f4e8fbe2 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py +@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache index 2596d6c12..53238564a 100644 --- a/apparmor.d/groups/ubuntu/esm_cache +++ b/apparmor.d/groups/ubuntu/esm_cache 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py +@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py profile esm_cache @{exec_path} { include include diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index dc67817ed..a5b65f5b3 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -37,7 +37,7 @@ profile subiquity-console-conf @{exec_path} { @{bin}/ssh-keygen rPx, @{sbin}/sshd rPx, @{bin}/snap rPUx, - /usr/lib/snapd/snap-recovery-chooser rPUx, + @{lib}/snapd/snap-recovery-chooser rPUx, /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 61898a3e4..04b355a48 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -25,8 +25,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { signal (send) set=kill peer=cri-containerd.apparmor.d, signal (receive) set=kill peer=containerd, - mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, - umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c21fa2788..c57f7a9f8 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
@@ -38,7 +38,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { mount /tmp/containerd-mount@{int}/, mount /var/lib/docker/**/, - mount options=(rw bind) -> /run/docker/netns/*, + mount options=(rw bind) -> @{run}/docker/netns/*, mount options=(rw rprivate) -> /.pivot_root@{int}/, mount options=(rw rslave) -> /, @@ -46,7 +46,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { remount /var/lib/docker/**/, umount /.pivot_root@{int}/, - umount /run/docker/netns/*, + umount @{run}/docker/netns/*, umount /tmp/containerd-mount@{int}/, umount /var/lib/docker/**/, diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 16b5b6f6d..629caca10 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, + @{lib}/aspell/{,*} r, /var/lib/aspell/{,*} r, /var/lib/aspell/*.rws rw, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index e8a83892a..14feb75df 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -32,8 +32,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, - /usr/lib/aspell/*.rws rw, + @{lib}/aspell/{,*} r, + @{lib}/aspell/*.rws rw, /var/lib/aspell/ r, /var/lib/aspell/* rw, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 1dcdf8042..561e1af61 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -73,7 +73,7 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/farstream/ rw, - owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, 
diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 719625dbd..0ad848c50 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -20,7 +20,7 @@ profile gpu-manager @{exec_path} { @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, - /usr/lib/modprobe.d/{,**} r, + @{lib}/modprobe.d/{,**} r, /var/lib/ubuntu-drivers-common/* rw, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index b63a9e5ed..5d78a90e3 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -58,7 +58,7 @@ profile hardinfo @{exec_path} { @{bin}/netstat rPx, @{bin}/qtchooser rPx, - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, /usr/share/gdb/python/ r, /usr/share/gdb/python/** r, @@ -132,9 +132,8 @@ profile hardinfo @{exec_path} { include include - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, - - @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, /etc/java-[0-9]*-openjdk/** r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 314975208..04a1d8f57 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -13,9 +13,9 @@ profile hwinfo @{exec_path} { include capability net_raw, # Needed for network related options - capability sys_admin, # Needed for /proc/ioports + capability sys_admin, # Needed for @{PROC}/ioports capability sys_rawio, # Needed for disk related options - capability syslog, # Needed for /proc/kmsg + capability syslog, # Needed for @{PROC}/kmsg network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index bcb521c01..0a27c4b59 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip 
@@ -20,7 +20,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount fstype=sysfs -> /sys/, + mount fstype=sysfs -> @{sys}, mount options=(rw bind) / -> @{run}/netns/*, mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw, bind) @{att}/ -> @{run}/netns/*, @@ -29,7 +29,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> /, umount @{run}/netns/*, - umount /sys/, + umount @{sys}, @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index a793bf707..5099c53f3 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -74,7 +74,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index a7f046c55..7d1394e2a 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -69,10 +69,11 @@ profile mkinitramfs @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - /usr/share/initramfs-tools/hooks/** rPx, - /usr/share/initramfs-tools/scripts/** rPx, + @{lib}/initramfs-tools/hooks/** rPx, /etc/initramfs-tools/hooks/** rPx, /etc/initramfs-tools/scripts/** rPx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index d75301fc6..a8189694e 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions 
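Review bot: The sysfs rules in the ip hunk lose their trailing slash when `/sys/` becomes `@{sys}`, while every other directory mount point in this profile (`/`, `@{run}/netns/`) keeps it. If `@{sys}` is declared as plain `/sys`, which is the usual definition of that tunable, `mount fstype=sysfs -> @{sys},` no longer matches the directory mount point the kernel reports with a trailing slash and the mount is denied once the profile is enforced. Suggest `mount fstype=sysfs -> @{sys}/,` and `umount @{sys}/,`. The `@{run}/netns/*` rules are unaffected because network-namespace mount points are files, not directories.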
@@ -19,14 +19,14 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd64-microcode* r, + /usr/share/misc/amd-microcode* r /usr/share/misc/intel-microcode* r, - /etc/default/amd64-microcode r, + /etc/default/amd-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/amd64-ucode.img r, + /boot/amd-ucode.img r, /boot/intel-ucode.img r, /boot/early_ucode.cpio r, diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 2f057f2a7..2923f70cd 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -20,7 +20,7 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - @{bin}/dash rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index a83c867fa..8e39c7620 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -26,7 +26,7 @@ profile resolvconf @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, - /usr/lib/resolvconf/{,**} r, + @{lib}/resolvconf/{,**} r, @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, From 41fc182860e760ca0f64781568f94a21973cfec3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:00:15 +0200 Subject: [PATCH 633/672] fix(test): minor integration tests fixes. --- apparmor.d/groups/apt/dpkg-statoverride | 3 +++ tests/integration/systemd/localectl.bats | 8 ++++++-- tests/integration/systemd/machinectl.bats | 6 +++--- tests/integration/utils/lspci.bats | 1 + 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index d2e02f613..804e1675b 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride 
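Review bot: In the needrestart-iucode-scan-versions hunk the rewritten line `/usr/share/misc/amd-microcode* r` has no trailing comma, so the profile will not parse. Beyond that, the rename from `amd64-microcode` to `amd-microcode` looks like a false positive of the arch substitution rather than a real path change: on Debian the package and its files appear to be literally named `amd64-microcode` (`/etc/default/amd64-microcode`, `/usr/share/misc/amd64-microcode*`), where `amd64` is part of the package name, whereas `/boot/amd-ucode.img` is the Arch naming; please verify on a Debian host before keeping the rename. If the original names are correct, restore them and mark the lines with the existing `#aa:lint ignore` marker so the check stays quiet.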
@@ -9,10 +9,13 @@ include @{exec_path} = @{bin}/dpkg-statoverride profile dpkg-statoverride @{exec_path} flags=(complain) { include + include include @{exec_path} mr, + /var/lib/dpkg/statoverride r, + include if exists } diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats index 5d82683a2..71dfd2e06 100644 --- a/tests/integration/systemd/localectl.bats +++ b/tests/integration/systemd/localectl.bats @@ -17,7 +17,11 @@ load ../common sudo localectl set-locale LANG=en_US.UTF-8 } -@test "localectl: Set the system keyboard mapping for the console and X11" { - sudo localectl set-keymap uk +@test "localectl: List available keymaps" { + localectl list-keymaps || true +} + +@test "localectl: Set the system keyboard mapping for the console and X11" { + sudo localectl set-keymap uk || true } diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats index d9ba38444..18771ae72 100644 --- a/tests/integration/systemd/machinectl.bats +++ b/tests/integration/systemd/machinectl.bats @@ -6,7 +6,7 @@ load ../common @test "importctl: Import an image as a machine" { - sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble + sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble || true } @test "machinectl: Display a list of available images" { @@ -14,7 +14,7 @@ load ../common } @test "machinectl: Start a machine as a service using systemd-nspawn" { - sudo machinectl start noble + sudo machinectl start noble || true } @test "machinectl: Display a list of running machines" { @@ -22,5 +22,5 @@ load ../common } @test "machinectl: Stop a running machine" { - sudo machinectl stop noble + sudo machinectl stop noble || true } 
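Review bot: Appending `|| true` to `importctl pull-tar`, `machinectl start` and `machinectl stop` in the machinectl hunk makes each step pass regardless of exit status, so an AppArmor denial that aborts the command is no longer surfaced by the test itself. If the harness in `../common` only inspects exit codes (not visible here), these cases become no-ops that can never catch a regression. Consider keeping the failure signal and skipping only when the precondition is missing, e.g. `sudo machinectl start noble || skip "noble image not imported"`, so that a denial on an available image still fails the test.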
diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats index 1b86dd41f..848b7ef61 100644 --- a/tests/integration/utils/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -7,6 +7,7 @@ load ../common @test "lspci: Show a brief list of devices" { lspci + sudo lspci } @test "lspci: Display additional info" { From 78c41305fa99e21e2fc05c0fd5880248ca830967 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:03:28 +0200 Subject: [PATCH 634/672] tests(check): look for missing tunables. --- tests/check.sh | 54 ++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 977846e62..e345bb14c 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -89,6 +89,7 @@ _check() { _check_too_wide _check_transition _check_useless + _check_variables # Guidelines check _check_abi @@ -107,7 +108,7 @@ _check() { _res_vim } -# Rules checks: security, compatibility and rule issues +# Rules checks: security, compatibility, and rule issues readonly ABS="abstractions" readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) 
@@ -226,6 +227,51 @@ _check_useless() { done } +declare -A VARIABLES_MISSING=( + # User variables + ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}" + ["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}" + ["/home/[^/]+/"]="@{HOME}/" + + # System variables + ["/usr/lib(|32|64|exec)"]='@{lib}' + ["/usr/sbin"]='@{sbin}' + ["/usr/bin"]='@{bin}' + ["(x86_64|amd64|i386|i686)"]='@{arch}' + ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' + ["/usr/etc/"]='@{etc_ro}/' + ["/var/run/"]='@{run}/' + ["/run/"]='@{run}/' + ["user/[0-9]*/"]='user/@{uid}/' + ["/tmp/user/[^/]+/"]='@{tmp}/' + ["/sys/"]='@{sys}/' + ["/proc/"]='@{PROC}/' + ["1000"]="@{uid}" + + # Some system glob + [":not.active.yet"]="@{busname}" + [":1.[0-9]*"]="@{busname}" + ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" + ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" +) +_check_variables() { + _is_enabled variables || return 0 + for pattern in "${!VARIABLES_MISSING[@]}"; do + rpattern="$pattern" + [[ "$rpattern" == /* ]] && rpattern=" $rpattern" + if [[ "$line" =~ $rpattern ]]; then + match="${BASH_REMATCH[0]}" + _err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false @@ -442,7 +488,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition + abstractions directory_mark equivalent useless transition variables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do 
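Review bot: Several patterns in the new `VARIABLES_MISSING` table match substrings rather than tokens, so `_check_variables` will report false positives: `["1000"]` fires on any number containing 1000 (`10000`, a port, a literal in a comment-free rule), and `(x86_64|amd64|i386|i686)` fires inside names such as `amd64-microcode` where `amd64` is not an architecture component. The leading-space guard `[[ "$rpattern" == /* ]] && rpattern=" $rpattern"` only protects patterns that begin with `/`. Suggest anchoring the numeric pattern, `["(^|[^[:alnum:]])1000([^[:alnum:]]|$)"]="@{uid}"`, and adding a comment above the table stating that arch matches must be confirmed by hand or silenced with the `#aa:lint ignore` marker, since no regex can distinguish `openjdk-amd64` from `amd64-microcode`.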
@@ -462,7 +508,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide + abstractions directory_mark equivalent too_wide variables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -483,7 +529,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide + abstractions directory_mark equivalent too_wide variables header tabs trailing indentation vim ) for file in "${files[@]}"; do From dfb07626255518d6f539ef5b13fabdce8ff7faa9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:47:02 +0200 Subject: [PATCH 635/672] fix(profile): parer issue. --- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index a8189694e..3c1c32093 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -19,7 +19,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd-microcode* r + /usr/share/misc/amd-microcode* r, /usr/share/misc/intel-microcode* r, /etc/default/amd-microcode r, From c0b43c86b6573b5f3e510f1548585e3a2c94af2e Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 26 Jul 2025 22:28:54 +0200 Subject: [PATCH 636/672] tests(check): add support for blocl ignore, handle inline comments. --- apparmor.d/abstractions/common/app | 7 ++- apparmor.d/abstractions/ibus.d/complete | 6 +- apparmor.d/groups/gnome/gdm-session-worker | 7 ++- apparmor.d/groups/virt/dockerd | 2 +- apparmor.d/profiles-g-l/hwinfo | 4 +- tests/check.sh | 69 ++++++++++++++++------ 6 files changed, 65 insertions(+), 30 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 15b730fb2..14106ad81 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,11 +56,12 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide owner @{user_games_dirs}/** rmix, - owner @{tmp}/** rmwk, #aa:lint ignore - owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore + #aa:lint ignore=too_wide + owner @{tmp}/** rmwk, + owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/tmp/etilqs_@{sqlhex} rw, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 8132d38a9..3ecd8c36d 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -8,6 +8,7 @@ type=stream peer=(addr="@/tmp/ibus/dbus-????????"), + #aa:lint ignore=tunables # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) 
@@ -15,11 +16,10 @@ # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), unix (connect, receive, send) type=stream - peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore - + peer=(addr="@/home/*/.cache/ibus/dbus-????????"), unix (connect, send, receive, accept, bind, listen) type=stream - addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore + addr="@/home/*/.cache/ibus/dbus-????????", dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 2e4a44c4e..3bab1b134 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -99,10 +99,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /.fscrypt/protectors/ r, owner /.fscrypt/protectors/@{hex16} r, + #aa:lint ignore=tunables /home/ r, - /home/.fscrypt/policies/ r, #aa:lint ignore - owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore - owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore + /home/.fscrypt/policies/ r, + owner /home/.fscrypt/policies/@{hex32} r, + owner /home/.fscrypt/protectors/@{hex16}.link r, owner @{HOME}/.pam_environment r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c57f7a9f8..44d9f64a0 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -73,7 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, - @{bin}/runc rUx, #aa:lint ignore + @{bin}/runc rUx, #aa:lint ignore=sbin @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 04a1d8f57..314975208 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo 
@@ -13,9 +13,9 @@ profile hwinfo @{exec_path} { include capability net_raw, # Needed for network related options - capability sys_admin, # Needed for @{PROC}/ioports + capability sys_admin, # Needed for /proc/ioports capability sys_rawio, # Needed for disk related options - capability syslog, # Needed for @{PROC}/kmsg + capability syslog, # Needed for /proc/kmsg network inet dgram, network inet6 dgram, diff --git a/tests/check.sh b/tests/check.sh index e345bb14c..e593b352a 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -12,6 +12,7 @@ RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) declare WITH_CHECK +declare _check_is_disabled readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } @@ -39,7 +40,17 @@ _in_array() { } _is_enabled() { - _in_array "$1" "${WITH_CHECK[@]}" + local check="$1" + if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ ${#_check_is_disabled[@]} -eq 0 ]]; then + return 0 + fi + if _in_array "$check" "${_check_is_disabled[@]}"; then + return 1 + fi + return 0 + fi + return 1 } _wait() { 
@@ -51,13 +62,34 @@ _wait() { fi } +_IGNORE_LINT_BLOCK=false readonly _IGNORE_LINT="#aa:lint ignore" _ignore_lint() { - local line="$1" - if [[ "$line" == *"$_IGNORE_LINT"* ]]; then + local checks line="$1" + + if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then + # Start of an ignore block + _IGNORE_LINT_BLOCK=true + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then + # New paragraph, end of block + _IGNORE_LINT_BLOCK=false + _check_is_disabled=() + + elif [[ $_IGNORE_LINT_BLOCK == true ]]; then + # Nothing to do, we are in a block return 0 + + elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then + # Inline ignore + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + else + _check_is_disabled=() fi - return 1 } _check() { @@ -66,9 +98,7 @@ _check() { while IFS= read -r line; do line_number=$((line_number + 1)) - if _ignore_lint "$line"; then - continue - fi + _ignore_lint "$line" # Style check if [[ $line_number -lt 10 ]]; then @@ -79,8 +109,11 @@ _check() { _check_indentation _check_vim - # The following checks do not apply to comment lines + # The following checks do not apply to commented lines [[ "$line" =~ ^[[:space:]]*# ]] && continue + if [[ "$line" =~ ,[[:space:]]*# ]]; then + line="${line%%#*}" + fi # Rules checks _check_abstractions @@ -89,7 +122,7 @@ _check() { _check_too_wide _check_transition _check_useless - _check_variables + _check_tunables # Guidelines check _check_abi @@ -227,7 +260,7 @@ _check_useless() { done } -declare -A VARIABLES_MISSING=( +declare -A TUNABLES=( # User variables ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" 
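Review bot: The ignore block opened in `_ignore_lint` is closed only by a blank line, so a `#aa:lint ignore=…` paragraph that runs straight into the closing `}` of a profile, or to end of file, leaves `_IGNORE_LINT_BLOCK=true` and `_check_is_disabled` populated for every later line, and nothing resets that state when `_check` starts a new file if several files are processed in one shell. Suggest resetting both at the top of `_check` (`_IGNORE_LINT_BLOCK=false; _check_is_disabled=()`) and treating a line matching `^[[:space:]]*}` as an end of block alongside the blank-line case. The `_check` function itself continues outside this hunk, so the reset belongs at its first statement.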
@@ -260,14 +293,14 @@ declare -A VARIABLES_MISSING=( ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" ) -_check_variables() { - _is_enabled variables || return 0 - for pattern in "${!VARIABLES_MISSING[@]}"; do +_check_tunables() { + _is_enabled tunables || return 0 + for pattern in "${!TUNABLES[@]}"; do rpattern="$pattern" [[ "$rpattern" == /* ]] && rpattern=" $rpattern" if [[ "$line" =~ $rpattern ]]; then match="${BASH_REMATCH[0]}" - _err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match" + _err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" fi done } @@ -452,7 +485,7 @@ check_sbin() { for name in "${sbin[@]}"; do ( mapfile -t files < <( - grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT)" apparmor.d | + grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT=sbin)" apparmor.d | cut -d: -f1,2 ) for file in "${files[@]}"; do @@ -488,7 +521,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition variables + abstractions directory_mark equivalent useless transition tunables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -508,7 +541,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide variables + abstractions directory_mark equivalent too_wide tunables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do 
@@ -529,7 +562,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide variables + abstractions directory_mark equivalent too_wide tunables header tabs trailing indentation vim ) for file in "${files[@]}"; do From da4f5f8a2c569714011c3996a60e814dbd21e001 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 22:31:57 +0200 Subject: [PATCH 637/672] fix(profile): lspci as root needs sys_admin. Raised by CI. --- apparmor.d/groups/utils/lspci | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 0ae22a03a..63a2d50ab 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,6 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability sys_admin, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, From 1d3b58f15ca1bdc7d107fda7950ff32c29d1dc07 Mon Sep 17 00:00:00 2001 
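Review bot: The new `capability sys_admin,` in the lspci profile carries no justification, unlike the sibling hwinfo profile where each capability states what it is for (`capability sys_admin, # Needed for /proc/ioports`). CAP_SYS_ADMIN is the broadest capability AppArmor can grant, so a reader should be able to tell whether it is still required; as far as I can tell it is needed because sysfs only exposes PCI config space beyond the first 64 bytes to CAP_SYS_ADMIN, which is what the `sudo lspci` case added to the bats test exercises, but confirm this against the CI denial. Suggest `capability sys_admin, # Needed to read the full PCI config space from /sys/bus/pci/devices/*/config`.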
From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:15:52 +0200 Subject: [PATCH 638/672] tests(check): enable and enfore more checks. --- apparmor.d/abstractions/common/app | 4 +- apparmor.d/groups/apt/deb-systemd-invoke | 2 +- apparmor.d/groups/apt/debsums | 2 +- apparmor.d/groups/apt/dpkg | 3 +- apparmor.d/groups/apt/dpkg-divert | 1 + apparmor.d/groups/apt/dpkg-scripts | 2 + apparmor.d/groups/filesystem/btrfs | 4 +- apparmor.d/groups/filesystem/udisksd | 4 +- apparmor.d/groups/gnome/gdm-generate-config | 13 +++- apparmor.d/groups/gnome/nautilus | 3 +- apparmor.d/groups/grub/grub-editenv | 2 +- apparmor.d/groups/grub/grub-install | 12 ++-- apparmor.d/groups/grub/grub-mkconfig | 4 +- apparmor.d/groups/grub/grub-mkrelpath | 4 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/grub/grub-probe | 6 +- apparmor.d/groups/grub/grub-script-check | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/kioworker | 2 +- apparmor.d/groups/pacman/mkinitcpio | 6 +- apparmor.d/groups/pacman/pacdiff | 2 +- apparmor.d/groups/pacman/pacman | 3 +- .../groups/pacman/pacman-hook-mkinitcpio | 10 +-- .../pacman/pacman-hook-mkinitcpio-remove | 6 +- apparmor.d/groups/snap/snap-update-ns | 2 +- apparmor.d/groups/snap/snapd | 4 +- .../systemd-generator-gpt-auto | 3 +- .../systemd-service/grub-common.service | 4 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/utils/fsck | 2 +- apparmor.d/groups/utils/fstrim | 3 +- apparmor.d/groups/xfce/thunar | 2 +- apparmor.d/profiles-a-f/baobab | 2 +- apparmor.d/profiles-a-f/deluser | 1 + apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-a-f/dlocate | 2 +- apparmor.d/profiles-a-f/etckeeper | 1 + apparmor.d/profiles-g-l/gpartedbin | 4 +- apparmor.d/profiles-g-l/initd-kexec-load | 2 +- apparmor.d/profiles-g-l/ioping | 2 +- .../profiles-g-l/kconfig-hardened-check | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-g-l/kernel-install | 15 ++--- apparmor.d/profiles-g-l/kexec | 2 +- 
apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-g-l/linux-version | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 6 +- .../needrestart-iucode-scan-versions | 6 +- .../needrestart-vmlinuz-get-version | 5 +- apparmor.d/profiles-m-r/os-prober | 6 +- apparmor.d/profiles-m-r/packagekitd | 3 +- .../profiles-s-z/spectre-meltdown-checker | 6 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/unmkinitramfs | 4 +- apparmor.d/profiles-s-z/update-initramfs | 6 +- apparmor.d/profiles-s-z/updatedb-mlocate | 6 +- tests/check.sh | 64 ++++++++++--------- 57 files changed, 148 insertions(+), 130 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 14106ad81..74c82f92a 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,10 +56,10 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide owner @{user_games_dirs}/** rmix, - #aa:lint ignore=too_wide + #aa:lint ignore=too-wide owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 0994006da..d2e9e9260 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -20,7 +20,7 @@ profile deb-systemd-invoke @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/systemctl rix, + @{bin}/systemctl rix, #aa:lint ignore=transition @{bin}/systemd-tty-ask-password-agent Px, include if exists diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 6f66426ec..8c0087770 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums 
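Review bot: The marker in the common/app hunk is renamed from `#aa:lint ignore=too_wide` to `#aa:lint ignore=too-wide`, but the check is registered as `too_wide` in the `WITH_CHECK` arrays and `_is_enabled` compares names literally, so the hyphenated form silences nothing unless `tests/check.sh` in this same commit (listed in the diffstat, hunk not visible here) renames the identifier to match. Worth a quick grep for `too_wide` after applying; the `tunables` and `transition` names used by the other hunks already match their check identifiers.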
@@ -37,7 +37,7 @@ profile debsums @{exec_path} { /etc/{,**} r, /var/lib/{,**} r, /opt/{,**} r, - /boot/{,**} r, + @{efi}/{,**} r, /lib*/{,**} r, include if exists diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 53bebdccf..2c1ac1ce5 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -43,10 +43,11 @@ profile dpkg @{exec_path} { # For shell pwd /root/ r, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index 6712b8b7c..e2d386804 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -22,6 +22,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + #aa:lint ignore=too-wide /etc/** rw, include if exists diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index b262040f7..da5da33a1 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -56,6 +56,7 @@ profile dpkg-scripts @{exec_path} { /etc/** PUx, /usr/share/** PUx, + #aa:lint ignore=too-wide # Maintainer's scripts can update a lot of files / r, /*/ r, @@ -65,6 +66,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/** w, /opt/*/** rw, + #aa:lint ignore=too-wide /etc/ r, /etc/** rw, /usr/share/*/{,**} rw, diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/groups/filesystem/btrfs index 82742fd4a..40149588d 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -25,8 +25,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { / r, /.snapshots/ r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, /opt/ r, /root/ r, 
diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index ab3813973..2ff82f5e4 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -49,7 +49,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, - mount fstype=vfat -> /boot/efi/, + mount fstype=vfat -> @{efi}/, # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, @@ -59,7 +59,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, - umount /boot/efi/, + umount @{efi}/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 359eeb75f..7240ffaef 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rix, - @{bin}/pkill rix, + @{bin}/pgrep rCx -> pgrep, + @{bin}/pkill rCx -> pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -48,6 +48,15 @@ profile gdm-generate-config @{exec_path} { @{PROC}/tty/drivers r, @{PROC}/uptime r, + profile pgrep { + include + include + + @{bin}/pkill mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index ebf975673..fc9b923d8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -81,6 +81,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /var/cache/fontconfig/ rw, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, 
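Review bot: Changing `mount fstype=vfat -> /boot/efi/` to `-> @{efi}/` in udisksd widens the set of directories a vfat filesystem may be mounted on to every value of `@{efi}`; since the rest of this commit substitutes `@{efi}` for plain `/boot/`, the tunable presumably now lists `/boot/` and possibly `/efi/` too, so udisksd gains the right to mount a removable vfat volume over `/boot/` itself. If that is not intended, keep the ESP-specific target here (`mount fstype=vfat -> /boot/efi/, #aa:lint ignore=tunables`, or a narrower tunable for the ESP alone) and reserve the generic substitution for read rules.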
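Review bot: The new `pgrep` child profile in gdm-generate-config only allows `@{bin}/pkill mr,`, yet both `@{bin}/pgrep rCx -> pgrep` and `@{bin}/pkill rCx -> pgrep` transition into it; unless pgrep is a link to the same binary on the target distributions, the pgrep transition will be followed by a denied mmap of its own executable. Add `@{bin}/pgrep mr,` next to the pkill line. The two `include` targets in the child are not readable in this rendering, so I cannot tell whether process-listing access (`@{PROC}/@{pids}/…`) is covered; if it is not, both tools will need those reads as well.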
@@ -97,7 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{tmp}/** rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 6bdc7362a..29f9bf8f7 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, - /boot/grub/grubenv rw, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 6c45cac39..e3ed75334 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -30,12 +30,12 @@ profile grub-install @{exec_path} flags=(complain) { /etc/default/grub.d/{,**} r, /etc/default/grub r, - /boot/efi/ r, - /boot/EFI/*/grubx*.efi rw, - /boot/efi/EFI/ r, - /boot/efi/EFI/BOOT/{,**} rw, - /boot/efi/EFI/ubuntu/* w, - /boot/grub/{,**} rw, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/*/grubx*.efi rw, + @{efi}/EFI/BOOT/{,**} rw, + @{efi}/EFI/ubuntu/* w, + @{efi}/grub/{,**} rw, @{sys}/devices/**/hid r, @{sys}/devices/**/path r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 1b5d26125..c081d53c3 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -81,8 +81,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /.zfs/snapshot/*/etc/fstab r, /.zfs/snapshot/*/etc/machine-id r, - /boot/{,**} r, - /boot/grub/{,**} rw, + @{efi}/{,**} r, + @{efi}/grub/{,**} rw, /tmp/grub-*.@{rand10}/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index a60a6aaba..789f68287 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath 
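Review bot: Replacing `/boot/grub/grubenv` with `@{efi}/grub/grubenv` in grub-editenv is only equivalent if `@{efi}` expands to `/boot/` as well as the ESP mount points; on BIOS installs and on many EFI installs grubenv lives under `/boot/grub/`, not on the ESP. The mkinitcpio rules touched later in this commit (`@{efi}/EFI/{,**}` next to the removed `/boot/initramfs-*.img*`) suggest the two were treated as distinct before, so the tunable definition should be checked as part of this change; if it is ESP-only, grub-editenv, grub-script-check and grub-multi-install lose access to their real files. Either make `@{efi}` include `/boot/` explicitly, or keep `/boot/grub/grubenv rw, #aa:lint ignore=tunables` here.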
@@ -21,8 +21,8 @@ profile grub-mkrelpath @{exec_path} { / r, /usr/share/grub/* r, - /boot/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/themes/{,**} r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index e671d32fb..d900ec2f6 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -29,7 +29,7 @@ profile grub-multi-install @{exec_path} { @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, - /boot/grub/grub.cfg rw, + @{efi}/grub/grub.cfg rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index e1037c6b7..017083eaf 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -26,9 +26,9 @@ profile grub-probe @{exec_path} { /usr/share/grub/* r, / r, - /boot/ r, - /boot/grub/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/ r, + @{efi}/grub/themes/{,**} r, @{PROC}/@{pids}/mountinfo r, @{PROC}/devices r, diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index 93b344cf8..9961a778e 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} { @{exec_path} mr, - /boot/grub/grub* rw, + @{efi}/grub/grub* rw, include if exists } diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index eebade917..2ed232f85 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -68,7 +68,7 @@ profile dolphin @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, 
diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 61e910c88..a5f867378 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -67,7 +67,7 @@ profile kioworker @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 1f1fc66eb..165b42c02 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -82,10 +82,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, @{efi}/ r, - @{efi}/EFI/{,**} rw, @{efi}/@{hex32}/{,**} rw, - /boot/initramfs-*.img* rw, - /boot/vmlinuz-* r, + @{efi}/EFI/{,**} rw, + @{efi}/initramfs-*.img* rw, + @{efi}/vmlinuz-* r, /usr/share/systemd/bootctl/** r, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 64a813bf4..497386125 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -38,7 +38,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { # packages files / r, - /boot/{,**} r, + @{efi}/{,**} r, /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 01543d63f..427ac0141 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -116,9 +116,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /**/ r, # Install/update packages + #aa:lint ignore=too-wide / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 68c958f4b..48ce25ab2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio 
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -36,11 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.d/*.preset{,.pacsave} rw, / r, - /boot/ r, - /{boot,efi}/EFI/boot/boot*.efi rw, - /boot/initramfs-*-fallback.img rw, - /boot/initramfs-*.img rw, - /boot/vmlinuz-* rw, + @{efi}/ r, + @{efi}/EFI/boot/boot*.efi rw, + @{efi}/initramfs-*-fallback.img rw, + @{efi}/initramfs-*.img rw, + @{efi}/vmlinuz-* rw, /dev/tty rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index d30cf1342..6378ca991 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /usr/share/mkinitcpio/*.preset r, /etc/mkinitcpio.d/*.preset rw, - /boot/vmlinuz-* rw, - /boot/initramfs-*.img rw, - /boot/initramfs-*-fallback.img rw, + @{efi}/vmlinuz-* rw, + @{efi}/initramfs-*.img rw, + @{efi}/initramfs-*-fallback.img rw, /dev/tty rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 8628aa716..5d7c18d59 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -18,7 +18,7 @@ profile snap-update-ns @{exec_path} { network netlink raw, - mount -> /boot/, + mount -> @{efi}/, mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 5f0885693..0f975b3b0 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -133,8 +133,8 @@ profile snapd @{exec_path} { /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, - /boot/ r, - /boot/grub/grubenv r, + @{efi}/ r, + @{efi}/grub/grubenv r, / r, /home/ r, 
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 0d6c09c6b..4bf0092d0 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -17,8 +17,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, / r, - /boot/ r, - /efi/ r, + @{efi}/ r, /etc/fstab r, /usr/ r, diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service index f8cf34f25..fc4de5edc 100644 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -19,8 +19,8 @@ profile grub-common.service { @{bin}/mkdir ix, @{bin}/rm ix, - /boot/grub/ w, - /boot/grub/grubenv rw, + @{efi}/grub/ w, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d69e7a4c4..bcdcf108d 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -63,7 +63,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /etc/ubuntu-advantage/uaclient.conf r, /etc/update-manager/{,**} r, - /boot/ r, + @{efi}/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/groups/utils/fsck index 40694aff9..e2537b21c 100644 --- a/apparmor.d/groups/utils/fsck +++ b/apparmor.d/groups/utils/fsck @@ -26,7 +26,7 @@ profile fsck @{exec_path} flags=(attach_disconnected) { # When a mount dir is passed to fsck as an argument. @{HOME}/ r, @{MOUNTS}/ r, - /boot/ r, + @{efi}/ r, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index 250794671..87bd7fad5 100644 --- a/apparmor.d/groups/utils/fstrim 
+++ b/apparmor.d/groups/utils/fstrim @@ -22,8 +22,7 @@ profile fstrim @{exec_path} flags=(attach_disconnected) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, / r, - /boot/ r, - /boot/efi/ r, + @{efi}/ r, /var/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index bab16bca7..2fcd83048 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -58,7 +58,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 1f9f14dc1..cd1e7563f 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -23,7 +23,7 @@ profile baobab @{exec_path} { / r, /** r, - deny /boot/{,**} r, + deny @{efi}/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 3505126ad..3f749a24b 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -31,6 +31,7 @@ profile deluser @{exec_path} { owner /etc/shadow r, + #aa:lint ignore=too-wide # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # that's going to be deleted. Basically it scans all the files in the system in each dir and look # for matches. This also includes files required by the "--remove-home" flag as well as the diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 7c594c900..4a2178322 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -117,7 +117,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko* r, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/tmp.@{rand10} r, 
diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index 9f78af639..f7d1e915e 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -55,7 +55,7 @@ profile dlocate @{exec_path} { @{bin}/md5sum mr, # For the md5 check - /boot/** r, + @{efi}/** r, /usr/** r, include if exists diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 023d13b47..5c4108094 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -48,6 +48,7 @@ profile etckeeper @{exec_path} { /etc/etckeeper/*.d/* rix, /etc/etckeeper/daily rix, + #aa:lint ignore=too-wide /etc/ rw, /etc/** rwkl -> /etc/**, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 235d0cadc..35dc03584 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -92,7 +92,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*@{int} -> /boot/, + mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @@ -108,7 +108,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { umount /tmp/gparted-*/, - umount /boot/, + umount @{efi}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index b5bf58ff2..522d003f3 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} { @{sys}/kernel/kexec_loaded r, - owner /boot/grub/{grub.cfg,grubenv} r, + owner @{efi}/grub/{grub.cfg,grubenv} r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 1ff3615f1..0cb507e36 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping 
@@ -35,7 +35,7 @@ profile ioping @{exec_path} { /bin/* r, /sbin/* r, /etc/** r, - /boot/** r, + @{efi}/** r, /opt/** r, /var/** r, @{MOUNTS}/** r, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 264e49ebc..947cfabd1 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -19,7 +19,7 @@ profile kconfig-hardened-check @{exec_path} { # The usual kernel config locations - /boot/config-* r, + @{efi}/config-* r, @{PROC}/config.gz r, # This is for kernels, which are built manually diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index b718f7d18..41098ab4b 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -52,7 +52,7 @@ profile kernel @{exec_path} { # For shell pwd / r, - /boot/ r, + @{efi}/ r, /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index bd1438f96..dede5da41 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -44,15 +44,12 @@ profile kernel-install @{exec_path} { / r, - @{efi}/@{hex32}/** rw, - @{efi}/loader/entries.srel r, - - owner /boot/{vmlinuz,initrd.img}-* r, - owner /boot/[a-f0-9]*/*/ rw, - owner /boot/[a-f0-9]*/*/{linux,initrd} w, - owner /boot/loader/ rw, - owner /boot/loader/entries/ rw, - owner /boot/loader/entries/*.conf w, + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, + owner @{efi}/{vmlinuz,initrd.img}-* r, + owner @{efi}/loader/ rw, + owner @{efi}/loader/entries/ rw, + owner @{efi}/loader/entries/*.conf w, owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index d1e142a13..09c414430 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec 
@@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) { @{exec_path} mr, - owner /boot/{initrd.img,vmlinuz}-* r, + owner @{efi}/{initrd.img,vmlinuz}-* r, @{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/@{int}/{start,end,type} r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 5099c53f3..1d67b5678 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -44,7 +44,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index a95647712..c718b6495 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version @@ -15,7 +15,7 @@ profile linux-version @{exec_path} { @{exec_path} r, - /boot/ r, + @{efi}/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 7d1394e2a..42489117e 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -87,9 +87,9 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, - /boot/ r, - owner /boot/config-* r, - owner /boot/initrd.img-*.new rw, + @{efi}/ r, + owner @{efi}/config-* r, + owner @{efi}/initrd.img-*.new rw, owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initrd.* rw, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3c1c32093..3c826cd74 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions 
@@ -26,9 +26,9 @@ profile needrestart-iucode-scan-versions @{exec_path} { /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/amd-ucode.img r, - /boot/intel-ucode.img r, - /boot/early_ucode.cpio r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/early_ucode.cpio r, @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 4474c1bfc..3828f9228 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -26,8 +26,9 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/which{,.debianutils} rPx, @{bin}/xz rix, - /boot/intel-ucode.img r, - /boot/vmlinuz* r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/vmlinuz* r, owner @{tmp}/tmp.@{rand10} rw, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index da853aa9a..f9e5b2058 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -63,9 +63,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, / r, - /boot/{efi/,} r, - /boot/{efi/,}EFI/ r, - /boot/{efi/,}EFI/**/ r, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 873b4ef7d..9de9cadf9 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -74,10 +74,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, 
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index 5277dcc1e..6e5af1288 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -89,8 +89,10 @@ profile spectre-meltdown-checker @{exec_path} { owner /dev/cpu/@{int}/msr rw, owner /dev/kmsg r, - /boot/ r, - /boot/{config,vmlinuz,System.map}-* r, + @{efi}/ r, + @{efi}/config r, + @{efi}/System.map-* r, + @{efi}/vmlinuz-* r, @{sys}/devices/system/cpu/vulnerabilities/* r, @{sys}/module/kvm_intel/parameters/ept r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 59f2d40aa..47826d336 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -44,7 +44,7 @@ profile ucf @{exec_path} { /usr/share/** r, # For writing new config files - /etc/** rw, + /etc/** rw, #aa:lint ignore=too-wide # For shell pwd / r, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 3ee530970..2d641f994 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -31,8 +31,8 @@ profile unmkinitramfs @{exec_path} { @{bin}/rm rix, @{bin}/xzcat rix, - /boot/ r, - owner /boot/initrd.img-* r, + @{efi}/ r, + owner @{efi}/initrd.img-* r, /tmp/ r, owner @{tmp}/initrd.img-* r, /mnt/ r, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 472de3343..50f11caea 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -50,9 +50,9 @@ profile update-initramfs @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /boot/ r, - owner /boot/initrd.img-* rw, - owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, + owner @{efi}/ r, + owner @{efi}/initrd.img-* rw, + owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*, include if exists } 
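Review bot: `@{efi}/config r,` does not match the kernel config files the old rule `/boot/{config,vmlinuz,System.map}-* r,` covered: the `-*` suffix was dropped only for this entry, so reads of `/boot/config-<version>` will be denied while `vmlinuz-*` and `System.map-*` kept theirs. It should read `@{efi}/config-* r,`.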
diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index a9c77b5c2..518a8d7df 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -24,8 +24,8 @@ profile updatedb-mlocate @{exec_path} { # For shell pwd / r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, @{HOME}/ r, @@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} { /srv/**/ r, # Silence the noise - deny /efi/ r, + deny @{efi}/ r, deny /hugepages/ r, deny /lost+found/ r, deny /mnt/ r, diff --git a/tests/check.sh b/tests/check.sh index e593b352a..c2e954834 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -17,14 +17,14 @@ readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { - local type="$1" file="$2" + local name="$1" file="$2" shift 2 - printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" } _err() { - local type="$1" file="$2" + local name="$1" file="$2" shift 2 - printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" echo "true" >"$RES" } 
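Review bot: In the second hunk `deny /efi/ r,` becomes `deny @{efi}/ r,`, which now collides with the `@{efi}/ r,` allow added in the first hunk; an explicit deny takes precedence over an allow for the same path in AppArmor, so updatedb loses the read access to `/boot/` that the old `/boot/ r,` rule granted. Since the directory is now explicitly allowed, the deny should be dropped rather than rewritten; a literal `deny /efi/ r,` would restore the old behaviour but is what the new tunables check in check.sh flags.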
@@ -160,24 +160,24 @@ _check_abstractions() { local absname for absname in "${ABS_DANGEROUS[@]}"; do if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" fi done for absname in "${!ABS_DEPRECATED[@]}"; do if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" fi done } readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') _check_directory_mark() { - _is_enabled directory_mark || return 0 + _is_enabled directory-mark || return 0 for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then - _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi fi done @@ -195,7 +195,7 @@ _check_equivalent() { for prgmname in "${!EQUIVALENTS[@]}"; do if [[ "$line" == *"/$prgmname "* ]]; then if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then - _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" fi fi done 
@@ -203,10 +203,10 @@ _check_equivalent() { readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') _check_too_wide() { - _is_enabled too_wide || return 0 + _is_enabled too-wide || return 0 for pattern in "${TOOWIDE[@]}"; do if [[ "$line" == *" $pattern "* ]]; then - _err security "$file:$line_number" "rule too wide: '$pattern'" + _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" fi done } @@ -227,19 +227,19 @@ _check_transition() { _is_enabled transition || return 0 for prgmname in "${!TRANSITION_MUST_CI[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then - _err security "$file:$line_number" \ + _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_PC[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then - _err security "$file:$line_number" \ + _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_C[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then - _warn security "$file:$line_number" \ + _warn transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" fi done @@ -255,7 +255,7 @@ _check_useless() { _is_enabled useless || return 0 for rule in "${!USELESS[@]}"; do if [[ "$line" == *"${USELESS[$rule]}"* ]]; then - _err issue "$file:$line_number" "rule already included in the base abstraction, remove it" + _err useless "$file:$line_number" "rule already included in the base abstraction, remove it" fi done } 
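Review bot: `_check_too_wide` is demoted from `_err` to `_warn`, and `_warn` does not write `true` to `$RES`, so overly broad rules no longer fail the run at the same moment the check is switched on for profiles via the `WITH_CHECK` lists further down. If the reason is the `#aa:lint ignore=too-wide` annotations this commit adds to the profiles, the per-line ignore handling is not visible here; keeping `_err` and relying on the ignore marker would preserve the CI gate for the cases nobody has reviewed. Either way a comment above the function stating the intent would help, e.g. `# Warn only: wide rules are expected in package managers and are opted out per rule with '#aa:lint ignore=too-wide'`.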
@@ -279,6 +279,8 @@ declare -A TUNABLES=( ["(x86_64|amd64|i386|i686)"]='@{arch}' ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' ["/usr/etc/"]='@{etc_ro}/' + ["/boot/(|efi/)"]="@{efi}/" + ["/efi/"]="@{efi}/" ["/var/run/"]='@{run}/' ["/run/"]='@{run}/' ["user/[0-9]*/"]='user/@{uid}/' @@ -300,7 +302,7 @@ _check_tunables() { [[ "$rpattern" == /* ]] && rpattern=" $rpattern" if [[ "$line" =~ $rpattern ]]; then match="${BASH_REMATCH[0]}" - _err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" + _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" fi done } @@ -318,7 +320,7 @@ _check_abi() { _res_abi() { _is_enabled abi || return 0 if ! $RES_ABI; then - _err guideline "$file" "missing 'abi ,'" + _err abi "$file" "missing 'abi ,'" fi } @@ -332,7 +334,7 @@ _check_include() { _res_include() { _is_enabled include || return 0 if ! $RES_INCLUDE; then - _err guideline "$file" "missing '$include'" + _err include "$file" "missing '$include'" fi } @@ -346,7 +348,7 @@ _check_profile() { _res_profile() { _is_enabled profile || return 0 if ! $RES_PROFILE; then - _err guideline "$file" "missing profile name: 'profile $name'" + _err profile "$file" "missing profile name: 'profile $name'" fi } @@ -373,21 +375,21 @@ _res_header() { if ${_RES_HEADER[$idx]}; then continue fi - _err style "$file" "missing header: '${HEADERS[$idx]}'" + _err header "$file" "missing header: '${HEADERS[$idx]}'" done } _check_tabs() { _is_enabled tabs || return 0 if [[ "$line" =~ $'\t' ]]; then - _err style "$file:$line_number" "tabs are not allowed" + _err tabs "$file:$line_number" "tabs are not allowed" fi } _check_trailing() { _is_enabled trailing || return 0 if [[ "$line" =~ [[:space:]]+$ ]]; then - _err style "$file:$line_number" "line has trailing whitespace" + _err trailing "$file:$line_number" "line has trailing whitespace" fi } 
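Review bot: The two new `TUNABLES` entries use double-quoted values where every neighbouring entry uses single quotes, and `/boot/(|efi/)` relies on an empty alternative, which POSIX ERE leaves undefined (glibc happens to accept it). `["/boot/(efi/)?"]='@{efi}/'` and `["/efi/"]='@{efi}/'` express the same match in portable form and in the surrounding style.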
@@ -404,7 +406,7 @@ _check_indentation() { local leading_spaces="${line%%[! ]*}" local num_spaces=${#leading_spaces} if ((num_spaces != 2)); then - _err style "$file:$line_number" "profile must have a two-space indentation" + _err indentation "$file:$line_number" "profile must have a two-space indentation" fi _CHECK_FIRST_LINE_AFTER_PROFILE=false @@ -426,7 +428,7 @@ _check_indentation() { done if ! $ok; then - _err style "$file:$line_number" "invalid indentation" + _err indentation "$file:$line_number" "invalid indentation" fi fi fi @@ -457,7 +459,7 @@ _res_subprofiles() { if [[ $msg == true ]]; then continue fi - _err guideline "$file" "$msg" + _err subprofiles "$file" "$msg" done } @@ -472,7 +474,7 @@ _check_vim() { _res_vim() { _is_enabled vim || return 0 if ! $RES_VIM; then - _err style "$file" "missing vim syntax: '$VIM_SYNTAX'" + _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } @@ -489,7 +491,7 @@ check_sbin() { cut -d: -f1,2 ) for file in "${files[@]}"; do - _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" + _err sbin "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done ) & _wait jobs @@ -504,7 +506,7 @@ check_sbin() { while read -r match; do name="${match/\@\{sbin\}\//}" if ! _in_array "$name" "${sbin[@]}"; then - _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" + _err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & @@ -521,7 +523,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition tunables + abstractions directory-mark equivalent too-wide useless transition tunables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do 
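Review bot: The category in `_err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list"` looks like a slip: the sibling finding a few lines above in the same `check_sbin` is reported as `_err sbin`, and elsewhere in this commit the category is used as the check's name (`_is_enabled too-wide`, `_is_enabled directory-mark`), so the two halves of one check should share it. `_err sbin "$file" "contains '@{sbin}/$name' but it is not in sbin.list"` keeps the naming consistent.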
@@ -541,7 +543,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide tunables + abstractions directory-mark equivalent too-wide tunables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -562,7 +564,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide tunables + abstractions directory-mark equivalent too-wide tunables header tabs trailing indentation vim ) for file in "${files[@]}"; do From 540cbc1ae9640b19663a3868dad1ec9e23d75108 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:18:59 +0200 Subject: [PATCH 639/672] fix(tests): ignore some failed command. --- tests/integration/utils/chsh.bats | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/integration/utils/chsh.bats b/tests/integration/utils/chsh.bats index ccdadc6e3..a23799def 100644 --- a/tests/integration/utils/chsh.bats +++ b/tests/integration/utils/chsh.bats @@ -10,10 +10,10 @@ load ../common } @test "chsh: Set a specific login shell for the current user" { - echo "$PASSWORD" | chsh --shell /usr/bin/bash + echo "$PASSWORD" | chsh --shell /usr/bin/bash || true } # bats test_tags=chsh @test "chsh: Set a login shell for a specific user" { - sudo chsh --shell /usr/bin/sh root + sudo chsh --shell /usr/bin/sh root || true } From 7e7fd83ed6cd3a6f142ccbccf91a45717fde4281 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:40:28 +0200 Subject: [PATCH 640/672] chore: Justfile costemic --- Justfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Justfile b/Justfile index e640a5a98..ffed74ef5 100644 --- a/Justfile +++ b/Justfile 
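Review bot: Appending `|| true` to both `chsh` invocations makes the tests pass regardless of outcome, so an AppArmor denial of chsh, the very thing these integration tests exist to surface, is no longer visible; the same applies to the three `hwclock` cases in patch 641 below. If the commands legitimately fail in the test VM, a `run` with an assertion on `$status` or `$output` that distinguishes the expected failure from a permission error, or a `skip` with the reason, keeps the signal. At minimum the line deserves a comment explaining why the failure is tolerated, e.g. `# expected to fail in the CI VM (no usable password); kept only to exercise the profile`.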
@@ -52,7 +52,7 @@ prefix := "aa-" [doc('Show this help message')] help: @just --list --unsorted - @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." + @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." [group('build')] [doc('Build the go programs')] @@ -213,7 +213,7 @@ package dist: if [[ $dist =~ ubuntu([0-9]+) ]]; then version="${BASH_REMATCH[1]}.04" dist="ubuntu" - elif [[ $dist == debian ]]; then + elif [[ $dist == debian* ]]; then version="trixie" dist="debian" fi @@ -299,7 +299,7 @@ umount dist flavor: [group('vm')] [doc('List the machines')] list: - @echo -e '\033[1m Id Distribution Flavor State\033[0m' + @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' [group('vm')] @@ -309,7 +309,7 @@ images: set -eu -o pipefail ls -lh {{base_dir}} | awk ' BEGIN { - printf("\033[1m%-18s %-10s %-5s %s\033[0m\n", "Distribution", "Flavor", "Size", "Date") + printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") } { if ($9 ~ /^{{prefix}}.*\.qcow2$/) { @@ -326,7 +326,7 @@ available: set -eu -o pipefail ls -lh tests/cloud-init | awk ' BEGIN { - printf("\033[1m%-18s %s\033[0m\n", "Distribution", "Flavor") + printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") } { if ($9 ~ /^.*\.user-data.yml$/) { From af1904118dedfe86991336dbd6996e3db7b80472 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:40:59 +0200 Subject: [PATCH 641/672] fix(tests): ignore some failed command. --- tests/integration/utils/hwclock.bats | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats index 4a1bc0f83..a3dcdc31a 100644 --- a/tests/integration/utils/hwclock.bats +++ b/tests/integration/utils/hwclock.bats 
@@ -6,14 +6,14 @@ load ../common @test "hwclock: Display the current time as reported by the hardware clock" { - sudo hwclock + sudo hwclock || true } @test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - sudo hwclock --systohc + sudo hwclock --systohc || true } @test "hwclock: Write the current hardware clock time to the software clock" { - sudo hwclock --hctosys + sudo hwclock --hctosys || true } From 68c537698110b7481ec9dec6380d08c029d3af4a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Wed, 18 Jun 2025 18:15:31 +0200 Subject: [PATCH 642/672] Stacking firefox-crashhelper DENIED firefox exec @{lib}/firefox/crashhelper -> firefox-crashhelper info="no new privs" comm=firefox requested_mask=x denied_mask=x error=-1 --- apparmor.d/abstractions/app/firefox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 1dd15f9d8..8e25bceb0 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,7 +58,7 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, - @{lib_dirs}/crashhelper rPx, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, From aa72fa1ececf1163ee85ecffeb261de4348de95c Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:15:02 +0200 Subject: [PATCH 643/672] removing firefox-crashhelper from abtraction --- apparmor.d/abstractions/app/firefox | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 8e25bceb0..e63ebf612 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox 
@@ -58,7 +58,6 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, - @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, From 50a12756f8d80422b88c5560b9cf7cc55290d816 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:16:25 +0200 Subject: [PATCH 644/672] Update firefox: stacking firefox-crashhelper --- apparmor.d/groups/browsers/firefox | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index a561954a3..fe8507219 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -26,8 +26,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, From 2a249cfe3494976e6f6bfd3c81ecd41056af1296 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Jul 2025 13:24:57 +0200 Subject: [PATCH 645/672] tests(check): more linting. --- apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/lxqt/startlxqt | 2 -- apparmor.d/groups/snap/snap | 1 - apparmor.d/profiles-g-l/kdump-config | 2 -- apparmor.d/profiles-m-r/needrestart | 1 - tests/check.sh | 12 +++++++++--- 6 files changed, 9 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index acae2d601..25ce44f14 100644 
--- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -57,7 +57,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network unix stream, ptrace read, - ptrace readby peer=pipewire, signal receive set=(term, hup) peer=gdm*, signal send, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index 06967e694..a708e2336 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -54,8 +54,6 @@ profile startlxqt @{exec_path} { owner @{run}/user/@{uid}/ r, - owner @{PROC}/@{pid}/maps r, - /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 562f49dca..425d5cd66 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -86,7 +86,6 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/{,**} r, @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index b6f915024..2bd8ef6b9 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -12,8 +12,6 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability sys_admin, - ptrace readby peer=@{p_systemd_journald}, - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 5a65b40a9..8c908ddb4 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,7 +59,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, diff --git a/tests/check.sh b/tests/check.sh index c2e954834..815f7f07e 100644 --- a/tests/check.sh 
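Review bot: Dropping `ptrace readby peer=pipewire` from gnome-shell and `ptrace readby peer=@{p_systemd_journald}` from kdump-config only preserves behavior if an included abstraction already grants `ptrace readby` to those peers; nothing in these hunks shows that grant, so it is worth confirming against the denial logs before and after. The `@{PROC}/@{pid}/maps r` removals in startlxqt, snap and needrestart rest on the same assumption, since the linter list that drives them (next file in this commit) does not say where the access comes from instead.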
+++ b/tests/check.sh @@ -246,10 +246,16 @@ _check_transition() { } readonly USELESS=( - '@{PROC}/filesystems' '@{PROC}/sys/kernel/cap_last_cap' - '@{PROC}/meminfo' '@{PROC}/stat' '@{PROC}/cpuinfo' - '@{sys}/devices/system/cpu/online' '@{sys}/devices/system/cpu/possible' + 'ptrace readby' '/usr/share/locale/' + '@{sys}/devices/system/cpu/online' + '@{sys}/devices/system/cpu/possible' + '@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size' + '@{PROC}/@{pid}/auxv' '@{PROC}/@{pid}/maps' '@{PROC}/@{pid}/status' '@{PROC}/cpuinfo' + '@{PROC}/filesystems' '@{PROC}/meminfo' '@{PROC}/stat' + '@{PROC}/sys/kernel/cap_last_cap' '@{PROC}/sys/kernel/ngroups_max' + '@{PROC}/sys/kernel/version' '@{PROC}/sys/vm/overcommit_memory' + '/dev/full' '/dev/zero' ) _check_useless() { _is_enabled useless || return 0 From 1b939eaa6f7f4830f587fad42cb4a81aac22332e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Jul 2025 21:28:54 +0200 Subject: [PATCH 646/672] feat(profile): add more test for lspci. --- apparmor.d/groups/utils/lspci | 4 ++++ tests/integration/utils/lspci.bats | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 63a2d50ab..e8ba89298 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,8 +13,12 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats index 848b7ef61..facf379a9 100644 --- a/tests/integration/utils/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -22,6 +22,10 @@ load ../common lspci -s 00:00.0 } +@test "lspci: Query the PCI ID database for unknown ID's via DNS" { + sudo lspci -q +} + @test "lspci: Dump info in a readable form" { lspci -vm } 
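Review bot: The enlarged `USELESS` array carries no hint of why each entry is useless, which makes the linter's verdict hard to audit as the list grows and now mixes rule prefixes such as `'ptrace readby'` with file paths. A header comment such as `# Rules presumably already granted by the base abstractions; flagged so profiles stay minimal. Keep in sync with those abstractions.` would let a maintainer verify an entry before deleting the rule from a profile. `_check_useless` itself begins after the hunk, so whether entries are matched exactly or as substrings is not visible here.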
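Review bot: `network inet dgram`, `network inet6 dgram` and `capability dac_read_search` are added to lspci without a comment, yet only the new `lspci -q` test needs DNS lookups, and `dac_read_search` lets the process bypass DAC read checks on every path the profile already allows. A short comment, e.g. `# -q: queries the PCI ID database over DNS`, would record the reason, and it is worth checking that `dac_read_search` is really required alongside the existing `sys_admin`. The `sudo lspci -q` test also depends on outbound DNS being reachable on the CI host.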
From 06ce77717471ddcfd6e1b3c9527b16cf3ee7f579 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:08:10 +0200 Subject: [PATCH 647/672] fix(ci): ignore whonix pkg while debian13 is not out. --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c07695b25..80dc69c7b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -166,7 +166,7 @@ preprocess-ubuntu: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -preprocess-whonix: +.preprocess-whonix: extends: preprocess-debian dependencies: - whonix From 95ed9d3729ca1603aec5defa297a7e3ebb7fe7bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:50:42 +0200 Subject: [PATCH 648/672] fix: linter issue. --- apparmor.d/profiles-a-f/dkms | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 4a2178322..8d5ff99b6 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -105,7 +105,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{tmp}/tmp.* rw, @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/@{pid}/fd/ r, /dev/pts/@{int} rw, From 1e16b1763a3b79a7c7d764af54c5f98f9407b486 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:52:17 +0200 Subject: [PATCH 649/672] feat(abs): update browser abs. --- apparmor.d/abstractions/app/chromium | 6 ++++-- apparmor.d/abstractions/app/firefox | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index e555d3475..c089d89e5 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium 
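Review bot: Renaming the job to `.preprocess-whonix` disables it with no in-file trace of why or when to re-enable it; the reason lives only in the commit message. A comment on the line, `# TODO: re-enable once debian13 (trixie) is released`, keeps the dependency visible in `.gitlab-ci.yml`.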
@@ -129,9 +129,10 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -141,7 +142,7 @@ owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, + owner @{user_config_dirs}/menus/applications-merged/*.menu rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -159,6 +160,7 @@ owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/scoped_dir@{rand6}/{,**} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/** rwk, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index e63ebf612..85922664b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -21,6 +21,8 @@ include include include + include + include include include include From 62959e7542426d615725d416f3f5498335f962e2 Mon Sep 17 00:00:00 2001 
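Review bot: `owner @{user_config_dirs}/menus/applications-merged/*.menu rw` replaces a read-only rule for the single `xdg-desktop-menu-dummy.menu` file with read/write access to every `.menu` file in that directory, i.e. the browser may now rewrite the user's merged application-menu definitions. If the denial was only xdg-desktop-menu writing its dummy file, `owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw,` keeps the previous scope; otherwise a comment naming which menu files are written would help.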
From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:57:08 +0200 Subject: [PATCH 650/672] feat(profile): some dbus improvement. --- apparmor.d/groups/freedesktop/wireplumber | 3 ++- apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++++- apparmor.d/groups/gnome/gio-launch-desktop | 2 ++ .../groups/gnome/gnome-control-center-search-provider | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gsd-disk-utility-notify | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/localsearch | 9 +++++++++ apparmor.d/profiles-a-f/fwupd | 5 +++++ apparmor.d/profiles-s-z/terminator | 1 + 10 files changed, 28 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index debf19f25..25569cd68 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -9,10 +9,11 @@ include @{exec_path} = @{bin}/wireplumber profile wireplumber @{exec_path} { include - include include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 59a24a3b3..bc975e4ea 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -40,7 +40,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* - peer=(name=:*), + peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=@{busname}), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor 
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 5e013012e..84e8546e2 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,8 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 201abe4b4..51c8f5107 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,6 +10,7 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7cb982ca7..96dd21540 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -32,6 +32,7 @@ profile gnome-extension-gsconnect @{exec_path} { #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + dbus eavesdrop bus=session, @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 6e8ae0d90..00ca93f19 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -14,6 +14,7 @@ profile gsd-disk-utility-notify @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 435d0049e..9fdd96e1a 100644 
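Review bot: `dbus eavesdrop bus=session,` lets gnome-extension-gsconnect observe every message on the session bus (subject to the bus daemon's own policy), not just traffic addressed to it, which is far broader than the `#aa:dbus own` directive above it. If this is for forwarding desktop notifications by monitoring `org.freedesktop.Notifications` traffic, record that with a comment, e.g. `# Notification forwarding: monitors the session bus for Notify calls`, so the grant is not copied elsewhere without its justification. As far as I know eavesdrop rules accept only the bus conditional, so there is no narrower form to suggest.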
--- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -31,7 +31,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 1503ba747..88e2bf327 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -29,6 +29,15 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=nautilus), + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=Query + peer=(name=@{busname}, label=nautilus), + @{exec_path} mr, @{lib}/localsearch-extractor-3 ix, # nnp diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index cf5989227..7d28b3ec3 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -40,6 +40,11 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=bluetoothd), + @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 5c79d0efe..d71ccf802 100644 --- a/apparmor.d/profiles-s-z/terminator 
+++ b/apparmor.d/profiles-s-z/terminator @@ -13,6 +13,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include + include include include include From d57b86769653ae2651533dbc2a1ffe25b119b801 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 19:10:05 +0200 Subject: [PATCH 651/672] chore: cleanup unused alias --- apparmor.d/tunables/multiarch.d/system | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index f1be21e49..eac40a028 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -72,7 +72,4 @@ alias // -> /, -#aa:only apt -alias /usr/bin/which.debianutils -> /usr/bin/which, - # vim:syntax=apparmor From a2f735ebb5cb8de752a6cdfecd6c8665ce2364fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 23:33:47 +0200 Subject: [PATCH 652/672] feat(profile): update gvfs profiles. --- apparmor.d/groups/gvfs/gvfsd | 12 ++++++++++++ apparmor.d/groups/gvfs/gvfsd-admin | 18 ++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-http | 2 ++ 3 files changed, 32 insertions(+) diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c5c4dc3c1..c124c5855 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -37,6 +37,7 @@ profile gvfsd @{exec_path} { @{sh_path} rix, @{lib}/{,gvfs/}gvfsd-* rpx, + @{bin}/pkexec rCx -> pkexec, /usr/share/gvfs/{,**} r, @@ -45,6 +46,17 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + ptrace read peer=gvfsd, + + @{lib}/{,gvfs/}gvfsd-admin rPx, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 7a1584d48..4f845f316 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin 
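Review bot: The new `pkexec` child profile has no rule for its own binary: the transition is `@{bin}/pkexec rCx -> pkexec`, but inside `profile pkexec { ... }` only the two includes (their targets are stripped on this page), `ptrace read peer=gvfsd` and `gvfsd-admin rPx` appear, so unless one of those abstractions supplies `@{bin}/pkexec mr,` pkexec cannot map itself once confined. A comment on the ptrace line would also help a reader: `# pkexec inspects its caller (gvfsd) through /proc`.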
@@ -10,9 +10,27 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setuid, @{exec_path} mr, + /usr/share/mime/mime.cache r, + + @{MOUNTS}/{,**} rw, + + @{run}/mount/utab r, + @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 92d6fbf64..5812c8a6e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -23,6 +23,8 @@ profile gvfsd-http @{exec_path} { network inet6 dgram, network netlink raw, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http dbus receive bus=session interface=org.freedesktop.DBus.Introspectable From e0174ac95e30f56b68e47b1ab0e9b5ad2caa2e95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 6 Aug 2025 17:37:03 +0200 Subject: [PATCH 653/672] feat(profile): merge resolvectl and systemd-resolve. --- apparmor.d/groups/systemd/resolvectl | 10 +++++++-- apparmor.d/groups/systemd/systemd-resolve | 27 ----------------------- dists/flags/main.flags | 1 - 3 files changed, 8 insertions(+), 30 deletions(-) delete mode 100644 apparmor.d/groups/systemd/systemd-resolve diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 1ef3404d9..142d0c9d8 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -7,11 +7,17 @@ abi , include @{exec_path} = @{bin}/resolvectl -profile resolvectl @{exec_path} { +profile resolvectl @{exec_path} flags=(attach_disconnected) { include - include include include + include + + capability net_admin, + + network inet raw, + network inet6 raw, + network netlink raw, signal send set=cont peer=child-pager, 
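Review bot: `capability dac_override`, `dac_read_search`, `chown`, `fowner` and `setuid` together with `@{MOUNTS}/{,**} rw` make gvfsd-admin a near-unrestricted root file agent, which is the backend's purpose (it is reached through pkexec in the previous file) but is not stated in the profile. A comment above the capability block, `# admin:// backend: runs as root via polkit and must access files regardless of DAC`, would document that the scope is intentional. Note also that `@{MOUNTS}/{,**}` covers mounted volumes only, so editing files under `/etc` through `admin://` would presumably still need rules not in this hunk.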
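Review bot: The deleted `systemd-resolve` profile (next file in this commit) attached to both binaries via `@{exec_path} += @{bin}/systemd-resolve`, but the merged `resolvectl` profile keeps `@{exec_path} = @{bin}/resolvectl` alone, so a distribution that ships `systemd-resolve` as a real file rather than a symlink to resolvectl would now run it unconfined. Adding `@{exec_path} += @{bin}/systemd-resolve` under the existing assignment preserves the old attachment. Separately, `capability net_admin` plus `network inet raw` and `network inet6 raw` is a large grant for a resolver control client; a comment naming the subcommand that needs raw sockets would help future review.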
diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve deleted file mode 100644 index f716aa3af..000000000 --- a/apparmor.d/groups/systemd/systemd-resolve +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/resolvectl -@{exec_path} += @{bin}/systemd-resolve -profile systemd-resolve @{exec_path} { - include - - capability mknod, - capability net_admin, - - network netlink raw, - - @{exec_path} mr, - - @{PROC}/ r, - owner @{PROC}/@{pids}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3aeab3192..22e9a1447 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -362,7 +362,6 @@ systemd-network-generator attach_disconnected,complain systemd-nsresourced attach_disconnected,complain systemd-nsresourcework complain systemd-portabled complain -systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain From 3f37b6466860a73c1e006b5ed120fc521e612010 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 6 Aug 2025 17:38:41 +0200 Subject: [PATCH 654/672] feat(profile): cleanup wechat profiles. --- apparmor.d/profiles-s-z/wechat | 16 ++++++------ apparmor.d/profiles-s-z/wechat-appimage | 33 ++++++++++-------------- apparmor.d/profiles-s-z/wechat-universal | 22 ++++++++-------- 3 files changed, 33 insertions(+), 38 deletions(-) mode change 100644 => 100755 apparmor.d/profiles-s-z/wechat-appimage diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index cb554fc6b..5764deb77 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat 
@@ -28,14 +28,14 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{lib_dirs}/crashpad_handler ix, - @{bin}/mkdir ix, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk rPx, - @{bin}/ip rix, - @{bin}/xdg-user-dir rix, - @{open_path} rpx -> child-open-strict, + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/ip rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{open_path} Px -> child-open-strict, owner @{HOME}/.xwechat/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage old mode 100644 new mode 100755 index 9f8c20338..e7eabe6ec --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage 
@@ -33,33 +33,28 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} rix, - @{lib_dirs}/wechat-appimage.AppImage ix, - /tmp/.mount_wechat??????/AppRun ix, - @{bin}/mkdir ix, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk rPx, - @{bin}/ip rix, - @{bin}/xdg-user-dir rix, - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, - @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, - @{open_path} rpx -> child-open-strict, + @{sh_path} rix, + @{bin}/dirname rix, + @{bin}/fusermount{,3} Cx -> fusermount, + @{bin}/{m,g,}awk rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/xdg-user-dir rix, + @{bin}/ip rix, + @{lib_dirs}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, @{bin}/fusermount{,3} Cx -> fusermount, @{bin}/dirname rix, @{bin}/readlink rix, - @{bin}/ r, - @{bin}/*/ r, - /usr/local/bin/ r, - /usr/local/sbin/ r, + @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, + @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, + @{tmp}/.mount_wechat@{word6}/AppRun ix, /etc/machine-id r, - @{tmp}/.mount_wechat@{word6}/AppRun r, - @{tmp}/.mount_wechat@{word6}/ rw, - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr, - @{HOME}/.xwechat/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index cd8958e8e..3824f9526 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal 
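Review bot: After this hunk three rules appear twice: `@{bin}/fusermount{,3} Cx -> fusermount,`, `@{bin}/dirname rix,` and `@{bin}/readlink rix,` are added in the sorted block while the original copies remain as context lines directly below it; the three context lines should go. The hunk also removes `@{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr,` and `@{tmp}/.mount_wechat@{word6}/ rw,` without replacement, so shared libraries under the mounted AppImage lose mmap permission and the mount point directory loses read/write unless an included abstraction covers them — worth confirming with a run. The profile body continues outside the hunk.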
@@ -29,21 +29,21 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{lib}/wechat-universal/common.sh ix, - @{bin}/sed ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/lsblk Px, - @{bin}/bwrap rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} rPx -> child-open-strict, + @{sh_path} rix, + @{bin}/bwrap rix, + @{bin}/ln ix, + @{bin}/lsblk Px, + @{bin}/mkdir ix, + @{bin}/sed ix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{lib}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, /etc/lsb-release r, /etc/machine-id r, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, + owner @{user_documents_dirs}/WeChat_Data/{,**} rwk, owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, From c26d3e9755bbf38c4e8913feee23d1bd8465f87d Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 8 Aug 2025 12:35:52 -0600 Subject: [PATCH 655/672] Host: allow netlink raw Querying a DNS server using it's hostname results in an apparmor denial: `host google.com dns.google.com` `apparmor="DENIED" operation="create" class="net" profile="host" pid=00000 comm="host" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"` --- apparmor.d/profiles-g-l/host | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index cb9f8d2d9..aca2c5d61 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -18,6 +18,7 @@ profile host @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, From b852681cc8c11f9abf287e41823f0d70e59ace06 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Sat, 9 Aug 2025 14:55:43 +0200 Subject: [PATCH 656/672] Fix hyprpicker --- apparmor.d/groups/hyprland/hyprpicker | 1 + 1 file changed, 1 insertion(+) 
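Review bot: `@{lib}/wechat-appimage.AppImage ix` replaces `@{lib}/wechat-universal/common.sh ix` in the wechat-universal profile, which looks like a copy-paste from wechat-appimage (that profile uses `@{lib_dirs}/wechat-appimage.AppImage ix` in the previous hunk): the bwrap-based universal package presumably still runs its `common.sh` helper and does not ship an AppImage. If the change is intended, a comment should say so; otherwise restore `@{lib}/wechat-universal/common.sh ix,`.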
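Review bot: `network netlink raw,` is added to host without a comment; the denial quoted in the commit message arises when the server is given by hostname, which suggests the resolver's address-configuration check (getaddrinfo over rtnetlink) rather than anything host does itself. A one-line comment such as `# rtnetlink: used by getaddrinfo() when resolving the server hostname` preserves that reasoning in the profile.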
diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 78375c8b2..a46d53f4c 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -17,6 +17,7 @@ profile hyprpicker @{exec_path} { owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, + owner /dev/shm/@{uuid} r, owner /dev/tty@{int} rw, From 9790ca7ebccfe9c27f5899eefcfe64234743ca85 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:21:56 +0200 Subject: [PATCH 657/672] fix(profile): minor linter fix. --- apparmor.d/groups/systemd/resolvectl | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 142d0c9d8..dd5bdb3d4 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -17,7 +17,7 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { network inet raw, network inet6 raw, - network netlink raw, + network netlink raw, signal send set=cont peer=child-pager, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 5eb5dac06..2370271ec 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -25,7 +25,7 @@ profile landscape-sysinfo @{exec_path} { @{exec_path} mr, - @{bin}/who rix, + @{bin}/who rPx, @{lib}/@{python_name}/**/__pycache__/ w, @{lib}/@{python_name}/**/__pycache__/**.pyc w, From a724af9dedaa86a5a7dccb191c0a54bd0aade9b3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:24:29 +0200 Subject: [PATCH 658/672] tests: improve check.sh --- tests/check.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 815f7f07e..e30f21e19 100644 --- a/tests/check.sh +++ b/tests/check.sh 
@@ -153,6 +153,8 @@ declare -A ABS_DEPRECATED=( ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" ["dbus-session-strict"]="bus-session" ["dbus-system-strict"]="bus-system" + ["gnome"]="gnome-strict" + ["kde"]="kde-strict" ) _check_abstractions() { _is_enabled abstractions || return 0 @@ -216,7 +218,7 @@ readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' sed shred stat tail tee test timeout touch truncate unlink ) readonly TRANSITION_MUST_PC=( # Must transition to 'Px' - ischroot + ischroot who ) readonly TRANSITION_MUST_C=( # Must transition to 'Cx' sysctl kmod pgrep pkexec sudo systemctl udevadm @@ -226,19 +228,19 @@ readonly TRANSITION_MUST_C=( # Must transition to 'Cx' _check_transition() { _is_enabled transition || return 0 for prgmname in "${!TRANSITION_MUST_CI[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_PC[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_C[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then _warn transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" fi 
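Review bot: The match patterns in `_check_transition` now look for `"/${name} "` anywhere in the line, so a rule such as `@{lib}/foo/sed rPx` is caught, but the three error messages still print `@{bin}/${name}`, which is misleading when the offending path was not under `@{bin}`. Print the pattern that was actually matched instead, e.g. `"*/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'"`, and likewise for the `_PC` and `_C` messages. The left side of `"/${name} "` is unanchored, so any path whose basename equals a listed program (e.g. a file named `test`) is reported as a transition error; acceptable only if no such non-program rules exist.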
@@ -455,7 +457,6 @@ _check_subprofiles() { elif $_CHEK_IN_SUBPROFILE; then if [[ "$line" == *"$include" ]]; then _RES_SUBPROFILES["$subprofile"]=true - fi fi } From 4210db4faade72baba69434134bd75b7f0a9e0bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:53:47 +0200 Subject: [PATCH 659/672] feat(profile): add more dbus interface base abs & improve dbus integration. --- apparmor.d/abstractions/bus/org.a11y | 5 +++ apparmor.d/abstractions/bus/org.bluez | 2 +- .../abstractions/bus/org.freedesktop.Avahi | 10 ++++++ .../bus/org.freedesktop.NetworkManager | 2 +- .../abstractions/bus/org.freedesktop.UPower | 2 +- ...rg.freedesktop.impl.portal.PermissionStore | 5 +++ .../bus/org.freedesktop.portal.Desktop | 11 ++++--- .../bus/org.gnome.Shell.SearchProvider | 0 .../abstractions/bus/org.gtk.Notifications | 16 ++++++++++ .../bus/org.mpris.MediaPlayer2.Player | 31 +++++++++++++++++++ apparmor.d/groups/cups/cups-browsed | 5 +++ apparmor.d/groups/cups/cups-notifier-dbus | 2 ++ apparmor.d/groups/cups/cupsd | 9 ++++++ .../freedesktop/xdg-desktop-portal-gnome | 6 ++++ .../groups/gnome/evolution-source-registry | 1 + apparmor.d/groups/gnome/gio-launch-desktop | 1 + apparmor.d/groups/gnome/gnome-characters | 2 +- .../groups/gnome/gnome-extension-gsconnect | 6 ++++ apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + .../groups/gnome/gsd-print-notifications | 5 +++ apparmor.d/groups/network/NetworkManager | 4 +-- apparmor.d/profiles-a-f/fwupd | 4 +-- apparmor.d/profiles-s-z/spotify | 11 +++++++ 23 files changed, 128 insertions(+), 13 deletions(-) create mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider create mode 100644 apparmor.d/abstractions/bus/org.gtk.Notifications create mode 100644 apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index ef0e15707..2677d2f61 100644 --- a/apparmor.d/abstractions/bus/org.a11y 
+++ b/apparmor.d/abstractions/bus/org.a11y @@ -33,6 +33,11 @@ # Session bus + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=Get diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 201d3998c..461ad9f94 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -8,7 +8,7 @@ dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved + member={InterfacesAdded,InterfacesRemoved} peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index b683cf128..aa48e69b1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -31,6 +31,16 @@ member=StateChanged peer=(name=@{busname}, label="@{p_avahi_daemon}"), + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 78f0de9de..a22a235fb 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager 
@@ -28,7 +28,7 @@ dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded + member={InterfacesAdded,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 69218b619..d82fbdef0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -18,7 +18,7 @@ dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower - member=DeviceAdded + member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 8461bb047..22886c8a5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -11,6 +11,11 @@ member=Lookup peer=(name="@{busname}", label=xdg-permission-store), + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 7b19a675a..5e5967a1a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop 
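Review bot: The `dbus send` rule added to org.freedesktop.impl.portal.PermissionStore repeats the Lookup rule directly above it with only the peer name changed, so the two could be a single rule in the brace form this same commit uses for org.bluez: `peer=(name="{@{busname},org.freedesktop.impl.portal.PermissionStore}", label=xdg-permission-store),`. Keeping them as separate rules invites a later member addition being applied to only one of the pair.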
@@ -4,11 +4,7 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.portal.Desktop label=xdg-desktop-portal - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=xdg-desktop-portal), + #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties @@ -35,6 +31,11 @@ member={Read,ReadAll} peer=(name="@{busname}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider new file mode 100644 index 000000000..e69de29bb diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications new file mode 100644 index 000000000..b9229f204 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell + + dbus send bus=session path=/org/gtk/Notifications + interface=org.gtk.Notifications + member=RemoveNotification + peer=(name=org.gtk.Notifications, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player new file mode 100644 index 000000000..d8581be07 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player 
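Review bot: apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider is added as an empty file (its index line ends in e69de29bb, the empty-blob id), so any profile that includes it silently gets no rules, which hides the omission from both the parser and the reader. If the rules are meant to follow in a later commit, the file should at least carry the header used by org.gtk.Notifications in this commit plus a `# TODO: rules pending` line; otherwise it should hold the rules or not be added yet. Whether a profile already includes it is not visible from this diff.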
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}), + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member=Seeked + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 78e7883cb..745337a8d 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -36,6 +36,11 @@ profile cups-browsed @{exec_path} { member=CheckPermissions peer=(name=:*, label=NetworkManager), + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=PrinterDeleted + peer=(name=@{busname}, label=cups-notifier-dbus), + @{exec_path} mr, /usr/share/cups/locale/{,**} r, diff --git a/apparmor.d/groups/cups/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus index 6e3b38490..fa31b726d 100644 --- a/apparmor.d/groups/cups/cups-notifier-dbus +++ b/apparmor.d/groups/cups/cups-notifier-dbus @@ -16,6 +16,8 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, + #aa:dbus own bus=system name=org.cups.cupsd.Notifier + @{exec_path} mr, owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index b3658b738..f9b70ae4d 100644 
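Review bot: In org.mpris.MediaPlayer2.Player the two `dbus receive` rules use `peer=(name=@{busname})` with no `label=`, so any session-bus peer may deliver PropertiesChanged and Seeked to the confined client; the disabled directive above mentions `label=unconfined`, which suggests this is deliberate because players are often unconfined, but the rules themselves do not record that. A comment such as `# no peer label: media players are frequently unconfined` above the first receive rule would keep the widening reviewable. The directive is written `#aa-dbus` whereas the other new abstractions in this commit use `#aa:dbus`; if the dash form is the project's way of keeping a directive disabled, a word on why it is disabled here would help, otherwise it reads as a typo.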
--- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -44,6 +44,15 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=DeleteDevice + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceById + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 1355aa22b..6ee4cab6d 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -34,6 +34,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell dbus send bus=session path=/org/freedesktop/portal/desktop @@ -46,6 +47,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, / r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 379ea5bef..a5a1bd414 100644 
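Review bot: The two colord `dbus send` rules added to cupsd share bus, path, interface and peer and differ only in member, so they can be one rule with `member={DeleteDevice,FindDeviceById}`, the brace form this commit applies in org.bluez and org.freedesktop.UPower. The pair is also not separated by a blank line, unlike the other rule groups visible in the file.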
--- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,6 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 84e8546e2..a3d285e94 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,7 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index a43168866..9af2b7d5f 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -17,7 +17,7 @@ profile gnome-characters @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Characters - #aa-dbus own bus=session name=org.gnome.Characters.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 96dd21540..3cf92d613 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,12 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include + include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 37b3b7892..6752f54d4 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon 
@@ -24,6 +24,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 9fdd96e1a..f8d4280a0 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -28,6 +28,11 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { # dbus receive bus=system path=/org/cups/cupsd/Notifier # interface=org.cups.cupsd.Notifier, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=ServerStarted + peer=(name=@{busname}, label=cups-notifier-dbus), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 85257c89d..fc5c39ea7 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -69,8 +69,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=org.freedesktop.DBus, label=nm-online), + member={InterfacesAdded,InterfacesRemoved} + peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7d28b3ec3..019aec5a9 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -14,8 +14,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include - include - include include include include 
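Review bot: The NetworkManager profile now sends the ObjectManager signals with `peer=(name=org.freedesktop.DBus)` and no `label=`, where the previous rule was pinned to `label=nm-online`; for a broadcast signal the bus daemon is the only plausible peer, so the change is probably correct, but the diff does not say why the label was dropped. A comment on the rule such as `# broadcast signal: receiver label cannot be pinned` would record the reasoning. The enclosing profile body continues outside the hunk.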
@@ -38,7 +36,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ + #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index dfd488a48..b619a8720 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -16,6 +16,14 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include + include + include + include include include @@ -25,6 +33,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + @{exec_path} mrix, @{sh_path} mr, From 526a7e704cf2e9eb608691fe9e9d74ead7159a2e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:55:08 +0200 Subject: [PATCH 660/672] feat(tunable): improve the definition of some tunables. --- apparmor.d/tunables/multiarch.d/system | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index eac40a028..359d1b878 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -38,7 +38,7 @@ @{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} # Universally unique identifier -@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +@{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12} # Username & group valid characters @{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} @@ -47,8 +47,9 @@ # Semantic version @{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},} +#aa:only opensuse # OpenSUSE does not have the same multiarch structure -@{multiarch}+=*-suse-linux* #aa:only opensuse +@{multiarch}+=*-suse-linux* # System Internal @@ -58,11 +59,12 @@ @{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} # Shortcut for PCI device -@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} -@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} +@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} +@{pci_bus}=pci@{hex4}:@{hex2} @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges +# See https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 From 67c9e86d832c144d70e4d1e1d49d79ac007a8472 Mon Sep 17 00:00:00 2001 
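Review bot: `@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h}` replaces an exactly-four-digit domain field (`@{h}@{h}@{h}@{h}`) with `@{hex}`, while the neighbouring `@{pci_bus}` line uses `@{hex4}` for the same field; if `@{hex}` is the variable-length form, `@{pci_id}` now matches more than it did and the two tunables disagree about the same value. `@{pci_id}=@{hex4}:@{hex2}:@{hex2}.@{h}` would preserve the previous width and agree with `@{pci_bus}`. The definition of `@{hex}` is outside this hunk, so the widening is inferred from the pci_bus line rather than seen.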
From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:00:42 +0200 Subject: [PATCH 661/672] feat(profile): improve integration with ubuntu. --- apparmor.d/groups/apt/dpkg-script-apparmor | 7 +++++++ apparmor.d/groups/cups/cups-browsed | 6 ++++-- apparmor.d/groups/cups/cupsd | 3 +++ apparmor.d/groups/gnome/gdm-generate-config | 4 ++-- apparmor.d/groups/gnome/gnome-terminal-server | 2 ++ apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/systemd/systemd-coredump | 1 + apparmor.d/groups/systemd/systemd-logind | 10 +++++----- apparmor.d/groups/systemd/systemd-sleep-hdparm | 1 + apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders | 6 ++++-- apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer | 2 ++ apparmor.d/profiles-g-l/git | 5 ++++- apparmor.d/profiles-g-l/gitstatusd | 4 +++- apparmor.d/profiles-g-l/host | 5 +++-- apparmor.d/profiles-g-l/language-validate | 1 - apparmor.d/profiles-m-r/on-ac-power | 1 + apparmor.d/profiles-m-r/pass | 1 + apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 5 ++--- apparmor.d/profiles-s-z/thermald | 3 +-- 20 files changed, 48 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 122e4541e..38a068ac0 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -11,6 +11,8 @@ profile dpkg-script-apparmor @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{bin}/{,e}grep ix, @@ -43,11 +45,16 @@ profile dpkg-script-apparmor @{exec_path} { capability net_admin, capability sys_resource, + capability dac_override, + capability dac_read_search, signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent rix, + @{run}/user/@{uid}/systemd/ask-password/ rw, + @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, + owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password-block/{,*} rw, 
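Review bot: The second hunk of dpkg-script-apparmor adds `capability dac_override` and `capability dac_read_search` with no comment naming the operation that needs them, and together they let the confined process ignore DAC permission bits on every path its file rules allow; the preceding `capability net_admin,` and `capability sys_resource,` suggest this sits in a child profile whose header is outside the hunk. The new `@{run}/user/@{uid}/systemd/ask-password/ rw` and `ask-password-block/{,*} rw` rules also omit `owner` while the adjacent `@{run}/systemd/` rules carry it; if that is because the per-user runtime directory belongs to the session user while the script runs as root, a comment saying so would stop a later cleanup from "fixing" it. The `capability dac_read_search` added to the main profile in the first hunk has the same missing justification.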
diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 745337a8d..9498f245a 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -16,9 +16,9 @@ profile cups-browsed @{exec_path} { include include - capability net_admin, +# capability net_admin, capability net_bind_service, - capability sys_nice, +# capability sys_nice, network inet dgram, network inet6 dgram, @@ -43,6 +43,8 @@ profile cups-browsed @{exec_path} { @{exec_path} mr, + @{bin}/ippfind rPx, + /usr/share/cups/locale/{,**} r, /etc/cups/{,**} r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index f9b70ae4d..acae9b7a1 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -29,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { capability setuid, capability wake_alarm, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network appletalk dgram, @@ -99,6 +101,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{run}/cups/{,**} rw, @{run}/systemd/notify w, + @{run}/avahi-daemon/socket rw, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 7240ffaef..d48b9eff6 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> pgrep, - @{bin}/pkill rCx -> pgrep, + @{bin}/pgrep rCx -> &pgrep, + @{bin}/pkill rCx -> &pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 837f00f68..cda4568c1 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server 
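Review bot: `@{bin}/ippfind rPx` in cups-browsed requires a profile named ippfind to exist, and this commit's diffstat lists no new ippfind profile; with `Px` there is no fallback, so if no such profile is shipped the exec is denied outright. Either an ippfind profile should be part of the change or the rule should note which existing profile is expected to attach. The first hunk also disables `capability net_admin` and `capability sys_nice` by commenting them out at column 0 with no explanation; deleting the lines, or a comment such as `# not observed in practice, kept for reference`, would be clearer than dead rules that break the file's indentation.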
@@ -38,6 +38,8 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, + @{lib}/gnome-terminal-preferences ix, + # The shell is not confined on purpose. @{bin}/@{shells} Ux, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 87820376c..27000b93a 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -26,6 +26,7 @@ profile papers @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, owner @{tmp}/gtkprint@{rand6} rw, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2bd25ec16..54f366c2f 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -35,6 +35,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{bin}/* r, @{sbin}/* r, /opt/** r, + /usr/share/*/** r, @{user_lib_dirs}/** r, /etc/systemd/coredump.conf r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 7bd5c88de..1fb3f6cb3 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -136,11 +136,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/tty@{int} rw, - owner /dev/shm/{,**/} rw, + /dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/tty@{int} rw, + /dev/shm/{,**/} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 71008c96d..4cbe61755 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm 
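Review bot: The systemd-logind hunk replaces `owner /dev/shm/{,**/} rw` with `/dev/shm/{,**/} rw`, so the daemon may now create and write directories under /dev/shm owned by any user instead of only its own; the simultaneous re-indentation of the neighbouring device lines makes this one-token widening easy to overlook. If logind needs to manage other users' shm directories on session cleanup, a comment such as `# session cleanup touches other users' directories` on the rule would document the intent; otherwise the `owner` qualifier should stay. The profile's earlier rules are outside the hunk.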
+++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -11,6 +11,7 @@ profile systemd-sleep-hdparm @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index b64c34a4b..04c9a33f2 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{exec_path} mr, - @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, - @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w, + @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw, + @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw, /usr/share/gvfs/remote-volume-monitors/{,**} r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer index 6ec661d31..d3df6f5f3 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -10,6 +10,8 @@ include profile gdk-pixbuf-thumbnailer @{exec_path} { include + @{exec_path} mr, + include if exists } diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index c9373c7ae..425fe2f14 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -115,6 +115,8 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} r, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists 
@@ -138,13 +140,14 @@ profile git @{exec_path} flags=(attach_disconnected) { @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, - owner @{HOME}/@{XDG_SSH_DIR}/* r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 8901ade9c..579536674 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -6,12 +6,14 @@ abi , include -@{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} +@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*} +@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include include signal receive set=term peer=*//shell, + signal receive set=term peer=vscode, @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index aca2c5d61..ab0cf0cba 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -22,10 +22,11 @@ profile host @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, - @{sys}/kernel/mm/transparent_hugepage/enabled r, + @{PROC}/version_signature r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 80f914fab..3d7383aef 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate 
@@ -18,7 +18,6 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/locale rix, - /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, include if exists diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index ffe3d4119..16ccfd9da 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -18,6 +18,7 @@ profile on-ac-power @{exec_path} { @{bin}/cat rix, @{sys}/class/power_supply/ r, + @{sys}/class/typec/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @{PROC}/pmu/info r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 7e432a838..30f92c964 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -146,6 +146,7 @@ profile pass @{exec_path} { owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b619a8720..1ec4eeea3 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,7 +8,7 @@ abi , include @{name} = spotify -@{lib_dirs} = /opt/spotify/ +@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index dfdd00524..7d9143938 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc 
@@ -24,10 +24,9 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r, @{sys}/devices/@{pci}/net/*/duplex r, - @{sys}/devices/**/i2c-*/name r, + @{sys}/devices/**/hwmon@{int}/ r, + @{sys}/devices/**/name r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, @{sys}/devices/virtual/net/*/duplex r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 101310df1..b663865e8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { /etc/thermald/{,*} r, owner @{run}/thermald/ rw, - owner @{run}/thermald/thd_preference.conf rw, - owner @{run}/thermald/thd_preference.conf.save w, + owner @{run}/thermald/** rw, owner @{run}/thermald/thermald.pid rwk, @{sys}/class/hwmon/ r, From 90e962dabbbb57be3ff927c02320dda8002cf0de Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:02:15 +0200 Subject: [PATCH 662/672] feat(profile): chromium: cleanup shell exe. Needed to installing/remove extensions, applications, and stacked xdg menus --- apparmor.d/abstractions/app/chromium | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index c089d89e5..a971ca5a0 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium 
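Review bot: `@{sys}/devices/**/name r` in sysstat-sadc widens from two specific attributes (`hwmon/hwmon@{int}/name` and `i2c-*/name`) to the `name` attribute of every device in the sysfs tree; it is read-only, so the risk is low, but the hunk gives no hint of which subtrees are actually read. A comment such as `# hwmon and i2c device names, location varies by bus` on the rule would let a later reader re-narrow it if the broad glob proves unnecessary.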
@@ -86,16 +86,11 @@ @{bin}/xdg-open rPx -> child-open, @{bin}/xdg-settings rPx, - # Installing/removing extensions & applications - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/touch rix, + # Installing/removing extensions, applications, and stacked xdg menus + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{coreutils_path} ix, # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 From 82c6f554b37b559d31427a195751869ba77d19cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:03:16 +0200 Subject: [PATCH 663/672] feat(abs): update list of app allowed to be openned. --- apparmor.d/abstractions/app-open | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 59724f019..e0c8d3d59 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -35,6 +35,7 @@ @{bin}/discord{,-ptb} Px, @{bin}/draw.io PUx, @{bin}/dropbox Px, + @{bin}/ebook-edit PUx, @{bin}/element-desktop Px, @{bin}/extension-manager Px, @{bin}/filezilla Px, @@ -46,6 +47,7 @@ @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, + @{bin}/keepassxc Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, From 1da6e15cda25ec3ff7eeff0401546aedd70d8ef5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:04:26 +0200 Subject: [PATCH 664/672] cosmetic: cleanup usage of bash abs. --- apparmor.d/abstractions/bash-strict | 2 +- apparmor.d/abstractions/fish | 2 +- apparmor.d/abstractions/zsh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 9ea35f8c2..cd4a7c8a7 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict 
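Review bot: The chromium abstraction replaces an enumerated set of nine helpers with `@{sh_path} rix`, `@{bin}/{m,g,}awk ix` and `@{coreutils_path} ix`, all inherited, so a shell and every coreutil now run with the browser profile's full permission set rather than the handful that was previously reviewed; the commit message gives extension installs and xdg menus as the reason but the rules do not. A comment on the group, for example `# extension install and xdg menu scripts need sh, awk and coreutils`, would let a later reader re-narrow the list. Whether `@{coreutils_path}` covers tools such as `rm` and `touch` that the old list granted is inferred from its name and not visible in the hunk.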
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index 2ae6ab93d..65f97f9f2 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 02eacfb62..7c734a45b 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , From ece81aa6cbe0d0660db978b81cb20d140e408188 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:05:15 +0200 Subject: [PATCH 665/672] feat(abs): audio: add jack.conf.d --- apparmor.d/abstractions/audio-client | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 166229a09..826191309 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -21,6 +21,7 @@ /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, /etc/pipewire/client{,-rt}.conf.d/{,**} r, + /etc/pipewire/jack.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, 
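Review bot: The comment added to apparmor.d/abstractions/fish says `when zshrc is loaded`, which is the zsh wording from the same commit; fish has no zshrc, so the line should read `# This abstraction is only required when config.fish is loaded (e.g. interactive shell).`. The bash-strict and zsh hunks name their own startup files correctly.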
From eb642993d88ad2ca8204e0640a7c69bfa35a7ab4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 10:56:20 +0200 Subject: [PATCH 666/672] feat(profile): revisit the monitorix profile. --- apparmor.d/profiles-m-r/monitorix | 105 +++++++++++++++--------------- 1 file changed, 51 insertions(+), 54 deletions(-) diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index c708b587c..6cbef400b 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -10,10 +10,11 @@ include @{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include - include - include - include + include include + include + include + include capability net_admin, capability chown, 
@@ -28,80 +29,76 @@ profile monitorix @{exec_path} { network inet stream, network inet6 stream, - ptrace (read), + ptrace read, - signal (receive) set=(hup) peer=logroate, + signal receive set=(hup) peer=logroate, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/df rix, - @{bin}/cat rix, - @{bin}/tail rix, - @{bin}/{m,g,}awk rix, - @{bin}/free rix, - @{sbin}/ss rix, - @{bin}/who rix, - @{sbin}/lvm rix, - @{sbin}/xtables-nft-multi rix, - @{bin}/sensors rix, - @{bin}/getconf rix, - @{bin}/ps rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/df ix, + @{bin}/free ix, + @{bin}/getconf ix, + @{bin}/ps Px, + @{bin}/sensors Px, + @{bin}/tail ix, + @{bin}/who Px, + @{sbin}/lvm Px, + @{sbin}/ss Px, + @{sbin}/xtables-nft-multi ix, - /etc/monitorix/monitorix.conf r, - /etc/monitorix/conf.d/ r, - /etc/monitorix/conf.d/@{int2}-*.conf r, + /var/lib/monitorix/www/cgi/monitorix.cgi ix, + + /etc/monitorix/{,**} r, + + /var/lib/monitorix/ rw, + /var/lib/monitorix/** rwk, /var/log/monitorix w, /var/log/monitorix-* w, - owner @{run}/monitorix.pid w, - - /var/lib/monitorix/*.rrd* rwk, - /var/lib/monitorix/www/** rw, - /var/lib/monitorix/www/cgi/monitorix.cgi rwix, + /srv/http/monitorix/ rw, + /srv/http/monitorix/** rwk, / r, /tmp/ r, - /etc/shadow r, - /dev/tty r, + owner @{run}/monitorix.pid w, @{run}/utmp rk, - @{PROC}/ r, - @{PROC}/swaps r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/uptime r, - @{PROC}/interrupts r, - @{PROC}/sys/fs/dentry-state r, - @{PROC}/sys/fs/file-nr r, - @{PROC}/sys/fs/inode-nr r, - @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/dev r, - owner @{PROC}/@{pid}/net/ip_tables_names r, - owner @{PROC}/@{pid}/net/ip6_tables_names r, - @{PROC}/@{pid}/net/udp{,6} r, - @{PROC}/@{pid}/net/tcp{,6} r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - 
@{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/io r, - @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, - /etc/sensors3.conf r, - /etc/sensors.d/ r, + @{PROC}/ r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, + @{PROC}/diskstats r, + @{PROC}/interrupts r, + @{PROC}/loadavg r, + @{PROC}/swaps r, + @{PROC}/sys/fs/dentry-state r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inode-nr r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/net/ip_tables_names r, + owner @{PROC}/@{pid}/net/ip6_tables_names r, include if exists } From caee95ff9edc4e8f970a41c4a289af9d83ee714f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 11:18:21 +0200 Subject: [PATCH 667/672] fix(test): checks.sh: allow empty disabled array. --- tests/check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/check.sh b/tests/check.sh index e30f21e19..9ecd809bf 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -42,7 +42,7 @@ _in_array() { _is_enabled() { local check="$1" if _in_array "$check" "${WITH_CHECK[@]}"; then - if [[ ${#_check_is_disabled[@]} -eq 0 ]]; then + if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then return 0 fi if _in_array "$check" "${_check_is_disabled[@]}"; then From 73afa5835eb4e8ea5a201a8f44bb194f01c09dc2 Mon Sep 17 00:00:00 2001 
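Review bot: The new `/var/lib/monitorix/** rwk,` rule also covers `/var/lib/monitorix/www/cgi/monitorix.cgi`, which the same hunk makes executable with `ix`, so the profile grants write and in-profile execute on the same script; the old `rwix` line had the same overlap but the rewrite was the moment to remove it. The previous rules suggest the writable set is the `*.rrd*` files and the generated `www/` content, so narrowing the write rule to those paths (leaving the cgi read/execute only) would keep the W^X separation without losing functionality. The re-touched signal line also keeps the misspelled peer `logroate`; unless a profile with that exact label exists, the rule never matches and logrotate's HUP is denied, so it should read `signal receive set=(hup) peer=logrotate,`. The profile header for this hunk is in the preceding hunk.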
From: Alexandre Pujol Date: Mon, 11 Aug 2025 11:23:05 +0200 Subject: [PATCH 668/672] fix(abs): dbus: SearchProvider -> SearchProvider2 --- .../abstractions/bus/org.gnome.Shell.SearchProvider | 0 .../abstractions/bus/org.gnome.Shell.SearchProvider2 | 12 ++++++++++++ 2 files changed, 12 insertions(+) delete mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider create mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider deleted file mode 100644 index e69de29bb..000000000 diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 new file mode 100644 index 000000000..baa96cc78 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + + include if exists + +# vim:syntax=apparmor + From 175e2c3dc3ff1dc8bce2ed312141cec5f2065dfd Mon Sep 17 00:00:00 2001 
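Review bot: Removing bus/org.gnome.Shell.SearchProvider while adding only bus/org.gnome.Shell.SearchProvider2 turns any remaining `include <abstractions/bus/org.gnome.Shell.SearchProvider>` elsewhere in the tree into a parse failure, since the old file (an empty blob, index e69de29bb) previously satisfied such includes silently. The diffstat lists only these two files, so if any profile still references the old name it is not updated here; that is inferred from the commit alone and worth a grep before merge. A one-line note in the commit message naming the renamed abstraction (or keeping the old file as a stub that includes the new one for a release) would make the rename safe for downstream profiles.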
From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:16:35 +0200 Subject: [PATCH 669/672] feat(profile): ensure all access to udev/data is documented. Cleanup some rule to wide in udev/data --- apparmor.d/abstractions/devices-usb-read | 6 ++--- apparmor.d/abstractions/disks-read | 6 ++--- apparmor.d/abstractions/gstreamer | 2 +- apparmor.d/groups/_full/systemd | 5 ++-- apparmor.d/groups/_full/systemd-user | 5 ++-- apparmor.d/groups/bluetooth/bluetoothd | 2 +- .../groups/browsers/firefox-kmozillahelper | 2 +- apparmor.d/groups/filesystem/udisksd | 8 +++--- apparmor.d/groups/freedesktop/boltd | 2 +- .../groups/freedesktop/iio-sensor-proxy | 2 +- apparmor.d/groups/freedesktop/upowerd | 12 ++++----- apparmor.d/groups/freedesktop/xorg | 10 +++---- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++----- apparmor.d/groups/gnome/gsd-power | 4 +-- apparmor.d/groups/hyprland/hyprland | 8 +++--- apparmor.d/groups/kde/baloo | 4 +-- apparmor.d/groups/kde/baloorunner | 4 +-- apparmor.d/groups/kde/dolphin | 4 +-- apparmor.d/groups/kde/kwin_wayland | 8 +++--- apparmor.d/groups/lxqt/lxqt-panel | 3 ++- apparmor.d/groups/network/ModemManager | 14 +++++----- apparmor.d/groups/network/NetworkManager | 6 ++--- apparmor.d/groups/network/dhcpcd | 2 +- apparmor.d/groups/network/nmcli | 2 +- apparmor.d/groups/steam/steam | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/systemd-backlight | 4 +-- apparmor.d/groups/systemd/systemd-journald | 26 +++++++++---------- apparmor.d/groups/systemd/systemd-logind | 12 ++++----- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 2 +- .../groups/ubuntu/subiquity-console-conf | 8 +++--- apparmor.d/groups/virt/libvirtd | 6 ++--- apparmor.d/groups/virt/virtnodedevd | 16 ++++++------ apparmor.d/profiles-a-f/cheese | 3 ++- apparmor.d/profiles-a-f/fwupd | 4 ++- apparmor.d/profiles-g-l/kodi | 3 ++- apparmor.d/profiles-g-l/labwc | 7 +++-- 
apparmor.d/profiles-m-r/power-profiles-daemon | 4 +-- apparmor.d/profiles-s-z/tlp | 2 +- 41 files changed, 120 insertions(+), 118 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 6bd0c8015..836a5f3c7 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -20,9 +20,9 @@ @{sys}/devices/**/usb@{int}/{,**} r, # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters include if exists diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 872b0c552..e33ec2c3f 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -101,13 +101,13 @@ @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 - @{run}/udev/data/b25[0-4]:@{int} r, + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 + @{run}/udev/data/b25[0-4]:@{int} r, # to 254 @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # for disk over usb hub + @{run}/udev/data/+usb:* r, # Identifies all USB devices include if exists diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 7fc20c293..5a14b6f7a 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer 
@@ -36,7 +36,7 @@ #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c189:@{int} r, # For USB serial converters diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 184084fed..d1ee8fd1f 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -168,14 +168,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/**/uevent r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index a5bb4d926..b3d751be1 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user 
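Review bot: In the systemd hunk, replacing `+module:configfs` and `+module:fuse` with `@{run}/udev/data/+module:* r,` widens the rule to the udev entries of every module device, which is the opposite of the "too wide" cleanup the commit message describes; the same replacement is made in the systemd-user hunk that follows. If the broader rule is intentional (the two named modules were only the ones observed), the added comment should say so rather than "Identifies kernel modules loaded by udev", since these entries describe devices under /sys/module regardless of who loaded the module; something like `# Identifies all kernel module devices (/sys/module/*)` would be accurate. The enclosing profile block starts before the hunk.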
@@ -59,14 +59,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { @{run}/systemd/notify w, @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index e5443f505..2800a4124 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -46,7 +46,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index efcad72f8..8e86ee126 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -44,7 +44,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** 
diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 2ff82f5e4..91d4a8569 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -112,11 +112,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 8f55bb375..5b72f8427 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -27,7 +27,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/notify w, - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{sys}/bus/ r, @{sys}/bus/thunderbolt/devices/ r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index d7122bdbb..1201e1277 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy 
@@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 4061af4c8..d58385831 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -28,15 +28,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/ r, # Lists all udev data files + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for serial mice - @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* 
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 12c82aea3..c14af6d6e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -92,17 +92,17 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 85b3268dd..41b62df09 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
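Review bot: Tightening `@{run}/udev/data/+usb* r,` to `@{run}/udev/data/+usb:* r,` in the xorg hunk silently drops the `+usb-serial:*` entries the old glob also matched, and the same narrowing appears in the gnome-shell and hyprland hunks; the systemd-journald hunk later in this commit lists `+usb-serial:*` as its own prefix, so the two sets are distinct. If any of these display servers enumerate USB-serial adapters (input-device hotplug is a plausible path, but that is inferred, not shown here), the change will surface as new denials. Either keep a `+usb-serial:*` line alongside the new rule where it was observed, or note in the commit message that the narrowing is deliberate.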
@@ -159,7 +159,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 25ce44f14..d4c8b1ba2 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -315,19 +315,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a330b76ce..2fa0b0b1f 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power 
@@ -58,9 +58,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 9f2e7583d..8c8c32da0 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -42,15 +42,15 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/@{int} r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index e53bf4039..29447e22a 100644 
--- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -44,8 +44,8 @@ profile baloo @{exec_path} { @{run}/mount/utab r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 8410408b3..702288a1f 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -28,8 +28,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2ed232f85..5d51f8c4d 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -105,8 +105,8 @@ profile dolphin @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 101affd8c..afaac3bd0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland 
@@ -110,15 +110,15 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{run}/udev/data/+acpi:* r, # for ACPI + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID subsystem + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 650a7e402..f817be69d 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -63,7 +63,8 @@ profile lxqt-panel @{exec_path} { owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/pulse/{,**} rwk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/class/i2c-adapter/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 59efc3201..8220516bf 100644 --- a/apparmor.d/groups/network/ModemManager 
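Review bot: The lxqt-panel hunk replaces `@{run}/udev/data/* r,` with `+*:*` and `c@{int}:@{int}`, which drops access to the block (`b*:*`) and network (`n@{int}`) entries the old glob covered; if a panel plugin reads those (a mount/removable-media or network widget would, though that is inferred), this is a functional change rather than a cleanup. The remaining `c@{int}:@{int}` still matches every character device, so the narrowing mostly documents intent rather than reducing exposure; if the goal is documentation, adding the `n@{int}` line with its "For network interfaces" comment used elsewhere in this commit would keep behaviour unchanged while staying consistent. The profile header is outside the hunk.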
+++ b/apparmor.d/groups/network/ModemManager @@ -25,18 +25,18 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+pnp:* r, - @{run}/udev/data/+serial*:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) + @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fc5c39ea7..f7c0dd084 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
@@ -125,9 +125,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/nscd/db* rwl, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 51cf215f9..7bcd9efba 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -49,7 +49,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{run}/dhcpcd/** rwk, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 43a9d0dca..6065a12da 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -25,7 +25,7 @@ profile nmcli @{exec_path} { owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 151a3e161..5009b970d 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam 
@@ -190,7 +190,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0fd89c199..a0d1471f9 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -59,7 +59,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/**/net/**/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 374e9c4ae..b5a966f37 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index b0a646f66..ad3d96990 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
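Review bot: In the systemd-backlight hunk the comment `# For keyboard backlights, mouse LEDs, etc.` is attached to `@{run}/udev/data/+leds:*backlight* r,`, but that pattern only matches LED entries whose name contains "backlight", so mouse LEDs or other LED classes are not covered by the rule as written. The comment should describe what the glob actually admits, e.g. `# For LED-class backlights (keyboard backlight, etc.)`, so the next reader does not assume broader LED access than the profile grants. The profile block starts before the hunk.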
@@ -46,20 +46,20 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted
 @{run}/host/container-manager r,
 @{run}/utmp rk,
- @{run}/udev/data/+acpi:* r,
- @{run}/udev/data/+bluetooth:* r,
- @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
- @{run}/udev/data/+ieee80211:* r,
+ @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
+ @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections.
+ @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
+ @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points.
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
- @{run}/udev/data/+mdio_bus:* r,
- @{run}/udev/data/+pci:* r,
- @{run}/udev/data/+platform:* r,
- @{run}/udev/data/+scsi:* r,
- @{run}/udev/data/+sdio:* r,
- @{run}/udev/data/+thunderbolt:* r,
- @{run}/udev/data/+usb-serial:* r,
- @{run}/udev/data/+usb:* r,
- @{run}/udev/data/+virtio:* r,
+ @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices)
+ @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
+ @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI
+ @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules.
+ @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices.
+ @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters
+ @{run}/udev/data/+usb:* r, # Identifies all USB devices
+ @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console)
 @{run}/udev/data/b254:@{int} r, # for /dev/zram*
 @{run}/udev/data/b259:@{int} r, # Block Extended Major
 @{run}/udev/data/c1:@{int} r, # For RAM disk
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 1fb3f6cb3..271354633 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -68,15 +68,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/tags/uaccess/ r,
 @{run}/udev/static_node-tags/uaccess/ r,
- @{run}/udev/data/+backlight:* r,
- @{run}/udev/data/+drivers:* r,
+ @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens.
+ @{run}/udev/data/+drivers:* r, # For drivers loaded in the system
 @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
- @{run}/udev/data/+hid:* r,
- @{run}/udev/data/+i2c:* r,
+ @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
+ @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
- @{run}/udev/data/+leds:* r,
+ @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.)
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+wakeup:* r,
+ @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation)
 @{run}/udev/data/c1:@{int} r, # For RAM disk
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
 @{run}/udev/data/c13:@{int} r, # For /dev/input/*
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 5105c69b8..ccb6d9629 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -71,7 +71,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/network/*.network r,
 owner @{run}/systemd/netif/** rw,
- @{run}/udev/data/n@{int} r,
+ @{run}/udev/data/n@{int} r, # For network interfaces
 @{sys}/devices/@{pci}/ r,
 @{sys}/devices/@{pci}/rfkill@{int}/* r,
diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill
index 552bd9996..bf983ea7a 100644
--- a/apparmor.d/groups/systemd/systemd-rfkill
+++ b/apparmor.d/groups/systemd/systemd-rfkill
@@ -22,7 +22,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) {
 /var/lib/systemd/rfkill/* rw,
 @{run}/systemd/notify rw,
- @{run}/udev/data/+rfkill:* r,
+ @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
 @{sys}/devices/**/rfkill@{int}/{uevent,name} r,
diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf
index a5b65f5b3..8f673e261 100644
--- a/apparmor.d/groups/ubuntu/subiquity-console-conf
+++ b/apparmor.d/groups/ubuntu/subiquity-console-conf
@@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} {
 @{run}/snapd-recovery-chooser-triggered r,
 @{run}/snapd.socket rw,
- @{run}/udev/data/+acpi:* r,
+ @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
 @{run}/udev/data/+dmi:* r, # For motherboard info
 @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
- @{run}/udev/data/+leds:* r,
+ @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.)
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
 @{run}/udev/data/+sound:card@{int} r, # For sound card
 @{run}/udev/data/c1:@{int} r, # For RAM disk
@@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} {
 @{run}/udev/data/c116:@{int} r, # For ALSA
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
- @{run}/udev/data/n@{int} r,
+ @{run}/udev/data/n@{int} r, # For network interfaces
 @{sys}/**/devices/ r,
 @{sys}/*/*/ r,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index c90e80af9..fa3005a65 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -164,9 +164,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/notify w,
 @{run}/utmp rk,
- @{run}/udev/data/+*:* r,
- @{run}/udev/data/c@{int}:@{int} r,
- @{run}/udev/data/n@{int} r,
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
+ @{run}/udev/data/n@{int} r, # For network interfaces
 @{sys}/bus/[a-z]*/devices/ r,
 @{sys}/bus/pci/drivers_probe w,
diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd
index 957164e85..fb593068e 100644
--- a/apparmor.d/groups/virt/virtnodedevd
+++ b/apparmor.d/groups/virt/virtnodedevd
@@ -44,18 +44,18 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 @{run}/utmp rk,
- @{run}/udev/data/+backlight:* r,
- @{run}/udev/data/+bluetooth:* r,
+ @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens.
+ @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections.
 @{run}/udev/data/+dmi:* r, # for motherboard info
 @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
- @{run}/udev/data/+leds:* r,
+ @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.)
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+platform:* r,
- @{run}/udev/data/+power_supply:* r,
- @{run}/udev/data/+rfkill:* r,
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
+ @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
+ @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
 @{run}/udev/data/+sound:card@{int} r, # For sound card
- @{run}/udev/data/+thunderbolt:* r,
+ @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices.
 @{run}/udev/data/c1:@{int} r, # For RAM disk
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
@@ -71,7 +71,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c203:@{int} r, # CPU CPUID information
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
- @{run}/udev/data/n@{int} r,
+ @{run}/udev/data/n@{int} r, # For network interfaces
 @{sys}/**/ r,
 @{sys}/devices/@{pci}/net/{,**} r,
diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese
index cadd1beab..b308439c3 100644
--- a/apparmor.d/profiles-a-f/cheese
+++ b/apparmor.d/profiles-a-f/cheese
@@ -36,10 +36,11 @@ profile cheese @{exec_path} {
 owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r,
- @{run}/udev/data/c@{dynamic}:@{int} r,
 owner @{tmp}/flatpak-seccomp-@{rand6} rw,
 owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 019aec5a9..ff9af895d 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -109,7 +109,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/motd.d/@{int}-fwupd* rw,
 @{run}/motd.d/fwupd/{,**} rw,
 @{run}/mount/utab r,
- @{run}/udev/data/* r,
+
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
 @{PROC}/@{pids}/fd/ r,
 @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi
index 5b90dd3ef..9d6c9d1c2 100644
--- a/apparmor.d/profiles-g-l/kodi
+++ b/apparmor.d/profiles-g-l/kodi
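Review bot: Replacing `@{run}/udev/data/* r,` with only the `+*:*` and `c@{int}:@{int}` forms drops the block-device (`b<major>:<minor>`) and network-interface (`n<ifindex>`) entries that the old wildcard covered, and nothing in the fwupd hunk adds them back. fwupd is commonly used to update storage firmware and enumerates those devices through udev, so this is likely to surface as a denial; since the profile carries the `complain` flag it would only be logged, not enforced. The same narrowing is applied to kodi in this commit and to the udevadm abstraction, sd, systemd-analyze and ddcutil in the last commit on this page, where `udevadm info` on a block device and systemd's device units presumably read the `b*` entries as well. Where audit logs confirm the need, add `@{run}/udev/data/b@{int}:@{int} r, # Identifies all block devices` next to the two new rules rather than reintroducing the wildcard.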
@@ -50,7 +50,8 @@ profile kodi @{exec_path} {
 owner @{HOME}/core w,
 owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w,
- @{run}/udev/data/* r,
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
 @{sys}/**/ r,
 @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r,
diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc
index 93234bf52..ab624f099 100644
--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
@@ -38,12 +38,11 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/@{pci}/boot_vga r,
 @{sys}/devices/**/uevent r,
- @{run}/udev/data/+acpi:* r, # for ?
+ @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
 @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
- @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
- @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
+ @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+platform:* r, # for ?
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
 @{run}/udev/data/+serio:* r, # for touchpad?
 @{run}/udev/data/+sound:card@{int} r, # for sound card
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon
index 636f41754..b8f50ff7c 100644
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@@ -28,8 +28,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 /var/lib/power-profiles-daemon/{,**} rw,
- @{run}/udev/data/+platform:* r,
- @{run}/udev/data/+power_supply:* r,
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
+ @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
 @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp
index 0dccf1a23..1592d3aee 100644
--- a/apparmor.d/profiles-s-z/tlp
+++ b/apparmor.d/profiles-s-z/tlp
@@ -68,7 +68,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 owner @{run}/tlp/{,**} rw,
 owner @{run}/tlp/lock_tlp rwk,
- @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
 @{sys}/bus/pci/devices/ r,
 @{sys}/bus/pci/drivers/*/ r,
From 616486d5bad36719f8096ec9a4d540f199a603ad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:18:58 +0200 Subject: [PATCH 670/672] tests(check): add a check to ensure all udev/data access are documented. --- tests/check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/tests/check.sh b/tests/check.sh
index 9ecd809bf..9bafd5104 100644
--- a/tests/check.sh
+++ b/tests/check.sh
@@ -108,6 +108,7 @@ _check() {
 _check_trailing
 _check_indentation
 _check_vim
+ _check_udev
 # The following checks do not apply to commented lines
 [[ "$line" =~ ^[[:space:]]*# ]] && continue
@@ -485,6 +486,15 @@ _res_vim() {
 fi
 }
+_check_udev() {
+ _is_enabled udev || return 0
+ if [[ "$line" == *"@{run}/udev/data/"* ]]; then
+ if [[ "$line" != *"#"* ]]; then
+ _err udev "$file:$line_number" "udev data path without a description comment"
+ fi
+ fi
+}
+
 check_sbin() {
 local file name jobs
 mapfile -t sbin
Date: Mon, 11 Aug 2025 19:38:24 +0200 Subject: [PATCH 671/672] feat(profile): fwupd: allow access to dbx --- apparmor.d/profiles-a-f/fwupd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index ff9af895d..7a00455a6 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -83,7 +83,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 owner /var/lib/fwupd/ rw,
 owner /var/lib/fwupd/** rwk,
- # In order to get to this file, the attach_disconnected flag has to be set
+ @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r,
 owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
 owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r,
@@ -97,6 +97,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/firmware/efi/** r,
 @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
 @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/dbx-@{uuid} rw,
 @{sys}/firmware/efi/efivars/fwupd-* rw,
 @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
 @{sys}/kernel/security/lockdown r,
From f35b64bcaec3dd23c11ab55c1b0fd3f0a21d849b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 22:27:08 +0200 Subject: [PATCH 672/672] fix(profile): missing documented udev/data --- apparmor.d/abstractions/app/udevadm | 3 ++- apparmor.d/groups/_full/sd | 3 ++- apparmor.d/groups/systemd/systemd-analyze | 3 ++- apparmor.d/profiles-a-f/ddcutil | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm
index e8414d026..d659143d6 100644
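Review bot: `_check_udev` only tests for the presence of a `#` somewhere on the line, so a rule such as `@{run}/udev/data/+*:* r, #` with an empty comment passes, and so would a line whose only `#` sits inside the path rather than in a trailing comment. Require at least one non-blank character after the `#`, e.g. `if [[ "$line" != *"#"*[![:space:]]* ]]; then`, so the check enforces an actual description rather than a marker. Because `_check` calls it before the `^[[:space:]]*#` skip, commented-out rules are scanned too, which is harmless here since they necessarily contain a `#`. `_is_enabled udev` presumably needs `udev` registered wherever the other check names are enabled; that registration is not visible in this diff.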
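Review bot: The new `@{sys}/firmware/efi/efivars/dbx-@{uuid} rw,` rule grants write access to the Secure Boot forbidden-signature database and is the one line in this block whose purpose is not obvious from its name, so it deserves the kind of inline description the udev/data rules received in this series, e.g. `# Secure Boot forbidden-signature database (dbx), written when applying dbx updates`. In the preceding hunk of this file, the removed comment about `attach_disconnected` explained exactly the situation the new `@{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r,` rule appears to handle; consider keeping a one-line version of it above the `@{att}` rule instead of dropping the explanation. Both changes land in a profile flagged `complain`, so the added write permission is not enforced yet, which is worth remembering when this profile is later switched to enforce mode.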
--- a/apparmor.d/abstractions/app/udevadm
+++ b/apparmor.d/abstractions/app/udevadm
@@ -11,7 +11,8 @@ /etc/udev/udev.conf r,
- @{run}/udev/data/* r,
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
 @{sys}/** r,
diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd
index da14cabf3..13864f2dd 100644
--- a/apparmor.d/groups/_full/sd
+++ b/apparmor.d/groups/_full/sd
@@ -187,7 +187,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
 owner @{run}/*/** rw,
 @{run}/udev/**/ r,
- @{run}/udev/data/* r,
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
 @{sys}/** r,
 @{sys}/fs/bpf/systemd/{,**} w,
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index 7310586e8..3ae0a7143 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@@ -47,7 +47,8 @@ profile systemd-analyze @{exec_path} {
 @{run}/systemd/system/ r,
 @{run}/systemd/transient/ r,
 @{run}/systemd/userdb/io.systemd.DynamicUser w,
- @{run}/udev/data/* r,
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
 @{run}/udev/tags/systemd/ r,
 @{sys}/devices/**/uevent r,
diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil
index 7c353bf65..d8cb23a5c 100644
--- a/apparmor.d/profiles-a-f/ddcutil
+++ b/apparmor.d/profiles-a-f/ddcutil
@@ -28,7 +28,8 @@ profile ddcutil @{exec_path} {
 owner @{user_cache_dirs}/ddcutil/ rw,
 owner @{user_cache_dirs}/ddcutil/** rwlk,
- @{run}/udev/data/* r,
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
 @{sys}/ r,
 @{sys}/bus/ r,