From c2952b1ec50cb09388650baa31be3f342d63ef11 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:43:39 +0100 Subject: [PATCH 01/16] feat(profiles): more flexibility in password-store dir name. --- apparmor.d/profiles-m-r/pass | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index b701b02b9..c85eac182 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -57,7 +57,7 @@ profile pass @{exec_path} { owner @{HOME}/.password-store/{,**} rw, owner @{user_projects_dirs}/**/*-store/{,**} rw, - owner @{user_config_dirs}/password-store/{,**} rw, + owner @{user_config_dirs}/*-store/{,**} rw, owner /dev/shm/pass.*/{,*} rw, @{PROC}/@{pids}/cmdline r, @@ -85,7 +85,7 @@ profile pass @{exec_path} { owner @{HOME}/.password-store/ r, owner @{user_projects_dirs}/**/*-store/ r, - owner @{user_config_dirs}/password-store/ r, + owner @{user_config_dirs}/*-store/ r, owner @{user_cache_dirs}/vim/{,**} rw, owner @{user_config_dirs}/vim/{,**} rw, @@ -120,8 +120,8 @@ profile pass @{exec_path} { owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**, owner @{user_projects_dirs}/**/*-store/ rw, owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, - owner @{user_config_dirs}/password-store/ rw, - owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**, + owner @{user_config_dirs}/*-store/ rw, + owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**, } From 1c97feb5c2a86cdb173a44aa856923b44ccdce36 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:45:31 +0100 Subject: [PATCH 02/16] feat(profiles): add modprobed-db. --- apparmor.d/profiles-m-r/modprobed-db | 45 ++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 apparmor.d/profiles-m-r/modprobed-db 
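Review bot: The widened `owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**` grants read, write, lock and link on any `~/.config/<anything>-store/` tree, not only `password-store`, because `*` matches a whole path component; an unrelated config directory whose name happens to end in `-store` becomes writable by pass. If the goal is to honour a custom `PASSWORD_STORE_DIR`, a narrower glob such as `{password,pass}*-store` or a dedicated tunable keeps the write scope to directories the user actually intends for pass. All three hunks apply the same widening (the `{,**}` read/write pair and the `rwkl` link rule), so the same narrowing belongs in each.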
diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db
new file mode 100644
index 000000000..e609bacd0
--- /dev/null
+++ b/apparmor.d/profiles-m-r/modprobed-db
@@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/modprobed-db
+profile modprobed-db @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/getent rix,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/logname rix,
+ /{usr/,}bin/md5sum rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/uniq rix,
+ /{usr/,}bin/wc rix,
+
+ /usr/share/terminfo/x/xterm-256color r,
+
+ owner @{user_config_dirs}/modprobed-db.conf r,
+ owner @{user_config_dirs}/modprobed.db rw,
+
+ owner /tmp/.inmem rw,
+ owner /tmp/.potential_new_db rw,
+
+ @{PROC}/modules r,
+ owner @{PROC}/@{pid}/loginuid r,
+
+ /dev/tty rw,
+
+ include if exists
+}
\ No newline at end of file
From 418107f11ea393e35b1feaf6d87883894de12ae3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 6 Oct 2022 20:47:22 +0100
Subject: [PATCH 03/16] feat(profiles): allow gvfs-metadata on some profile that really need it.
---
 apparmor.d/groups/gnome/evolution-source-registry | 5 ++---
 apparmor.d/groups/gnome/gnome-shell | 1 +
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry
index 463470b2d..7375dbe33 100644
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
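Review bot: `owner /tmp/.inmem rw,` and `owner /tmp/.potential_new_db rw,` hard-code the script's fixed, predictable scratch names in the shared `/tmp`; the `owner` qualifier is what makes this acceptable, since a file pre-created there by another user is denied rather than followed, so the failure mode is a script error and not a write into someone else's file. That reasoning should sit next to the rules, `# fixed scratch files of the upstream script; owner keeps other users' pre-created files out`, so a later "fix" for a denial does not simply drop `owner`. `/usr/share/terminfo/x/xterm-256color r,` only satisfies one `TERM` value and will produce new denials under any other terminal; `/usr/share/terminfo/** r,` is the usual shape. The new file also ends without a trailing newline.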
@@ -25,14 +25,13 @@ profile evolution-source-registry @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, - owner @{user_cache_dirs}/evolution/{,**} rwk, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index de80727b8..fe929c563 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -120,6 +120,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, owner @{user_cache_dirs}/gnome-boxes/*.png r, From ece652488648aaa43f997485ee2e4998607d2164 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:48:08 +0100 Subject: [PATCH 04/16] fix(profile): fix gio-launch-desktop attachments. --- apparmor.d/groups/gnome/gio-launch-desktop | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 22bcffe5d..3b0c34946 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/gio @{exec_path} += /{usr/,}bin/gio-launch-desktop -@{exec_path} += /{usr/,}lib/gio-launch-desktop @{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include 
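Review bot: The new `owner @{user_share_dirs}/gvfs-metadata/{,*} r,` in gnome-shell is a no-op in this commit: AppArmor gives `deny` rules precedence over allow rules regardless of their position in the profile, and gnome-shell's existing `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` is only removed in the last patch of this series. Either drop the deny here, as the evolution-source-registry hunk in the same commit does, or squash the two commits so the series stays bisectable. A short comment on the allow recording why these two profiles get the read where others keep the deny would also help the next reader.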
@@ -21,6 +20,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /{usr/,}lib/gio-launch-desktop rix, + # System files /etc/gnome/defaults.list r, /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, From e4e54a26ef437286afd2034b3498af7ddd2017b8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:50:41 +0100 Subject: [PATCH 05/16] feat(profiles): restrict path access in pacman. --- apparmor.d/groups/pacman/pacman | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 29684946b..623065e90 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -104,13 +104,13 @@ profile pacman @{exec_path} { # Install/update packages / r, - /*/ rwl, - /boot/{,**} rwl, - /etc/{,**} rwl, - /opt/{,**} rwl, - /srv/{,**} rwl, - /usr/{,**} rwlk, - /var/{,**} rwlk, + /*/ rw, + /boot/** rwl -> /boot/**, + /etc/** rwl -> /etc/**, + /opt/** rwl -> /opt/**, + /srv/** rwl -> /srv/**, + /usr/** rwlk -> /usr/**, + /var/** rwlk -> /var/**, @{PROC}/ r, @{run}/ r, From ddedb39f3d756bda775a08e8fa0d8cb5e9c81f09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:51:30 +0100 Subject: [PATCH 06/16] refactor: move profile in correct group. --- apparmor.d/{profiles-a-f => profiles-g-l}/losetup | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/{profiles-a-f => profiles-g-l}/losetup (100%) diff --git a/apparmor.d/profiles-a-f/losetup b/apparmor.d/profiles-g-l/losetup similarity index 100% rename from apparmor.d/profiles-a-f/losetup rename to apparmor.d/profiles-g-l/losetup From 736e44a483af6c2888aad43d4ed224c5cb8bce68 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:53:54 +0100 Subject: [PATCH 07/16] feat(profiles): general update. --- apparmor.d/groups/apt/dpkg | 49 +++++++------------ apparmor.d/groups/apt/unattended-upgrade | 5 +- apparmor.d/groups/grub/grub-mkconfig | 20 +++++--- apparmor.d/groups/network/NetworkManager | 1 + .../groups/pacman/archlinux-keyring-wkd-sync | 4 +- apparmor.d/profiles-s-z/wpa-supplicant | 15 +++--- 6 files changed, 45 insertions(+), 49 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 0593605a0..282cbe041 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -28,18 +29,13 @@ profile dpkg @{exec_path} { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, /{usr/,}bin/rm rix, - # Do not strip env to avoid errors like the following: - # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open - # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/dpkg-deb rpx, - # + /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/dpkg-split rPx, - /{usr/,}lib/needrestart/dpkg-status rPx, - /usr/share/debian-security-support/check-support-status.hook rPx, /{usr/,}bin/pager rCx -> diff, @@ -47,6 +43,9 @@ profile dpkg @{exec_path} { /{usr/,}bin/more rCx -> diff, /{usr/,}bin/diff rCx -> diff, + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + # Run the package maintainer's scripts # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) # Move it to a child profile once more transitions will be available 
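Review bot: The comment explaining why `dpkg-deb` and `dpkg-query` use lower-case `rpx` (no environment scrubbing, so `LD_PRELOAD=libfakeroot-sysv.so` survives the transition) is removed while both rules keep `rpx`; without the rationale the next cleanup will "fix" them to `rPx` and reintroduce the exact `ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded` failure the comment recorded. Keep it next to the rules, e.g. `# rpx (not rPx): keep LD_PRELOAD so fakeroot's libfakeroot-sysv.so still loads in dpkg-deb/dpkg-query`. The removal of the `needrestart/dpkg-status` and `check-support-status.hook` transitions is unexplained in the message; if they were moved because apt, not dpkg, invokes those hooks, the commit should say so. The `dpkg` profile header is outside this hunk.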
@@ -67,19 +66,9 @@ profile dpkg @{exec_path} { #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/sys/kernel/random/boot_id r, - - owner /tmp/apt-dpkg-install-*/ r, - /var/log/dpkg.log w, /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - @{run}/systemd/userdb/ r, - # For shell pwd /root/ r, @@ -120,9 +109,14 @@ profile dpkg @{exec_path} { /var/*.dpkg-new/ rw, /var/*/ rw, - # file_inherit - owner /dev/tty[0-9]* rw, + owner /tmp/apt-dpkg-install-*/ r, + @{run}/systemd/userdb/ r, + + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/sys/kernel/random/boot_id r, + + owner /dev/tty[0-9]* rw, profile diff { include @@ -134,19 +128,19 @@ profile dpkg @{exec_path} { /{usr/,}bin/more mr, /{usr/,}bin/diff mr, + /etc/** r, # Diff changed config files + /root/ r, # For shell pwd + owner @{HOME}/.lesshs* rw, - # Diff changed config files - /etc/** r, - - # For shell pwd - /root/ r, - } profile scripts { include + /{usr/,}{s,}bin/ r, + /{usr/,}{s,}bin/* rPUx, + /var/lib/dpkg/info/*.config r, /var/lib/dpkg/info/*.{preinst,postinst} r, /var/lib/dpkg/info/*.{prerm,postrm} r, @@ -154,11 +148,6 @@ profile dpkg @{exec_path} { /var/lib/dpkg/tmp.ci/{preinst,postinst} r, /var/lib/dpkg/tmp.ci/{prerm,postrm} r, - /{usr/,}bin/ r, - /{usr/,}bin/* rPUx, - /{usr/,}sbin/ r, - /{usr/,}sbin/* rPUx, - } include if exists diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 9ea5fe83e..fad95e44d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade 
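Review bot: `/{usr/,}{s,}bin/* rPUx,` in the `scripts` child means every tool without its own profile runs fully unconfined once the still commented-out `rCx -> scripts` transitions are enabled, so the child is a dispatcher rather than a sandbox for maintainer scripts; that is a known trade-off, but it deserves a comment on the rule, `# PUx: no profile -> unconfined; maintainer scripts may call any tool`, so it is read together with the FIXME above. In the `diff` child, `/etc/** r,` is granted so the pager/diff can show config changes, which for a root-run dpkg includes `/etc/shadow`; a one-line note that this is intentional would stop it being flagged again. The enclosing `dpkg` profile starts outside this hunk.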
@@ -81,14 +81,17 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, + /etc/default/grub.d/* r, /etc/dpkg/origins/{debian,ubuntu,} r, + /etc/grub.d/* r, /etc/issue{.net,} r, + /etc/kernel/*.d/*grub* r, /etc/legal r, /etc/lsb-release r, /etc/profile.d/* r, - /etc/update-motd.d/* r, /etc/update-manager/{,**} r, /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r, + /etc/update-motd.d/* r, /etc/machine-id r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 3341b30c6..91ebc8ee9 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,10 +12,17 @@ profile grub-mkconfig @{exec_path} flags=(complain) { include include + capability dac_override, capability dac_read_search, @{exec_path} mr, - /etc/grub.d/{**,} rix, + + /{usr/,}{local/,}{s,}bin/zfs rPx, + /{usr/,}{local/,}{s,}bin/zpool rPx, + /{usr/,}{s,}bin/dmsetup rPUx, + /{usr/,}{s,}bin/grub-probe rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{e,f,}grep rix, /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, 
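Review bot: `/etc/update-motd.d/* r,` re-added after `/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,` makes the explicit pair redundant, since the wildcard already matches both names; keep one, and the narrow rule is the safer choice unless the wildcard was deliberate. The new `/etc/default/grub.d/*`, `/etc/grub.d/*` and `/etc/kernel/*.d/*grub*` reads presumably come from kernel postinst hooks running under this profile rather than from unattended-upgrade itself; a comment naming the caller, `# read by kernel postinst / update-grub hooks`, would make that clear. The profile header is outside this hunk.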
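Review bot: `capability dac_override,` is added to grub-mkconfig on top of the existing `dac_read_search` with no comment; `dac_override` also bypasses write-permission checks, a noticeably bigger grant than read/search. If a specific denial motivated it, record the path next to the rule, `# dac_override: <path from the denial>`, otherwise try without it now that `/boot/grub/{**,} rw` is granted explicitly. The profile is still `flags=(complain)`, so a missing capability is only logged, which is the right time to find out. `/{usr/,}{s,}bin/dmsetup rPUx,` falls back to unconfined when no dmsetup profile is installed; worth a note if that is intended.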
@@ -26,22 +34,21 @@ profile grub-mkconfig @{exec_path} flags=(complain) { /{usr/,}bin/find rix, /{usr/,}bin/findmnt rPx, /{usr/,}bin/gettext rix, - /{usr/,}bin/{e,f,}grep rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/grub-mkrelpath rPx, /{usr/,}bin/grub-script-check rPx, /{usr/,}bin/head rix, /{usr/,}bin/id rPx, /{usr/,}bin/ls rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/mktemp rix, /{usr/,}bin/mount rPx, /{usr/,}bin/mountpoint rix, + /{usr/,}bin/os-prober rPx, /{usr/,}bin/paste rix, /{usr/,}bin/readlink rix, /{usr/,}bin/rm rix, /{usr/,}bin/rmdir rix, /{usr/,}bin/sed rix, - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/sort rix, /{usr/,}bin/stat rix, /{usr/,}bin/tail rix, @@ -49,10 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(complain) { /{usr/,}bin/umount rPx, /{usr/,}bin/uname rix, /{usr/,}bin/which{.debianutils,} rix, - /{usr/,}{s,}bin/dmsetup rPUx, - /{usr/,}{s,}bin/grub-probe rPx, - /{usr/,}{local/,}{s,}bin/zfs rPx, - /{usr/,}{local/,}{s,}bin/zpool rPx, + /etc/grub.d/{**,} rix, /boot/{**,} r, /boot/grub/{**,} rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index c612f740c..58556391d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -87,6 +87,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/dnsmasq rPx, /{usr/,}bin/resolvconf rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}lib/nm-dhcp-helper rPx, diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index 12254a2cc..b6ffe7f3d 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync 
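Review bot: `/{usr/,}bin/dnsmasq rPx,` in NetworkManager matches only the Arch layout; on Debian and Ubuntu the binary from `dnsmasq-base` is installed as `/usr/sbin/dnsmasq`, so connection sharing will still hit an exec denial there. `/{usr/,}{s,}bin/dnsmasq rPx,` covers both. Note that `rPx` refuses the exec outright when no `dnsmasq` profile is loaded, rather than running it unconfined, so confirm a profile ships for every distribution this tree targets.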
@@ -22,9 +22,9 @@ profile archlinux-keyring-wkd-sync @{exec_path} { /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/bash rix, + /{usr/,}bin/dirmngr rix, /{usr/,}bin/gpg rix, /{usr/,}bin/pacman-conf rix, - /{usr/,}bin/dirmngr rix, /etc/pacman.conf r, /etc/pacman.d/*-mirrorlist r, @@ -35,5 +35,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/tty rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 32472fb93..af1531bb5 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -38,23 +38,20 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/wpa_supplicant/wpa_supplicant.conf rw, + /etc/wpa_supplicant/wpa_supplicant.conf.tmp rw, + /etc/libnl/{classid,pktloc} r, + @{HOME}/.cat_installer/*.pem r, owner @{run}/wpa_supplicant/{,**} rw, - /etc/wpa_supplicant/wpa_supplicant.conf r, - /etc/libnl/{classid,pktloc} r, - - /dev/rfkill r, + @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r, @{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw, @{PROC}/sys/net/ipv[4,6]/conf/wlp*/drop_* rw, - @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r, - - # For wpa_gui - #/etc/wpa_supplicant/wpa_supplicant.conf w, - #/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw, + /dev/rfkill rw, include if exists } From 7632a2c1688685370981cc91f63c69662162cea3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:54:55 +0100 Subject: [PATCH 08/16] build: better change build dev container name. --- dists/build/build.sh | 54 +++++++++++++++++++++++--------------------- 1 file changed, 28 insertions(+), 26 deletions(-) diff --git a/dists/build/build.sh b/dists/build/build.sh index 12e6789ce..4aa838799 100644 --- a/dists/build/build.sh +++ b/dists/build/build.sh 
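Review bot: `/etc/wpa_supplicant/wpa_supplicant.conf rw,` and `/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,` turn the previously read-only rule (write was only a commented-out "for wpa_gui" option) into unconditional write access to the file that stores network PSKs. wpa_supplicant only rewrites it when the config sets `update_config=1` and a control client issues `SAVE_CONFIG`, so a comment stating that, `# w: update_config=1 / SAVE_CONFIG rewrite via .tmp + rename`, keeps the reason visible. The least-privilege split would be to leave the default at `r` and put the `w` into the `local/wpa-supplicant` override for users who enable it. `/dev/rfkill rw,` likewise moved from `r` without a note on what toggles rfkill.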
@@ -8,6 +8,7 @@ set -eu readonly BASEIMAGE="${BASEIMAGE:-}" +readonly IMAGEPREFIX="builder-" readonly PKGNAME=apparmor.d readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp @@ -17,13 +18,13 @@ PACKAGER="$(git config user.name) <$(git config user.email)>" readonly VERSION PACKAGER _start() { - local name="$1" - docker start "$name" + local img="$1" + docker start "$img" } _is_running() { - local name="$1" - res="$(docker inspect -f '{{ .State.Running }}' "$name")" &>/dev/null + local img="$1" + res="$(docker inspect -f '{{ .State.Running }}' "$img")" &>/dev/null exist=$? if [[ $exist -ne 0 ]]; then return $exist @@ -35,8 +36,8 @@ _is_running() { } _exist() { - local name="$1" - docker inspect -f '{{ .State.Running }}' "$name" &>/dev/null + local img="$1" + docker inspect -f '{{ .State.Running }}' "$img" &>/dev/null } sync() { 
@@ -45,42 +46,44 @@ sync() { } build_in_docker_makepkg() { - local name="$1" + local dist="$1" + local img="$IMAGEPREFIX$dist" - if _exist "$name"; then - if ! _is_running "$name"; then - _start "$name" + if _exist "$img"; then + if ! _is_running "$img"; then + _start "$img" fi else - docker build -t "$BASEIMAGE$name" "dists/build/$name" - docker run -tid --name "$name" --volume "$VOLUME:$BUILDIR" \ + docker build -t "$BASEIMAGE$img" "dists/build/$dist" + docker run -tid --name "$img" --volume "$PWD:$BUILDIR" \ --env MAKEFLAGS="-j$(nproc)" --env PACKAGER="$PACKAGER" \ - --env PKGDEST="$BUILDIR" --env DIST="$name" \ - "$BASEIMAGE$name" + --env PKGDEST="$BUILDIR" --env DIST="$dist" \ + "$BASEIMAGE$img" fi - docker exec -i --workdir="$BUILDIR/$PKGNAME" "$name" \ + docker exec -i "$img" \ makepkg -sfC --noconfirm --noprogressbar mv "$VOLUME/$PKGNAME"-*.pkg.* . } build_in_docker_dpkg() { - local name="$1" + local dist="$1" + local img="$IMAGEPREFIX$dist" - if _exist "$name"; then - if ! _is_running "$name"; then - _start "$name" + if _exist "$img"; then + if ! _is_running "$img"; then + _start "$img" fi else - docker build -t "$BASEIMAGE$name" "dists/build/$name" - docker run -tid --name "$name" --volume "$VOLUME:$BUILDIR" \ - --env DEBIAN_FRONTEND=noninteractive --env DIST="$name" \ - "$BASEIMAGE$name" + docker build -t "$BASEIMAGE$img" "dists/build/$dist" + docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ + --env DEBIAN_FRONTEND=noninteractive --env DIST="$dist" \ + "$BASEIMAGE$img" fi - docker exec --workdir="$BUILDIR/$PKGNAME" "$name" \ + docker exec --workdir="$BUILDIR/$PKGNAME" "$img" \ dch --newversion="$VERSION" --urgency=medium --distribution=stable --controlmaint "Release $VERSION" - docker exec --workdir="$BUILDIR/$PKGNAME" "$name" \ + docker exec --workdir="$BUILDIR/$PKGNAME" "$img" \ dpkg-buildpackage -b -d --no-sign mv "$VOLUME/${PKGNAME}_${VERSION}"_*.* . } 
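Review bot: In `build_in_docker_makepkg` the container now mounts `$PWD` at `$BUILDIR` while `PKGDEST="$BUILDIR"` is unchanged, so makepkg writes the package straight into the working tree, yet the function still ends with the unchanged `mv "$VOLUME/$PKGNAME"-*.pkg.* .`; with `sync` dropped from the archlinux case `$VOLUME` is never populated, and under `set -eu` the unmatched glob makes `mv` fail and abort the script after a successful build. Remove that `mv` (or point it at the new output location). Mounting the checkout read-write also means a failure inside the builder can now modify the source tree, which the rsync-to-`$VOLUME` step used to isolate; worth a comment if that is the accepted trade-off. `docker exec` lost its `--workdir`, so the build now depends on the image's `WORKDIR` being the package directory, presumably set in a Dockerfile not in this diff.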
@@ -88,7 +91,6 @@ build_in_docker_dpkg() { main() { case "$COMMAND" in archlinux) - sync build_in_docker_makepkg "$COMMAND" ;; From 28bb9b546f570068ebcea96a3c845b820d0e5f2b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:55:35 +0100 Subject: [PATCH 09/16] ci: add linter for dev container files. --- .gitlab-ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2073a9c64..ce00c7456 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -31,6 +31,12 @@ golangci-lint: script: - golangci-lint run +hadolint: + stage: lint + image: hadolint/hadolint:latest-alpine + script: + - hadolint dists/build/*/Dockerfile + sast: stage: lint From 75c6a32ee18ed1233e03465b463a3f1d5ef916ca Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:56:41 +0100 Subject: [PATCH 10/16] build: PKGBUILD for dev purpose only. --- PKGBUILD | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/PKGBUILD b/PKGBUILD index 71187a671..721374e2a 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -1,6 +1,9 @@ # Maintainer: Alexandre Pujol # shellcheck disable=SC2034,SC2154,SC2164 +# Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git +# for production use. + pkgname=apparmor.d pkgver=0.001 pkgrel=1 @@ -10,6 +13,7 @@ url="https://github.com/roddhjav/$pkgname" license=('GPL2') depends=('apparmor') makedepends=('go' 'git' 'rsync' 'lsb-release') +conflicts=("$pkgname-git") pkgver() { cd "$srcdir/$pkgname" @@ -17,7 +21,7 @@ pkgver() { } prepare() { - git clone "$startdir" "$srcdir/$pkgname" + rsync -a --delete "$startdir" "$srcdir" cd "$srcdir/$pkgname" ./configure --complain From 41b3f37a3fd460687591c38a1265215661c9b868 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:57:55 +0100 Subject: [PATCH 11/16] build: ignore autostart on Ubuntu. --- dists/ignore/ubuntu.ignore | 1 + 1 file changed, 1 insertion(+) 
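Review bot: `image: hadolint/hadolint:latest-alpine` pins nothing: a mutable tag means the lint job's behaviour, and the code that runs with this job's repository access, changes whenever upstream re-tags, and a compromised or hijacked tag is pulled silently. Pin a fixed version tag or, better, a digest, `image: hadolint/hadolint:<version>-alpine@sha256:<digest>`, and bump it deliberately.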
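Review bot: `rsync -a --delete "$startdir" "$srcdir"` copies the checkout directory under its own basename into `$srcdir`, so the following `cd "$srcdir/$pkgname"` only works when the clone is literally named `apparmor.d`; the old `git clone` named the target explicitly. With makepkg's default `srcdir=$startdir/src`, the source also contains its own destination, so each run presumably nests `src/apparmor.d/src/...` and drags `pkg/` and any built `*.pkg.tar*` along, which the clone never did. Name the destination and exclude the build directories: `rsync -a --delete --exclude=/src --exclude=/pkg "$startdir/" "$srcdir/$pkgname/"`.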
diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore index 9cafc6750..552f5bfd7 100644 --- a/dists/ignore/ubuntu.ignore +++ b/dists/ignore/ubuntu.ignore @@ -1,3 +1,4 @@ # Archlinux specific apparmor.d/groups/pacman +root/etc/xdg/autostart/apparmor-notify.desktop root/usr/share/libalpm From 75b25c7e07b4973e0d9e6a2cc4cde22764d904e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 20:59:07 +0100 Subject: [PATCH 12/16] build: update flags list. --- dists/flags/arch.flags | 1 + dists/flags/main.flags | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index dcd02b831..9dd9c6c1b 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags @@ -1,3 +1,4 @@ +archlinux-keyring-wkd-sync complain mkinitcpio attach_disconnected,complain pacman complain pacman-conf attach_disconnected,complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index cc51e5dd2..52789821f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -53,6 +53,7 @@ evince complain fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain +file-roller complain flatpak-session-helper complain fprintd attach_disconnected,complain fsck-ext4 complain @@ -108,7 +109,7 @@ mke2fs complain ModemManager attach_disconnected,complain molly-guard complain mount complain -mullvad-daemon complain +mullvad-daemon attach_disconnected,complain mullvad-gui complain nautilus complain needrestart attach_disconnected,complain @@ -125,7 +126,7 @@ pinentry-gnome3 complain pinentry-gtk-2 complain pkttyagent complain plymouth complain -plymouth-set-default-theme complain +plymouth-set-default-theme attach_disconnected,complain plymouthd complain power-profiles-daemon attach_disconnected,complain qemu-ga complain 
@@ -199,7 +200,7 @@ systemd-user-runtime-dir complain systemd-user-sessions complain systemd-vconsole-setup complain systemd-xdg-autostart-generator complain -tailscaled complain +tailscaled attach_disconnected,complain tracker-extract complain udisksctl complain udisksd attach_disconnected,complain From f3e2ebfffa1275de51166cb3a2a569ffdc5b6e43 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Oct 2022 21:11:35 +0100 Subject: [PATCH 13/16] feat(aa-log): add support for multiple logger. --- cmd/aa-log/main.go | 71 ++++++++++++++++++++++++----------------- cmd/aa-log/main_test.go | 24 +++++++++----- 2 files changed, 58 insertions(+), 37 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 27cab29cb..4338f00d9 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -9,6 +9,7 @@ import ( "bytes" "encoding/hex" "encoding/json" + "errors" "flag" "fmt" "io" @@ -22,9 +23,9 @@ import ( // Command line options var ( - dbus bool - help bool - path string + help bool + path string + systemd bool ) // LogFile is the default path to the file to query 
@@ -94,20 +95,33 @@ func removeDuplicateLog(logs []string) []string { return list } -// getJournalctlDbusSessionLogs return a reader with the logs entries -func getJournalctlDbusSessionLogs(file io.Reader, useFile bool) (io.Reader, error) { +// getAuditLogs return a reader with the logs entries from Auditd +func getAuditLogs(path string) (io.Reader, error) { + file, err := os.Open(filepath.Clean(path)) + if err != nil { + return nil, err + } + return file, err +} + +// getJournalctlLogs return a reader with the logs entries from Systemd +func getJournalctlLogs(path string, user bool, useFile bool) (io.Reader, error) { var logs []SystemdLog var stdout bytes.Buffer var value string if useFile { - content, err := ioutil.ReadAll(file) + content, err := ioutil.ReadFile(filepath.Clean(path)) if err != nil { return nil, err } value = string(content) } else { - cmd := exec.Command("journalctl", "--user", "-b", "-u", "dbus.service", "-o", "json") + mode := "--system" + if user { + mode = "--user" + } + cmd := exec.Command("journalctl", mode, "--boot", "--unit=dbus.service", "--output=json") cmd.Stdout = &stdout if err := cmd.Run(); err != nil { return nil, err 
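Review bot: `getAuditLogs` opens the file and returns it as a bare `io.Reader`, and the `defer file.Close()` that used to live in `aaLog` is removed in the same patch, so the `*os.File` is now never closed. Harmless for a one-shot CLI, but the signature hides it; return `io.ReadCloser` and close it in the caller, or read the file into memory the way the systemd branch does with `ioutil.ReadFile`. `return file, err` after the `err != nil` check is just `return file, nil`. In `getJournalctlLogs` the `--unit=dbus.service` filter is hard-coded for both `--system` and `--user`, so the "systemd" logger can never surface AppArmor events from other units; if that is intended, the `-s` flag text should say "dbus" explicitly, which it does, but the function name suggests more.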
@@ -242,29 +256,23 @@ func (aaLogs AppArmorLogs) String() string { return res } -func aaLog(path string, profile string, dbus bool) error { - file, err := os.Open(filepath.Clean(path)) +func aaLog(logger string, path string, profile string) error { + var err error + var file io.Reader + + switch logger { + case "auditd": + file, err = getAuditLogs(path) + case "systemd": + file, err = getJournalctlLogs(path, true, path != LogFile) + default: + err = errors.New("Logger not supported: " + logger) + } if err != nil { return err } - /* #nosec G307 */ - defer func() { - if err := file.Close(); err != nil { - fmt.Println(err) - } - }() - - if dbus { - file, err := getJournalctlDbusSessionLogs(file, path != LogFile) - if err != nil { - return err - } - aaLogs := NewApparmorLogs(file, profile) - fmt.Print(aaLogs.String()) - } else { - aaLogs := NewApparmorLogs(file, profile) - fmt.Print(aaLogs.String()) - } + aaLogs := NewApparmorLogs(file, profile) + fmt.Print(aaLogs.String()) return nil } @@ -272,7 +280,7 @@ func init() { flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.StringVar(&path, "f", LogFile, "Set a log`file` or a suffix to the default log file.") - flag.BoolVar(&dbus, "d", false, "Show dbus session event.") + flag.BoolVar(&systemd, "s", false, "Parse systemd dbus logs.") } func main() { @@ -293,12 +301,17 @@ func main() { profile = flag.Args()[0] } + logger := "auditd" + if systemd { + logger = "systemd" + } + logfile := filepath.Clean(LogFile + "." + path) if _, err := os.Stat(logfile); err != nil { logfile = path } - err := aaLog(logfile, profile, dbus) + err := aaLog(logger, logfile, profile) if err != nil { fmt.Println(err) os.Exit(1) diff --git a/cmd/aa-log/main_test.go b/cmd/aa-log/main_test.go index c33c5f5a9..b62f7a1c1 100644 --- a/cmd/aa-log/main_test.go +++ b/cmd/aa-log/main_test.go 
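Review bot: `aaLog` calls `getJournalctlLogs(path, true, path != LogFile)` with `user` hard-wired to `true`, so the new `--system` branch is unreachable from the CLI; either expose a flag for it or drop the parameter until it is used. `errors.New("Logger not supported: " + logger)` breaks the Go convention of lower-case error strings that `golangci-lint`'s stylecheck flags if enabled; `fmt.Errorf("logger not supported: %s", logger)`. Also note the interaction in `main`: `logfile := filepath.Clean(LogFile + "." + path)` is tried first, so `-s -f foo` parses `LogFile.foo` as journalctl JSON whenever that file exists, which is probably not what the suffix feature intended.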
@@ -217,15 +217,17 @@ func TestNewApparmorLogs(t *testing.T) { } } -func Test_getJournalctlDbusSessionLogs(t *testing.T) { +func Test_getJournalctlLogs(t *testing.T) { tests := []struct { name string path string + user bool useFile bool want AppArmorLogs }{ { name: "gsd-xsettings", + user: true, useFile: true, path: "../../tests/systemd.log", want: AppArmorLogs{ @@ -253,8 +255,7 @@ func Test_getJournalctlDbusSessionLogs(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - file, _ := os.Open(tt.path) - reader, _ := getJournalctlDbusSessionLogs(file, tt.useFile) + reader, _ := getJournalctlLogs(tt.path, tt.user, tt.useFile) if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) { t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) } @@ -310,36 +311,43 @@ func TestAppArmorLogs_String(t *testing.T) { func Test_app(t *testing.T) { tests := []struct { name string + logger string path string profile string - dbus bool wantErr bool }{ { name: "Test audit.log", + logger: "auditd", path: "../../tests/audit.log", profile: "", - dbus: false, wantErr: false, }, { name: "Test Dbus Session", + logger: "systemd", path: "../../tests/systemd.log", profile: "", - dbus: true, wantErr: false, }, { name: "No logfile", + logger: "auditd", path: "../../tests/log", profile: "", - dbus: false, + wantErr: true, + }, + { + name: "Logger not supported", + logger: "raw", + path: "../../tests/audit.log", + profile: "", wantErr: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - if err := aaLog(tt.path, tt.profile, tt.dbus); (err != nil) != tt.wantErr { + if err := aaLog(tt.logger, tt.path, tt.profile); (err != nil) != tt.wantErr { t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr) } }) From e226f4eb037a07ddf714dbbe814c2a014cea9dba Mon Sep 17 00:00:00 2001 
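Review bot: `reader, _ := getJournalctlLogs(tt.path, tt.user, tt.useFile)` discards the error; if the fixture cannot be read, `reader` is nil and `NewApparmorLogs(nil, …)` fails with a message unrelated to the real cause. Check it: `reader, err := getJournalctlLogs(tt.path, tt.user, tt.useFile)` followed by `if err != nil { t.Fatal(err) }`. The new "Logger not supported" case in `Test_app` is good, but no table entry uses `user: false`, so the `--system` path stays untested.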
From: Alexandre Pujol
Date: Thu, 6 Oct 2022 21:13:05 +0100
Subject: [PATCH 14/16] feat(profiles): add iwd.
---
 apparmor.d/groups/network/iwd | 43 +++++++++++++++++++++++++++++
 dists/flags/main.flags | 1 +
 2 files changed, 44 insertions(+)
 create mode 100644 apparmor.d/groups/network/iwd
diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd
new file mode 100644
index 000000000..c85017ee8
--- /dev/null
+++ b/apparmor.d/groups/network/iwd
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/iwd/iwd
+profile iwd @{exec_path} {
+ include
+
+ capability net_admin,
+ capability net_raw,
+ capability net_bind_service,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+ network netlink dgram,
+ network alg seqpacket,
+
+ @{exec_path} mr,
+
+ /etc/iwd/{,**} r,
+ /var/lib/iwd/{,**} rw,
+
+ @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/* r,
+ @{sys}/devices/pci[0-9]*/**/modalias r,
+
+ @{PROC}/sys/net/ipv{4,6}/conf/wlan[0-9]*/arp_* rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/wlan[0-9]*/drop_* rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/wlan[0-9]*/ndisc_* rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/wlp*/arp_* rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/wlp*/ndisc_* rw,
+
+ /dev/rfkill rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 52789821f..694d16e90 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -89,6 +89,7 @@ ibus-memconf complain
 im-launch complain
 install-info complain
 irqbalance complain
+iwd complain
 kernel-install complain
 kmod attach_disconnected,complain
 last complain
From d629ac5788abba628f933a3e4b258869f2f6dddd Mon Sep 17 00:00:00 2001
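Review bot: `@{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/* r,` matches only a single-digit phy index and only devices under a PCI root; phy numbers keep growing as adapters are re-probed, and SoC Wi-Fi lives under `@{sys}/devices/platform/`, so both will surface as denials. `@{sys}/devices/**/ieee80211/phy[0-9]*/* r,` covers them (the wpa-supplicant profile carries the same `phy[0-9]` limitation). `/var/lib/iwd/{,**} rw,` is where iwd keeps its per-network profiles, passphrases included, so a comment marking it as the credential store would discourage later widening. The file also ends without a trailing newline.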
From: Alexandre Pujol Date: Thu, 6 Oct 2022 21:44:57 +0100 Subject: [PATCH 15/16] doc: expand on the enforce mode swicth. --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c42028b8a..87e10c34d 100644 --- a/README.md +++ b/README.md @@ -170,12 +170,18 @@ Then, reload the apparmor rules with `sudo systemctl restart apparmor`. ## Enfore Mode The default package configuration installs all profile in *complain* mode. -You can easily switch to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual: +Once you tested them and it works fine, you can easily switch to *enforce* mode. +To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove +the `--complain` option to the configure script. Then build the package as usual: ```diff - ./configure --complain + ./configure ``` +Do not worry, the profiles that are not considered stable are kept in complain mode. +They can be tracked in the `dists/flags` directory. + + ## Troubleshooting **AppArmor messages** From eddf6bfc4fbd6352a37465fc4e811654e22b3f2c Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 8 Oct 2022 13:13:44 +0100 Subject: [PATCH 16/16] feat(profiles): general update. --- apparmor.d/abstractions/totem | 5 +++-- apparmor.d/groups/bus/ibus-engine-table | 2 -- apparmor.d/groups/freedesktop/pipewire | 9 +++++---- apparmor.d/groups/freedesktop/pipewire-pulse | 1 + apparmor.d/groups/freedesktop/update-desktop-database | 8 ++++---- apparmor.d/groups/gnome/gnome-shell | 5 ++--- apparmor.d/groups/systemd/journalctl | 4 +++- apparmor.d/groups/systemd/systemd-machine-id-setup | 2 ++ apparmor.d/groups/systemd/systemd-mount | 2 ++ apparmor.d/groups/systemd/userdbctl | 4 +++- apparmor.d/profiles-a-f/code-git-editor | 2 ++ apparmor.d/profiles-s-z/sbctl | 2 +- apparmor.d/profiles-s-z/vlc-cache-gen | 2 ++ 13 files changed, 30 insertions(+), 18 deletions(-) diff --git a/apparmor.d/abstractions/totem b/apparmor.d/abstractions/totem index c14ff3d06..41da792ac 100644 --- a/apparmor.d/abstractions/totem +++ b/apparmor.d/abstractions/totem @@ -40,7 +40,6 @@ owner @{user_config_dirs}/totem/** rwk, owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/totem/ rwk, owner @{user_share_dirs}/tracker/data/tracker-store.journal rwk, @@ -50,6 +49,8 @@ @{run}/udev/data/+drm:card* r, @{run}/udev/data/+usb* r, - /sys/devices/system/node/*/meminfo r, + @{sys}/devices/system/node/*/meminfo r, + + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists \ No newline at end of file diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index 9e1104918..395f89f9f 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table @@ -13,7 +13,5 @@ profile ibus-engine-table @{exec_path} { @{exec_path} mr, - /{usr/,}bin/python3.[0-9]* rix, - include if exists } \ No newline at end of file 
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 46c7cd733..1c3864ff6 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -29,15 +29,18 @@ profile pipewire @{exec_path} { @{exec_path} mr, - /{usr/,}bin/pipewire-media-session rPx, + /{usr/,}bin/pactl rPx, + /{usr/,}bin/pipewire-media-session rPx, - /usr/share/pipewire/pipewire.conf r, + /usr/share/pipewire/pipewire*.conf r, /etc/pipewire/client.conf r, /etc/pipewire/pipewire-pulse.conf.d/{,*} r, /etc/pipewire/pipewire.conf r, /etc/pipewire/pipewire.conf.d/{,*} r, + / r, + owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk, @{sys}/devices/virtual/dmi/id/product_name r, @@ -45,8 +48,6 @@ profile pipewire @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - / r, - /dev/video[0-9]* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index af39a1a92..c495a8d99 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -33,6 +33,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/pulse/cookie rwk, owner @{run}/user/@{uid}/pulse/pid w, + owner /tmp/librnnoise-[0-9]*.so rm, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 608595e6c..5b2ce5ce7 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database 
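Review bot: `owner /tmp/librnnoise-[0-9]*.so rm,` lets pipewire-pulse map executable code out of the world-writable `/tmp`; `owner` only requires the file to belong to the same uid, so any other process of that user whose profile can write to `/tmp` can drop a `librnnoise-1.so` there and have it loaded into pipewire-pulse, a cross-profile escape even though it crosses no uid boundary. If this exists for a noise-suppression plugin that extracts its library to `/tmp` at runtime (the extractor is not visible here), say so in a comment, `# FIXME: code loaded from /tmp, needed by <plugin>`, and prefer a path under `@{user_cache_dirs}` or a local override for the users who need it. The profile header is outside this hunk.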
@@ -24,10 +24,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
  /usr/share/*/*.desktop r,
- /var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
- /var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
- /var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
- /var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,
+ /var/lib/flatpak/{app/**/,}export/share/applications/{,**/} r,
+ /var/lib/flatpak/{app/**/,}export/share/applications/**.desktop r,
+ /var/lib/flatpak/{app/**/,}export/share/applications/.mimeinfo.cache.* rw,
+ /var/lib/flatpak/{app/**/,}export/share/applications/mimeinfo.cache w,
  /var/lib/snapd/desktop/applications/{,**/} r,
  /var/lib/snapd/desktop/applications/**.desktop r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index fe929c563..25c61c5a9 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -108,8 +108,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/snapd/desktop/icons/{,**} r,
  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
- owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{HOME}/.var/app/**/icons/**.png r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
  owner @{user_music_dirs}/**/*.jpg r,
@@ -206,7 +207,5 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /dev/input/event[0-9]* rw,
  /dev/tty[0-9]* rw,
- deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
  include if exists
 }
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index 772c7c4b6..e9efcd575 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/journalctl
-profile journalctl @{exec_path} {
+profile journalctl @{exec_path} flags=(attach_disconnected) {
  include
  include
  include
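Review bot: The `exports` to `export` rename in the update-desktop-database hunk fixes the per-app path but, as far as I know, breaks the system-wide one: flatpak exposes installed desktop files under `/var/lib/flatpak/exports/share/applications/` (plural) and under each app deployment's `export/share/applications/` (singular), so with the empty alternative of `{app/**/,}` the four new rules now match a `/var/lib/flatpak/export/` directory that does not exist. Moving the suffix into the alternation covers both layouts, e.g. `/var/lib/flatpak/{app/**/export,exports}/share/applications/{,**/} r,`, and the same substitution applies to the three rules that follow it. Please verify against a host with both a system-installed flatpak and the command's own access log before merging.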
@@ -47,5 +47,7 @@ profile journalctl @{exec_path} {
  owner @{PROC}/@{pid}/cgroup r,
+ deny /apparmor/.null rw,
+
  include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup
index 86a0d4f70..b5124c602 100644
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@@ -17,5 +17,7 @@ profile systemd-machine-id-setup @{exec_path} {
  /etc/machine-id rw,
+ owner @{PROC}/@{pid}/stat r,
+
  include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount
index 3db963123..f658baea6 100644
--- a/apparmor.d/groups/systemd/systemd-mount
+++ b/apparmor.d/groups/systemd/systemd-mount
@@ -21,5 +21,7 @@ profile systemd-mount @{exec_path} {
  @{sys}/bus/ r,
  @{sys}/class/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
  include if exists
 }
diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl
index caaee986e..48f7b3452 100644
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@@ -16,7 +16,9 @@ profile userdbctl @{exec_path} {
  @{exec_path} mr,
- /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/more rPx -> child-pager,
+ /{usr/,}bin/pager rPx -> child-pager,
  /etc/shadow r,
  /etc/gshadow r,
diff --git a/apparmor.d/profiles-a-f/code-git-editor b/apparmor.d/profiles-a-f/code-git-editor
index c278becb6..9d1a76379 100644
--- a/apparmor.d/profiles-a-f/code-git-editor
+++ b/apparmor.d/profiles-a-f/code-git-editor
@@ -15,5 +15,7 @@ profile code-git-editor @{exec_path} {
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}lib/electron[0-9]*/electron rUx,
+ /dev/tty rw,
+
  include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl
index dcfd7c1e0..530e1d903 100644
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
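Review bot: `deny /apparmor/.null rw,` in the journalctl hunk, together with the new `flags=(attach_disconnected)` in the previous hunk, is added without a word on why; as far as I understand, `/apparmor/.null` is the placeholder AppArmor substitutes for file descriptors a confined task inherited but is not permitted to keep, so the deny only keeps those accesses out of the audit log rather than hardening anything. Which caller provoked this (a systemd unit, a pager, something else) is not visible here, please confirm. A short comment above the rule, `# Silence accesses on inherited fds that were revoked at exec (see attach_disconnected)`, records the intent so a later reader does not mistake it for a deliberate restriction.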
@@ -21,8 +21,8 @@ profile sbctl @{exec_path} {
  /{boot,efi}/{,**} r,
  /{boot,efi}/EFI/{,**} rw,
+ /{boot,efi}/vmlinuz-linux* rw,
  /{usr/,}lib/fwupd/efi/{,**} rw,
- /boot/vmlinuz-linux* rw,
  @{sys}/firmware/efi/efivars/db-@{uuid} rw,
  @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen
index 52fa5c277..0fa668cb7 100644
--- a/apparmor.d/profiles-s-z/vlc-cache-gen
+++ b/apparmor.d/profiles-s-z/vlc-cache-gen
@@ -15,6 +15,8 @@ profile vlc-cache-gen @{exec_path} {
  /{usr/,}lib/vlc/plugins/{,*} rw,
+ @{sys}/devices/system/cpu/possible r,
+
  # Inherit silencer
  deny network inet6 stream,
  deny network inet stream,