feat(fsp): remove the default profiles.

2025-05-26 23:20:37 +02:00 · 2025-05-26 23:20:37 +02:00 · 4ffbf84a00
commit 4ffbf84a00
parent 217448d09a
5 changed files with 0 additions and 260 deletions
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@ -1,56 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Default profile for bwrap.
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/bwrap
 profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/common/bwrap>
  include <abstractions/common/app>
  include <abstractions/dbus>
  include <abstractions/fontconfig-cache-write>
  capability dac_override,
  capability dac_read_search,
  capability sys_resource,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  ptrace peer=bwrap//&bwrap-app,
  signal peer=bwrap//&bwrap-app,
  signal (receive) set=(kill),
  @{bin}/**                         rm,
  @{lib}/**                         rm,
  /opt/*/**                         rm,
  /usr/share/*/*                    rm,
  @{bin}/**                         Px -> bwrap//&bwrap-app,
  @{bin}/xdg-dbus-proxy             Px -> bwrap//&xdg-dbus-proxy,
  # @{lib}/**                         Px -> bwrap//&bwrap-app,
  /opt/*/**                         Px -> bwrap//&bwrap-app,
  /usr/share/*/*                    Px -> bwrap//&bwrap-app,
  /usr/.ref rk,
  /bindfile@{rand6} rw,
  owner /var/cache/ w,
  owner @{run}/ld-so-cache-dir/* rw,
  include if exists <usr/bwrap.d>
  include if exists <local/bwrap>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/bwrap-app
+++ b/apparmor.d/groups/_full/bwrap-app
@ -1,36 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Default profile for user sandboxed application
 abi <abi/4.0>,
 include <tunables/global>
 profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/common/app>
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  ptrace peer=bwrap//&bwrap-app,
  signal peer=bwrap//&bwrap-app,
  @{bin}/**                       rmix,
  @{lib}/**                       rmix,
  /opt/*/**                       rmix,
  /usr/share/*/*                  rmix,
  owner /var/cache/ w,
  include if exists <usr/bwrap-app.d>
  include if exists <local/bwrap-app>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@ -1,122 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Default profile for unconfined programs
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = /**
 profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/consoles>
  include <abstractions/dbus-session>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/shells>
  include <abstractions/ssl_certs>
  include <abstractions/video>
  capability dac_override,
  capability dac_read_search,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,
  signal receive set=hup,
  @{bin}/bwrap           rPx -> bwrap,
  @{bin}/pipewire-pulse  rPx -> systemd//&pipewire-pulse,
  @{bin}/pulseaudio      rPx -> systemd//&pulseaudio,
  @{bin}/su              rPx -> default-sudo,
  @{bin}/sudo            rPx -> default-sudo,
  @{bin}/systemctl       rix,
  @{coreutils_path}      rix,
  @{shells_path}         rix,
  @{pager_path}          rPx -> child-pager,
 #   @{open_path}           rPx -> child-open,
  audit @{bin}/**        Pix,
  audit @{lib}/**        Pix,
  audit /opt/*/**        Pix,
  audit /usr/share/*/*   Pix,
  @{bin}/{,**} r,
  @{lib}/{,**} r,
  /usr/share/** r,
  /etc/xdg/** r,
  # Full access to user's data
  / r,
  /*/ r,
  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/** rwl,
  owner @{HOME}/{,**} rwlk,
  owner @{run}/user/@{uid}/{,**} rw,
  owner @{tmp}/{,**} rwk,
  owner @{run}/user/@{uid}/{,**} rwlk,
  @{run}/motd.dynamic.new rw,
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  @{sys}/ r,
  @{sys}/bus/ r,
  @{sys}/bus/pci/devices/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/class/hidraw/ r,
  @{sys}/class/input/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/**/input@{int}/ r,
  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/input/input@{int}/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/dmi/id/chassis_type r,
  @{sys}/firmware/acpi/pm_profile r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/seccomp/actions_avail r,
        @{PROC}/zoneinfo r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/gid_map w,
  owner @{PROC}/@{pid}/limits r,
  owner @{PROC}/@{pid}/loginuid r,
  owner @{PROC}/@{pid}/mem r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pids}/environ r,
  owner @{PROC}/@{pids}/task/ r,
        /dev/ r,
        /dev/ptmx rwk,
        /dev/tty rwk,
  owner /dev/tty@{int} rw,
  include if exists <usr/default.d>
  include if exists <local/default>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/default-sudo
+++ b/apparmor.d/groups/_full/default-sudo
@ -1,42 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/4.0>,
 include <tunables/global>
 profile default-sudo {
  include <abstractions/base>
  include <abstractions/app/sudo>
  capability chown,
  capability mknod,
  capability sys_ptrace,
  network inet dgram,
  network inet6 dgram,
  ptrace (read),
  @{bin}/su       mr,
  @{bin}/**       Px,
  @{lib}/**       Px,
  /opt/*/**       Px,
        /var/db/sudo/lectured/ r,
        /var/lib/extrausers/shadow r,
        /var/lib/sudo/lectured/ r,
  owner /var/db/sudo/lectured/@{uid} rw,
  owner /var/lib/sudo/lectured/* rw,
  owner @{HOME}/.sudo_as_admin_successful rw,
  @{run}/ r,
  @{run}/systemd/sessions/* r,
  include if exists <local/default-sudo>
 }
 # vim:syntax=apparmor
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -1,10 +1,6 @@
 # Common profile flags definition for all distributions
 # File format: one profile by line using the format: '<profile> <flags>'
 bwrap attach_disconnected,mediate_deleted,complain
 bwrap-app attach_disconnected,mediate_deleted,complain
 default attach_disconnected,mediate_deleted,complain
 default-sudo attach_disconnected,complain
 systemd attach_disconnected,mediate_deleted,complain
 systemd-service attach_disconnected,complain
 systemd-user attach_disconnected,mediate_deleted,complain