diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu index 2d08d6f7a..a03e9e2c9 100644 --- a/apparmor.d/abstractions/libvirt-qemu +++ b/apparmor.d/abstractions/libvirt-qemu @@ -32,6 +32,9 @@ # only modify its comm value or those in its thread group. owner @{PROC}/@{pid}/task/@{tid}/comm rw, @{PROC}/sys/kernel/cap_last_cap r, + @{PROC}/sys/vm/overcommit_memory r, + # detect hardware capabilities via qemu_getauxval + owner @{PROC}/*/auxv r, # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, @@ -166,6 +169,11 @@ /usr/{lib,lib64}/qemu/*.so mr, /usr/lib/@{multiarch}/qemu/*.so mr, + # let qemu load old shared objects after upgrades (LP: #1847361) + /{var/,}run/qemu/*/*.so mr, + # but explicitly deny writing to these files + audit deny /{var/,}run/qemu/*/*.so w, + # swtpm /{usr/,}bin/swtpm rmix, /usr/{lib,lib64}/libswtpm_libtpms.so mr, diff --git a/apparmor.d/adduser b/apparmor.d/adduser index 1a6cf53fa..17d4ecb47 100644 --- a/apparmor.d/adduser +++ b/apparmor.d/adduser @@ -38,19 +38,19 @@ profile adduser @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, - /{usr/,}bin/find rix, - /{usr/,}bin/rm rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/find rix, + /{usr/,}bin/rm rix, - /{usr/,}sbin/useradd rPx, - /{usr/,}sbin/userdel rPx, - /{usr/,}sbin/groupdel rPx, - /{usr/,}sbin/groupadd rPx, - /{usr/,}sbin/usermod rPx, - /{usr/,}bin/passwd rPx, - /{usr/,}bin/gpasswd rPx, - /{usr/,}bin/chfn rPx, - /{usr/,}bin/chage rPx, + /{usr/,}sbin/useradd rPx, + /{usr/,}sbin/userdel rPx, + /{usr/,}sbin/groupdel rPx, + /{usr/,}sbin/groupadd rPx, + /{usr/,}sbin/usermod rPx, + /{usr/,}bin/passwd rPx, + /{usr/,}bin/gpasswd rPx, + /{usr/,}bin/chfn rPx, + /{usr/,}bin/chage rPx, /etc/{group,passwd,shadow} r, diff --git a/apparmor.d/adequate b/apparmor.d/adequate index f2c6b54bb..38487c673 100644 --- a/apparmor.d/adequate +++ b/apparmor.d/adequate 
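Review bot: `owner @{PROC}/*/auxv r,` reads the auxiliary vector of every same-uid process, not just the confined one, and the comment does not say so; as far as I can tell qemu_getauxval reads the process's own auxv, but an AppArmor path rule cannot express "own pid" (the kernel resolves `/proc/self` to a number before matching), so `owner` is the only scoping available here. That is worth recording, since auxv carries per-process randomness and vDSO placement that other processes of the same user otherwise could not see: `# detect hardware capabilities via qemu_getauxval; reads /proc/self/auxv, but a path rule cannot pin the pid, so every same-uid auxv is readable`. Using `@{PROC}/@{pid}/auxv` would also match the sibling `comm` rule's style, though it is not materially narrower. The abstraction body continues outside the hunk.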
@@ -78,11 +78,11 @@ profile adequate @{exec_path} flags=(complain) { /usr/share/debconf/frontend r, /{usr/,}bin/perl r, - /{usr/,}bin/adequate rPx, + /{usr/,}bin/adequate rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, diff --git a/apparmor.d/amarok b/apparmor.d/amarok index 1575916b0..b65c133e5 100644 --- a/apparmor.d/amarok +++ b/apparmor.d/amarok @@ -61,7 +61,7 @@ profile amarok @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/amarokcollectionscanner rix, /{usr/,}bin/kde4-config rix, diff --git a/apparmor.d/android-studio b/apparmor.d/android-studio index 414858acf..3f5389e1d 100644 --- a/apparmor.d/android-studio +++ b/apparmor.d/android-studio @@ -32,6 +32,7 @@ profile android-studio @{exec_path} { #include #include #include + #include #include # The following rules are needed only when the kernel.unprivileged_userns_clone option is set @@ -47,7 +48,9 @@ profile android-studio @{exec_path} { signal (send) set=(term, kill) peer=android-studio//lsb-release, @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, + + /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/which rix, /{usr/,}bin/uname rix, @@ -91,6 +94,7 @@ profile android-studio @{exec_path} { /media/*/ r, /usr/ r, /{usr/,}lib/ r, + /{usr/,}lib{x32,32,64}/ r, @{AS_LIBDIR}/ rw, @{AS_LIBDIR}/** mrwkix, 
@@ -120,13 +124,32 @@ profile android-studio @{exec_path} { owner @{HOME}/AndroidStudio/DeviceExplorer/ rw, owner @{HOME}/AndroidStudio/DeviceExplorer/** rw, + owner @{HOME}/Android/ rw, + owner @{HOME}/Android/** mrwkix, + owner "@{HOME}/.config/Android Open Source Project/" rw, owner "@{HOME}/.config/Android Open Source Project/**" rwk, + owner @{HOME}/.config/Google/ rw, + owner @{HOME}/.config/Google/** rwk, + owner @{HOME}/.cache/ rw, owner "@{HOME}/.cache/Android Open Source Project/" rw, owner "@{HOME}/.cache/Android Open Source Project/**" rw, + owner @{HOME}/.cache/Google/ rw, + owner @{HOME}/.cache/Google/** rwk, + # To remove the following error: + # Location: /home/morfik/.cache/Google/AndroidStudio4.1/tmp + # java.io.IOException: Cannot run program + # "/home/morfik/.cache/Google/AndroidStudio4.1/tmp/ij659840309.tmp": error=13, Permission denied + owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix, + # + owner @{HOME}/.cache/Google/AndroidStudio*/tmp/jna[0-9]*.tmp mrwk, + + owner @{HOME}/.cache/JNA/ rw, + owner @{HOME}/.cache/JNA/** rw, + owner @{HOME}/.gradle/ rw, owner @{HOME}/.gradle/** mrwkix, @@ -135,8 +158,7 @@ profile android-studio @{exec_path} { owner @{HOME}/.android/** rwkl -> @{HOME}/.android/**, owner @{HOME}/.local/share/Google/ rw, - owner @{HOME}/.local/share/Google/consentOptions/ rw, - owner @{HOME}/.local/share/Google/consentOptions/accepted rw, + owner @{HOME}/.local/share/Google/** rw, owner @{HOME}/.local/share/kotlin/ rw, owner @{HOME}/.local/share/kotlin/** rw, @@ -214,6 +236,9 @@ profile android-studio @{exec_path} { /{usr/,}bin/gpg mr, + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + } profile lsb-release { @@ -250,7 +275,11 @@ profile android-studio @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, + + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}bin/spacefm rPx, 
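Review bot: `owner @{HOME}/.cache/Google/AndroidStudio*/tmp/ij[0-9]*.tmp rwkix,` lets the profile write a file and then execute it, so this rule (and `owner @{HOME}/Android/** mrwkix,` earlier in the same hunk) gives up write/execute separation inside the IDE's own cache; `ix` keeps the child under this profile, so it remains confined, but it is not separated from the IDE's privileges. The comment above it only quotes the error that motivated the rule, so I would add `# W+X: the IDE writes these helpers and runs them itself; ix keeps them under this profile` to record the trade-off for whoever tightens the profile later. If the helper names are stable, narrowing `ij[0-9]*.tmp` to the pattern actually observed would keep the exec surface to the minimum. The enclosing profile starts and ends outside the hunk.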
diff --git a/apparmor.d/anki b/apparmor.d/anki index a94cd5817..eec5e4259 100644 --- a/apparmor.d/anki +++ b/apparmor.d/anki @@ -120,8 +120,8 @@ profile anki @{exec_path} { /etc/mime.types r, # SyncThread - /{usr/,}bin/dash rix, - /{usr/,}bin/uname rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, /etc/ r, /etc/debian_version r, @@ -185,6 +185,10 @@ profile anki @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/anyremote b/apparmor.d/anyremote index 51c4c97ff..28a32839c 100644 --- a/apparmor.d/anyremote +++ b/apparmor.d/anyremote @@ -25,27 +25,26 @@ profile anyremote @{exec_path} { @{exec_path} rm, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/which rix, - /{usr/,}bin/head rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/sleep rix, - /{usr/,}bin/find rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/id rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/which rix, + /{usr/,}bin/head rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/sleep rix, + /{usr/,}bin/find rix, /{usr/,}bin/convert-im6.q16 rCx -> imagemagic, /{usr/,}bin/killall rCx -> killall, diff --git a/apparmor.d/apt b/apparmor.d/apt index a8232d65e..0fd069ae8 100644 --- a/apparmor.d/apt +++ b/apparmor.d/apt 
@@ -72,9 +72,9 @@ profile apt @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/test rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/test rix, + /{usr/,}bin/{,e}grep rix, /{usr/,}bin/ps rPx, /{usr/,}bin/dpkg rPx, @@ -110,6 +110,7 @@ profile apt @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/fd/ r, + /tmp/ r, owner /tmp/apt.conf.* rw, owner /tmp/apt.data.* rw, owner /tmp/apt-dpkg-install-*/ rw, @@ -128,7 +129,7 @@ profile apt @{exec_path} flags=(complain) { /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/which rix, owner @{HOME}/.selected_editor r, diff --git a/apparmor.d/apt-file b/apparmor.d/apt-file index 1387b718c..f1aea4c95 100644 --- a/apparmor.d/apt-file +++ b/apparmor.d/apt-file @@ -34,6 +34,9 @@ profile apt-file @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + # For shell pwd + /root/ r, + # file_inherit /var/log/cron-apt/temp w, diff --git a/apparmor.d/apt-get b/apparmor.d/apt-get index fa8e50ab0..44da03ee5 100644 --- a/apparmor.d/apt-get +++ b/apparmor.d/apt-get @@ -71,9 +71,9 @@ profile apt-get @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/test rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/test rix, + /{usr/,}bin/{,e}grep rix, /{usr/,}bin/ps rPx, /{usr/,}bin/dpkg rPx, @@ -114,6 +114,7 @@ profile apt-get @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/fd/ r, + /tmp/ r, owner /tmp/apt-tmp-index.* rw, owner /tmp/apt-dpkg-install-*/ rw, owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, 
@@ -134,16 +135,21 @@ profile apt-get @{exec_path} flags=(complain) { capability dac_read_search, + /{usr/,}bin/ r, /{usr/,}bin/sensible-pager mr, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, - /{usr/,}bin/less rix, + /{usr/,}bin/which rix, + /{usr/,}bin/less rix, owner @{HOME}/.less* rw, + owner /tmp/apt-changelog-*/ r, owner /tmp/apt-changelog-*/*.changelog r, + # For shell pwd + /root/ r, + } profile dpkg-source flags=(complain) { diff --git a/apparmor.d/apt-key b/apparmor.d/apt-key index 4593d27d5..a6eb903d9 100644 --- a/apparmor.d/apt-key +++ b/apparmor.d/apt-key @@ -20,25 +20,25 @@ profile apt-key @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cmp rix, - /{usr/,}bin/find rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/comm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/id rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uniq rix, - /{usr/,}bin/wc rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cmp rix, + /{usr/,}bin/find rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/comm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/id rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/uniq rix, + /{usr/,}bin/wc rix, /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpg rCx -> gpg, @@ -46,10 +46,15 @@ profile apt-key @{exec_path} { /{usr/,}bin/dpkg-query rPx, /{usr/,}bin/apt-config rPx, + # For shell pwd / r, + /etc/ r, + /root/ r, + /etc/apt/trusted.gpg r, /etc/apt/trusted.gpg.d/{,*.gpg} r, + /tmp/ r, owner /tmp/apt-key-gpghome.*/{,**} rw, 
diff --git a/apparmor.d/apt-listbugs b/apparmor.d/apt-listbugs index a213da157..74a52dbf9 100644 --- a/apparmor.d/apt-listbugs +++ b/apparmor.d/apt-listbugs @@ -26,11 +26,11 @@ profile apt-listbugs @{exec_path} { @{exec_path} r, /{usr/,}bin/ruby2.[0-9]* rix, - /{usr/,}bin/dash rix, - /{usr/,}bin/logname rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/logname rix, - /{usr/,}bin/apt-config rPx, - /{usr/,}bin/dpkg-query rPx, + /{usr/,}bin/apt-config rPx, + /{usr/,}bin/dpkg-query rPx, /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, diff --git a/apparmor.d/apt-listbugs-aptcleanup b/apparmor.d/apt-listbugs-aptcleanup index af1d74510..6cb2f0b5c 100644 --- a/apparmor.d/apt-listbugs-aptcleanup +++ b/apparmor.d/apt-listbugs-aptcleanup @@ -16,6 +16,7 @@ @{exec_path} = /usr/libexec/apt-listbugs/aptcleanup profile apt-listbugs-aptcleanup @{exec_path} { #include + #include #include @{exec_path} r, diff --git a/apparmor.d/apt-listbugs-migratepins b/apparmor.d/apt-listbugs-migratepins index f881177a5..e3bc6cdc6 100644 --- a/apparmor.d/apt-listbugs-migratepins +++ b/apparmor.d/apt-listbugs-migratepins @@ -16,6 +16,7 @@ @{exec_path} = /usr/libexec/apt-listbugs/migratepins profile apt-listbugs-migratepins @{exec_path} { #include + #include #include @{exec_path} r, diff --git a/apparmor.d/apt-listbugs-prefclean b/apparmor.d/apt-listbugs-prefclean index da7188cfb..87409ad6f 100644 --- a/apparmor.d/apt-listbugs-prefclean +++ b/apparmor.d/apt-listbugs-prefclean @@ -16,6 +16,7 @@ @{exec_path} = /usr/libexec/apt-listbugs/prefclean profile apt-listbugs-prefclean @{exec_path} { #include + #include #include @{exec_path} r, @@ -27,6 +28,8 @@ profile apt-listbugs-prefclean @{exec_path} { /{usr/,}bin/rm rix, /{usr/,}bin/cp rix, + / r, + owner /var/spool/apt-listbugs/lastprefclean rw, #include if exists diff --git a/apparmor.d/apt-listchanges b/apparmor.d/apt-listchanges index c9b1dce23..7a57bc7db 100644 --- a/apparmor.d/apt-listchanges +++ b/apparmor.d/apt-listchanges 
@@ -26,7 +26,7 @@ profile apt-listchanges @{exec_path} { /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/ r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/tar rix, /{usr/,}bin/hostname rPx, @@ -38,6 +38,10 @@ profile apt-listchanges @{exec_path} { /usr/share/apt-listchanges/{,**} r, /etc/apt/listchanges.conf r, + /etc/apt/listchanges.conf.d/{,*} r, + + /etc/apt/apt.conf r, + /etc/apt/apt.conf.d/{,*} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, @@ -47,8 +51,11 @@ profile apt-listchanges @{exec_path} { /var/lib/apt/listchanges{,-new}.db rw, /var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db, + /var/cache/apt/archives/ r, + owner @{PROC}/@{pid}/fd/ r, + /tmp/ r, owner /tmp/* rw, owner /tmp/apt-listchanges*/ rw, owner /tmp/apt-listchanges*/**/ rw, @@ -79,12 +86,17 @@ profile apt-listchanges @{exec_path} { /{usr/,}bin/sensible-pager mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/which rix, - /{usr/,}bin/less rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/which rix, + /{usr/,}bin/less rix, owner @{HOME}/.less* rw, + # For shell pwd + /root/ r, + + /tmp/ r, owner /tmp/apt-listchanges-tmp*.txt r, } diff --git a/apparmor.d/apt-methods-cdrom b/apparmor.d/apt-methods-cdrom index 298312f20..fb5c6c9f8 100644 --- a/apparmor.d/apt-methods-cdrom +++ b/apparmor.d/apt-methods-cdrom @@ -38,6 +38,11 @@ profile apt-methods-cdrom @{exec_path} { owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/partial/* rw, + # For shell pwd + / r, + /etc/ r, + /root/ r, + # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, diff --git a/apparmor.d/apt-methods-copy b/apparmor.d/apt-methods-copy index b2a83ebed..637d6917c 100644 --- a/apparmor.d/apt-methods-copy +++ b/apparmor.d/apt-methods-copy @@ -38,6 +38,11 @@ profile apt-methods-copy @{exec_path} { # apt-helper gets "no new privs" so "rix" it /{usr/,}lib/apt/apt-helper rix, + # For shell pwd + / r, + /etc/ r, + /root/ r, + /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, 
diff --git a/apparmor.d/apt-methods-file b/apparmor.d/apt-methods-file index 6f3289e91..a5523cf28 100644 --- a/apparmor.d/apt-methods-file +++ b/apparmor.d/apt-methods-file @@ -38,6 +38,11 @@ profile apt-methods-file @{exec_path} { # apt-helper gets "no new privs" so "rix" it /{usr/,}lib/apt/apt-helper rix, + # For shell pwd + / r, + /etc/ r, + /root/ r, + /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/apt-methods-ftp b/apparmor.d/apt-methods-ftp index 1373a526f..c119f0e21 100644 --- a/apparmor.d/apt-methods-ftp +++ b/apparmor.d/apt-methods-ftp @@ -38,6 +38,11 @@ profile apt-methods-ftp @{exec_path} { owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/partial/* rw, + # For shell pwd + / r, + /etc/ r, + /root/ r, + # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, diff --git a/apparmor.d/apt-methods-gpgv b/apparmor.d/apt-methods-gpgv index f3eb14597..0e2a1e83b 100644 --- a/apparmor.d/apt-methods-gpgv +++ b/apparmor.d/apt-methods-gpgv @@ -55,6 +55,11 @@ profile apt-methods-gpgv @{exec_path} { /{usr/,}bin/sort rix, /{usr/,}bin/touch rix, + # For shell pwd + / r, + /etc/ r, + /root/ r, + /etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg r, @@ -64,6 +69,7 @@ profile apt-methods-gpgv @{exec_path} { /etc/apt/trusted.gpg.d/{,*.gpg} r, /etc/apt/trusted.gpg r, + /tmp/ r, owner /tmp/apt-key-gpghome.*/ rw, owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner /tmp/apt.{conf,sig,data}.* rw, @@ -79,8 +85,6 @@ profile apt-methods-gpgv @{exec_path} { @{PROC}/@{pid}/fd/ r, - / r, - # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, diff --git a/apparmor.d/apt-methods-http b/apparmor.d/apt-methods-http index abc831089..d1996be2b 100644 --- a/apparmor.d/apt-methods-http +++ b/apparmor.d/apt-methods-http 
@@ -39,8 +39,12 @@ profile apt-methods-http @{exec_path} { # apt-helper gets "no new privs" so "rix" it /{usr/,}lib/apt/apt-helper rix, - /etc/apt/auth.conf.d/{,*} r, + # For shell pwd + / r, + /etc/ r, + /root/ r, + /etc/apt/auth.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, @@ -55,6 +59,7 @@ profile apt-methods-http @{exec_path} { /var/cache/apt/** rwk, # For the aptitude interactive mode + /tmp/ r, owner /tmp/aptitude-root.*/aptitude-download-* rw, owner /tmp/apt-changelog-*/*.changelog rw, diff --git a/apparmor.d/apt-methods-mirror b/apparmor.d/apt-methods-mirror index aadb324f2..fe2785c50 100644 --- a/apparmor.d/apt-methods-mirror +++ b/apparmor.d/apt-methods-mirror @@ -38,6 +38,11 @@ profile apt-methods-mirror @{exec_path} { owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/partial/* rw, + # For shell pwd + / r, + /etc/ r, + /root/ r, + # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, diff --git a/apparmor.d/apt-methods-rred b/apparmor.d/apt-methods-rred index 5c99528a0..862606415 100644 --- a/apparmor.d/apt-methods-rred +++ b/apparmor.d/apt-methods-rred @@ -38,6 +38,11 @@ profile apt-methods-rred @{exec_path} { # apt-helper gets "no new privs" so "rix" it /{usr/,}lib/apt/apt-helper rix, + # For shell pwd + / r, + /etc/ r, + /root/ r, + /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/apt-methods-rsh b/apparmor.d/apt-methods-rsh index 2ce2e1e36..b9de67305 100644 --- a/apparmor.d/apt-methods-rsh +++ b/apparmor.d/apt-methods-rsh @@ -38,6 +38,11 @@ profile apt-methods-rsh @{exec_path} { owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/partial/* rw, + # For shell pwd + / r, + /etc/ r, + /root/ r, + # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, diff --git a/apparmor.d/apt-methods-store b/apparmor.d/apt-methods-store index 5841d342d..3ed2218f2 100644 --- a/apparmor.d/apt-methods-store +++ b/apparmor.d/apt-methods-store 
@@ -38,6 +38,11 @@ profile apt-methods-store @{exec_path} { # apt-helper gets "no new privs" so "rix" it /{usr/,}lib/apt/apt-helper rix, + # For shell pwd + / r, + /etc/ r, + /root/ r, + /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, @@ -50,6 +55,7 @@ profile apt-methods-store @{exec_path} { /usr/share/doc/*/changelog.* r, + /tmp/ r, owner /tmp/apt-changelog-*/*.changelog{,.*} rw, # For package building diff --git a/apparmor.d/aptitude b/apparmor.d/aptitude index c04bde3f5..9867aad07 100644 --- a/apparmor.d/aptitude +++ b/apparmor.d/aptitude @@ -73,9 +73,9 @@ profile aptitude @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/test rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/test rix, + /{usr/,}bin/{,e}grep rix, /{usr/,}bin/ps rPx, /{usr/,}bin/dpkg rPx, @@ -127,6 +127,7 @@ profile aptitude @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/fd/ r, + /tmp/ r, owner /tmp/aptitude-*.@{pid}:*/ rw, owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw, /tmp/aptitude-*.@{pid}:*/pkgstates* r, @@ -172,16 +173,20 @@ profile aptitude @{exec_path} flags=(complain) { #include #include + /{usr/,}bin/ r, /{usr/,}bin/sensible-pager mr, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, - /{usr/,}bin/less rix, + /{usr/,}bin/which rix, + /{usr/,}bin/less rix, owner @{HOME}/.less* rw, owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw, + # For shell pwd + /root/ r, + } #include if exists diff --git a/apparmor.d/aptitude-create-state-bundle b/apparmor.d/aptitude-create-state-bundle index 63bafae71..5f398845b 100644 --- a/apparmor.d/aptitude-create-state-bundle +++ b/apparmor.d/aptitude-create-state-bundle 
@@ -20,12 +20,12 @@ profile aptitude-create-state-bundle @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/gzip rix, + /{usr/,}bin/which rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/gzip rix, # Files included in the bundle owner @{HOME}/.aptitude/{,*} r, diff --git a/apparmor.d/aptitude-run-state-bundle b/apparmor.d/aptitude-run-state-bundle index be610bc03..8ebe76cd5 100644 --- a/apparmor.d/aptitude-run-state-bundle +++ b/apparmor.d/aptitude-run-state-bundle @@ -21,12 +21,12 @@ profile aptitude-run-state-bundle @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, /{usr/,}bin/aptitude-curses rPx, diff --git a/apparmor.d/atom b/apparmor.d/atom index 91215eeed..3f69cf159 100644 --- a/apparmor.d/atom +++ b/apparmor.d/atom 
@@ -48,32 +48,29 @@ profile atom @{exec_path} { deny /{usr/,}local/bin/ r, deny /{usr/,}bin/ r, - #/{usr/,}bin/bash rix, - #/{usr/,}bin/zsh rix, - #/{usr/,}bin/env rix, - #/{usr/,}bin/rmdir rix, - #/{usr/,}bin/{,e}grep rix, - #/{usr/,}bin/ls rix, - #/{usr/,}bin/gawk rix, - #/{usr/,}bin/tty rix, - #/{usr/,}bin/dircolors rix, - #/{usr/,}bin/cut rix, - #/{usr/,}bin/xwininfo rix, - #/{usr/,}bin/date rix, + #/{usr/,}bin/{,ba,da}sh rix, + #/{usr/,}bin/zsh rix, + #/{usr/,}bin/env rix, + #/{usr/,}bin/rmdir rix, + #/{usr/,}bin/{,e}grep rix, + #/{usr/,}bin/ls rix, + #/{usr/,}bin/gawk rix, + #/{usr/,}bin/tty rix, + #/{usr/,}bin/dircolors rix, + #/{usr/,}bin/cut rix, + #/{usr/,}bin/xwininfo rix, + #/{usr/,}bin/date rix, # The expr and uname tools are needed or Atom won't start with the following error: # Your platform () is not supported. - /{usr/,}bin/expr rix, - /{usr/,}bin/uname rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/uname rix, # The following also are needed to start Atom - /{usr/,}bin/basename rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/nohup rix, - /{usr/,}bin/cat rix, - # The dash shell is needed to install packages. If you don't want to install any, coment the - # following line out. - #/{usr/,}bin/dash rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/nohup rix, + /{usr/,}bin/cat rix, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/xdg-open rCx -> open, @@ -194,6 +191,10 @@ profile atom @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/bin.ping b/apparmor.d/bin.ping index 3a8ebf974..2ed7af5f2 100644 --- a/apparmor.d/bin.ping +++ b/apparmor.d/bin.ping 
@@ -21,7 +21,7 @@ profile ping /{usr/,}bin/{,iputils-}ping { network inet raw, network inet6 raw, - /{,usr/}bin/{,iputils-}ping mixr, + /{usr/,}bin/{,iputils-}ping mixr, /etc/modules.conf r, # Site-specific additions and overrides. See local/README for details. diff --git a/apparmor.d/birdtray b/apparmor.d/birdtray index f27e0073e..4f96ab97a 100644 --- a/apparmor.d/birdtray +++ b/apparmor.d/birdtray @@ -83,6 +83,10 @@ profile birdtray @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/brave b/apparmor.d/brave index e5af3ffe8..570a63224 100644 --- a/apparmor.d/brave +++ b/apparmor.d/brave @@ -209,8 +209,11 @@ profile brave @{exec_path} { /{usr/,}bin/xdg-open mr, - # Allowed apps to open + owner @{HOME}/ r, + owner @{run}/user/[0-9]*/ r, + + # Allowed apps to open # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/brave-browser b/apparmor.d/brave-browser index d3690963b..48503730e 100644 --- a/apparmor.d/brave-browser +++ b/apparmor.d/brave-browser @@ -24,13 +24,13 @@ profile brave-browser @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, - /usr/bin/readlink rix, - /usr/bin/dirname rix, - /usr/bin/which rix, - /usr/bin/mkdir rix, - /usr/bin/cat rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/which rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cat rix, @{BRAVE_INSTALLDIR}/brave rPx, diff --git a/apparmor.d/calibre b/apparmor.d/calibre index 92e6535d1..383e250ca 100644 --- a/apparmor.d/calibre +++ b/apparmor.d/calibre @@ -63,7 +63,7 @@ profile calibre @{exec_path} { #/{usr/,}bin/ r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/ldconfig rix, /{usr/,}bin/uname rix, /{usr/,}bin/file rix, 
@@ -183,7 +183,11 @@ profile calibre @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, + + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, diff --git a/apparmor.d/cawbird b/apparmor.d/cawbird index f7d440586..10d422ab4 100644 --- a/apparmor.d/cawbird +++ b/apparmor.d/cawbird @@ -28,7 +28,7 @@ profile cawbird @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/exo-open rCx -> open, @@ -76,6 +76,10 @@ profile cawbird @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/check-bios-nx b/apparmor.d/check-bios-nx index c1bba8883..d122dc552 100644 --- a/apparmor.d/check-bios-nx +++ b/apparmor.d/check-bios-nx @@ -23,15 +23,15 @@ profile check-bios-nx @{exec_path} { capability dac_override, @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/getopt rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/getopt rix, - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}sbin/rdmsr rPx, + /{usr/,}sbin/rdmsr rPx, owner @{PROC}/@{pid}/fd/2 w, diff --git a/apparmor.d/check-support-status b/apparmor.d/check-support-status index bce5f8574..8c55381a5 100644 --- a/apparmor.d/check-support-status +++ b/apparmor.d/check-support-status @@ -19,10 +19,11 @@ profile check-support-status @{exec_path} flags=(complain) { #include @{exec_path} rix, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /etc/debian_version r, + /{usr/,}bin/ r, /{usr/,}bin/gettext.sh r, /{usr/,}bin/cat rix, /{usr/,}bin/{,e}grep rix, 
@@ -57,9 +58,11 @@ profile check-support-status @{exec_path} flags=(complain) { owner /tmp/debian-security-support.*/{,**} rw, /tmp/debian-security-support.postinst.*/output w, + /var/lib/debian-security-support/ r, owner /var/lib/debian-security-support/security-support.semaphore rw, owner /var/lib/debian-security-support/tmp.* rw, + /usr/share/debian-security-support/ r, /usr/share/debian-security-support/* r, diff --git a/apparmor.d/check-support-status-hook b/apparmor.d/check-support-status-hook index a663d4ceb..0de24ca79 100644 --- a/apparmor.d/check-support-status-hook +++ b/apparmor.d/check-support-status-hook @@ -20,14 +20,15 @@ profile check-support-status-hook @{exec_path} flags=(complain) { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/getent rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/chown rix, - /{usr/,}bin/stat rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, + /{usr/,}bin/ r, + /{usr/,}bin/getent rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/chown rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, /{usr/,}sbin/adduser rPx, /{usr/,}bin/check-support-status rPx, @@ -40,9 +41,17 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /usr/share/debconf/confmodule r, + # For shell pwd + / r, + /root/ r, + + /tmp/ r, owner /tmp/debian-security-support.postinst.*/ rw, owner /tmp/debian-security-support.postinst.*/output rw, + /var/lib/ r, + /var/lib/debian-security-support/ r, + profile debconf-escape flags=(complain) { #include @@ -52,6 +61,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /{usr/,}bin/debconf-escape r, /{usr/,}bin/perl r, + /tmp/ r, owner /tmp/debian-security-support.postinst.*/output r, } 
@@ -65,11 +75,12 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /usr/share/debconf/frontend r, /{usr/,}bin/perl r, + /usr/share/debian-security-support/ r, /usr/share/debian-security-support/check-support-status.hook rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, @@ -106,7 +117,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /{usr/,}sbin/runuser mr, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/check-support-status rPx, @@ -115,6 +126,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) { /etc/security/limits.d/ r, + /tmp/ r, owner /tmp/debian-security-support.postinst.*/output w, } diff --git a/apparmor.d/child-lsb_release b/apparmor.d/child-lsb_release index 1d5987835..9be0414d6 100644 --- a/apparmor.d/child-lsb_release +++ b/apparmor.d/child-lsb_release @@ -38,8 +38,7 @@ profile child-lsb_release { # /etc/lsb-release r, # /etc/lsb-release.d/ r, -# /{usr/,}bin/bash ixr, -# /{usr/,}bin/dash ixr, +# /{usr/,}bin/{,ba,da}sh rix, # /{usr/,}bin/basename ixr, # /{usr/,}bin/getopt ixr, diff --git a/apparmor.d/child-pager b/apparmor.d/child-pager index 627abbfe3..9ca17b3dc 100644 --- a/apparmor.d/child-pager +++ b/apparmor.d/child-pager @@ -26,11 +26,15 @@ profile child-pager { signal (receive) set=(stop, cont, term, kill), + /{usr/,}bin/ r, /{usr/,}bin/pager mr, /{usr/,}bin/less mr, /{usr/,}bin/more mr, owner @{HOME}/.lesshs* rw, + # For shell pwd + /root/ r, + #include if exists } diff --git a/apparmor.d/chromium b/apparmor.d/chromium index 9d16a3953..61296c8a3 100644 --- a/apparmor.d/chromium +++ b/apparmor.d/chromium 
@@ -27,16 +27,16 @@ profile chromium @{exec_path} { @{CHROMIUM_INSTALLDIR}/chromium rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/mktemp rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/mktemp rix, # For chromium -g /{usr/,}bin/gdb rPUx, diff --git a/apparmor.d/chromium-chromium b/apparmor.d/chromium-chromium index 7b6526379..591156370 100644 --- a/apparmor.d/chromium-chromium +++ b/apparmor.d/chromium-chromium @@ -190,7 +190,11 @@ profile chromium-chromium @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, + + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}bin/smplayer rPx, diff --git a/apparmor.d/claws-mail b/apparmor.d/claws-mail index d6cb6689a..024fea13f 100644 --- a/apparmor.d/claws-mail +++ b/apparmor.d/claws-mail @@ -30,21 +30,21 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/which rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/which rix, - /{usr/,}bin/gpg rCx -> gpg, - /{usr/,}bin/gpgsm rCx -> gpg, - /{usr/,}bin/gpgconf rCx -> gpg, + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpgsm rCx -> gpg, + /{usr/,}bin/gpgconf rCx -> gpg, # For Orage integration - /{usr/,}bin/orage rPUx, + /{usr/,}bin/orage rPUx, # For sending local mails - /{usr/,}sbin/exim4 rPUx, + /{usr/,}sbin/exim4 rPUx, # For editing in an external editor - /{usr/,}bin/geany rPUx, + /{usr/,}bin/geany rPUx, owner @{HOME}/ r, owner @{HOME}/.claws-mail/ rw, diff --git a/apparmor.d/code b/apparmor.d/code index fc7690db9..3f0a69df4 100644 --- a/apparmor.d/code +++ b/apparmor.d/code 
@@ -44,9 +44,8 @@ profile code @{exec_path} {
 # The bash shell is needed only when you want to start code via bin/code. Also the shells are
 # needed if you plan to operate on the built in terminal. If you don't need the built in terminal
 # and want to use the linux one, the following three lines can be commented out.
- # /{usr/,}bin/bash rix,
- # /{usr/,}bin/zsh rix,
- # /{usr/,}bin/dash rix,
+ #/{usr/,}bin/{,ba,da}sh rix,
+ # /{usr/,}bin/zsh rix,
 #/{usr/,}bin/dirname rix,
 #/{usr/,}bin/{,e}grep rix,
diff --git a/apparmor.d/conky b/apparmor.d/conky
index eead9452b..65160494e 100644
--- a/apparmor.d/conky
+++ b/apparmor.d/conky
@@ -28,21 +28,20 @@ profile conky @{exec_path} {
 @{exec_path} mr,
 # Needed tools to render conky output
- /{usr/,}bin/dash rix,
- /{usr/,}bin/bash rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/tr rix,
- /{usr/,}bin/uniq rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/sed rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/uniq rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/sed rix,
 # To remove the following error:
 # .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied
@@ -154,7 +153,7 @@ profile conky @{exec_path} {
 /{usr/,}bin/lynx mr,
 /{usr/,}bin/w3m mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /etc/mime.types r,
 /etc/mailcap r,
diff --git a/apparmor.d/convertall b/apparmor.d/convertall
index 2f87ac53b..54881e806 100644
--- a/apparmor.d/convertall
+++ b/apparmor.d/convertall
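Review bot: The rewritten tool list in the first conky hunk still carries `/{usr/,}bin/sed rix,` twice (once right after `rm`, again as the last entry), so this reindent was the natural place to drop the duplicate; AppArmor merges identical rules, so it is harmless, but it misleads anyone auditing what the profile grants. The second hunk of the same file only changes the shell rule and needs nothing. Both hunks lie inside `profile conky`, whose body continues outside them.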
@@ -29,7 +29,7 @@ profile convertall @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/python3.[0-9]* rix,
diff --git a/apparmor.d/cpupower b/apparmor.d/cpupower
index 851c638ab..24c32773b 100644
--- a/apparmor.d/cpupower
+++ b/apparmor.d/cpupower
@@ -26,9 +26,9 @@ profile cpupower @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/kmod rCx -> kmod,
- /{usr/,}bin/man rPx,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/kmod rCx -> kmod,
+ /{usr/,}bin/man rPx,
 @{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r,
 @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
diff --git a/apparmor.d/cron b/apparmor.d/cron
index 85673b3cb..bb20a9fea 100644
--- a/apparmor.d/cron
+++ b/apparmor.d/cron
@@ -28,9 +28,9 @@ profile cron @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/nice rix,
- /{usr/,}bin/ionice rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/nice rix,
+ /{usr/,}bin/ionice rix,
 /etc/crontab r,
diff --git a/apparmor.d/cron-apt b/apparmor.d/cron-apt
index 11e494b90..bfbdc462d 100644
--- a/apparmor.d/cron-apt
+++ b/apparmor.d/cron-apt
@@ -23,7 +23,7 @@ profile cron-apt @{exec_path} {
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/dotlockfile rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/mktemp rix,
@@ -61,10 +61,13 @@ profile cron-apt @{exec_path} {
 /etc/cron-apt/refrain r,
 /etc/cron-apt/action.d/[0-9]-* r,
- /var/lib/cron-apt/{,**/} w,
- /var/lib/cron-apt/.lk@{pid}* rw,
- /var/lib/cron-apt/lockfile rwl -> /var/lib/cron-apt/.lk@{pid}*,
- /var/lib/cron-apt/_-_etc_-_cron-apt_-_config/mailchanges/[0-9]-*-[0-9a-f]* rw,
+ # For shell pwd
+ / r,
+ /etc/ r,
+ /root/ r,
+
+ /var/lib/cron-apt/ rw,
+ /var/lib/cron-apt/** rwl -> /var/lib/cron-apt/**,
 # Logs
 /var/log/cron-apt/ r,
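Review bot: The convertall hunk turns `/{usr/,}bin/dash r,` into `/{usr/,}bin/{,ba,da}sh rix,`, which is not the pure rename most of this commit performs: the old rule only let the shell be read, while the new one also lets the confined program execute sh, bash or dash with the profile inherited. In these profiles `@{exec_path}` itself is granted only `r`, the pattern this repository uses for scripts, so the shell on the old rule looks like the script's interpreter rather than a child process, and `r` was presumably what it needed. The same `r` → `rix` upgrade recurs in cron-apt-listbugs (both hunks), cron-apt-show-versions, cron-apt-xapian-index, cron-aptitude, the savelog sub-profile of cron-popularity-contest, the xdg-mime sub-profile of discord, dkms and dkms-autoinstaller. If a sub-shell really is spawned, a one-line comment naming the caller would justify the wider grant; otherwise `/{usr/,}bin/{,ba,da}sh r,` keeps the previous scope. `profile convertall` continues past the hunk.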
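Review bot: In the second cron-apt hunk `/var/lib/cron-apt/** rwl -> /var/lib/cron-apt/**,` grants read, write and link across the whole state tree, whereas the removed rules pinned the lock dance to `lockfile` and `.lk@{pid}*` (`lockfile rwl -> /var/lib/cron-apt/.lk@{pid}*`) and writes to the `mailchanges` files. With the link target unconstrained, any name in the tree may now be linked to any other, which is broader than the dotlockfile pattern the old rule encoded. If a path outside the old rules was what failed, adding it explicitly keeps the lock rules narrow; if the glob is intentional, a comment naming the path that needed it would help the next reader. The first hunk of this file only changes the shell rule; `profile cron-apt` continues beyond both hunks.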
@@ -77,6 +80,7 @@ profile cron-apt @{exec_path} {
 /{usr/,}lib/locale/locale-archive r,
 # TMP
+ /tmp/ r,
 owner /tmp/cron-apt.*/ rw,
 owner /tmp/cron-apt.*/difftemp rw,
 owner /tmp/cron-apt.*/lockfile rw,
diff --git a/apparmor.d/cron-apt-listbugs b/apparmor.d/cron-apt-listbugs
index f1f1b3ec2..c26954d58 100644
--- a/apparmor.d/cron-apt-listbugs
+++ b/apparmor.d/cron-apt-listbugs
@@ -18,7 +18,7 @@ profile cron-apt-listbugs @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
@@ -30,12 +30,12 @@ profile cron-apt-listbugs @{exec_path} {
 /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr,
- /{usr/,}bin/dash r,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/cat rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/cat rix,
 /var/spool/apt-listbugs/lastprefclean rw,
diff --git a/apparmor.d/cron-apt-show-versions b/apparmor.d/cron-apt-show-versions
index 2e74b2564..fda645e0e 100644
--- a/apparmor.d/cron-apt-show-versions
+++ b/apparmor.d/cron-apt-show-versions
@@ -18,9 +18,12 @@ profile cron-apt-show-versions @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/apt-show-versions rPx,
+ # For shell pwd
+ / r,
+
 #include if exists
 }
diff --git a/apparmor.d/cron-apt-xapian-index b/apparmor.d/cron-apt-xapian-index
index bc953c312..36fc40f1c 100644
--- a/apparmor.d/cron-apt-xapian-index
+++ b/apparmor.d/cron-apt-xapian-index
@@ -18,16 +18,20 @@ profile cron-apt-xapian-index @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/nice rix,
- /{usr/,}bin/ionice rix,
+ /{usr/,}bin/nice rix,
+ /{usr/,}bin/ionice rix,
+ /{usr/,}sbin/ r,
 /{usr/,}sbin/update-apt-xapian-index rPx,
 /{usr/,}sbin/on_ac_power rPx,
+ # For shell pwd
+ / r,
+
 #include if exists
 }
diff --git a/apparmor.d/cron-aptitude b/apparmor.d/cron-aptitude
index 7479cc593..99734edd7 100644
--- a/apparmor.d/cron-aptitude
+++ b/apparmor.d/cron-aptitude
@@ -18,20 +18,20 @@ profile cron-aptitude @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/dirname rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mv rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
- /{usr/,}bin/savelog rix,
- /{usr/,}bin/cmp rix,
+ /{usr/,}bin/savelog rix,
+ /{usr/,}bin/cmp rix,
- /{usr/,}bin/gzip rix,
+ /{usr/,}bin/gzip rix,
 /var/lib/aptitude/pkgstates r,
diff --git a/apparmor.d/cron-debsums b/apparmor.d/cron-debsums
index 6859e7aba..82a4c94ec 100644
--- a/apparmor.d/cron-debsums
+++ b/apparmor.d/cron-debsums
@@ -19,20 +19,24 @@ profile cron-debsums @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/true rix,
- /{usr/,}bin/logger rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/true rix,
+ /{usr/,}bin/logger rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/ionice rix,
+ /{usr/,}bin/ionice rix,
- /{usr/,}bin/debsums rPx,
- /{usr/,}bin/tee rCx -> tee,
+ /{usr/,}bin/debsums rPx,
+ /{usr/,}bin/tee rCx -> tee,
+ /etc/ r,
 /etc/default/debsums r,
 /etc/debsums-ignore r,
+ # For shell pwd
+ / r,
+
 profile tee {
 #include
diff --git a/apparmor.d/cron-dlocate b/apparmor.d/cron-dlocate
index 3ff313436..b8d947868 100644
--- a/apparmor.d/cron-dlocate
+++ b/apparmor.d/cron-dlocate
@@ -18,7 +18,7 @@ profile cron-dlocate @{exec_path} {
 #include
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}sbin/update-dlocatedb rPx,
diff --git a/apparmor.d/cron-ipset-autoban-save b/apparmor.d/cron-ipset-autoban-save
index 0b57f403e..5d68ce1c0 100644
--- a/apparmor.d/cron-ipset-autoban-save
+++ b/apparmor.d/cron-ipset-autoban-save
@@ -19,10 +19,9 @@ profile cron-ipset-autoban-save @{exec_path} {
 #include
 @{exec_path} r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/bash rix,
-
- /{usr/,}sbin/ipset rix,
+ /{usr/,}sbin/ipset rix,
 /etc/peerblock/autoban rw,
diff --git a/apparmor.d/cron-logrotate b/apparmor.d/cron-logrotate
index 5578e61a9..6123ef48d 100644
--- a/apparmor.d/cron-logrotate
+++ b/apparmor.d/cron-logrotate
@@ -18,11 +18,14 @@ profile cron-logrotate @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}sbin/logrotate rPx,
 /{usr/,}bin/logger rix,
+ # For shell pwd
+ / r,
+
 #include if exists
 }
diff --git a/apparmor.d/cron-mlocate b/apparmor.d/cron-mlocate
index fecc519e6..f34cb78c9 100644
--- a/apparmor.d/cron-mlocate
+++ b/apparmor.d/cron-mlocate
@@ -19,14 +19,14 @@ profile cron-mlocate @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/bash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/true rix,
- /{usr/,}bin/flock rix,
- /{usr/,}bin/nocache rix,
- /{usr/,}bin/ionice rix,
- /{usr/,}bin/nice rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/true rix,
+ /{usr/,}bin/flock rix,
+ /{usr/,}bin/nocache rix,
+ /{usr/,}bin/ionice rix,
+ /{usr/,}bin/nice rix,
 /{usr/,}bin/updatedb.mlocate rPx,
 /{usr/,}sbin/on_ac_power rPx,
diff --git a/apparmor.d/cron-popularity-contest b/apparmor.d/cron-popularity-contest
index 985b85a97..a108f6e12 100644
--- a/apparmor.d/cron-popularity-contest
+++ b/apparmor.d/cron-popularity-contest
@@ -18,33 +18,39 @@ profile cron-popularity-contest @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}sbin/popularity-contest rPx,
- /{usr/,}bin/logger rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/setsid rix,
+ /{usr/,}bin/logger rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/setsid rix,
 # To send reports via TOR
- /{usr/,}bin/torify rix,
- /{usr/,}bin/torsocks rix,
- /{usr/,}sbin/getcap rix,
+ /{usr/,}bin/torify rix,
+ /{usr/,}bin/torsocks rix,
+ /{usr/,}sbin/getcap rix,
 /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
- /{usr/,}bin/gpg rCx -> gpg,
- /{usr/,}sbin/runuser rCx -> runuser,
- /{usr/,}bin/savelog rCx -> savelog,
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}sbin/runuser rCx -> runuser,
+ /{usr/,}bin/savelog rCx -> savelog,
+ /usr/share/popularity-contest/ r,
 /usr/share/popularity-contest/default.conf r,
 /etc/popularity-contest.conf r,
+ # For shell pwd
+ / r,
+ /root/ r,
+
+ /var/log/ r,
 /var/log/popularity-contest{,.new} rw,
 /var/log/popularity-contest{,.new}.gpg rw,
@@ -64,16 +70,16 @@ profile cron-popularity-contest @{exec_path} {
 /{usr/,}bin/savelog mr,
- /{usr/,}bin/date rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/which rix,
- /{usr/,}bin/dirname rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/gzip rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/which rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/gzip rix,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
 /var/log/ r,
 /var/log/popularity-contest.[0-9]*.gz rw,
@@ -93,7 +99,7 @@ profile cron-popularity-contest @{exec_path} {
 /{usr/,}sbin/runuser mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}sbin/popularity-contest rPx,
diff --git a/apparmor.d/crontab b/apparmor.d/crontab
index 493a6860c..b62c26b60 100644
--- a/apparmor.d/crontab
+++ b/apparmor.d/crontab
@@ -24,7 +24,7 @@ profile crontab @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 # When editing the crontab file
 /{usr/,}bin/sensible-editor rCx -> editor,
@@ -45,7 +45,7 @@ profile crontab @{exec_path} {
 /{usr/,}bin/sensible-editor mr,
 /{usr/,}bin/vim.* mrix,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/which rix,
 owner @{HOME}/.selected_editor r,
diff --git a/apparmor.d/ddclient b/apparmor.d/ddclient
index d5bc76586..d9e98a907 100644
--- a/apparmor.d/ddclient
+++ b/apparmor.d/ddclient
@@ -24,8 +24,8 @@ profile ddclient @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/perl r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/logger rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/logger rix,
 /etc/ddclient.conf r,
diff --git a/apparmor.d/debconf-apt-progress b/apparmor.d/debconf-apt-progress
index 401402012..31b2ffe91 100644
--- a/apparmor.d/debconf-apt-progress
+++ b/apparmor.d/debconf-apt-progress
@@ -39,9 +39,9 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
 /{usr/,}bin/debconf-apt-progress rPx,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/stty rix,
- /{usr/,}bin/locale rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/locale rix,
 # The following is needed when debconf uses dialog/whiptail frontend.
 /{usr/,}bin/whiptail rPx,
diff --git a/apparmor.d/debsecan b/apparmor.d/debsecan
index effe7a626..f497e94f6 100644
--- a/apparmor.d/debsecan
+++ b/apparmor.d/debsecan
@@ -25,11 +25,11 @@ profile debsecan @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/python3.[0-9]* r,
- /{usr/,}bin/ r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/ r,
+ /{usr/,}bin/{,ba,da}sh rix,
 # Send results using email
- /{usr/,}sbin/exim4 rPx,
+ /{usr/,}sbin/exim4 rPx,
 /etc/apt/apt.conf.d/{,*} r,
 /etc/apt/apt.conf r,
diff --git a/apparmor.d/debsign b/apparmor.d/debsign
index e6cd4204c..58cf7d68e 100644
--- a/apparmor.d/debsign
+++ b/apparmor.d/debsign
@@ -20,28 +20,28 @@ profile debsign @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/cu rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/stty rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/getopt rix,
- /{usr/,}bin/dirname rix,
- /{usr/,}bin/cmp rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/cu rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/stty rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/cmp rix,
- /{usr/,}bin/md5sum rix,
+ /{usr/,}bin/md5sum rix,
 /{usr/,}bin/sha{1,256,512}sum rix,
- /{usr/,}bin/perl rix,
+ /{usr/,}bin/perl rix,
 /etc/devscripts.conf r,
 owner @{HOME}/.devscripts r,
diff --git a/apparmor.d/debsums b/apparmor.d/debsums
index 9299d382a..068583a0e 100644
--- a/apparmor.d/debsums
+++ b/apparmor.d/debsums
@@ -23,8 +23,8 @@ profile debsums @{exec_path} {
 @{exec_path} r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gawk rix,
 /etc/dpkg/dpkg.cfg.d/{,*} r,
 /etc/dpkg/dpkg.cfg r,
@@ -37,6 +37,9 @@ profile debsums @{exec_path} {
 /{usr/,}bin/dpkg rPx -> child-dpkg,
 /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert,
+ # For shell pwd
+ / r,
+
 # Scanning files
 /{usr/,}bin/{,*} r,
 /{usr/,}sbin/{,*} r,
diff --git a/apparmor.d/debuild b/apparmor.d/debuild
deleted file mode 100644
index 52634516d..000000000
--- a/apparmor.d/debuild
+++ /dev/null
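Review bot: `/{usr/,}bin/cu rix,` survives the reindent in the debsign hunk, sitting directly above `/{usr/,}bin/cut rix,`; `cu` is the uucp call-up program, which debsign has no evident reason to execute, so this looks like a typo for `cut` that the rewrite could have removed. Dropping the line takes away an execute grant the profile almost certainly does not need; if `cu` really is invoked, a comment naming the code path would help. The enclosing `profile debsign` continues outside the hunk.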
@@ -1,49 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2020 Mikhail Morfikov
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-#abi ,
-
-#include
-
-@{BUILD_DIR} = /media/debuilder/
-
-@{exec_path} = /{usr/,}bin/debuild
-profile debuild @{exec_path} flags=(complain) {
- #include
- #include
- #include
-
- @{exec_path} r,
- /{usr/,}bin/perl r,
-
- /{usr/,}bin/dash rix,
- /{usr/,}bin/bash rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/pwd rix,
- /{usr/,}bin/tee rix,
-
- /{usr/,}bin/dpkg-architecture rPx,
- /{usr/,}bin/dpkg-buildpackage rPx,
- /{usr/,}bin/debsign rPx,
-
- /usr/share/lintian/bin/lintian rPx,
- /{usr/,}bin/lintian rPx,
-
- /etc/devscripts.conf r,
-
- /etc/dpkg/origins/debian r,
-
- # For package building
- owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
-
- #include if exists
-}
diff --git a/apparmor.d/deluser b/apparmor.d/deluser
index bf7cb4fa9..c5e3e08a1 100644
--- a/apparmor.d/deluser
+++ b/apparmor.d/deluser
@@ -29,15 +29,15 @@ profile deluser @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/perl r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}sbin/userdel rPx,
- /{usr/,}sbin/groupdel rPx,
- /{usr/,}bin/gpasswd rPx,
+ /{usr/,}sbin/userdel rPx,
+ /{usr/,}sbin/groupdel rPx,
+ /{usr/,}bin/gpasswd rPx,
- /{usr/,}bin/crontab rPx,
+ /{usr/,}bin/crontab rPx,
- /{usr/,}bin/mount rCx -> mount,
+ /{usr/,}bin/mount rCx -> mount,
 /etc/adduser.conf r,
 /etc/deluser.conf r,
diff --git a/apparmor.d/dh b/apparmor.d/dh
deleted file mode 100644
index 752150ca9..000000000
--- a/apparmor.d/dh
+++ /dev/null
@@ -1,114 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2020 Mikhail Morfikov
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-#abi ,
-
-#include
-
-@{BUILD_DIR} = /media/debuilder/
-
-@{exec_path} = /{usr/,}bin/dh
-@{exec_path} += /{usr/,}bin/dh_*
-profile dh @{exec_path} flags=(complain) {
- #include
- #include
-
- @{exec_path} r,
- /{usr/,}bin/perl r,
-
- /{usr/,}bin/dh_* rix,
-
- /{usr/,}bin/dash rix,
- /{usr/,}bin/make rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mkdir rix,
-
- /{usr/,}bin/dpkg-vendor rPx,
-
- /usr/share/python/pyversions.py rCx -> python,
- /usr/share/python3/py3versions.py rCx -> python,
- /usr/share/dh-python/* rCx -> python,
-
- # What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
- owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
- owner @{BUILD_DIR}/** rcx -> debian-rules,
- owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
-
- /etc/dpkg/origins/debian r,
-
- /usr/share/dpkg/cputable r,
- /usr/share/dpkg/tupletable r,
-
- owner @{HOME}/.config/dpkg/buildflags.conf r,
-
- /usr/share/dpkg/* r,
-
-
- profile debian-rules flags=(complain) {
- #include
-
- owner @{BUILD_DIR}/**/debian/rules rix,
- owner @{BUILD_DIR}/** rix,
- owner @{BUILD_DIR}/** rwkl -> /media/debu
ilder/*/**,
-
- /{usr/,}bin/dash rix,
- /{usr/,}bin/make rix,
-
- # Don't strip env here
- /{usr/,}bin/* rpux,
-
- /usr/share/dpkg/* r,
-
- / r,
- /usr/include/{,**} r,
-
- # Key to sign the kernel and its modules
- /etc/kernel_key/* r,
-
- owner /tmp/cpiolist.* rw,
-
- }
-
- profile python flags=(complain) {
- #include
- #include
-
- /usr/share/python/pyversions.py mr,
- /usr/share/python3/py3versions.py mr,
- /usr/share/dh-python/* mr,
-
- /{usr/,}bin/python2.[0-9]* rix,
- /{usr/,}bin/python3.[0-9]* rix,
-
- /usr/share/python/ r,
- /usr/share/python/debian_defaults r,
- /usr/share/python3/ r,
- /usr/share/python3/debian_defaults r,
-
- /usr/share/dh-python/ r,
- /usr/share/dh-python/** r,
-
- /{usr/,}bin/which rix,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/dpkg-architecture rPx,
- /{usr/,}bin/git rPx,
-
- owner /media/debuilder/** r,
- owner /media/debuilder/**/.pybuild/ rw,
- owner /media/debuilder/**/.pybuild/** rw,
-
- owner @{PROC}/@{pid}/fd/ r,
-
- }
-
- #include if exists
-}
diff --git a/apparmor.d/dhclient-script b/apparmor.d/dhclient-script
index 070c8575d..6781ccce1 100644
--- a/apparmor.d/dhclient-script
+++ b/apparmor.d/dhclient-script
@@ -25,16 +25,17 @@ profile dhclient-script @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash mrix,
+ /{usr/,}bin/{,ba,da}sh mrix,
- /{usr/,}bin/ping rPx,
- /{usr/,}bin/run-parts rCx -> run-parts,
+ /{usr/,}bin/ping rPx,
+ /{usr/,}bin/run-parts rCx -> run-parts,
 # To remove the following error:
 # /sbin/dhclient-script: 133: hostname: Permission denied
- /{usr/,}bin/hostname rPx,
+ /{usr/,}bin/hostname rPx,
 # To read scripts
+ /etc/dhcp/ r,
 /etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,
 # For debug script
@@ -43,9 +44,9 @@ profile dhclient-script @{exec_path} {
 owner /tmp/dhclient-script.debug rw,
 # For ddclient script
- /{usr/,}sbin/ddclient rPx,
- /etc/default/ddclient r,
- /{usr/,}bin/logger rix,
+ /{usr/,}sbin/ddclient rPx,
+ /etc/default/ddclient r,
+ /{usr/,}bin/logger rix,
 # For samba script
 /{usr/,}bin/mv rix,
diff --git a/apparmor.d/discord b/apparmor.d/discord
index 26d5ed988..c17222803 100644
--- a/apparmor.d/discord
+++ b/apparmor.d/discord
@@ -49,7 +49,7 @@ profile discord @{exec_path} {
 owner @{PROC}/@{pid}/gid_map w,
 owner @{PROC}/@{pid}/uid_map w,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/xdg-open rCx -> open,
 #/{usr/,}bin/lsb_release rCx -> lsb_release,
@@ -143,12 +143,12 @@ profile discord @{exec_path} {
 /{usr/,}bin/xdg-mime mr,
- /{usr/,}bin/dash r,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/sed rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/sed rix,
 # file_inherit
 /usr/share/discord/** r,
@@ -193,6 +193,10 @@ profile discord @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPx,
diff --git a/apparmor.d/dkms b/apparmor.d/dkms
index a2c533e82..d5733489e 100644
--- a/apparmor.d/dkms
+++ b/apparmor.d/dkms
@@ -19,34 +19,33 @@ profile dkms @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/bash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/head rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/uname rix,
- /{usr/,}bin/nproc rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/diff rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/rmdir rix,
- /{usr/,}bin/find rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/gawk rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/date rix,
- /{usr/,}bin/ln rix,
- /{usr/,}bin/mkdir rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/echo rix,
- /{usr/,}bin/pwd rix,
- /{usr/,}bin/getconf rix,
- /{usr/,}bin/xargs rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}bin/nproc rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/diff rix,
+ /{usr/,}bin/wc rix,
+ /{usr/,}bin/rmdir rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/{,e}grep rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/date rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/echo rix,
+ /{usr/,}bin/pwd rix,
+ /{usr/,}bin/getconf rix,
+ /{usr/,}bin/xargs rix,
 /{usr/,}bin/make rix,
 /{usr/,}bin/{,@{multiarch}-}* rix,
diff --git a/apparmor.d/dkms-autoinstaller b/apparmor.d/dkms-autoinstaller
index cca33ec10..fd4288aad 100644
--- a/apparmor.d/dkms-autoinstaller
+++ b/apparmor.d/dkms-autoinstaller
@@ -19,15 +19,18 @@ profile dkms-autoinstaller @{exec_path} {
 #include
 @{exec_path} r,
- /{usr/,}bin/dash r,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/tput rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/tput rix,
- /{usr/,}sbin/dkms rPx,
+ /{usr/,}sbin/dkms rPx,
- /{usr/,}bin/run-parts rCx -> run-parts,
- /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/run-parts rCx -> run-parts,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+
+ # For shell pwd
+ / r,
 profile run-parts {
diff --git a/apparmor.d/dlocate b/apparmor.d/dlocate
index 355b397da..c36987db6 100644
--- a/apparmor.d/dlocate
+++ b/apparmor.d/dlocate
@@ -20,7 +20,7 @@ profile dlocate @{exec_path} {
 #include
 @{exec_path} rix,
- /{usr/,}bin/bash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/getopt rix,
 /{usr/,}bin/{,e}grep rix,
diff --git a/apparmor.d/dpkg b/apparmor.d/dpkg
index 72ef4daf0..f52e3b838 100644
--- a/apparmor.d/dpkg
+++ b/apparmor.d/dpkg
@@ -34,7 +34,7 @@ profile dpkg @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/dpkg-query rPx,
@@ -80,8 +80,12 @@ profile dpkg @{exec_path} {
 /var/log/dpkg.log w,
+ # For shell pwd
+ /root/ r,
+
 # Basically, dpkg needs R/W permissions to the following files since it installs them.
 # It also needs the L permission when a package is reinstalled.
+ / r,
 /usr/ r,
 /usr/** rwl -> /usr/**,
 /lib/ r,
@@ -115,6 +119,7 @@ profile dpkg @{exec_path} {
 #include
 #include
+ /{usr/,}bin/ r,
 /{usr/,}bin/pager mr,
 /{usr/,}bin/less mr,
 /{usr/,}bin/more mr,
@@ -125,6 +130,9 @@ profile dpkg @{exec_path} {
 # Diff changed config files
 /etc/** r,
+ # For shell pwd
+ /root/ r,
+
 }
 profile scripts {
diff --git a/apparmor.d/dpkg-buildpackage b/apparmor.d/dpkg-buildpackage
deleted file mode 100644
index 7c9cfd327..000000000
--- a/apparmor.d/dpkg-buildpackage
+++ /dev/null
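Review bot: In the second dpkg hunk the new `/ r,` lands directly under `# Basically, dpkg needs R/W permissions to the following files since it installs them.`, a comment that no longer describes it: `/ r` is a directory listing, not an install target, and the companion `/root/ r,` a few lines up already has its own `# For shell pwd` header. Moving `/ r,` up under that header, or giving it a comment of its own, keeps the block's comments truthful. The other dpkg hunks (the shell rule, `/{usr/,}bin/ r,` in the pager sub-profile, `/root/ r,` in the diff sub-profile) need nothing; `profile dpkg` continues outside every hunk.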
@@ -1,117 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2020 Mikhail Morfikov
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-#abi ,
-
-#include
-
-@{BUILD_DIR} = /media/debuilder/
-
-@{exec_path} = /{usr/,}bin/dpkg-buildpackage
-profile dpkg-buildpackage @{exec_path} flags=(complain) {
- #include
- #include
-
- @{exec_path} r,
- /{usr/,}bin/perl r,
-
- /{usr/,}bin/dash rix,
- /{usr/,}bin/getopt rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/getconf rix,
- /{usr/,}bin/fakeroot-sysv rix,
- /{usr/,}bin/faked-sysv rix,
-
- /{usr/,}bin/dh rPx,
- /{usr/,}bin/dpkg-buildflags rPx,
- /{usr/,}bin/dpkg-architecture rPx,
- /{usr/,}bin/dpkg-genbuildinfo rPx,
- /{usr/,}bin/dpkg-genchanges rPx,
- /{usr/,}bin/dpkg-checkbuilddeps rPx,
-
- /{usr/,}bin/dpkg-source rcx -> dpkg-source,
-
- # What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
- owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
- owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
-
- /etc/dpkg/origins/debian r,
-
-
- profile dpkg-source flags=(complain) {
- #include
- #include
- #include
-
- /{usr/,}bin/dpkg-source mr,
- /{usr/,}bin/perl r,
-
- /{usr/,}bin/tar rix,
- /{usr/,}bin/bunzip2 rix,
- /{usr/,}bin/gunzip rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/xz rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/chmod rix,
- /{usr/,}bin/patch rix,
- /{usr/,}bin/diff rix,
-
- /{usr/,}bin/gpg rix,
- /{usr/,}bin/gpgv rix,
- /{usr/,}bin/gpg-agent rix,
-
- /etc/dpkg/origins/debian r,
-
- owner /tmp/** rwkl -> /tmp/**,
- owner @{run}/user/[0-9]*/gnupg/** w,
-
- @{PROC}/@{pid}/fd/ r,
-
- /usr/share/dpkg/tupletable r,
- /usr/share/dpkg/cputable r,
-
- owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
- owner @{HOME}/** rwkl -> @{HOME}/**,
- audit deny owner @{HOME}/.* mrwkl,
- audit deny owner @{HOME}/.*/ rw,
- audit deny owner @{HOME}/.*/** mrwkl,
-
- }
-
- profile debian-rules flags=(complain) {
- #include
-
- owner @{BUILD_DIR}/**/debian/rules rix,
- owner @{BUILD_DIR}/** rix,
- owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/*/**,
-
- /{usr/,}bin/dash rix,
- /{usr/,}bin/make rix,
-
- # Don't strip env here
- /{usr/,}bin/* rpux,
-
- /usr/share/dpkg/* r,
-
- / r,
- /usr/include/{,**} r,
-
- # Key to sign the kernel and its modules
- /etc/kernel_key/* r,
-
- owner /tmp/cpiolist.* rw,
-
- }
-
- #include if exists
-}
diff --git a/apparmor.d/dpkg-divert b/apparmor.d/dpkg-divert
index dc145e7fa..fb055b869 100644
--- a/apparmor.d/dpkg-divert
+++ b/apparmor.d/dpkg-divert
@@ -24,5 +24,9 @@ profile dpkg-divert @{exec_path} {
 /usr/share/*/**.dpkg-divert.tmp w,
+ /var/lib/dpkg/diversions rw,
+ /var/lib/dpkg/diversions-new rw,
+ /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
+
 #include if exists
 }
diff --git a/apparmor.d/dpkg-preconfigure b/apparmor.d/dpkg-preconfigure
index daaa316e1..914c0e61c 100644
--- a/apparmor.d/dpkg-preconfigure
+++ b/apparmor.d/dpkg-preconfigure
@@ -25,9 +25,9 @@ profile dpkg-preconfigure @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/perl r,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/locale rix,
- /{usr/,}bin/stty rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/locale rix,
+ /{usr/,}bin/stty rix,
 /{usr/,}bin/dpkg rPx -> child-dpkg,
 /{usr/,}bin/apt-extracttemplates rPx,
diff --git a/apparmor.d/dpkg-query b/apparmor.d/dpkg-query
index 5627a2d59..1e13965a9 100644
--- a/apparmor.d/dpkg-query
+++ b/apparmor.d/dpkg-query
@@ -20,11 +20,11 @@ profile dpkg-query @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/pager rPx -> child-pager,
- /{usr/,}bin/less rPx -> child-pager,
- /{usr/,}bin/more rPx -> child-pager,
+ /{usr/,}bin/pager rPx -> child-pager,
+ /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/more rPx -> child-pager,
 /var/lib/dpkg/** r,
diff --git a/apparmor.d/dropbox b/apparmor.d/dropbox
index b47fc0a8e..5a40b872a 100644
--- a/apparmor.d/dropbox
+++ b/apparmor.d/dropbox
@@ -58,11 +58,11 @@ profile dropbox @{exec_path} {
 owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
 owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/dirname rix,
- /{usr/,}bin/uname rix,
- /{usr/,}sbin/ldconfig rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/readlink rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/uname rix,
+ /{usr/,}sbin/ldconfig rix,
 /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
 /{usr/,}bin/{,@{multiarch}-}objdump rix,
@@ -135,6 +135,10 @@ profile dropbox @{exec_path} {
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
 # Allowed apps to open
 /{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/e2fsck b/apparmor.d/e2fsck
index 355f4824b..11005abb8 100644
--- a/apparmor.d/e2fsck
+++ b/apparmor.d/e2fsck
@@ -22,7 +22,7 @@ profile e2fsck @{exec_path} {
 @{exec_path} mr,
 # To check for badblocks
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}sbin/badblocks rPx,
 owner @{run}/blkid/blkid.tab{,-*} rw,
diff --git a/apparmor.d/eject b/apparmor.d/eject
index 428ea0bbb..424d1dcea 100644
--- a/apparmor.d/eject
+++ b/apparmor.d/eject
@@ -22,7 +22,7 @@ profile eject @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}lib/eject/dmcrypt-get-device rPx,
diff --git a/apparmor.d/engrampa b/apparmor.d/engrampa
index 963577127..5c6fd20b8 100644
--- a/apparmor.d/engrampa
+++ b/apparmor.d/engrampa
@@ -28,11 +28,11 @@ profile engrampa @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/ls rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/cp rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/cp rix,
 # Archivers
 /{usr/,}bin/7z rix,
@@ -96,6 +96,10 @@ profile engrampa @{exec_path} {
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
 /{usr/,}bin/xdg-open mr,
+ owner @{HOME}/ r,
+
+ owner @{run}/user/[0-9]*/ r,
+
 # Allowed apps to open
 /{usr/,}bin/engrampa rPx,
 /{usr/,}bin/geany rPx,
diff --git a/apparmor.d/execute-dput b/apparmor.d/execute-dput
index 52ca2297c..c36146510 100644
--- a/apparmor.d/execute-dput
+++ b/apparmor.d/execute-dput
@@ -25,13 +25,13 @@ profile execute-dput @{exec_path} flags=(complain) {
 @{exec_path} r,
 /{usr/,}bin/python3.[0-9]* r,
- /{usr/,}bin/dash rix,
+ /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
- /{usr/,}bin/gpgconf rCx -> gpg,
- /{usr/,}bin/gpg rCx -> gpg,
- /{usr/,}bin/gpgsm rCx -> gpg,
+ /{usr/,}bin/gpgconf rCx -> gpg,
+ /{usr/,}bin/gpg rCx -> gpg,
+ /{usr/,}bin/gpgsm rCx -> gpg,
 /usr/share/dput/{,**} r,
diff --git a/apparmor.d/f3fix b/apparmor.d/f3fix
index 092932093..e8a2a7670 100644
--- a/apparmor.d/f3fix
+++ b/apparmor.d/f3fix
@@ -32,11 +32,11 @@ profile f3fix @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/dmidecode rPx, - /{usr/,}bin/udevadm rCx -> udevadm, + /{usr/,}bin/udevadm rCx -> udevadm, owner @{PROC}/@{pid}/mounts r, @{PROC}/swaps r, diff --git a/apparmor.d/fatresize b/apparmor.d/fatresize index d87fdcb1d..28c5e6436 100644 --- a/apparmor.d/fatresize +++ b/apparmor.d/fatresize @@ -30,7 +30,7 @@ profile fatresize @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/dmidecode rPx, diff --git a/apparmor.d/filezilla b/apparmor.d/filezilla index 6ac9ff958..1ac8643a9 100644 --- a/apparmor.d/filezilla +++ b/apparmor.d/filezilla @@ -28,7 +28,7 @@ profile filezilla @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/uname rix, # When using SFTP protocol diff --git a/apparmor.d/firefox b/apparmor.d/firefox index dd2568f57..46d790a60 100644 --- a/apparmor.d/firefox +++ b/apparmor.d/firefox @@ -51,7 +51,7 @@ profile firefox @{exec_path} { owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/uid_map w, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, # Firefox files @{MOZ_LIBDIR}/{,**} r, @@ -191,6 +191,10 @@ profile firefox @{exec_path} { /{usr/,}bin/exo-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}bin/vlc rPx, /{usr/,}bin/qbittorrent rPx, diff --git a/apparmor.d/flameshot b/apparmor.d/flameshot index 7f9189727..8e823bf48 100644 --- a/apparmor.d/flameshot +++ b/apparmor.d/flameshot @@ -77,8 +77,11 @@ profile flameshot @{exec_path} { /{usr/,}bin/xdg-open mr, - # Allowed apps to open + owner @{HOME}/ r, + owner @{run}/user/[0-9]*/ r, + + # Allowed apps to open # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/freetube b/apparmor.d/freetube index 3c5415caa..95519c28a 100644 --- a/apparmor.d/freetube 
+++ b/apparmor.d/freetube @@ -48,8 +48,8 @@ profile freetube @{exec_path} { @{FT_LIBDIR}/ r, @{FT_LIBDIR}/** r, @{FT_LIBDIR}/libffmpeg.so mr, - @{FT_LIBDIR}/swiftshader/libGLESv2.so mr, - @{FT_LIBDIR}/swiftshader/libEGL.so mr, + @{FT_LIBDIR}/{swiftshader/,}libGLESv2.so mr, + @{FT_LIBDIR}/{swiftshader/,}libEGL.so mr, @{FT_LIBDIR}/chrome-sandbox rPx, owner @{HOME}/ r, @@ -61,6 +61,7 @@ profile freetube @{exec_path} { owner /tmp/.org.chromium.Chromium.*/ rw, owner /tmp/.org.chromium.Chromium.*/SingletonCookie w, owner /tmp/.org.chromium.Chromium.*/SS w, + owner /tmp/.org.chromium.Chromium.* w, owner /tmp/net-export/ rw, /dev/shm/ r, @@ -123,6 +124,10 @@ profile freetube @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, diff --git a/apparmor.d/frontend b/apparmor.d/frontend index 8ad975b3f..8a8ef23d5 100644 --- a/apparmor.d/frontend +++ b/apparmor.d/frontend @@ -25,9 +25,9 @@ profile frontend @{exec_path} flags=(complain) { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, # debconf apps /{usr/,}bin/adequate rPx, @@ -113,8 +113,15 @@ profile frontend @{exec_path} flags=(complain) { /usr/share/** r, /usr/share/** rPUx, + /etc/ r, /etc/** rw, - /var/cache/** rw, + /var/ r, + /var/** rw, + @{sys}/ r, + @{sys}/**/ r, + @{run}/ r, + @{run}/** r, + /tmp/ r, owner /tmp/** rw, } diff --git a/apparmor.d/fsck-btrfs b/apparmor.d/fsck-btrfs index 2acebfdd3..0a1e7abfa 100644 --- a/apparmor.d/fsck-btrfs +++ b/apparmor.d/fsck-btrfs @@ -19,7 +19,7 @@ profile fsck-btrfs @{exec_path} { @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /etc/fstab r, diff --git a/apparmor.d/fzsftp b/apparmor.d/fzsftp index 16558b074..9c982ed10 100644 --- a/apparmor.d/fzsftp +++ b/apparmor.d/fzsftp 
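Review bot: In the frontend hunk `/var/** rw,` replaces `/var/cache/** rw,`, and together with the pre-existing `/etc/** rw,` the debconf frontend may now write anywhere under /var (package state, spool, logs); `@{run}/** r,` likewise exposes every file under /run. The profile carries `flags=(complain)`, so today this only changes what is logged, but once enforced these globs give the profile little value — narrowing to the debconf cache paths the frontend actually touches, and to the specific /run entries seen in the audit log, is preferable. If the broad rules are kept deliberately, a comment such as `# FIXME: overly broad; narrow once denials are collected` makes that intent visible. The profile block starts outside this hunk.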
@@ -26,9 +26,9 @@ profile fzsftp @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash mrix, - /{usr/,}bin/ps rix, - /{usr/,}bin/ls rix, + /{usr/,}bin/{,ba,da}sh mrix, + /{usr/,}bin/ps rix, + /{usr/,}bin/ls rix, @{PROC}/ r, @{PROC}/uptime r, diff --git a/apparmor.d/gajim b/apparmor.d/gajim index 2f0f3fd11..1113581f3 100644 --- a/apparmor.d/gajim +++ b/apparmor.d/gajim @@ -32,17 +32,17 @@ profile gajim @{exec_path} { @{exec_path} r, - /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/uname rix, - /{usr/,}sbin/ldconfig rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, + /{usr/,}sbin/ldconfig rix, # To play sounds - /{usr/,}bin/aplay rCx -> audio, - /{usr/,}bin/pacat rCx -> audio, + /{usr/,}bin/aplay rCx -> audio, + /{usr/,}bin/pacat rCx -> audio, # Needed for GPG/PGP support - /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/gpg rCx -> gpg, # External apps /{usr/,}bin/xdg-settings rPUx, diff --git a/apparmor.d/games-wesnoth-sh b/apparmor.d/games-wesnoth-sh index e18680b3c..06b9644b3 100644 --- a/apparmor.d/games-wesnoth-sh +++ b/apparmor.d/games-wesnoth-sh @@ -19,13 +19,13 @@ profile games-wesnoth-sh @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /usr/games/wesnoth{,-[0-9]*} rPx, # For the editor - /{usr/,}bin/basename rix, - /{usr/,}bin/sed rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/sed rix, # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/ganyremote b/apparmor.d/ganyremote index b2ba7df1d..0354b9e58 100644 --- a/apparmor.d/ganyremote +++ b/apparmor.d/ganyremote 
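Review bot: In games-wesnoth-sh `/{usr/,}bin/dash r,` becomes `/{usr/,}bin/{,ba,da}sh rix,`, which turns a read-only rule into an execute-inherit rule for three interpreters; the same `r` to `rix` upgrade occurs in initd-kmod and install-printerdriver, kernel-install, kvm-ok and lightworks, localepurge and lsinitramfs. The old `r`-only rule suggests the interpreter did not need exec permission for the script itself to run, so `ix` now additionally lets the confined script spawn subshells; that may well be required, but the commit does not say so, and a comment on the first instance, e.g. `# ix: the script spawns subshells`, would make the intent reviewable. The enclosing profile starts outside the hunk.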
@@ -30,16 +30,15 @@ profile ganyremote @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/which rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/id rix, + /{usr/,}bin/which rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/gawk rix, /{usr/,}bin/anyremote rPx, /{usr/,}bin/ps rPx, diff --git a/apparmor.d/git b/apparmor.d/git index 9c8df883d..38140691c 100644 --- a/apparmor.d/git +++ b/apparmor.d/git @@ -44,7 +44,7 @@ profile git @{exec_path} { /{usr/,}bin/envsubst rix, /{usr/,}bin/gettext rix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/pager rPx -> child-pager, @@ -136,7 +136,7 @@ profile git @{exec_path} { /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/which rix, owner @{HOME}/.selected_editor r, diff --git a/apparmor.d/google-chrome-chrome b/apparmor.d/google-chrome-chrome index cd962e24d..bea277189 100644 --- a/apparmor.d/google-chrome-chrome +++ b/apparmor.d/google-chrome-chrome @@ -186,6 +186,10 @@ profile google-chrome-chrome @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open # file_inherit diff --git a/apparmor.d/google-chrome-google-chrome b/apparmor.d/google-chrome-google-chrome index d5bb1c17b..fbedbab4f 100644 --- a/apparmor.d/google-chrome-google-chrome +++ b/apparmor.d/google-chrome-google-chrome 
@@ -24,13 +24,13 @@ profile google-chrome-google-chrome @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/which rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/which rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cat rix, @{CHROME_INSTALLDIR}/chrome rPx, diff --git a/apparmor.d/gparted b/apparmor.d/gparted index 856f6e3a2..cc583ee32 100644 --- a/apparmor.d/gparted +++ b/apparmor.d/gparted @@ -18,14 +18,14 @@ profile gparted @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/id rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/rm rix, /{usr/,}lib/udisks2/udisks2-inhibit rix, /usr/libexec/udisks2/udisks2-inhibit rix, diff --git a/apparmor.d/gpartedbin b/apparmor.d/gpartedbin index 3d53afd05..49ad27e1e 100644 --- a/apparmor.d/gpartedbin +++ b/apparmor.d/gpartedbin @@ -44,7 +44,7 @@ profile gpartedbin @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/dmidecode rPx, /{usr/,}sbin/hdparm rPx, @@ -217,6 +217,10 @@ profile gpartedbin @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open # file_inherit diff --git a/apparmor.d/gpo b/apparmor.d/gpo index 50a7e93d9..7bd4f54ca 100644 --- a/apparmor.d/gpo +++ b/apparmor.d/gpo 
@@ -28,11 +28,11 @@ profile gpo @{exec_path} { /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/gpodder b/apparmor.d/gpodder index d9e7c1fe3..73fbd70d9 100644 --- a/apparmor.d/gpodder +++ b/apparmor.d/gpodder @@ -30,10 +30,9 @@ profile gpodder @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - - /{usr/,}bin/uname rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, owner @{HOME}/ r, owner @{HOME}/gPodder/ rw, @@ -79,6 +78,10 @@ profile gpodder @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/gpodder-migrate2tres b/apparmor.d/gpodder-migrate2tres index e4ca95928..4d111e14a 100644 --- a/apparmor.d/gpodder-migrate2tres +++ b/apparmor.d/gpodder-migrate2tres @@ -22,9 +22,9 @@ profile gpodder-migrate2tres @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/uname rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/gsmartcontrol-root b/apparmor.d/gsmartcontrol-root index 5e12622c8..e05197e85 100644 --- a/apparmor.d/gsmartcontrol-root +++ b/apparmor.d/gsmartcontrol-root 
@@ -19,11 +19,11 @@ profile gsmartcontrol-root @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which rix, + /{usr/,}bin/which rix, - /{usr/,}bin/pkexec rPx, + /{usr/,}bin/pkexec rPx, #include if exists } diff --git a/apparmor.d/gtk-youtube-viewer b/apparmor.d/gtk-youtube-viewer index b175fa2dd..f8a6fbae6 100644 --- a/apparmor.d/gtk-youtube-viewer +++ b/apparmor.d/gtk-youtube-viewer @@ -29,7 +29,7 @@ profile gtk-youtube-viewer @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/xterm rCx -> xterm, /{usr/,}bin/rxvt rCx -> xterm, @@ -71,8 +71,8 @@ profile gtk-youtube-viewer @{exec_path} { /{usr/,}bin/rxvt mr, /{usr/,}bin/urxvt mr, - /{usr/,}bin/zsh rix, - /{usr/,}bin/bash rix, + /{usr/,}bin/zsh rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/youtube-viewer rPx, @@ -102,6 +102,10 @@ profile gtk-youtube-viewer @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/hardinfo b/apparmor.d/hardinfo index 54a52b7b6..465055f7f 100644 --- a/apparmor.d/hardinfo +++ b/apparmor.d/hardinfo @@ -32,8 +32,7 @@ profile hardinfo @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/locale rix, /{usr/,}bin/ldd rix, /{usr/,}bin/tr rix, @@ -150,6 +149,10 @@ profile hardinfo @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/hw-probe b/apparmor.d/hw-probe index 8f1f76237..2142e01c8 100644 --- a/apparmor.d/hw-probe +++ b/apparmor.d/hw-probe 
@@ -25,7 +25,7 @@ profile hw-probe @{exec_path} { /{usr/,}bin/pwd rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gawk rix, /{usr/,}bin/sleep rix, /{usr/,}bin/md5sum rix, diff --git a/apparmor.d/hwinfo b/apparmor.d/hwinfo index d21cd145e..ad0927d8e 100644 --- a/apparmor.d/hwinfo +++ b/apparmor.d/hwinfo @@ -34,12 +34,12 @@ profile hwinfo @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}bin/udevadm rCx -> udevadm, + /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/udevadm rCx -> udevadm, - /{usr/,}sbin/dmraid rPUx, + /{usr/,}sbin/dmraid rPUx, @{PROC}/version r, @{PROC}/cmdline r, diff --git a/apparmor.d/i3lock-fancy b/apparmor.d/i3lock-fancy index 37e4c598f..02d024c41 100644 --- a/apparmor.d/i3lock-fancy +++ b/apparmor.d/i3lock-fancy @@ -21,18 +21,18 @@ profile i3lock-fancy @{exec_path} { #include @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/fc-match rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/env rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/fc-match rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/env rix, - /{usr/,}bin/i3lock rPx, - /{usr/,}bin/xrandr rPx, + /{usr/,}bin/i3lock rPx, + /{usr/,}bin/xrandr rPx, /{usr/,}bin/convert-im6.q16 rCx -> imagemagic, /{usr/,}bin/import-im6.q16 rCx -> imagemagic, diff --git a/apparmor.d/ifup b/apparmor.d/ifup index eff868669..d8839ada4 100644 --- a/apparmor.d/ifup +++ b/apparmor.d/ifup @@ -25,9 +25,9 @@ profile ifup @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/ip rix, - /{usr/,}bin/sleep rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ip rix, + /{usr/,}bin/sleep rix, /{usr/,}sbin/dhclient rPx, /{usr/,}bin/macchanger rPx, 
diff --git a/apparmor.d/initd-kexec b/apparmor.d/initd-kexec index 5bfb5f8d7..5cd404723 100644 --- a/apparmor.d/initd-kexec +++ b/apparmor.d/initd-kexec @@ -18,17 +18,17 @@ profile initd-kexec @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/tput rix, - /{usr/,}bin/echo rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/tput rix, + /{usr/,}bin/echo rix, - /{usr/,}sbin/kexec rPx, + /{usr/,}sbin/kexec rPx, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/systemctl rCx -> systemctl, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/systemctl rCx -> systemctl, /etc/default/kexec r, diff --git a/apparmor.d/initd-kexec-load b/apparmor.d/initd-kexec-load index 92620ba62..196d91da9 100644 --- a/apparmor.d/initd-kexec-load +++ b/apparmor.d/initd-kexec-load @@ -18,24 +18,24 @@ profile initd-kexec-load @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/awk rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/head rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/tput rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/awk rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/head rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/tput rix, - /{usr/,}sbin/kexec rPx, + /{usr/,}sbin/kexec rPx, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/systemctl rCx -> systemctl, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/systemctl rCx -> systemctl, /no-kexec-reboot rw, diff --git a/apparmor.d/initd-kmod b/apparmor.d/initd-kmod index 267d1f5b0..a74e5d00e 100644 --- a/apparmor.d/initd-kmod +++ b/apparmor.d/initd-kmod 
@@ -18,18 +18,18 @@ profile initd-kmod @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/tput rix, - /{usr/,}bin/id rix, - /{usr/,}bin/echo rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/tput rix, + /{usr/,}bin/id rix, + /{usr/,}bin/echo rix, + /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/kmod rPx, + /{usr/,}bin/kmod rPx, - /{usr/,}bin/run-parts rCx -> run-parts, - /{usr/,}bin/systemctl rCx -> systemctl, + /{usr/,}bin/run-parts rCx -> run-parts, + /{usr/,}bin/systemctl rCx -> systemctl, /etc/modules-load.d/*.conf r, /etc/modules r, diff --git a/apparmor.d/install-printerdriver b/apparmor.d/install-printerdriver index fbbf0fdb6..b520d5405 100644 --- a/apparmor.d/install-printerdriver +++ b/apparmor.d/install-printerdriver @@ -21,7 +21,7 @@ profile install-printerdriver @{exec_path} flags=(complain) { @{exec_path} mrix, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/python3.[0-9]* r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/inxi b/apparmor.d/inxi index 939daa9d3..702e75143 100644 --- a/apparmor.d/inxi +++ b/apparmor.d/inxi @@ -24,7 +24,7 @@ profile inxi @{exec_path} { /{usr/,}bin/perl r, /{usr/,}bin/ r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/zsh rix, /{usr/,}bin/tty rix, /{usr/,}bin/tput rix, diff --git a/apparmor.d/jdownloader b/apparmor.d/jdownloader index e2d88546e..87b9cac68 100644 --- a/apparmor.d/jdownloader +++ b/apparmor.d/jdownloader @@ -112,6 +112,10 @@ profile jdownloader @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/jdownloader-install b/apparmor.d/jdownloader-install index d85963a3d..6bbf2187f 100644 --- a/apparmor.d/jdownloader-install +++ b/apparmor.d/jdownloader-install 
@@ -27,24 +27,23 @@ profile jdownloader-install @{exec_path} { #include @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/which rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/df rix, - /{usr/,}bin/nohup rix, - - /{usr/,}bin/dash rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/which rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/df rix, + /{usr/,}bin/nohup rix, # Check for old JD installations deny /opt/ r, diff --git a/apparmor.d/jgmenu b/apparmor.d/jgmenu index 458e59ce8..8bff2daa1 100644 --- a/apparmor.d/jgmenu +++ b/apparmor.d/jgmenu @@ -27,15 +27,16 @@ profile jgmenu @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/dash rix, - /{usr/,}bin/zsh rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/find rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/zsh rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/find rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/cat rix, /{usr/,}lib/jgmenu/jgmenu-* rix, + owner @{HOME}/ r, owner @{HOME}/.jgmenu-lockfile rwk, owner @{HOME}/.config/tint2/tint2rc r, diff --git a/apparmor.d/kanyremote b/apparmor.d/kanyremote index 14eb2340f..7b044e101 100644 --- a/apparmor.d/kanyremote +++ b/apparmor.d/kanyremote 
@@ -32,25 +32,24 @@ profile kanyremote @{exec_path} { #include @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/id rix, - /{usr/,}bin/which rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/head rix, - /{usr/,}bin/find rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/id rix, + /{usr/,}bin/which rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/head rix, + /{usr/,}bin/find rix, - /{usr/,}bin/anyremote rPx, - /{usr/,}bin/ps rPx, + /{usr/,}bin/anyremote rPx, + /{usr/,}bin/ps rPx, - /{usr/,}bin/killall rCx -> killall, - /{usr/,}bin/pgrep rCx -> pgrep, + /{usr/,}bin/killall rCx -> killall, + /{usr/,}bin/pgrep rCx -> pgrep, /{usr/,}bin/pacmd rPUx, /{usr/,}bin/pactl rPUx, diff --git a/apparmor.d/kconfig-hardened-check b/apparmor.d/kconfig-hardened-check index 58d8fb4bb..b5d0f0555 100644 --- a/apparmor.d/kconfig-hardened-check +++ b/apparmor.d/kconfig-hardened-check @@ -29,7 +29,7 @@ profile kconfig-hardened-check @{exec_path} { @{PROC}/config.gz r, # This is for kernels, which are built manually - owner /**/.config r, + /**/.config r, #include if exists } diff --git a/apparmor.d/keepassxc b/apparmor.d/keepassxc index f31fed9e5..89b3c8298 100644 --- a/apparmor.d/keepassxc +++ b/apparmor.d/keepassxc @@ -126,6 +126,10 @@ profile keepassxc @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, /{usr/,}bin/geany rPUx, diff --git a/apparmor.d/kernel-install b/apparmor.d/kernel-install index 5dea937d7..e40fafb2b 100644 --- a/apparmor.d/kernel-install +++ b/apparmor.d/kernel-install 
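Review bot: Dropping `owner` from `/**/.config r,` in kconfig-hardened-check lets the tool read any file named `.config` anywhere in the filesystem regardless of who owns it, where before it was limited to the invoking user's own files. Root-owned, manually built kernel trees are presumably the motivation, but the glob also matches unrelated files of other users with that name; a narrower form such as `/usr/src/**/.config r,` kept alongside the original `owner /**/.config r,` covers that use case with less reach. The existing `# This is for kernels, which are built manually` comment could state the ownership reason explicitly.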
@@ -20,9 +20,7 @@ profile kernel-install @{exec_path} flags=(complain) { #include @{exec_path} r, - /{usr/,}bin/bash r, - - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/mountpoint rix, /{usr/,}bin/sort rix, diff --git a/apparmor.d/kodi b/apparmor.d/kodi index 47dc35f8a..8492c7fd1 100644 --- a/apparmor.d/kodi +++ b/apparmor.d/kodi @@ -30,7 +30,7 @@ profile kodi @{exec_path} { /{usr/,}lib/@{multiarch}/kodi/kodi.bin mrix, /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr rPx, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/mv rix, /{usr/,}bin/find rix, /{usr/,}bin/date rix, diff --git a/apparmor.d/kvm-ok b/apparmor.d/kvm-ok index 967b474ef..21a34a01d 100644 --- a/apparmor.d/kvm-ok +++ b/apparmor.d/kvm-ok @@ -18,15 +18,15 @@ profile kvm-ok @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/id rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/id rix, - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}sbin/rdmsr rPx, + /{usr/,}sbin/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, diff --git a/apparmor.d/lightworks b/apparmor.d/lightworks index 746cdff25..23212dc72 100644 --- a/apparmor.d/lightworks +++ b/apparmor.d/lightworks @@ -19,13 +19,13 @@ profile lightworks @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}lib/lightworks/ntcardvt rPx, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/od rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/od rix, owner @{HOME}/Lightworks/{,**/} w, owner @{HOME}/Lightworks/Projects/DefNetDrive.txt w, diff --git a/apparmor.d/linssid b/apparmor.d/linssid index 6b899cb1c..531a785d7 100644 --- a/apparmor.d/linssid +++ b/apparmor.d/linssid 
@@ -35,8 +35,8 @@ profile linssid @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/dash rix,
- /{usr/,}bin/cat rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
 # When linssid is run as root, it wants to exec dbus-launch, and hence it creates the two
 # following root processes:
diff --git a/apparmor.d/lintian b/apparmor.d/lintian
deleted file mode 100644
index 73af38579..000000000
--- a/apparmor.d/lintian
+++ /dev/null
@@ -1,194 +0,0 @@ -# vim:syntax=apparmor -# ------------------------------------------------------------------ -# -# Copyright (C) 2020 Mikhail Morfikov -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# ------------------------------------------------------------------ - -#abi , - -#include - -@{BUILD_DIR} = /media/debuilder/ - -@{exec_path} = /usr/share/lintian/bin/lintian -@{exec_path} += /usr/share/lintian/bin/lintian-info -@{exec_path} += /usr/share/lintian/bin/spellintian -@{exec_path} += /{usr/,}bin/lintian -@{exec_path} += /{usr/,}bin/lintian-info -@{exec_path} += /{usr/,}bin/spellintian -profile lintian @{exec_path} flags=(complain) { - #include - #include - #include - - capability sys_ptrace, - - ptrace (read), - - @{exec_path} r, - /{usr/,}bin/perl r, - - /usr/share/lintian/helpers/** rix, - - /{usr/,}bin/dash rix, - /{usr/,}bin/fgrep rix, - /{usr/,}bin/env rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/nproc rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/find rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/file rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/sha{1,256,512}sum rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/filterdiff rix, - /{usr/,}bin/lexgrog rix, - /{usr/,}bin/mv rix, - /usr/bin/cp rix, - - /{usr/,}bin/{,@{multiarch}-}ar rix, - /{usr/,}bin/{,@{multiarch}-}readelf rix, - /{usr/,}bin/{,@{multiarch}-}strings rix, - - /{usr/,}bin/dpkg-source rcx -> dpkg-source, - /{usr/,}bin/gpg rCx -> gpg, - - /{usr/,}bin/dpkg-deb rPx, - /{usr/,}bin/man rPx, - /{usr/,}bin/dpkg-architecture rPx, - - /usr/share/intltool-debian/* rCx -> intltool, - - /usr/share/lintian/{,**} rk, - - /etc/lintianrc r, - - /etc/xml/catalog r, - - /dev/null rwk, - - # For file - /etc/magic r, - - owner /tmp/lintian-pool-*/ rw, - owner /tmp/lintian-pool-*/** rwkl -> 
/tmp/lintian-pool-*/**, - - # For gpg - owner /tmp/*/ rw, - owner /tmp/*/pubring.kbx w, - owner /tmp/*/random_seed w, - - owner /tmp/* rw, - owner /tmp/lintian-po-debconf-*/ rw, - owner /tmp/lintian-po-debconf-*/** rw, - - # For pbuilder - owner @{BUILD_DIR}/**.{changes,dsc,buildinfo,tar.*,deb} rk, - owner @{HOME}/**.{changes,dsc,buildinfo,tar.*,deb} rk, - - @{PROC}/ r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pid}/environ r, - - /dev/ r, - /dev/**/ r, - - /etc/apt/apt.conf r, - /etc/apt/apt.conf.d/{,*} r, - - /etc/dpkg/origins/debian r, - /usr/share/dpkg/{cpu,tuple}table r, - - - profile dpkg-source flags=(complain) { - #include - #include - #include - - /{usr/,}bin/dpkg-source mr, - /{usr/,}bin/perl r, - - /{usr/,}bin/tar rix, - /{usr/,}bin/bunzip2 rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/patch rix, - - /etc/dpkg/origins/debian r, - - owner /tmp/lintian-pool-*/** rw, - - owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, - owner @{HOME}/** rwkl -> @{HOME}/**, - audit deny owner @{HOME}/.* mrwkl, - audit deny owner @{HOME}/.*/ rw, - audit deny owner @{HOME}/.*/** mrwkl, - - # file_inherit - owner /tmp/* rw, - - } - - profile gpg flags=(complain) { - #include - - /{usr/,}bin/gpg mr, - - owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r, - owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/trustdb.gpg rw, - owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/pubring.kbx rw, - owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*.gpg rw, - owner /tmp/*.gpg~ w, - owner /tmp/*.gpg.tmp rw, - owner 
/tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner @{run}/user/[0-9]*/gnupg/d.*/ rw, - - # file_inherit - owner /tmp/* rw, - - } - - - profile intltool flags=(complain) { - #include - #include - - /usr/share/intltool-debian/* mrix, - - /usr/bin/dash rix, - /usr/bin/xgettext rix, - - /usr/share/gettext/** r, - /usr/share/gettext-*/** r, - - owner /tmp/lintian-po-debconf-*/** rw, - - # file_inherit - owner /tmp/* rw, - - } - - #include if exists -} diff --git a/apparmor.d/linux-check-removal b/apparmor.d/linux-check-removal index ffd509b7c..0595f00c5 100644 --- a/apparmor.d/linux-check-removal +++ b/apparmor.d/linux-check-removal @@ -38,12 +38,12 @@ profile linux-check-removal @{exec_path} flags=(complain) { /{usr/,}bin/linux-check-removal rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, # The following is needed when debconf uses dialog/whiptail frontend. - /{usr/,}bin/whiptail rPx, + /{usr/,}bin/whiptail rPx, owner /tmp/file* w, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/localepurge b/apparmor.d/localepurge index 36078d82b..4ac3c1143 100644 --- a/apparmor.d/localepurge +++ b/apparmor.d/localepurge 
@@ -19,24 +19,24 @@ profile localepurge @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/fgrep rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/du rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/find rix, + /{usr/,}bin/fgrep rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/du rix, + /{usr/,}bin/xargs rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/find rix, - /{usr/,}bin/df rPx, + /{usr/,}bin/df rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/logrotate b/apparmor.d/logrotate index ea8adf601..885d19074 100644 --- a/apparmor.d/logrotate +++ b/apparmor.d/logrotate @@ -27,10 +27,13 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { capability setuid, capability fsetid, capability fowner, + capability net_admin, @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}sbin/ r, + + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ls rix, /{usr/,}bin/gzip rix, /{usr/,}sbin/invoke-rc.d rix, @@ -54,7 +57,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected,complain) { /etc/logrotate.d/ r, /etc/logrotate.d/* rk, - /var/lib/logrotate/status{,.tmp} rw, + /var/lib/logrotate/status rwk, + /var/lib/logrotate/status.tmp rw, /var/log/** rw, diff --git a/apparmor.d/lsinitramfs b/apparmor.d/lsinitramfs index 5fced5451..e95b9c909 100644 --- a/apparmor.d/lsinitramfs +++ b/apparmor.d/lsinitramfs 
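Review bot: `capability net_admin,` is added to logrotate without a comment saying which operation needs it; net_admin is a broad capability (interface and routing configuration, privileged socket options) and is unusual for a log rotation tool. It may be inherited from `/{usr/,}sbin/invoke-rc.d rix,` restarting services, in which case confining that child under its own profile would keep the capability out of logrotate itself — worth a comment either way, e.g. `# net_admin: needed by <WHICH COMMAND> — confirm from the audit log`. The profile is `flags=(attach_disconnected,complain)`, so the grant is not enforced yet, which makes this the right moment to document it. The profile block starts outside the hunk.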
@@ -18,10 +18,10 @@ profile lsinitramfs @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/getopt rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/getopt rix, /{usr/,}bin/unmkinitramfs rPx, diff --git a/apparmor.d/lynx b/apparmor.d/lynx index 24a660c59..d04276522 100644 --- a/apparmor.d/lynx +++ b/apparmor.d/lynx @@ -30,7 +30,7 @@ profile lynx @{exec_path} { /etc/mime.types r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /etc/mailcap r, owner /tmp/lynxXXXX*/ rw, diff --git a/apparmor.d/megasync b/apparmor.d/megasync index 0dd557e2b..d9ec33f11 100644 --- a/apparmor.d/megasync +++ b/apparmor.d/megasync @@ -36,14 +36,14 @@ profile megasync @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/bash rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/gawk rix, - /{usr/,}bin/xrdb rPx, - /{usr/,}bin/xdg-mime rPx, + /{usr/,}bin/xrdb rPx, + /{usr/,}bin/xdg-mime rPx, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-open rCx -> open, # Megasync home files owner @{HOME}/ r, @@ -96,6 +96,11 @@ profile megasync @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + owner "@{HOME}/.local/share/data/Mega Limited/MEGAsync/" r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, /{usr/,}bin/spacefm rPx, diff --git a/apparmor.d/minitube b/apparmor.d/minitube index 708aa33a3..558b7c07a 100644 --- a/apparmor.d/minitube +++ b/apparmor.d/minitube @@ -105,6 +105,10 @@ profile minitube @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/mke2fs b/apparmor.d/mke2fs index 4c5b845c4..5b90f2083 100644 --- a/apparmor.d/mke2fs +++ b/apparmor.d/mke2fs 
@@ -22,7 +22,7 @@ profile mke2fs @{exec_path} { @{exec_path} mr, # To check for badblocks - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}sbin/badblocks rPx, /etc/mke2fs.conf r, diff --git a/apparmor.d/mkinitramfs b/apparmor.d/mkinitramfs index c2e4f5ee5..304d51a8e 100644 --- a/apparmor.d/mkinitramfs +++ b/apparmor.d/mkinitramfs 
@@ -24,37 +24,49 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tsort rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/id rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cpio rix, - /{usr/,}bin/env rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/tr rix, + /{usr/,}sbin/ r, + /{usr/,}bin/ r, + /{usr/,}lib/ r, + /{usr/,}lib64/ r, - /{usr/,}bin/ldd rCx -> ldd, - /{usr/,}sbin/ldconfig rCx -> ldconfig, - /{usr/,}bin/find rCx -> find, - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/getopt rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/ln rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/tsort rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/id rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/env rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/tr rix, - /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/cpio rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/lzma rix, + /{usr/,}bin/lzop rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/zstd rix, + + /{usr/,}bin/ldd rCx -> ldd, + /{usr/,}sbin/ldconfig rCx -> ldconfig, + /{usr/,}bin/find rCx -> find, + /{usr/,}bin/kmod rCx -> kmod, + + /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/linux-version rPx, # What to do with it? (#FIXME#) /usr/share/initramfs-tools/hooks/* rPUx, 
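Review bot: `/{usr/,}bin/linux-version rPx,` transitions into a `linux-version` profile that this commit does not add, so unless that profile already exists the exec will be denied and mkinitramfs will fail at that step. The same hunk already uses `rPUx` for targets that may be unconfined (`/usr/share/initramfs-tools/hooks/* rPUx`), so either confirm the profile exists or write `/{usr/,}bin/linux-version rPUx,` with a comment explaining the fallback, or `rix` if the helper needs nothing beyond what mkinitramfs already has.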
@@ -65,12 +77,17 @@ profile mkinitramfs @{exec_path} { /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, + # For shell pwd / r, /etc/ r, + /root/ r, + /etc/modprobe.d/{,*.conf} r, + /boot/ r, owner /boot/initrd.img-*.new rw, + /var/tmp/ r, owner /var/tmp/mkinitramfs_*/ rw, owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**, /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, @@ -86,7 +103,7 @@ profile mkinitramfs @{exec_path} { /{usr/,}bin/ldd mr, /{usr/,}bin/kmod mr, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}lib/@{multiarch}/ld-*.so rix, /{usr/,}lib{,x}32/ld-*.so rix, @@ -124,6 +141,7 @@ profile mkinitramfs @{exec_path} { # pwd dir / r, + /etc/ r, /root/ r, /usr/share/initramfs-tools/scripts/{,**/} r, diff --git a/apparmor.d/mumble b/apparmor.d/mumble index 94ae54275..d03c9d633 100644 --- a/apparmor.d/mumble +++ b/apparmor.d/mumble @@ -84,6 +84,10 @@ profile mumble @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/mumble-overlay b/apparmor.d/mumble-overlay index 60af44bbe..747eee910 100644 --- a/apparmor.d/mumble-overlay +++ b/apparmor.d/mumble-overlay @@ -20,12 +20,12 @@ profile mumble-overlay @{exec_path} { #include @{exec_path} r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/file rix, - /{usr/,}bin/which rix, + /{usr/,}bin/file rix, + /{usr/,}bin/which rix, - /{usr/,}bin/glxgears rPx, + /{usr/,}bin/glxgears rPx, /etc/magic r, diff --git a/apparmor.d/okular b/apparmor.d/okular index ecb25b053..0737ef28b 100644 --- a/apparmor.d/okular +++ b/apparmor.d/okular @@ -109,6 +109,10 @@ profile okular @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/on-ac-power b/apparmor.d/on-ac-power index 64907d27d..0d70d4019 100644 
--- a/apparmor.d/on-ac-power +++ b/apparmor.d/on-ac-power @@ -18,10 +18,10 @@ profile on-ac-power @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/awk rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/awk rix, + /{usr/,}bin/cat rix, @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @@ -29,5 +29,7 @@ profile on-ac-power @{exec_path} { @{PROC}/pmu/info r, @{PROC}/apm r, + / r, + #include if exists } diff --git a/apparmor.d/openbox b/apparmor.d/openbox index 61200bdfa..66bbb6c6b 100644 --- a/apparmor.d/openbox +++ b/apparmor.d/openbox @@ -61,8 +61,8 @@ profile openbox @{exec_path} { /{usr/,}lib/@{multiarch}/openbox-autostart mr, /{usr/,}lib/@{multiarch}/openbox-xdg-autostart rix, - /{usr/,}bin/dash rix, - /{usr/,}bin/which rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/which rix, # Apps allowed to run /{usr/,}bin/* rPUx, @@ -72,10 +72,10 @@ profile openbox @{exec_path} { /usr/local/lib/python*/dist-packages/ r, + owner @{HOME}/ r, owner @{HOME}/.config/openbox/autostart r, - /etc/xdg/openbox/autostart r, - owner @{HOME}/.config/autostart/{,*} r, + /etc/xdg/openbox/autostart r, /etc/xdg/autostart/{,*} r, # file_inherit diff --git a/apparmor.d/openbox-session b/apparmor.d/openbox-session index 1435d1649..64d6c63ba 100644 --- a/apparmor.d/openbox-session +++ b/apparmor.d/openbox-session @@ -19,10 +19,10 @@ profile openbox-session @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/xprop rPx, - /{usr/,}bin/openbox rPx, + /{usr/,}bin/xprop rPx, + /{usr/,}bin/openbox rPx, /etc/xdg/openbox/environment r, owner @{HOME}/.config/openbox/environment r, diff --git a/apparmor.d/openvpn b/apparmor.d/openvpn index 22021a108..4bbcdc9d1 100644 --- a/apparmor.d/openvpn +++ b/apparmor.d/openvpn 
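Review bot: The second openbox hunk drops `owner @{HOME}/.config/autostart/{,*} r,` while only re-ordering the `/etc/xdg/openbox/autostart r,` rule around it, so per-user XDG autostart entries, which the profile's `openbox-xdg-autostart rix` rule in the first hunk presumably reads, would now be denied. Nothing else in the commit replaces that rule and the removal is unrelated to the shell-glob cleanup, so it looks accidental; if it is intended, a comment saying why is warranted, otherwise restore `owner @{HOME}/.config/autostart/{,*} r,` next to `/etc/xdg/autostart/{,*} r,`.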
@@ -75,10 +75,10 @@ profile openvpn @{exec_path} { /etc/openvpn/update-resolv-conf.sh r, - /{usr/,}bin/bash rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/which rix, - /{usr/,}bin/ip rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/which rix, + /{usr/,}bin/ip rix, /{usr/,}sbin/xtables-nft-multi rix, /etc/iproute2/rt_tables r, @@ -93,16 +93,16 @@ profile openvpn @{exec_path} { capability net_admin, + /etc/openvpn/ r, /etc/openvpn/force-user-traffic-via-vpn.sh r, - /{usr/,}bin/dash rix, - #/{usr/,}bin/bash rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/ip rix, - /{usr/,}sbin/nft rix, - /{usr/,}bin/env rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/ip rix, + /{usr/,}sbin/nft rix, + /{usr/,}bin/env rix, /etc/iproute2/rt_realms r, /etc/iproute2/group r, diff --git a/apparmor.d/opera b/apparmor.d/opera index e1e4d3fe0..03b86d946 100644 --- a/apparmor.d/opera +++ b/apparmor.d/opera @@ -183,8 +183,11 @@ profile opera @{exec_path} { /{usr/,}bin/xdg-open mr, - # Allowed apps to open + owner @{HOME}/ r, + owner @{run}/user/[0-9]*/ r, + + # Allowed apps to open # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/orage b/apparmor.d/orage index 5b584b03c..4c0eeb861 100644 --- a/apparmor.d/orage +++ b/apparmor.d/orage @@ -58,6 +58,10 @@ profile orage @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/pam-auth-update b/apparmor.d/pam-auth-update index 555ed9331..2c9f606c9 100644 --- a/apparmor.d/pam-auth-update +++ b/apparmor.d/pam-auth-update 
@@ -44,9 +44,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { /{usr/,}sbin/pam-auth-update rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, diff --git a/apparmor.d/parted b/apparmor.d/parted index fbf5f4d16..919fc7e24 100644 --- a/apparmor.d/parted +++ b/apparmor.d/parted @@ -34,7 +34,7 @@ profile parted @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/udevadm rCx -> udevadm, diff --git a/apparmor.d/partprobe b/apparmor.d/partprobe index 49d48dc1e..c75080c6c 100644 --- a/apparmor.d/partprobe +++ b/apparmor.d/partprobe @@ -33,7 +33,7 @@ profile partprobe @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/udevadm rCx -> udevadm, diff --git a/apparmor.d/popcon-largest-unused b/apparmor.d/popcon-largest-unused index 0a77f5f70..10842b5f5 100644 --- a/apparmor.d/popcon-largest-unused +++ b/apparmor.d/popcon-largest-unused @@ -21,13 +21,13 @@ profile popcon-largest-unused @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/xargs rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/xargs rix, - /{usr/,}bin/apt-cache rPx, + /{usr/,}bin/apt-cache rPx, /var/log/popularity-contest r, diff --git a/apparmor.d/popularity-contest b/apparmor.d/popularity-contest index 25dce7849..8689cfb1b 100644 --- a/apparmor.d/popularity-contest +++ b/apparmor.d/popularity-contest 
@@ -31,13 +31,16 @@ profile popularity-contest @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/env rix, /{usr/,}bin/dpkg-query rPx, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert, + # For shell pwd + /root/ r, + /etc/popularity-contest.conf r, /etc/dpkg/origins/debian r, @@ -48,8 +51,12 @@ profile popularity-contest @{exec_path} { @{PROC}/ r, - # file_inherit + /var/log/ r, /var/log/popularity-contest.new w, + + /var/lib/ r, + + # file_inherit /tmp/#[0-9]*[0-9] rw, #include if exists diff --git a/apparmor.d/psi-plus b/apparmor.d/psi-plus index 6fa656837..38a27f335 100644 --- a/apparmor.d/psi-plus +++ b/apparmor.d/psi-plus @@ -141,6 +141,10 @@ profile psi-plus @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/qbittorrent b/apparmor.d/qbittorrent index c30cc747e..a89c29b9b 100644 --- a/apparmor.d/qbittorrent +++ b/apparmor.d/qbittorrent @@ -145,7 +145,11 @@ profile qbittorrent @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, + + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}bin/spacefm rPx, diff --git a/apparmor.d/qnapi b/apparmor.d/qnapi index 41c0bf53f..2a1361bef 100644 --- a/apparmor.d/qnapi +++ b/apparmor.d/qnapi @@ -129,6 +129,10 @@ profile qnapi @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/qpdfview b/apparmor.d/qpdfview index 8bf7f459f..73d6b2a72 100644 --- a/apparmor.d/qpdfview +++ b/apparmor.d/qpdfview @@ -109,6 +109,10 @@ profile qpdfview @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, 
diff --git a/apparmor.d/qt5ct b/apparmor.d/qt5ct index a0726c59c..88cd43efd 100644 --- a/apparmor.d/qt5ct +++ b/apparmor.d/qt5ct @@ -30,9 +30,7 @@ profile qt5ct @{exec_path} { @{exec_path} mr, owner @{HOME}/.config/qt5ct/ rw, - owner @{HOME}/.config/qt5ct/** rwk, - owner @{HOME}/.config/qt5ct/qt5ct.conf.* rwl -> @{HOME}/.config/qt5ct/#[0-9]*[0-9], - owner @{HOME}/.config/qt5ct/colors/*.conf rwl -> @{HOME}/.config/qt5ct/colors/#[0-9]*[0-9], + owner @{HOME}/.config/qt5ct/** rwkl -> @{HOME}/.config/qt5ct/#[0-9]*[0-9], owner @{HOME}/.config/fontconfig/ rw, owner @{HOME}/.config/fontconfig/** rw, diff --git a/apparmor.d/querybts b/apparmor.d/querybts index 424bd77c0..c7bfd0f18 100644 --- a/apparmor.d/querybts +++ b/apparmor.d/querybts @@ -31,13 +31,13 @@ profile querybts @{exec_path} { /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/ r, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}sbin/ldconfig rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}sbin/ldconfig rix, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/dpkg rPx -> child-dpkg, + /{usr/,}bin/dpkg rPx -> child-dpkg, /etc/reportbug.conf r, owner @{HOME}/.reportbugrc r, @@ -64,6 +64,10 @@ profile querybts @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/quiterss b/apparmor.d/quiterss index 59ee8b5a7..e73f0eb67 100644 --- a/apparmor.d/quiterss +++ b/apparmor.d/quiterss @@ -95,6 +95,10 @@ profile quiterss @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/repo b/apparmor.d/repo index a7ff2efe3..62536305c 100644 --- a/apparmor.d/repo +++ b/apparmor.d/repo 
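Review bot: The consolidated `owner @{HOME}/.config/qt5ct/** rwkl -> @{HOME}/.config/qt5ct/#[0-9]*[0-9],` narrows the link target compared with the two rules it replaces: `*` does not cross a directory boundary, so the target no longer matches `@{HOME}/.config/qt5ct/colors/#[0-9]*[0-9]`, which the removed colors rule allowed. Atomic saves of `colors/*.conf` that link to a temporary name inside the colors directory would now be denied. `owner @{HOME}/.config/qt5ct/** rwkl -> @{HOME}/.config/qt5ct/{,colors/}#[0-9]*[0-9],` keeps the single-rule form while preserving the previous coverage.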
@@ -28,7 +28,7 @@ profile repo @{exec_path} flags=(complain) { /{usr/,}bin/ r, /{usr/,}bin/env rix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/uname rix, /{usr/,}bin/git rix, diff --git a/apparmor.d/reportbug b/apparmor.d/reportbug index dc7c5c1a4..c2abcbf0f 100644 --- a/apparmor.d/reportbug +++ b/apparmor.d/reportbug @@ -34,8 +34,7 @@ profile reportbug @{exec_path} { /{usr/,}bin/ r, /{usr/,}sbin/ldconfig rix, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/stty rix, /{usr/,}bin/readlink rix, /{usr/,}bin/locale rix, @@ -64,7 +63,10 @@ profile reportbug @{exec_path} { /etc/** r, /etc/reportbug.conf r, - owner @{HOME}/.reportbugrc r, + owner @{HOME}/.reportbugrc{,~} rw, + + # For shell pwd + owner @{HOME}/ r, # Think what to do with it (#FIXME#) /usr/share/bug/*/{control,presubj} r, @@ -111,6 +113,10 @@ profile reportbug @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/run-parts b/apparmor.d/run-parts index 7af7e71ff..2fbf74f32 100644 --- a/apparmor.d/run-parts +++ b/apparmor.d/run-parts @@ -50,11 +50,12 @@ profile run-parts @{exec_path} { profile motd { #include + / r, /etc/update-motd.d/[0-9]*-[a-z]* r, - /{usr/,}bin/dash r, - /{usr/,}bin/uname rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/cat rix, } 
@@ -65,25 +66,24 @@ profile run-parts @{exec_path} { /etc/kernel/header_postinst.d/* r, /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - /{usr/,}bin/bash r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/which rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/which rix, - /{usr/,}bin/kmod rix, + /{usr/,}bin/kmod rix, /{usr/,}bin/dpkg rPx -> child-dpkg, @@ -97,7 +97,11 @@ profile run-parts @{exec_path} { /{usr/,}sbin/update-grub rPUx, /{usr/,}bin/systemd-detect-virt rPUx, + # For shell pwd / r, + /boot/ r, + + /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, # For kmod diff --git a/apparmor.d/scrot b/apparmor.d/scrot index c7b6acf38..86c8c842b 100644 --- a/apparmor.d/scrot +++ b/apparmor.d/scrot @@ -22,8 +22,8 @@ profile scrot @{exec_path} { @{exec_path} mr, # "mv" is needed to change the image dir - /{usr/,}bin/dash rix, - /{usr/,}bin/mv rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/mv rix, # The image dir owner @{HOME}/*.png rw, diff --git a/apparmor.d/sddm b/apparmor.d/sddm index 7015ad478..73c349715 100644 --- a/apparmor.d/sddm +++ b/apparmor.d/sddm @@ -71,7 +71,7 @@ profile sddm @{exec_path} { @{exec_path} mr, /{usr/,}lib/@{multiarch}/sddm/sddm-helper rix, - /{usr/,}bin/dash mrix, + /{usr/,}bin/{,ba,da}sh mrix, /{usr/,}bin/sddm-greeter rPx, /etc/sddm/Xsession rPx, 
@@ -177,14 +177,14 @@ profile sddm @{exec_path} { /usr/share/sddm/scripts/Xstop r, /usr/share/sddm/scripts/wayland-session r, /usr/share/sddm/scripts/Xsession r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/zsh rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/zsh rix, - /{usr/,}bin/id rix, - /{usr/,}bin/flatpak rPUx, - /{usr/,}bin/sway rPUx, + /{usr/,}bin/id rix, + /{usr/,}bin/flatpak rPUx, + /{usr/,}bin/sway rPUx, /{usr/,}bin/dbus-run-session rix, /{usr/,}bin/dbus-daemon rPUx, diff --git a/apparmor.d/sddm-xsession b/apparmor.d/sddm-xsession index 600400d2b..a24295d3f 100644 --- a/apparmor.d/sddm-xsession +++ b/apparmor.d/sddm-xsession @@ -21,26 +21,25 @@ profile sddm-xsession @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/which rix, - /{usr/,}bin/id rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/date rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/tempfile rix, - /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/which rix, + /{usr/,}bin/id rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/date rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/tempfile rix, + /{usr/,}bin/mktemp rix, /{usr/,}bin/ r, - /{usr/,}bin/bash rix, - /{usr/,}bin/zsh rix, - /{usr/,}bin/tcsh rix, - /{usr/,}bin/csh rix, - /{usr/,}bin/fish rix, + /{usr/,}bin/zsh rix, + /{usr/,}bin/tcsh rix, + /{usr/,}bin/csh rix, + /{usr/,}bin/fish rix, /usr/local/bin/ r, diff --git a/apparmor.d/smtube b/apparmor.d/smtube index fca4c4066..85a421f95 100644 --- a/apparmor.d/smtube +++ b/apparmor.d/smtube @@ -91,6 +91,10 @@ profile smtube @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, 
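Review bot: After this hunk the sddm child profile contains `/{usr/,}bin/{,ba,da}sh rix,` twice, once replacing the `dash r` line and once replacing the `bash rix` line; the second copy is redundant and should be dropped so the rule set stays minimal. Merging the two also promotes dash from `r` to `rix` in this profile; if the read alone was what the session scripts needed, the first occurrence should stay `/{usr/,}bin/{,ba,da}sh r,` and only the exec rule carry `ix`. The enclosing child profile starts and ends outside the hunk.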
diff --git a/apparmor.d/spacefm-auth b/apparmor.d/spacefm-auth index 4c00a775c..cfa280578 100644 --- a/apparmor.d/spacefm-auth +++ b/apparmor.d/spacefm-auth @@ -18,7 +18,7 @@ profile spacefm-auth @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, #include if exists } diff --git a/apparmor.d/spectre-meltdown-checker b/apparmor.d/spectre-meltdown-checker index 528180317..6033900ba 100644 --- a/apparmor.d/spectre-meltdown-checker +++ b/apparmor.d/spectre-meltdown-checker 
@@ -24,46 +24,46 @@ profile spectre-meltdown-checker @{exec_path} { capability syslog, @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/head rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/od rix, - /{usr/,}bin/dd rix, - /{usr/,}bin/id rix, - /{usr/,}bin/gunzip rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/stat rix, - /{usr/,}bin/tail rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/seq rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/base64 rix, - /{usr/,}bin/unzip rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/head rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/od rix, + /{usr/,}bin/dd rix, + /{usr/,}bin/id rix, + /{usr/,}bin/gunzip rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/seq rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/perl rix, + /{usr/,}bin/base64 rix, + /{usr/,}bin/unzip rix, /{usr/,}bin/{,@{multiarch}-}readelf rix, /{usr/,}bin/{,@{multiarch}-}strings rix, /{usr/,}bin/{,@{multiarch}-}objdump rix, /{usr/,}sbin/iucode_tool rix, /{usr/,}bin/dmesg rix, - /{usr/,}bin/pgrep rCx -> pgrep, - /{usr/,}bin/ccache rCx -> ccache, - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/pgrep rCx -> pgrep, + /{usr/,}bin/ccache rCx -> ccache, + /{usr/,}bin/kmod rCx -> kmod, # To fetch MCE.db from the MCExtractor project - /{usr/,}bin/wget rCx -> mcedb, - /{usr/,}bin/sqlite3 rCx -> mcedb, + /{usr/,}bin/wget rCx -> mcedb, + /{usr/,}bin/sqlite3 rCx -> mcedb, owner /tmp/mcedb-* rw, owner /tmp/smc-* rw, owner /tmp/intelfw-*/ rw, 
diff --git a/apparmor.d/startx b/apparmor.d/startx index bed435c55..8f7ffaf6c 100644 --- a/apparmor.d/startx +++ b/apparmor.d/startx @@ -21,29 +21,33 @@ profile startx @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/hostname rix, - /{usr/,}bin/mcookie rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/tty rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/deallocvt rix, + /{usr/,}bin/hostname rix, + /{usr/,}bin/mcookie rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/tty rix, + /{usr/,}bin/expr rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/deallocvt rix, - /{usr/,}bin/xauth rPx, - /{usr/,}bin/xinit rPx, + /{usr/,}bin/xauth rPx, + /{usr/,}bin/xinit rPx, /etc/X11/xinit/xinitrc r, /etc/X11/xinit/xserverrc r, + owner @{HOME}/ r, owner @{HOME}/.xinitrc r, owner @{HOME}/.xserverrc r, + /tmp/ r, owner /tmp/serverauth.* rw, + /dev/ r, owner /dev/tty[0-9]* rw, + #include if exists } diff --git a/apparmor.d/strawberry b/apparmor.d/strawberry index a7f855a59..453902912 100644 --- a/apparmor.d/strawberry +++ b/apparmor.d/strawberry @@ -122,6 +122,10 @@ profile strawberry @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/suid3num b/apparmor.d/suid3num index c4bbdf3d7..2963f9330 100644 --- a/apparmor.d/suid3num +++ b/apparmor.d/suid3num @@ -26,7 +26,7 @@ profile suid3num @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, - /usr/bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /usr/bin/find rix, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/synaptic b/apparmor.d/synaptic index 3f3c48736..398674928 100644 --- a/apparmor.d/synaptic +++ b/apparmor.d/synaptic 
@@ -72,13 +72,13 @@ profile synaptic @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/test rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/test rix, + /{usr/,}bin/{,e}grep rix, # For update-apt-xapian-index - /{usr/,}bin/nice rix, - /{usr/,}bin/ionice rix, + /{usr/,}bin/nice rix, + /{usr/,}bin/ionice rix, # When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: @@ -133,6 +133,7 @@ profile synaptic @{exec_path} { /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, + /tmp/ r, owner /tmp/apt-dpkg-install-*/ rw, owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, diff --git a/apparmor.d/syncthing b/apparmor.d/syncthing index 0c44da154..d3d6a3ce3 100644 --- a/apparmor.d/syncthing +++ b/apparmor.d/syncthing @@ -49,6 +49,10 @@ profile syncthing @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/system-config-printer b/apparmor.d/system-config-printer index 60774c06f..65ef0ef70 100644 --- a/apparmor.d/system-config-printer +++ b/apparmor.d/system-config-printer @@ -28,7 +28,7 @@ profile system-config-printer @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/python3.[0-9]* r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/system-config-printer-applet b/apparmor.d/system-config-printer-applet index eab7e8d78..22f0e2cd0 100644 --- a/apparmor.d/system-config-printer-applet +++ b/apparmor.d/system-config-printer-applet @@ -22,7 +22,7 @@ profile system-config-printer-applet @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/python3.[0-9]* r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/tasksel b/apparmor.d/tasksel index 0748ba289..890e721a2 100644 --- a/apparmor.d/tasksel +++ b/apparmor.d/tasksel 
@@ -21,7 +21,7 @@ profile tasksel @{exec_path} flags=(complain) { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/tempfile rix, /{usr/,}lib/tasksel/tasksel-debconf rix, @@ -47,7 +47,7 @@ profile tasksel @{exec_path} flags=(complain) { #include /{usr/,}lib/tasksel/tests/* r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, } @@ -62,9 +62,9 @@ profile tasksel @{exec_path} flags=(complain) { /{usr/,}bin/tasksel rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, # The following is needed when debconf uses dialog/whiptail frontend. /{usr/,}bin/whiptail rPx, diff --git a/apparmor.d/telegram-desktop b/apparmor.d/telegram-desktop index da228e37c..a8d0ffcf9 100644 --- a/apparmor.d/telegram-desktop +++ b/apparmor.d/telegram-desktop @@ -90,7 +90,11 @@ profile telegram-desktop @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, + + owner @{TELEGRAM_WORK_DIR}/ r, + + owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}lib/firefox/firefox rPx, diff --git a/apparmor.d/thunderbird b/apparmor.d/thunderbird index 7584e8fe4..a516ed3a8 100644 --- a/apparmor.d/thunderbird +++ b/apparmor.d/thunderbird @@ -53,15 +53,14 @@ profile thunderbird @{exec_path} { @{exec_path} mrix, @{MOZ_LIBDIR}/thunderbird-wrapper-helper.sh rix, - /{usr/,}bin/dash rix, - /{usr/,}bin/bash rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/date rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/which rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/date rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/which rix, - /{usr/,}bin/ps rPx, - /{usr/,}bin/dig rix, + /{usr/,}bin/ps rPx, + /{usr/,}bin/dig rix, # Thunderbird files /usr/share/thunderbird/{,**} r, 
@@ -245,6 +244,10 @@ profile thunderbird @{exec_path} { /{usr/,}bin/exo-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, /{usr/,}bin/qpdfview rPUx, diff --git a/apparmor.d/tint2conf b/apparmor.d/tint2conf index b788fecc7..79a76d7c5 100644 --- a/apparmor.d/tint2conf +++ b/apparmor.d/tint2conf @@ -24,9 +24,9 @@ profile tint2conf @{exec_path} { @{exec_path} mr, - /{usr/,}bin/tint2 rPx, + /{usr/,}bin/tint2 rPx, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /usr/share/tint2/{,*} r, diff --git a/apparmor.d/torify b/apparmor.d/torify index a296fa98f..279db4236 100644 --- a/apparmor.d/torify +++ b/apparmor.d/torify @@ -18,7 +18,7 @@ profile torify @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, #include if exists } diff --git a/apparmor.d/torsocks b/apparmor.d/torsocks index 709bcb5df..cb1a5db33 100644 --- a/apparmor.d/torsocks +++ b/apparmor.d/torsocks @@ -18,7 +18,7 @@ profile torsocks @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, #include if exists } diff --git a/apparmor.d/tpacpi-bat b/apparmor.d/tpacpi-bat index 63f15223d..742966980 100644 --- a/apparmor.d/tpacpi-bat +++ b/apparmor.d/tpacpi-bat @@ -21,8 +21,8 @@ profile tpacpi-bat @{exec_path} { @{exec_path} mr, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, - /{usr/,}bin/cat rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, # To load the acpi_call module /{usr/,}bin/kmod rPx, diff --git a/apparmor.d/ucf b/apparmor.d/ucf index 804e1e1c4..13a2a14da 100644 --- a/apparmor.d/ucf +++ b/apparmor.d/ucf @@ -19,8 +19,7 @@ profile ucf @{exec_path} flags=(complain) { #include @{exec_path} r, - /{usr/,}bin/bash r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/basename rix, /{usr/,}bin/seq rix, 
@@ -60,20 +59,29 @@ profile ucf @{exec_path} flags=(complain) { # For md5sum /etc/** r, /usr/share/*/conffiles/* r, - @{run}/* r, + @{run}/** r, + # For writing new config files /etc/** rw, /usr/share/debconf/confmodule r, + # For shell pwd + / r, + /root/ r, + profile pager flags=(complain) { #include #include + /{usr/,}bin/ r, /{usr/,}bin/sensible-pager mr, + # For shell pwd + /root/ r, + } profile frontend flags=(complain) { @@ -87,9 +95,9 @@ profile ucf @{exec_path} flags=(complain) { /{usr/,}bin/ucf rPx, - /{usr/,}bin/dash rix, - /{usr/,}bin/stty rix, - /{usr/,}bin/locale rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, diff --git a/apparmor.d/udiskie b/apparmor.d/udiskie index 90dc9113d..0f4508297 100644 --- a/apparmor.d/udiskie +++ b/apparmor.d/udiskie @@ -59,6 +59,10 @@ profile udiskie @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}bin/spacefm rPx, diff --git a/apparmor.d/udisksd b/apparmor.d/udisksd index 487e029c9..6e472617e 100644 --- a/apparmor.d/udisksd +++ b/apparmor.d/udisksd @@ -35,7 +35,7 @@ profile udisksd @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/umount rix, /{usr/,}bin/eject rPx, diff --git a/apparmor.d/unhide-linux b/apparmor.d/unhide-linux index 7069dacbb..9f48f3b95 100644 --- a/apparmor.d/unhide-linux +++ b/apparmor.d/unhide-linux @@ -24,8 +24,8 @@ profile unhide-linux @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/ps rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ps rix, @{PROC}/ r, @{PROC}/uptime r, diff --git a/apparmor.d/unhide-posix b/apparmor.d/unhide-posix index fc2f60572..550a55cbc 100644 --- a/apparmor.d/unhide-posix +++ b/apparmor.d/unhide-posix 
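Review bot: `@{run}/* r,` becomes `@{run}/** r,`, which turns read access to the top-level entries of /run into read access to everything beneath it, including per-user and per-service runtime directories, and the only justification is the pre-existing `# For md5sum` comment. The profile is still in complain mode, so the audit log should show which path under /run ucf actually reads; prefer a rule limited to that subtree, e.g. `@{run}/<subtree ucf reads>/** r,` with a comment naming the file, rather than the whole tree.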
@@ -24,10 +24,10 @@ profile unhide-posix @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/ps rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ps rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/{,e}grep rix, @{PROC}/ r, @{PROC}/uptime r, diff --git a/apparmor.d/unhide-tcp b/apparmor.d/unhide-tcp index addc0cf95..48917e271 100644 --- a/apparmor.d/unhide-tcp +++ b/apparmor.d/unhide-tcp @@ -24,11 +24,11 @@ profile unhide-tcp @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/ss rix, - /{usr/,}bin/netstat rix, - /{usr/,}bin/fuser rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/ss rix, + /{usr/,}bin/netstat rix, + /{usr/,}bin/fuser rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/unmkinitramfs b/apparmor.d/unmkinitramfs index 04e4e2ef8..a6330fde8 100644 --- a/apparmor.d/unmkinitramfs +++ b/apparmor.d/unmkinitramfs @@ -22,21 +22,21 @@ profile unmkinitramfs @{exec_path} { capability mknod, @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/xzcat rix, - /{usr/,}bin/lz4cat rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/lzop rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/dd rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/cpio rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/xzcat rix, + /{usr/,}bin/lz4cat rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/lzop rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/dd rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/cpio rix, owner /boot/initrd.img-* r, owner /tmp/initrd.img-* r, diff --git a/apparmor.d/update-ca-certificates b/apparmor.d/update-ca-certificates index 581c68486..18682176d 100644 --- a/apparmor.d/update-ca-certificates 
+++ b/apparmor.d/update-ca-certificates @@ -20,23 +20,23 @@ profile update-ca-certificates @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/find rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/test rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/find rix, + /{usr/,}bin/ln rix, + /{usr/,}bin/test rix, - /{usr/,}bin/openssl rix, + /{usr/,}bin/openssl rix, /etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore, /{usr/,}bin/run-parts rCx -> run-parts, @@ -74,7 +74,7 @@ profile update-ca-certificates @{exec_path} { /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/sed rix, /{usr/,}bin/head rix, /{usr/,}bin/mountpoint rix, diff --git a/apparmor.d/update-dlocatedb b/apparmor.d/update-dlocatedb index e3118b778..d1bfddb0b 100644 --- a/apparmor.d/update-dlocatedb +++ b/apparmor.d/update-dlocatedb @@ -19,15 +19,15 @@ profile update-dlocatedb @{exec_path} { #include @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/uniq rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/uniq rix, - /{usr/,}bin/ionice rix, + /{usr/,}bin/ionice rix, /usr/share/dlocate/updatedb rCx -> updatedb, /{usr/,}bin/dpkg rPx -> child-dpkg, 
@@ -36,6 +36,9 @@ profile update-dlocatedb @{exec_path} { /var/lib/dlocate/dpkg-list w, + # For shell pwd + / r, + profile updatedb { #include diff --git a/apparmor.d/update-initramfs b/apparmor.d/update-initramfs index 07ec1c351..e8793583e 100644 --- a/apparmor.d/update-initramfs +++ b/apparmor.d/update-initramfs @@ -19,18 +19,20 @@ profile update-initramfs @{exec_path} { #include @{exec_path} rix, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/ischroot rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/sha1sum rix, - /{usr/,}bin/sync rix, - /{usr/,}bin/uname rix, + /{usr/,}sbin/ r, + + /{usr/,}bin/getopt rix, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/ln rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/sha1sum rix, + /{usr/,}bin/sync rix, + /{usr/,}bin/uname rix, /{usr/,}bin/dpkg-trigger rPx, /{usr/,}bin/linux-version rPx, @@ -38,6 +40,11 @@ profile update-initramfs @{exec_path} { /var/lib/initramfs-tools/* w, + # For shell pwd + / r, + /etc/ r, + /root/ r, + /etc/initramfs-tools/update-initramfs.conf r, @{PROC}/1/mountinfo r, diff --git a/apparmor.d/update-pciids b/apparmor.d/update-pciids index d2669395c..d29747f92 100644 --- a/apparmor.d/update-pciids +++ b/apparmor.d/update-pciids 
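Review bot: `/{usr/,}sbin/ r,` is the one addition in the update-initramfs hunk without a rationale, whereas the `/ r,`, `/etc/ r,` and `/root/ r,` lines added further down carry `# For shell pwd`; xdg-screensaver and xinit add `/{usr/,}bin/ r,` with the same gap. A directory listing on /sbin is harmless, but a comment naming the trigger (presumably a PATH lookup of the helpers executed below, though that is not visible here) keeps the rule from reading as an accidental leftover at the next audit, e.g. `# Directory listing only; needed for PATH lookups`.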
@@ -19,31 +19,34 @@ profile update-pciids @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/chown rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/echo rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/which rix, - /{usr/,}bin/bunzip2 rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/zgrep rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/chown rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/echo rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/which rix, + /{usr/,}bin/bunzip2 rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/ln rix, + /{usr/,}bin/zgrep rix, - /{usr/,}bin/wget rCx -> browse, - /{usr/,}bin/curl rCx -> browse, - /{usr/,}bin/lynx rCx -> browse, + /{usr/,}bin/wget rCx -> browse, + /{usr/,}bin/curl rCx -> browse, + /{usr/,}bin/lynx rCx -> browse, /usr/share/misc/ r, /usr/share/misc/* rwl -> /usr/share/misc/*, + # For shell pwd + /root/ r, + profile browse { #include diff --git a/apparmor.d/update-smart-drivedb b/apparmor.d/update-smart-drivedb index 55f2a80c9..c9d2afddf 100644 --- a/apparmor.d/update-smart-drivedb +++ b/apparmor.d/update-smart-drivedb 
@@ -18,26 +18,26 @@ profile update-smart-drivedb @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/dd rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/cmp rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/dd rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/cmp rix, - /{usr/,}sbin/smartctl rPx, + /{usr/,}sbin/smartctl rPx, - /{usr/,}bin/gpg rCx -> gpg, - /{usr/,}bin/wget rCx -> browse, - /{usr/,}bin/curl rCx -> browse, - /{usr/,}bin/lynx rCx -> browse, + /{usr/,}bin/gpg rCx -> gpg, + /{usr/,}bin/wget rCx -> browse, + /{usr/,}bin/curl rCx -> browse, + /{usr/,}bin/lynx rCx -> browse, /var/lib/smartmontools/drivedb/drivedb.h{,.*} rw, @@ -70,7 +70,7 @@ profile update-smart-drivedb @{exec_path} { /{usr/,}bin/curl mr, /{usr/,}bin/lynx mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /etc/mime.types r, /etc/mailcap r, diff --git a/apparmor.d/updatedb-mlocate b/apparmor.d/updatedb-mlocate index b7e1aca63..064e13a1d 100644 --- a/apparmor.d/updatedb-mlocate +++ b/apparmor.d/updatedb-mlocate @@ -27,7 +27,9 @@ profile updatedb-mlocate @{exec_path} { /{usr/,}sbin/on_ac_power rPx, + # For shell pwd / r, + /boot/ r, /boot/**/ r, diff --git a/apparmor.d/usb-devices b/apparmor.d/usb-devices index 6305a53b3..1e8367229 100644 --- a/apparmor.d/usb-devices +++ b/apparmor.d/usb-devices 
@@ -18,13 +18,13 @@ profile usb-devices @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/readlink rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/readlink rix, @{sys}/bus/ r, @{sys}/bus/usb/devices/ r, diff --git a/apparmor.d/uscan b/apparmor.d/uscan index 053ae6190..d937d6771 100644 --- a/apparmor.d/uscan +++ b/apparmor.d/uscan @@ -27,16 +27,16 @@ profile uscan @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/bash rix, - /{usr/,}bin/pwd rix, - /{usr/,}bin/find rix, - /{usr/,}bin/file rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/pwd rix, + /{usr/,}bin/find rix, + /{usr/,}bin/file rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/gzip rix, - /{usr/,}bin/bzip2 rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/gzip rix, + /{usr/,}bin/bzip2 rix, - /{usr/,}bin/uupdate rPUx, + /{usr/,}bin/uupdate rPUx, # To run custom maintainer scripts owner @{BUILD_DIR}/**/debian/* rPUx, diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd index 7213f7c76..60829ee00 100644 --- a/apparmor.d/usr.sbin.libvirtd +++ b/apparmor.d/usr.sbin.libvirtd @@ -31,6 +31,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { mount options=(rw,rslave) -> /, mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + umount /{var/,}run/libvirt/qemu/*.dev/, # libvirt provides any mounts under /dev to qemu namespaces mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, 
@@ -86,8 +87,8 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { /{usr/,}lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, /usr/{lib,lib64}/xen/bin/* Ux, - /usr/lib/xen-*/bin/libxl-save-helper PUx, - /usr/lib/xen-*/bin/pygrub PUx, + /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, + /usr/{lib,libexec}/xen-*/bin/pygrub PUx, /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx, diff --git a/apparmor.d/uupdate b/apparmor.d/uupdate index 9e4f9795b..579cc5cdc 100644 --- a/apparmor.d/uupdate +++ b/apparmor.d/uupdate @@ -23,29 +23,29 @@ profile uupdate @{exec_path} flags=(complain) { #include @{exec_path} r, - /{usr/,}bin/bash r, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/which rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/getopt rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/expr rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/which rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/getopt rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/expr rix, - /{usr/,}bin/perl rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/md5sum rix, + /{usr/,}bin/perl rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/md5sum rix, - /{usr/,}bin/tar rix, - /{usr/,}bin/bzip2 rix, - /{usr/,}bin/xz rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/bzip2 rix, + /{usr/,}bin/xz rix, # FIXME /{usr/,}bin/debchange rPUx, diff --git a/apparmor.d/vidcutter b/apparmor.d/vidcutter index 3d90226f8..db9da1cba 100644 --- a/apparmor.d/vidcutter +++ b/apparmor.d/vidcutter 
@@ -145,6 +145,10 @@ profile vidcutter @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/vipw-vigr b/apparmor.d/vipw-vigr index d0491e3a5..a3a6b9a7d 100644 --- a/apparmor.d/vipw-vigr +++ b/apparmor.d/vipw-vigr @@ -21,7 +21,7 @@ profile vipw-vigr @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/sensible-editor rCx -> editor, /{usr/,}bin/vim.* rCx -> editor, @@ -52,7 +52,7 @@ profile vipw-vigr @{exec_path} { /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim.* mrix, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/which rix, owner @{HOME}/.selected_editor r, diff --git a/apparmor.d/virt-manager b/apparmor.d/virt-manager index 9b1c1e608..0e44dc558 100644 --- a/apparmor.d/virt-manager +++ b/apparmor.d/virt-manager @@ -34,7 +34,7 @@ profile virt-manager @{exec_path} flags=(complain) { #include @{exec_path} rix, - /{usr/,}bin/dash r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/ r, diff --git a/apparmor.d/volumeicon b/apparmor.d/volumeicon index 6aa55bfad..fff723c29 100644 --- a/apparmor.d/volumeicon +++ b/apparmor.d/volumeicon @@ -43,7 +43,7 @@ profile volumeicon @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, # Start the PulseAudio sound mixer - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/pavucontrol rPUx, # file_inherit diff --git a/apparmor.d/whdd b/apparmor.d/whdd index dfc431c6b..c18aac1c4 100644 --- a/apparmor.d/whdd +++ b/apparmor.d/whdd 
@@ -25,13 +25,13 @@ profile whdd @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/tr rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/tr rix, # To read SMART attributes - /{usr/,}sbin/smartctl rPx, + /{usr/,}sbin/smartctl rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/wireshark b/apparmor.d/wireshark index 810bdbf99..2a905e31a 100644 --- a/apparmor.d/wireshark +++ b/apparmor.d/wireshark @@ -100,6 +100,10 @@ profile wireshark @{exec_path} { /{usr/,}bin/xdg-open mr, + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, + # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, diff --git a/apparmor.d/x11-xsession b/apparmor.d/x11-xsession index 17f8eeb1c..80c3f97f9 100644 --- a/apparmor.d/x11-xsession +++ b/apparmor.d/x11-xsession @@ -19,21 +19,21 @@ profile x11-xsession @{exec_path} { #include @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/which rix, - /{usr/,}bin/id rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/date rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/tempfile rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/head rix, - /{usr/,}bin/fold rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/which rix, + /{usr/,}bin/id rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/date rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/tempfile rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/head rix, + /{usr/,}bin/fold rix, /{usr/,}bin/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/xarchiver b/apparmor.d/xarchiver index 543376819..9b369e08a 100644 --- a/apparmor.d/xarchiver +++ b/apparmor.d/xarchiver 
@@ -27,11 +27,11 @@ profile xarchiver @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/dash rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/cp rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/cp rix, # Archivers /{usr/,}bin/7z rix, @@ -86,7 +86,11 @@ profile xarchiver @{exec_path} { /{usr/,}bin/xdg-open mr, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, + + owner @{HOME}/ r, + + owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}bin/engrampa rPUx, diff --git a/apparmor.d/xautolock b/apparmor.d/xautolock index 203c12432..aa0d21782 100644 --- a/apparmor.d/xautolock +++ b/apparmor.d/xautolock @@ -19,8 +19,8 @@ profile xautolock @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/env rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/env rix, # Locker apps to launch. /{usr/,}bin/i3lock-fancy rPx, diff --git a/apparmor.d/xdg-desktop-menu b/apparmor.d/xdg-desktop-menu index f25a59b8c..87fdce014 100644 --- a/apparmor.d/xdg-desktop-menu +++ b/apparmor.d/xdg-desktop-menu @@ -22,20 +22,20 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) { @{exec_path} r, - /{usr/,}bin/dash rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/whoami rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/readlink rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/whoami rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/readlink rix, /{usr/,}bin/update-desktop-database rPx, 
diff --git a/apparmor.d/xdg-email b/apparmor.d/xdg-email index 9f10a5e4e..ec88d4752 100644 --- a/apparmor.d/xdg-email +++ b/apparmor.d/xdg-email @@ -19,8 +19,7 @@ profile xdg-email @{exec_path} flags=(complain) { #include @{exec_path} r, - - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, #include if exists } diff --git a/apparmor.d/xdg-icon-resource b/apparmor.d/xdg-icon-resource index 1bb5f9667..72016d29c 100644 --- a/apparmor.d/xdg-icon-resource +++ b/apparmor.d/xdg-icon-resource @@ -22,16 +22,16 @@ profile xdg-icon-resource @{exec_path} flags=(complain) { @{exec_path} r, - /{usr/,}bin/dash rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/whoami rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/touch rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/whoami rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/touch rix, /{usr/,}bin/gtk-update-icon-cache rPUx, diff --git a/apparmor.d/xdg-mime b/apparmor.d/xdg-mime index 2b2911b61..227b68ca9 100644 --- a/apparmor.d/xdg-mime +++ b/apparmor.d/xdg-mime 
@@ -20,21 +20,21 @@ profile xdg-mime @{exec_path} { @{exec_path} r, - /{usr/,}bin/dash rix, - /{usr/,}bin/gawk rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/which rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/head rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/file rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/which rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/head rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/file rix, - /{usr/,}bin/mimetype rPx, - /{usr/,}bin/xprop rPx, + /{usr/,}bin/mimetype rPx, + /{usr/,}bin/xprop rPx, # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: @@ -51,6 +51,8 @@ profile xdg-mime @{exec_path} { owner @{HOME}/.Xauthority r, + owner @{run}/user/[0-9]*/ r, + # file_inherit /media/** rw, diff --git a/apparmor.d/xdg-open b/apparmor.d/xdg-open index 6a82d18fb..019959982 100644 --- a/apparmor.d/xdg-open +++ b/apparmor.d/xdg-open @@ -20,7 +20,7 @@ profile xdg-open @{exec_path} { @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/sed rix, /{usr/,}bin/cut rix, diff --git a/apparmor.d/xdg-screensaver b/apparmor.d/xdg-screensaver index f4f373dfd..05384ade4 100644 --- a/apparmor.d/xdg-screensaver +++ b/apparmor.d/xdg-screensaver @@ -21,7 +21,9 @@ profile xdg-screensaver @{exec_path} { @{exec_path} r, - /{usr/,}bin/dash rix, + /{usr/,}bin/ r, + + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/mv rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/sed rix, 
@@ -39,9 +41,12 @@ profile xdg-screensaver @{exec_path} { /dev/dri/card[0-9] rw, + owner @{HOME}/ r, owner @{HOME}/.Xauthority r, owner /tmp/xauth-[0-9]*-_[0-9] r, + owner @{run}/user/[0-9]*/ r, + # file_inherit owner @{HOME}/.xsession-errors w, /dev/dri/card[0-9]* rw, diff --git a/apparmor.d/xdg-settings b/apparmor.d/xdg-settings index 813ab653b..1c2e2cd05 100644 --- a/apparmor.d/xdg-settings +++ b/apparmor.d/xdg-settings @@ -20,19 +20,19 @@ profile xdg-settings @{exec_path} { @{exec_path} r, - /{usr/,}bin/dash rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/sort rix, - /{usr/,}bin/which rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/uname rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/which rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/uname rix, # When xdg-settings is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: diff --git a/apparmor.d/xinit b/apparmor.d/xinit index edff27c3a..c5fcc2e17 100644 --- a/apparmor.d/xinit +++ b/apparmor.d/xinit @@ -29,6 +29,7 @@ profile xinit @{exec_path} { /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, + /{usr/,}bin/ r, /{usr/,}bin/rm rix, /{usr/,}bin/touch rix, /{usr/,}bin/{,e}grep rix, @@ -71,6 +72,7 @@ profile xinit @{exec_path} { /etc/default/{,*} r, # Xsession logs + owner @{HOME}/ r, owner @{HOME}/.xsession-errors w, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/xorg b/apparmor.d/xorg index ec6f669e4..928535daf 100644 --- a/apparmor.d/xorg +++ b/apparmor.d/xorg 
@@ -67,9 +67,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/dash rix, - /{usr/,}bin/xkbcomp rPx, - /{usr/,}bin/pkexec rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/xkbcomp rPx, + /{usr/,}bin/pkexec rPx, # Xorg files /etc/X11/{,**} r, @@ -83,12 +83,14 @@ profile xorg @{exec_path} flags=(attach_disconnected) { # Log files owner /var/log/Xorg.[0-9].log{,.old} rw, owner /var/log/Xorg.pid-@{pid}.log{,.old} rw, + owner @{HOME}/ r, owner @{HOME}/.local/share/xorg/ rw, owner @{HOME}/.local/share/xorg/Xorg.[0-9].log{,.old} rw, owner @{HOME}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw, owner @{HOME}/.xsession-errors w, # TMP files + /tmp/ r, owner /tmp/.X11-unix/ rw, owner /tmp/.X11-unix/X* rwk, owner /tmp/.tX[0-9]-lock rwk, diff --git a/apparmor.d/xrdb b/apparmor.d/xrdb index 6fd1b63ea..8e5582194 100644 --- a/apparmor.d/xrdb +++ b/apparmor.d/xrdb @@ -20,8 +20,8 @@ profile xrdb @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dash rix, - /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix, /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix, /usr/include/stdc-predef.h r, diff --git a/apparmor.d/youtube-viewer b/apparmor.d/youtube-viewer index e6c1d3960..78501f641 100644 --- a/apparmor.d/youtube-viewer +++ b/apparmor.d/youtube-viewer @@ -28,11 +28,11 @@ profile youtube-viewer @{exec_path} { @{exec_path} r, /{usr/,}bin/perl r, - /{usr/,}bin/dash rix, - /{usr/,}bin/infocmp rix, - /{usr/,}bin/stty rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/infocmp rix, + /{usr/,}bin/stty rix, - /{usr/,}bin/wget rCx -> wget, + /{usr/,}bin/wget rCx -> wget, owner @{HOME}/.config/youtube-viewer/{,*} rw, owner @{HOME}/.cache/youtube-viewer/{,*} rw,