Merge branch 'tunables' of https://github.com/nobody43/apparmor.d into nobody43-tunables

* 'tunables' of https://github.com/nobody43/apparmor.d: dbus temp tails Update apparmor.d Update gdm-runtime-config more unrelated changes adjust date-time random tails rename to int, convert more profiles fixes tunables
2023-08-17 20:01:53 +01:00 · 2023-08-17 20:01:53 +01:00 · 557d905543
commit 557d905543
parent 7b018a60bd
198 changed files with 560 additions and 507 deletions
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@ -28,7 +28,7 @@
        @{run}/user/@{uid}/xauth_* rl,

  # Xwayland
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,

  /etc/X11/cursors/{,**} r,
  /usr/share/X11/{,**} r,
--- a/apparmor.d/abstractions/apt-common
+++ b/apparmor.d/abstractions/apt-common
@ -27,6 +27,6 @@
  /var/lib/ubuntu-advantage/apt-esm/{,**} r,

  owner /tmp/clearsigned.message.* rw,
-  owner /tmp/#[0-9]*[0-9] rw,
+  owner /tmp/#@{int} rw,

  include if exists <abstractions/apt-common.d>
--- a/apparmor.d/abstractions/dbus-session-strict.d/complete
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@ -2,12 +2,12 @@
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
-  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-????????",
+  unix (bind, listen) type=stream addr="@/tmp/dbus-????????",

-  unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
+  unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-????????"),

  owner @{run}/user/@{uid}/at-spi/ rw,
  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
  
-  owner /tmp/dbus-[0-9a-zA-Z]* rw,
+  owner /tmp/dbus-@{rand8} rw,
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@ -13,7 +13,7 @@
  /etc/openni2/OpenNI.ini r,

  owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/ rw,
-  owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
+  owner @{HOME}/{.cache/,.}gstreamer-[0-9]*/registry.*.bin{,.tmp@{rand6}} rw,

  /tmp/ r,
  /var/tmp/ r,
@ -46,4 +46,4 @@
  /dev/bus/usb/ r,
  /dev/dri/ r,

-  include if exists <abstractions/gstreamer.d>
+  include if exists <abstractions/gstreamer.d>
--- a/apparmor.d/abstractions/ibus.d/complete
+++ b/apparmor.d/abstractions/ibus.d/complete
@ -6,17 +6,17 @@
  # abstract path in ibus < 1.5.22 uses /tmp
  unix (connect, receive, send)
      type=stream
-      peer=(addr="@/tmp/ibus/dbus-*"),
+      peer=(addr="@/tmp/ibus/dbus-????????"),

  # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs})
  # This should use this, but due to LP: #1856738 we cannot
  #unix (connect, receive, send)
  #    type=stream
-  #    peer=(addr="@@{user_cache_dirs}/ibus/dbus-*"),
+  #    peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"),
  unix (connect, receive, send)
      type=stream
-      peer=(addr="@/home/*/.cache/ibus/dbus-*"),
+      peer=(addr="@/home/*/.cache/ibus/dbus-????????"),

  unix (connect, send, receive, accept, bind, listen)
       type=stream
-       addr="@/home/*/.cache/ibus/dbus-*",
+       addr="@/home/*/.cache/ibus/dbus-????????",
--- a/apparmor.d/abstractions/kde5-plasma5
+++ b/apparmor.d/abstractions/kde5-plasma5
@ -19,14 +19,14 @@

  # For app config (in order to work the KDE_APP_NAME variable has to be set in profile which
  # includes this abstraction)
-  #owner @{user_config_dirs}/#[0-9]*[0-9] rwk,
-  #owner @{user_config_dirs}/@{KDE_APP_NAME}rc* rwlk -> @{user_config_dirs}/#[0-9]*[0-9],
-  #owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
-  #owner @{run}/user/@{uid}/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
+  #owner @{user_config_dirs}/#@{int} rwk,
+  #owner @{user_config_dirs}/@{KDE_APP_NAME}rc* rwlk -> @{user_config_dirs}/#@{int},
+  #owner @{run}/user/@{uid}/#@{int} rw,
+  #owner @{run}/user/@{uid}/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/@{uid}/#@{int},

  # Common KDE config files
-  #owner @{user_config_dirs}/#[0-9]*[0-9] rw,
-  #owner @{user_config_dirs}/kdeglobals* rwkl -> @{user_config_dirs}/#[0-9]*[0-9],
+  #owner @{user_config_dirs}/#@{int} rw,
+  #owner @{user_config_dirs}/kdeglobals* rwkl -> @{user_config_dirs}/#@{int},
  #owner @{user_config_dirs}/baloofilerc r,
  #owner @{user_config_dirs}/dolphinrc r,
  #owner @{user_config_dirs}/trashrc r,
@ -36,8 +36,8 @@
  # For bookmarks
  #@{bin}/keditbookmarks rPUx,
  #owner @{user_share_dirs}/kfile/ rw,
-  #owner @{user_share_dirs}/kfile/#[0-9]*[0-9] rw,
-  #owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#[0-9]*[0-9],
+  #owner @{user_share_dirs}/kfile/#@{int} rw,
+  #owner @{user_share_dirs}/kfile/bookmarks.xml* rwl -> @{user_share_dirs}/kfile/#@{int},

  # Common cache files
  #owner @{user_cache_dirs}/icon-cache.kcache rw,
--- a/apparmor.d/abstractions/qt5-shader-cache
+++ b/apparmor.d/abstractions/qt5-shader-cache
@ -6,10 +6,10 @@
  abi <abi/3.0>,

  owner @{user_cache_dirs}/qtshadercache/ rw,
-  owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
+  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
+  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},

  include if exists <abstractions/qt5-shader-cache.d>
--- a/apparmor.d/abstractions/thumbnails-cache-write
+++ b/apparmor.d/abstractions/thumbnails-cache-write
@ -6,12 +6,12 @@

  owner @{HOME}/thumbnails/ rw,
  owner @{HOME}/thumbnails/{large,normal}/ rw,
-  owner @{HOME}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
-  owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9],
+  owner @{HOME}/thumbnails/{large,normal}/#@{int} rw,
+  owner @{HOME}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},

  owner @{user_cache_dirs}/thumbnails/ rw,
  owner @{user_cache_dirs}/thumbnails/{large,normal}/ rw,
-  owner @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9] rw,
-  owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#[0-9]*[0-9],
+  owner @{user_cache_dirs}/thumbnails/{large,normal}/#@{int} rw,
+  owner @{user_cache_dirs}/thumbnails/{large,normal}/[a-f0-9]*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},

  include if exists <abstractions/thumbnails-cache-write.d>
--- a/apparmor.d/abstractions/trash.d/complete
+++ b/apparmor.d/abstractions/trash.d/complete
@ -5,11 +5,11 @@

  owner @{user_config_dirs}/trashrc rw,
  owner @{user_config_dirs}/trashrc.lock rwk,
-  owner @{user_config_dirs}/#[0-9]*[0-9] rwk,
-  owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
+  owner @{user_config_dirs}/#@{int} rwk,
+  owner @{user_config_dirs}/trashrc.* rwl -> @{user_config_dirs}/#@{int},

-  owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
-  owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
+  owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#@{int},

  # Home trash location
  owner @{user_share_dirs}/Trash/{,**} rwl,