From 599ed6464cb7287109e99b58855e843af16d4a34 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Thu, 2 Jun 2022 19:27:15 +0300 Subject: [PATCH] Ubuntu 22.04, second batch --- apparmor.d/groups/apps/vlc | 96 ++++++++++++++++++- apparmor.d/groups/freedesktop/polkitd | 20 ++++ .../groups/ubuntu/package-system-locked | 6 +- apparmor.d/profiles-m-r/pkexec | 12 +++ 4 files changed, 128 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index eb065a9bd..fffbd401a 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -70,6 +70,13 @@ profile vlc @{exec_path} { include include include + include + include + include + include if exists + +# capability sys_ptrace, +# ptrace (read), signal (receive) set=(term, kill) peer=anyremote//*, @@ -94,9 +101,6 @@ profile vlc @{exec_path} { owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{vlc_ext} r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - # VLC files /usr/share/vlc/{,**} r, @@ -104,7 +108,7 @@ profile vlc @{exec_path} { owner @{HOME}/ r, owner @{user_config_dirs}/vlc/ rw, owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9], - owner @{user_share_dirs}/vlc/{,*} rw, + owner @{user_share_dirs}/vlc/{,**} rw, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/vlc/{,**} rw, @@ -119,7 +123,9 @@ profile vlc @{exec_path} { deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pids}/net/if_inet6 r, deny @{PROC}/sys/kernel/random/boot_id r, # Udev enumeration 
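Review bot: The commented-out `# capability sys_ptrace,` and `# ptrace (read),` lines in the 70,6 hunk carry no explanation, so the next person chasing a denial will simply uncomment them and give a media player read access to other processes' /proc state and memory maps. If they were seen in the logs but judged unnecessary, record that instead, e.g. `# sys_ptrace/ptrace(read): logged from <TRIGGER-TODO>, deliberately not granted`. The include targets are lost in this rendering (bare `include` with no path), so I cannot check whether one of the four new includes already covers what the commented rules would grant; the profile body continues outside the hunk.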
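Review bot: `@{PROC}/@{pids}/net/if_inet6 r,` in the 119,7 hunk widens the previous `@{pid}` rule from the process's own entry to every pid on the system. `/proc/<pid>/net` only reflects that process's network namespace, so vlc gets the same answer from its own entry; unless a denial on a foreign pid was actually observed, keep `@{PROC}/@{pid}/net/if_inet6 r,`. If the wider match was needed because a library opens another process's `net/if_inet6`, a one-line comment naming it would justify the change rather than leaving it to look like a typo for `@{pid}`.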
@@ -147,6 +153,84 @@ profile vlc @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, + # DBus + dbus send + bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{RequestName,ReleaseName,GetConnectionUnixProcessID}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="NotificationClosed" peer=(name=":*"), + + dbus send + bus="session" path="/org/a11y/bus" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.a11y.Bus"), + + dbus send + bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name="org.kde.StatusNotifierWatcher"), + + dbus send + bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Properties" member="{Get,RegisterStatusNotifierItem}" peer=(name="org.kde.StatusNotifierWatcher"), + + dbus send + bus="session" path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member="RegisterStatusNotifierItem" peer=(name="org.kde.StatusNotifierWatcher"), + + dbus send + bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="{NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="Activate" peer=(name=":*"), + + dbus receive + bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="{Get,GetAll}" peer=(name=":*"), + + dbus send + bus="session" path="/ScreenSaver" interface="org.freedesktop.ScreenSaver" member="{Inhibit,UnInhibit}" peer=(name="org.freedesktop.ScreenSaver"), + + dbus receive + bus="session" path="/MenuBar" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), + + dbus send + bus="session" path="/MenuBar" 
interface="com.canonical.dbusmenu" member="{LayoutUpdated,ItemsPropertiesUpdated}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/MenuBar" interface="com.canonical.dbusmenu" member="{GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}" peer=(name=":*"), + + dbus (send receive) + bus="session" path="/org/mpris/MediaPlayer2" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus send + bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Player" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Playlists" peer=(name=":*"), + +# dbus send +# bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" peer=(name="org.freedesktop.Avahi"), + + dbus send + bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,RemoveMatch}" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Socket" member="Embed" peer=(name="org.a11y.atspi.Registry"), + + dbus receive + bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.freedesktop.DBus.Properties" member="Set" peer=(name=":*"), + + dbus send + bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="GetRegisteredEvents" peer=(name="org.a11y.atspi.Registry"), + + dbus receive + bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="EventListenerDeregistered" peer=(name=":*"), + + dbus send + bus="accessibility" path="/org/a11y/atspi/registry/deviceeventcontroller" interface="org.a11y.atspi.DeviceEventController" member="{GetKeystrokeListeners,GetDeviceEventListeners}" peer=(name="org.a11y.atspi.Registry"), + + dbus bind + bus="session" name="org.kde.StatusNotifierItem-*", + + dbus bind + 
bus="session" name="org.mpris.MediaPlayer2.vlc{,.instance*}", + + owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, + owner @{run}/user/*/dconf/user rw, profile xdg-screensaver { include @@ -169,6 +253,8 @@ profile vlc @{exec_path} { /dev/dri/card[0-9]* rw, network inet stream, network inet6 stream, + + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 289496ba3..735532d1e 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -16,6 +16,7 @@ profile polkitd @{exec_path} { capability setuid, capability setgid, capability sys_ptrace, + capability sys_nice, audit deny capability net_admin, ptrace (read), @@ -53,9 +54,28 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{run}/systemd/userdb/io.systemd.DynamicUser w, + @{run}/systemd/userdb/io.systemd.Machine rw, # Silencer deny /.cache/ rw, + # DBus + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,AddMatch,RemoveMatch,Hello,RequestName}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus receive + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent}" peer=(name=":*"), + + dbus bind + bus="system" name="org.freedesktop.PolicyKit1", + + @{run}/dbus/system_bus_socket rw, + include if exists } 
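Review bot: `owner @{run}/user/*/dconf/user rw,` at the end of the 147,6 hunk uses a bare `*` for the uid directory while the line right above it, and every other run-dir rule in this profile, uses `@{run}/user/@{uid}/`; `owner` keeps it from matching another user's dconf database, but the inconsistent form reads like a pasted log line rather than a deliberate choice, so write `owner @{run}/user/@{uid}/dconf/user rw,`. Separately, the StatusNotifierItem send rule lists `NewStatus` twice in `member="{NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}"`; drop the duplicate. The commented-out Avahi `Ping` rule has no note saying why it was left disabled, so a reader cannot tell whether it is pending or rejected.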
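Review bot: `capability sys_nice,` in the polkitd 16,6 hunk has no comment saying what the daemon does with it, unlike `audit deny capability net_admin,` just below it, which records a deliberate refusal. sys_nice allows raising scheduling priority, setting real-time policies and changing affinity of arbitrary processes, which is unusual for an authorization daemon; if the denial came from the JavaScript engine's thread setup or a similar library path, say so, e.g. `capability sys_nice, # <TRIGGER-TODO>: observed on Ubuntu 22.04`, so it can be revisited rather than silently kept. I cannot tell from the hunk whether the denial was fatal or merely noisy; if the latter, `deny capability sys_nice,` would silence it without granting it.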
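Review bot: The `dbus send bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}"),` rule in the polkitd 53,9 hunk is the only DBus rule in this change without a `member=` list, while the receive rule right after it enumerates its members. From the authority's side the outgoing traffic on that interface is presumably its `Changed` signal; if that is what the log showed, `member="Changed"` keeps the rule as narrow as its neighbours — please confirm against the denials. The receive list also omits the agent-side counterparts `UnregisterAuthenticationAgent` and `AuthenticationAgentResponse`, which will surface as denials the first time an agent unregisters or answers; note whether leaving them out was intentional. `@{run}/systemd/userdb/io.systemd.Machine rw,` is granted `rw` while the existing DynamicUser socket line directly above keeps `w` only; align the two or comment why they differ.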
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index d307f0eb4..7f29301c8 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -12,6 +12,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability syslog, + capability sys_ptrace, ptrace (read), @@ -20,6 +21,9 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/fuser rix, + network inet dgram, + network inet6 dgram, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/unix r, @{PROC}/ r, @@ -28,4 +32,4 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { @{PROC}/swaps r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index b754183e7..2c5932f4b 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -53,5 +53,17 @@ profile pkexec @{exec_path} flags=(complain) { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + # DBus + @{run}/dbus/system_bus_socket rw, + + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="{GetAll,CheckAuthorization}" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name=":*"), + include if exists }
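Review bot: `capability sys_ptrace,` in the package-system-locked 12,6 hunk sits next to the existing `ptrace (read),` without a comment saying which operation needs it; for a helper whose job is to check whether the package system is locked, the likely consumer is `fuser` (allowed as `/{usr/,}bin/fuser rix` in the next hunk) walking `/proc/<pid>/fd` of other users' processes, but that is an inference from the visible rules. Please record it inline, e.g. `capability sys_ptrace, # <TRIGGER-TODO>: fuser reading /proc/@{pids}/fd of lock holders`, because this capability together with `ptrace (read)` gives the profile read access to every process's /proc state and will otherwise be copied into other profiles as boilerplate. The capability list starts before the hunk, so I cannot see what else is already granted.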
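Review bot: `network inet dgram,` / `network inet6 dgram,` in the package-system-locked 20,6 hunk have no comment explaining why a lock-check helper needs IP datagram sockets; nothing else visible in this profile does networking. Typical sources are a library calling `getaddrinfo()` or an `ioctl(SIOCGIFCONF)` probe on a throwaway UDP socket; if that is what the log showed, say so next to the rule, and if the denial was harmless, `deny network inet dgram,` (and the inet6 twin) silences it without granting outbound UDP. Either way a one-line `# <TRIGGER-TODO>: <reason>` comment would keep the rule from being cargo-culted into the next profile.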
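Review bot: `member="{GetAll,CheckAuthorization}"` in the pkexec 53,5 hunk puts `CheckAuthorization` on `interface="org.freedesktop.DBus.Properties"`, where no such member exists; it belongs to `org.freedesktop.PolicyKit1.Authority`, which the following rule already permits with no `member=` restriction at all. The Properties rule should read `member="GetAll"`, and the Authority rule should carry the members actually seen (presumably `member="CheckAuthorization"` plus whatever the agent round-trip needs) instead of the open interface, so the two rules stop overlapping. Both rules use `peer=(name=":*")`; whether that matches the destination as the log showed it, or should be the well-known name `org.freedesktop.PolicyKit1` that the polkitd profile in this same patch binds, deserves a comment. The profile is `flags=(complain)`, so none of this is enforced yet, which is the right moment to tighten it.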