From 5e5fde7741402aac6648f6ee6fa4f7bf531e9004 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 21:43:20 +0200 Subject: [PATCH] feat(abs): add the sqlite abstraction. --- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/sqlite | 23 +++++++++++++++++++ apparmor.d/groups/gnome/gnome-music | 3 +-- apparmor.d/groups/gnome/localsearch | 4 +--- apparmor.d/groups/gnome/tracker-miner | 4 +--- apparmor.d/profiles-a-f/dropbox | 3 +-- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gpo | 8 +++---- apparmor.d/profiles-g-l/gpodder | 4 +--- .../profiles-m-r/protonmail-bridge-core | 3 +-- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/quiterss | 3 +-- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/syncthing | 4 +--- apparmor.d/profiles-s-z/wechat-appimage | 4 +--- apparmor.d/tunables/multiarch.d/system | 3 --- 18 files changed, 41 insertions(+), 37 deletions(-) create mode 100644 apparmor.d/abstractions/sqlite diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index b6e6734e6..5072cadfd 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,6 +28,7 @@ include include include + include include include @@ -63,7 +64,6 @@ owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, - owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/abstractions/sqlite b/apparmor.d/abstractions/sqlite new file mode 100644 index 000000000..690417f87 --- /dev/null +++ b/apparmor.d/abstractions/sqlite 
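Review bot: Replacing the single `owner /var/tmp/etilqs_@{sqlhex} rw,` rule in common/app with the sqlite include widens every profile that pulls in common/app: they now also get `owner @{tmp}/etilqs_* rw`, which until now only the dedicated profiles carried. The exposure is small because the new rules are owner-qualified and name-specific, but it is a scope change rather than a pure refactor and deserves a sentence in the commit message. If common/app consumers are only meant to keep the /var/tmp half, leave the old rule in place instead of the include. The enclosing abstraction continues outside the hunk.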
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# SQlite temporary files (hexadecimal from 12 to 16 characters) + + abi , + + owner /var/tmp/etilqs_@{hex12} rw, + owner /var/tmp/etilqs_@{hex12}@{h} rw, + owner /var/tmp/etilqs_@{hex12}@{hex2} rw, + owner /var/tmp/etilqs_@{hex15} rw, + owner /var/tmp/etilqs_@{hex16} rw, + + owner @{tmp}/etilqs_@{hex12} rw, + owner @{tmp}/etilqs_@{hex12}@{h} rw, + owner @{tmp}/etilqs_@{hex12}@{hex2} rw, + owner @{tmp}/etilqs_@{hex15} rw, + owner @{tmp}/etilqs_@{hex16} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 511a48987..2f9795ceb 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -17,6 +17,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, @@ -51,8 +52,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 88e2bf327..049b3c402 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -23,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, 
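Review bot: The new abstraction covers only `/var/tmp` and `@{tmp}`, while SQLite's Unix VFS, as far as I recall its fallback list, also honours the SQLITE_TMPDIR and TMPDIR environment variables and falls back to `/usr/tmp` and the current directory, so a program started with a custom TMPDIR will still log etilqs_ denials that this file is meant to absorb. Restricting temp files to the two sticky system directories is a defensible choice, but it should be stated in the header, e.g. `# Only the default locations are covered; SQLITE_TMPDIR/TMPDIR overrides are deliberately not allowed.`. The `owner` qualifier is what keeps rw in a world-writable directory safe, since it stops the confined process from opening a same-named file planted by another user, and a one-line comment saying so would stop a future cleanup from dropping it. The `abi` argument and the include targets appear stripped in this rendering, so I could not check them here.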
@@ -56,9 +57,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index d35f6467f..6b358c8b0 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -21,6 +21,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -63,9 +64,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 15f86bcf5..f40d69799 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -23,6 +23,7 @@ profile dropbox @{exec_path} { include include include + include include @{exec_path} mr, @@ -61,8 +62,6 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 40001da68..a7222a664 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -13,6 +13,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, 
@@ -34,7 +35,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7a00455a6..58ba493cc 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -18,6 +18,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -77,7 +78,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index cebfc955f..46ff3eec5 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -11,10 +11,11 @@ include profile gpo @{exec_path} { include include - include include - include + include + include include + include network inet dgram, network inet6 dgram, @@ -36,9 +37,6 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index dd7a20eb7..e60034172 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -14,6 +14,7 @@ profile gpodder @{exec_path} { include include include + include include include 
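Review bot: For fwupd this is not a pure refactor: the removed rule `/var/tmp/etilqs_@{sqlhex} rw,` had no `owner` qualifier, whereas every rule in the new abstraction does, so the effective permission is now limited to files owned by fwupd's own uid. That is the right direction and should be harmless for temp files fwupd creates itself, but it is a semantic tightening and the profile is flagged `complain`, so the change will only surface as audit messages until the profile is enforced. A short note in the commit message would save the next reader from assuming the two are equivalent. The fwupd profile body continues outside the hunk.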
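Review bot: The first gpo hunk removes two includes and adds three rather than just adding the sqlite one, which goes beyond what the subject line "add the sqlite abstraction" describes. The include targets are stripped in this rendering so I cannot see which abstractions were swapped, but the commit message should name them. If one of the new includes is common/app, the explicit sqlite include becomes redundant with the one this same patch adds to common/app; harmless, but worth knowing which one is intended to carry the rule.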
@@ -47,9 +48,6 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 45c6766e3..ca9680aea 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -17,6 +17,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -43,8 +44,6 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 02bf3bc56..2ff7b4e71 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -18,6 +18,7 @@ profile psi @{exec_path} { include include include + include include include include @@ -54,7 +55,6 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index a455df0e9..f72147cc6 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -18,6 +18,7 @@ profile psi-plus @{exec_path} { include include include + include include include include 
@@ -54,7 +55,6 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index d1194abf5..73b8f7488 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -18,6 +18,7 @@ profile quiterss @{exec_path} { include include include + include include include @@ -47,8 +48,6 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 611c8462d..ae22e1f1d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -21,6 +21,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -68,7 +69,6 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/kdsingleapp-*-strawberry w, owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 4553ac1e9..83e1b2f45 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -12,6 +12,7 @@ profile syncthing @{exec_path} { include include include + include include network inet dgram, 
@@ -35,9 +36,6 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - @{PROC}/@{pids}/net/route r, @{PROC}/bus/pci/devices r, @{PROC}/modules r, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 98ce53f07..335860d07 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -19,6 +19,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, network netlink dgram, @@ -59,9 +60,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { owner @{user_documents_dirs}/xwechat_files/{,**} rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - /dev/fuse rw, /dev/tty rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 288665770..cf8575db0 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -56,9 +56,6 @@ # System Internal # --------------- -# SQlite temporary files (hexadecimal from 12 to 16 characters) -@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} - # Shortcut for PCI device @{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} @{pci_bus}=pci@{hex4}:@{hex2}
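Review bot: Deleting `@{sqlhex}` from the system tunables makes any profile outside this tree that still references it fail to load, since the parser errors on an unresolved variable rather than expanding it to nothing; local overrides in `*.d/` drop-ins, distribution patches and user-written profiles are the likely victims. Because the five-alternative list is now duplicated verbatim in abstractions/sqlite, it would cost nothing to keep the tunable for a release with a deprecation comment, e.g. `# Deprecated: use the sqlite abstraction instead` above `@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16}`. Failing that, state the removal in the commit message and grep the rest of the repository for stragglers before merging.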