feat(profile): initial integration with attached path.

The feature is not yet enabled. See https://apparmor.pujol.io/development/internal/#re-attached-path
2024-10-11 14:13:17 +01:00 · 2024-10-11 14:13:17 +01:00 · 61a27bc336
commit 61a27bc336
parent 5bf8c6ef0f
85 changed files with 164 additions and 139 deletions
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -49,8 +49,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/snmp/mibs/{iana,ietf}/ r,
  owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,

-  @{desktop_share_dirs}/icc/edid-*.icc r,
-  @{user_share_dirs}/icc/edid-*.icc r,
+  @{att}/@{desktop_share_dirs}/icc/edid-*.icc r,
+  @{att}/@{user_share_dirs}/icc/edid-*.icc r,

  @{run}/systemd/sessions/* r,

--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -44,8 +44,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {

  /etc/pipewire/{,**} r,

-  / r,
-  /.flatpak-info r,
+              / r,
+        @{att}/ r,
+  owner @{att}/.flatpak-info r,

  owner @{user_config_dirs}/pipewire/{,**} r,

--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@ -28,8 +28,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

-  / r,
-  /.flatpak-info r,
+        @{att}/ r,
+  owner @{att}/.flatpak-info r,

  owner @{run}/user/@{uid}/pulse/pid w,
  owner @{tmp}/librnnoise-@{int}.so rm,
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -41,7 +41,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  @{run}/udev/data/c116:@{int} r,         # for ALSA

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{sys}/bus/hid/devices/ r,
  @{sys}/class/input/ r,
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-dbus-proxy
 profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
@ -16,7 +17,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
-  include <abstractions/consoles>
  include <abstractions/user-download-strict>

  network unix stream,
@ -31,7 +31,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.var/app/*/.local/share/*/logs/* rw,
  owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,

-        @{run}/systemd/inhibit/@{int}.ref rw,
+        @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
  owner @{run}/flatpak/doc/** r,
  owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -10,6 +10,7 @@ include <tunables/global>
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-open>
+  include <abstractions/attached/consoles>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
@ -61,8 +62,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  @{lib}/xdg-desktop-portal-validate-icon rPx,
  @{open_path}                            rPx -> child-open,

-  / r,
-  /.flatpak-info r,
+        / r,
+  @{att}/.flatpak-info r,

  /usr/share/dconf/profile/gdm r,
  /usr/share/xdg-desktop-portal/** r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-gnome
 profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
@ -65,8 +66,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/task/@{tid}/ r,
  owner @{PROC}/@{pid}/task/@{tid}/status r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/xdg-desktop-portal-gnome>
 }

--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-document-portal
 profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/deny-sensitive-home>
@ -39,8 +40,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  @{bin}/flatpak         rPUx,
  @{bin}/fusermount{,3}  rCx -> fusermount,

-  / r,
-  owner /.flatpak-info r,
+  owner @{att}/ r,
+  owner @{att}/.flatpak-info r,

  owner @{HOME}/ r,
  owner @{HOME}/*/{,**} rw,
@ -57,7 +58,6 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/fd/ r,

        /dev/fuse rw,
-  owner /dev/tty@{int} rw,

  profile fusermount flags=(attach_disconnected) {
    include <abstractions/base>
@ -83,7 +83,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
    @{PROC}/@{pids}/mounts r,

          /dev/fuse rw,
-    owner /dev/tty@{int} rw,
+    @{att}/dev/tty@{int} rw,
  
    include if exists <local/xdg-document-portal_fusermount>
  }
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-permission-store
 profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/nameservice-strict>

@ -45,8 +46,6 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/flatpak/db/documents rw,
  owner @{user_share_dirs}/flatpak/db/notifications rw,

-  /dev/tty@{int} rw,
-
  include if exists <local/xdg-permission-store>
 }

--- a/apparmor.d/groups/freedesktop/xkbcomp
+++ b/apparmor.d/groups/freedesktop/xkbcomp
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/xkbcomp
 profile xkbcomp @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/mesa>
  include <abstractions/X-strict>

@ -37,7 +38,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
  /dev/dri/card@{int} rw,
  /dev/fb@{int} rw,
  /dev/tty rw,
-  /dev/tty@{int} rw,

  deny /dev/input/event@{int} rw,
  deny /var/log/Xorg.@{int}.log w,
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -36,7 +36,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {

  @{PROC}/@{pids}/cmdline r,

-  /dev/tty@{int} rw,
+  @{att}/dev/tty@{int} rw,
  /dev/tty rw,

  include if exists <local/xwayland>