feat(profile): update and enforce a few profiles.

2025-05-18 14:46:35 +02:00 · 2025-05-18 14:46:35 +02:00 · 658c054c47
commit 658c054c47
parent 1fab846875
17 changed files with 76 additions and 86 deletions
--- a/apparmor.d/groups/filesystem/mke2fs
+++ b/apparmor.d/groups/filesystem/mke2fs
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4
 profile mke2fs @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/disks-write>
  include <abstractions/user-download-strict>

--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -103,7 +103,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  profile open flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/consoles>
-    include <abstractions/consoles>
    include <abstractions/desktop>

    @{bin}/env rix,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -9,10 +9,8 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-software
 profile gnome-software @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf-write>
+  include <abstractions/common/gnome>
  include <abstractions/fontconfig-cache-write>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -71,15 +69,11 @@ profile gnome-software @{exec_path} {
  /var/tmp/flatpak-cache-*/** rwkl,
  /var/tmp/#@{int} rw,

-  / r,
-
  owner @{HOME}/.var/app/{,**} rw,

  owner @{user_download_dirs}/*.flatpakref r,

  owner @{user_cache_dirs}/flatpak/{,**} rwl,
-  owner @{user_cache_dirs}/gnome-software/ rw,
-  owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**,

  owner @{user_config_dirs}/flatpak/{,**} r,
  owner @{user_config_dirs}/pulse/*.conf r,
@ -94,7 +88,6 @@ profile gnome-software @{exec_path} {
  owner @{user_share_dirs}/flatpak/overrides/* r,
  owner @{user_share_dirs}/flatpak/repo/ rw,
  owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
-  owner @{user_share_dirs}/gnome-software/{,**} rw,

  owner @{tmp}/ostree-gpg-@{rand6}/ rw,
  owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
@ -123,10 +116,7 @@ profile gnome-software @{exec_path} {
        @{PROC}/sys/fs/pipe-max-size r,
        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/cgroup r,
-  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
-  owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/fuse rw,

@ -166,6 +156,8 @@ profile gnome-software @{exec_path} {
    include <abstractions/base>
    include <abstractions/app/fusermount>

+    capability setuid,
+
    mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
    umount /var/tmp/flatpak-cache-*/*/,

--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -9,10 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-system-monitor
 profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/bus-session>
-  include <abstractions/dconf-write>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
+  include <abstractions/common/gnome>
  include <abstractions/nameservice-strict>

  capability sys_ptrace,
@ -35,7 +32,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{bin}/sed    rix,
  @{bin}/tr     rix,

-  /usr/share/gnome-system-monitor/{,**} r,
  /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,

  / r,
@ -78,8 +74,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{PROC}/diskstats r,
  @{PROC}/vmstat r,

-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  /dev/tty rw,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -19,11 +19,11 @@ profile gnome-terminal-server @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>

-  signal (send) set=(hup) peer=htop,
-  signal (send) set=(term hup kill) peer=unconfined,
+  signal send set=(hup) peer=htop,
+  signal send set=(term hup kill) peer=unconfined,

-  ptrace (read) peer=htop,
-  ptrace (read) peer=unconfined,
+  ptrace read peer=htop,
+  ptrace read peer=unconfined,

  #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions

@ -39,14 +39,14 @@ profile gnome-terminal-server @{exec_path} {
  @{exec_path} mr,

  # The shell is not confined on purpose.
-  @{bin}/@{shells}            rUx,
+  @{bin}/@{shells}            Ux,

  # Some CLI program can be launched directly from Gnome Shell
-  @{bin}/htop                 rPx,
-  @{bin}/micro               rPUx,
-  @{bin}/nvtop                rPx,
+  @{bin}/htop                 Px,
+  @{bin}/micro               PUx,
+  @{bin}/nvtop                Px,

-  @{open_path}                rPx -> child-open,
+  @{open_path}                Px -> child-open,

  /etc/shells r,

--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@ -32,7 +32,7 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,

  owner @{user_config_dirs}/autostart/ rw,
-  owner @{user_config_dirs}/autostart/*.desktop r,
+  owner @{user_config_dirs}/autostart/*.desktop rw,
  owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw,
  owner @{user_share_dirs}/backgrounds/{,**} r,
  owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@ -17,7 +17,7 @@ profile kgx @{exec_path} {

  capability sys_ptrace,

-  ptrace (read),
+  ptrace read,

  @{exec_path} mr,

@ -25,14 +25,14 @@ profile kgx @{exec_path} {
  @{bin}/@{shells}           rUx,

  # Some CLI program can be launched directly from Gnome Shell
-  @{bin}/btop                rPUx,
-  @{bin}/htop                 rPx,
-  @{bin}/micro               rPUx,
-  @{bin}/nvtop                rPx,
-  @{bin}/nvtop                rPx,
-  @{bin}/vim                  rUx,
+  @{bin}/btop                 PUx,
+  @{bin}/htop                  Px,
+  @{bin}/micro                PUx,
+  @{bin}/nvtop                 Px,
+  @{bin}/nvtop                 Px,
+  @{bin}/vim                   Ux,

-  @{open_path}                rPx -> child-open-help,
+  @{open_path}                 Px -> child-open-help,

  owner @{tmp}/#@{int} rw,

--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -14,7 +14,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/consoles>
  include <abstractions/devices-usb>
-  include <abstractions/dri-enumerate>
+  include <abstractions/dri>

  capability net_admin,

@ -47,7 +47,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
  @{sys}/class/tty/ r,
  @{sys}/class/wwan/ r,

-  @{sys}/devices/@{pci}/revision r,
  @{sys}/devices/**/net/*/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/tty/*/ r,
--- a/apparmor.d/groups/polkit/pkttyagent
+++ b/apparmor.d/groups/polkit/pkttyagent
@ -18,7 +18,7 @@ profile pkttyagent @{exec_path} {
  capability sys_nice,
  capability audit_write,

-  ptrace (read),
+  ptrace read,
  signal (send, receive),

  @{exec_path} mr,
--- a/apparmor.d/groups/shadow/newgidmap
+++ b/apparmor.d/groups/shadow/newgidmap
@ -18,6 +18,8 @@ profile newgidmap @{exec_path} {

  @{exec_path} mr,

+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/{,*} r,
  /etc/subgid r,

  @{PROC}/@{pids}/ r,
--- a/apparmor.d/groups/shadow/newuidmap
+++ b/apparmor.d/groups/shadow/newuidmap
@ -18,6 +18,8 @@ profile newuidmap @{exec_path} {

  @{exec_path} mr,

+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/{,*} r,
  /etc/subuid r,

  @{PROC}/@{pids}/ r,
--- a/apparmor.d/profiles-a-f/calibre
+++ b/apparmor.d/profiles-a-f/calibre
@ -15,9 +15,10 @@ profile calibre @{exec_path} {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/bus/org.freedesktop.UDisks2>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
+  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/fontconfig-cache-read>
@ -35,11 +36,13 @@ profile calibre @{exec_path} {

  capability sys_ptrace,

+  network inet dgram,
  network inet stream,
+  network inet6 dgram,
  network inet6 stream,
  network netlink raw,

-  unix (send, receive) type=stream peer=(addr=none, label=xorg),
+  # unix (send, receive) type=stream peer=(addr=none, label=xorg),
  unix (bind, listen)  type=stream addr="@*-calibre-gui.socket",
  unix (bind)          type=stream addr="@calibre-*",

@ -47,9 +50,10 @@ profile calibre @{exec_path} {

  @{sh_path}              rix,
  @{python_path}          rix,
+  @{bin}/env                r,
  @{bin}/file             rix,
-  @{sbin}/ldconfig{,.real} rix,
  @{bin}/uname            rix,
+  @{sbin}/ldconfig{,.real} rix,
  @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix,

  @{bin}/pdftoppm        rPUx, # (#FIXME#)
@ -61,6 +65,7 @@ profile calibre @{exec_path} {
  /usr/share/calibre/{,**} r,

  /etc/fstab r,
+  /etc/httpd/conf/mime.types r,
  /etc/inputrc r,
  /etc/magic r,
  /etc/mime.types r,
@ -68,10 +73,15 @@ profile calibre @{exec_path} {
  owner @{HOME}/ r,
  owner "@{HOME}/Calibre Library/{,**}" rw,
  owner "@{HOME}/Calibre Library/metadata.db" rwk,
-  owner @{user_documents_dirs}/{,**} rwl,
+
  owner @{user_books_dirs}/{,**} rwl,
+  owner @{user_books_dirs}/Calibre/** rwk,
+  owner @{user_documents_dirs}/{,**} rwl,
+  owner @{user_documents_dirs}/Calibre/** rwk,
  owner @{user_torrents_dirs}/{,**} rwl,
+  owner @{user_torrents_dirs}/Calibre/** rwk,
  owner @{user_work_dirs}/{,**} rwl,
+  owner @{user_work_dirs}/Calibre/** rwk,

  owner @{user_config_dirs}/calibre/ rw,
  owner @{user_config_dirs}/calibre/** rwk,
@ -82,10 +92,11 @@ profile calibre @{exec_path} {
  owner @{user_cache_dirs}/calibre/ rw,
  owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**,

-  owner @{tmp}/calibre_*_tmp_*/{,**} rw,
-  owner @{tmp}/calibre-*/{,**} rw,
-  owner @{tmp}/@{int}-*/ rw,
-  owner @{tmp}/@{int}-*/** rwl,
+  owner @{tmp}/@{rand8} rw,
+  audit owner @{tmp}/@{int}-*/ rw,
+  audit owner @{tmp}/@{int}-*/** rwl,
+  audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw,
+  audit owner @{tmp}/calibre-@{rand8}/{,**} rw,

  owner /dev/shm/#@{int} rw,

@ -108,6 +119,7 @@ profile calibre @{exec_path} {
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/status r,

+        /dev/tty r,
  owner /dev/tty@{int} rw,

  include if exists <local/calibre>
--- a/apparmor.d/profiles-m-r/mdevctl
+++ b/apparmor.d/profiles-m-r/mdevctl
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/mdevctl
 profile mdevctl @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  @{exec_path} mr,

--- a/apparmor.d/profiles-m-r/metadata-cleaner
+++ b/apparmor.d/profiles-m-r/metadata-cleaner
@ -9,9 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/metadata-cleaner
 profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/dconf-write>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
+  include <abstractions/common/gnome>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/user-read-strict>
@ -20,12 +18,10 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{python_path} rix,

-  @{bin}/bwrap rCx -> bwrap,
-  @{open_path} rPx -> child-open-help,
+  @{bin}/bwrap  Cx -> bwrap,
+  @{open_path}  Px -> child-open-help,

-  /usr/share/metadata-cleaner/{,**} r,
  /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w,
-
  /usr/share/poppler/{,**} r,

  /etc/httpd/conf/mime.types r,
@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {

  @{run}/mount/utab r,

-  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  deny owner @{user_share_dirs}/gvfs-metadata/* r,
  deny owner @{user_cache_dirs}/thumbnails/** r,
@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
    include <abstractions/common/bwrap>
    include <abstractions/perl>

-    signal (receive) set=(kill) peer=metadata-cleaner,
+    signal receive set=(kill) peer=metadata-cleaner,

    @{bin}/bwrap mr,
    @{bin}/vendor_perl/exiftool rix,
--- a/apparmor.d/profiles-s-z/totem
+++ b/apparmor.d/profiles-s-z/totem
@ -14,6 +14,7 @@ profile totem @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/common/gnome>
  include <abstractions/gstreamer>
+  include <abstractions/thumbnails-cache-write>
  include <abstractions/user-download-strict>

  network netlink raw,
@ -67,6 +68,10 @@ profile totem @{exec_path} flags=(attach_disconnected) {
    include <abstractions/gstreamer>

    capability dac_override,
+    capability sys_ptrace,
+
+    network inet dgram,
+    network inet6 dgram,

    @{bin}/bwrap mr,
    @{bin}/totem-video-thumbnailer rix,
@ -78,8 +83,11 @@ profile totem @{exec_path} flags=(attach_disconnected) {
    owner @{tmp}/flatpak-seccomp-@{rand6} rw,
    owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw,
    owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw,
+    owner @{tmp}/gnome-desktop-thumbnailer.png rw,

          @{PROC}/sys/vm/mmap_min_addr r,
+    owner @{PROC}/@{pid}/mountinfo r,
+    owner @{PROC}/@{pid}/stat r,
    owner @{PROC}/@{pid}/task/@{tid}/comm w,

    /dev/ r,
--- a/apparmor.d/profiles-s-z/xsane-gimp
+++ b/apparmor.d/profiles-s-z/xsane-gimp
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# Copyright (C) 2024-2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/4.0>,
@ -10,27 +11,30 @@ include <tunables/global>
 profile xsane-gimp @{exec_path} {
  include <abstractions/base>
  include <abstractions/devices-usb>
-  include <abstractions/gnome-strict>
-
-  signal (receive) set=(term, kill) peer=gimp,
+  include <abstractions/desktop>

  network inet dgram,
  network inet6 dgram,
  network netlink raw,

+  signal receive set=(term, kill) peer=gimp,
+
  @{exec_path} mr,
+
  @{system_share_dirs}/gimp/{,**} r,
  @{system_share_dirs}/sane/xsane/{,**} r,
-  @{system_share_dirs}/snmp/mibs/{,**} r, # network
+  @{system_share_dirs}/snmp/mibs/{,**} r,
+
  /etc/sane.d/{,**} r,
+
  owner @{HOME}/.sane/{,**} rw,
  owner @{tmp}/xsane-*-@{rand6} rw,
-  @{sys}/devices/@{pci}/{model,type,vendor} r,
-  @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r,

-  # SCSI
  @{sys}/bus/scsi/devices/ r,
+  @{sys}/devices/@{pci}/{model,type,vendor} r,
+
  @{PROC}/scsi/scsi r,
+  @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r,

  include if exists <local/xsane-gimp>
 }
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -9,7 +9,6 @@ systemd attach_disconnected,mediate_deleted,complain
 systemd-service attach_disconnected,complain
 systemd-user attach_disconnected,mediate_deleted,complain

-aa-notify complain
 akonadi_akonotes_resource complain
 akonadi_archivemail_agent complain
 akonadi_birthdays_resource complain
@ -106,7 +105,6 @@ filezilla complain
 finalrd complain
 firewall-applet attach_disconnected,complain
 firewall-config complain
-firewalld attach_disconnected,complain
 flameshot complain
 flatpak attach_disconnected,mediate_deleted,complain
 flatpak-app attach_disconnected,mediate_deleted,complain
@ -117,29 +115,20 @@ flatpak-system-helper complain
 flatpak-validate-icon complain
 fstrim complain
 fuse-overlayfs complain
-fusermount complain
 gdk-pixbuf-thumbnailer complain
 gdm-generate-config complain
 gdm-runtime-config complain
 gdm-session attach_disconnected,complain
 gdm-xsession complain
-gimp complain
 gmenudbusmenuproxy complain
 gnome-browser-connector-host complain
 gnome-control-center attach_disconnected,complain
 gnome-control-center-goa-helper complain
 gnome-disk-image-mounter complain
-gnome-disks complain
 gnome-extension-gsconnect complain
 gnome-extension-manager complain
 gnome-initial-setup complain
-gnome-music attach_disconnected,complain
-gnome-photos-thumbnailer complain
 gnome-remote-desktop-daemon complain
-gnome-software complain
-gnome-system-monitor attach_disconnected,complain
-gnome-terminal-server complain
-gnome-tweaks complain
 grub-bios-setup complain
 grub-editenv complain
 grub-file complain
@ -173,8 +162,8 @@ gsettings complain
 gvfsd-dav complain
 gvfsd-wsdd complain
 hostnamectl complain
-hyprctl complain
-hyprlock complain
+hyprctl attach_disconnected,complain
+hyprlock attach_disconnected,complain
 hyprpaper attach_disconnected,complain
 hyprpicker complain
 hyprpm complain
@ -184,7 +173,6 @@ im-launch complain
 install-info complain
 iwctl complain
 iwd complain
-jitterentropy-rngd complain
 kaccess complain
 kactivitymanagerd complain
 kalendarac complain
@ -202,7 +190,6 @@ kded complain
 kernel-install complain
 keyboxd complain
 kglobalacceld complain
-kgx complain
 kio_http_cache_cleaner complain
 kiod complain
 kioworker complain
@ -238,9 +225,6 @@ lvmdump complain
 lvmpolld complain
 man complain
 mate-notification-daemon complain
-mdevctl complain
-metadata-cleaner attach_disconnected,complain
-mke2fs complain
 ModemManager attach_disconnected,complain
 mount attach_disconnected,complain
 multipath attach_disconnected,complain
@ -357,7 +341,6 @@ systemd-network-generator complain
 systemd-nsresourced complain
 systemd-nsresourcework complain
 systemd-portabled complain
-systemd-remount-fs complain
 systemd-resolve complain
 systemd-shutdown complain
 systemd-sleep-tlp complain
@ -408,6 +391,5 @@ xdm-xsession complain
 xembedsniproxy complain
 xfce-session attach_disconnected,complain
 xsettingsd complain
-xwaylandvideobridge complain
 zpool complain