feat(profile): improve support for some profiles.

Most of the rules have come from the integration tests.
2024-11-12 22:18:11 +00:00 · 2024-11-12 22:18:11 +00:00 · 66455a9251
commit 66455a9251
parent e4f0f06648
29 changed files with 50 additions and 22 deletions
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-engine-simple
 profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/ibus>
@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/ibus-engine-simple>
 }

--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-x11
 profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
@ -42,8 +43,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/ibus-x11>
 }

--- a/apparmor.d/groups/cron/cron-apport
+++ b/apparmor.d/groups/cron/cron-apport
@ -18,7 +18,7 @@ profile cron-apport @{exec_path} {

  / r,
  /var/crash/ r,
-  /var/crash/*.crash w,
+  /var/crash/* w,

  include if exists <local/cron-apport>
 }
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -54,6 +54,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/polkit{,-1}/.cache/ rw,

  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,

  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@ -13,8 +13,7 @@ profile upower @{exec_path} {
  include <abstractions/bus-system>
  include <abstractions/consoles>

-  # Needed?
-  audit capability sys_nice,
+  #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -63,8 +63,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  @{lib}/xdg-desktop-portal-validate-icon rPx,
  @{open_path}                            rPx -> child-open,

-        / r,
-  @{att}/.flatpak-info r,
+              / r,
+        @{att}/.flatpak-info r,
+  owner @{att}/ r,

  /usr/share/dconf/profile/gdm r,
  /usr/share/xdg-desktop-portal/** r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -30,6 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
  include <abstractions/user-download-strict>

  signal receive set=term peer=gdm,
+  signal receive set=hup  peer=gdm-session-worker,

  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),

--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -17,7 +17,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/net.reactivated.Fprint>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.background.Monitor>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.GeoClue2>
@ -83,6 +82,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  # Talk with gnome-shell

+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/dirmngr
 profile dirmngr @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/gpg/keyboxd
+++ b/apparmor.d/groups/gpg/keyboxd
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gnupg/keyboxd
 profile keyboxd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  @{exec_path} mr,

--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -36,7 +36,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/app/udevadm>

-    @{run}/udev/control rw,
+    capability net_admin,
+
+    @{att}/@{run}/udev/control rw,
+
    @{run}/udev/rules.d/90-netplan.rules rw,
    @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw,

--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} {

  signal (send) peer=child-pager,

+  unix bind type=stream addr=@@{hex16}/bus/systemd-analyze/system,
+
  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"

  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-cgls
+++ b/apparmor.d/groups/systemd/systemd-cgls
@ -10,6 +10,8 @@ include <tunables/global>
 profile systemd-cgls @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.systemd1>
+  include <abstractions/consoles>

  capability sys_ptrace,

@ -17,6 +19,8 @@ profile systemd-cgls @{exec_path} {

  signal send set=cont peer=child-pager,

+  unix bind type=stream addr=@@{hex16}/bus/systemd-cgls/system,
+
  @{exec_path} mr,

  @{pager_path} rPx -> child-pager,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -37,8 +37,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
  /etc/machine-info rw,
  /etc/os-release r,

+  @{att}/@{run}/systemd/notify rw,
+
  @{run}/systemd/default-hostname rw,
-  @{run}/systemd/notify rw,
  @{run}/udev/data/+dmi:* r,              # for motherboard info

  @{sys}/devices/virtual/dmi/id/ r,
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -35,7 +35,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  /etc/X11/xorg.conf.d/.#*.confd* rw,
  /etc/X11/xorg.conf.d/*.conf rw,

-  @{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/notify rw,

  include if exists <local/systemd-localed>
 }
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -95,6 +95,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511

  @{att}/@{run}/systemd/notify w,
+  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,

  @{run}/systemd/inhibit/ rw,
  @{run}/systemd/inhibit/.#* rw,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -25,6 +25,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/oomd.conf.d/{,**} r,

  @{att}/@{run}/systemd/notify w,
+  @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,

  @{run}/systemd/io.system.ManagedOOM rw,
  @{run}/systemd/io.systemd.ManagedOOM rw,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -41,8 +41,9 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/resolved.conf r,
  /etc/systemd/resolved.conf.d/{,*} r,

+  @{att}/@{run}/systemd/notify w,
+
  @{run}/systemd/netif/links/* r,
-  @{run}/systemd/notify rw,
  @{run}/systemd/resolve/{,**} rw,

  @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@ -35,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
  /etc/.#timezone* rw,
  /etc/timezone rw,

-  @{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/notify rw,

  /dev/rtc@{int} r,

--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@ -30,6 +30,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)

  /etc/machine-id r,

+  @{att}/@{run}/systemd/notify w,
+  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
  @{run}/systemd/userdb/{,**} rw,

  @{PROC}/@{pid}/cgroup r,