From 67c9e86d832c144d70e4d1e1d49d79ac007a8472 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 10 Aug 2025 19:00:42 +0200
Subject: [PATCH] feat(profile): improve integration with ubuntu.
---
 apparmor.d/groups/apt/dpkg-script-apparmor | 7 +++++++
 apparmor.d/groups/cups/cups-browsed | 6 ++++--
 apparmor.d/groups/cups/cupsd | 3 +++
 apparmor.d/groups/gnome/gdm-generate-config | 4 ++--
 apparmor.d/groups/gnome/gnome-terminal-server | 2 ++
 apparmor.d/groups/gnome/papers | 1 +
 apparmor.d/groups/systemd/systemd-coredump | 1 +
 apparmor.d/groups/systemd/systemd-logind | 10 +++++-----
 apparmor.d/groups/systemd/systemd-sleep-hdparm | 1 +
 apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders | 6 ++++--
 apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer | 2 ++
 apparmor.d/profiles-g-l/git | 5 ++++-
 apparmor.d/profiles-g-l/gitstatusd | 4 +++-
 apparmor.d/profiles-g-l/host | 5 +++--
 apparmor.d/profiles-g-l/language-validate | 1 -
 apparmor.d/profiles-m-r/on-ac-power | 1 +
 apparmor.d/profiles-m-r/pass | 1 +
 apparmor.d/profiles-s-z/spotify | 2 +-
 apparmor.d/profiles-s-z/sysstat-sadc | 5 ++---
 apparmor.d/profiles-s-z/thermald | 3 +-
 20 files changed, 48 insertions(+), 22 deletions(-)
diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor
index 122e4541e..38a068ac0 100644
--- a/apparmor.d/groups/apt/dpkg-script-apparmor
+++ b/apparmor.d/groups/apt/dpkg-script-apparmor
@@ -11,6 +11,8 @@ profile dpkg-script-apparmor @{exec_path} {
 include
 include
+ capability dac_read_search,
+
 @{exec_path} mrix,
 @{bin}/{,e}grep ix,
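Review bot: `capability dac_read_search,` is added to the top-level profile with no comment saying which access needs it, and the second hunk of this file (`@@ -43,11 +45,16 @@`) repeats it together with `capability dac_override,`, again uncommented. Both capabilities let a root process bypass DAC checks on files it does not own, which presumably is what the new non-`owner` `rw` rules on `@{run}/user/@{uid}/systemd/ask-password{,-block}/` in that hunk require — confirm that, and note that `dac_override` also covers writes while `dac_read_search` is read/search only. A one-line comment next to the capability lines, e.g. `# Needed to reach the user-owned ask-password dirs under @{run}/user/@{uid}/`, would record the reason for the next maintainer. The profile block enclosing the second hunk starts outside that hunk, so it is not visible whether those lines land in the main profile or a child profile.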
@@ -43,11 +45,16 @@ profile dpkg-script-apparmor @{exec_path} {
 capability net_admin,
 capability sys_resource,
+ capability dac_override,
+ capability dac_read_search,
 signal send set=(cont term) peer=systemd-tty-ask-password-agent,
 @{bin}/systemd-tty-ask-password-agent rix,
+ @{run}/user/@{uid}/systemd/ask-password/ rw,
+ @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw,
+ owner @{run}/systemd/ask-password/ rw,
 owner @{run}/systemd/ask-password-block/{,*} rw,
diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed
index 745337a8d..9498f245a 100644
--- a/apparmor.d/groups/cups/cups-browsed
+++ b/apparmor.d/groups/cups/cups-browsed
@@ -16,9 +16,9 @@ profile cups-browsed @{exec_path} {
 include
 include
- capability net_admin,
+# capability net_admin,
 capability net_bind_service,
- capability sys_nice,
+# capability sys_nice,
 network inet dgram,
 network inet6 dgram,
@@ -43,6 +43,8 @@ profile cups-browsed @{exec_path} {
 @{exec_path} mr,
+ @{bin}/ippfind rPx,
+
 /usr/share/cups/locale/{,**} r,
 /etc/cups/{,**} r,
diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd
index f9b70ae4d..acae9b7a1 100644
--- a/apparmor.d/groups/cups/cupsd
+++ b/apparmor.d/groups/cups/cupsd
@@ -29,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 capability setuid,
 capability wake_alarm,
+ network inet dgram,
 network inet stream,
+ network inet6 dgram,
 network inet6 stream,
 network appletalk dgram,
@@ -99,6 +101,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 @{run}/cups/{,**} rw,
 @{run}/systemd/notify w,
+ @{run}/avahi-daemon/socket rw,
 @{sys}/module/apparmor/parameters/enabled r,
diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config
index 7240ffaef..d48b9eff6 100644
--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
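Review bot: In the first cups-browsed hunk, `capability net_admin,` and `capability sys_nice,` are commented out with `#` rather than removed, leaving two dead lines with no explanation of why they are kept. If they are meant as a reminder, say so inline, e.g. `# capability net_admin,  # not observed on ubuntu; re-add if denials appear`; otherwise delete them, since git history already records the old grants. The `@{bin}/ippfind rPx,` added in the second hunk of this file only works if an `ippfind` profile exists in the set, because `Px` with no matching profile makes the exec fail — confirm that profile is present.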
@@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} {
 @{sh_path} rix,
 @{bin}/dconf rix,
 @{bin}/install rix,
- @{bin}/pgrep rCx -> pgrep,
- @{bin}/pkill rCx -> pgrep,
+ @{bin}/pgrep rCx -> &pgrep,
+ @{bin}/pkill rCx -> &pgrep,
 @{bin}/setpriv rix,
 @{bin}/setsid rix,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 837f00f68..cda4568c1 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -38,6 +38,8 @@ profile gnome-terminal-server @{exec_path} {
 @{exec_path} mr,
+ @{lib}/gnome-terminal-preferences ix,
+
 # The shell is not confined on purpose.
 @{bin}/@{shells} Ux,
diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers
index 87820376c..27000b93a 100644
--- a/apparmor.d/groups/gnome/papers
+++ b/apparmor.d/groups/gnome/papers
@@ -26,6 +26,7 @@ profile papers @{exec_path} {
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{tmp}/.goutputstream-@{rand6} rw,
+ owner @{tmp}/papers-@{int}/{,**} rw,
 owner @{tmp}/gtkprint_@{rand6} rw,
 owner @{tmp}/gtkprint@{rand6} rw,
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 2bd25ec16..54f366c2f 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -35,6 +35,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
 @{bin}/* r,
 @{sbin}/* r,
 /opt/** r,
+ /usr/share/*/** r,
 @{user_lib_dirs}/** r,
 /etc/systemd/coredump.conf r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 7bd5c88de..1fb3f6cb3 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
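Review bot: In the gnome-terminal-server hunk, `@{lib}/gnome-terminal-preferences ix,` runs the preferences dialog inside gnome-terminal-server's own profile, so it inherits everything this profile allows, including the unconfined `@{bin}/@{shells} Ux,` transition visible two lines below it. If the preferences binary has no need to spawn shells, a separate or child profile (`rPx` or `rCx`) keeps that exec surface off it; if `ix` is deliberate, a comment such as `# Preferences dialog shares this profile, including the unconfined shell exec below` makes the trade-off explicit. The enclosing profile block starts outside the hunk.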
@@ -136,11 +136,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 @{PROC}/sysvipc/{shm,sem,msg} r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
- /dev/dri/card@{int} rw,
- /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)
- /dev/mqueue/ r,
- /dev/tty@{int} rw,
- owner /dev/shm/{,**/} rw,
+ /dev/dri/card@{int} rw,
+ /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)
+ /dev/mqueue/ r,
+ /dev/tty@{int} rw,
+ /dev/shm/{,**/} rw,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm
index 71008c96d..4cbe61755 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-hdparm
+++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm
@@ -11,6 +11,7 @@ profile systemd-sleep-hdparm @{exec_path} {
 include
 @{exec_path} mr,
+ @{sh_path} r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
index b64c34a4b..04c9a33f2 100644
--- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
@@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
 @{exec_path} mr,
- @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw,
- @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw,
+ @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w,
+ @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w,
+ @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw,
+ @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw,
 /usr/share/gvfs/remote-volume-monitors/{,**} r,
diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
index 6ec661d31..d3df6f5f3 100644
--- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
@@ -10,6 +10,8 @@ include
 profile gdk-pixbuf-thumbnailer @{exec_path} {
 include
+ @{exec_path} mr,
+
 include if exists
 }
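Review bot: In the systemd-logind hunk, only `/dev/shm/{,**/} rw,` changes meaning among the five rewritten lines — the `owner` qualifier is dropped, so the rule now reaches every user's directories under `/dev/shm` instead of only logind-owned ones — and neither the hunk nor the commit message says why. The other four lines read identically on both sides (presumably an indentation fix; the collapsed layout here cannot confirm it). A trailing comment such as `/dev/shm/{,**/} rw, # all users' dirs, not only owner-matched` would stop the widening from being mistaken for part of the reindent.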
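Review bot: In the gdk-pixbuf-query-loaders hunk, the two new `@{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/` rules grant `w` only, while the non-multiarch entries right below keep `rw` and also cover the `loaders.cache.*` temporary; if the tool uses the same write-temporary-then-rename pattern on the multiarch path, that temporary will be denied there. Also, `w` on the directory path itself permits creating or removing the directory rather than files inside it — confirm that is what the denial showed, otherwise a file-level rule is sufficient. A form that mirrors the existing lines is `@{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache{,.*} rw,`.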
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index c9373c7ae..425fe2f14 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -115,6 +115,8 @@ profile git @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/.git_vtag_tmp@{rand6} r,
+ owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,
+
 deny @{user_share_dirs}/gvfs-metadata/* r,
 include if exists
@@ -138,13 +140,14 @@ profile git @{exec_path} flags=(attach_disconnected) {
 @{etc_ro}/ssh/ssh_config.d/{,*} r,
 @{etc_ro}/ssh/ssh_config r,
- owner @{HOME}/@{XDG_SSH_DIR}/* r,
+ owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
 owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
 owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl,
 owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*,
 owner @{tmp}/ssh-*/agent.@{int} rw,
+ owner @{run}/user/@{uid}/keyring/ssh rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd
index 8901ade9c..579536674 100644
--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
@@ -6,12 +6,14 @@ abi ,
 include
-@{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*}
+@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*}
+@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*}
 profile gitstatusd @{exec_path} {
 include
 include
 signal receive set=term peer=*//shell,
+ signal receive set=term peer=vscode,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host
index aca2c5d61..ab0cf0cba 100644
--- a/apparmor.d/profiles-g-l/host
+++ b/apparmor.d/profiles-g-l/host
@@ -22,10 +22,11 @@ profile host @{exec_path} {
 @{exec_path} mr,
- owner @{PROC}/@{pids}/task/@{tid}/comm rw,
- @{sys}/kernel/mm/transparent_hugepage/enabled r,
+ @{PROC}/version_signature r,
+ owner @{PROC}/@{pids}/task/@{tid}/comm rw,
+
 include if exists
 }
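Review bot: In the gitstatusd hunk, `@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*}` attaches this profile to a binary in a user-writable cache directory, so whatever is placed at that path runs with gitstatusd's permissions; that is acceptable only while the profile stays as small as it is, and it deserves a comment, e.g. `# gitstatusd may live in the user cache (user-writable path): keep this profile minimal`. If the binary is placed there by a downloader, the comment should name it — I am inferring that from the path, so confirm. The new `signal receive set=term peer=vscode,` line names a profile `vscode`; confirm it matches the actual profile name in the set, since a typo here is silently ineffective.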
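Review bot: In the host hunk, the removal of `@{sys}/kernel/mm/transparent_hugepage/enabled r,` is not covered by the commit message ("improve integration with ubuntu") and is independent of the Ubuntu-specific `@{PROC}/version_signature r,` that takes its place; if an allocator on another distribution still probes that file, the read is denied again. Either restore the line or record in the commit why it is no longer needed. The enclosing profile block starts outside the hunk.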
diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate
index 80f914fab..3d7383aef 100644
--- a/apparmor.d/profiles-g-l/language-validate
+++ b/apparmor.d/profiles-g-l/language-validate
@@ -18,7 +18,6 @@ profile language-validate @{exec_path} flags=(attach_disconnected) {
 @{bin}/{,e}grep rix,
 @{bin}/locale rix,
- /usr/share/locale-langpack/{,*} r,
 /usr/share/language-tools/{,*} r,
 include if exists
diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power
index ffe3d4119..16ccfd9da 100644
--- a/apparmor.d/profiles-m-r/on-ac-power
+++ b/apparmor.d/profiles-m-r/on-ac-power
@@ -18,6 +18,7 @@ profile on-ac-power @{exec_path} {
 @{bin}/cat rix,
 @{sys}/class/power_supply/ r,
+ @{sys}/class/typec/ r,
 @{sys}/devices/**/power_supply/**/{online,type} r,
 @{PROC}/pmu/info r,
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 7e432a838..30f92c964 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -146,6 +146,7 @@ profile pass @{exec_path} {
 owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**,
 owner /dev/shm/pass.@{rand}/* rw,
 owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature
+ owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,
 owner /dev/pts/@{int} rw,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index b619a8720..1ec4eeea3 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -8,7 +8,7 @@ abi ,
 include
 @{name} = spotify
-@{lib_dirs} = /opt/spotify/
+@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/
 @{config_dirs} = @{user_config_dirs}/@{name}
 @{cache_dirs} = @{user_cache_dirs}/@{name}
diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc
index dfdd00524..7d9143938 100644
--- a/apparmor.d/profiles-s-z/sysstat-sadc
+++ b/apparmor.d/profiles-s-z/sysstat-sadc
@@ -24,10 +24,9 @@ profile sysstat-sadc @{exec_path} {
 @{sys}/class/fc_host/ r,
 @{sys}/class/hwmon/ r,
 @{sys}/class/i2c-adapter/ r,
- @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r,
- @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r,
 @{sys}/devices/@{pci}/net/*/duplex r,
- @{sys}/devices/**/i2c-*/name r,
+ @{sys}/devices/**/hwmon@{int}/ r,
+ @{sys}/devices/**/name r,
 @{sys}/devices/**/net/*/duplex r,
 @{sys}/devices/**/net/*/speed r,
 @{sys}/devices/virtual/net/*/duplex r,
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald
index 101310df1..b663865e8 100644
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 /etc/thermald/{,*} r,
 owner @{run}/thermald/ rw,
- owner @{run}/thermald/thd_preference.conf rw,
- owner @{run}/thermald/thd_preference.conf.save w,
+ owner @{run}/thermald/** rw,
 owner @{run}/thermald/thermald.pid rwk,
 @{sys}/class/hwmon/ r,
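Review bot: In the sysstat-sadc hunk, `@{sys}/devices/**/name r,` replaces two targeted rules (`@{pci}/hwmon/hwmon@{int}/name` and `**/i2c-*/name`) with read access to every `name` attribute under `@{sys}/devices/`; the exposure is low because these are non-sensitive sysfs labels, but the profile loses its record of what sadc actually reads. A glob that keeps that intent is `@{sys}/devices/**/{hwmon@{int},i2c-*}/name r,`; if the wider form is deliberate because other device classes showed up in denials, a short comment naming them keeps the next reviewer from narrowing it back. The enclosing profile continues past the hunk.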
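Review bot: In the thermald hunk, `owner @{run}/thermald/** rw,` now also matches `thermald.pid`, so the `owner @{run}/thermald/thermald.pid rwk,` line kept just below it only still contributes the `k` lock permission — worth a trailing comment (`# kept for k; ** above covers rw`) so it is not dropped later as redundant. If only the two preference files were the problem, `owner @{run}/thermald/thd_preference.conf{,.save} rw,` keeps the list explicit; the directory is thermald's own, so the widening is low risk either way. The enclosing profile continues past the hunk.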