From 6d1fa42f253aac1f30be1bd0f32e471d1a451af9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 30 Mar 2022 22:20:56 +0100
Subject: [PATCH] feat: update profiles.
---
 apparmor.d/groups/desktop/at-spi-bus-launcher | 2 +-
 apparmor.d/groups/desktop/xwayland | 1 +
 apparmor.d/groups/gnome/gnome-shell | 1 +
 apparmor.d/groups/gnome/tracker-extract | 1 +
 apparmor.d/groups/gnome/tracker-miner | 3 ++-
 apparmor.d/groups/systemd/systemd-logind | 2 ++
 .../systemd/systemd-tty-ask-password-agent | 1 +
 apparmor.d/groups/systemd/zram-generator | 5 +++--
 apparmor.d/profiles-a-f/aa-status | 1 +
 apparmor.d/profiles-a-f/borg | 9 +++++++--
 apparmor.d/profiles-a-f/dmidecode | 1 +
 apparmor.d/profiles-g-l/hostname | 2 ++
 apparmor.d/profiles-g-l/ifup | 5 ++++-
 apparmor.d/profiles-g-l/ip | 1 +
 apparmor.d/profiles-g-l/lsblk | 1 +
 apparmor.d/profiles-m-r/on-ac-power | 2 +-
 apparmor.d/profiles-s-z/sensors | 19 ++++++++++---------
 apparmor.d/profiles-s-z/sensors-detect | 5 +++--
 apparmor.d/profiles-s-z/sudo | 1 +
 19 files changed, 44 insertions(+), 19 deletions(-)
diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher
index da34e0d51..9f4df2b12 100644
--- a/apparmor.d/groups/desktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/desktop/at-spi-bus-launcher
@@ -33,7 +33,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.Xauthority r,
 owner @{HOME}/.xsession-errors w,
- owner @{run}/user/@{uid}/at-spi/ w,
+ owner @{run}/user/@{uid}/at-spi/{,bus} rw,
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
diff --git a/apparmor.d/groups/desktop/xwayland b/apparmor.d/groups/desktop/xwayland
index 8cec4f89a..df3c81ec4 100644
--- a/apparmor.d/groups/desktop/xwayland
+++ b/apparmor.d/groups/desktop/xwayland
@@ -31,6 +31,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
 @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/pci[0-9]*/**/revision r,
 @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pids}/comm r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 812f8738e..0b27b6f7f 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -156,6 +156,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/drm/ r,
 @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
 @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
+ @{sys}/devices/pci[0-9]*/**/revision r,
 owner @{PROC}/@{pid}/comm r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index ac9993b4a..523658508 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -44,6 +44,7 @@ profile tracker-extract @{exec_path} {
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
+ @{run}/blkid/blkid.tab r,
 @{run}/udev/data/c235:* r,
 @{run}/udev/data/c236:* r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 0bbe7f2a9..80eb5ad40 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} {
 include
+ include
 include
 include
 include
@@ -38,9 +39,9 @@ profile tracker-miner @{exec_path} {
 owner @{PROC}/@{pid}/mounts r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
- include
 owner @{run}/user/@{uid}/dconf/ rw,
 owner @{run}/user/@{uid}/dconf/user rw,
+ @{run}/blkid/blkid.tab r,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 7b1d374ca..adaa5d804 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -46,12 +46,14 @@ profile systemd-logind @{exec_path} flags=(complain) {
 @{run}/udev/data/c116:[0-9]* r, # for ALSA
 @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
 @{run}/udev/data/c23[0-9]:[0-9]* r,
+ @{run}/udev/data/c29:[0-9]* r,
 @{run}/udev/data/c50[0-9]:[0-9]* r,
 @{run}/udev/data/c51[0-9]:[0-9]* r,
 @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
 @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs
 @{run}/udev/data/+backlight:intel_backlight r,
+ @{run}/udev/data/+pci* r,
 @{run}/systemd/seats/ rw,
 @{run}/systemd/seats/.#seat* rw,
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
index 7c73c8444..204a9b3e0 100644
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/systemd-tty-ask-password-agent
 profile systemd-tty-ask-password-agent @{exec_path} {
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator
index 8ca0cfc3e..6d176ebb9 100644
--- a/apparmor.d/groups/systemd/zram-generator
+++ b/apparmor.d/groups/systemd/zram-generator
@@ -13,8 +13,9 @@ profile zram-generator @{exec_path} {
 @{exec_path} mr,
- /{usr/,}lib/systemd/systemd-makefs rPx,
- /{usr/,}bin/systemd-detect-virt rPx,
+ /{usr/,}bin/kmod rix,
+ /{usr/,}bin/systemd-detect-virt rPx,
+ /{usr/,}lib/systemd/systemd-makefs rPx,
 /etc/systemd/zram-generator.conf r,
diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/profiles-a-f/aa-status
index 453ba8ddb..66c3f1579 100644
--- a/apparmor.d/profiles-a-f/aa-status
+++ b/apparmor.d/profiles-a-f/aa-status
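Review bot: The new `@{run}/udev/data/c29:[0-9]* r,` line lacks the trailing explanation its neighbours carry (`# for ALSA`, `# for /dev/dri/card*`); character major 29 is the Linux framebuffer, so `@{run}/udev/data/c29:[0-9]* r, # for /dev/fb*` keeps the list self-documenting. The same applies to `@{run}/udev/data/+pci* r,`, where a short note on which PCI device properties logind reads would help the next reviewer. The profile body continues outside the hunk.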
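Review bot: `/{usr/,}bin/kmod rix,` runs kmod inside zram-generator's own confinement, so every access kmod needs (module index files under the kernel module directory and `capability sys_module`) must be granted in this profile rather than in a dedicated kmod one; none of that is visible in this hunk and the profile body continues outside it, so please confirm it is present, or prefer `rPx` if the set already ships a kmod profile so module-loading rights stay out of the generator. A why-comment beside the rule would also help, e.g. `# presumably used to load the zram module` (hedged, since the call site is not shown here).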
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}{s,}bin/aa-status
 profile aa-status @{exec_path} {
 include
+ include
 capability dac_read_search,
 capability sys_ptrace,
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index 21a2459b5..5e40c1ec9 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -43,6 +43,7 @@ profile borg @{exec_path} {
 @{PROC}/sys/kernel/random/boot_id r,
 @{run}/systemd/userdb/ r,
+ @{run}/resolvconf/resolv.conf r,
 owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/borg/ rw,
@@ -80,6 +81,10 @@ profile borg @{exec_path} {
 owner @{MOUNTS}/ r,
 owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
+ # borg serve on server's side
+ owner /home/borg/*/ rw,
+ owner /home/borg/*/{,**} rw,
 # For exporting the key
 owner /**/key w,
diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode
index ad8f2aebb..e605ee5f8 100644
--- a/apparmor.d/profiles-a-f/dmidecode
+++ b/apparmor.d/profiles-a-f/dmidecode
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}{s,}bin/dmidecode
 profile dmidecode @{exec_path} {
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname
index 2ce28d156..4e0d4de6f 100644
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@@ -18,5 +18,7 @@ profile hostname @{exec_path} {
 @{exec_path} mr,
+ @{run}/resolvconf/resolv.conf r,
+ include if exists
 }
diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup
index a1a94ce62..73e36a65a 100644
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
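Review bot: In the borg `@@ -80,6 +81,10 @@` hunk, `owner /home/borg/*/ rw,` is already covered by `owner /home/borg/*/{,**} rw,` because the empty alternative in `{,**}` matches the directory itself, so the first line can be dropped. Hard-coding `/home/` also sidesteps the home-directory tunable the rest of the set relies on; `owner @{HOMEDIRS}/borg/*/{,**} rw,` keeps the rule valid on systems whose home directories live elsewhere. The comment would be clearer as `# borg serve: repositories of the borg service user on the server side`, so a reader knows which account the path belongs to.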
@@ -52,7 +52,10 @@ profile ifup @{exec_path} {
 /{usr/,}bin/run-parts mr,
+ /{usr/,}lib/bridge-utils/ifupdown.sh rPUx,
+ /etc/network/if-down.d/ r,
+ /etc/network/if-down.d/resolvconf rPUx,
 /etc/network/if-down.d/openvpn rPUx,
 /etc/network/if-down.d/wpasupplicant rPUx,
 /etc/wpa_supplicant/ifupdown.sh rPUx,
@@ -70,7 +73,6 @@ profile ifup @{exec_path} {
 /etc/network/if-pre-up.d/ r,
 /etc/network/if-pre-up.d/bridge rPUx,
- /{usr/,}lib/bridge-utils/ifupdown.sh rPUx,
 /etc/network/if-pre-up.d/ethtool rPUx,
 /etc/network/if-pre-up.d/hostapd rPUx,
 /etc/network/if-pre-up.d/ifenslave rPUx,
@@ -109,6 +111,7 @@ profile ifup @{exec_path} {
 include
 # capability mac_admin,
+ capability net_admin,
 capability sys_admin,
 # capability sys_resource,
diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip
index ffd68bd2f..8c5a471c5 100644
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/ip
 profile ip @{exec_path} flags=(attach_disconnected) {
 include
+ include
 capability net_admin,
 capability sys_module,
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk
index a10dffe84..c71fe8e2c 100644
--- a/apparmor.d/profiles-g-l/lsblk
+++ b/apparmor.d/profiles-g-l/lsblk
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/lsblk
 profile lsblk @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power
index 4407d8c6f..7434eef22 100644
--- a/apparmor.d/profiles-m-r/on-ac-power
+++ b/apparmor.d/profiles-m-r/on-ac-power
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,}bin/on_ac_power /{usr/,}bin/on_ac_power
+@{exec_path} = /{usr/,}{s,}bin/on_ac_power
 profile on-ac-power @{exec_path} {
 include
diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors
index 43cf3cf77..2ee51148d 100644
--- a/apparmor.d/profiles-s-z/sensors
+++ b/apparmor.d/profiles-s-z/sensors
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2015-2020 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2015-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -18,18 +18,19 @@ profile sensors @{exec_path} {
 /etc/sensors.d/{,*} r,
 /etc/sensors3.conf r,
- @{sys}/devices/pci[0-9]*/**/name r,
-
- @{sys}/class/i2c-adapter/ r,
 @{sys}/class/hwmon/ r,
+ @{sys}/class/i2c-adapter/ r,
+ @{sys}/devices/**/hwmon*/{,**/} r,
+ @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r,
+ @{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
+ @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
+ @{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r,
+ @{sys}/devices/i2c-[0-9]*/name r,
+ @{sys}/devices/pci[0-9]*/**/name r,
 @{sys}/devices/virtual/hwmon/hwmon[0-9]* r,
 @{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r,
 @{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r,
 @{sys}/devices/virtual/hwmon/hwmon[0-9]*/fan[0-9]_label r,
- @{sys}/devices/**/hwmon*/{,**/} r,
- @{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
- @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r,
- @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
 # file_inherit
 deny @{PROC}/@{pid}/net/dev r,
diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect
index d7ddabdfc..27b738a8e 100644
--- a/apparmor.d/profiles-s-z/sensors-detect
+++ b/apparmor.d/profiles-s-z/sensors-detect
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -37,7 +38,7 @@ profile sensors-detect @{exec_path} {
 /dev/i2c-[0-9]* r,
 owner @{PROC}/@{pid}/mounts r,
- /proc/modules r,
+ @{PROC}/modules r,
 profile udevadm {
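Review bot: In the sensors `@@ -18,18 +18,19 @@` hunk, the kept `@{sys}/devices/virtual/hwmon/hwmon[0-9]*/ r,` and `@{sys}/devices/virtual/hwmon/hwmon[0-9]*/{name,temp*} r,` lines appear to be subsumed by the generic `@{sys}/devices/**/hwmon*/{,**/} r,` and `@{sys}/devices/**/hwmon*/{name,temp*,*_input} r,` rules now placed above them, since `**` also spans `virtual/hwmon`; only the slash-less `hwmon[0-9]* r,` and the `fan[0-9]_label` line still add anything, so the sorted block could be trimmed. The new `@{sys}/devices/**/hwmon/hwmon[0-9]*/power[0-9]*_crit r,` is also written with a narrower path shape (`hwmon/hwmon[0-9]*/`) than every sibling (`hwmon*/`); if the same scope is intended, `@{sys}/devices/**/hwmon*/power[0-9]*_crit r,` keeps the list uniform. Either way a short comment naming the reading that needs `power*_crit` would help later maintainers.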
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 0ef984ee4..c80f46386 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -78,6 +78,7 @@ profile sudo @{exec_path} {
 @{run}/systemd/userdb/ r,
 @{run}/systemd/userdb/io.systemd.DynamicUser rw,
+ @{run}/resolvconf/resolv.conf r,
 /dev/ r, # interactive login
 /dev/ptmx rw,