felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): new definition for MOUNTs, add MOUNTDIRS.

Browse source
This commit is contained in:
Alexandre Pujol 2022-06-12 22:51:37 +01:00
parent 9493e783ce
commit 779853dc7f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
62 changed files with 198 additions and 203 deletions
Download patch file Download diff file Expand all files Collapse all files

9
apparmor.d/profiles-m-r/megasync
View file

@ -6,8 +6,6 @@ abi <abi/3.0>,
include <tunables/global>
@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage
@{exec_path} = /{usr/,}bin/megasync
profile megasync @{exec_path} {
include <abstractions/base>
@ -55,11 +53,8 @@ profile megasync @{exec_path} {
owner @{user_config_dirs}/QtProject.conf r,
# Sync folder
#/ r,
#@{MOUNTS}/ r,
#@{MOUNTS}/*/ r,
owner @{SYNC_FOLDER}/ r,
owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**,
owner @{user_sync_dirs}/ r,
owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**,
# Proc filesystem
deny owner @{PROC}/@{pid}/cmdline r,

4
apparmor.d/profiles-m-r/mke2fs
View file

@ -30,9 +30,9 @@ profile mke2fs @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For virt-resize
owner /var/tmp/.guestfs-[0-9]*/** rwk,

4
apparmor.d/profiles-m-r/mkfs-btrfs
View file

@ -24,9 +24,9 @@ profile mkfs-btrfs @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-btrfs>
}

4
apparmor.d/profiles-m-r/mkfs-fat
View file

@ -18,9 +18,9 @@ profile mkfs-fat @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-fat>
}

4
apparmor.d/profiles-m-r/mount
View file

@ -45,9 +45,9 @@ profile mount @{exec_path} flags=(complain) {
# Mount iso/img files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# The special /dev/loop-control file can be used to create and destroy loop devices or to find
# the first available loop device.

13
apparmor.d/profiles-m-r/mount-cifs
View file

@ -30,19 +30,18 @@ profile mount-cifs @{exec_path} flags=(complain) {
owner @{HOME}/.smbcredentials r,
# Mount points
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=cifs -> @{MOUNTDIRS}/,
mount fstype=cifs -> @{MOUNTS}/,
mount fstype=cifs -> @{MOUNTS}/*/,
mount fstype=cifs -> @{MOUNTS}/*/*/,
mount fstype=cifs -> /mnt/,
mount fstype=cifs -> /mnt/*/,
umount @{MOUNTDIRS}/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /mnt/,
umount /mnt/*/,
include if exists <local/mount-cifs>
}

13
apparmor.d/profiles-m-r/mount-nfs
View file

@ -45,21 +45,20 @@ profile mount-nfs @{exec_path} flags=(complain) {
owner @{run}/rpc.statd.lock wk,
# Mount points
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=nfs -> @{MOUNTDIRS}/,
mount fstype=nfs -> @{MOUNTS}/,
mount fstype=nfs -> @{MOUNTS}/*/,
mount fstype=nfs -> @{MOUNTS}/*/*/,
mount fstype=nfs -> /mnt/,
mount fstype=nfs -> /mnt/*/,
mount fstype=nfs -> /,
mount fstype=nfs -> /*/,
umount @{MOUNTDIRS}/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /mnt/,
umount /mnt/*/,
umount /,
umount /*/,

4
apparmor.d/profiles-m-r/mtools
View file

@ -25,9 +25,9 @@ profile mtools @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mtools>
}

51
apparmor.d/profiles-m-r/ntfs-3g
View file

@ -23,36 +23,35 @@ profile ntfs-3g @{exec_path} {
@{exec_path} mr,
@{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/mounts r,
/{usr/,}bin/kmod rPx, # To load the fuse kernel module
# Mount points
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
# Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
# Allow to mount encrypted partition
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTDIRS}/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
umount @{MOUNTDIRS}/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r,
/dev/fuse rw,
# Mount points
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/,
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/*/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
# Allow to mount encrypted partition
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/,
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/,
umount @{MOUNTS}/*/,
umount /mnt/*/,
# kmod is used to load the fuse kernel module
/{usr/,}bin/kmod rPx,
include if exists <local/ntfs-3g>
}

2
apparmor.d/profiles-m-r/ntfsclone
View file

@ -21,7 +21,7 @@ profile ntfsclone @{exec_path} {
# A place for backups
@{HOME}/* rwk,
@{MOUNTS}/*/** rwk,
@{MOUNTS}/** rwk,
include if exists <local/ntfsclone>
}

4
apparmor.d/profiles-m-r/obex-folder-listing
View file

@ -16,8 +16,8 @@ profile obex-folder-listing @{exec_path} {
owner @{HOME}/ r,
owner @{HOME}/**/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/**/ r,
owner @{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
include if exists <local/obex-folder-listing>
}

4
apparmor.d/profiles-m-r/parted
View file

@ -70,9 +70,9 @@ profile parted @{exec_path} {
# file_inherit
include <abstractions/disks-write> # lots of files in this abstraction get inherited
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
}

10
apparmor.d/profiles-m-r/qbittorrent
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{TORRENT_DIR} = @{MOUNTS}/*/torrent
@{TORRENT_DIR} = @{MOUNTS}/torrent
@{exec_path} = /{usr/,}bin/qbittorrent
profile qbittorrent @{exec_path} {
@ -241,9 +241,9 @@ profile qbittorrent @{exec_path} {
owner @{run}/user/@{uid}/ r,
# file_inherit
owner @{MOUNTS}/*/torrent/** r,
owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw,
owner "@{MOUNTS}/*/torrent/**.!qB" rw,
owner @{MOUNTS}/torrent/** r,
owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw,
owner "@{MOUNTS}/torrent/**.!qB" rw,
owner @{HOME}/.xsession-errors w,
@ -291,7 +291,7 @@ profile qbittorrent @{exec_path} {
owner /tmp/tmp* rw,
# file_inherit
owner @{MOUNTS}/*/torrent/** r,
owner @{MOUNTS}/torrent/** r,
deny /dev/dri/card[0-9]* rw,
include if exists <local/qbittorrent_python3>

9
apparmor.d/profiles-m-r/qnapi
View file

@ -74,11 +74,10 @@ profile qnapi @{exec_path} {
# Movie dirs
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/** r,
owner @{MOUNTS}/*/**#[0-9]*[0-9] rw,
owner @{MOUNTS}/*/**.@{qnapi_vid_ext} r,
owner @{MOUNTS}/*/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/*/**/#[0-9]*[0-9],
owner @{MOUNTS}/** r,
owner @{MOUNTS}/**#[0-9]*[0-9] rw,
owner @{MOUNTS}/**.@{qnapi_vid_ext} r,
owner @{MOUNTS}/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/**/#[0-9]*[0-9],
owner @{HOME}/ r,
owner @{user_config_dirs}/qnapi.ini rw,

2
apparmor.d/profiles-m-r/qtox
View file

@ -34,7 +34,7 @@ profile qtox @{exec_path} {
# For importing old profile
owner @{HOME}/**.tox r,
owner @{MOUNTS}/*/**.tox r,
owner @{MOUNTS}/**.tox r,
owner @{HOME}/ r,
owner @{user_cache_dirs}/qTox/ rw,

4
apparmor.d/profiles-m-r/resize2fs
View file

@ -24,9 +24,9 @@ profile resize2fs @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/resize2fs>
}