From 7a3ba21d50a539ec092485f55e237131cdbd3c0f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 13 Apr 2021 14:14:23 +0100
Subject: [PATCH] Add gdm profiles.
---
 apparmor.d/groups/desktop/at-spi-bus-launcher | 1 +
 apparmor.d/groups/desktop/at-spi2-registryd | 2 +
 apparmor.d/groups/desktop/xwayland | 2 +
 apparmor.d/groups/gnome/gdm | 55 ++++++++++++++++
 apparmor.d/groups/gnome/gdm-session-worker | 63 +++++++++++++++++++
 apparmor.d/groups/gnome/gdm-wayland-session | 4 +-
 6 files changed, 126 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/groups/gnome/gdm
 create mode 100644 apparmor.d/groups/gnome/gdm-session-worker
diff --git a/apparmor.d/groups/desktop/at-spi-bus-launcher b/apparmor.d/groups/desktop/at-spi-bus-launcher
index e328b8046..ce897babe 100644
--- a/apparmor.d/groups/desktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/desktop/at-spi-bus-launcher
@@ -17,6 +17,7 @@ profile at-spi-bus-launcher @{exec_path} {
 # Needed?
 deny capability sys_nice,
+ signal (receive) set=term peer=gdm,
 signal (send) set=(term, kill) peer=dbus-daemon,
 network inet stream,
diff --git a/apparmor.d/groups/desktop/at-spi2-registryd b/apparmor.d/groups/desktop/at-spi2-registryd
index 5426a0a37..f7aee8e27 100644
--- a/apparmor.d/groups/desktop/at-spi2-registryd
+++ b/apparmor.d/groups/desktop/at-spi2-registryd
@@ -16,6 +16,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 # Needed?
 deny capability sys_nice,
+ signal (receive) set=term peer=gdm,
+
 @{exec_path} mr,
 owner @{HOME}/.Xauthority r,
diff --git a/apparmor.d/groups/desktop/xwayland b/apparmor.d/groups/desktop/xwayland
index cea447ad0..06df13d0b 100644
--- a/apparmor.d/groups/desktop/xwayland
+++ b/apparmor.d/groups/desktop/xwayland
@@ -12,6 +12,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 include
 include
+ signal (receive) set=term peer=gdm,
+
 @{exec_path} mrix,
 /{usr/,}bin/{,ba,da}sh rix,
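Review bot: The new `signal (receive) set=term peer=gdm,` rule in at-spi-bus-launcher (and the identical ones in the at-spi2-registryd and xwayland hunks below) is only half of the pair: the gdm profile added later in this patch writes its send side as `signal (send) set=(term) peer=confined,`. Unless `confined` is a label the parser treats specially, that rule matches only a profile literally named confined, and gdm will be denied sending TERM to these peers even though they now accept it. Naming the receivers on the send side keeps both halves in sync, e.g. `signal (send) set=(term) peer={at-spi-bus-launcher,at-spi2-registryd,xwayland,gdm-session-worker},` (gdm-session-worker also grants `signal (receive) set=term peer=gdm,` in this patch). Each of these hunks is a one-line insertion into a profile whose body continues outside the hunk.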
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
new file mode 100644
index 000000000..02ac67e19
--- /dev/null
+++ b/apparmor.d/groups/gnome/gdm
@@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/gdm
+profile gdm @{exec_path} {
+ include
+ include
+ include
+
+ capability chown,
+ capability fsetid,
+ capability kill,
+ capability net_admin,
+ capability sys_nice,
+
+ ptrace (read) peer=unconfined,
+
+ signal (send) set=(term) peer=confined,
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/gdm-session-worker rPx,
+
+ /usr/share/gdm/gdm.schemas r,
+ /usr/share/wayland-sessions/*.desktop r,
+
+ /etc/gdm/custom.conf r,
+ /etc/locale.conf r,
+
+ /var/{lib,log}/gdm/ rw,
+
+ @{run}/gdm/ rw,
+ @{run}/gdm/gdm.pid rw,
+ @{run}/gdm/greeter/ rw,
+ @{run}/systemd/seats/seat[0-9]* r,
+ @{run}/systemd/sessions/[0-9].ref r,
+ @{run}/systemd/userdb/ r,
+ @{run}/systemd/users/[0-9]* r,
+
+ @{sys}/devices/virtual/tty/tty[0-9]*/active r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
new file mode 100644
index 000000000..e91c4ccae
--- /dev/null
+++ b/apparmor.d/groups/gnome/gdm-session-worker
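Review bot: `@{run}/systemd/sessions/[0-9].ref r,` matches only single-digit session ids, unlike the `[0-9]*` glob used for seats and users two lines away, so once logind's session counter passes 9 the read is denied and the lookup fails silently; change it to `@{run}/systemd/sessions/[0-9]*.ref r,`. The same narrow pattern appears in the gdm-session-worker profile in the next hunk. Separately, `ptrace (read) peer=unconfined,` and the five capabilities above it carry no comment naming the gdm operation that needs each of them, which is what a later reviewer needs in order to tighten or drop one safely; a one-line why-comment per rule (marked TODO where the reason is not yet confirmed) would cover that. The `peer=confined` send rule is discussed at the first hunk of this patch.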
@@ -0,0 +1,63 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gdm-session-worker
+profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ signal (send) set=term peer=gdm-wayland-session,
+
+ capability audit_write,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability kill,
+ capability net_admin,
+ capability setgid,
+ capability setuid,
+ capability sys_nice,
+ capability sys_tty_config,
+
+ signal (receive) set=term peer=gdm,
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/gnome-keyring-daemon rPx,
+ /{usr/,}lib/gdm-wayland-session rPx,
+ /{usr/,}lib/gdm-x-session rPx,
+ /etc/gdm/{Pre,Post}Session/Default rix,
+
+ /etc/motd r,
+ /etc/shells r,
+ /etc/locale.conf r,
+ /etc/environment r,
+ /etc/gdm/custom.conf r,
+ /etc/security/limits.d/{,*.conf} r,
+
+ /usr/share/gdm/gdm.schemas r,
+
+ @{run}/faillock/[a-zA-z0-9]* rwk,
+ @{run}/systemd/sessions/[0-9].ref rw,
+ @{run}/systemd/users/[0-9]* r,
+ @{run}/utmp rwk,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/loginuid rw,
+ owner @{PROC}/@{pid}/uid_map r,
+ owner @{PROC}/sys/kernel/random/boot_id r,
+
+ /dev/tty rw,
+ /dev/tty[0-9]* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index 7e537d35b..dea3f4c4d 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -14,7 +14,9 @@ profile gdm-wayland-session @{exec_path} {
 include
 include
- signal (send) set=(term) peer=dbus-run-session,
+ signal (receive) set=term peer=gdm{,-session-worker},
+ signal (send) set=(term) peer=dbus-run-session,
+ signal (send) set=(term) peer=dbus-daemon,
 signal (send) set=(term) peer=gnome-session-binary,
 @{exec_path} mr,
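Review bot: `@{run}/faillock/[a-zA-z0-9]* rwk,` has a lower-case `z` in its second range, so `A-z` also admits the ASCII punctuation between `Z` and `a` and the rule is wider than the evident intent; change it to `@{run}/faillock/[a-zA-Z0-9]* rwk,`. `@{run}/systemd/sessions/[0-9].ref rw,` matches single-digit session ids only (the `users/[0-9]*` line below it uses the open glob), and the gdm profile in the previous hunk has the same pattern. `/etc/gdm/{Pre,Post}Session/Default rix,` runs those hook scripts inside this profile, so whatever they invoke inherits the worker's full capability set (setuid, setgid, dac_override, ...); if that inheritance is deliberate a comment saying so on that line would stop the next reader from "fixing" it, and if it is not, a child profile via `rCx` is the usual way to contain the hooks. Finally, the first `signal (send)` rule sits above the capability block while its `signal (receive)` counterpart sits below it; keeping the two signal rules adjacent matches the layout of the other profiles in this patch.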
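Review bot: The new receive rule in gdm-wayland-session writes `set=term` while the three send rules directly beneath it write `set=(term)`; the two spellings are equivalent for a single signal, but mixing them inside one block reads like a typo. Use `signal (receive) set=(term) peer=gdm{,-session-worker},` to match its neighbours. The profile body continues outside the hunk.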