feat(profile): general updtae.

apparmor.d/groups/browsers/torbrowser-start

@@ -42,6 +42,8 @@ profile torbrowser-start @{exec_path} {
   owner @{lib_dirs}/sed@{rand6} rw,
   owner @{lib_dirs}/TorBrowser/Tor/tor r,
 
+  owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/sed@{rand6} rw,
+  owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/start-tor-browser.desktop rw,
   owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw,
   owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw,
 

apparmor.d/groups/bus/at-spi2-registryd

@@ -17,24 +17,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
 
   signal (receive) set=(term) peer=gdm,
 
-  #aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.freedesktop.DBus.Properties
-       member=Set
-       peer=(name=:*),
-  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=:*),
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=:*),
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus, label=dbus-accessibility),
+  #aa:dbus own bus=accessibility name=org.a11y.atspi
+  #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -20,6 +20,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dconf-write>
   include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
+  include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download-strict>
 
   capability sys_ptrace,
@@ -34,19 +35,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
        member=MakeThread*
        peer=(name=:*),
 
-  dbus receive bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.NetworkManager
-       member=CheckPermissions
-       peer=(name=:*, label=NetworkManager),
-
   #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor
 
-  dbus send bus=session path=/org/freedesktop/portal/documents
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*, label=xdg-document-portal),
-  dbus send bus=session path=/org/freedesktop/portal/documents
-       interface=org.freedesktop.portal.Documents
-       peer=(name=:*, label=xdg-document-portal),
+  #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
@@ -62,10 +53,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 
   @{sh_path}         rix,
   @{bin}/nautilus    rPx,
-  @{bin}/snap       rPUx,
 
-  @{bin}/kreadconfig5                     rPx,
-  @{lib}/xdg-desktop-portal-validate-icon rPUx,
+  @{bin}/kreadconfig{,5}                  rPx,
+  @{lib}/xdg-desktop-portal-validate-icon rPx,
   @{open_path}                            rPx -> child-open,
 
   / r,
@@ -76,7 +66,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 
   /etc/sysconfig/proxy r,
 
-  /var/lib/gdm{,3}/greeter-dconf-defaults r,
+  @{GDM_HOME}/greeter-dconf-defaults r,
 
         @{user_config_dirs}/kioslaverc r,
   owner @{user_config_dirs}/xdg-desktop-portal/* r,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -13,7 +13,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.Accounts>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
-  include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
   include <abstractions/bus/org.gnome.Shell.Introspect>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
@@ -30,39 +29,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
   signal (receive) set=(hup term) peer=gdm-session-worker,
 
   #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome
-
-  dbus send bus=session path=/org/gnome/Shell/Screenshot
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=gnome-shell),
-
-  dbus send bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.impl.portal.Background
-       member=RunningApplicationsChanged
-       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
-
-  dbus receive bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.impl.portal.Background
-       member=GetAppState
-       peer=(name=:*, label=xdg-desktop-portal),
-
-  dbus send bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.impl.portal.Settings
-       member=SettingChanged
-       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
-
-  dbus (send, receive) bus=session path=/org/gnome/Mutter/*
-       interface=org.gnome.Mutter.*
-       peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
-  dbus send bus=session path=/org/gnome/Mutter/*
-       interface=org.freedesktop.DBus.Properties
-       peer=(name=:*, label="{gnome-shell,gsd-xsettings}"),
+  #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal
+  #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
+  #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell
 
   @{exec_path} mr,
 
   / r,
   @{bin}/ r,
   @{bin}/* r,
+  /opt/*/* r,
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/thumbnailers/{,**} r,

apparmor.d/groups/freedesktop/xdg-user-dir

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/xdg-user-dir
 profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
@@ -18,8 +19,6 @@ profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
 
   owner @{user_config_dirs}/user-dirs.dirs r,
 
-  /dev/tty rw,
-
   # Silencer
   deny network inet stream,
   deny network inet6 stream,

apparmor.d/groups/gpg/gpg-agent

@@ -62,6 +62,7 @@ profile gpg-agent @{exec_path} {
 
   #aa:only pacman
   owner /etc/pacman.d/gnupg/ rw,
+  owner /etc/pacman.d/gnupg/*.conf r,
   owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw,
   owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw,
   owner /etc/pacman.d/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw,

apparmor.d/groups/gpg/scdaemon

@@ -19,12 +19,16 @@ profile scdaemon @{exec_path} {
 
   @{exec_path} mr,
 
+  #aa:only pacman
+  owner /etc/pacman.d/gnupg/scdaemon.conf r,
+  owner /etc/pacman.d/gnupg/S.scdaemon rw,
+
   owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r,
   owner @{HOME}/@{XDG_GPG_DIR}common.conf r,
   owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw,
 
   owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
-  owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw,
+  owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
 
   owner /var/tmp/zypp.*/PublicKey/S.scdaemon w,
   owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w,

apparmor.d/groups/network/NetworkManager

@@ -90,9 +90,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog            rPx,
   @{lib}/{,NetworkManager/}nm-openvpn-service                rPx,
   @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
+  /usr/share/netplan/netplan.script                          rPx,
 
-  /usr/share/netplan/netplan.script rPx,
   /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
+  /usr/share/iproute2/{,**} r,
 
   / r,
   /etc/ r,

apparmor.d/groups/pacman/makepkg

@@ -11,7 +11,7 @@ profile makepkg @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
-  signal send set=winch peer=pacman,           
+  signal send set=winch peer=pacman,
   signal send set=winch peer=pacman//systemctl,
 
   network inet stream,
@@ -48,7 +48,10 @@ profile makepkg @{exec_path} {
     owner @{HOME}/@{XDG_GPG_DIR}/ rw,
     owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
 
+    owner @{user_cache_dirs}/makepkg/src/*.asc r,
+
     owner @{tmp}/.git_vtag_tmp@{rand6} rw,
+    owner @{tmp}/tmp.@{rand10} rw,
 
     owner @{run}/user/@{uid}/ r,
     owner @{run}/user/@{uid}/gnupg/ r,

apparmor.d/groups/pacman/yay

@@ -67,6 +67,8 @@ profile yay @{exec_path} {
     include <abstractions/base>
     include <abstractions/app/editor>
 
+    owner @{HOME}/**/ r, # For pwd
+
     owner @{user_cache_dirs}/yay/*/** rw,
 
     include if exists <local/yay_editor>

apparmor.d/groups/systemd/systemd-udevd

@@ -123,8 +123,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 
     # / r,
 
-    @{PROC}/sys/kernel/cap_last_cap r,
-
     include if exists <local/systemd-udevd_systemctl>
   }
 

apparmor.d/groups/virt/cni-xtables-nft

@@ -1,36 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Jeroen Rijken
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/xtables-nft-multi
-profile cni-xtables-nft {
-    include <abstractions/base>
-    include <abstractions/consoles>
-    include <abstractions/nameservice-strict>
-
-    capability net_admin,
-    capability net_raw,
-
-    network inet dgram,
-    network inet6 dgram,
-    network inet raw,
-    network inet6 raw,
-    network inet stream,
-    network inet6 stream,
-    network netlink raw,
-
-    @{exec_path} mr,
-    @{bin}/xtables-legacy-multi mr,
-  
-    /etc/libnl/classid r,
-    /etc/iptables/{,**} rw,
-    /etc/nftables.conf rw,
-
-    @{PROC}/@{pids}/net/ip_tables_names r,
-}
-
-# vim:syntax=apparmor

apparmor.d/groups/virt/cockpit-bridge

@@ -26,11 +26,11 @@ profile cockpit-bridge @{exec_path} {
 
   ptrace read,
 
+  signal send set=term peer=cockpit-bridge//sudo,
   signal send set=term peer=cockpit-pcp,
   signal send set=term peer=dbus-daemon,
   signal send set=term peer=journalctl,
   signal send set=term peer=ssh-agent,
-  signal send set=term peer=sudo,
   signal send set=term peer=unconfined,
 
   @{exec_path} mr,
@@ -41,24 +41,30 @@ profile cockpit-bridge @{exec_path} {
   @{bin}/ip                   ix,
   @{bin}/python3.@{int}       ix,
   @{bin}/test                 ix,
+  @{bin}/file                 ix,
 
+  @{bin}/chage                Px,
+  @{bin}/dmidecode            Px,
   @{bin}/findmnt              Px,
   @{bin}/journalctl           Px,
+  @{bin}/last                 Px,
   @{bin}/lastlog              Px,
+  @{bin}/lscpu                Px,
   @{bin}/passwd               Px,
   @{bin}/ssh-agent            Px,
-  @{bin}/sudo                 Px, # TODO: rCx -> privilieged ? or rix?
+  @{bin}/sudo                 Cx -> sudo,
   @{bin}/udevadm              Cx -> udevadm,
+  @{bin}/virsh               rPUx,
   @{bin}/virt-install        PUx, # TODO: rPx
   @{lib}/cockpit/cockpit-pcp  Px,
   @{lib}/cockpit/cockpit-ssh  Px,
-  @{bin}/virsh               rPUx,
 
   # The shell is not confined on purpose.
   @{bin}/@{shells}            Ux,
 
   /usr/{,local/}share/ r,
   /usr/share/cockpit/{,**} r,
+  /usr/share/file/** r,
   /usr/share/iproute2/* r,
 
   /etc/cockpit/{,**} r,
@@ -70,7 +76,8 @@ profile cockpit-bridge @{exec_path} {
   /etc/shadow r,
   /etc/shells r,
 
-  / r,
+  / r, 
+  @{HOME}/ r,
 
   owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
   owner @{user_share_dirs}/ r,
@@ -103,6 +110,18 @@ profile cockpit-bridge @{exec_path} {
 
   /dev/ptmx rw,
 
+  profile sudo {
+    include <abstractions/base>
+    include <abstractions/app/sudo>
+
+    signal (send receive) set=term peer=cockpit-bridge,
+
+    @{bin}/cockpit-bridge Px,
+    @{lib}/cockpit/cockpit-askpass Px,
+
+    include if exists <local/cockpit-bridge_sudo>
+  }
+
   profile udevadm {
     include <abstractions/base>
     include <abstractions/app/udevadm>

apparmor.d/groups/virt/cockpit-update-motd

@@ -30,8 +30,6 @@ profile cockpit-update-motd @{exec_path} {
     capability net_admin,
     capability sys_ptrace,
 
-    @{PROC}/sys/kernel/cap_last_cap r,
-
     include if exists <local/cockpit-update-motd_systemctl>
   }
 

apparmor.d/groups/virt/xtables

@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi
+profile xtables {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability net_admin,
+  capability net_raw,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet raw,
+  network inet6 raw,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /usr/share/iproute2/{,**} r,
+
+  /etc/iproute2/{,**} r,
+  /etc/iptables/{,**} rw,
+  /etc/libnl/classid r,
+  /etc/nftables.conf rw,
+
+  @{run}/xtables.lock rwk,
+
+  @{PROC}/@{pids}/net/ip_tables_names r,
+
+  include if exists <local/xtables>
+}
+
+# vim:syntax=apparmor