feat(profile): general update.

2024-10-01 17:43:54 +01:00 · 2024-10-01 17:43:54 +01:00 · 8730c09b96
commit 8730c09b96
parent 21e8456383
47 changed files with 146 additions and 118 deletions
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@ -29,6 +29,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pid}/cmdline r,

+  deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
+
  include if exists <local/firefox-glxtest>
 }

--- a/apparmor.d/groups/browsers/firefox-vaapitest
+++ b/apparmor.d/groups/browsers/firefox-vaapitest
@ -25,6 +25,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) {
  deny @{config_dirs}/firefox/*/.parentlock rw,
  deny @{config_dirs}/firefox/*/startupCache/** r,
  deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
+  deny @{user_share_dirs}/gnome-shell/session.gvdb rw,

  include if exists <local/firefox-vaapitest>
 }
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -28,6 +28,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -33,6 +33,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

--- a/apparmor.d/groups/children/child-open-strict
+++ b/apparmor.d/groups/children/child-open-strict
@ -15,8 +15,8 @@ profile child-open-strict {
  include <abstractions/base>
  include <abstractions/app/open>

-  @{browsers_path}              rPx,
-  @{file_explorers_path}        rPx,
+  @{browsers_path}               Px,
+  @{file_explorers_path}         Px,

  include if exists <usr/child-open-strict.d>
  include if exists <local/child-open-strict>
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@ -14,7 +14,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more 
-profile child-pager {
+profile child-pager flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>

--- a/apparmor.d/groups/freedesktop/cpupower
+++ b/apparmor.d/groups/freedesktop/cpupower
@ -40,7 +40,6 @@ profile cpupower @{exec_path} {

  /dev/cpu/@{int}/msr r,

-
  profile kmod {
    include <abstractions/base>
    include <abstractions/app/kmod>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -11,6 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -49,7 +49,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {

  @{sh_path}        rix,
  @{bin}/xkbcomp    rPx,
-  @{bin}/pkexec     rPx,
+  @{bin}/pkexec     rCx -> pkexec,

  @{lib}/xorg/ r,
  @{lib}/xorg/modules/ r,
@ -136,6 +136,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  /dev/tty@{int} rw,
  /dev/vga_arbiter rw,  # Graphic card modules

+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    include if exists <local/xorg_pkexec>
+  }
+
  include if exists <local/xorg>
 }

--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@ -23,7 +23,7 @@ profile gdm-generate-config @{exec_path} {
  @{sh_path}         rix,
  @{bin}/dconf       rix,
  @{bin}/install     rix,
-  @{bin}/pgrep       rCx -> pgrep,
+  @{bin}/pgrep       rix,
  @{bin}/pkill       rix,
  @{bin}/setpriv     rix,
  @{bin}/setsid      rix,
@ -46,13 +46,6 @@ profile gdm-generate-config @{exec_path} {
  @{PROC}/@{pid}/stat r,
  @{PROC}/uptime r,

-  profile pgrep {
-    include <abstractions/base>
-    include <abstractions/app/pgrep>
-
-    include if exists <local/gdm-generate-config_pgrep>
-  }
-
  include if exists <local/gdm-generate-config>
 }

--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -23,6 +23,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/trash-strict>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gnome-clocks
+++ b/apparmor.d/groups/gnome/gnome-clocks
@ -13,6 +13,8 @@ profile gnome-clocks @{exec_path} {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/common/gnome>
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -163,6 +163,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
       member=Introspect
       peer=(name=org.freedesktop.DBus, label=dbus-session),

+  dbus send bus=session path=/org/gnome/*/SearchProvider
+      interface=org.gnome.Shell.SearchProvider2
+      peer=(name=@{busname}),
+
  @{exec_path} mr,

  @{bin}/unzip                  rix,
@ -280,7 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,

-  owner /dev/shm/.org.chromium.Chromium.@{rand6} r,
+  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

        /tmp/.X@{int}-lock rw,
@ -343,6 +347,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r,

        @{PROC}/ r,
+        @{PROC}/@{pid}/attr/current r,
+        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/net/* r,
        @{PROC}/1/cgroup r,
@ -350,8 +356,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
        @{PROC}/vmstat r,
-  owner @{PROC}/@{pid}/attr/current r,
-  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/yelp @{bin}/gnome-help
 profile yelp @{exec_path} {
  include <abstractions/base>
+  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus/org.a11y>
  include <abstractions/common/gnome>
--- a/apparmor.d/groups/pacman/makepkg
+++ b/apparmor.d/groups/pacman/makepkg
@ -11,15 +11,15 @@ profile makepkg @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

-  signal send set=winch peer=pacman,
-  signal send set=winch peer=pacman//systemctl,
-
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

+  signal send set=winch peer=pacman,
+  signal send set=winch peer=pacman//systemctl,
+
  file,

  @{bin}/gpg{,2}  Cx -> gpg,
@ -74,6 +74,9 @@ profile makepkg @{exec_path} {

    ptrace read,

+    signal send set=winch peer=pacman,           
+    signal send set=winch peer=pacman//systemctl,
+
    @{bin}/pacman Px,

    include if exists <local/makepkg_sudo>
--- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules
+++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules
 profile pacman-hook-gtk4-querymodules @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability dac_read_search,

--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@ -65,9 +65,10 @@ profile pacman-key @{exec_path} {
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,
    owner @{PROC}/@{pid}/task/@{tid}/stat rw,

-   /dev/pts/@{int} rw,
-   /dev/tty@{int} rw,
+    /dev/pts/@{int} rw,
+    /dev/tty@{int} rw,

+    include if exists <local/pacman-key_gpg>
  }

  include if exists <local/pacman-key>
--- a/apparmor.d/groups/pacman/reflector
+++ b/apparmor.d/groups/pacman/reflector
@ -29,9 +29,10 @@ profile reflector @{exec_path} flags=(attach_disconnected) {
  /etc/xdg/reflector/reflector.conf r,
  /etc/pacman.d/mirrorlist rw,

-  owner @{user_cache_dirs}/mirrorstatus.json rw,
  /var/cache/reflector/mirrorstatus.json rw,

+  owner @{user_cache_dirs}/mirrorstatus.json r,
+
  @{PROC}/1/environ r,
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@ -25,8 +25,8 @@ profile ssh-agent @{exec_path} {
  owner @{HOME}/.xsession-errors w,
  owner @{user_projects_dirs}/**/ssh/{,*} r,

-  owner @{tmp}/ssh-*/ rw,
-  owner @{tmp}/ssh-*/agent.* rw,
+  owner @{tmp}/ssh-@{rand12}/ rw,
+  owner @{tmp}/ssh-@{rand12}/agent.@{int} rw,

  owner @{run}/user/@{uid}/keyring/.ssh rw,
  owner @{run}/user/@{uid}/openssh_agent rw,
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@ -31,7 +31,6 @@ profile systemd-sleep @{exec_path} {

  @{sys}/power/state rw,

-
  include if exists <local/systemd-sleep>
 }

--- a/apparmor.d/groups/virt/cockpit-certificate-helper
+++ b/apparmor.d/groups/virt/cockpit-certificate-helper
@ -13,15 +13,15 @@ profile cockpit-certificate-helper @{exec_path} {

  @{exec_path} mr,

-  @{sh_path}        rix,
-  @{bin}/chmod rix,
-  @{bin}/id rix,
-  @{bin}/mkdir rix,
-  @{bin}/mv rix,
-  @{bin}/openssl rix,
-  @{bin}/rm rix,
-  @{bin}/sscg rix,
-  @{bin}/tr rix,
+  @{sh_path}      rix,
+  @{bin}/chmod    rix,
+  @{bin}/id       rix,
+  @{bin}/mkdir    rix,
+  @{bin}/mv       rix,
+  @{bin}/openssl  rix,
+  @{bin}/rm       rix,
+  @{bin}/sscg     rix,
+  @{bin}/tr       rix,

  /etc/machine-id r,
  /etc/cockpit/ws-certs.d/* w,
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -47,7 +47,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{bin}/apparmor_parser          rPx,
-  @{bin}/containerd-shim-runc-v2 rPUx,
+  @{bin}/containerd-shim-runc-v2  rPx,
  @{bin}/kmod                     rPx,
  @{bin}/unpigz                  rPUx,
  /{usr/,}{local/,}{s,}bin/zfs    rPx,
@ -71,8 +71,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  /var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
  /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl,
  /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl,
-  /var/lib/containerd/{,**} rwk,
-  /var/lib/containerd/tmpmounts/containerd-mount@{int}/** l,
+  /var/lib/containerd/{,**} rwlk,
  /var/lib/docker/containerd/{,**} rwk,
  /var/lib/kubelet/seccomp/{,**} r,
  /var/lib/security-profiles-operator/{,**} r,
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -27,19 +27,22 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  capability sys_ptrace,

  network inet dgram,
-  network inet6 dgram,
  network inet stream,
+  network inet6 dgram,
  network inet6 stream,
  network netlink raw,

-  mount /tmp/containerd-mount@{int}/, 
-  mount /var/lib/docker/buildkit/**/,
-  mount /var/lib/docker/overlay2/**/,
-  mount /var/lib/docker/tmp/buildkit-mount@{int}/,
-  mount options=(rw, bind) -> /run/docker/netns/*,
-  mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
-  mount options=(rw, rprivate) -> /.pivot_root@{int}/,
-  mount options=(rw, rslave) -> /,
+  mount                        /tmp/containerd-mount@{int}/,
+  mount                        /var/lib/docker/buildkit/**/,
+  mount                        /var/lib/docker/overlay2/**/,
+  mount                        /var/lib/docker/tmp/buildkit-mount@{int}/,
+  mount fstype=overlay                              overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/,
+  mount options=(rw bind)                                   -> /run/docker/netns/*,
+  mount options=(rw rbind)                                  -> /var/lib/docker/tmp/docker-builder@{int}/,
+  mount options=(rw rbind)     /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,
+  mount options=(rw rprivate)                               -> /.pivot_root@{int}/,
+  mount options=(rw rprivate)                               -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/,
+  mount options=(rw rslave)                                 -> /,

  remount /tmp/containerd-mount@{int10}/,
  remount /var/lib/docker/tmp/buildkit-mount@{int10}/,
@ -48,18 +51,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  umount /run/docker/netns/*,
  umount /tmp/containerd-mount@{int}/,
  umount /var/lib/docker/buildkit/**/,
+  umount /var/lib/docker/rootfs/**/,
  umount /var/lib/docker/overlay*/**/,
  umount /var/lib/docker/tmp/buildkit-mount@{int}/,

-  pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/,
-  pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/,
+  pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/               /var/lib/docker/overlay2/**/,
+  pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/,
+  pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/                    /var/lib/docker/tmp/**/,

-  ptrace (read) peer=docker-*,
-  ptrace (read) peer=unconfined,
+  ptrace read peer=docker-*,
+  ptrace read peer=unconfined,

-  signal (send) set=int peer=docker-proxy,
-  signal (send) set=kill peer=docker-*,
-  signal (send) set=term peer=containerd,
+  signal send set=int  peer=docker-proxy,
+  signal send set=kill peer=docker-*,
+  signal send set=term peer=containerd,

  @{exec_path} mrix,