refractor: moce a lot of profiles inside they own groups.

2025-02-09 21:46:10 +01:00 · 2025-02-09 21:46:10 +01:00 · 9304c9a668
commit 9304c9a668
parent e5aad04be4
61 changed files with 1 additions and 9 deletions
--- a/apparmor.d/groups/cups/cups-backend-beh
+++ b/apparmor.d/groups/cups/cups-backend-beh
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/beh
+profile cups-backend-beh @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-beh>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-bluetooth
+++ b/apparmor.d/groups/cups/cups-backend-bluetooth
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/bluetooth
+profile cups-backend-bluetooth @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-bluetooth>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-brf
+++ b/apparmor.d/groups/cups/cups-backend-brf
@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/cups-brf
+profile cups-backend-brf @{exec_path} {
+  include <abstractions/base>
+
+  capability setuid,
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-brf>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-dnssd
+++ b/apparmor.d/groups/cups/cups-backend-dnssd
@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/dnssd
+profile cups-backend-dnssd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus/org.freedesktop.Avahi>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-dnssd>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-hp
+++ b/apparmor.d/groups/cups/cups-backend-hp
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/hp{,fax}
+profile cups-backend-hp @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-hp>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-implicitclass
+++ b/apparmor.d/groups/cups/cups-backend-implicitclass
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/implicitclass
+profile cups-backend-implicitclass @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-implicitclass>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-ipp
+++ b/apparmor.d/groups/cups/cups-backend-ipp
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/ipp
+profile cups-backend-ipp @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-ipp>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-lpd
+++ b/apparmor.d/groups/cups/cups-backend-lpd
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/lpd
+profile cups-backend-lpd @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-lpd>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-mdns
+++ b/apparmor.d/groups/cups/cups-backend-mdns
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/mdns
+profile cups-backend-mdns @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-mdns>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-parallel
+++ b/apparmor.d/groups/cups/cups-backend-parallel
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/parallel
+profile cups-backend-parallel @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-parallel>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-pdf
+++ b/apparmor.d/groups/cups/cups-backend-pdf
@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/cups-pdf
+profile cups-backend-pdf @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/fonts>
+  include <abstractions/nameservice-strict>
+  include <abstractions/user-download-strict>
+
+  capability chown,
+  capability setgid,
+  capability setuid,
+  capability dac_override,
+
+  unix peer=(label=cupsd),
+
+  @{exec_path} mr,
+
+  @{sh_path}             rix,
+  @{bin}/cp              rix,
+  @{bin}/gs              rix,
+  @{bin}/gsc             rix,
+  @{lib}/ghostscript/**  mr,
+
+  /usr/share/ghostscript/{,**} r,
+
+  /etc/papersize r,
+  /etc/cups/ r,
+  /etc/cups/cups-pdf.conf r,
+  /etc/cups/ppd/*.ppd r,
+
+  /var/log/cups/cups-pdf*_log w,
+  /var/spool/cups-pdf/{,**} rw,
+  /var/spool/cups/** r,
+  /var/tmp/gs_* rw,
+
+  /dev/tty rw,
+
+  include if exists <local/cups-backend-pdf>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-serial
+++ b/apparmor.d/groups/cups/cups-backend-serial
@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/serial
+profile cups-backend-serial @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  /dev/ttyS@{int} w,
+
+  include if exists <local/cups-backend-serial>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-snmp
+++ b/apparmor.d/groups/cups/cups-backend-snmp
@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/snmp
+profile cups-backend-snmp @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /etc/cups/snmp.conf r,
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-snmp>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-socket
+++ b/apparmor.d/groups/cups/cups-backend-socket
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/socket
+profile cups-backend-socket @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-socket>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-backend-usb
+++ b/apparmor.d/groups/cups/cups-backend-usb
@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/backend/usb
+profile cups-backend-usb @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/devices-usb>
+
+  capability net_admin,
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /usr/share/cups/usb/{,**} r,
+
+  /etc/cups/ppd/*.ppd r,
+  /etc/papersize r,
+
+  include if exists <local/cups-backend-usb>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-browsed
+++ b/apparmor.d/groups/cups/cups-browsed
@ -0,0 +1,55 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/cups-browsed
+profile cups-browsed @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/cups-client>
+  include <abstractions/nameservice-strict>
+  include <abstractions/p11-kit>
+
+  capability net_admin,
+  capability net_bind_service,
+  capability sys_nice,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  dbus receive bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=StateChanged
+       peer=(name=:*, label=avahi-daemon),
+
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=CheckPermissions
+       peer=(name=:*, label=NetworkManager),
+
+  @{exec_path} mr,
+
+  /usr/share/cups/locale/{,**} r,
+
+  /etc/cups/{,**} r,
+
+  /var/cache/cups/{,**} rw,
+  /var/log/cups/{,**} rw,
+
+  @{run}/cups/certs/* r,
+
+  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+
+  include if exists <local/cups-browsed>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-notifier-dbus
+++ b/apparmor.d/groups/cups/cups-notifier-dbus
@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/notifier/dbus
+profile cups-notifier-dbus @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/cups-client>
+  include <abstractions/nameservice-strict>
+
+  signal (receive) set=(term) peer=cupsd,
+
+  @{exec_path} mr,
+
+  owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
+
+  owner @{tmp}/cups-dbus-notifier-lockfile rwk,
+
+  include if exists <local/cups-notifier-dbus>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-notifier-mailto
+++ b/apparmor.d/groups/cups/cups-notifier-mailto
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/notifier/mailto
+profile cups-notifier-mailto @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/cups-notifier-mailto>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-notifier-rss
+++ b/apparmor.d/groups/cups/cups-notifier-rss
@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/cups/notifier/rss
+profile cups-notifier-rss @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/cups-notifier-rss>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cups-pk-helper-mechanism
+++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism
@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism
+@{exec_path} += @{lib}/@{multiarch}/cups-pk-helper-mechanism
+profile cups-pk-helper-mechanism @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.PolicyKit1>
+  include <abstractions/nameservice-strict>
+
+  capability dac_read_search,
+  capability sys_nice,
+
+  network inet stream,
+  network inet6 stream,
+
+  #aa:dbus own bus=system name=org.opensuse.CupsPkHelper.Mechanism path=/
+
+  @{exec_path} mr,
+
+  /etc/cups/ppd/*.ppd r,
+
+  owner @{tmp}/[a-z0-9]* rw,
+
+  @{run}/cups/cups.sock rw,
+
+  include if exists <local/cups-pk-helper-mechanism>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/cups/cupsd
+++ b/apparmor.d/groups/cups/cupsd
@ -0,0 +1,106 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/cupsd
+profile cupsd @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/authentication>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/org.freedesktop.ColorManager>
+  include <abstractions/nameservice-strict>
+  include <abstractions/python>
+
+  capability audit_write,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability net_admin,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability wake_alarm,
+
+  network inet stream,
+  network inet6 stream,
+
+  network appletalk dgram,
+  network ash dgram,
+  network ax25 dgram,
+  network bluetooth,
+  network econet dgram,
+  network ipx dgram,
+  network netrom seqpacket,
+  network rose dgram,
+  network x25 seqpacket,
+
+  signal (send) set=(term) peer=cups-notifier-dbus,
+
+  @{exec_path} mr,
+
+  @{sh_path}                 rix,
+  @{bin}/cat                 rix,
+  @{bin}/chmod               rix,
+  @{bin}/cp                  rix,
+  @{bin}/grep                rix,
+  @{bin}/gs                  rix,
+  @{bin}/gsc                 rix,
+  @{bin}/hostname            rix,
+  @{bin}/ippfind             rix,
+  @{bin}/mktemp              rix,
+  @{bin}/printenv            rix,
+  @{bin}/python3.@{int}      rix,
+  @{bin}/rm                  rix,
+  @{bin}/sed                 rix,
+  @{bin}/smbspool            rPx,
+  @{bin}/touch               rix,
+  @{bin}/xz                  rix,
+  @{lib}/cups/backend/*      rPx,
+  @{lib}/cups/cgi-bin/*.cgi  rix,
+  @{lib}/cups/daemon/*       rix,
+  @{lib}/cups/driver/*       rix,
+  @{lib}/cups/filter/*       rix,
+  @{lib}/cups/monitor/*      rix,
+  @{lib}/cups/notifier/*     rPx,
+
+  /usr/share/cups/{,**} r,
+  /usr/share/ghostscript/{,**} r,
+  /usr/share/poppler/{,**} r,
+  /usr/share/ppd/{,**} r,
+
+  /etc/cups/{,**} rw,
+  /etc/foomatic/* r,
+  /etc/papersize r,
+  /etc/paperspecs r,
+  /etc/pnm2ppa.conf r,
+  /etc/printcap rwl,
+
+  /var/cache/cups/ rw,
+  /var/cache/cups/** rwk,
+  /var/log/cups/{,*} rw,
+  /var/spool/cups/{,**} rw,
+
+  @{run}/cups/{,**} rw,
+  @{run}/systemd/notify w,
+
+  @{sys}/module/apparmor/parameters/enabled r,
+
+        @{PROC}/@{pids}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  owner @{tmp}/*_latest_print_info w,
+
+  /dev/tty rw,
+
+  include if exists <local/cupsd>
+}
+
+# vim:syntax=apparmor