diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium
index 8e7481caa..84fd618b4 100644
--- a/apparmor.d/groups/browsers/chromium
+++ b/apparmor.d/groups/browsers/chromium
@@ -11,7 +11,7 @@ include
 @{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium
 @{exec_path} = /{usr/,}bin/chromium
-profile chromium @{exec_path} {
+profile chromium @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index 72c6e561b..5325b726a 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -191,6 +191,11 @@ profile chromium-chromium @{exec_path} {
 # file_inherit
 owner /dev/tty[0-9]* rw,
+ # Video support
+ /dev/ r,
+ /dev/video[0-9]* rw,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r,
+ /etc/opensc.conf r,
 include
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 50e1fa9a4..33957a48c 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -12,7 +12,7 @@ include
 @{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla
 @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
-profile firefox @{exec_path} {
+profile firefox @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter
index 6ac2b8ec8..8f44a74d3 100644
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@@ -62,6 +62,7 @@ profile firefox-crashreporter @{exec_path} {
 # file_inherit
 owner @{MOZ_CACHEDIR}/firefox/*.*/** r,
 owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r,
+ owner @{MOZ_HOMEDIR}/firefox/*.*/.parentlock rw,
 owner @{HOME}/.xsession-errors w,
 /dev/dri/renderD128 rw,
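Review bot: The `flags=(attach_disconnected)` added to the chromium profile header, and likewise to the firefox header later in this file, carries no comment saying which disconnected-path denial prompted it; with that flag the kernel mediates paths that are no longer attached to the namespace root as if they were rooted at `/`, so existing path rules in these browser profiles can start matching objects they did not match before. A one-line note above each profile line, such as `# attach_disconnected: needed for <reason taken from the denial that motivated it>`, keeps the widening auditable. Both profile bodies continue outside the hunk.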
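Review bot: `/etc/opensc.conf r,` is added under the `# Video support` heading in chromium-chromium, but opensc.conf is the OpenSC smartcard/PKCS#11 configuration and is unrelated to `/dev/video[0-9]*`, so someone auditing camera access would not expect a smartcard rule in that group. Give it its own heading, e.g. `# Smartcard (OpenSC) support` followed by `/etc/opensc.conf r,`. Worth a check too: `usb[0-9]/` in the sysfs rule matches only single-digit USB bus directories while the adjacent `pci[0-9]*` uses a wildcard; if multi-digit bus numbers are expected, `usb[0-9]*/` would be the consistent form. The chromium-chromium profile body continues outside the hunk.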
diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit
index 62f23ae3a..3e23bb056 100644
--- a/apparmor.d/groups/pacman/arch-audit
+++ b/apparmor.d/groups/pacman/arch-audit
@@ -10,6 +10,7 @@ include
 profile arch-audit @{exec_path} {
 include
 include
+ include
 include
 capability dac_read_search,
diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache
index 6e1f75955..82c9713f5 100644
--- a/apparmor.d/groups/pacman/paccache
+++ b/apparmor.d/groups/pacman/paccache
@@ -15,20 +15,25 @@ profile paccache @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/gettext rix,
- /{usr/,}bin/pacman-conf rPx,
- /{usr/,}bin/pacman rPUx,
- /{usr/,}bin/tput rix,
- /{usr/,}bin/pacsort rix,
- /{usr/,}bin/gawk rix,
 /{usr/,}bin/bash rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/gawk rix,
+ /{usr/,}bin/gettext rix,
+ /{usr/,}bin/pacman rPUx,
+ /{usr/,}bin/pacman-conf rPx,
+ /{usr/,}bin/pacsort rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/stat rix,
+ /{usr/,}bin/tput rix,
+ /{usr/,}bin/xargs rix,
 /usr/share/makepkg/util/*.sh r,
 /usr/share/terminfo/x/xterm-256color r,
 /var/cache/pacman/pkg/{,*} rw,
+ owner @{PROC}/@{pid}/fd/ r,
+ /dev/tty rw,
 include if exists
diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl
index 7d3c078b5..080136f3f 100644
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@@ -23,6 +23,9 @@ profile child-systemctl {
 ptrace (read),
+ network inet stream,
+ network inet6 stream,
+
 /{usr/,}bin/systemctl mr,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 1a359805c..2e2246e8b 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
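Review bot: `network inet stream,` and `network inet6 stream,` grant child-systemctl real TCP socket access with no comment, while the same commit treats the equivalent socket attempts in systemd-detect-virt, systemd-sysusers, systemd-tmpfiles, systemd-udevd, gio-querymodules, install-info and update-desktop-database as noise and silences them with `deny network inet stream,` / `deny network inet6 stream,`; gdk-pixbuf-query-loaders receives the same uncommented grant. child-systemctl is presumably a child profile that many callers transition into, so whatever it is allowed is inherited by all of them, which makes a justification more important here than in a leaf profile. Either add a comment naming what systemctl needs the socket for, or use the same deny-silencer pattern as the rest of the commit. The profile body continues outside the hunk.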
@@ -10,29 +10,30 @@ include
 @{exec_path} = /{usr/,}lib/systemd/systemd-coredump
 profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) {
 include
+ include
 include
 include
- include
+ capability dac_read_search,
+ capability setgid,
 capability setpcap,
 capability setuid,
- capability setgid,
- capability dac_read_search,
 capability sys_ptrace, # Needed?
- deny capability net_admin,
+ # deny capability net_admin,
 @{exec_path} mr,
 /{usr/,}bin/* r,
 /{usr/,}sbin/* r,
- /usr/libexec/** r,
+ /usr/{lib,libexec}/** r,
 /etc/systemd/coredump.conf r,
- /var/lib/systemd/coredump/ r,
- owner /var/lib/systemd/coredump/#[0-9]* rw,
- owner /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*{,.zst} rwl -> /var/lib/systemd/coredump/#[0-9]*,
+ /var/lib/systemd/coredump/ r,
+ /var/lib/systemd/coredump/#[0-9]* rwl,
+ /var/lib/systemd/coredump/core.*.@{uid}.[0-9a-f]*.[0-9]*.[0-9]*.zst rwl,
+ /var/lib/systemd/coredump/core.*.@{uid}.[0-9a-f]*.[0-9]*.[0-9]* rwl,
 owner @{PROC}/@{pid}/setgroups r,
 @{PROC}/@{pids}/comm r,
diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt
index 11357e94d..df757bc69 100644
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -19,5 +20,9 @@ profile systemd-detect-virt @{exec_path} {
 @{sys}/devices/virtual/dmi/id/board_vendor r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ # Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index e25108d44..435629155 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
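Review bot: The rewritten `/var/lib/systemd/coredump/` rules in systemd-coredump drop both the `owner` qualifier and the explicit link target `-> /var/lib/systemd/coredump/#[0-9]*`, leaving bare `rwl` on `#[0-9]*` and on both `core.*` patterns; the link subset rule still bounds what can be linked, but the old form documented that the core is written to the temporary `#` file and then hard-linked to its final name, and the new rules no longer say so. A comment above the block such as `# core is written to #[0-9]* then hard-linked to core.*`, or keeping the `-> ` target on the two `core.*` rules, would preserve that intent for the next reader. The `# Needed?` question next to `capability sys_ptrace,` now sits above an already commented-out `# deny capability net_admin,`, so it no longer asks anything and could be dropped. The profile continues outside the hunk.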
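Review bot: The `# Silencer` comment above the new `deny network inet6 stream,` / `deny network inet stream,` pair in systemd-detect-virt does not say what socket attempt is being silenced, and the same bare comment is repeated in systemd-sysusers, systemd-tmpfiles, systemd-udevd, gio-querymodules, install-info and update-desktop-database. Because an explicit `deny` rule also suppresses the audit entry, a future change that makes one of these tools open a TCP socket for real would go unnoticed; recording the cause lets a maintainer tell the known noise from a new behaviour. Suggest `# Silencer: <library or call that opens the socket — fill in from the original denial>` in each of these profiles.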
@@ -37,5 +37,9 @@ profile systemd-sysusers @{exec_path} {
 owner @{PROC}/@{pid}/stat r,
 @{PROC}/sys/kernel/random/boot_id r,
+ # Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index b9ce3dfbd..542c507e3 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -48,5 +48,9 @@ profile systemd-tmpfiles @{exec_path} {
 @{PROC}/@{pid}/net/unix r,
+ # Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index e52b2b09b..e4066dec4 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -91,5 +91,9 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 # file_inherit
 owner @{HOME}/.xsession-errors w,
+ # Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders
index c1fbc4eaa..8793377aa 100644
--- a/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders
+++ b/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders
@@ -10,9 +10,13 @@ include
 profile gdk-pixbuf-query-loaders @{exec_path} {
 include
+ network inet stream,
+ network inet6 stream,
+
 @{exec_path} mr,
 /{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache.* rw,
+ /{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-l/gio-querymodules b/apparmor.d/profiles-a-l/gio-querymodules
index b01e0e3e2..ee711c868 100644
--- a/apparmor.d/profiles-a-l/gio-querymodules
+++ b/apparmor.d/profiles-a-l/gio-querymodules
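Review bot: The new `/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw,` in gdk-pixbuf-query-loaders mirrors the rule directly above it but only for the subdirectory form, so the temporary `loaders.cache.*` names and the final `loaders.cache` name are now governed by two rules with different directory coverage. If the top-level cache is written as well, the pair could be merged into `/{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache{,.*} rw,` so both names stay in step; if only the subdirectory form is ever written, a short comment saying so would explain why the two rules differ.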
@@ -15,5 +15,9 @@ profile gio-querymodules @{exec_path} {
 /{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
+ # Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-l/install-info b/apparmor.d/profiles-a-l/install-info
index 0e45e73bc..41c679cca 100644
--- a/apparmor.d/profiles-a-l/install-info
+++ b/apparmor.d/profiles-a-l/install-info
@@ -22,5 +22,9 @@ profile install-info @{exec_path} {
 /dev/tty rw,
+ # Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-l/logrotate b/apparmor.d/profiles-a-l/logrotate
index 6082990ca..cc4635440 100644
--- a/apparmor.d/profiles-a-l/logrotate
+++ b/apparmor.d/profiles-a-l/logrotate
@@ -32,6 +32,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/ls rix,
 /{usr/,}bin/gzip rix,
+ /{usr/,}bin/zstd rix,
 /{usr/,}{s,}bin/invoke-rc.d rix,
 /{usr/,}lib/rsyslog/rsyslog-rotate rix,
diff --git a/apparmor.d/profiles-m-z/update-desktop-database b/apparmor.d/profiles-m-z/update-desktop-database
index 30b959801..9e50d44d8 100644
--- a/apparmor.d/profiles-m-z/update-desktop-database
+++ b/apparmor.d/profiles-m-z/update-desktop-database
@@ -20,5 +20,9 @@ profile update-desktop-database @{exec_path} {
 /usr/share/*/*.desktop r,
+ # Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-z/xdg-mime b/apparmor.d/profiles-m-z/xdg-mime
index 152d3f87c..180be189b 100644
--- a/apparmor.d/profiles-m-z/xdg-mime
+++ b/apparmor.d/profiles-m-z/xdg-mime
@@ -53,6 +53,7 @@ profile xdg-mime @{exec_path} {
 # file_inherit
 @{MOUNTS}/** rw,
+ /dev/tty rw,
 profile dbus {
 include