From 9c9f743e1ea6747e12dd52ef1cbe5325e9ad3279 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 14 Jul 2024 12:12:30 +0100
Subject: [PATCH] fix: variour small fixes. See #409

---
 apparmor.d/groups/bus/ibus-daemon | 1 +
 apparmor.d/groups/freedesktop/xdg-desktop-portal | 5 +++++
 apparmor.d/groups/gnome/gio-launch-desktop | 5 +++++
 apparmor.d/groups/gnome/gsd-color | 2 ++
 apparmor.d/groups/gnome/gsd-keyboard | 2 ++
 apparmor.d/groups/gnome/gsd-power | 1 +
 apparmor.d/groups/gnome/gsd-smartcard | 10 +++++++---
 apparmor.d/groups/systemd/systemd-sleep-tlp | 1 +
 apparmor.d/profiles-s-z/usbguard-daemon | 2 +-
 dists/flags/main.flags | 1 +
 10 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon
index b072bcae9..52707ff63 100644
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@@ -42,6 +42,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
   @{sh_path} rix,
   @{lib}/{,ibus/}ibus-* rPUx,
+  @{lib}/ibus-*/ibus-* rPUx,
   /usr/share/ibus/{,**} r,
   /usr/share/ibus-table/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 65420a2ee..59ef5a734 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -84,6 +84,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
   @{PROC}/ r,
   @{PROC}/*/ r,
   @{PROC}/1/cgroup r,
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index 19b33d743..8e6d80f9e 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
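Review bot: The new `@{lib}/ibus-*/ibus-* rPUx,` line repeats the pattern of the rule directly above it and can be folded into it as `@{lib}/{,ibus/,ibus-*/}ibus-* rPUx,`, keeping the engine exec rules in one place. Both rules use `PUx`, so an engine binary under a new `ibus-*` directory that has no profile of its own is executed unconfined; if those engines are expected to have dedicated profiles in this repository, `rPx` would fail closed instead of silently dropping confinement, but that trade-off is for the maintainer to decide. The profile body continues outside the hunk.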
@@ -3,6 +3,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+# TODO: Rethink this profile:
+# - Access to gio from a profile is handled by child-open-*
+# - Direct access should only be needed is some special context and it should not
+# require access to that much resources.
+
 abi ,
 include
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 5c43cddf4..8d77f6cb2 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -21,6 +21,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
   include
   include
+  network inet stream,
+
   signal (receive) set=(term, hup) peer=gdm*,
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index c87d6c9be..d621a43ae 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -21,6 +21,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   include
   include
+  network inet stream,
+
   signal (receive) set=(term, hup) peer=gdm*,
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Keyboard
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 096839994..2c21bc4fd 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -30,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include
   include
+  network inet stream,
   network netlink raw,
   signal (receive) set=(term, hup) peer=gdm*,
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index c72c9a8eb..b0ff24b58 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
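Review bot: The new TODO comment in gio-launch-desktop has a wording slip on its third line: `# - Direct access should only be needed is some special context and it should not` should read `# - Direct access should only be needed in some special context and it should not`. Since the comment is the only documentation of why this profile is considered over-privileged, it is worth getting the sentence right; naming the issue it tracks (the commit mentions #409) would also let a later reader find the discussion.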
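Review bot: `network inet stream,` in gsd-color is added without the matching `network inet6 stream,`, so whatever TCP operation this is meant to allow will still be denied on hosts that resolve to or prefer IPv6; the identical rule in the gsd-keyboard and gsd-power hunks has the same gap. The rule also grants the daemon unrestricted IPv4 TCP, which is a broad right for a colour-management settings daemon whose profile otherwise lists no network access; the commit only references #409, so a short comment on the rule stating which operation produced the denial, e.g. `# network inet stream: needed for <operation — TODO confirm>`, would let a reviewer judge whether it can be narrowed. The profile body continues outside the hunk.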
@@ -31,13 +31,17 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /etc/{,opensc/}opensc.conf r,
-
-  owner @{GDM_HOME}/greeter-dconf-defaults r,
-  owner @{gdm_config_dirs}/dconf/user r,
+  /etc/tpm2-tss/* r,
   /var/tmp/ r,
   /tmp/ r,
+  owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
+  owner @{GDM_HOME}/greeter-dconf-defaults r,
+  owner @{gdm_config_dirs}/dconf/user r,
+
+  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
+  owner /dev/tty@{int} rw,
   include if exists
diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp
index 1e7d3fe34..03fb69356 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-tlp
+++ b/apparmor.d/groups/systemd/systemd-sleep-tlp
@@ -12,6 +12,7 @@ profile systemd-sleep-tlp @{exec_path} {
   @{exec_path} mr,
+  @{sh_path} rix,
   @{bin}/tlp rPUx,
   include if exists
diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon
index d6c05f782..674da7ad4 100644
--- a/apparmor.d/profiles-s-z/usbguard-daemon
+++ b/apparmor.d/profiles-s-z/usbguard-daemon
@@ -24,8 +24,8 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
+  /etc/usbguard/{,**} r,
   /etc/usbguard/*.conf rw,
-  /etc/usbguard/IPCAccessControl.d/{,*} r,
   owner @{run}/usbguard.pid rwk,
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 06eae76b7..53631aaeb 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -353,6 +353,7 @@ systemd-portabled complain
 systemd-remount-fs complain
 systemd-resolve complain
 systemd-shutdown complain
+systemd-sleep-tlp complain
 systemd-socket-proxyd complain
 systemd-udevd attach_disconnected,complain
 systemd-user-sessions complain
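Review bot: `owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,` and the matching `@{HOME}` rule in gsd-smartcard cover only the database file itself; SQLite normally creates a rollback journal or WAL/shm file beside the database while writing and takes file locks on them, so writes through tpm2-pkcs11 are likely still to be denied with just `rw` on the bare filename. If the audit log confirms it, the rules should read `owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,-journal,-wal,-shm} rwk,` (and the same for the `@{GDM_HOME}` line), and if the store is created on first use the directory will also need `owner @{HOME}/.tpm2_pkcs11/ w,`. The `owner /dev/tty@{int} rw,` line is not explained anywhere; a one-line comment on why a GNOME settings daemon opens a virtual terminal would help the next reviewer. The profile body continues outside the hunk.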
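Review bot: `@{sh_path} rix,` in systemd-sleep-tlp makes any shell the hook spawns inherit this profile, so whatever that shell runs is judged by the rules shown here plus `@{bin}/tlp rPUx,`; the same commit moves the profile to complain mode in main.flags, which means the denials that inherited shell produces are only logged rather than enforced. That is reasonable while the missing rules are still being collected, but a comment such as `# complain: pending rules for the sleep hook, see #409` next to the new flag would record why the profile is unenforced and when the flag can be dropped. The profile body continues outside the hunk.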
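Review bot: `/etc/usbguard/{,**} r,` in usbguard-daemon widens the old, deliberately narrow `IPCAccessControl.d/{,*} r` to the entire configuration tree, but it is read-only, and the daemon also writes rules at runtime: with the default single rule file the existing `/etc/usbguard/*.conf rw,` covers that, whereas a `RuleFolder=` configuration (supported by newer usbguard releases) appends rules under `/etc/usbguard/rules.d/`, which this profile would deny. If that layout is meant to be supported, add `owner /etc/usbguard/rules.d/{,*} rw,`; if not, a comment stating that only the single-file layout is covered would avoid a surprising denial later. Granting read on every present and future file under `/etc/usbguard/` is acceptable for root-owned configuration but is a broader right than the removed rule, so it deserves a second look. The profile body continues outside the hunk.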