diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index d5fdf8447..cd5ce1fff 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -28,17 +28,22 @@ /var/cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r, /var/cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, + #owner @{HOME}/.fonts/ r, + deny @{HOME}/.fonts/ w, + owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*} r, + deny @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*} w, + # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to # identify the font directory and is used to determine the cache filename if available. + # owner /usr/local/share/fonts/ r, owner /usr/local/share/fonts/.uuid r, deny /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w, /usr/share/**/.uuid r, deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w, - # For Google Fonts downloaded via font-manager - owner "@{user_share_dirs}/fonts/Google Fonts/.uuid" r, - deny "@{user_share_dirs}/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" w, - owner "@{user_share_dirs}/fonts/Google Fonts/**/.uuid" r, - deny "@{user_share_dirs}/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w, + # For fonts downloaded via font-manager + # owner "@{user_share_dirs}/fonts/ r, + owner "@{user_share_dirs}/fonts/**/.uuid" r, + deny "@{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w, - include if exists \ No newline at end of file + include if exists diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 534f521cc..24bead1ff 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write 
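Review bot: The commented-out rule `# owner "@{user_share_dirs}/fonts/ r,` in the font-manager block carries an unbalanced double quote, so it fails to parse the moment someone uncomments it; the path contains no space, so write it as `# owner @{user_share_dirs}/fonts/ r,` (only the removed "Google Fonts" rules needed quoting). The directory read `#owner @{HOME}/.fonts/ r,` is likewise left commented here while fontconfig-cache-write grants `owner @{HOME}/.fonts/ rw`; a short comment saying why the read side stays disabled would keep the next person from re-enabling it blindly.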
@@ -12,17 +12,23 @@ owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, + owner @{HOME}/.fonts/ rw, + link @{HOME}/.fonts/.uuid.LCK -> @{HOME}/.fonts/.uuid.TMP-*, + owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*} r, + owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*} w, + # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to # identify the font directory and is used to determine the cache filename if available. + owner /usr/local/share/fonts/ rw, owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw, link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*, + # Should writing to these dirs be blocked? /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r, deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w, - # For Google Fonts downloaded via font-manager (###FIXME### when they fix resolving of vars) - owner "@{user_share_dirs}/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" rw, - link "@{user_share_dirs}/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*", - owner "@{user_share_dirs}/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" rw, - link "@{user_share_dirs}/fonts/Google Fonts/**/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/**/.uuid.TMP-*", + # For fonts downloaded via font-manager (###FIXME### when they fix resolving of vars) + owner @{user_share_dirs}/fonts/ rw, + owner @{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*} rw, + link @{user_share_dirs}/fonts/**/.uuid.LCK -> /home/*/.local/share/fonts/**/.uuid.TMP-*, - include if exists \ No newline at end of file + include if exists diff --git a/apparmor.d/abstractions/video b/apparmor.d/abstractions/video new file mode 100644 index 000000000..87e1eb4c9 --- /dev/null +++ b/apparmor.d/abstractions/video 
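Review bot: The new link rule `link @{user_share_dirs}/fonts/**/.uuid.LCK -> /home/*/.local/share/fonts/**/.uuid.TMP-*,` hard-codes `/home/*` for the target while the link name uses `@{user_share_dirs}`, so the two sides drift as soon as the tunable points somewhere else; the `###FIXME###` marker should state the actual blocker (variables not resolving inside link targets, if that is it) so the literal can be retired when it is fixed. The link rules in this hunk also lack the `owner` qualifier the surrounding file rules have; whether this parser version honours `owner` on link rules is worth confirming before adding it. The new comment `# Should writing to these dirs be blocked?` sits above `/usr/share/**/.uuid` rules that already `deny ... w`, so either the question is already answered or it belongs to the `owner /usr/local/share/fonts/ rw,` rule above it.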
@@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # System devices + @{sys}/class/video4linux/ r, + @{sys}/class/video4linux/** r, + + owner /dev/shm/libv4l-* rw, + /dev/video[0-9]* rw, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/video4linux/video[0-9]*/dev r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{modalias,speed} r, + + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/product_{name,version} r, + @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r, + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop index 569565845..e42374c63 100644 --- a/apparmor.d/groups/apps/signal-desktop +++ b/apparmor.d/groups/apps/signal-desktop @@ -8,7 +8,8 @@ include @{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}" @{SIGNAL_HOMEDIR} = "@{user_config_dirs}/Signal{, Beta}" -@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} +#@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} # (#FIXME#) +@{exec_path} = "/opt/Signal{, Beta}/signal-desktop{,-beta}" # (#FIXME#) profile signal-desktop @{exec_path} { include include 
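Review bot: This abstraction hands `/dev/video[0-9]* rw` (every V4L2 capture device, no `owner` qualifier) to any profile that includes it, but its header says nothing about that, so the scope of the grant is invisible at the include site. Add a line to the top comment such as `# Grants read/write access to V4L2 capture devices (/dev/video*) plus the sysfs/DMI metadata libv4l probes; include only in profiles that actually need the camera.` The same rule block is removed from gajim and utox in this commit, presumably in favour of this include, which is a good consolidation.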
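Review bot: `@{exec_path} = "/opt/Signal{, Beta}/signal-desktop{,-beta}" # (#FIXME#)` repeats the literal value of `@{SIGNAL_INSTALLDIR}` defined two lines above, and the FIXME marker does not say why the variable cannot be used; from the fontconfig-cache-write hunk it appears the parser does not resolve variables inside this quoted alternation, but that is inferred. Please spell out the reason next to the marker, e.g. `# (#FIXME#) @{SIGNAL_INSTALLDIR} does not expand inside the quoted "{, Beta}" alternation; drop the literal once the parser resolves it`, so the literal and the variable are kept in lock-step. The signal-desktop-chrome-sandbox hunk has the same duplication and its new `@{exec_path}` line carries no FIXME marker at all.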
@@ -22,14 +23,36 @@ profile signal-desktop @{exec_path} { include include - @{exec_path} mr, + # Needed? + deny capability sys_ptrace, - # Signal installation dir + # The following rules are needed only when the kernel.unprivileged_userns_clone option is set + # to "1". + capability sys_admin, + capability sys_chroot, + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/uid_map w, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + # Signal installation dir (#FIXME#) @{SIGNAL_INSTALLDIR}/ r, @{SIGNAL_INSTALLDIR}/** r, @{SIGNAL_INSTALLDIR}/libnode.so mr, @{SIGNAL_INSTALLDIR}/libffmpeg.so mr, + @{SIGNAL_INSTALLDIR}/{swiftshader/,}libGLESv2.so mr, + @{SIGNAL_INSTALLDIR}/{swiftshader/,}libEGL.so mr, @{SIGNAL_INSTALLDIR}/chrome-sandbox rPx, + @{SIGNAL_INSTALLDIR}/resources/app.asar.unpacked/node_modules/**.node mr, + @{SIGNAL_INSTALLDIR}/resources/app.asar.unpacked/node_modules/**.so mr, + @{SIGNAL_INSTALLDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, # Signal home dirs @{SIGNAL_HOMEDIR}/ rw, @@ -42,13 +65,17 @@ profile signal-desktop @{exec_path} { # Signal wants the /tmp/ dir to be mounted with the "exec" flag. If this is not acceptable in # your system, use the TMPDIR variable to set some other tmp dir. /tmp/ r, - owner /tmp/.org.chromium.Chromium.* mrw, + owner /tmp/.org.chromium.Chromium.*/ rw, + owner /tmp/.org.chromium.Chromium.*/SingletonCookie w, + owner /tmp/.org.chromium.Chromium.*/SS w, + owner /tmp/.org.chromium.Chromium.* rw, /var/tmp/ r, owner @{SIGNAL_HOMEDIR}/tmp/.org.chromium.Chromium.* mrw, @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, @{sys}/devices/pci[0-9]*/**/{irq,vendor,device} r, @{sys}/devices/virtual/tty/tty[0-9]/active r, + @{sys}/fs/cgroup/** r, @{PROC}/ r, owner @{PROC}/@{pid}/fd/ r, 
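Review bot: `# Needed?` above `deny capability sys_ptrace,` leaves the reader unsure whether the capability is wanted; an explicit `deny` only silences the audit log, since the capability would be refused anyway without the line, so the comment should say that, e.g. `# Not granted; explicit deny only quiets the audit noise from the sandbox probing` (what triggers it is my assumption, confirm against the log). The `capability sys_admin` / `capability sys_chroot` pair is the broadest grant in the profile; the comment already ties it to kernel.unprivileged_userns_clone=1, but adding that they serve the namespace sandbox and are unnecessary when the setuid `chrome-sandbox rPx` path is used would let an administrator pick one of the two. `@{exec_path} mrix` replaces `mr`; a one-line reason (the binary re-executes itself for its helper processes, so they inherit this profile) would help, if that is indeed why.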
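Review bot: `@{sys}/fs/cgroup/** r` lets the process read the whole cgroup hierarchy (every unit's process lists and resource counters), which is more than a desktop client normally needs; the deltachat-desktop profile in this commit gets by with `owner @{PROC}/@{pid}/cgroup r`, so consider narrowing to the paths the denial log actually shows, and note jami-gnome adds the same broad rule. Splitting the old `owner /tmp/.org.chromium.Chromium.* mrw` into directory and file rules without `m` is a welcome tightening, but the context line `owner @{SIGNAL_HOMEDIR}/tmp/.org.chromium.Chromium.* mrw` still keeps mmap-exec, and the comment above about mounting /tmp with "exec" now describes that rule rather than these; reword it so the two are not read as contradictory.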
@@ -56,6 +83,10 @@ profile signal-desktop @{exec_path} { owner @{PROC}/@{pids}/task/ r, owner @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/statm r, + deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/vmstat r, deny /dev/shm/ r, @@ -64,6 +95,7 @@ profile signal-desktop @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + # No new privs /{usr/,}bin/xdg-settings rPUx, /{usr/,}bin/getconf rix, diff --git a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox index cd20d1337..6ff5aebc6 100644 --- a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox +++ b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox @@ -9,14 +9,15 @@ include @{SIGNAL_INSTALLDIR} = "/opt/Signal{, Beta}" @{SIGNAL_HOMEDIR} = "@{user_config_dirs}/Signal{, Beta}" -@{exec_path} = @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} +#@{exec_path} = @{SIGNAL_INSTALLDIR}/chrome-sandbox # (#FIXME#) +@{exec_path} = "/opt/Signal{, Beta}/chrome-sandbox" profile signal-desktop-chrome-sandbox @{exec_path} { include include @{exec_path} mr, - @{SIGNAL_INSTALLDIR}/signal-desktop rPx, + @{SIGNAL_INSTALLDIR}/signal-desktop{,-beta} rPx, include if exists } diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird index f9316b8f4..60d1aaa80 100644 --- a/apparmor.d/groups/apps/thunderbird +++ b/apparmor.d/groups/apps/thunderbird @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2015-2020 Mikhail Morfikov +# Copyright (C) 2015-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only # Useful info: # http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash b/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash index b77b79d33..5d1696915 100644 
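Review bot: The bare `# No new privs` comment added above `/{usr/,}bin/xdg-settings rPUx,` does not say what it implies for the rule it annotates. If it means the caller executes xdg-settings with no_new_privs set, the kernel will refuse the `P`/`U` domain transition, so either the rule should become `rix`/`rCx` or the comment should state that the denial is expected and why that is acceptable; please confirm which. The deltachat-desktop profile in this commit has the identical `# no new privs` above `/{usr/,}bin/xdg-settings rPx,`.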
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash +++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.oosplash @@ -12,11 +12,11 @@ # # ------------------------------------------------------------------ -include +#include -profile libreoffice-oopslash /usr/lib/libreoffice/program/oosplash flags=(complain) { - include - include +profile libreoffice-oosplash /usr/lib/libreoffice/program/oosplash flags=(complain) { + #include + #include /etc/libreoffice/ r, /etc/libreoffice/** r, diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin index 699f2b470..7c12426cd 100644 --- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin +++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin @@ -2,6 +2,7 @@ # # Copyright (C) 2016 Canonical Ltd. # Copyright (C) 2018 Software in the Public Interest, Inc. +# Copyright (C) 2021 Google LLC # # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this @@ -223,6 +224,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp owner @{HOME}/@{XDG_GPG_DIR}/* r, owner @{HOME}/@{XDG_GPG_DIR}/random_seed rk, + owner @{HOME}/@{XDG_GPG_DIR}/tofu.db rwk, } # probably should become a subprofile like gpg above, but then it doesn't diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index b79b404c5..415ed7fac 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -90,6 +90,10 @@ profile vlc @{exec_path} { owner @{MOUNTS}/**/ r, owner /{home,media}/**.@{vlc_ext} rw, + # For SMB shares + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{vlc_ext} r, + /var/lib/dbus/machine-id r, /etc/machine-id r, 
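Review bot: Switching `include` back to `#include` on three lines of this hunk reintroduces the legacy directive spelling; apparmor_parser still accepts it, but it reads as a commented-out include to anyone not steeped in AppArmor, and the rest of this tree uses plain `include`. If the intent is to keep this file byte-close to the upstream LibreOffice profile, a one-line comment at the top saying so would stop the next sync from flipping it back. The tcpdump hunk later in this commit makes the same `include` → `#include` change.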
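Review bot: `owner @{HOME}/@{XDG_GPG_DIR}/tofu.db rwk,` covers the TOFU database itself but, if gpg's TOFU store is sqlite-backed as I believe, the library will also create `tofu.db-journal` (or `-wal`/`-shm`, depending on journal mode) beside it, and those would still be denied. Confirm against the audit log with TOFU enabled and, if so, widen to `owner @{HOME}/@{XDG_GPG_DIR}/tofu.db{,-journal,-wal,-shm} rwk,`. The enclosing gpg subprofile starts and ends outside this hunk.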
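Review bot: The two SMB-share rules are added verbatim to vlc here and to mpv and smplayer later in this commit, differing only in the extension variable; three copies of one gvfs path pattern will drift the first time one of them is fixed. Consider moving `owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,` into a shared abstraction and keeping only the extension-specific line in each profile. Note that `share=**` spans directory separators, so the rule already covers arbitrarily nested shares, which is presumably intended.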
diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer new file mode 100644 index 000000000..e67736b84 --- /dev/null +++ b/apparmor.d/groups/apt/apt-forktracer @@ -0,0 +1,40 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2021 Mikhail Morfikov +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi , + +include + +@{exec_path} = /{usr/,}bin/apt-forktracer +profile apt-forktracer @{exec_path} { + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/ r, + /{usr/,}bin/dpkg rPx -> child-dpkg, + + /usr/share/apt-forktracer/{,**} r, + + /var/lib/apt/lists/ r, + /var/lib/apt/lists/*_InRelease r, + + /usr/share/distro-info/debian.csv r, + + owner @{PROC}/@{pid}/fd/ r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + include if exists +} diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 16524edea..2ba7e8987 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key @@ -59,6 +59,7 @@ profile apt-key @{exec_path} { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index 9f1d7dfa6..b6d2e40a4 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -78,6 +78,10 @@ profile apt-methods-gpgv @{exec_path} { @{PROC}/@{pid}/fd/ r, + # Local keyring storage + /etc/keyrings/ r, + /etc/keyrings/*.gpg r, + # For package building @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**, diff --git a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng b/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng index 041ecdafc..c4ceb4893 100644 
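Review bot: `/etc/keyrings/ r` and `/etc/keyrings/*.gpg r` grant read access to a directory that is not one of apt's conventional Signed-By locations (`/usr/share/keyrings/` and `/etc/apt/keyrings/` are the ones I know of), so it looks like a site-specific path; the `# Local keyring storage` comment should say which tool or sources entry populates it. If ASCII-armoured keys (`*.asc`) are ever placed there they would still be denied, so either widen the glob or document that only binary keyrings are expected. The enclosing profile body continues outside this hunk.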
--- a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng +++ b/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng @@ -20,7 +20,7 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) { /var/lib/apt-cacher-ng/** r, /{,var/}run/apt-cacher-ng/* rw, @{APT_CACHER_NG_CACHE_DIR}/ r, - @{APT_CACHER_NG_CACHE_DIR}/** rw, + @{APT_CACHER_NG_CACHE_DIR}/** rwl, /var/log/apt-cacher-ng/ r, /var/log/apt-cacher-ng/* rw, /{,var/}run/systemd/notify w, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index d9107cb34..617db1d3d 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -130,6 +130,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /etc/mime.types r, /etc/mailcap r, + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + # Set default browser /{usr/,}bin/update-mime-database rPx, owner @{user_config_dirs}/ r, diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index a075e499c..dbadd7872 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -65,7 +65,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /dev/dri/card[0-9]* rw, /dev/input/event[0-9]* rw, - /tmp/dbus-[0-9a-zA-Z]* rw, + owner /tmp/dbus-[0-9a-zA-Z]* rw, # file_inherit /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 247ca5a90..2593a0174 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -79,6 +79,7 @@ profile cron @{exec_path} { /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx, /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx, /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, /etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx, /etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx, 
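Review bot: `@{APT_CACHER_NG_CACHE_DIR}/** rwl,` adds link permission without a target, so any path under the cache dir may be used as a hard-link name for any target the profile otherwise has matching permissions on; the rest of this commit pins link targets explicitly (`@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**` in apt-methods-gpgv, `rwkl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9]` in smplayer). Prefer the same form here, `@{APT_CACHER_NG_CACHE_DIR}/** rwl -> @{APT_CACHER_NG_CACHE_DIR}/**,`, plus a comment naming what apt-cacher-ng links (cache de-duplication is my guess, please confirm).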
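Review bot: `/etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx,` falls back to unconfined, so until a checksecurity profile exists this root-run daily job executes with no restrictions, unlike the `rPx` neighbours (apt-listbugs, debtags, exim4-base, logrotate). If that is a deliberate interim choice, consistent with bsdmainutils on the line above, a short comment marking the entries that still await a profile would make the unconfined set visible at a glance.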
diff --git a/apparmor.d/groups/desktop/bluetoothd b/apparmor.d/groups/desktop/bluetoothd index 30f501713..1aed057a3 100644 --- a/apparmor.d/groups/desktop/bluetoothd +++ b/apparmor.d/groups/desktop/bluetoothd @@ -34,8 +34,11 @@ profile bluetoothd @{exec_path} { @{run}/sdp rw, + @{run}/udev/data/+hid:* r, + @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/platform/**/rfkill/**/name r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/uevent r, /var/lib/bluetooth/{,**} rw, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 58705d191..c0bf3dfeb 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -28,7 +28,7 @@ profile ssh @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts rw, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r, owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 495c6ac1d..4c9b57df1 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -26,6 +26,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) { /{usr/,}bin/* r, /{usr/,}sbin/* r, @{libexec}/** r, + /opt/** r, /etc/systemd/coredump.conf r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 05fbe1aee..6b53437d3 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -18,6 +18,9 @@ profile systemd-timesyncd @{exec_path} { capability sys_time, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /etc/adjtime r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index e4066dec4..33619caec 100644 --- a/apparmor.d/groups/systemd/systemd-udevd 
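Review bot: `owner @{HOME}/@{XDG_SSH_DIR}/known_hosts rw,` grants in-place writes, but when ssh rewrites the file (UpdateHostKeys, hashing or removal of entries) it creates a temporary `known_hosts.XXXXXXXXXXXX` next to it and renames it over the original, as far as I recall from OpenSSH's hostfile handling; that temporary name is covered neither by this rule nor by `*_*{,.pub} r`. Check the audit log with UpdateHostKeys active and, if confirmed, add `owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.* rw,`. A one-line comment on why write access is now needed would also help, since read-only was the previous, safer default.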
+++ b/apparmor.d/groups/systemd/systemd-udevd @@ -36,11 +36,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/perl rix, /{usr/,}bin/chgrp rix, /{usr/,}bin/chmod rix, /{usr/,}bin/setfacl rix, /{usr/,}bin/logger rix, /{usr/,}bin/nohup rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/ln rix, + /{usr/,}bin/readlink rix, /{usr/,}{s,}bin/* rPUx, @@ -48,6 +52,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { /{usr/,}lib/systemd/systemd-* rPUx, /{usr/,}lib/crda/* rPUx, + /{usr,/}lib/pm-utils/power.d/* rPUx, + /usr/share/hplip/config_usb_printer.py rPUx, /etc/console-setup/*.sh rPUx, diff --git a/apparmor.d/profiles-a-l/amixer b/apparmor.d/profiles-a-l/amixer index 0ba1f05c8..2880e46dc 100644 --- a/apparmor.d/profiles-a-l/amixer +++ b/apparmor.d/profiles-a-l/amixer @@ -20,5 +20,8 @@ profile amixer @{exec_path} { owner @{user_config_dirs}/pulse/ r, + # file_inherit + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/profiles-a-l/appstreamcli b/apparmor.d/profiles-a-l/appstreamcli index 13a31e3bf..15842940c 100644 --- a/apparmor.d/profiles-a-l/appstreamcli +++ b/apparmor.d/profiles-a-l/appstreamcli @@ -22,6 +22,8 @@ profile appstreamcli @{exec_path} flags=(complain) { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/appstream-cache-*.mdb rw, + owner @{user_cache_dirs}/appstream/ rw, + owner @{user_cache_dirs}/appstream/appcache-*.mdb rw, /usr/share/appdata/ r, /var/lib/app-info/yaml/ r, diff --git a/apparmor.d/profiles-a-l/cawbird b/apparmor.d/profiles-a-l/cawbird index 01cdb8e12..fb3b060c6 100644 --- a/apparmor.d/profiles-a-l/cawbird +++ b/apparmor.d/profiles-a-l/cawbird @@ -20,6 +20,12 @@ profile cawbird @{exec_path} { include include + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
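Review bot: `/{usr,/}lib/pm-utils/power.d/* rPUx,` has the brace alternation inverted: `{usr,/}` expands to `/usrlib/pm-utils/...` and `//lib/pm-utils/...`, neither of which is the intended `/usr/lib/pm-utils/power.d/` (the `//lib` form may survive if the parser collapses doubled slashes, but `/usr/lib` will not match), so those scripts end up denied or fall through to other rules. It should read `/{usr/,}lib/pm-utils/power.d/* rPUx,`, matching every other rule in this file.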
diff --git a/apparmor.d/profiles-a-l/conky b/apparmor.d/profiles-a-l/conky index 7b675e66e..a23e338e8 100644 --- a/apparmor.d/profiles-a-l/conky +++ b/apparmor.d/profiles-a-l/conky @@ -21,6 +21,11 @@ profile conky @{exec_path} { network inet dgram, network inet6 dgram, + # For dig + #network inet stream, + #network inet6 stream, + #network netlink raw, + @{exec_path} mr, # Needed tools to render conky output @@ -39,6 +44,10 @@ profile conky @{exec_path} { /{usr/,}bin/wc rix, /{usr/,}bin/sed rix, + # For external IP address + #/{usr/,}bin/dig rix, + #owner @{PROC}/@{pid}/task/@{tid}/comm rw, + # To remove the following error: # .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied /{usr/,}bin/pgrep rix, diff --git a/apparmor.d/profiles-a-l/deltachat-desktop b/apparmor.d/profiles-a-l/deltachat-desktop new file mode 100644 index 000000000..46ac315fe --- /dev/null +++ b/apparmor.d/profiles-a-l/deltachat-desktop 
@@ -0,0 +1,129 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{DCD_LIBDIR} = /{usr/,}lib/deltachat-desktop
+@{DCD_LIBDIR} += /{usr/,}lib/deltachat
+@{DCD_LIBDIR} += /opt/DeltaChat/
+
+@{exec_path} = /usr/bin/deltachat-desktop
+@{exec_path} += /opt/DeltaChat/deltachat-desktop
+#@{exec_path} += @{DCD_LIBDIR}/deltachat-desktop
+profile deltachat-desktop @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
+ # to "1".
+ capability sys_admin,
+ capability sys_chroot,
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mrix,
+
+ @{DCD_LIBDIR}/ r,
+ @{DCD_LIBDIR}/** r,
+ @{DCD_LIBDIR}/libffmpeg.so mr,
+ @{DCD_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
+ @{DCD_LIBDIR}/{swiftshader/,}libEGL.so mr,
+ @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.node mr,
+ @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so mr,
+ @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
+ @{DCD_LIBDIR}/chrome-sandbox rPx,
+
+ owner @{HOME}/.config/DeltaChat/ rw,
+ owner @{HOME}/.config/DeltaChat/** rwk,
+
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /var/tmp/ r,
+ /tmp/ r,
+ owner /tmp/.org.chromium.Chromium.*/ rw,
+ owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
+ owner /tmp/.org.chromium.Chromium.*/SS w,
+ owner /tmp/.org.chromium.Chromium.*/*.png rw,
+ owner /tmp/.org.chromium.Chromium.* rw,
+ owner /tmp/[0-9a-f]*/ rw,
+ owner /tmp/[0-9a-f]*/db.sqlite-blobs/ rw,
+ owner /tmp/[0-9a-f]*/db.sqlite rwk,
+ owner
/tmp/[0-9a-f]*/db.sqlite-journal rw, + + @{PROC}/ r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/statm r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pids}/oom_{,score_}adj r, + deny owner @{PROC}/@{pids}/oom_{,score_}adj w, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/sys/fs/inotify/max_user_watches r, + + /dev/ r, + /dev/shm/ r, + owner /dev/shm/.org.chromium.Chromium.* rw, + + # (#FIXME#) + deny @{sys}/bus/pci/devices/ r, + + deny @{sys}/devices/virtual/tty/tty0/active r, + + # no new privs + /{usr/,}bin/xdg-settings rPx, + + /{usr/,}bin/xdg-open rCx -> open, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPx, + + + profile open { + include + include + + /{usr/,}bin/xdg-open mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + /{usr/,}lib/firefox/firefox rPx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + include if exists +} diff --git a/apparmor.d/profiles-a-l/dkms-autoinstaller b/apparmor.d/profiles-a-l/dkms-autoinstaller index fafae4285..8dd6e33b6 100644 --- a/apparmor.d/profiles-a-l/dkms-autoinstaller +++ b/apparmor.d/profiles-a-l/dkms-autoinstaller @@ -16,6 +16,7 @@ profile dkms-autoinstaller @{exec_path} { /{usr/,}bin/readlink rix, /{usr/,}bin/tput rix, + /{usr/,}bin/echo rix, /{usr/,}{s,}bin/dkms rPx, diff --git a/apparmor.d/profiles-a-l/dring b/apparmor.d/profiles-a-l/dring new file mode 100644 index 000000000..09ba01ff2 --- /dev/null +++ b/apparmor.d/profiles-a-l/dring 
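Review bot: `@{DCD_LIBDIR}/chrome-sandbox rPx` requires a profile attached to the sandbox helper under each `@{DCD_LIBDIR}` path, and none is added in this commit; unless one exists elsewhere in the tree the exec is denied and the application falls back to the user-namespace sandbox that the `capability sys_admin` / `capability sys_chroot` rules above serve. If that fallback is the intended design, say so in a comment next to the rule; if not, a `deltachat-desktop-chrome-sandbox` profile modelled on signal-desktop-chrome-sandbox is needed. Separately, `@{DCD_LIBDIR} += /opt/DeltaChat/` carries a trailing slash the other two entries do not, producing `/opt/DeltaChat//...` after expansion; harmless if the parser collapses doubled slashes, but drop it for consistency.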
@@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/ring/dring +profile dring @{exec_path} { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + owner @{HOME}/.config/ring/ rw, + owner @{HOME}/.config/jami/dring.yml rw, + owner @{HOME}/.config/jami/dring.yml.bak w, + owner @{HOME}/.local/share/jami/ r, + + @{sys}/class/ r, + @{sys}/bus/ r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + + include if exists +} diff --git a/apparmor.d/profiles-a-l/dumpcap b/apparmor.d/profiles-a-l/dumpcap index 9b57aca17..4dfb61450 100644 --- a/apparmor.d/profiles-a-l/dumpcap +++ b/apparmor.d/profiles-a-l/dumpcap @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/dumpcap profile dumpcap @{exec_path} { include + include # To capture packekts capability net_raw, diff --git a/apparmor.d/profiles-a-l/dunst b/apparmor.d/profiles-a-l/dunst new file mode 100644 index 000000000..692aef0c8 --- /dev/null +++ b/apparmor.d/profiles-a-l/dunst @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/dunst +profile dunst @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/xdg/dunst/dunstrc r, + owner @{HOME}/.config/dunst/dunstrc r, + + owner @{HOME}/.Xauthority r, + + include if exists +} diff --git a/apparmor.d/profiles-a-l/dunstctl b/apparmor.d/profiles-a-l/dunstctl new file mode 100644 index 000000000..92db1794a --- /dev/null +++ b/apparmor.d/profiles-a-l/dunstctl 
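Review bot: The config and data paths are spelled out literally (`owner @{HOME}/.config/ring/ rw,`, `owner @{HOME}/.local/share/jami/ r,`) whereas other profiles in this commit use the tunables (`@{user_config_dirs}` in signal-desktop, `@{user_cache_dirs}` in appstreamcli, `@{user_share_dirs}` in the fontconfig abstractions); hard-coding `.config` and `.local/share` ignores the XDG overrides those tunables exist for and diverges from the tree's convention. Prefer `owner @{user_config_dirs}/ring/ rw,` and the matching form for the jami entries. deltachat-desktop, dunst and jami-gnome in this commit use the same literal `@{HOME}/.config`, `.cache` and `.local/share` spelling.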
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/dunstctl +profile dunstctl @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}bin/dbus-send rCx -> dbus, + + profile dbus { + include + + /{usr/,}bin/dbus-send mr, + } + + include if exists +} diff --git a/apparmor.d/profiles-a-l/dunstify b/apparmor.d/profiles-a-l/dunstify new file mode 100644 index 000000000..b0663dbc5 --- /dev/null +++ b/apparmor.d/profiles-a-l/dunstify @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/dunstify +profile dunstify @{exec_path} { + include + + @{exec_path} mr, + + # file_inherit + owner /dev/tty[0-9]* rw, + + include if exists +} diff --git a/apparmor.d/profiles-a-l/gajim b/apparmor.d/profiles-a-l/gajim index 56c52cd8b..6da3dc111 100644 --- a/apparmor.d/profiles-a-l/gajim +++ b/apparmor.d/profiles-a-l/gajim @@ -15,6 +15,7 @@ profile gajim @{exec_path} { include include include + include include include include @@ -84,10 +85,6 @@ profile gajim @{exec_path} { /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r, - # For video streaming - @{sys}/class/video4linux/ r, - /dev/video[0-9]* rw, - # TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/) /var/tmp/ r, /tmp/ r, diff --git a/apparmor.d/profiles-a-l/gpartedbin b/apparmor.d/profiles-a-l/gpartedbin index 71970e865..53b3a08f2 100644 --- a/apparmor.d/profiles-a-l/gpartedbin +++ b/apparmor.d/profiles-a-l/gpartedbin @@ -127,6 +127,12 @@ profile gpartedbin @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + @{run}/mount/utab r, # For fsck of the btrfs filesystem 
@@ -135,6 +141,9 @@ profile gpartedbin @{exec_path} { # Started as root so without "owner". @{HOME}/.Xauthority r, + # For saving reports + owner @{HOME}/*.htm w, + profile mount { include diff --git a/apparmor.d/profiles-a-l/gsmartcontrol b/apparmor.d/profiles-a-l/gsmartcontrol index ff5cdb1a6..9443d5dd3 100644 --- a/apparmor.d/profiles-a-l/gsmartcontrol +++ b/apparmor.d/profiles-a-l/gsmartcontrol @@ -43,6 +43,10 @@ profile gsmartcontrol @{exec_path} { # As it's started as root @{HOME}/.Xauthority r, + # For saving SMART raport + owner /root/ r, + owner /root/**.txt w, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-l/jami-gnome b/apparmor.d/profiles-a-l/jami-gnome new file mode 100644 index 000000000..f94e21e49 --- /dev/null +++ b/apparmor.d/profiles-a-l/jami-gnome 
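Review bot: `owner @{HOME}/*.htm w` sits directly under the context comment `# Started as root so without "owner".`, yet it uses `owner`; since gparted runs as root, `owner` matches root-owned files only, which works for a freshly created report but refuses to overwrite a report the user previously saved under their own uid. Either drop `owner` for consistency with the `.Xauthority` rule above, or say in the `# For saving reports` comment that only root-owned targets are intended. gsmartcontrol in this commit takes the other route (`owner /root/**.txt w`), and its comment has a typo, `raport` → `report`.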
@@ -0,0 +1,63 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/jami-gnome
+profile jami-gnome @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ owner @{HOME}/.cache/ rw,
+ owner @{HOME}/.cache/jami-gnome/ rw,
+ owner @{HOME}/.cache/jami-gnome/** rw,
+
+ owner @{HOME}/.local/share/jami/ rw,
+ owner @{HOME}/.local/share/jami/** rwkl -> @{HOME}/.local/share/jami/,
+
+ owner @{HOME}/.config/autostart/jami-gnome.desktop w,
+
+ owner @{HOME}/.local/share/ r,
+ owner @{HOME}/.local/share/webkitgtk/deviceidhashsalts/1/ r,
+ owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v0 w,
+ owner @{HOME}/.local/share/webkitgtk/databases/indexeddb/v1/ w,
+
+ /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
+ /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
+
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+ /usr/share/ring/{,**} r,
+ /usr/share/sounds/jami-gnome/{,**} r,
+
+ owner @{PROC}/@{pid}/statm r,
+ owner @{PROC}/@{pid}/smaps r,
+ deny owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/cgroup r,
+ @{PROC}/zoneinfo r,
+
+ @{sys}/firmware/acpi/pm_profile r,
+ @{sys}/devices/virtual/dmi/id/chassis_type r,
+ @{sys}/fs/cgroup/** r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-z/mpv b/apparmor.d/profiles-m-z/mpv
index df32c1b45..ae3ecb5fc 100644
--- a/apparmor.d/profiles-m-z/mpv
+++ b/apparmor.d/profiles-m-z/mpv
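Review bot: `owner @{HOME}/.local/share/jami/** rwkl -> @{HOME}/.local/share/jami/,` restricts hard-link targets to the directory path itself rather than the files beneath it, so the `l` permission can never be exercised (a hard link cannot point at a directory); the intended target is almost certainly `@{HOME}/.local/share/jami/**`, in the same spirit as the smplayer hunk's `-> @{user_config_dirs}/smplayer/#[0-9]*[0-9]`. Separately, `WebKitNetworkProcess rix` and `WebKitWebProcess rix` make the helper that renders remote content inherit the full jami-gnome profile, including `owner @{HOME}/.config/autostart/jami-gnome.desktop w`; a child profile (`rCx`) for the WebKit helpers, as dunstctl does for dbus-send, would contain a renderer compromise, though whether WebKit's own sandbox tolerates the transition needs testing.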
@@ -101,6 +101,10 @@ profile mpv @{exec_path} { owner /tmp/mozilla_*/ r, owner /{home,media,tmp/mozilla_*}/**.@{mpv_ext} rw, + # For SMB shares + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{mpv_ext} r, + # For the SMPlayer's builtin thumbnail generator owner /tmp/smplayer_preview/[0-9]*.{jpg,png} w, diff --git a/apparmor.d/profiles-m-z/pactl b/apparmor.d/profiles-m-z/pactl index 7b73933b7..48c9ee4e8 100644 --- a/apparmor.d/profiles-m-z/pactl +++ b/apparmor.d/profiles-m-z/pactl @@ -23,6 +23,7 @@ profile pactl @{exec_path} { owner @{user_config_dirs}/pulse/ rw, # file_inherit + owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, owner @{HOME}/.anyRemote/anyremote.stdout w, diff --git a/apparmor.d/profiles-m-z/smplayer b/apparmor.d/profiles-m-z/smplayer index 469106ccb..94d968f45 100644 --- a/apparmor.d/profiles-m-z/smplayer +++ b/apparmor.d/profiles-m-z/smplayer @@ -97,6 +97,10 @@ profile smplayer @{exec_path} { owner /tmp/mozilla_*/ r, owner /{home,media,tmp/mozilla_*}/**.@{smplayer_ext} rw, + # For SMB shares + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{smplayer_ext} r, + # SMPlayer config files owner @{user_config_dirs}/smplayer/ rw, owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9], diff --git a/apparmor.d/profiles-m-z/tune2fs b/apparmor.d/profiles-m-z/tune2fs index 176d34adf..7f189cb02 100644 --- a/apparmor.d/profiles-m-z/tune2fs +++ b/apparmor.d/profiles-m-z/tune2fs @@ -12,6 +12,9 @@ profile tune2fs @{exec_path} { include include + network inet stream, + network inet6 stream, + @{exec_path} mr, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-z/update-initramfs b/apparmor.d/profiles-m-z/update-initramfs index 22df9a943..4cd6945e2 100644 --- a/apparmor.d/profiles-m-z/update-initramfs +++ b/apparmor.d/profiles-m-z/update-initramfs 
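Review bot: `network inet stream,` / `network inet6 stream,` are surprising in a filesystem-tuning tool's profile and the hunk gives no reason; if this came from a denial, the comment should record the caller (an NSS lookup or a library probe is my guess, but that is unverified), because an unexplained socket grant in a root-run tool is exactly what a later reviewer will want to remove. If it only appears under a specific configuration, say which.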
@@ -11,6 +11,9 @@ profile update-initramfs @{exec_path} { include include + # Needed? (comm="ischroot") + #ptrace (read), + @{exec_path} rix, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-m-z/usr.bin.tcpdump b/apparmor.d/profiles-m-z/usr.bin.tcpdump index 3d0fef2cf..a9099bb85 100644 --- a/apparmor.d/profiles-m-z/usr.bin.tcpdump +++ b/apparmor.d/profiles-m-z/usr.bin.tcpdump @@ -1,10 +1,10 @@ # vim:syntax=apparmor -include +#include -profile tcpdump /usr/sbin/tcpdump { - include - include - include +profile tcpdump /usr/bin/tcpdump { + #include + #include + #include capability net_raw, capability setuid, @@ -54,11 +54,12 @@ profile tcpdump /usr/sbin/tcpdump { # for -r, -F and -w /**.[pP][cC][aA][pP] rw, + /**.[cC][aA][pP] rw, # for convenience with -r (ie, read pcap files from other sources) /var/log/snort/*log* r, - /usr/sbin/tcpdump mr, + /usr/bin/tcpdump mr, include if exists } diff --git a/apparmor.d/profiles-m-z/utox b/apparmor.d/profiles-m-z/utox index f5b43ba48..3e54d0e50 100644 --- a/apparmor.d/profiles-m-z/utox +++ b/apparmor.d/profiles-m-z/utox @@ -16,6 +16,7 @@ profile utox @{exec_path} { include include include + include include network inet dgram, @@ -43,15 +44,6 @@ profile utox @{exec_path} { owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - # For video support - owner /dev/shm/libv4l-* rw, - /dev/video[0-9]* rw, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/video4linux/video[0-9]*/dev r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{modalias,speed} r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/dmi/id/product_{name,version} r, - @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r, - profile open { include diff --git a/apparmor.d/profiles-m-z/xorg b/apparmor.d/profiles-m-z/xorg index 610d12229..d17b183a5 100644 --- a/apparmor.d/profiles-m-z/xorg +++ b/apparmor.d/profiles-m-z/xorg 
@@ -87,8 +87,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) { # TMP files /tmp/ r, - owner /tmp/.X11-unix/ rw, - owner /tmp/.X11-unix/X* rwk, + # These are only needed when using abstract sockets. When Xserver is started with + # "-nolisten local" , you don't need the following rules. + #owner /tmp/.X11-unix/ rw, + #owner /tmp/.X11-unix/X* rwk, + # owner /tmp/.tX[0-9]-lock rwk, owner /tmp/.X[0-9]-lock rwkl -> /tmp/.tX[0-9]-lock, owner /tmp/server-* rwk,