Profiles update.

Alexandre Pujol 2021-10-22 15:01:43 +01:00
parent b91ddfa493
commit aac0a93080
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
34 changed files with 136 additions and 144 deletions


@ -68,9 +68,9 @@ profile atom @{exec_path} {
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-settings rPx,
/{usr/,}bin/git rPUx,
/{usr/,}bin/git rPx,
# Needed to sign commits
/{usr/,}bin/gpg rCx -> gpg,
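Review bot: Switching `/{usr/,}bin/xdg-settings rPUx,` and `/{usr/,}bin/git rPUx,` to `rPx` removes the unconfined fallback, so the exec is denied at runtime whenever no `xdg-settings` or `git` profile is loaded; that is the fail-closed behaviour one wants, but it turns a missing profile into a hard failure for the application. The same rPUx→rPx change is made for xdg-open/xdg-email in the libreoffice-senddoc and libreoffice-soffice hunks, for xdg-settings/xdg-mime/xdg-desktop-menu/xdg-icon-resource in brave, chromium-chromium, google-chrome-chrome and opera, and for dbus-daemon in at-spi-bus-launcher, so the commit introduces a dependency on all of those profiles being present together. A one-line comment at the first occurrence, e.g. `# rPx: the xdg-settings and git profiles must be loaded alongside this one`, would make that dependency visible to anyone shipping a trimmed profile set. The body of profile atom starts before and continues after the hunk.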


@ -27,8 +27,8 @@ profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain
/usr/bin/basename rmix,
/{usr/,}bin/grep rmix,
/{usr/,}bin/uname rmix,
/usr/bin/xdg-open rPUx,
/usr/bin/xdg-email rPUx,
/usr/bin/xdg-open rPx,
/usr/bin/xdg-email rPx,
/dev/null rw,
/usr/lib/libreoffice/program/uri-encode rmpux,
/usr/share/libreoffice/share/config/* r,


@ -169,7 +169,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
/usr/lib/libreoffice/program/soffice.bin mix,
/usr/lib/libreoffice/program/xpdfimport px,
/usr/lib/libreoffice/program/senddoc px,
/usr/bin/xdg-open rPUx,
/usr/bin/xdg-open rPx,
/usr/share/java/**.jar r,
/usr/share/hunspell/ r,


@ -73,8 +73,8 @@ profile brave @{exec_path} {
#deny /{usr/,}bin/xdg-desktop-menu rx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-mime rPUx,
/{usr/,}bin/xdg-settings rPx,
/{usr/,}bin/xdg-mime rPx,
/usr/share/chromium/extensions/ r,


@ -34,6 +34,8 @@ profile chromium @{exec_path} flags=(attach_disconnected) {
# For chromium -g
/{usr/,}bin/gdb rPUx,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner /tmp/chromiumargs.?????? rw,
# For a temp profile


@ -60,11 +60,11 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/browserpass rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-mime rPUx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-desktop-menu rPUx,
/{usr/,}bin/xdg-icon-resource rPUx,
/{usr/,}bin/xdg-settings rPx,
/{usr/,}bin/xdg-desktop-menu rPx,
/{usr/,}bin/xdg-icon-resource rPx,
# To remove the following error:
# Error initializing NSS with a persistent database


@ -1,8 +1,10 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Warning: Such a profile is limitted as it gives access to a lot of resources.
abi <abi/3.0>,
include <tunables/global>
@ -14,22 +16,22 @@ include <tunables/global>
@{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/wayland>
include <abstractions/opencl-intel>
include <abstractions/vulkan>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/deny-root-dir-access>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/user-read>
include <abstractions/thumbnails-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/deny-root-dir-access>
include <abstractions/vulkan>
include <abstractions/wayland>
##include <abstractions/nvidia>
ptrace peer=@{profile_name},
@ -210,16 +212,14 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/gvfs-metadata/home r,
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{user_share_dirs}/gvfs-metadata/root r,
owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# Silencer
deny capability sys_ptrace,
deny owner @{HOME}/.* r,
profile open {
@ -252,6 +252,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/telegram-desktop rPx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/evince rPx,
/usr/share/xfce4/exo/exo-compose-mail rPx,
# file_inherit
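Review bot: `owner @{user_share_dirs}/gvfs-metadata/{,*} r,` replaces four rules that named only the `home` and `root` databases and their logs, so the profile now reads every file in the gvfs-metadata directory, including whatever per-volume databases other mounts leave there; if that widening is intended, a short comment such as `# all gvfs metadata databases, not only home/root` would stop a later reader from re-narrowing it. The same replacement appears in the gnome-shell and gnome-system-monitor sections, and chromium gains the wider rule as a new line. In the first hunk the added warning comment spells `limitted`; it should read `limited`. The firefox profile body starts before and continues after each of these hunks.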


@ -66,8 +66,8 @@ profile google-chrome-chrome @{exec_path} {
deny /{usr/,}bin/xdg-desktop-menu rx,
deny /{usr/,}bin/xdg-icon-resource rx,
/{usr/,}bin/xdg-mime rPUx,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-settings rPx,
# To remove the following error:
# Error initializing NSS with a persistent database


@ -56,11 +56,11 @@ profile opera @{exec_path} {
@{OPERA_INSTALLDIR}/opera_autoupdate krix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-mime rPUx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
/{usr/,}bin/xdg-desktop-menu rPUx,
/{usr/,}bin/xdg-icon-resource rPUx,
/{usr/,}bin/xdg-settings rPx,
/{usr/,}bin/xdg-desktop-menu rPx,
/{usr/,}bin/xdg-icon-resource rPx,
# To remove the following error:
# Error initializing NSS with a persistent database


@ -17,9 +17,9 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
capability setuid,
capability sys_resource,
signal (receive) set=(term, kill),
signal (receive) set=(term, hup) peer=gdm*,
signal (send) set=(term, kill) peer=at-spi-bus-launcher,
signal (receive) set=(term hup kill) peer=gdm*,
signal (send) set=(term hup kill) peer=at-spi-bus-launcher,
signal (send) set=(term hup kill) peer=xdg-permission-store,
network netlink raw,


@ -17,16 +17,16 @@ profile at-spi-bus-launcher @{exec_path} {
# Needed?
deny capability sys_nice,
signal (receive) set=(term hup) peer=gdm*,
signal (receive) set=(term hup) peer=dbus-daemon,
signal (send) set=(term, kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=dbus-daemon,
signal (receive) set=(term hup kill) peer=gdm*,
signal (send) set=(term hup kill) peer=dbus-daemon,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/dbus-daemon rPUx,
/{usr/,}bin/dbus-daemon rPx,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/cgroup r,


@ -12,6 +12,7 @@ profile gnome-calendar @{exec_path} {
include <abstractions/gnome>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
network netlink raw,


@ -79,10 +79,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/gnome-shell/{,**} rw,
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/home r,
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{user_share_dirs}/gvfs-metadata/root r,
owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
owner @{user_cache_dirs}/gnome-photos/{,**} r,


@ -30,10 +30,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-system-monitor/{,**} r,
/usr/share/pixmaps/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/home r,
owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
owner @{user_share_dirs}/gvfs-metadata/root r,
owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,


@ -44,11 +44,17 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/net/wireless r,
@{PROC}/sys/kernel/random/boot_id r,
@{run}/mount/utab r,
@{run}/systemd/userdb/ r,
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
/dev/tty rw,
/dev/dri/card[0-9]* rw,


@ -16,8 +16,7 @@ profile gvfsd-metadata @{exec_path} {
@{exec_path} mr,
owner @{HOME}/.local/share/gvfs-metadata/ rw,
owner @{HOME}/.local/share/gvfs-metadata/** rw,
owner @{user_share_dirs}/gvfs-metadata/{,*} rw,
include if exists <local/gvfsd-metadata>
}
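Review bot: The new `owner @{user_share_dirs}/gvfs-metadata/{,*} rw,` is narrower than the `owner @{HOME}/.local/share/gvfs-metadata/** rw,` it replaces: `*` does not cross `/`, so files inside any subdirectory of gvfs-metadata are no longer writable by the daemon. If the directory is known to be flat this is a welcome tightening; otherwise `{,**}` keeps the previous reach while still moving to the `@{user_share_dirs}` tunable. Either way a comment recording the intent, e.g. `# flat directory: no subdirectories expected`, would prevent the two readings from being confused later. The profile's closing brace is visible, but its body starts before the hunk.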


@ -48,6 +48,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/cat rix,
/{usr/,}bin/dot rix,
/{usr/,}bin/env rix,
/{usr/,}bin/ghc-pkg-* rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/setcap rix,
/{usr/,}bin/vercmp rix,
@ -81,8 +82,8 @@ profile pacman @{exec_path} {
/etc/{,**} rwl,
/opt/{,**} rwl,
/srv/{,**} rwl,
/usr/{,**} rwl,
/var/{,**} rwl,
/usr/{,**} rwlk,
/var/{,**} rwlk,
/bin/ rwl,
/home/ rw,


@ -10,6 +10,8 @@ include <tunables/global>
profile pacman-hook-fontconfig @{exec_path} {
include <abstractions/base>
capability dac_read_search,
@{exec_path} mr,
/{usr/,}bin/bash rix,
@ -19,5 +21,9 @@ profile pacman-hook-fontconfig @{exec_path} {
/etc/fonts/conf.d/* rwl,
/usr/share/fontconfig/conf.default/* r,
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/pacman-hook-fontconfig>
}
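Review bot: `capability dac_read_search,` is added without saying which path the hook could not read without it; since this capability bypasses directory read and search permission checks for every path the profile otherwise allows, the line should carry a comment naming the trigger, e.g. `capability dac_read_search, # needed to read PATH_FROM_AUDIT_LOG` with the real path filled in. The `# Inherit Silencer` deny block in the second hunk is self-explanatory as written. Both hunks sit inside a profile body that starts before and ends after them.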


@ -12,11 +12,10 @@ profile systemd-sysctl @{exec_path} {
include <abstractions/consoles>
include <abstractions/systemd-common>
# Are these needed?
deny capability sys_ptrace,
deny capability sys_admin,
deny capability net_admin,
deny capability sys_resource,
capability net_admin,
capability sys_admin,
capability sys_ptrace,
# capability sys_resource,
@{exec_path} mr,
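Review bot: The hunk turns `deny capability sys_ptrace`, `sys_admin` and `net_admin` into grants and drops the `# Are these needed?` question without recording what answered it; each grant should carry the sysctl write or audit denial that required it, e.g. `capability net_admin, # writing net.* sysctls`. `sys_admin` is very broad and `sys_ptrace` is unusual for a sysctl writer, so if either was added only to silence an audit message, keeping the previous `deny` form quiets the log without widening the profile; the denials that motivated the change are not visible from the diff, so this is a question rather than a verdict. The commented-out `# capability sys_resource,` line keeps the fourth capability out, which is consistent with the old deny. The profile body starts before and continues after the hunk.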


@ -37,6 +37,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/random/boot_id r,
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,
deny /apparmor/.null rw,
include if exists <local/systemd-sysusers>