Profiles update.

2021-10-22 15:01:43 +01:00 · 2021-10-22 15:01:43 +01:00 · aac0a93080
commit aac0a93080
parent b91ddfa493
34 changed files with 136 additions and 144 deletions
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@ -9,25 +9,16 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/su
 profile su @{exec_path} {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/authentication>
-  include <abstractions/wutmp>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>
 # include <pam/mappings>

-  # To remove the following errors:
-  #  su: cannot set groups: Operation not permitted
-  capability setgid,
-
-  # To remove the following errors:
-  #  su: cannot set user id: Operation not permitted
-  capability setuid,
-
-  # To write records to the kernel auditing log.
  capability audit_write,
-
-  # Needed?
-  audit deny capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  #audit deny capability net_bind_service,

  signal (send)    set=(term,kill),
  signal (receive) set=(int,quit,term),
@ -43,16 +34,14 @@ profile su @{exec_path} {
  # Fake shells to politely refuse a login
  #/{usr/,}{s,}bin/nologin rpux,

+  /etc/default/locale r,
  /etc/environment r,
+  /etc/security/limits.d/ r,
+  /etc/shells r,

        @{PROC}/1/limits r,
  owner @{PROC}/@{pid}/loginuid r,

-  /etc/default/locale r,
-  /etc/security/limits.d/ r,
-
-  /etc/shells r,
-
  # For pam_securetty
  @{PROC}/cmdline r,
  @{sys}/devices/virtual/tty/console/active r,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -9,43 +9,26 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/sudo
 profile sudo @{exec_path} {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/authentication>
-  include <abstractions/wutmp>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>
 # include <pam/mappings>

-  # To remove the following errors:
-  #  sudo: unable to change to root gid: Operation not permitted
-  capability setgid,
-
-  # To remove the following errors:
-  #  sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
-  #  sudo: no valid sudoers sources found, quitting
-  #  sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted
-  capability setuid,
-
-  # To write records to the kernel auditing log.
+  # capability mknod,
  capability audit_write,
-
-  # For changing ownership of the /var/log/sudo.log file
  capability chown,
-
-  # Needed? (#FIXME#)
-  capability sys_resource,
-  capability net_admin,
-  capability sys_ptrace,
-  capability dac_read_search,
  capability dac_override,
-  capability mknod,
-  ptrace read,
+  capability dac_read_search,
+  capability net_admin,
+  capability setgid,
+  capability setuid,
+  capability sys_ptrace,
+  capability sys_resource,

-  # To remove the following error:
-  #  sudo: PAM account management error: Permission denied
-  #  sudo: unable to open audit system: Permission denied
-  #  sudo: a password is required
  network netlink raw,

+  ptrace (read),
  signal,

  @{exec_path} mr,
@ -54,21 +37,9 @@ profile sudo @{exec_path} {
  /{usr/,}bin/{,b,d,rb}ash rpux,
  /{usr/,}bin/{c,k,tc,z}sh rpux,

-  /{usr/,}bin/[a-z0-9]* rPUx,
-  /{usr/,}{s,}bin/[a-z0-9]* rPUx,
-  /{usr/,}lib/cockpit/cockpit-askpass rPx,
-
-  /dev/ r,
-  /dev/ptmx rw,
-
-  # For timestampdir
-  owner @{run}/sudo/ rw,
-  owner @{run}/sudo/ts/ rw,
-  owner @{run}/sudo/ts/* rwk,
-        @{run}/faillock/{,*} rwk,
-
-  @{PROC}/@{pid}/fd/ r,
-  @{PROC}/@{pids}/stat r,
+  /{usr/,}bin/[a-z0-9]*               rPUx,
+  /{usr/,}{s,}bin/[a-z0-9]*           rPUx,
+  /{usr/,}lib/cockpit/cockpit-askpass rPUx,

  /etc/sudo.conf r,

@ -79,9 +50,21 @@ profile sudo @{exec_path} {

  /var/log/sudo.log wk,

-  # file_inherit
+  # For timestampdir
+  owner @{run}/sudo/ rw,
+  owner @{run}/sudo/ts/ rw,
+  owner @{run}/sudo/ts/* rwk,
+        @{run}/faillock/{,*} rwk,
+
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pids}/stat r,
+
+  # File Inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,

+  /dev/ r,
+  /dev/ptmx rw,
+
  include if exists <local/sudo>
 }
--- a/apparmor.d/profiles-s-z/update-mime-database
+++ b/apparmor.d/profiles-s-z/update-mime-database
@ -10,6 +10,9 @@ include <tunables/global>
 profile update-mime-database @{exec_path} {
  include <abstractions/base>

+  capability dac_override,
+  capability dac_read_search,
+
  @{exec_path} mr,

  /usr/share/mime/{,**} rw,
--- a/apparmor.d/profiles-s-z/xdg-dbus-proxy
+++ b/apparmor.d/profiles-s-z/xdg-dbus-proxy
@ -12,10 +12,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) {

  @{exec_path} mr,

-  owner @{user_share_dirs}/gvfs-metadata/home r,
-  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
-  owner @{user_share_dirs}/gvfs-metadata/root r,
-  owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
  owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal
@ -13,6 +13,8 @@ profile xdg-desktop-portal @{exec_path} {

  network netlink raw,

+  ptrace (read),
+
  @{exec_path} mr,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -26,8 +28,9 @@ profile xdg-desktop-portal @{exec_path} {
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/cmdline r,
+  owner @{PROC}/@{pids}/cgroup r,
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/cmdline r,

  include if exists <local/xdg-desktop-portal>
 }
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
@ -11,6 +11,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
+  include <abstractions/thumbnails-cache-read>
+  include <abstractions/user-download>

  @{exec_path} mr,

@ -18,6 +21,11 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,

+  / r,
+
+  owner @{HOME}/@{XDG_DATA_HOME}/ r,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+
  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/user rw,

--- a/apparmor.d/profiles-s-z/xdg-mime
+++ b/apparmor.d/profiles-s-z/xdg-mime
@ -46,10 +46,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {

  owner @{user_config_dirs}/mimeapps.list{,.new} rw,

-  owner @{user_share_dirs}/gvfs-metadata/home r,
-  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
-  owner @{user_share_dirs}/gvfs-metadata/root r,
-  owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  owner @{HOME}/.Xauthority r,