From b1950cbe91c2f93bfdbec5f8f73f6df5650cb802 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 14 Oct 2022 22:17:27 +0100
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/children/child-open | 8 +++++++-
 apparmor.d/groups/freedesktop/pipewire | 4 +++-
 apparmor.d/groups/gnome/gnome-shell | 2 ++
 apparmor.d/groups/gnome/nautilus | 8 +++++---
 apparmor.d/groups/network/NetworkManager | 4 +++-
 apparmor.d/groups/pacman/pacman | 1 +
 apparmor.d/profiles-a-f/appstreamcli | 2 ++
 apparmor.d/profiles-a-f/flatpak-system-helper | 8 +++++---
 apparmor.d/profiles-g-l/kmod | 2 ++
 apparmor.d/profiles-m-r/mount | 2 +-
 10 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index 280a1058c..f5fa46ece 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # Note: This profile does not specify an attachment path because it is
-# intended to be used only via "Px -> child-open-X" exec transitions
+# intended to be used only via "Px -> child-open" exec transitions
 # from other profiles.
 # Instead of allowing the run of all software in /{usr/,}bin/, the purpose of
@@ -32,10 +32,14 @@ profile child-open {
 /{usr/,}bin/readlink rix,
 # Sandbox managers
+ /{usr/,}bin/bwrap rPUx,
 /{usr/,}bin/firejail rPUx,
 /{usr/,}bin/flatpak rPUx,
 /{usr/,}bin/snap rPUx,
+ # Files explorer
+ /{usr/,}bin/nautilus rPx,
+
 # Browsers
 /{usr/,}bin/chromium rPx,
 /{usr/,}bin/firefox rPx,
@@ -58,11 +62,13 @@ profile child-open {
 /{usr/,}bin/filezilla rPx,
 /{usr/,}bin/flameshot rPx,
 /{usr/,}bin/geany rPx,
+ /{usr/,}bin/gnome-disk-image-mounter rPx,
 /{usr/,}bin/okular rPx,
 /{usr/,}bin/qbittorrent rPx,
 /{usr/,}bin/qpdfview rPx,
 /{usr/,}bin/smplayer rPx,
 /{usr/,}bin/spacefm rPx,
+ /{usr/,}bin/teams rPUx,
 /{usr/,}bin/telegram-desktop rPx,
 /{usr/,}bin/thunderbird rPx,
 /{usr/,}bin/transmission-gtk rPx,
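Review bot: `/{usr/,}bin/teams rPUx,` in the third hunk is the only entry in that run of user applications that uses `PUx` instead of `Px`; the `U` fallback means that when no `teams` profile is loaded the child runs unconfined, which is the outcome the file's header comment says this profile exists to avoid. If there is no teams profile in this set yet, a comment next to the rule (`# No teams profile yet, falls back to unconfined`) makes the exception visible to the next reviewer; otherwise `rPx` keeps it consistent with its neighbours. The same fallback applies to `/{usr/,}bin/bwrap rPUx,` in the second hunk, though there it matches the other sandbox managers in the same group.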
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index 1c3864ff6..0e91917e9 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -8,13 +8,15 @@
 abi ,
 include
 @{exec_path} = /{usr/,}bin/pipewire
-profile pipewire @{exec_path} {
+profile pipewire @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
 include
 include
+ capability sys_ptrace,
+ ptrace (read),
 dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 25c61c5a9..ef77d18bb 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -63,6 +63,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /opt/*/**/*.png r,
 /snap/*/@{uid}/**.png r,
+ /usr/share/app-info/icons/{,**} r,
 /usr/share/backgrounds/{,**} r,
 /usr/share/dconf/profile/gdm r,
 /usr/share/desktop-directories/{,*.directory} r,
@@ -103,6 +104,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
 /var/lib/flatpak/app/**/gnome-shell/{,**} r,
+ /var/lib/flatpak/appstream/**/icons/** r,
 /var/lib/flatpak/exports/share/gnome-shell/{,**} r,
 /var/lib/snapd/desktop/icons/{,**} r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index e74728041..dead8dab8 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -37,7 +37,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}lib/gio-launch-desktop rPx -> child-open,
+ /{usr/,}lib/gio-launch-desktop rPx -> child-open,
 /usr/share/nautilus/{,**} r,
 /usr/share/poppler/{,**} r,
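Review bot: `ptrace (read),` in the pipewire hunk carries no `peer=` qualifier, so together with the new `capability sys_ptrace,` it lets the daemon read the state of any process on the system (including the `/proc/<pid>/` files that ptrace-read gates), not only of its audio clients. If the denial that motivated it came from pipewire inspecting particular clients, scoping the rule with `peer=` to those profiles keeps the grant proportionate; if it is self-inspection only, `ptrace (read) peer=@{profile_name},` is enough. Either way a comment recording what triggered the capability would help, since nothing in the hunk explains it and the rule is the widest one in the profile.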
@@ -49,15 +49,17 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 /var/lib/snapd/desktop/icons/{,**} r,
 # Full access to user's data
+ include
 / r,
 /home/ r,
+ @{MOUNTDIRS}/ r,
+ @{MOUNTS}/ r,
 owner @{HOME}/{,**} rw,
- owner @{MOUNTS}/{,**} rw,
+ owner @{MOUNTS}/** rw,
 owner @{run}/user/@{uid}/{,**} rw,
 owner /tmp/{,**} rw,
 # Silence non user's data
- include
 deny /boot/{,**} r,
 deny /opt/{,**} r,
 deny /root/{,**} r,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 58556391d..9f6ea6df3 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -102,13 +102,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 / r,
 /etc/ r,
+ /etc/machine-id r,
 /etc/resolv.conf rw,
 /etc/resolv.conf.[0-9A-Z]* rw,
 /etc/NetworkManager/{,**} r,
 /etc/NetworkManager/system-connections/{,**} w,
- /etc/machine-id r,
+ /var/lib/iwd/*open* rw,
 /var/lib/NetworkManager/{,**} rw,
 @{sys}/bus/ r,
@@ -130,6 +131,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
+ owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/1/environ r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 623065e90..8f32f2627 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -59,6 +59,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/env rix,
 /{usr/,}bin/filecap rix,
 /{usr/,}bin/find rix,
+ /{usr/,}bin/gdbus rix,
 /{usr/,}bin/getent rix,
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/ghc-pkg-* rix,
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index bc053307e..74f634449 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
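Review bot: The new `@{MOUNTDIRS}/ r,` and `@{MOUNTS}/ r,` lines in the nautilus hunk are not `owner`-scoped while the content rule right below them (`owner @{MOUNTS}/** rw,`) is, which looks deliberate (mount-point directories under the media root are usually root-owned, so `owner` would not match) but is not stated anywhere. A comment such as `# Mount point dirs are root-owned, so no owner here` next to the two lines keeps a later cleanup from re-adding the qualifier. The `include` line added under "Full access to user's data" has its target stripped in this rendering, so what it pulls in could not be reviewed here.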
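Review bot: `/var/lib/iwd/*open* rw,` in the first NetworkManager hunk matches every file in that directory whose name merely contains `open`, which includes the stored credentials of a network whose SSID happens to contain that word (a constructed example: `myopen.psk`), not only iwd's `<ssid>.open` profiles for open networks. If the open-network profiles are the intent, `/var/lib/iwd/*.open rw,` is the tighter glob; anchoring the extension rather than the substring is the safer choice in either case, since this is a write grant for a system daemon into a credential store.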
@@ -21,11 +21,13 @@ profile appstreamcli @{exec_path} flags=(complain) {
 /{usr/,}bin/gzip rix,
 /{usr/,}bin/tar rix,
+ /usr/share/app-info/{,**} r,
 /usr/share/appdata/ r,
 /usr/share/applications/{,*.desktop} r,
 /usr/share/metainfo/ r,
 /usr/share/metainfo/*.{metainfo,appdata}.xml r,
 /usr/share/mime/mime.cache r,
+ /usr/share/swcatalog/{,**} r,
 /etc/appstream.conf r,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 7e9cd9e18..5f1d899de 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -15,6 +15,7 @@ profile flatpak-system-helper @{exec_path} {
 capability chown,
 capability dac_override,
+ capability fowner,
 capability net_admin,
 capability setgid,
 capability setuid,
@@ -33,17 +34,18 @@ profile flatpak-system-helper @{exec_path} {
 /etc/flatpak/{,**} r,
+ /usr/share/mime/mime.cache r,
 /usr/share/flatpak/triggers/ r,
 /var/lib/flatpak/{,**} rwkl,
 /var/tmp/flatpak-cache-*/{,**} rw,
- owner /tmp/#[0-9]* rw,
- owner /tmp/ostree-gpg-*/ rw,
+ owner /{var/,}tmp/#[0-9]* rw,
+ owner /{var/,}tmp/ostree-gpg-*/ rw,
 owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+ @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/stat r,
 profile gpg {
 include
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index 71f30ab2d..caf3238cc 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -24,7 +24,9 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/false rix,
 /{usr/,}bin/sysctl rPx,
+ /{usr/,}bin/true rix,
 /{usr/,}lib/modprobe.d/{,*.conf} r,
 /{usr/,}lib/modules/*/modules.* rw,
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index 7432f00a4..01473d6e7 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
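Review bot: `capability fowner,` in the first flatpak-system-helper hunk is added without a comment naming the operation that needed it; a capability in an AppArmor profile is not path-scoped, so this lets the helper change mode, ownership-gated attributes and timestamps on files it does not own wherever the path rules already permit, not only under `/var/lib/flatpak/`. The existing capability list has the same gap, but for a newly added one a line such as `# fowner: attribute changes on files owned by other uids during install — TODO confirm trigger` records the reason while it is still known.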
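Review bot: In the second flatpak-system-helper hunk the two `owner /{var/,}tmp/…` lines now cover both `/tmp` and `/var/tmp`, but the unchanged rule right after them, `owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,`, still names only `/tmp`, so the contents of a `/var/tmp/ostree-gpg-*/` directory stay denied even though creating the directory is now allowed. Widening it the same way, `owner /{var/,}tmp/ostree-gpg-*/** rwkl -> /{var/,}tmp/ostree-gpg-*/**,`, keeps the three rules consistent. Separately, `@{PROC}/@{pid}/stat r,` loses the `owner` qualifier it had; if `@{pid}` is the generic pid pattern it appears to be, the rule now matches every process's stat, and a one-line comment on why `owner` no longer matched would make that widening reviewable.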
@@ -64,7 +64,7 @@ profile mount @{exec_path} flags=(complain) {
 /tmp/sanity-squashfs-[0-9]* rw,
 /tmp/syscheck-squashfs-[0-9]* rw,
- owner @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/mountinfo r,
 # The special /dev/loop-control file can be used to create and destroy loop
 # devices or to find the first available loop device.
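Review bot: Dropping `owner` from `@{PROC}/@{pid}/mountinfo r,` widens the rule from the process's own mountinfo to that of every process the pid pattern matches, which exposes the mount layout of other users' mount namespaces; the profile is still `flags=(complain)`, so nothing is blocked yet, but the reason should be recorded before it is enforced. A comment next to the rule quoting the audit entry that failed the `owner` match (`# owner does not match here because … — TODO confirm`) would let a later reviewer decide whether a narrower form is possible.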