feat(profile): general update.

Alexandre Pujol 2024-09-01 20:36:23 +01:00
parent 265e3928c1
commit b223e2eb8e
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
13 changed files with 98 additions and 53 deletions


@ -40,11 +40,8 @@ profile chromium-wrapper @{exec_path} {
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
owner @{tmp}/chromiumargs.@{rand6} rw, owner @{tmp}/chromiumargs.@{rand6} rw,
owner @{tmp}/tmp.*/ rw,
owner @{tmp}/tmp.*/** rwk,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
/dev/dri/card[0-9] rw,
# Silencer # Silencer
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,


@ -53,11 +53,11 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r, @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
@{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r, @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
@{PROC}/version r,
/dev/dri/card@{int} rw, /dev/dri/card@{int} rw,
/dev/tty rw, /dev/tty rw,
@{PROC}/version r,
# When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes: # following root processes:
# dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
@ -82,6 +82,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
include if exists <local/xdg-mime_dbus>
} }
include if exists <local/xdg-mime> include if exists <local/xdg-mime>


@ -1,7 +1,7 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Nishit Majithia (nishitm) # Copyright (C) 2024 Nishit Majithia (nishitm)
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# vim: ft=apparmor
abi <abi/3.0>, abi <abi/3.0>,
@ -10,19 +10,19 @@ include <tunables/global>
@{exec_path} = @{bin}/socat @{exec_path} = @{bin}/socat
profile socat @{exec_path} { profile socat @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/consoles>
capability dac_read_search,
capability dac_override,
capability net_raw,
capability net_admin,
capability sys_module,
capability sys_admin,
capability fsetid,
capability chown, capability chown,
capability dac_override,
capability dac_read_search,
capability fsetid,
capability net_admin,
capability net_bind_service, capability net_bind_service,
capability net_raw,
capability sys_admin,
capability sys_module,
capability sys_resource, capability sys_resource,
# Allow creation of network sockets and `socat` uses dccp for some # Allow creation of network sockets and `socat` uses dccp for some
@ -31,19 +31,13 @@ profile socat @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# Enale /dev/ptmx access for testsuite
# /dev/ptmx rw,
# TUN/TAP device
/dev/net/tun rw,
# Process-specific access
@{PROC}/@{pid}/fdinfo/@{int} rw, @{PROC}/@{pid}/fdinfo/@{int} rw,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
# For bi-directional communication between vms and host/hypervisor /dev/net/tun rw,
/dev/vsock r, /dev/vsock r, # For bi-directional communication between vms and host/hypervisor
# Site-specific additions and overrides. See local/README for details.
include if exists <local/socat> include if exists <local/socat>
} }
# vim:syntax=apparmor
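Review bot: The alphabetically sorted capability list in the second hunk still grants `capability sys_module,` and `capability sys_admin,` to socat, and unlike the dccp socket rule right below it neither carries a comment saying which socat mode needs it; socat has no obvious reason to load kernel modules. Sorting makes such grants easier to skim past, so each should get a one-line justification, e.g. `capability sys_module, # TODO: name the socat option that needs this, or drop if the audit log shows no use`, and be dropped if none can be named. The same goes for `capability dac_override,` and `capability dac_read_search,`, which together bypass file permission checks for the whole profile. The profile header and the rules between the two hunks are outside this section.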


@ -12,8 +12,8 @@ profile ssh-agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
signal (receive) set=term peer=cockpit-bridge, signal receive set=term peer=cockpit-bridge,
signal (receive) set=term peer=gnome-keyring-daemon, signal receive set=term peer=gnome-keyring-daemon,
@{exec_path} mr, @{exec_path} mr,
@ -34,6 +34,7 @@ profile ssh-agent @{exec_path} {
owner @{run}/user/@{uid}/gcr/.ssh w, owner @{run}/user/@{uid}/gcr/.ssh w,
/dev/tty@{int} rw, /dev/tty@{int} rw,
/dev/tty rw,
include if exists <local/ssh-agent> include if exists <local/ssh-agent>
} }


@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-hostnamed @{exec_path} = @{lib}/systemd/systemd-hostnamed
profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.PolicyKit1> include <abstractions/bus/org.freedesktop.PolicyKit1>


@ -22,33 +22,44 @@ profile cockpit-bridge @{exec_path} {
network inet stream, network inet stream,
network inet6 dgram, network inet6 dgram,
network inet6 stream, network inet6 stream,
network netlink raw,
ptrace (read), ptrace read,
signal (send) set=term peer=cockpit-pcp, signal send set=term peer=cockpit-pcp,
signal (send) set=term peer=dbus-daemon, signal send set=term peer=dbus-daemon,
signal (send) set=term peer=journalctl, signal send set=term peer=journalctl,
signal (send) set=term peer=ssh-agent, signal send set=term peer=ssh-agent,
signal (send) set=term peer=sudo, signal send set=term peer=sudo,
signal (send) set=term peer=unconfined, signal send set=term peer=unconfined,
@{exec_path} mr, @{exec_path} mr,
@{bin}/cat ix, @{bin}/cat ix,
@{bin}/date ix, @{bin}/date ix,
@{bin}/find ix,
@{bin}/ip ix,
@{bin}/python3.@{int} ix,
@{bin}/test ix,
@{bin}/findmnt Px, @{bin}/findmnt Px,
@{bin}/journalctl Px, @{bin}/journalctl Px,
@{bin}/python3.@{int} ix, @{bin}/lastlog Px,
@{bin}/passwd Px,
@{bin}/ssh-agent Px, @{bin}/ssh-agent Px,
@{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix? @{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix?
@{bin}/udevadm Cx -> udevadm,
@{bin}/virt-install PUx, # TODO: rPx
@{lib}/cockpit/cockpit-pcp Px, @{lib}/cockpit/cockpit-pcp Px,
@{lib}/cockpit/cockpit-ssh Px, @{lib}/cockpit/cockpit-ssh Px,
@{bin}/virsh rPUx,
# The shell is not confined on purpose. # The shell is not confined on purpose.
@{bin}/@{shells} Ux, @{bin}/@{shells} Ux,
/usr/share/cockpit/{,**} r,
/usr/{,local/}share/ r, /usr/{,local/}share/ r,
/usr/share/cockpit/{,**} r,
/usr/share/iproute2/* r,
/etc/cockpit/{,**} r, /etc/cockpit/{,**} r,
/etc/httpd/conf/mime.types r, /etc/httpd/conf/mime.types r,
@ -59,6 +70,8 @@ profile cockpit-bridge @{exec_path} {
/etc/shadow r, /etc/shadow r,
/etc/shells r, /etc/shells r,
/ r,
owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
@ -66,6 +79,7 @@ profile cockpit-bridge @{exec_path} {
@{run}/utmp r, @{run}/utmp r,
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,
@{sys}/class/net/ r,
@{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/ r,
@{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
@{sys}/fs/cgroup/ r, @{sys}/fs/cgroup/ r,
@ -89,6 +103,13 @@ profile cockpit-bridge @{exec_path} {
/dev/ptmx rw, /dev/ptmx rw,
profile udevadm {
include <abstractions/base>
include <abstractions/app/udevadm>
include if exists <local/cockpit-bridge_udevadm>
}
include if exists <local/cockpit-bridge> include if exists <local/cockpit-bridge>
} }
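Review bot: `@{bin}/ip ix,` in the first hunk runs ip with the whole cockpit-bridge policy inherited, including `/etc/shadow r,` and the unconfined `@{bin}/@{shells} Ux,` transition, when ip itself only talks to the kernel over netlink — the `network netlink raw,` line added in the same hunk is presumably there for it. The last hunk already shows the tighter shape for udevadm (`@{bin}/udevadm Cx -> udevadm,` plus a child profile), and ip can follow it; the sketch below is the minimum and should be checked against the audit log, and whether the parent still needs `network netlink raw,` depends on whether cockpit-bridge uses netlink on its own. `@{bin}/virt-install PUx, # TODO: rPx` in the same hunk falls back to unconfined whenever no virt-install profile is loaded, so that TODO is worth tracking rather than leaving inline. The profile header is outside the hunks.
```apparmor
  @{bin}/ip Cx -> ip,
  # … unchanged: other exec rules …

  profile ip {
    include <abstractions/base>

    network netlink raw,

    @{bin}/ip mr,

    include if exists <local/cockpit-bridge_ip>
  }
```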


@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
/etc/motd.d/ r, /etc/motd.d/ r,
/etc/shells r, /etc/shells r,
@{run}/cockpit/active.motd r,
@{run}/cockpit/inactive.motd r,
@{run}/faillock/@{user} rwk, @{run}/faillock/@{user} rwk,
@{run}/motd.d/{,*} r,
@{run}/systemd/sessions/*.ref rw, @{run}/systemd/sessions/*.ref rw,
@{run}/utmp rwk, @{run}/utmp rwk,
@{run}/motd.d/{,*} r,
@{run}/cockpit/active.motd r,
/var/log/btmp rw, /var/log/btmp rw,
/var/log/lastlog rw, /var/log/lastlog rw,


@ -68,6 +68,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=@{profile_name},
ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=gnome-boxes,
ptrace (read,trace) peer=libvirt-@{uuid}, ptrace (read,trace) peer=libvirt-@{uuid},
ptrace (read,trace) peer=libvirt-dbus, ptrace (read,trace) peer=libvirt-dbus,
ptrace (read,trace) peer=unconfined, ptrace (read,trace) peer=unconfined,
@ -93,15 +94,14 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{lib}/libvirt/libvirt_iohelper rix, @{lib}/libvirt/libvirt_iohelper rix,
@{lib}/libvirt/libvirt_parthelper rix, @{lib}/libvirt/libvirt_parthelper rix,
@{lib}/{,qemu/}qemu-bridge-helper rPx,
@{lib}/{,qemu/}vhost-user-gpu rPUx,
@{lib}/{,qemu/}virtiofsd rux, # TODO: WIP
@{lib}/udev/scsi_id rPUx, @{lib}/udev/scsi_id rPUx,
@{lib}/xen-*/bin/libxl-save-helper rPUx, @{lib}/xen-*/bin/libxl-save-helper rPUx,
@{lib}/xen-*/bin/pygrub rPUx, @{lib}/xen-*/bin/pygrub rPUx,
@{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen-common/bin/xen-toolstack rPUx,
@{lib}/xen/bin/* rPUx, @{lib}/xen/bin/* rPUx,
/{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx,
/{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd rux, # TODO: WIP
/{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
@{bin}/dmidecode rPx, @{bin}/dmidecode rPx,
@{bin}/dnsmasq rPx, @{bin}/dnsmasq rPx,
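Review bot: Replacing the `Cx -> qemu_bridge_helper` transition with `@{lib}/{,qemu/}qemu-bridge-helper rPx,` in the second hunk leaves the old `qemu_bridge_helper` child profile, defined elsewhere in this file and not visible here, with no rule that transitions into it; if it was not removed further down it is now dead policy and should go with this change. The new path also narrows the old `/{usr/,}{lib,lib64,lib/qemu,libexec}/` alternation to `@{lib}/{,qemu/}` for all three helpers, which is only equivalent if the `@{lib}` tunable expands to the lib64 and libexec variants — worth confirming, since a miss would silently leave the helper unconfined rather than fail loudly. A short comment on the rPx line, e.g. `# tap fd comes back over the unix socket, see profile qemu-bridge-helper`, would tie the two profiles together for the next reader. The libvirtd profile body continues outside both hunks.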


@ -0,0 +1,35 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/{,qemu/}qemu-bridge-helper
profile qemu-bridge-helper @{exec_path} {
include <abstractions/base>
capability net_admin,
capability setpcap,
network inet stream,
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
signal receive set=term peer=libvirtd,
@{exec_path} mr,
/etc/qemu/bridge.conf r,
@{sys}/devices/system/node/ r,
owner @{PROC}/@{pids}/status r,
/dev/net/tun rw,
include if exists <local/qemu-bridge-helper>
}
# vim:syntax=apparmor
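Review bot: The new profile pins both IPC rules to libvirtd — `unix (send, receive) type=stream addr=none peer=(label=libvirtd),` and `signal receive set=term peer=libvirtd,` — so the file descriptor the helper hands back can only go to a libvirtd peer. That matches the `rPx` transition libvirtd gets in this commit, but a QEMU started outside libvirt execs the helper itself for its bridge backend, and once this profile leaves complain mode that hand-off would be denied with no hint why. A header comment stating the assumption, e.g. `# Only libvirtd is expected to exec this helper; add the QEMU peer label if it is run directly`, would make that an explicit decision rather than a surprise. `capability setpcap,` is consistent with a setuid helper dropping privileges, which is the right direction.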


@ -92,9 +92,6 @@ profile git @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/*/ rw, owner @{user_cache_dirs}/*/ rw,
owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
owner @{tmp}/** rwkl -> /tmp/**,
owner @{tmp}/**/bin/* rCx -> exec,
owner @{HOME}/.gitconfig* rw, owner @{HOME}/.gitconfig* rw,
owner @{HOME}/.netrc r, owner @{HOME}/.netrc r,
owner @{user_config_dirs}/git/{,*} rw, owner @{user_config_dirs}/git/{,*} rw,


@ -39,8 +39,6 @@ profile smartd @{exec_path} {
/var/lib/smartmontools/smartd.*.state{,~} rw, /var/lib/smartmontools/smartd.*.state{,~} rw,
/var/lib/smartmontools/attrlog.*.csv rw, /var/lib/smartmontools/attrlog.*.csv rw,
/tmp/tmp.* rw,
@{run}/systemd/notify rw, @{run}/systemd/notify rw,
@{sys}/class/scsi_host/ r, @{sys}/class/scsi_host/ r,


@ -61,15 +61,15 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
/etc/fstab r, /etc/fstab r,
/etc/libnl/classid r, /etc/libnl/classid r,
owner @{HOME}/ r, # System VM images
owner @{user_cache_dirs}/virt-manager/{,**} rw, /var/lib/libvirt/images/{,**} rw,
# For disk images # For disk images
@{MOUNTS}/ r, @{MOUNTS}/ r,
@{user_img_dirs}/{,**} r, @{user_img_dirs}/{,**} r,
# System VM images owner @{HOME}/ r,
/var/lib/libvirt/images/{,**} rw, owner @{user_cache_dirs}/virt-manager/{,**} rw,
# User VM images # User VM images
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,


@ -279,6 +279,7 @@ plymouth-set-default-theme attach_disconnected,complain
plymouthd complain plymouthd complain
polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted
qdbus complain qdbus complain
qemu-bridge-helper complain
realmd complain realmd complain
remmina complain remmina complain
run-parts complain run-parts complain
@ -369,7 +370,6 @@ systemd-userwork attach_disconnected,complain
systemsettings complain systemsettings complain
totem attach_disconnected,complain totem attach_disconnected,complain
tracker-writeback complain tracker-writeback complain
transmission complain
udev-dmi-memory-id complain udev-dmi-memory-id complain
udisksctl complain udisksctl complain
udisksd attach_disconnected,complain udisksd attach_disconnected,complain
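Review bot: Dropping `transmission complain` in the second hunk moves that profile to enforce mode, as far as this file shows (no entry means no complain flag), which is a user-visible behaviour change that the commit message `feat(profile): general update.` does not mention. If it is deliberate, naming it in the message or giving it its own commit makes it far easier to bisect when transmission starts seeing denials; if it is accidental, the line should stay until that profile has been exercised. Adding `qemu-bridge-helper complain` for the new profile in the first hunk is the expected starting point for a profile that has not been run under enforcement yet.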