From f9442e82581c858e4c8c256320fe334e6a3124f4 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Mon, 3 Jun 2024 16:27:38 +0000 Subject: [PATCH 01/28] fix(systemd-oomd): add `app.slice` and `session.slice` paths --- apparmor.d/groups/systemd/systemd-oomd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 2ad2a82d7..64b03e02f 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -32,6 +32,8 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.pressure r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/memory.* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/memory.* r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, From a1fe682e7ac4b66d21b4ec7b0bbcb5813850af23 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 3 Jun 2024 18:34:55 +0100 Subject: [PATCH 02/28] feat(profile): update btop. --- apparmor.d/profiles-a-f/btop | 38 ++++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index ec2ba089a..3ec7b2f3b 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/btop profile btop @{exec_path} { include - include include + include + include capability sys_ptrace, 
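Review bot: The two added rules name `app.slice` and `session.slice` explicitly under `user@@{uid}.service`, so any other slice the user manager places there (systemd ships a `background.slice` alongside those two) will raise the same `memory.*` denial this patch fixes. As the access is read-only on cgroup memory attributes, a single `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/*.slice/memory.* r,` would cover the set without granting anything beyond memory accounting files, and a comment such as `# per-slice memory accounting that oomd monitors` above it would record why. The `systemd-oomd` profile body continues outside the hunk.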
@@ -21,30 +22,41 @@ profile btop @{exec_path} { @{exec_path} mr, + /usr/share/btop/{,**} r, + + /etc/fstab r, + owner @{user_config_dirs}/btop/{,**} rw, + @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/host@{int}/*/*/block/*/*/stat r, - @{sys}/devices/@{pci}/net/*/address r, - @{sys}/devices/@{pci}/net/*/statistics/{rx,tx}_bytes r, + @{sys}/devices/@{pci}/**/stat r, + @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, - @{sys}/devices/platform/coretemp.@{int}/hwmon/hwmon@{int}/{,*} r, + @{sys}/devices/**/hwmon@{int}/{,*} r, + @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, - @{sys}/devices/virtual/**/net/*/address r, - @{sys}/devices/virtual/**/net/*/statistics/{rx,tx}_bytes r, + @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/{,*} r, + @{sys}/devices/virtual/net/{,**} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, @{PROC} r, - @{PROC}/loadavg r, - @{PROC}/uptime r, - @{PROC}/@{pids}/comm r, + @{PROC}/@{pid}/statm r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, owner @{PROC}/@{pid}/mounts r, + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} rw, + include if exists } From ff16790421a01e40efdea166628dcbf01bda470c Mon Sep 17 00:00:00 2001 
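Review bot: The new `/dev/nvidia-caps/ rw,` and `/dev/nvidia-caps/nvidia-cap@{int} rw,` rules give a read-only system monitor write permission on NVIDIA capability device nodes; unless the denial that prompted them carried `requested_mask=w`, `r` should be sufficient and keeps the profile from holding write access on device files it only needs to query. `@{PROC}/@{pid}/statm r,` is the only per-process rule in the block written with `@{pid}`, while the neighbouring `cmdline`, `comm`, `io` and `stat` rules use `@{pids}`; both expand to `[0-9]*` (see the docs/variables.md hunk later in this series), so it is a readability point, but `@{pids}` documents that btop reads every process. The profile header is outside the hunk.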
From: Alexandre Pujol Date: Mon, 3 Jun 2024 18:37:12 +0100 Subject: [PATCH 03/28] feat(abs): general update. --- apparmor.d/abstractions/app-launcher-root | 4 ++-- apparmor.d/abstractions/app-launcher-user | 23 +++++++++++------------ apparmor.d/abstractions/app/firefox | 2 ++ apparmor.d/abstractions/common/app | 4 +++- apparmor.d/abstractions/mesa.d/complete | 3 ++- apparmor.d/abstractions/vulkan-strict | 2 +- 6 files changed, 21 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 680eb5686..69bcf9007 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -3,8 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* rPUx, - /usr/local/{s,}bin/* rPUx, + @{bin}/* PUx, + /usr/local/{s,}bin/* PUx, @{bin}/ r, / r, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 73f4e0b24..4a6c795d6 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -3,19 +3,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* rPUx, - /opt/*/** rPUx, - /usr/share/*/* rPUx, - /usr/local/bin/* rPUx, + @{bin}/* PUx, + /opt/*/** PUx, + /usr/share/*/* PUx, + /usr/local/bin/* PUx, - @{bin}/chromium rPx, - @{brave_path} rPx, - @{chrome_path} rPx, - @{chromium_path} rPx, - @{firefox_path} rPx, - @{opera_path} rPx, - @{thunderbird_path} rPx, - @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx, + @{brave_path} Px, + @{chrome_path} Px, + @{chromium_path} Px, + @{firefox_path} Px, + @{opera_path} Px, + @{thunderbird_path} Px, + @{offices_path} PUx, @{bin}/ r, / r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 138294664..ba0c7f3ee 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox 
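Review bot: Removing `@{bin}/chromium rPx` from app-launcher-user leaves `@{bin}/chromium` to the generic `@{bin}/* PUx` unless `@{chromium_path}` covers that path, and `PUx` differs from `Px` in that a target without a loaded profile runs unconfined instead of being refused; worth confirming the variable includes it so the fallback for a browser is a deliberate choice. `@{offices_path}` replaces the libreoffice paths but is not defined in this commit, so the abstraction now depends on that variable existing in the tunables. The same `rPUx` → `PUx` drop of the read bit is applied in app-launcher-root in the hunk above.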
@@ -41,6 +41,8 @@ network inet6 stream, network netlink raw, + ptrace trace peer=@{profile_name}, + signal (send) set=(term, kill) peer=@{profile_name}-*, @{sh_path} rix, diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 59d93c8f0..36e4e29de 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Common rules for applications sandboxed using bwrap. @@ -40,8 +41,9 @@ @{bin}/ r, @{lib}/ r, /usr/local/bin/ r, - owner /@{uuid}/ w, owner /_@{int}_/ w, + owner /@{uuid}/ w, + owner /var/cache/ldconfig/{,**} rw, # Full access to user's data / r, diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 436ddc96c..1a77e3e7c 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -5,7 +5,8 @@ # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache/ rw, - owner @{desktop_cache_dirs}/mesa_shader_cache/index rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + owner @{desktop_cache_dirs}/mesa_shader_cache/index rw, + owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index 70d5711d5..ee56ef44c 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict 
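Review bot: `ptrace trace peer=@{profile_name},` allows any process confined by this profile to attach to and control any other process under the same label, which is more than `/proc/@{pid}/` reads need; if the motivating denial was `requested_mask="read"`, `ptrace (read) peer=@{profile_name},` is the narrower rule and keeps a content process from attaching to the parent. If the crash reporter genuinely attaches, a comment such as `# crash reporter attaches to the crashed child` would justify keeping `trace`. The `signal (send) set=(term, kill) peer=@{profile_name}-*,` rule is scoped to the child profiles only. The abstraction continues outside the hunk on both sides.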
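Review bot: `owner /var/cache/ldconfig/{,**} rw,` in the second common/app hunk grants every bwrap-sandboxed application write access under the host loader-cache directory; `owner` restricts it to files owned by the application's uid, so on an unmodified host only a root-run sandbox could actually write there, but the rule reads as host access where the real target is presumably a private `/var/cache/ldconfig` inside the sandbox mount namespace. A comment on the rule (`# private ldconfig cache inside the bwrap mount namespace`) would make that explicit, and if the writes come from bwrap's own setup rather than the application they belong in the `bwrap` profile. The abstraction continues outside both hunks.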
@@ -15,7 +15,7 @@ /etc/vulkan/implicit_layer.d/{,*.json} r, owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r, - owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache + owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache @{sys}/class/ r, @{sys}/class/drm/ r, From 0fa7985f0e45e30805887ac66a338483199c724d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 3 Jun 2024 19:06:02 +0100 Subject: [PATCH 04/28] doc: improve documentation. --- docs/configuration.md | 9 ++++++++- docs/development/abstractions.md | 2 +- docs/development/dbus.md | 8 +++++++- docs/development/directives.md | 2 +- docs/development/guidelines.md | 17 ++++++++--------- docs/development/index.md | 2 +- docs/full-system-policy.md | 15 ++++++++++++++- docs/install.md | 2 +- docs/report.md | 5 +++++ docs/usage.md | 14 ++++++++++++-- docs/variables.md | 1 - 11 files changed, 58 insertions(+), 19 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index 05d4fa1f1..c367de4d2 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -49,7 +49,14 @@ The profiles heavily use the (largely extended) XDG directory variables defined | Vm | `@{XDG_VM_DIR}` | `.vm` | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | -You can personalize these values by creating a file such as: `/etc/apparmor.d/tunables/xdg-user-dirs.d/local` where you define your own personal directories. Example: +You can personalize these values. + +First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: +``` +sudo mkdir /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d +``` +Then create a `local` addition file in it where you define your own personal +directories. Example: ```sh @{XDG_VIDEOS_DIR}+="Films" @{XDG_MUSIC_DIR}+="Musique" diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 6657bb78a..07d147d6e 100644 --- a/docs/development/abstractions.md 
+++ b/docs/development/abstractions.md @@ -114,7 +114,7 @@ Minimal set of rules for all electron based UI application. It works as a *funct !!! note "" - [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/e979fe05b06f525e5a65c767b4eabe5600147355/apparmor.d/profile-s-z/spotify#L10-L13) + [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13) ``` sh linenums="10" @{name} = spotify @{lib_dirs} = /opt/@{name} diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 875370c57..1c8e2e971 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md 
@@ -2,7 +2,13 @@ title: Dbus --- -All dbus rules are labelled under the name of the given profiles that provide dbus data. If the profiles were going to change (a renaming, an architectural change), the dbus rules need to be updated accordingly. +All dbus rules are labelled under the name of the given profiles that provide dbus data. It is one of the value added by this project, as we have profile for *everything*, we can restrict the bus further by limitint connection to a given peer label (the profile name). In case of a renaming of a profile, all dbus rules related it this profile need to be updated accordingly. + +## Profiles + +Regardless of the Dbus implementation used (`dbus-daemon` or `dbus-broker`), all dbus daemons are handled under the same set of profiles: [`dbus-system`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-system), [`dbus-session`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-session), and [`dbus-accessibility`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-accessibility). This structure largely improves the confinement of each profile. + +To ensure system and session bus are handled by a different profile, a [systemd drop-in](https://github.com/roddhjav/apparmor.d/blob/main/systemd/default/system/dbus.service) configuration file is used to set the specific dbus profile a dbus service must use. ## Abstractions diff --git a/docs/development/directives.md b/docs/development/directives.md index fb8c79c4e..877001adb 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md 
@@ -136,7 +136,7 @@ The `exec` directive is useful to allow executing transition to a profile withou include capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index b25305f88..4e5e1af7e 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -91,24 +91,23 @@ If there is no predictable label it can be omitted. ### Profile rules -`bin, sbin & lib` +#### :material-numeric-1-circle: Variables -: - Do not use: `/usr/lib` or `/usr/bin` but `@{bin}/` or `@{lib}/` - - Do not use: `/usr/sbin` or `/sbin` but `@{bin}/`. +: Always use the apparmor [variables](../variables.md). + Example: -`Variables` + - `/usr/lib` or `/usr/bin` become `@{bin}` or `@{lib}` + - `/usr/sbin` or `/sbin` become `@{bin}`. -: Always use the apparmor variables. - -`Sort` +#### :material-numeric-2-circle: Sort : In a rule block, the rules must be alphabetically sorted. -`Sub profile` +#### :material-numeric-3-circle: Sub profile : Sub profile should come at the end of a profile. -`Similar purpose` +#### :material-numeric-4-circle: Similar purpose : When some rules share similar purpose, they may be sorted together. Eg: ``` diff --git a/docs/development/index.md b/docs/development/index.md index 21e8457ba..72029af86 100644 --- a/docs/development/index.md +++ b/docs/development/index.md 
@@ -36,7 +36,7 @@ You want to contribute to `apparmor.d`, **thanks a lot for this.** Feedbacks, co : As these are mandatory access control policies only what is explicitly required should be authorized. Meaning, you should **not** allow everything (or a large area) - and blacklist some sub areas. + and deny some sub areas. #### Rule :material-numeric-2-circle: - Do not break a program diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 21c209ea1..f5b7fa812 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -1,5 +1,5 @@ --- -title: Full system policy +title: Full system policy (FSP) --- !!! danger @@ -18,6 +18,19 @@ title: Full system policy *Source: [AppArmor Wiki][apparmor-wiki]* +## Overview + +The default mode of `apparmor.d` is the more advanced confinement configuration we can achieve while being as simple as installing a package and doing some minor configuration on your system. By design, a full system confinement does not work this way. Before enabling you need to consider your use case and security objective. + +Particularly: + +- Every system application will be **blocked** if they do not have a profile. +- Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile. +- Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. +- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. +- In FSP mode, all sandbox manager **must** have a profile. Then user sandboxed application (flatpak, snap...) will work as expected. + + ## Install diff --git a/docs/install.md b/docs/install.md index 828624d5c..59a963a23 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -14,7 +14,7 @@ title: Installation **AppArmor** -An `apparmor` based Linux distribution is required. The basic profiles and abstractions shipped with AppArmor must be installed. +An `apparmor` based Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed. **Desktop environment** diff --git a/docs/report.md b/docs/report.md index 05995fae1..2292d1bd0 100644 --- a/docs/report.md +++ b/docs/report.md @@ -16,5 +16,10 @@ If this command produce nothing, try: aa-log -s -R ``` +You can get more logs with: + +1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them) +2. `aa-log -R -f ` where `` is `1`, `2`, `3` and `4` (the rotated audit log file) + [newissue]: https://github.com/roddhjav/apparmor.d/issues/new [paste]: https://pastebin.com/ diff --git a/docs/usage.md b/docs/usage.md index e20714b12..9ad0d7050 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -86,17 +86,27 @@ Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logp To read the AppArmor log from `/var/log/audit/audit.log`: ```sh -aa-log +$ aa-log ``` To optionally filter a given profile name: `aa-log ` (your shell will autocomplete the profile name): ``` -aa-log dnsmasq +$ aa-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r ``` +To generate AppArmor rule: +```sh +$ aa-log -r dnsmasq +profile dnsmasq { + @{PROC}/@{pid}/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, +} +``` + !!! info Other logs file in `/var/log/audit/` can easily be checked: `aa-log -f 1` diff --git a/docs/variables.md b/docs/variables.md index f1113be13..6ea5285c8 100644 --- a/docs/variables.md +++ b/docs/variables.md 
@@ -86,7 +86,6 @@ title: Variables References | Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` | | Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | | | Hexadecimal | `@{h}*@{h}` | | -| MD5 hash | `@{md5}` | | | Universally unique identifier | `@{uuid}` | | | Current Process id | `@{pid}` | `[0-9]*` | | Processes ids | `@{pids}` | `[0-9]*` | From 789ba3836ee6f654d56159cbe156bb230c0e884f Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Mon, 3 Jun 2024 17:58:39 +0000 Subject: [PATCH 05/28] fix(kmod): add `/run/modprobe.d` --- apparmor.d/profiles-g-l/kmod | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 0ae2ba626..4dbb2de6b 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -34,6 +34,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, + @{run}/modprobe.d/{,*.conf} r, + /etc/depmod.d/{,**} r, /etc/modprobe.d/{,*.conf} r, From c40c3e1c981e6c273d01557aa23b20b719c4a374 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Mon, 3 Jun 2024 19:54:40 +0000 Subject: [PATCH 06/28] fix(lspci): add `/run/modprobe.d` --- apparmor.d/profiles-g-l/lspci | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index 7c277d6e7..d8aa90103 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -24,6 +24,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { /usr/share/misc/pci.ids.gz r, /usr/share/pci.ids r, + @{run}/modprobe.d/{,*.conf} r, /etc/modprobe.d/{,*.conf} r, /etc/udev/hwdb.bin r, From 34973baaeab7ef420402ad346fbb14ac50684ada Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Tue, 4 Jun 2024 19:52:06 +0100
Subject: [PATCH 07/28] build: use the same technique to disable upstream profile on all distribution. Only enabled on Ubuntu & opensuse
---
 Makefile | 7 +++-
 pkg/prebuild/cfg/directories.go | 7 +++-
 pkg/prebuild/cfg/files.go | 45 ++++++++++-------------
 pkg/prebuild/cfg/files_test.go | 61 -------------------------------
 pkg/prebuild/prebuild.go | 7 +++-
 pkg/prebuild/prepare/configure.go | 13 +++++--
 6 files changed, 45 insertions(+), 95 deletions(-)
diff --git a/Makefile b/Makefile
index 1caed67f8..85a4a7190 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
 .PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean
 all: build
- @./${BUILD}/prebuild --complain
+ @./${BUILD}/prebuild --complain
 build:
 @go build -o ${BUILD}/ ./cmd/aa-log
@@ -26,6 +26,7 @@ full: build
 ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n")
 PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n")
+DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n")
 install:
 @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
 @for file in ${ROOT}; do \
@@ -34,6 +35,10 @@ install:
 @for file in ${PROFILES}; do \
 install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
 done;
+ @for file in ${DISABLES}; do \
+ mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
+ cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
+ done;
 @for file in ${BUILD}/systemd/system/*; do \
 service="$$(basename "$$file")"; \
 install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
diff --git a/pkg/prebuild/cfg/directories.go b/pkg/prebuild/cfg/directories.go
index 4032249b4..497a67df4 100644
--- a/pkg/prebuild/cfg/directories.go
+++ b/pkg/prebuild/cfg/directories.go
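Review bot: In the new `DISABLES` loop of the `install:` recipe, `mkdir -p "${DESTDIR}/etc/apparmor.d/disable"` is re-run for every symlink and `cp -d` is the only step in the recipe that bypasses `install`, so the directory gets whatever mode the umask yields rather than an explicit one; creating it once before the loop with `install -d -m0755 "${DESTDIR}/etc/apparmor.d/disable"` and keeping `cp -d` per link makes the recipe uniform. `DISABLES` also collects every symlink under `${BUILD}/apparmor.d` with `find -type l`, not only those the prebuild writes under `disable/`, so a symlink added elsewhere in the tree later would be copied too; adding `-path '*/disable/*'` to that `find` pins the intent. The `all:` target change at the top of the file differs only in whitespace. The `install:` recipe continues outside the hunk.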
@@ -28,8 +28,11 @@ var (
 // DebianDir is the directory where the debian specific files are stored
 DebianDir *paths.Path = paths.New("debian")
- // Either or not overwrite some upstreamed profile
- Overwrite = Overwriter{Enabled: false}
+ // AppArmor 4.0 contains several profiles that allow userns and are otherwise
+ // unconfined. Overwriter disables upstream profile in favor of (better) apparmor.d
+ // counterpart
+ Overwrite Overwriter = false
+
 Ignore = Ignorer{}
 Flags = Flagger{}
diff --git a/pkg/prebuild/cfg/files.go b/pkg/prebuild/cfg/files.go
index 6d635d657..7fb3a2fad 100644
--- a/pkg/prebuild/cfg/files.go
+++ b/pkg/prebuild/cfg/files.go
@@ -50,42 +50,35 @@ func (i Ignorer) Read(name string) []string {
 return util.MustReadFileAsLines(path)
 }
-type Overwriter struct {
- Enabled bool
-}
+type Overwriter bool
+
+// Overwrite upstream profile: disable upstream & rename ours
+func (o Overwriter) Apply() error {
+ const ext = ".apparmor.d"
+ disableDir := RootApparmord.Join("disable")
+ if err := disableDir.Mkdir(); err != nil {
+ return err
+ }
-// Get the list of upstream profiles to overwrite from dist/overwrite
-func (o Overwriter) Get() []string {
 path := DistDir.Join("overwrite")
 if !path.Exist() {
- return []string{}
+ return fmt.Errorf("%s not found", path)
 }
- return util.MustReadFileAsLines(path)
-}
-
-// Overwrite upstream profile for APT: rename our profile & hide upstream
-func (o Overwriter) Apt(files []string) {
- const ext = ".apparmor.d"
- file, err := DebianDir.Join("apparmor.d.hide").Append()
- if err != nil {
- panic(err)
- }
- for _, name := range files {
+ for _, name := range util.MustReadFileAsLines(path) {
 origin := RootApparmord.Join(name)
 dest := RootApparmord.Join(name + ext)
 if err := origin.Rename(dest); err != nil {
- panic(err)
+ return err
 }
- if _, err := file.WriteString("/etc/apparmor.d/" + name + "\n"); err != nil {
- panic(err)
+ originRel, err := origin.RelFrom(dest)
+ if err != nil {
+ return err
+ }
+ if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil {
+ return err
 }
 }
+ return nil
 }
-// Clean the debian/apparmor.d.hide file
-func (o Overwriter) AptClean() {
- path := DebianDir.Join("apparmor.d.hide")
- if err := path.WriteFile([]byte(Hide)); err != nil {
- panic(err)
- }
 }
diff --git a/pkg/prebuild/cfg/files_test.go b/pkg/prebuild/cfg/files_test.go
index c3d89dd20..b4ce13a1c 100644
--- a/pkg/prebuild/cfg/files_test.go
+++ b/pkg/prebuild/cfg/files_test.go
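Review bot: As committed, files.go appears not to build: `Apply` calls `fmt.Errorf` and `os.Symlink` but this patch does not touch the file's import block (the `fmt`, `os` and `paths` imports only arrive in PATCH 09/28), and the ` }` kept as context after the removed `AptClean` body leaves a stray closing brace at top level after `Apply`'s own `}`, which that later patch reuses to close `DebianHider.Clean`; squashing the import change into this commit would keep each commit buildable. Separately, the symlink target is computed as `origin.RelFrom(dest)`, relative to the renamed profile rather than to the `disable/` directory where the link is created; it yields `../<name>` only because `dest` and `disable/` sit at the same depth, and `origin.RelFrom(disableDir)` states the intent directly (assuming `RelFrom` is `filepath.Rel` with the receiver as the target). `disableDir.Mkdir()` and `os.Symlink` will also fail on a second prebuild run if the directory or link already exists, unless `Mkdir` tolerates an existing directory. The `TestOverwriter_Get` and `TestOverwriter_Apt` tests deleted from files_test.go in this commit are not replaced, so `Apply` has no coverage.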
@@ -102,64 +102,3 @@ code }) } } - -func TestOverwriter_Get(t *testing.T) { - tests := []struct { - name string - content string - want []string - }{ - { - name: "empty", - content: ` - -`, - want: []string{}, - }, - { - name: "main", - content: ` -# This is managed globally -brave # not so brave -chrome -firefox -`, - want: []string{ - "brave", - "chrome", - "firefox", - }, - }, - } - DistDir = paths.New("/tmp/") - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - err := DistDir.Join("overwrite").WriteFile([]byte(tt.content)) - if err != nil { - return - } - if got := Overwrite.Get(); !reflect.DeepEqual(got, tt.want) { - t.Errorf("Overwriter.Get() = %v, want %v", got, tt.want) - } - }) - } -} - -func TestOverwriter_Apt(t *testing.T) { - tests := []struct { - name string - files []string - }{ - { - name: "empty", - files: []string{}, - }, - } - DebianDir = paths.New("/tmp/") - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - Overwrite.Apt(tt.files) - Overwrite.AptClean() - }) - } -} diff --git a/pkg/prebuild/prebuild.go b/pkg/prebuild/prebuild.go index a0e8117d3..fc327fffb 100644 --- a/pkg/prebuild/prebuild.go +++ b/pkg/prebuild/prebuild.go @@ -32,11 +32,16 @@ func init() { builder.Register("dev") switch cfg.Distribution { + case "opensuse": + builder.Register("abi3") + cfg.Overwrite = true + case "ubuntu": if cfg.Release["VERSION_CODENAME"] == "noble" { builder.Register("abi3") - cfg.Overwrite.Enabled = true + cfg.Overwrite = true } + case "whonix": cfg.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure /etc/apparmor.d/home.tor-browser.firefox diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index ba0c700c4..abca3d54d 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go 
@@ -28,12 +28,17 @@ func (p Configure) Apply() ([]string, error) {
 res := []string{}
 switch cfg.Distribution {
 case "arch", "opensuse":
+ if cfg.Overwrite {
+ if err := cfg.Overwrite.Apply(); err != nil {
+ return res, err
+ }
+ }
 case "ubuntu":
- cfg.Overwrite.AptClean()
- if cfg.Overwrite.Enabled {
- profiles := cfg.Overwrite.Get()
- cfg.Overwrite.Apt(profiles)
+ if cfg.Overwrite {
+ if err := cfg.Overwrite.Apply(); err != nil {
+ return res, err
+ }
 } else {
 if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil {
 return res, err
From 13d3b23a04662cfd822897bcbc879399e2258123 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 4 Jun 2024 19:52:56 +0100
Subject: [PATCH 08/28] fix(opensuse): ensure integration on opensuse.
---
 apparmor.d/abstractions/authentication.d/complete | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete
index de6c758b3..4a9d55bd3 100644
--- a/apparmor.d/abstractions/authentication.d/complete
+++ b/apparmor.d/abstractions/authentication.d/complete
@@ -1,7 +1,7 @@
 @{bin}/pam-tmpdir-helper rPx,
- #aa:exclude ubuntu
+ #aa:exclude ubuntu opensuse
 @{bin}/unix_chkpwd rPx,
 #aa:only whonix
From 41c0e57ecab16ca26f198217e7140fca33f34f51 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 4 Jun 2024 19:55:53 +0100
Subject: [PATCH 09/28] build: better way to handle debian hide file. only needed as whonix needs special addition.
---
 pkg/prebuild/cfg/directories.go | 2 ++
 pkg/prebuild/cfg/files.go | 16 ++++++++++++++++
 pkg/prebuild/prebuild.go | 6 +++---
 pkg/prebuild/prepare/configure.go | 8 +++++++-
 4 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/pkg/prebuild/cfg/directories.go b/pkg/prebuild/cfg/directories.go
index 497a67df4..282aa1ad8 100644
--- a/pkg/prebuild/cfg/directories.go
+++ b/pkg/prebuild/cfg/directories.go
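Review bot: The `if cfg.Overwrite { if err := cfg.Overwrite.Apply(); err != nil { return res, err } }` block is now duplicated verbatim in the `"arch", "opensuse"` and `"ubuntu"` cases of `Configure.Apply`; since the flag is set only by distribution-specific init code, the call can be hoisted once above the `switch`, with the ubuntu case keeping `if !cfg.Overwrite { … CopyTo … }` for its remaining branch. The `"arch"` case also gains a code path no caller enables, as `cfg.Overwrite` is set only for opensuse and ubuntu noble in prebuild.go in this commit; a short comment there (`// Overwrite is never set for arch; kept for symmetry`) would save the next reader the lookup. `Configure.Apply` continues outside the hunk.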
@@ -33,6 +33,8 @@ var (
 // counterpart
 Overwrite Overwriter = false
+ // DebianHide is the path to the debian/apparmor.d.hide file
+ DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")}
 Ignore = Ignorer{}
 Flags = Flagger{}
diff --git a/pkg/prebuild/cfg/files.go b/pkg/prebuild/cfg/files.go
index 7fb3a2fad..c716235cd 100644
--- a/pkg/prebuild/cfg/files.go
+++ b/pkg/prebuild/cfg/files.go
@@ -5,11 +5,15 @@ package cfg
 import (
+ "fmt"
+ "os"
 "strings"
+ "github.com/roddhjav/apparmor.d/pkg/paths"
 "github.com/roddhjav/apparmor.d/pkg/util"
 )
+// Default content of debian/apparmor.d.hide. Whonix has special addition.
 var Hide = `# This file is generated by "make", all edit will be lost.
 /etc/apparmor.d/usr.bin.firefox
@@ -81,4 +85,16 @@ func (o Overwriter) Apply() error {
 return nil
 }
+type DebianHider struct {
+ path *paths.Path
+}
+
+// Initialize the file with content from Hide
+func (d DebianHider) Init() error {
+ return d.path.WriteFile([]byte(Hide))
+}
+
+// Initialize the file with content from Hide
+func (d DebianHider) Clean() error {
+ return d.path.WriteFile([]byte("# This file is generated by \"make\", all edit will be lost.\n"))
 }
diff --git a/pkg/prebuild/prebuild.go b/pkg/prebuild/prebuild.go
index fc327fffb..30bf5c2e6 100644
--- a/pkg/prebuild/prebuild.go
+++ b/pkg/prebuild/prebuild.go
@@ -45,14 +45,14 @@ func init() {
 case "whonix":
 cfg.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure
 /etc/apparmor.d/home.tor-browser.firefox
-/etc/apparmor.d/tunables/home.d/anondist
+/etc/apparmor.d/tunables/homsanitycheck
+/etc/apparmor.d/usr.bin.url_e.d/anondist
 /etc/apparmor.d/tunables/home.d/live-mode
 /etc/apparmor.d/tunables/home.d/qubes-whonix-anondist
 /etc/apparmor.d/usr.bin.hexchat
 /etc/apparmor.d/usr.bin.sdwdate
 /etc/apparmor.d/usr.bin.systemcheck
-/etc/apparmor.d/usr.bin.timesanitycheck
-/etc/apparmor.d/usr.bin.url_to_unixtime
+/etc/apparmor.d/usr.bin.timeto_unixtime
 /etc/apparmor.d/whonix-firewall
 `
 }
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index abca3d54d..c7f9330a3 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -35,6 +35,10 @@ func (p Configure) Apply() ([]string, error) {
 }
 case "ubuntu":
+ if err := cfg.DebianHide.Clean(); err != nil {
+ return res, err
+ }
+
 if cfg.Overwrite {
 if err := cfg.Overwrite.Apply(); err != nil {
 return res, err
@@ -46,7 +50,9 @@ func (p Configure) Apply() ([]string, error) {
 }
 case "debian", "whonix":
- cfg.Overwrite.AptClean()
+ if err := cfg.DebianHide.Init(); err != nil {
+ return res, err
+ }
 // Copy Debian specific abstractions
 if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil {
From d98621625a6cc9fa5f50b32b07f8c7b079fe89fc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 4 Jun 2024 20:01:05 +0100
Subject: [PATCH 10/28] chore: small fixes and cosmetic.
---
 debian/control | 1 +
 dists/apparmor.d.spec | 1 +
 dists/docker.sh | 2 +-
 dists/ignore/opensuse.ignore | 4 ++++
 dists/overwrite | 8 ++------
 pkg/prebuild/cfg/files.go | 5 -----
 pkg/prebuild/prepare/configure.go | 2 +-
 pkg/util/tools.go | 8 ++++----
 8 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/debian/control b/debian/control
index a93c56280..3d15800b8 100644
--- a/debian/control
+++ b/debian/control
@@ -18,6 +18,7 @@ Depends: apparmor-profiles,
 ${shlibs:Depends}
 Conflicts: apparmor-profiles-extra
+Provides: apparmor-profiles-extra
 Description: Full set of AppArmor profiles (~ 1500 profiles)
 apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec
index 06eee4510..c07066412 100644
--- a/dists/apparmor.d.spec
+++ b/dists/apparmor.d.spec
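Review bot: `Provides: apparmor-profiles-extra` next to the existing `Conflicts: apparmor-profiles-extra` in debian/control is the Debian pattern for replacing a package outright, but that pattern also pairs them with `Replaces: apparmor-profiles-extra` so dpkg lets this package take over file paths the old one shipped instead of aborting on a file conflict; if both packages install under `/etc/apparmor.d/`, that overlap is likely. Adding the `Replaces` line alongside the other two closes the gap. The configure.go hunks earlier on this line swap `AptClean` for `DebianHide.Clean` and `DebianHide.Init`, which PATCH 10/28 already unifies.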
@@ -16,6 +16,7 @@ Source0: %{name}-%{version}.tar.gz
 Requires: apparmor-profiles
 BuildRequires: distribution-release
 BuildRequires: golang-packaging
+BuildRequires: apparmor-profiles
 %description
 AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine
 most Linux based applications and processes.
diff --git a/dists/docker.sh b/dists/docker.sh
index d62d469eb..19a8737ae 100644
--- a/dists/docker.sh
+++ b/dists/docker.sh
@@ -80,7 +80,7 @@ build_in_docker_dpkg() {
 --env DISTRIBUTION="$target" "$BASEIMAGE/$dist"
 docker exec "$img" sudo apt-get update -q
 docker exec "$img" sudo apt-get install -y config-package-dev rsync
- [[ "$COMMAND" == debian ]] && aptopt=(-t bookworm-backports)
+ [[ "$dist" == debian ]] && aptopt=(-t bookworm-backports)
 docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go
 fi
diff --git a/dists/ignore/opensuse.ignore b/dists/ignore/opensuse.ignore
index a4c63bd3d..0d393c6c1 100644
--- a/dists/ignore/opensuse.ignore
+++ b/dists/ignore/opensuse.ignore
@@ -11,3 +11,7 @@ apparmor.d/groups/ubuntu
 # Whonix specific definition
 apparmor.d/groups/whonix
 apparmor.d/tunables/home.d/whonix
+
+# Profiles provided by they own package
+libvirt
+virt-aa-helper
diff --git a/dists/overwrite b/dists/overwrite
index 37db232dc..bea6d574b 100644
--- a/dists/overwrite
+++ b/dists/overwrite
@@ -1,12 +1,8 @@
-# Apparmor ships some unconfined profiles that allow everything and set the
-# userns rules. This file keeps track of them and allow apparmor.d to replace
+# Apparmor 4.0 ships several profiles that allow userns and are otherwise
+# unconfined. This file keeps track of them and allow apparmor.d to replace
 # them by our own.
 # File format: one profile name by line.
-# This is managed globally in this file and not in debian/apparmor.d.hide as
-# it applies to all distributions using apparmor 4.0+. When needed, it is
-# automatically enabled during prebuild.
-
 brave
 chrome
 element-desktop
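Review bot: `aptopt` is only assigned when `$dist` is debian, so for every other target the next line expands `"${aptopt[@]}"` on an unset array; under `set -u` that is a fatal "unbound variable" error in bash before 4.4, and the script header is outside this hunk so I cannot tell whether `set -u` is enabled. Initialising the array unconditionally with `aptopt=()` on the line before the `[[ ... ]]` test makes the expansion safe either way. The enclosing `build_in_docker_dpkg` starts and ends outside the hunk.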
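Review bot: The new comment reads `# Profiles provided by they own package`; it should be `# Profiles provided by their own package`. The entry `libvirt` is also a bare name while the profile file being excluded elsewhere in this series is `libvirtd`, so a word on whether the ignore matcher treats these as prefixes (or whether `libvirtd` needs its own line) would help, as the hunk does not show the matching rule.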
diff --git a/pkg/prebuild/cfg/files.go b/pkg/prebuild/cfg/files.go
index c716235cd..6f81d25bc 100644
--- a/pkg/prebuild/cfg/files.go
+++ b/pkg/prebuild/cfg/files.go
@@ -93,8 +93,3 @@ type DebianHider struct {
 func (d DebianHider) Init() error {
 return d.path.WriteFile([]byte(Hide))
 }
-
-// Initialize the file with content from Hide
-func (d DebianHider) Clean() error {
- return d.path.WriteFile([]byte("# This file is generated by \"make\", all edit will be lost.\n"))
-}
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index c7f9330a3..df4daaeb1 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -35,7 +35,7 @@ func (p Configure) Apply() ([]string, error) {
 }
 case "ubuntu":
- if err := cfg.DebianHide.Clean(); err != nil {
+ if err := cfg.DebianHide.Init(); err != nil {
 return res, err
 }
diff --git a/pkg/util/tools.go b/pkg/util/tools.go
index c7d91a8da..96cffb36a 100644
--- a/pkg/util/tools.go
+++ b/pkg/util/tools.go
@@ -71,11 +71,11 @@ func DecodeHexInString(str string) string {
 func RemoveDuplicate[T comparable](inlist []T) []T {
 var empty T
 list := []T{}
- keys := map[T]bool{}
- keys[empty] = true
+ seen := map[T]bool{}
+ seen[empty] = true
 for _, item := range inlist {
- if _, ok := keys[item]; !ok {
- keys[item] = true
+ if _, ok := seen[item]; !ok {
+ seen[item] = true
 list = append(list, item)
 }
 }
From 8b60e56002129063d5692c20b0e43f554f51d943 Mon Sep 17 00:00:00 2001
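Review bot: `RemoveDuplicate` silently drops the zero value of `T` (the empty string for `[]string`, `0` for ints) because `seen[empty] = true` is set before the loop, and neither the rename to `seen` nor anything else in the hunk documents that; a caller deduplicating a list that legitimately contains `""` loses those entries without any hint from the name. Add a doc comment above the function such as `// RemoveDuplicate returns inlist without repeated items, keeping first-seen order; the zero value of T is always dropped.` The function's closing `return` is outside the hunk.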
From: Alexandre Pujol Date: Tue, 4 Jun 2024 20:13:40 +0100 Subject: [PATCH 11/28] feat(profile): general update. --- apparmor.d/groups/apt/dpkg-preconfigure | 2 ++ apparmor.d/groups/apt/unattended-upgrade | 3 +++ apparmor.d/groups/bus/dbus-session | 2 +- apparmor.d/groups/bus/dbus-system | 6 ++--- apparmor.d/groups/gnome/gnome-control-center | 2 ++ .../groups/gnome/gnome-remote-desktop-daemon | 4 +++ apparmor.d/groups/gnome/gnome-shell | 6 +++-- apparmor.d/groups/gnome/gnome-text-editor | 2 ++ apparmor.d/groups/gvfs/gvfsd-wsdd | 1 + apparmor.d/groups/network/nmcli | 15 +++-------- apparmor.d/groups/pacman/pacman | 10 +++---- apparmor.d/groups/pacman/pacman-key | 3 ++- apparmor.d/groups/ssh/sshd | 5 ++++ apparmor.d/profiles-a-f/borg | 5 ---- .../profiles-g-l/gdk-pixbuf-query-loaders | 2 ++ apparmor.d/profiles-g-l/gpu-manager | 3 +++ apparmor.d/profiles-g-l/hostapd | 27 ------------------- apparmor.d/profiles-s-z/snapd | 2 +- apparmor.d/profiles-s-z/spotify | 5 +++- apparmor.d/profiles-s-z/wsdd | 24 +++++++++++++++++ dists/flags/main.flags | 1 + 21 files changed, 71 insertions(+), 59 deletions(-) delete mode 100644 apparmor.d/profiles-g-l/hostapd create mode 100644 apparmor.d/profiles-s-z/wsdd
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 9d8d33300..bb4789570 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -21,6 +21,8 @@ profile dpkg-preconfigure @{exec_path} {
 @{sh_path} rix,
 @{bin}/{,e}grep rix,
+ @{bin}/{,g,m}awk rix,
+ @{bin}/cat rix,
 @{bin}/dialog rix,
 @{bin}/locale rix,
 @{bin}/sed rix,
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 9ab8fc698..769b165a8 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -33,6 +33,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 signal (send) peer=apt-methods-http,
+ unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
+
 @{exec_path} mr,
 @{bin}/ r,
@@ -106,6 +108,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/apt-dpkg-install-*/{,*} rw,
 @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pids}/fd/ r,
 /dev/ptmx rw,
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 4df679c9f..4d8fc6cdf 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -38,7 +38,7 @@ profile dbus-session flags=(attach_disconnected) {
 @{bin}/** PUx,
 @{lib}/** PUx,
- /usr/share/** PUx,
+ /usr/share/*/** PUx,
 /etc/dbus-1/{,**} r,
 /usr/share/dbus-1/{,**} r,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index bb37fa90a..ac13f478d 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -36,9 +36,9 @@ profile dbus-system flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{bin}/** PUx,
- @{lib}/** PUx,
- /usr/share/*/** PUx,
+ @{bin}/** PUx,
+ @{lib}/** PUx,
+ /usr/share/*/** PUx,
 /etc/dbus-1/{,**} r,
 /usr/share/dbus-1/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 531a3273e..fd2462ffa 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -57,6 +57,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{bin}/grep rix,
 @{bin}/locale rix,
 @{bin}/sed rix,
+ @{bin}/tecla rix,
 @{bin}/bwrap rCx -> bwrap,
 @{bin}/gkbd-keyboard-display rPx,
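Review bot: `@{bin}/tecla rix` runs the keyboard-layout viewer inside gnome-control-center's own profile, whereas the comparable tool on the last context line, `@{bin}/gkbd-keyboard-display rPx`, gets its own profile. If tecla is a separate GUI program rather than a helper script, `ix` hands it every rule the control-center profile carries (including the `bwrap` transition above it), so `@{bin}/tecla rPx` with a small dedicated profile would be the consistent, least-privilege choice. What tecla actually needs is not shown in the hunk, so this is a suggestion to check against the denials rather than a certainty.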
@@ -159,6 +160,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
 @{PROC}/cmdline r,
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 @{PROC}/zoneinfo r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index 9c7044d07..4fcf39da3 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -24,5 +24,9 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 @{exec_path} mr,
+ /usr/share/gnome-remote-desktop/{,**} r,
+
+ owner /var/lib/gnome-remote-desktop//{,**} r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index dd58dc810..217cc0d52 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -281,7 +281,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_cache_dirs}/media-art/{,**} r,
 owner @{user_cache_dirs}/vlc/**/*.jpg r,
- @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
+ @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
 owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
 owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@@ -398,9 +398,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ unix receive type=stream,
+
 @{lib}/gio-launch-desktop mr,
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
-
+
 @{lib}/* PUx,
 /usr/games/* PUx,
 /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor
index bfd2ed5f3..6d40144ce 100644
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
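Review bot: `owner /var/lib/gnome-remote-desktop//{,**} r` has a doubled slash before the brace group, so the rule will not match `/var/lib/gnome-remote-desktop/` or anything under it; the last patch in this very series fixes the same mistake in systemd-oomd with the note that the double slash "caused the path to not work". Change it to `owner /var/lib/gnome-remote-desktop/{,**} r,` so the rule actually grants what the denial asked for.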
@@ -16,6 +16,8 @@ profile gnome-text-editor @{exec_path} {
 @{exec_path} mr,
+ /usr/share/enchant-*/{,**} r,
+
 owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd
index 4c0459cf1..d44e12dbc 100644
--- a/apparmor.d/groups/gvfs/gvfsd-wsdd
+++ b/apparmor.d/groups/gvfs/gvfsd-wsdd
@@ -14,6 +14,7 @@ profile gvfsd-wsdd @{exec_path} {
 @{exec_path} mr,
+ @{bin}/env r,
 @{bin}/wsdd rPx,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli
index 71fe1dcb6..c3ae732bd 100644
--- a/apparmor.d/groups/network/nmcli
+++ b/apparmor.d/groups/network/nmcli
@@ -15,7 +15,9 @@ profile nmcli @{exec_path} {
 @{exec_path} mr,
- @{bin}/less rCx -> pager,
+ @{bin}/less rPx -> child-pager,
+ @{bin}/more rPx -> child-pager,
+ @{bin}/pager rPx -> child-pager,
 owner @{HOME}/.nm-vpngate/*.ovpn r,
 owner @{HOME}/.cert/nm-openvpn/*.pem rw,
@@ -26,16 +28,5 @@ profile nmcli @{exec_path} {
 @{sys}/devices/virtual/net/{,**} r,
 @{sys}/devices/@{pci}/net/*/{,**} r,
- profile pager {
- include
- include
-
- @{bin}/less mr,
-
- owner @{HOME}/.lesshs* rw,
- owner @{user_cache_dirs}/.lesshs* rw,
-
- }
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index e84e8aa5d..d9c670d0b 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -117,11 +117,6 @@ profile pacman @{exec_path} {
 /usr/** rwlk -> /usr/**,
 /var/** rwlk -> /var/**,
- @{PROC}/ r,
- @{run}/ r,
- @{sys}/{,**} r,
- /mnt r,
-
 # Read packages files
 @{user_pkg_dirs}/**/ r,
 @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
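Review bot: The removed `pager` child profile granted `owner @{HOME}/.lesshs*` and `owner @{user_cache_dirs}/.lesshs*` writes for less's history file; the new `rPx -> child-pager` transitions only work if a `child-pager` profile exists and carries those rules, and nothing in this hunk shows it. Worth confirming that profile is present in the tree before this lands, since `Px` to a missing profile makes `nmcli | less` fail outright rather than just log. The file also still ends without a trailing newline.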
@@ -132,13 +127,16 @@ profile pacman @{exec_path} {
 owner @{tmp}/checkup-db-@{int}/db.lck rw,
 @{run}/utmp rk,
-
+
+ @{sys}/{,**} r,
+
 @{PROC}/@{pids}/ r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/cmdline r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/1/environ r,
 @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/tty/drivers r,
 @{PROC}/uptime r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 5b363b2ab..31994b373 100644
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -16,13 +16,14 @@ profile pacman-key @{exec_path} {
 @{exec_path} mr,
+ @{bin}/{m,g,}awk rix,
 @{bin}/basename rix,
 @{bin}/bash rix,
 @{bin}/chmod rix,
- @{bin}/{m,g,}awk rix,
 @{bin}/gettext rix,
 @{bin}/gpg{,2} rCx -> gpg,
 @{bin}/grep rix,
+ @{bin}/ngettext rix,
 @{bin}/pacman-conf rPx,
 @{bin}/touch rix,
 @{bin}/tput rix,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index fef44a12c..59f2b4ebe 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -84,6 +84,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 @{etc_ro}/ssh/sshd_config.d/{,*} r,
 /etc/ssh/ssh_host_* r,
+ /var/lib/lastlog/ r,
+ /var/lib/lastlog/* rwk,
+ /var/lib/wtmpdb/ r,
+ /var/lib/wtmpdb/* rwk,
+
 # For scp
 owner @{user_download_dirs}/{,**} rwl,
 owner @{user_sync_dirs}/{,**} rwl,
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index 739d18472..dffe9087f 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -21,11 +21,6 @@ profile borg @{exec_path} {
 network inet6 dgram,
 network netlink raw,
- mount fstype=fuse -> @{MOUNTS}/,
- mount fstype=fuse -> @{MOUNTS}/*/,
- umount @{MOUNTS}/,
- umount @{MOUNTS}/*/,
-
 @{exec_path} r,
 @{bin}/ r,
diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
index ad4a8d4c6..cce69937f 100644
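Review bot: Removing the four `mount fstype=fuse -> @{MOUNTS}/...` and `umount @{MOUNTS}/...` rules takes away the only mount permission this profile had, which presumably is what `borg mount` (FUSE-based) relied on, and the commit message "general update" gives no reason. If that subcommand is intentionally unsupported now, or the mount is done by a separate helper under its own profile, a one-line comment where the rules were (`# borg mount is not covered; see <profile>`) would keep someone from re-adding them after the next denial; otherwise this is a silent regression for `borg mount` users. The rest of the profile is outside the hunk, so I cannot see whether an equivalent rule survives elsewhere.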
--- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
@@ -21,5 +21,7 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
 @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw,
 @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw,
+ /usr/share/gvfs/remote-volume-monitors/{,**} r,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager
index 7e79f79c3..9177b7b3c 100644
--- a/apparmor.d/profiles-g-l/gpu-manager
+++ b/apparmor.d/profiles-g-l/gpu-manager
@@ -26,6 +26,9 @@ profile gpu-manager @{exec_path} {
 /var/log/gpu-manager.log w,
+ @{sys}/devices/@{pci}/boot_vga r,
+ @{sys}/module/compression r,
+
 @{PROC}/modules r,
 @{PROC}/cmdline r,
diff --git a/apparmor.d/profiles-g-l/hostapd b/apparmor.d/profiles-g-l/hostapd
deleted file mode 100644
index a57a22a79..000000000
--- a/apparmor.d/profiles-g-l/hostapd
+++ /dev/null
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/hostapd
-profile hostapd @{exec_path} {
- include
- include
-
- capability net_admin,
- capability net_raw,
-
- @{exec_path} mr,
-
- /dev/rfkill r,
-
- /etc/hostapd.conf r,
- /etc/hostapd/{,*} r,
-
- @{run}/hostapd/{,**} rw,
- @{run}/hostapd.pid rw,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 7228dd885..dfae29999 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -153,7 +153,7 @@ profile snapd @{exec_path} {
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
 @{sys}/kernel/kexec_loaded r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- @{sys}/kernel/security/apparmor/features/{,*/} r,
+ @{sys}/kernel/security/apparmor/features/{,**} r,
 @{sys}/kernel/security/apparmor/profiles r,
 @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
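Review bot: `/usr/share/gvfs/remote-volume-monitors/{,**} r` looks unrelated to a tool whose only job, judging by the two `loaders.cache` rules above it, is to regenerate the gdk-pixbuf loader cache; presumably GIO's volume-monitor module probes that directory when GLib initialises, but nothing in the hunk says so. A one-line comment above the rule, `# GIO volume-monitor probe at startup, not used by the cache itself`, would tell the next reader it is deliberate rather than a stray rule, and the file still lacks its trailing newline.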
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index ba94636f2..e588ffbcf 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -41,7 +41,10 @@ profile spotify @{exec_path} {
 owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
 owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,
- owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw,
+ owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/*/devices/ r,
 @{PROC}/pressure/* r,
diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd
new file mode 100644
index 000000000..46a3c40b6
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wsdd
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/wsdd
+profile wsdd @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/env r,
+ @{bin}/python3.@{int} rix,
+
+ /etc/machine-id r,
+
+ owner @{run}/user/@{uid}/gvfsd/wsdd w,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 733f75ee2..4770b79eb 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -373,6 +373,7 @@ virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
 wg complain
 wg-quick complain
+wsdd complain
 xdg-dbus-proxy attach_disconnected,complain
 xdg-desktop-icon complain
 xdg-desktop-portal-kde complain
From 70697cf31549db464aed25be3121f8a150235ce4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Jun 2024 20:26:32 +0100 Subject: [PATCH 12/28] ci: fix opensuse build & re-enable ubuntu preprocess. --- .gitlab-ci.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6c0ad7b45..ffc9dded0 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
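Review bot: The new `wsdd` profile carries no `network` rule at all, although wsdd is a Web-Services-Discovery responder that, as far as I know, sends and receives multicast UDP and enumerates interfaces; with `wsdd complain` in `main.flags` this only logs, but before the profile can be enforced it will need something like `network inet dgram,` / `network inet6 dgram,` and likely `network netlink raw,`, so a `# TODO: network rules, kept in complain until confirmed` comment would make the gap explicit. The two `include` lines are stripped in this view, so if one of them already brings network access in, disregard. The file is also missing its trailing newline.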
@@ -119,7 +119,7 @@ opensuse:
 image: registry.gitlab.com/roddhjav/builders/opensuse
 script:
 - mkdir -p "$PKGDEST"
- - sudo zypper install -y distribution-release golang-packaging rsync
+ - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles
 - bash dists/build.sh rpm
 artifacts:
 expire_in: 1 day
@@ -151,11 +151,16 @@ preprocess-debian:
 - dpkg --install $PKGDEST/*
 - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
-.preprocess-ubuntu:
- extends: preprocess-debian
+preprocess-ubuntu:
+ stage: preprocess
 image: ubuntu
 dependencies:
 - ubuntu
+ script:
+ - apt-get update -q
+ - apt-get install -y apparmor apparmor-profiles
+ - dpkg --install $PKGDEST/*
+ - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 preprocess-whonix:
 extends: preprocess-debian
From c3de88e476c219f5b4aee064f6ec39399917b243 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Jun 2024 20:36:51 +0100 Subject: [PATCH 13/28] build(opensuse): update exclude files. These files are now managed in dists/ignore/ --- dists/apparmor.d.spec | 3 --- 1 file changed, 3 deletions(-)
diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec
index c07066412..b00b12eca 100644
--- a/dists/apparmor.d.spec
+++ b/dists/apparmor.d.spec
@@ -37,9 +37,6 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||:
 %files
 %license LICENSE
 %doc README.md
-%exclude /etc/apparmor.d/libvirtd
-%exclude /etc/apparmor.d/unix-chkpwd
-%exclude /etc/apparmor.d/virt-aa-helper
 %config /etc/apparmor.d/
 /usr/bin/aa-log
From 37d0a3676337e83817eedbc131b10d1455500674 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 06:45:03 +0000 Subject: [PATCH 14/28] fix(polkit-gnome-authentication-agent): include dconf-write --- .../groups/freedesktop/polkit-gnome-authentication-agent | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
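Review bot: `preprocess-ubuntu` now re-lists a full `script:` whose last two lines are identical to the `preprocess-debian` context lines just above it, where the previous definition used `extends: preprocess-debian` and overrode only `image` and `dependencies`. If the first two `apt-get` lines match the Debian job too (they are outside the hunk), `extends` with the two overrides keeps the jobs from drifting apart; if Ubuntu genuinely needs a different package set, a comment on the job saying why it is not inherited would save the next person from "simplifying" it back. The enclosing `preprocess-debian` job starts outside the hunk.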
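Review bot: This hunk drops `%exclude /etc/apparmor.d/unix-chkpwd` together with the libvirtd and virt-aa-helper excludes, but the openSUSE ignore list that the commit message says now manages these (`dists/ignore/opensuse.ignore`, patch 10 in this series) only gained `libvirt` and `virt-aa-helper`; unless `unix-chkpwd` is already listed outside that hunk, the RPM will now package `/etc/apparmor.d/unix-chkpwd` and conflict with the same file from `apparmor-profiles`, which this spec both `Requires` and `BuildRequires`. Worth confirming the ignore file covers it before merging.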
diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
index f1d235c95..5642d7cff 100644
--- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
@@ -12,6 +12,7 @@ include
 @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
 profile polkit-gnome-authentication-agent @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
@@ -19,4 +20,4 @@ profile polkit-gnome-authentication-agent @{exec_path} {
 @{PROC}/@{pid}/cgroup r,
 include if exists
-}
\ No newline at end of file
+}
From 5a8510a1f784ceceedcd72d86506e902ef7d1b11 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Tue, 4 Jun 2024 19:49:07 +0000 Subject: [PATCH 15/28] fix(systemd-oomd): add `cgroup/system.slice/` and `app-dbus*` paths --- apparmor.d/groups/systemd/systemd-oomd | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 64b03e02f..013892f62 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -31,9 +31,11 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/memory.pressure r,
+ @{sys}/fs/cgroup/system.slice/memory.* r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/memory.* r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/memory.* r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/memory.* r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.a11y.atspi.Registry.slice/memory.* r,
 @{PROC}/pressure/cpu r,
 @{PROC}/pressure/io r,
From 6801ae1e0c5c9652430f2bb658dee497197393dc Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Tue, 4 Jun 2024 21:28:04 +0000 Subject: [PATCH 16/28] fix(systemd-oomd): make `org.a11y.atspi.Registry.slice` as in `apparmor.d/groups/gnome/epiphany-search-provider` --- apparmor.d/groups/systemd/systemd-oomd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 013892f62..d919f2a84 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -35,7 +35,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/memory.* r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/memory.* r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.a11y.atspi.Registry.slice/memory.* r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.a11y.atspi.Registry.slice/memory.* r,
 @{PROC}/pressure/cpu r,
 @{PROC}/pressure/io r,
From 281768667a53d23da7e62551dd7c97719ec70de5 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 06:36:49 +0000 Subject: [PATCH 17/28] fix(systemd-oomd): change to `{,**/}` --- apparmor.d/groups/systemd/systemd-oomd | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index d919f2a84..922ed7a25 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -34,8 +34,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/system.slice/memory.* r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/memory.* r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/memory.* r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.a11y.atspi.Registry.slice/memory.* r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/{,**/}memory.* r,
 @{PROC}/pressure/cpu r,
 @{PROC}/pressure/io r,
From 8f05f023560eea27446004d9fe8e69cb1cfc3cdf Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 06:39:19 +0000 Subject: [PATCH 18/28] fix(systemd-oomd): shorten paths --- apparmor.d/groups/systemd/systemd-oomd | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 922ed7a25..2460d6994 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -30,11 +30,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/systemd/journal/socket w,
 @{sys}/fs/cgroup/cgroup.controllers r,
- @{sys}/fs/cgroup/memory.pressure r,
+ @{sys}/fs/cgroup/memory.* r,
 @{sys}/fs/cgroup/system.slice/memory.* r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/memory.* r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/{,**/}memory.* r,
+ @{sys}/fs/cgroup/user.slice/{,**/}/memory.* r,
 @{PROC}/pressure/cpu r,
 @{PROC}/pressure/io r,
From e937eabd4eba77b1177f7938bbecb409e3a9d70a Mon Sep 17 00:00:00 2001
From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 06:53:58 +0000 Subject: [PATCH 19/28] fix(nm-dispatcher): add modem-manager-gui --- apparmor.d/groups/network/nm-dispatcher | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 05b6b946c..bcbb12f92 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -81,6 +81,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 /dev/tty rw,
+ @{run}/modem-manager-gui/{,timestamps} rw,
+
 profile systemctl {
 include
 include
From 0565558fe08fdcb6ee71588b976582d07f19393c Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 6 Jun 2024 10:50:21 +0200 Subject: [PATCH 20/28] complete atool --- apparmor.d/profiles-a-f/atool | 1 + 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool
index 3a1177081..cb5317ded 100644
--- a/apparmor.d/profiles-a-f/atool
+++ b/apparmor.d/profiles-a-f/atool
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/atool
 profile atool @{exec_path} {
 include
+ include
 include
 include
From 11e05037c358b10cf5177489ec54e468752f2e9d Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 07:05:30 +0000 Subject: [PATCH 21/28] fix(xdg-document-portal): add `/etc/nsswitch.conf`, `/etc/passwd` --- apparmor.d/groups/freedesktop/xdg-document-portal | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index 2715d9712..9a2e0a43a 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -35,6 +35,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+
 @{bin}/flatpak rPUx,
 @{bin}/fusermount{,3} rCx -> fusermount,
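Review bot: `@{run}/modem-manager-gui/{,timestamps} rw` grants write on the directory `/run/modem-manager-gui/` itself as well as on the `timestamps` file, and nm-dispatcher runs as root, so this lets any dispatcher script create or remove arbitrary entries in that directory. If the only observed denial was on `timestamps`, split it as `@{run}/modem-manager-gui/ r,` and `@{run}/modem-manager-gui/timestamps rw,`; keep the directory `w` only if the dispatcher script is what creates the directory, and say so in a comment. The enclosing profile continues outside the hunk.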
From 2ea558c1464ad9a17096e1bffcf94a31b35d81f4 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 09:43:23 +0000 Subject: [PATCH 22/28] fix(xdg-document-portal): use `abstractions/nameservice-strict` --- apparmor.d/groups/freedesktop/xdg-document-portal | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index 9a2e0a43a..54104e51d 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -12,6 +12,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 capability sys_admin,
 capability sys_nice,
@@ -35,9 +36,6 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /etc/nsswitch.conf r,
- /etc/passwd r,
-
 @{bin}/flatpak rPUx,
 @{bin}/fusermount{,3} rCx -> fusermount,
From d1ec0b90fc94d2ce3be787b2168307db3eea5ba0 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 10:13:52 +0000 Subject: [PATCH 23/28] fix(xdg-permission-store): add `abstractions/nameservice-strict` and `@{HOME}/.local/` --- apparmor.d/groups/freedesktop/xdg-permission-store | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index 088561f36..43faaaf9a 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -10,6 +10,7 @@ include
 profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 capability sys_nice,
@@ -25,6 +26,8 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ owner @{HOME}/.local/ w,
+
 @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,
 owner @{desktop_share_dirs}/flatpak/ w,
From ac86b5ac78b3a041b32687b66f39470978ecea3f Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 10:23:05 +0000 Subject: [PATCH 24/28] fix(gvfsd): add `abstractions/nameservice-strict` --- apparmor.d/groups/gvfs/gvfsd | 1 + 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index 1e6e05bfb..ea08abe24 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -11,6 +11,7 @@ include
 profile gvfsd @{exec_path} {
 include
 include
+ include
 #aa:dbus own bus=session name=org.gtk.vfs.Daemon
 #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker
From 46008e4edbfad84b98a1cdc33f7ef42819094ef8 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 10:24:08 +0000 Subject: [PATCH 25/28] fix(gvfsd-fuse): add `abstractions/nameservice-strict` --- apparmor.d/groups/gvfs/gvfsd-fuse | 1 + 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index b29faeea4..aa0065211 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -12,6 +12,7 @@ profile gvfsd-fuse @{exec_path} {
 include
 include
 include
+ include
 mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
From b6b00628861828953335db1fb18f1fbf09f77ba9 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Tue, 4 Jun 2024 21:54:50 +0000 Subject: [PATCH 26/28] fix(arch.flags): add `attach_disconnected` to pacman Fixes #350 --- dists/flags/arch.flags | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags
index 3b7c594d0..b94fae2c2 100644
--- a/dists/flags/arch.flags
+++ b/dists/flags/arch.flags
@@ -1,7 +1,7 @@
 archlinux-keyring-wkd-sync complain
 makepkg complain
 mkinitcpio attach_disconnected,complain
-pacman complain
+pacman attach_disconnected,complain
 pacman-conf attach_disconnected,complain
 pacman-hook-dconf complain
 pacman-hook-depmod complain
From aa0e33804a7a3f86fc68b6a2ab095f4e7a1eb6b1 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Tue, 4 Jun 2024 21:56:15 +0000 Subject: [PATCH 27/28] fix(pacman): add `attach_disconnected` flag Fixes #350 --- apparmor.d/groups/pacman/pacman | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index d9c670d0b..7207c714c 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{bin}/pacman
-profile pacman @{exec_path} {
+profile pacman @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
From b66274b2ca4a36873cdf9f7ae5f7ef2133e94b9d Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Thu, 6 Jun 2024 17:27:33 +0000 Subject: [PATCH 28/28] fix(systemd-oomd): remove double slash Double slash caused the path to not work --- apparmor.d/groups/systemd/systemd-oomd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 2460d6994..99fb6bb2f 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -32,7 +32,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/memory.* r,
 @{sys}/fs/cgroup/system.slice/memory.* r,
- @{sys}/fs/cgroup/user.slice/{,**/}/memory.* r,
+ @{sys}/fs/cgroup/user.slice/{,**/}memory.* r,
 @{PROC}/pressure/cpu r,
 @{PROC}/pressure/io r,