Merge branch 'roddhjav:main' into main

.gitlab-ci.yml

@@ -119,7 +119,7 @@ opensuse:
   image: registry.gitlab.com/roddhjav/builders/opensuse
   script:
     - mkdir -p "$PKGDEST"
-    - sudo zypper install -y distribution-release golang-packaging rsync
+    - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles
     - bash dists/build.sh rpm
   artifacts:
     expire_in: 1 day
@@ -151,11 +151,16 @@ preprocess-debian:
     - dpkg --install $PKGDEST/*
     - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 
-.preprocess-ubuntu:
+preprocess-ubuntu:
-  extends: preprocess-debian
+  stage: preprocess
   image: ubuntu
   dependencies:
     - ubuntu
+  script:
+    - apt-get update -q
+    - apt-get install -y apparmor apparmor-profiles
+    - dpkg --install $PKGDEST/*
+    - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 
 preprocess-whonix:
   extends: preprocess-debian

Makefile

@@ -12,7 +12,7 @@ P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
 .PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean
 
 all: build
-	@./${BUILD}/prebuild --complain	
+	@./${BUILD}/prebuild --complain
 
 build:
 	@go build -o ${BUILD}/ ./cmd/aa-log
@@ -26,6 +26,7 @@ full: build
 
 ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n")
 PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n")
+DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n")
 install:
 	@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
 	@for file in ${ROOT}; do \
@@ -34,6 +35,10 @@ install:
 	@for file in ${PROFILES}; do \
 		install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
 	done;
+	@for file in ${DISABLES}; do \
+		mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
+		cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
+	done;
 	@for file in ${BUILD}/systemd/system/*; do \
 		service="$$(basename "$$file")"; \
 		install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \

apparmor.d/abstractions/app-launcher-root

@@ -3,8 +3,8 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  @{bin}/*                      rPUx,
+  @{bin}/*                      PUx,
-  /usr/local/{s,}bin/*          rPUx,
+  /usr/local/{s,}bin/*          PUx,
 
   @{bin}/                       r,
   /                             r,

apparmor.d/abstractions/app-launcher-user

@@ -3,19 +3,18 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  @{bin}/*                      rPUx,
+  @{bin}/*                      PUx,
-  /opt/*/**                     rPUx,
+  /opt/*/**                     PUx,
-  /usr/share/*/*                rPUx,
+  /usr/share/*/*                PUx,
-  /usr/local/bin/*              rPUx,
+  /usr/local/bin/*              PUx,
 
-  @{bin}/chromium               rPx,
+  @{brave_path}                 Px,
-  @{brave_path}                 rPx,
+  @{chrome_path}                Px,
-  @{chrome_path}                rPx,
+  @{chromium_path}              Px,
-  @{chromium_path}              rPx,
+  @{firefox_path}               Px,
-  @{firefox_path}               rPx,
+  @{opera_path}                 Px,
-  @{opera_path}                 rPx,
+  @{thunderbird_path}           Px,
-  @{thunderbird_path}           rPx,
+  @{offices_path}              PUx,
-  @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx,
 
   @{bin}/                       r,
   /                             r,

apparmor.d/abstractions/app/firefox

@@ -41,6 +41,8 @@
   network inet6 stream,
   network netlink raw,
 
+  ptrace trace peer=@{profile_name},
+
   signal (send) set=(term, kill) peer=@{profile_name}-*,
 
   @{sh_path}                 rix,

apparmor.d/abstractions/authentication.d/complete

@@ -1,7 +1,7 @@
 
   @{bin}/pam-tmpdir-helper rPx,
 
-  #aa:exclude ubuntu
+  #aa:exclude ubuntu opensuse
   @{bin}/unix_chkpwd rPx,
 
   #aa:only whonix

apparmor.d/abstractions/common/app

@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
 
 # Common rules for applications sandboxed using bwrap.
 
@@ -40,8 +41,9 @@
         @{bin}/ r,
         @{lib}/ r,
         /usr/local/bin/ r,
-  owner /@{uuid}/ w,
   owner /_@{int}_/ w,
+  owner /@{uuid}/ w,
+  owner /var/cache/ldconfig/{,**} rw,
 
   # Full access to user's data
   / r,

apparmor.d/abstractions/mesa.d/complete

@@ -5,7 +5,8 @@
   # Extra Mesa rules for desktop environments
   owner @{desktop_cache_dirs}/ w,
   owner @{desktop_cache_dirs}/mesa_shader_cache/ rw,
-  owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
   owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw,
   owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw,
   owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk,
+  owner @{desktop_cache_dirs}/mesa_shader_cache/index rw,
+  owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw,

apparmor.d/abstractions/vulkan-strict

@@ -15,7 +15,7 @@
   /etc/vulkan/implicit_layer.d/{,*.json} r,
 
   owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
-  owner @{user_cache_dirs}/radv_builtin_shaders64 r, #Vulkan radv shaders cache
+  owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
 
   @{sys}/class/ r,
   @{sys}/class/drm/ r,

apparmor.d/groups/apt/dpkg-preconfigure

@@ -21,6 +21,8 @@ profile dpkg-preconfigure @{exec_path} {
 
   @{sh_path}        rix,
   @{bin}/{,e}grep   rix,
+  @{bin}/{,g,m}awk  rix,
+  @{bin}/cat        rix,
   @{bin}/dialog     rix,
   @{bin}/locale     rix,
   @{bin}/sed        rix,

apparmor.d/groups/apt/unattended-upgrade

@@ -33,6 +33,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 
   signal (send) peer=apt-methods-http,
 
+  unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
+
   @{exec_path} mr,
 
   @{bin}/ r,
@@ -106,6 +108,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/apt-dpkg-install-*/{,*} rw,
 
         @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/@{pids}/stat r,
   owner @{PROC}/@{pids}/fd/ r,
 
   /dev/ptmx rw,

apparmor.d/groups/bus/dbus-session

@@ -38,7 +38,7 @@ profile dbus-session flags=(attach_disconnected) {
 
   @{bin}/**                   PUx,
   @{lib}/**                   PUx,
-  /usr/share/**               PUx,
+  /usr/share/*/**             PUx,
 
   /etc/dbus-1/{,**} r,
   /usr/share/dbus-1/{,**} r,

apparmor.d/groups/bus/dbus-system

@@ -36,9 +36,9 @@ profile dbus-system flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  @{bin}/**                         PUx,
+  @{bin}/**                   PUx,
-  @{lib}/**                         PUx,
+  @{lib}/**                   PUx,
-  /usr/share/*/**                   PUx,
+  /usr/share/*/**             PUx,
 
   /etc/dbus-1/{,**} r,
   /usr/share/dbus-1/{,**} r,

apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent

@@ -12,6 +12,7 @@ include <tunables/global>
 @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
 profile polkit-gnome-authentication-agent @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
 
   @{exec_path} mr,
@@ -19,4 +20,4 @@ profile polkit-gnome-authentication-agent @{exec_path} {
   @{PROC}/@{pid}/cgroup r,
 
   include if exists <local/polkit-gnome-authentication-agent>
-}
+}

apparmor.d/groups/freedesktop/xdg-document-portal

@@ -12,6 +12,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-session>
   include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
   include <abstractions/deny-sensitive-home>
+  include <abstractions/nameservice-strict>
 
   capability sys_admin,
   capability sys_nice,

apparmor.d/groups/freedesktop/xdg-permission-store

@@ -10,6 +10,7 @@ include <tunables/global>
 profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-session>
+  include <abstractions/nameservice-strict>
 
   capability sys_nice,
 
@@ -25,6 +26,8 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  owner @{HOME}/.local/ w,
+
   @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,
 
   owner @{desktop_share_dirs}/flatpak/ w,

apparmor.d/groups/gnome/gnome-control-center

@@ -57,6 +57,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   @{bin}/grep          rix,
   @{bin}/locale        rix,
   @{bin}/sed           rix,
+  @{bin}/tecla         rix,
 
   @{bin}/bwrap                                   rCx -> bwrap,
   @{bin}/gkbd-keyboard-display                   rPx,
@@ -159,6 +160,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
 
         @{PROC}/cmdline r,
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
         @{PROC}/zoneinfo r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,

apparmor.d/groups/gnome/gnome-remote-desktop-daemon

@@ -24,5 +24,9 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 
   @{exec_path} mr,
 
+  /usr/share/gnome-remote-desktop/{,**} r,
+
+  owner /var/lib/gnome-remote-desktop//{,**} r,
+
   include if exists <local/gnome-remote-desktop-daemon>
 }

apparmor.d/groups/gnome/gnome-shell

@@ -281,7 +281,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_cache_dirs}/media-art/{,**} r,
   owner @{user_cache_dirs}/vlc/**/*.jpg r,
 
-        @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
+        @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
   owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
   owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
   owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@@ -398,9 +398,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
     include <abstractions/base>
     include <abstractions/app-launcher-user>
 
+    unix receive type=stream,
+
     @{lib}/gio-launch-desktop                               mr,
     @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop      mr,
-  
+
     @{lib}/*      PUx,
     /usr/games/*  PUx,
     /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,

apparmor.d/groups/gnome/gnome-text-editor

@@ -16,6 +16,8 @@ profile gnome-text-editor @{exec_path} {
 
   @{exec_path} mr,
 
+  /usr/share/enchant-*/{,**} r,
+
   owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
 
   owner @{PROC}/@{pid}/mountinfo r,

apparmor.d/groups/gvfs/gvfsd

@@ -11,6 +11,7 @@ include <tunables/global>
 profile gvfsd @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
+  include <abstractions/nameservice-strict>
 
   #aa:dbus own bus=session name=org.gtk.vfs.Daemon
   #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker

apparmor.d/groups/gvfs/gvfsd-fuse

@@ -12,6 +12,7 @@ profile gvfsd-fuse @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/nameservice-strict>
 
   mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
 

apparmor.d/groups/gvfs/gvfsd-wsdd

@@ -14,6 +14,7 @@ profile gvfsd-wsdd @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/env r,
   @{bin}/wsdd rPx,
 
         @{run}/mount/utab r,

apparmor.d/groups/network/nm-dispatcher

@@ -81,6 +81,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 
   /dev/tty rw,
 
+  @{run}/modem-manager-gui/{,timestamps} rw,
+
   profile systemctl {
     include <abstractions/base>
     include <abstractions/app/systemctl>

apparmor.d/groups/network/nmcli

@@ -15,7 +15,9 @@ profile nmcli @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/less rCx -> pager,
+  @{bin}/less            rPx -> child-pager,
+  @{bin}/more            rPx -> child-pager,
+  @{bin}/pager           rPx -> child-pager,
 
   owner @{HOME}/.nm-vpngate/*.ovpn r,
   owner @{HOME}/.cert/nm-openvpn/*.pem rw,
@@ -26,16 +28,5 @@ profile nmcli @{exec_path} {
   @{sys}/devices/virtual/net/{,**} r,
   @{sys}/devices/@{pci}/net/*/{,**} r,
 
-  profile pager {
-    include <abstractions/base>
-    include <abstractions/consoles>
-
-    @{bin}/less  mr,
-
-    owner @{HOME}/.lesshs* rw,
-    owner @{user_cache_dirs}/.lesshs* rw,
-
-  }
-
   include if exists <local/nmcli>
 }

apparmor.d/groups/pacman/pacman

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/pacman
-profile pacman @{exec_path} {
+profile pacman @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/disks-read>
@@ -117,11 +117,6 @@ profile pacman @{exec_path} {
   /usr/** rwlk -> /usr/**,
   /var/** rwlk -> /var/**,
 
-  @{PROC}/ r,
-  @{run}/ r,
-  @{sys}/{,**} r,
-  /mnt r,
-
   # Read packages files
   @{user_pkg_dirs}/**/ r,
   @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
@@ -132,13 +127,16 @@ profile pacman @{exec_path} {
   owner @{tmp}/checkup-db-@{int}/db.lck rw,
 
   @{run}/utmp rk,
-  
+
+  @{sys}/{,**} r,
+
         @{PROC}/@{pids}/ r,
         @{PROC}/@{pids}/cgroup r,
         @{PROC}/@{pids}/cmdline r,
         @{PROC}/@{pids}/stat r,
         @{PROC}/1/environ r,
         @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/tty/drivers r,
         @{PROC}/uptime r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/groups/pacman/pacman-key

@@ -16,13 +16,14 @@ profile pacman-key @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/{m,g,}awk    rix,
   @{bin}/basename     rix,
   @{bin}/bash         rix,
   @{bin}/chmod        rix,
-  @{bin}/{m,g,}awk    rix,
   @{bin}/gettext      rix,
   @{bin}/gpg{,2}      rCx -> gpg,
   @{bin}/grep         rix,
+  @{bin}/ngettext     rix,
   @{bin}/pacman-conf  rPx,
   @{bin}/touch        rix,
   @{bin}/tput         rix,

apparmor.d/groups/ssh/sshd

@@ -84,6 +84,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   @{etc_ro}/ssh/sshd_config.d/{,*} r,
   /etc/ssh/ssh_host_* r,
 
+  /var/lib/lastlog/ r,
+  /var/lib/lastlog/* rwk,
+  /var/lib/wtmpdb/ r,
+  /var/lib/wtmpdb/* rwk,
+
   # For scp
   owner @{user_download_dirs}/{,**} rwl,
   owner @{user_sync_dirs}/{,**} rwl,

apparmor.d/groups/systemd/systemd-oomd

@@ -30,8 +30,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
   owner @{run}/systemd/journal/socket w,
 
   @{sys}/fs/cgroup/cgroup.controllers r,
-  @{sys}/fs/cgroup/memory.pressure r,
+  @{sys}/fs/cgroup/memory.* r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
+  @{sys}/fs/cgroup/system.slice/memory.* r,
+  @{sys}/fs/cgroup/user.slice/{,**/}memory.* r,
 
   @{PROC}/pressure/cpu r,
   @{PROC}/pressure/io r,

apparmor.d/profiles-a-f/atool

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/atool
 profile atool @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
   include <abstractions/perl>
   include <abstractions/user-write-strict>
 

apparmor.d/profiles-a-f/borg

@@ -21,11 +21,6 @@ profile borg @{exec_path} {
   network inet6 dgram,
   network netlink raw,
 
-  mount fstype=fuse -> @{MOUNTS}/,
-  mount fstype=fuse -> @{MOUNTS}/*/,
-  umount @{MOUNTS}/,
-  umount @{MOUNTS}/*/,
-
   @{exec_path} r,
 
   @{bin}/ r,

apparmor.d/profiles-a-f/btop

@@ -9,8 +9,9 @@ include <tunables/global>
 @{exec_path} = @{bin}/btop
 profile btop @{exec_path} {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
   include <abstractions/consoles>
+  include <abstractions/graphics-full>
+  include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
 
@@ -21,30 +22,41 @@ profile btop @{exec_path} {
 
   @{exec_path} mr,
 
+  /usr/share/btop/{,**} r,
+
+  /etc/fstab r,
+
   owner @{user_config_dirs}/btop/{,**} rw,
 
+  @{sys}/bus/pci/devices/ r,
   @{sys}/class/hwmon/ r,
   @{sys}/class/power_supply/ r,
-  @{sys}/devices/@{pci}/host@{int}/*/*/block/*/*/stat r,
+  @{sys}/devices/@{pci}/**/stat r,
-  @{sys}/devices/@{pci}/net/*/address r,
+  @{sys}/devices/@{pci}/net/*/{,**} r,
-  @{sys}/devices/@{pci}/net/*/statistics/{rx,tx}_bytes r,
   @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r,
-  @{sys}/devices/platform/coretemp.@{int}/hwmon/hwmon@{int}/{,*} r,
+  @{sys}/devices/**/hwmon@{int}/{,*} r,
+  @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r,
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
-  @{sys}/devices/virtual/**/net/*/address r,
+  @{sys}/devices/system/node/node@{int}/cpumap r,
-  @{sys}/devices/virtual/**/net/*/statistics/{rx,tx}_bytes r,
   @{sys}/devices/virtual/block/dm-@{int}/stat r,
-  @{sys}/devices/virtual/thermal/thermal_zone@{int}/ r,
+  @{sys}/devices/virtual/net/{,**} r,
-  @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/{,*} r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r,
 
         @{PROC} r,
-        @{PROC}/loadavg r,
+        @{PROC}/@{pid}/statm r,
-        @{PROC}/uptime r,
-        @{PROC}/@{pids}/comm r,
         @{PROC}/@{pids}/cmdline r,
-        @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/comm r,
         @{PROC}/@{pids}/io r,
+        @{PROC}/@{pids}/stat r,
+        @{PROC}/devices r,
+        @{PROC}/driver/nvidia/capabilities/mig/monitor r,
+        @{PROC}/loadavg r,
+        @{PROC}/spl/kstat/zfs/arcstats r,
+        @{PROC}/uptime r,
   owner @{PROC}/@{pid}/mounts r,
 
+  /dev/nvidia-caps/ rw,
+  /dev/nvidia-caps/nvidia-cap@{int} rw,
+
   include if exists <local/btop>
 }

apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders

@@ -21,5 +21,7 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
   @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw,
   @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw,
 
+  /usr/share/gvfs/remote-volume-monitors/{,**} r,
+
   include if exists <local/gdk-pixbuf-query-loaders>
 }

apparmor.d/profiles-g-l/gpu-manager

@@ -26,6 +26,9 @@ profile gpu-manager @{exec_path} {
 
   /var/log/gpu-manager.log w,
 
+  @{sys}/devices/@{pci}/boot_vga r,
+  @{sys}/module/compression r,
+
   @{PROC}/modules r,
   @{PROC}/cmdline r,
 

apparmor.d/profiles-g-l/hostapd

@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/hostapd
-profile hostapd @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/nameservice-strict>
-
-  capability net_admin,
-  capability net_raw,
-
-  @{exec_path} mr,
-
-  /dev/rfkill r,
-
-  /etc/hostapd.conf r,
-  /etc/hostapd/{,*} r,
-
-  @{run}/hostapd/{,**} rw,
-  @{run}/hostapd.pid rw,
-
-  include if exists <local/hostapd>
-}

apparmor.d/profiles-g-l/kmod

@@ -34,6 +34,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
   @{lib}/modprobe.d/{,*.conf} r,
   @{lib}/modules/*/modules.* rw,
 
+  @{run}/modprobe.d/{,*.conf} r,
+
   /etc/depmod.d/{,**} r,
   /etc/modprobe.d/{,*.conf} r,
 

apparmor.d/profiles-g-l/lspci

@@ -24,6 +24,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
   /usr/share/misc/pci.ids.gz r,
   /usr/share/pci.ids r,
 
+  @{run}/modprobe.d/{,*.conf} r,
   /etc/modprobe.d/{,*.conf} r,
   /etc/udev/hwdb.bin r,
 

apparmor.d/profiles-s-z/snapd

@@ -153,7 +153,7 @@ profile snapd @{exec_path} {
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
   @{sys}/kernel/kexec_loaded r,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  @{sys}/kernel/security/apparmor/features/{,*/} r,
+  @{sys}/kernel/security/apparmor/features/{,**} r,
   @{sys}/kernel/security/apparmor/profiles r,
 
   @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,

apparmor.d/profiles-s-z/spotify

@@ -41,7 +41,10 @@ profile spotify @{exec_path} {
   owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
   owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,
 
-  owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw,
+  owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
+
+  @{sys}/bus/ r,
+  @{sys}/bus/*/devices/ r,
 
   @{PROC}/pressure/* r,
 

apparmor.d/profiles-s-z/wsdd

@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/wsdd
+profile wsdd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+
+  @{exec_path} mr,
+
+  @{bin}/env r,
+  @{bin}/python3.@{int} rix,
+
+  /etc/machine-id r,
+
+  owner @{run}/user/@{uid}/gvfsd/wsdd w,
+
+  include if exists <local/wsdd>
+}

debian/control

@@ -18,6 +18,7 @@ Depends:
   apparmor-profiles,
   ${shlibs:Depends}
 Conflicts: apparmor-profiles-extra
+Provides: apparmor-profiles-extra
 Description: Full set of AppArmor profiles (~ 1500 profiles)
  apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine
  most Linux based applications and processes.

dists/apparmor.d.spec

@@ -16,6 +16,7 @@ Source0:        %{name}-%{version}.tar.gz
 Requires:       apparmor-profiles
 BuildRequires:  distribution-release
 BuildRequires:  golang-packaging
+BuildRequires:  apparmor-profiles
 
 %description
 AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
@@ -36,9 +37,6 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||:
 %files
 %license LICENSE
 %doc README.md
-%exclude /etc/apparmor.d/libvirtd
-%exclude /etc/apparmor.d/unix-chkpwd
-%exclude /etc/apparmor.d/virt-aa-helper
 %config /etc/apparmor.d/
 /usr/bin/aa-log
 

dists/docker.sh

@@ -80,7 +80,7 @@ build_in_docker_dpkg() {
 			--env DISTRIBUTION="$target" "$BASEIMAGE/$dist"
 		docker exec "$img" sudo apt-get update -q
 		docker exec "$img" sudo apt-get install -y config-package-dev rsync
-		[[ "$COMMAND" == debian ]] && aptopt=(-t bookworm-backports)
+		[[ "$dist" == debian ]] && aptopt=(-t bookworm-backports)
 		docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go
 	fi
 

dists/flags/arch.flags

@@ -1,7 +1,7 @@
 archlinux-keyring-wkd-sync complain
 makepkg complain
 mkinitcpio attach_disconnected,complain
-pacman complain
+pacman attach_disconnected,complain
 pacman-conf attach_disconnected,complain
 pacman-hook-dconf complain
 pacman-hook-depmod complain

dists/flags/main.flags

@@ -373,6 +373,7 @@ virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
 wg complain
 wg-quick complain
+wsdd complain
 xdg-dbus-proxy attach_disconnected,complain
 xdg-desktop-icon complain
 xdg-desktop-portal-kde complain

dists/ignore/opensuse.ignore

@@ -11,3 +11,7 @@ apparmor.d/groups/ubuntu
 # Whonix specific definition
 apparmor.d/groups/whonix
 apparmor.d/tunables/home.d/whonix
+
+# Profiles provided by they own package
+libvirt
+virt-aa-helper

dists/overwrite

@@ -1,12 +1,8 @@
-# Apparmor ships some unconfined profiles that allow everything and set the
+# Apparmor 4.0 ships several profiles that allow userns and are otherwise
-# userns rules. This file keeps track of them and allow apparmor.d to replace
+# unconfined. This file keeps track of them and allow apparmor.d to replace
 # them by our own.
 # File format: one profile name by line.
 
-# This is managed globally in this file and not in debian/apparmor.d.hide as
-# it applies to all distributions using apparmor 4.0+. When needed, it is
-# automatically enabled during prebuild.
-
 brave
 chrome
 element-desktop

docs/configuration.md

@@ -49,7 +49,14 @@ The profiles heavily use the (largely extended) XDG directory variables defined
     | Vm | `@{XDG_VM_DIR}` | `.vm`
     | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` |
 
-You can personalize these values by creating a file such as: `/etc/apparmor.d/tunables/xdg-user-dirs.d/local` where you define your own personal directories. Example:
+You can personalize these values.
+
+First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`:
+```
+sudo mkdir /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d
+```
+Then create a `local` addition file in it where you define your own personal
+directories. Example:
 ```sh
 @{XDG_VIDEOS_DIR}+="Films"
 @{XDG_MUSIC_DIR}+="Musique"

docs/development/abstractions.md

@@ -114,7 +114,7 @@ Minimal set of rules for all electron based UI application. It works as a *funct
 
 !!! note ""
 
-    [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/e979fe05b06f525e5a65c767b4eabe5600147355/apparmor.d/profile-s-z/spotify#L10-L13)
+    [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13)
     ``` sh linenums="10"
     @{name} = spotify
     @{lib_dirs} = /opt/@{name}

docs/development/dbus.md

@@ -2,7 +2,13 @@
 title: Dbus
 ---
 
-All dbus rules are labelled under the name of the given profiles that provide dbus data. If the profiles were going to change (a renaming, an architectural change), the dbus rules need to be updated accordingly.
+All dbus rules are labelled under the name of the given profiles that provide dbus data. It is one of the value added by this project, as we have profile for *everything*, we can restrict the bus further by limitint connection to a given peer label (the profile name). In case of a renaming of a profile, all dbus rules related it this profile need to be updated accordingly.
+
+## Profiles
+
+Regardless of the Dbus implementation used (`dbus-daemon` or `dbus-broker`), all dbus daemons are handled under the same set of profiles: [`dbus-system`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-system), [`dbus-session`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-session), and [`dbus-accessibility`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/bus/dbus-accessibility). This structure largely improves the confinement of each profile.
+
+To ensure system and session bus are handled by a different profile, a [systemd drop-in](https://github.com/roddhjav/apparmor.d/blob/main/systemd/default/system/dbus.service) configuration file is used to set the specific dbus profile a dbus service must use.
 
 ## Abstractions
 

docs/development/directives.md

@@ -136,7 +136,7 @@ The `exec` directive is useful to allow executing transition to a profile withou
     include <abstractions/common/systemd>
     capability dac_override,
     capability kill,
-    unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom,
+    unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom,
     #aa:dbus own bus=system name=org.freedesktop.oom1
     /etc/systemd/oomd.conf r,
     /etc/systemd/oomd.conf.d/{,**} r,

docs/development/guidelines.md

@@ -91,24 +91,23 @@ If there is no predictable label it can be omitted.
 
 ### Profile rules
 
-`bin, sbin & lib`
+#### :material-numeric-1-circle: Variables
 
-:   - Do not use: `/usr/lib` or `/usr/bin` but `@{bin}/` or `@{lib}/`
+:   Always use the apparmor [variables](../variables.md).
-    - Do not use: `/usr/sbin` or `/sbin` but `@{bin}/`.
+    Example:
 
-`Variables`
+    - `/usr/lib` or `/usr/bin` become `@{bin}` or `@{lib}`
+    - `/usr/sbin` or `/sbin` become `@{bin}`.
 
-:   Always use the apparmor variables.
+#### :material-numeric-2-circle: Sort
-
-`Sort`
 
 :   In a rule block, the rules must be alphabetically sorted.
 
-`Sub profile`
+#### :material-numeric-3-circle: Sub profile
 
 :   Sub profile should come at the end of a profile.
 
-`Similar purpose`
+#### :material-numeric-4-circle: Similar purpose
 
 :   When some rules share similar purpose, they may be sorted together. Eg:
     ```

docs/development/index.md

@@ -36,7 +36,7 @@ You want to contribute to `apparmor.d`, **thanks a lot for this.** Feedbacks, co
 
 :   As these are mandatory access control policies only what is explicitly required
     should be authorized. Meaning, you should **not** allow everything (or a large area)
-    and blacklist some sub areas.
+    and deny some sub areas.
 
 #### Rule :material-numeric-2-circle: - Do not break a program
 

docs/full-system-policy.md

@@ -1,5 +1,5 @@
 ---
-title: Full system policy
+title: Full system policy (FSP)
 ---
 
 !!! danger
@@ -18,6 +18,19 @@ title: Full system policy
     *Source: [AppArmor Wiki][apparmor-wiki]*
 
 
+## Overview
+
+The default mode of `apparmor.d` is the more advanced confinement configuration we can achieve while being as simple as installing a package and doing some minor configuration on your system. By design, a full system confinement does not work this way. Before enabling you need to consider your use case and security objective.
+
+Particularly:
+
+- Every system application will be **blocked** if they do not have a profile.
+- Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile.
+- Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**.
+- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it.
+- In FSP mode, all sandbox manager **must** have a profile. Then user sandboxed application (flatpak, snap...) will work as expected.
+
+
 ## Install
 
 

docs/install.md

@@ -14,7 +14,7 @@ title: Installation
 
 **AppArmor**
 
-An `apparmor` based Linux distribution is required. The basic profiles and abstractions shipped with AppArmor must be installed.
+An `apparmor` based Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed.
 
 **Desktop environment**
 

docs/report.md

@@ -16,5 +16,10 @@ If this command produce nothing, try:
 aa-log -s -R
 ```
 
+You can get more logs with:
+
+1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them)
+2. `aa-log -R -f <nb>` where `<nb>` is `1`, `2`, `3` and `4` (the rotated audit log file)
+
 [newissue]: https://github.com/roddhjav/apparmor.d/issues/new
 [paste]: https://pastebin.com/

docs/usage.md

@@ -86,17 +86,27 @@ Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logp
 
 To read the AppArmor log from `/var/log/audit/audit.log`:
 ```sh
-aa-log
+$ aa-log
 ```
 
 To optionally filter a given profile name: `aa-log <profile-name>` (your shell will autocomplete the profile name):
 ```
-aa-log dnsmasq
+$ aa-log dnsmasq
 DENIED  dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
 DENIED  dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r
 DENIED  dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
 ```
 
+To generate AppArmor rule:
+```sh
+$ aa-log -r dnsmasq
+profile dnsmasq {
+  @{PROC}/@{pid}/environ r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+}
+```
+
 !!! info
 
     Other logs file in `/var/log/audit/` can easily be checked: `aa-log -f 1`

docs/variables.md

@@ -86,7 +86,6 @@ title: Variables References
 | Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` |
 | Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | |
 | Hexadecimal | `@{h}*@{h}` |  |
-| MD5 hash | `@{md5}` |  |
 | Universally unique identifier | `@{uuid}` |  |
 | Current Process id | `@{pid}` | `[0-9]*` |
 | Processes ids | `@{pids}` | `[0-9]*` |

pkg/prebuild/cfg/directories.go

@@ -28,8 +28,13 @@ var (
 	// DebianDir is the directory where the debian specific files are stored
 	DebianDir *paths.Path = paths.New("debian")
 
-	// Either or not overwrite some upstreamed profile
+	// AppArmor 4.0 contains several profiles that allow userns and are otherwise
-	Overwrite = Overwriter{Enabled: false}
+	// unconfined. Overwriter disables upstream profile in favor of (better) apparmor.d
+	// counterpart
+	Overwrite Overwriter = false
+
+	// DebianHide is the path to the debian/apparmor.d.hide file
+	DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")}
 
 	Ignore = Ignorer{}
 	Flags  = Flagger{}

pkg/prebuild/cfg/files.go

@@ -5,11 +5,15 @@
 package cfg
 
 import (
+	"fmt"
+	"os"
 	"strings"
 
+	"github.com/roddhjav/apparmor.d/pkg/paths"
 	"github.com/roddhjav/apparmor.d/pkg/util"
 )
 
+// Default content of debian/apparmor.d.hide. Whonix has special addition.
 var Hide = `# This file is generated by "make", all edit will be lost.
 
 /etc/apparmor.d/usr.bin.firefox
@@ -50,42 +54,42 @@ func (i Ignorer) Read(name string) []string {
 	return util.MustReadFileAsLines(path)
 }
 
-type Overwriter struct {
+type Overwriter bool
-	Enabled bool
+
-}
+// Overwrite upstream profile: disable upstream & rename ours
+func (o Overwriter) Apply() error {
+	const ext = ".apparmor.d"
+	disableDir := RootApparmord.Join("disable")
+	if err := disableDir.Mkdir(); err != nil {
+		return err
+	}
 
-// Get the list of upstream profiles to overwrite from dist/overwrite
-func (o Overwriter) Get() []string {
 	path := DistDir.Join("overwrite")
 	if !path.Exist() {
-		return []string{}
+		return fmt.Errorf("%s not found", path)
 	}
-	return util.MustReadFileAsLines(path)
+	for _, name := range util.MustReadFileAsLines(path) {
-}
-
-// Overwrite upstream profile for APT: rename our profile & hide upstream
-func (o Overwriter) Apt(files []string) {
-	const ext = ".apparmor.d"
-	file, err := DebianDir.Join("apparmor.d.hide").Append()
-	if err != nil {
-		panic(err)
-	}
-	for _, name := range files {
 		origin := RootApparmord.Join(name)
 		dest := RootApparmord.Join(name + ext)
 		if err := origin.Rename(dest); err != nil {
-			panic(err)
+			return err
 		}
-		if _, err := file.WriteString("/etc/apparmor.d/" + name + "\n"); err != nil {
+		originRel, err := origin.RelFrom(dest)
-			panic(err)
+		if err != nil {
+			return err
+		}
+		if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil {
+			return err
 		}
 	}
+	return nil
 }
 
-// Clean the debian/apparmor.d.hide file
+type DebianHider struct {
-func (o Overwriter) AptClean() {
+	path *paths.Path
-	path := DebianDir.Join("apparmor.d.hide")
+}
-	if err := path.WriteFile([]byte(Hide)); err != nil {
+
-		panic(err)
+// Initialize the file with content from Hide
-	}
+func (d DebianHider) Init() error {
+	return d.path.WriteFile([]byte(Hide))
 }

pkg/prebuild/cfg/files_test.go

@@ -102,64 +102,3 @@ code
 		})
 	}
 }
-
-func TestOverwriter_Get(t *testing.T) {
-	tests := []struct {
-		name    string
-		content string
-		want    []string
-	}{
-		{
-			name: "empty",
-			content: `
-
-`,
-			want: []string{},
-		},
-		{
-			name: "main",
-			content: `
-# This is managed globally 
-brave # not so brave
-chrome
-firefox
-`,
-			want: []string{
-				"brave",
-				"chrome",
-				"firefox",
-			},
-		},
-	}
-	DistDir = paths.New("/tmp/")
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := DistDir.Join("overwrite").WriteFile([]byte(tt.content))
-			if err != nil {
-				return
-			}
-			if got := Overwrite.Get(); !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("Overwriter.Get() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestOverwriter_Apt(t *testing.T) {
-	tests := []struct {
-		name  string
-		files []string
-	}{
-		{
-			name:  "empty",
-			files: []string{},
-		},
-	}
-	DebianDir = paths.New("/tmp/")
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			Overwrite.Apt(tt.files)
-			Overwrite.AptClean()
-		})
-	}
-}

pkg/prebuild/prebuild.go

@@ -32,22 +32,27 @@ func init() {
 	builder.Register("dev")
 
 	switch cfg.Distribution {
+	case "opensuse":
+		builder.Register("abi3")
+		cfg.Overwrite = true
+
 	case "ubuntu":
 		if cfg.Release["VERSION_CODENAME"] == "noble" {
 			builder.Register("abi3")
-			cfg.Overwrite.Enabled = true
+			cfg.Overwrite = true
 		}
+
 	case "whonix":
 		cfg.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure
 /etc/apparmor.d/home.tor-browser.firefox
-/etc/apparmor.d/tunables/home.d/anondist
+/etc/apparmor.d/tunables/homsanitycheck
+/etc/apparmor.d/usr.bin.url_e.d/anondist
 /etc/apparmor.d/tunables/home.d/live-mode
 /etc/apparmor.d/tunables/home.d/qubes-whonix-anondist
 /etc/apparmor.d/usr.bin.hexchat
 /etc/apparmor.d/usr.bin.sdwdate
 /etc/apparmor.d/usr.bin.systemcheck
-/etc/apparmor.d/usr.bin.timesanitycheck
+/etc/apparmor.d/usr.bin.timeto_unixtime
-/etc/apparmor.d/usr.bin.url_to_unixtime
 /etc/apparmor.d/whonix-firewall
 `
 	}

pkg/prebuild/prepare/configure.go

@@ -28,12 +28,21 @@ func (p Configure) Apply() ([]string, error) {
 	res := []string{}
 	switch cfg.Distribution {
 	case "arch", "opensuse":
+		if cfg.Overwrite {
+			if err := cfg.Overwrite.Apply(); err != nil {
+				return res, err
+			}
+		}
 
 	case "ubuntu":
-		cfg.Overwrite.AptClean()
+		if err := cfg.DebianHide.Init(); err != nil {
-		if cfg.Overwrite.Enabled {
+			return res, err
-			profiles := cfg.Overwrite.Get()
+		}
-			cfg.Overwrite.Apt(profiles)
+
+		if cfg.Overwrite {
+			if err := cfg.Overwrite.Apply(); err != nil {
+				return res, err
+			}
 		} else {
 			if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil {
 				return res, err
@@ -41,7 +50,9 @@ func (p Configure) Apply() ([]string, error) {
 		}
 
 	case "debian", "whonix":
-		cfg.Overwrite.AptClean()
+		if err := cfg.DebianHide.Init(); err != nil {
+			return res, err
+		}
 
 		// Copy Debian specific abstractions
 		if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil {

pkg/util/tools.go

@@ -71,11 +71,11 @@ func DecodeHexInString(str string) string {
 func RemoveDuplicate[T comparable](inlist []T) []T {
 	var empty T
 	list := []T{}
-	keys := map[T]bool{}
+	seen := map[T]bool{}
-	keys[empty] = true
+	seen[empty] = true
 	for _, item := range inlist {
-		if _, ok := keys[item]; !ok {
+		if _, ok := seen[item]; !ok {
-			keys[item] = true
+			seen[item] = true
 			list = append(list, item)
 		}
 	}