From ef9000e59edb1a93645514f02423a6e40a2dd1a5 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Sun, 14 Jul 2024 14:56:37 +0300 Subject: [PATCH 1/8] Update firewalld Add changes from aa-log -r. Add attach_disconnected. Add profile to main.flags, it was missing there for some reason. There's some uncertainty about some lines, see comments. --- apparmor.d/profiles-a-f/firewalld | 25 +++++++++++++++++++++++-- dists/flags/main.flags | 1 + 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index 143719f0d..fdca331a4 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/firewalld -profile firewalld @{exec_path} { +profile firewalld @{exec_path} flags=(attach_disconnected) { include include include @@ -15,10 +15,12 @@ profile firewalld @{exec_path} { include include + capability dac_read_search, capability mknod, capability net_admin, capability net_raw, capability setpcap, + capability sys_module, network inet raw, network inet6 raw, @@ -50,10 +52,11 @@ profile firewalld @{exec_path} { @{bin}/false rix, @{bin}/ipset rix, @{bin}/kmod rPx, + @{bin}/modprobe rPx, @{bin}/xtables-legacy-multi rix, @{bin}/xtables-nft-multi rix, - /usr/local/lib/python3.10/dist-packages/ r, + /usr/local/lib/python*/dist-packages/ r, /usr/share/libalternatives/ r, /usr/share/libalternatives/ebtables*/{,*} r, 
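Review bot: `capability sys_module,` is added to the firewalld profile itself in the `@@ -15,10 +15,12 @@` hunk of apparmor.d/profiles-a-f/firewalld, although the same patch execs `@{bin}/kmod` and `@{bin}/modprobe` with `rPx`, so module loading happens under the kmod profile and the capability is probably never exercised here; it lets the confined process load arbitrary kernel modules, so it deserves either removal or a why-comment. `capability dac_read_search,` is likewise a broad grant (it bypasses read and search permission checks on any path) and is best justified inline, e.g. `capability dac_read_search, # for <denied path from aa-log>`. The profile body continues outside the hunk.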
@@ -62,20 +65,38 @@ profile firewalld @{exec_path} { /etc/firewalld/{,**} rw, /etc/iproute2/group r, /etc/iproute2/rt_realms r, + # Maybe change to as in kmod,lspci,...? + # /etc/modprobe.d/{,*.conf} r, + /etc/modprobe.d/ r, + /etc/modprobe.d/firewalld-sysctls.conf r, /var/lib/ebtables/lock rwk, /var/log/firewalld rw, @{run}/firewalld/{,*} rw, + @{run}/modprobe.d/ r, # Maybe change to as in kmod,lspci? + # @{run}/modprobe.d/{,*.conf} r, @{run}/xtables.lock rwk, + @{PROC}/cmdline r, @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pids}/net/ip_tables_names r, + @{sys}/module/compression r, + # Maybe change to as in systemd-modules-load? + # @{sys}/module/*/initstate r, + @{sys}/module/crc32c_generic/initstate r, + @{sys}/module/crc32c_intel/initstate r, + @{sys}/module/libcrc32c/initstate r, + @{sys}/module/nf_conntrack/initstate r, + @{sys}/module/nf_conntrack_tftp/initstate r, + @{sys}/module/nf_defrag_ipv{4,6}/initstate r, + @{sys}/module/nf_nat/initstate r, + include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3239cd47b..737531b47 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -106,6 +106,7 @@ fail2ban-server attach_disconnected,complain fdisk complain firewall-applet attach_disconnected,complain firewall-config complain +firewalld attach_disconnected,complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain From d96550cd279370913fa36f12a960aa5cc6c286c8 Mon Sep 17 00:00:00 2001 From: REmerald <55359236+REmerald@users.noreply.github.com> Date: Tue, 16 Jul 2024 17:25:02 +0300 Subject: [PATCH 2/8] firewalld: make changes from the reviews See #441 Also, I changed @{run}/modprobe.d/ to @{run}/modprobe.d/{,*.conf} --- apparmor.d/profiles-a-f/firewalld | 31 +++++++++++-------------------- 1 file changed, 11 insertions(+), 20 deletions(-) 
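Review bot: The paths added in the `@@ -62,20 +65,38 @@` hunk (`/etc/modprobe.d/`, `@{run}/modprobe.d/`, `@{PROC}/cmdline`, the `@{sys}/module/*/initstate` set) are what a module loader reads rather than firewalld itself, which suggests the aa-log entries came from a kmod/modprobe run that inherited this profile; since this patch transitions both with `rPx`, it is worth confirming the rules are still hit before keeping them here instead of in the kmod profile. If they stay, the author's own question is right: a directory rule such as `@{run}/modprobe.d/ r,` only allows listing, so reading the configs needs `@{run}/modprobe.d/{,*.conf} r,` and likewise `/etc/modprobe.d/{,*.conf} r,`. `@{PROC}/cmdline r,` exposes the full kernel command line, which can carry sensitive boot parameters, so keep it only if a denial proves it is needed.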
diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index fdca331a4..1d683c327 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -14,6 +14,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability mknod, @@ -51,12 +52,12 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/ebtables-legacy-restore rix, @{bin}/false rix, @{bin}/ipset rix, - @{bin}/kmod rPx, + @{bin}/kmod rix, @{bin}/modprobe rPx, @{bin}/xtables-legacy-multi rix, @{bin}/xtables-nft-multi rix, - /usr/local/lib/python*/dist-packages/ r, + /usr/local/lib/python3.@{int}/dist-packages/ r, /usr/share/libalternatives/ r, /usr/share/libalternatives/ebtables*/{,*} r, 
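Review bot: `@{bin}/kmod rix,` next to the unchanged `@{bin}/modprobe rPx,` in the `@@ -51,12 +52,12 @@` hunk gives the two entry points of the same tool different confinement: exec rules are matched on the resolved target path, so on layouts where `modprobe` is a symlink to `kmod` the exec matches `kmod rix` and modprobe runs inside firewalld's profile (needing `capability sys_module` and the modprobe.d rules here), while on other layouts it transitions to the kmod profile. Pick one mode for both; if `rix` is the intent, `@{bin}/modprobe rix,` makes the behaviour identical everywhere.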
@@ -65,38 +66,28 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /etc/firewalld/{,**} rw, /etc/iproute2/group r, /etc/iproute2/rt_realms r, - # Maybe change to as in kmod,lspci,...? - # /etc/modprobe.d/{,*.conf} r, - /etc/modprobe.d/ r, - /etc/modprobe.d/firewalld-sysctls.conf r, /var/lib/ebtables/lock rwk, /var/log/firewalld rw, @{run}/firewalld/{,*} rw, - @{run}/modprobe.d/ r, # Maybe change to as in kmod,lspci? - # @{run}/modprobe.d/{,*.conf} r, + @{run}/modprobe.d/{,*.conf} r, @{run}/xtables.lock rwk, - @{PROC}/cmdline r, + @{sys}/module/compression r, + @{sys}/module/crc32c_{generic,intel}/initstate r, + @{sys}/module/libcrc32c/initstate r, + @{sys}/module/nf_conntrack{,_tftp}/initstate r, + @{sys}/module/nf_defrag_ipv{4,6}/initstate r, + @{sys}/module/nf_nat/initstate r, + @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pids}/net/ip_tables_names r, - @{sys}/module/compression r, - # Maybe change to as in systemd-modules-load? - # @{sys}/module/*/initstate r, - @{sys}/module/crc32c_generic/initstate r, - @{sys}/module/crc32c_intel/initstate r, - @{sys}/module/libcrc32c/initstate r, - @{sys}/module/nf_conntrack/initstate r, - @{sys}/module/nf_conntrack_tftp/initstate r, - @{sys}/module/nf_defrag_ipv{4,6}/initstate r, - @{sys}/module/nf_nat/initstate r, - include if exists } From d05c9b92765412aa0e0dc8824fb3f2598ad4fcf0 Mon Sep 17 00:00:00 2001 From: odomingao Date: Fri, 19 Jul 2024 13:54:08 -0300 Subject: [PATCH 3/8] Fix hyprpicker (#418) --- apparmor.d/groups/hyprland/hyprpicker | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index d9af7f884..77edc07dc 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker 
@@ -16,6 +16,9 @@ profile hyprpicker @{exec_path} { /usr/share/icons/** r, owner @{run}/user/@{uid}/.hyprpicker* rw, + owner /dev/shm/wlroots-@{rand6} r, + + owner /dev/tty@{int} rw, include if exists } From aaf435ece166d4fc0765fd96b2554293184f5bcc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Jul 2024 19:22:32 +0100 Subject: [PATCH 4/8] feat(profile): general update. --- .../abstractions/freedesktop.org.d/complete | 2 -- apparmor.d/groups/grub/grub-mkconfig | 4 ++- apparmor.d/groups/grub/grub-probe | 2 ++ apparmor.d/groups/systemd/systemd-logind | 2 ++ apparmor.d/profiles-a-f/firewalld | 27 ++++--------------- apparmor.d/profiles-g-l/ifup | 6 ++--- apparmor.d/profiles-m-r/os-prober | 6 +++-- apparmor.d/profiles-s-z/wsdd | 3 +++ 8 files changed, 21 insertions(+), 31 deletions(-) diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 3e669f4dc..ed4f067a5 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -13,8 +13,6 @@ @{system_share_dirs}/ r, @{system_share_dirs}/mime/ r, - /usr/share/mime/ r, - /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index d44ffcf3d..cd9c825f6 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -32,6 +32,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, + @{bin}/grub-editenv rPx, @{bin}/grub-mkrelpath rPx, @{bin}/grub-probe rPx, @{bin}/grub-script-check rPx, @@ -60,6 +61,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/zpool rPx, /etc/grub.d/{,**} rix, + @{lib}/grub-customizer/* rix, @{lib}/grub/grub-sort-version rPx, @{lib}/libostree/grub[0-9]-@{int}_ostree rix, 
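Review bot: The empty added line between `owner /dev/shm/wlroots-@{rand6} r,` and `owner /dev/tty@{int} rw,` in the `@@ -16,6 +16,9 @@` hunk of apparmor.d/groups/hyprland/hyprpicker splits two device rules that the other profiles in this series keep in one block; drop the blank `+` line so the `/dev` rules stay grouped. The `rw` on the tty is presumably for terminal output, but a short trailing comment would save the next reader a lookup.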
@@ -81,7 +83,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /boot/{,**} r, /boot/grub/{,**} rw, - # owner /tmp/** rw, + /tmp/grub-*.@{rand10}/{,**} rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index f0bbf8e41..d0ef6b78b 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -13,6 +13,7 @@ profile grub-probe @{exec_path} { include include + capability dac_read_search, capability sys_admin, @{exec_path} mr, @@ -36,6 +37,7 @@ profile grub-probe @{exec_path} { /dev/bus/ r, /dev/bus/usb/ r, /dev/bus/usb/@{int}/ r, + /dev/char/ r, /dev/cpu/ r, /dev/cpu/@{int}/ r, /dev/dma_heap/ r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index d5c7b963e..9a0a2c7d7 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -79,7 +79,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+hid:* r, @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+wakeup:* r, @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index 1d683c327..ea083ed96 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -9,12 +9,12 @@ include @{exec_path} = @{bin}/firewalld profile firewalld @{exec_path} flags=(attach_disconnected) { include + include include include - include include + include include - include capability dac_read_search, capability mknod, 
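Review bot: `/tmp/grub-*.@{rand10}/{,**} rw,` in the `@@ -81,7 +83,7 @@` hunk of apparmor.d/groups/grub/grub-mkconfig drops the `owner` qualifier that the replaced commented rule carried, and uses a literal `/tmp` where os-prober in this same commit uses `@{tmp}`. grub-mkconfig runs as root, so without `owner` the rule also matches a `grub-*.` directory that an unprivileged user pre-created in the shared /tmp; `owner @{tmp}/grub-*.@{rand10}/{,**} rw,` keeps the profile consistent with `owner @{tmp}/os-prober.*/{,**} rw,` and closes that gap.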
@@ -27,21 +27,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - dbus receive bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.direct - member=passthrough - peer=(name=:*, label=libvirtd), - - dbus receive bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.zone - member={changeZoneOfInterface,getZones} - peer=(name=:*, label=libvirtd), - - dbus receive bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.zone - member={changeZoneOfInterface,removeInterface} - peer=(name=:*, label=libvirtd), - #aa:dbus own bus=system name=org.fedoraproject.FirewallD1 @{exec_path} mr, @@ -53,7 +38,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/false rix, @{bin}/ipset rix, @{bin}/kmod rix, - @{bin}/modprobe rPx, + @{bin}/modprobe rix, @{bin}/xtables-legacy-multi rix, @{bin}/xtables-nft-multi rix, @@ -76,11 +61,9 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{run}/xtables.lock rwk, @{sys}/module/compression r, - @{sys}/module/crc32c_{generic,intel}/initstate r, + @{sys}/module/crc32c_*/initstate r, @{sys}/module/libcrc32c/initstate r, - @{sys}/module/nf_conntrack{,_tftp}/initstate r, - @{sys}/module/nf_defrag_ipv{4,6}/initstate r, - @{sys}/module/nf_nat/initstate r, + @{sys}/module/nf_*/initstate r, @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index e621bd7f0..4788daeb6 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -106,10 +106,8 @@ profile ifup @{exec_path} { profile sysctl { include -# capability mac_admin, - capability net_admin, - capability sys_admin, -# capability sys_resource, + capability net_admin, + capability sys_admin, @{bin}/sysctl mr, 
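Review bot: With `@{bin}/modprobe rix,` in the `@@ -53,7 +38,7 @@` hunk both kmod and modprobe now run inside firewalld's profile, so the profile has to carry everything the module loader reads itself; `@{run}/modprobe.d/{,*.conf} r,` survived the previous patch but `/etc/modprobe.d/{,*.conf} r,` was dropped there, so unless one of the reshuffled includes in the first hunk provides it, module option files under /etc will be denied. Either re-add `/etc/modprobe.d/{,*.conf} r,` next to the `@{run}/modprobe.d` rule or note in a comment which include covers it. The `capability sys_module` granted in the first patch is, with this change, actually exercised by this profile.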
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 819c4c9bd..c9c9ea2df 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -10,6 +10,7 @@ include profile os-prober @{exec_path} flags=(attach_disconnected) { include include + include capability dac_read_search, capability sys_admin, @@ -59,11 +60,12 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { / r, /boot/{efi/,} r, /boot/{efi/,}EFI/ r, - /boot/{efi/,}EFI/*/ r, + /boot/{efi/,}EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, - @{sys}/block/ r, + @{run}/mount/utab r, + @{sys}/devices/@{pci}/block/*/ r, @{sys}/devices/virtual/block/*/ r, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 92b0f360f..56a852d11 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -10,9 +10,12 @@ include profile wsdd @{exec_path} { include include + include network inet dgram, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink raw, @{exec_path} mr, From 6073dc491f0fdd56f83bcfd2beb74a07591badad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Jul 2024 19:23:48 +0100 Subject: [PATCH 5/8] feat(profile): add nvidia-smi. --- apparmor.d/profiles-m-r/nvidia-smi | 34 ++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 35 insertions(+) create mode 100644 apparmor.d/profiles-m-r/nvidia-smi diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi new file mode 100644 index 000000000..571ab3311 --- /dev/null +++ b/apparmor.d/profiles-m-r/nvidia-smi 
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/nvidia-smi +profile nvidia-smi @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, + + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 737531b47..57862b8ce 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -255,6 +255,7 @@ nmap complain nmcli complain nvidia-detector complain nvidia-persistenced complain +nvidia-smi complain okular complain ollama attach_disconnected,complain os-prober attach_disconnected,complain From 245898a9d2da324c99f33dded2406be659ff7806 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Jul 2024 13:06:30 +0100 Subject: [PATCH 6/8] feat(profile): ensure any gnome extension can be launched. see #422 --- apparmor.d/groups/bus/dbus-session | 1 + apparmor.d/groups/gnome/gnome-extension-ding | 7 +++++-- apparmor.d/groups/gnome/gnome-extension-gsconnect | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 3 ++- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 423df6a26..d3da171f1 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -40,6 +40,7 @@ profile dbus-session flags=(attach_disconnected) { @{bin}/** PUx, @{lib}/** PUx, + @{user_share_dirs}/*/** PUx, /usr/share/*/** PUx, /etc/dbus-1/{,**} r, 
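Review bot: `/dev/nvidia-caps/ rw,` in the new apparmor.d/profiles-m-r/nvidia-smi grants write on a device directory, which permits creating and removing entries in it, while the sibling rule `/dev/nvidia-caps/nvidia-cap@{int} r,` only reads the nodes. If nvidia-smi merely enumerates the directory, `/dev/nvidia-caps/ r,` is the tighter rule; if it really creates nodes there, a trailing comment like the one on the `/dev/char/@{dynamic}:@{int} w,` line should say so.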
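Review bot: `@{user_share_dirs}/*/** PUx,` in the `@@ -40,6 +40,7 @@` hunk of apparmor.d/groups/bus/dbus-session lets the session bus activate any file under the user-writable share directory (typically ~/.local/share/<anything>/) and run it unconfined whenever no profile attaches, a much wider fallback than the existing `@{bin}/**` and `@{lib}/**` rules that cover root-owned paths; the gnome-shell hunk in this commit (`@{user_share_dirs}/gnome-shell/extensions/*/** rPUx,`) has the same shape. Since the commit targets GNOME extensions, consider narrowing the dbus-session rule to `@{user_share_dirs}/gnome-shell/extensions/*/** PUx,` (or at least `owner`-qualifying it) and adding a comment stating that the unconfined fallback is deliberate, so it stays visible to the next reviewer.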
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index d8c5a9cfe..1cef7f074 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -6,7 +6,10 @@ abi , include -@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}ding.js +@{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com +@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com + +@{exec_path} = @{share_dirs}/{,app/}ding.js profile gnome-extension-ding @{exec_path} { include include @@ -57,7 +60,7 @@ profile gnome-extension-ding @{exec_path} { @{bin}/gnome-control-center rPx, @{bin}/nautilus rPx, - /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}* r, + @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 5808aecad..10db5f66d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -6,8 +6,8 @@ abi , include -@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/ -@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/ +@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io +@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io @{exec_path} = @{share_dirs}/service/daemon.js profile gnome-extension-gsconnect @{exec_path} { diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 4e36f1020..0e68c90a9 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -188,7 +188,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, - /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, + @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, + /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, /opt/*/**/*.png r, From 52a2ae8c230cf85767eb99e2d7479bcf2e5647b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Jul 2024 13:13:27 +0100 Subject: [PATCH 7/8] feat(profile): general update. see #422 --- apparmor.d/abstractions/app-open | 3 +++ apparmor.d/abstractions/app/firefox | 9 ++++++--- apparmor.d/groups/browsers/firefox-crashreporter | 2 ++ apparmor.d/groups/bus/dbus-session | 2 ++ apparmor.d/groups/freedesktop/plymouthd | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 12 ++---------- apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gnome-tweaks | 4 ++++ apparmor.d/groups/gpg/gpg | 2 ++ apparmor.d/groups/ssh/ssh | 5 ++--- apparmor.d/profiles-a-f/agetty | 2 +- apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-a-f/firewalld | 4 +--- apparmor.d/profiles-m-r/pcscd | 3 ++- apparmor.d/profiles-m-r/power-profiles-daemon | 1 + apparmor.d/profiles-s-z/smartd | 6 ++---- apparmor.d/profiles-s-z/su | 2 ++ apparmor.d/profiles-s-z/w3m | 15 ++++++++++++--- 19 files changed, 48 insertions(+), 28 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 942e0a55b..8c4efc350 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -50,6 +50,9 @@ @{bin}/vlc rPUx, @{bin}/xbrlapi rPx, + #aa:only opensuse + @{lib}/YaST2/** rPUx, + include if exists diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index bf86f419c..9de4359e1 100644 
--- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -100,6 +100,12 @@ owner @{tmp}/tmpaddon r, owner @{tmp}/tmpaddon-@{int} r, + owner /dev/shm/org.chromium.@{rand6} rw, + owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, + owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, + @{run}/mount/utab r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @@ -144,9 +150,6 @@ /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, - owner /dev/shm/org.chromium.* rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, - owner /dev/shm/wayland.mozilla.ipc.@{int} rw, owner /dev/tty@{int} rw, # File Inherit # Silencer diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 8d62a6fbf..5223486d0 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -54,6 +54,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, + owner @{PROC}/@{pid}/cmdline r, + /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index d3da171f1..e5e382795 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -54,6 +54,8 @@ profile dbus-session flags=(attach_disconnected) { owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{user_share_dirs}/dbus-1/services/{,**} r, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 16e87a50d..815375f20 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd 
@@ -42,6 +42,7 @@ profile plymouthd @{exec_path} { /etc/vconsole.conf r, /var/lib/plymouth/{,**} rw, + /var/log/plymouth-*.log w, @{run}/plymouth/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 10db5f66d..3083c73f9 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,9 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include - include - include + include include include include @@ -32,10 +30,10 @@ profile gnome-extension-gsconnect @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/env rix, @{bin}/gjs-console rix, @{bin}/openssl rix, - @{sh_path} rix, @{bin}/ssh-add rix, @{bin}/ssh-keygen rPx, @@ -49,18 +47,12 @@ profile gnome-extension-gsconnect @{exec_path} { @{share_dirs}/{,**} r, @{share_dirs}/gsconnect-preferences rix, - /etc/machine-id r, - owner @{user_cache_dirs}/gsconnect/{,**} rw, - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/gsconnect/{,**} rw, owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{user_share_dirs}/ r, - owner @{run}/user/@{uid}/gsconnect/ w, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 722a69fe7..5d945b641 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -38,6 +38,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { @{bin}/ssh-add rix, @{bin}/ssh-agent rPx, + @{lib}/gcr-ssh-askpass rPUx, /etc/gcrypt/hwf.deny r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index ddb95f1b9..b1a0bd8ac 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
@@ -78,6 +78,7 @@ profile gnome-software @{exec_path} { owner @{user_cache_dirs}/flatpak/{,**} rwl, owner @{user_cache_dirs}/gnome-software/{,**} rw, + owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, owner @{user_share_dirs}/ r, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index a04234cce..84f37da76 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -12,6 +12,7 @@ profile gnome-tweaks @{exec_path} { include include include + include include include @@ -38,6 +39,9 @@ profile gnome-tweaks @{exec_path} { owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, owner @{user_share_dirs}/recently-used.xbel* rw, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + owner @{PROC}/@{pid}/fd/ r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 9d23622d2..b549f1477 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -65,6 +65,8 @@ profile gpg @{exec_path} { owner /tmp/@{int}@{int} rw, + owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index d4c948f86..1dac2be00 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -27,12 +27,11 @@ profile ssh @{exec_path} { @{bin}/{c,k,tc,z}sh rix, @{etc_ro}/ssh/ssh_config r, + @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/sshd_config r, @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - /etc/ssh/ssh_config r, - /etc/ssh/ssh_config.d/{,*} r, - + owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, owner @{HOME}/@{XDG_SSH_DIR}/config r, 
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index ec711895d..3db817006 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -30,7 +30,7 @@ profile agetty @{exec_path} { /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, /etc/login.defs r, - /etc/login.defs.d/ r, + /etc/login.defs.d/{,*} r, /etc/os-release r, /usr/etc/login.defs r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 4e432e2f1..e82f0d372 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -25,6 +25,7 @@ profile file-roller @{exec_path} { # Archivers @{bin}/7z rix, + @{bin}/7zz rix, @{bin}/ar rix, @{bin}/bzip2 rix, @{bin}/cpio rix, diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index ea083ed96..d32790f0b 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -61,9 +61,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{run}/xtables.lock rwk, @{sys}/module/compression r, - @{sys}/module/crc32c_*/initstate r, - @{sys}/module/libcrc32c/initstate r, - @{sys}/module/nf_*/initstate r, + @{sys}/module/*/initstate r, @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 9a25cd7d2..200319c6c 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -16,12 +16,13 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace (read) peer=veracrypt, ptrace (read) peer=@{p_systemd_user}, ptrace (read) peer=gsd-smartcard, + ptrace (read) peer=keepassxc, ptrace (read) peer=pkcs11-register, ptrace (read) peer=rngd, ptrace (read) peer=scdaemon, + ptrace (read) peer=veracrypt, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 067968258..8f85f3c03 100644 
--- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -28,6 +28,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply:* r, @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index 4548813bf..bdac4d92f 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -14,11 +14,9 @@ profile smartd @{exec_path} { include include - capability sys_rawio, + capability net_admin, capability sys_admin, - - # Needed? - audit capability net_admin, + capability sys_rawio, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 429c48938..237d5ed02 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -26,6 +26,8 @@ profile su @{exec_path} { @{bin}/@{shells} rUx, @{bin}/nologin rPx, + @{etc_ro}/default/su r, + include if exists } diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m index 5b919ecc0..b4601147a 100644 --- a/apparmor.d/profiles-s-z/w3m +++ b/apparmor.d/profiles-s-z/w3m @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only @@ -9,6 +10,7 @@ include @{exec_path} = @{bin}/w3m profile w3m @{exec_path} { include + include include include include @@ -21,13 +23,20 @@ profile w3m @{exec_path} { @{exec_path} mr, + @{sh_path} rix, + @{lib}/w3m/cgi-bin/* rix, + @{lib}/w3m/* rix, + /usr/share/terminfo/{,**} r, + /etc/mime.types r, /etc/w3m/{,**} r, - owner @{HOME}/.w3m/{,**} r, - owner @{user_config_dirs}/w3m/{,**} r, - owner /tmp/@{rand6}/{,**} rw, + owner @{HOME}/.w3m/{,**} rw, + + owner @{user_config_dirs}/w3m/{,**} rw, + + owner @{tmp}/@{rand6}/{,**} rw, include if exists } 
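Review bot: `capability net_admin,` in the `@@ -14,11 +14,9 @@` hunk of apparmor.d/profiles-s-z/smartd replaces `audit capability net_admin,` and deletes the `# Needed?` question without recording the answer; dropping `audit` removes the log line that would have shown whether the capability is ever exercised. If a log confirmed it, keep that fact next to the rule, e.g. `capability net_admin, # <what smartd used it for, from the audit log>`; if nothing confirmed it, the audited form was the safer one to keep.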
From d9ca201519ddd361987860efccf95babbe24163c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Jul 2024 13:20:45 +0100 Subject: [PATCH 8/8] feat(profile): cleanup handling of gnome session. --- apparmor.d/groups/gnome/gdm-prime-defaut | 18 ++++++++++++++++++ apparmor.d/groups/gnome/gdm-session | 9 +-------- apparmor.d/groups/gnome/gnome-control-center | 5 +---- apparmor.d/groups/gnome/gnome-session-binary | 5 +---- 4 files changed, 21 insertions(+), 16 deletions(-) create mode 100644 apparmor.d/groups/gnome/gdm-prime-defaut diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut new file mode 100644 index 000000000..5e4e02b6f --- /dev/null +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default +profile gdm-defaut @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index d889a708a..da99a23db 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -34,21 +34,14 @@ profile gdm-session @{exec_path} { # only: xorg @{bin}/Xorg rPx, - /etc/gdm{3,}/Prime/Default rix, + /etc/gdm{3,}/Prime/Default rPx, /etc/gdm{3,}/Xsession rPx, /usr/share/gdm{3,}/gdm.schemas r, - /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, - /etc/locale.conf r, - /etc/sysconfig/console r, /etc/sysconfig/displaymanager r, - /etc/sysconfig/language r, - /etc/sysconfig/mail r, - /etc/sysconfig/proxy r, - /etc/sysconfig/windowmanager r, owner @{gdm_cache_dirs}/gdm/ rw, owner @{gdm_cache_dirs}/gdm/Xauthority rw, 
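Review bot: The new file apparmor.d/groups/gnome/gdm-prime-defaut declares `profile gdm-defaut @{exec_path} flags=(complain) {`, so the profile name does not match the file name, both carry the misspelling "defaut", and the file name says "prime" while `@{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default` attaches to both the Init and the Prime script. The `rPx` transition in the gdm-session hunk resolves by attachment path and will work, but if the build tooling keys flags on the profile name (as dists/flags/main.flags in the earlier patches suggests) it will not find `gdm-defaut` under this file; one spelling for both, e.g. `profile gdm-default @{exec_path} flags=(complain) {` in a file of the same name, avoids that. Setting `flags=(complain)` inline also diverges from the series' convention of registering flags in dists/flags/main.flags.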
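Review bot: The `@@ -34,21 +34,14 @@` hunk of apparmor.d/groups/gnome/gdm-session switches `/etc/gdm{3,}/Prime/Default` from `rix` to `rPx` and at the same time removes the `/etc/default/locale`, `/etc/locale.conf` and `/etc/sysconfig/{console,language,mail,proxy,windowmanager}` reads, yet the new profile the script now transitions into only carries `@{exec_path} mr,`; if those files were read by that script, they have moved out of gdm-session without arriving in the new profile, and `complain` there will merely log the denials. Either add the reads to the new profile or note why they are no longer needed; the hunk does not show whether an include covers them.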
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c1802c0a5..7643844c5 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -37,9 +37,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - dbus bus=session, - dbus bus=system, - #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell @@ -68,7 +65,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, @{bin}/usermod rPx, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rPx, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, @{lib}/gnome-control-center-print-renderer rPx, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index c53f26eb2..962897ea8 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -51,10 +51,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/dbus-daemon rPx -> dbus-session, - @{bin}/env rix, - @{bin}/gnome-session rPx, - @{bin}/gnome-shell rPx, + @{bin}/tput rix, @{bin}/session-migration rPx, @{lib}/gnome-session-check-accelerated rix,
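Review bot: `@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,` in the `@@ -68,7 +65,7 @@` hunk of apparmor.d/groups/gnome/gnome-control-center moves the network-facing WebKit helper from its own profile into gnome-control-center's, so a compromise of that process now has everything this profile allows, including the `pkexec` and `usermod` transitions visible in the same hunk. If the dedicated profile was the problem, a child profile (`rCx -> webkit`, name constructed; the repo already uses `rCx -> open` for gnome-shell) keeps the network process isolated; if `rix` is intentional, a comment on the line should say why.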
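Review bot: The `@@ -51,10 +51,7 @@` hunk of apparmor.d/groups/gnome/gnome-session-binary removes `@{bin}/gnome-session rPx,` and `@{bin}/gnome-shell rPx,` (and the `dbus-daemon rPx -> dbus-session` transition) from the process that launches the shell; unless one of the profile's includes, which lie outside the hunk, now supplies those exec rules, starting a session will be denied at exec time and the `@{bin}/tput rix,` addition is the only effective change. A one-line comment naming where the exec rules moved would make the cleanup verifiable.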