Merge branch 'main' into akonadi
This commit is contained in:
commit
c50730a050
62 changed files with 297 additions and 109 deletions
|
|
@ -62,6 +62,9 @@ bubblewrap, toolbox...).
|
|||
This is fundamentally different from how AppArmor is usually used on Linux servers
|
||||
as it is common to only confine the applications that face the internet and/or the users.
|
||||
|
||||
**Presentation**
|
||||
|
||||
- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))
|
||||
|
||||
## Installation
|
||||
|
||||
|
|
|
|||
|
|
@ -17,13 +17,21 @@
|
|||
/opt/*/ r,
|
||||
/opt/*/[a-zA-Z0-9]* rPUx,
|
||||
|
||||
# Codium
|
||||
/usr/share/codium/codium rPUx,
|
||||
|
||||
# Firefox
|
||||
/{usr/,}bin/firefox{,.sh,-esr,-bin} rPx,
|
||||
/{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
|
||||
/opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
|
||||
|
||||
# Thunderbird
|
||||
/{usr/,}bin/thunderbird{,.sh,-esr,-bin} rPx,
|
||||
/{usr/,}lib{,32,64}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx,
|
||||
/opt/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx,
|
||||
|
||||
# Brave
|
||||
/opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin} rPx,
|
||||
/opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin,-browser} rPx,
|
||||
|
||||
# Chromium
|
||||
/{usr/,}lib/chromium/chromium rPx,
|
||||
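Review bot: `/usr/share/codium/codium rPUx,` falls back to running Codium unconfined whenever no matching profile is loaded, whereas the Firefox, Thunderbird and Brave entries in the same block use `rPx` and fail closed; if a codium profile exists in this set, `rPx` keeps the launcher from silently unconfining it, and if not, a comment stating that the fallback is deliberate would help the next reader. The same applies to `/usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,` in the pacman profile further down, which this commit appears to add next to two hook entries that use `rPx`. The enclosing abstraction starts before this hunk.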
|
|
|
|||
|
|
@ -29,6 +29,7 @@
|
|||
include <abstractions/user-download-strict>
|
||||
include <abstractions/user-read>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
|
|
@ -132,8 +133,6 @@
|
|||
# owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
|
||||
# owner @{HOME}/.mozilla/firefox/*/logins.json r,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
/tmp/ r,
|
||||
/var/tmp/ r,
|
||||
owner /tmp/.@{chromium_domain}.* rw,
|
||||
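Review bot: `owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,` is dropped here in favour of `include <abstractions/wayland>`, and the same swap is made for the `wayland-[0-9]*` (or `wayland-[0-9]`) socket rule in most desktop profiles of this commit (ibus-extension-gtk3, xdg-desktop-portal-gnome and -gtk, gjs-console, the gnome-* and gsd-* profiles, apport-gtk, update-manager and others), but the abstraction itself is not among the visible hunks. Every one of those profiles now inherits whatever that file grants, so it is worth confirming it contains only the two `owner @{run}/user/@{uid}/wayland-*` rules being removed and nothing broader; for a Chromium-based browser profile like this one (judging by `@{chromium_domain}`) an abstraction that also pulled in, say, Xauthority or dconf access would be a sizeable widening. The profile body continues outside the hunk.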
|
|
|
|||
33
apparmor.d/groups/apt/apt-overlay
Normal file
33
apparmor.d/groups/apt/apt-overlay
Normal file
|
|
@ -0,0 +1,33 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/apt-overlay
|
||||
profile apt-overlay @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
/{usr/,}bin/apt-get rPx,
|
||||
/{usr/,}bin/ruby* mrix,
|
||||
|
||||
/{usr/,}sbin/apt-overlay r,
|
||||
|
||||
/{usr/,}lib/ruby/{,**} r,
|
||||
/{usr/,}lib/locale/locale-archive r,
|
||||
/{usr/,}lib/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,
|
||||
|
||||
/usr/share/rubygems-integration/{,**} r,
|
||||
|
||||
/ r,
|
||||
/root/ r,
|
||||
|
||||
owner @{PROC}/@{pids}/loginuid r,
|
||||
owner @{PROC}/@{pids}/maps r,
|
||||
|
||||
include if exists <local/apt-overlay>
|
||||
}
|
||||
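Review bot: `/{usr/,}lib/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,` gives an apt hook write and lock access to the system gem specifications, a code-loading path, and pins one Ruby version so the rule goes stale on the next Ruby upgrade; rubygems only reads default gemspecs in normal use, so unless the audit log shows a real write, `/{usr/,}lib/ruby/gems/*/specifications/default/*.gemspec r,` is the safer form. The header sets `@{exec_path} = /{usr/,}bin/apt-overlay` while the body allows `/{usr/,}sbin/apt-overlay r,` — one of the two paths is probably wrong, and if the tool really lives in both places the exec path should list both so the profile attaches. `/root/ r,` is also unexplained and deserves a one-line comment saying what is listed there.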
|
|
@ -42,6 +42,7 @@ profile apt-systemd-daily @{exec_path} {
|
|||
|
||||
/{usr/,}bin/apt-config rPx,
|
||||
/{usr/,}bin/apt-get rPx,
|
||||
/{usr/,}bin/apt-overlay rPx,
|
||||
/{usr/,}bin/unattended-upgrade rPx,
|
||||
|
||||
/etc/default/locale r,
|
||||
|
|
|
|||
|
|
@ -10,14 +10,15 @@ include <tunables/global>
|
|||
@{exec_path} += @{libexec}/ibus-extension-gtk3
|
||||
profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/ibus>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wayland>
|
||||
|
||||
signal (receive) set=term peer=ibus-daemon,
|
||||
|
||||
|
|
@ -74,7 +75,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
||||
/var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r,
|
||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ include <tunables/global>
|
|||
profile child-dpkg {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
capability dac_read_search,
|
||||
capability setgid,
|
||||
|
|
@ -26,11 +27,22 @@ profile child-dpkg {
|
|||
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
|
||||
# shared object file): ignored.
|
||||
/{usr/,}bin/dpkg-query rpx,
|
||||
/{usr/,}bin/dpkg-deb rPx,
|
||||
/{usr/,}bin/dpkg-split rPx,
|
||||
|
||||
/etc/dpkg/dpkg.cfg.d/{,*} r,
|
||||
/etc/dpkg/dpkg.cfg r,
|
||||
|
||||
/usr/share/doc/perl-modules-*/{,**/}*.dpkg-{new,tmp} rwl,
|
||||
/usr/share/perl/*/{,**/}*.dpkg-{new,tmp} rwl,
|
||||
|
||||
/var/lib/dpkg/** r,
|
||||
/var/lib/dpkg/lock rw,
|
||||
/var/lib/dpkg/tmp.ci/control rw,
|
||||
/var/lib/dpkg/tmp.ci/md5sums rw,
|
||||
/var/lib/dpkg/triggers/Lock rw,
|
||||
/var/lib/dpkg/updates/* rw,
|
||||
/var/log/dpkg.log ra,
|
||||
|
||||
# file_inherit
|
||||
/tmp/#[0-9]*[0-9] rw,
|
||||
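Review bot: `/var/lib/dpkg/lock rw,` and `/var/lib/dpkg/triggers/Lock rw,` carry no `k` permission; if dpkg takes an fcntl/flock lock on these files, as their names suggest, AppArmor denies the lock even though open for read/write succeeds, so the rules probably need to read `/var/lib/dpkg/lock rwk,` and `/var/lib/dpkg/triggers/Lock rwk,` (the new apt-overlay profile uses the same `rwk` form on its gemspec rule). The `.dpkg-{new,tmp} rwl` rules for `/usr/share/perl/*/` and `/usr/share/doc/perl-modules-*/` look like two logged denials from a single package unpack; dpkg writes such scratch files wherever it installs, so this list is unlikely to stay complete, and a comment on why only these trees are allowed would help. `profile child-dpkg` ends outside this hunk.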
|
|
|
|||
|
|
@ -37,16 +37,31 @@ profile pulseaudio @{exec_path} {
|
|||
network bluetooth stream,
|
||||
network bluetooth seqpacket,
|
||||
|
||||
dbus send bus=session path=/Client0/EntryGroup[0-9]*
|
||||
dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]*
|
||||
interface=org.freedesktop.Avahi.EntryGroup
|
||||
member={GetState,AddService,AddServiceSubtype,Commit}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/Client0/EntryGroup[0-9]*
|
||||
dbus receive bus=system path=/Client[0-9]*/EntryGroup[0-9]*
|
||||
interface=org.freedesktop.Avahi.EntryGroup
|
||||
member={AddService,AddServiceSubtype,Commit,GetState,StateChanged}
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceBrowser
|
||||
member={ItemNew,ItemRemove}
|
||||
peer=(name=org.freedesktop.Avahi), # no peer's label
|
||||
|
||||
dbus receive bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceResolver
|
||||
member=Found
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus send bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
|
||||
interface=org.freedesktop.Avahi.ServiceResolver
|
||||
member=Free
|
||||
peer=(name=org.freedesktop.Avahi),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
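Review bot: The entry-group send rule at the top of the hunk is on the session bus (`dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]*`) while its receive counterpart and all the new ServiceBrowser/ServiceResolver rules are on `bus=system`; avahi-daemon serves these objects on the system bus, so the session-bus rule looks like a leftover and should probably read `dbus send bus=system path=/Client[0-9]*/EntryGroup[0-9]*` — the audit log will settle it. The new receive rules also match the peer by bus name only, as the `# no peer's label` comment acknowledges; if avahi-daemon is confined in this set, adding its label pins the rule to that profile rather than to whoever happens to own the name. `profile pulseaudio` continues outside this hunk.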
|
|
|
|||
|
|
@ -9,10 +9,41 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/xdg-dbus-proxy
|
||||
profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
dbus (send,receive) bus=system path=/
|
||||
interface=org.freedesktop.DBus
|
||||
member={AddMatch,GetNameOwner}
|
||||
peer=(label=dbus-daemon),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={AddMatch,RemoveMatch,NameHasOwner,GetNameOwner}
|
||||
peer=(label=dbus-daemon),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
|
||||
interface=org.freedesktop.NetworkManager
|
||||
member=GetDevices
|
||||
peer=(label=NetworkManager),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{/Devices/[0-9]*,/ActiveConnection/[0-9]*}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(label=NetworkManager),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings
|
||||
interface=org.freedesktop.NetworkManager.Settings
|
||||
member=ListConnections
|
||||
peer=(label=NetworkManager),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
|
||||
interface=org.freedesktop.NetworkManager.Settings.Connection
|
||||
member=GetSettings
|
||||
peer=(label=NetworkManager),
|
||||
|
||||
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-{system,user} rw,
|
||||
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
|
||||
owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
|
||||
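Review bot: The NetworkManager rules from `path=/org/freedesktop/NetworkManager` down to `member=GetSettings` are granted to xdg-dbus-proxy itself, which relays bus traffic for every sandboxed client (see the firejail and `.dbus-proxy` socket paths at the end of the hunk), so they widen what any proxied application can reach through it; a comment naming the client that needs them, e.g. `# NetworkManager queries relayed for sandboxed clients (needed by <client>)`, would let a later reviewer decide whether they still belong here. Pinning each of them to `peer=(label=NetworkManager)` is the right call. `profile xdg-dbus-proxy` continues outside this hunk.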
|
|
|
|||
|
|
@ -22,6 +22,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
include <abstractions/mesa>
|
||||
include <abstractions/user-download>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
|
|
@ -124,8 +125,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
|
|||
|
||||
owner @{user_share_dirs}/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/user-download>
|
||||
include <abstractions/user-write>
|
||||
include <abstractions/wayland>
|
||||
|
||||
unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
|
||||
|
||||
|
|
@ -169,8 +170,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {
|
|||
@{run}/user/@{uid}/xauth_* rl,
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
|
|
|
|||
|
|
@ -43,8 +43,8 @@ profile xdg-settings @{exec_path} {
|
|||
/var/lib/snapd/desktop/applications/{,*} r,
|
||||
|
||||
# freedesktop.org-strict
|
||||
/usr/share/applications/{,*} r,
|
||||
/usr/share/ubuntu/applications/ r,
|
||||
/usr/{,local/}share/applications/{,*} r,
|
||||
/usr/{,local/}share/ubuntu/applications/ r,
|
||||
owner @{user_share_dirs}/applications/ r,
|
||||
owner @{user_share_dirs}/applications/*.desktop r,
|
||||
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
@ -99,9 +100,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_cache_dirs}/gstreamer-1.0/ rw,
|
||||
owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} {
|
|||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
signal (send) set=kill peer=unconfined,
|
||||
|
||||
|
|
@ -28,7 +29,6 @@ profile gnome-calculator-search-provider @{exec_path} {
|
|||
/usr/share/icons/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pids}/cmdline r,
|
||||
|
|
|
|||
|
|
@ -9,8 +9,9 @@ include <tunables/global>
|
|||
@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService
|
||||
profile gnome-characters-backgroudservice @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/wayland>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -24,8 +25,6 @@ profile gnome-characters-backgroudservice @{exec_path} {
|
|||
|
||||
/etc/gtk-3.0/settings.ini r,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
|
|
|
|||
|
|
@ -9,8 +9,8 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gnome-control-center-print-renderer
|
||||
profile gnome-control-center-print-renderer @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
|
@ -20,6 +20,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
dbus send bus=session path=/org/a11y/bus
|
||||
interface=org.a11y.Bus
|
||||
|
|
@ -44,7 +45,6 @@ profile gnome-control-center-print-renderer @{exec_path} {
|
|||
owner @{user_share_dirs}/icons/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/comm r,
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ profile gnome-control-center-search-provider @{exec_path} {
|
|||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -26,7 +27,6 @@ profile gnome-control-center-search-provider @{exec_path} {
|
|||
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
include if exists <local/gnome-control-center-search-provider>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,17 +9,18 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gnome-session-binary
|
||||
profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
network inet stream,
|
||||
|
|
@ -230,7 +231,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
|
||||
owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
|
||||
owner @{run}/user/@{uid}/systemd/notify w,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
@{sys}/devices/**/{vendor,device} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/video>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/X-strict>
|
||||
|
||||
capability sys_nice,
|
||||
|
|
@ -589,7 +590,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
|
||||
owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
|
||||
owner @{run}/user/@{uid}/systemd/notify rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
|
||||
|
||||
owner /dev/shm/.org.chromium.Chromium.* rw,
|
||||
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@ profile gnome-terminal-server @{exec_path} {
|
|||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/wayland>
|
||||
|
||||
signal (send) set=(term hup kill) peer=unconfined,
|
||||
ptrace (read) peer=unconfined,
|
||||
|
|
@ -47,8 +48,6 @@ profile gnome-terminal-server @{exec_path} {
|
|||
owner @{user_config_dirs}/*xdg-terminals.list* rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
owner /tmp/#[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wayland>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
|
|
@ -134,8 +135,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/icc/edid-*.icc rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wayland>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
|
|
@ -108,8 +109,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wayland>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
|
|
@ -183,8 +184,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
@ -183,8 +184,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
@{run}/udev/data/+backlight:* r,
|
||||
@{run}/udev/data/+leds:*backlight* r,
|
||||
|
|
|
|||
|
|
@ -9,13 +9,14 @@ include <tunables/global>
|
|||
@{exec_path} = @{libexec}/gsd-wacom
|
||||
profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/fontconfig-cache-write>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wayland>
|
||||
|
||||
signal (receive) set=(term, hup) peer=gdm*,
|
||||
|
||||
|
|
@ -107,8 +108,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
|
|||
/usr/share/mime/mime.cache r,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
/var/lib/gdm{3,}/.config/dconf/user r,
|
||||
/var/lib/gdm{3,}/greeter-dconf-defaults r,
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ profile gsd-xsettings @{exec_path} {
|
|||
include <abstractions/gtk>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
@ -143,8 +144,6 @@ profile gsd-xsettings @{exec_path} {
|
|||
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
@{run}/systemd/sessions/* r,
|
||||
@{run}/systemd/users/@{uid} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -38,9 +38,14 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/drm/ r,
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/devices/pci[0-9]*/[0-9]*/drm/card[0-9]*/*/status r,
|
||||
|
||||
/dev/tty rw,
|
||||
/dev/rfkill r,
|
||||
|
||||
include if exists <local/kde-powerdevil>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -84,6 +84,8 @@ profile kded5 @{exec_path} {
|
|||
owner @{user_share_dirs}/kded5/{,**} r,
|
||||
owner @{user_share_dirs}/kscreen/{,**} rw,
|
||||
owner @{user_share_dirs}/ktp/cache.db rwk,
|
||||
owner @{user_share_dirs}/kcookiejar/#@{hex}* rw,
|
||||
owner @{user_share_dirs}/kcookiejar/cookies.* rwkl,
|
||||
|
||||
owner @{run}/user/@{uid}/#[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,
|
||||
|
|
@ -120,4 +122,4 @@ profile kded5 @{exec_path} {
|
|||
}
|
||||
|
||||
include if exists <local/kded5>
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ profile plasmashell @{exec_path} {
|
|||
include <abstractions/app-launcher-user>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
|
|
@ -32,6 +33,11 @@ profile plasmashell @{exec_path} {
|
|||
|
||||
signal (send),
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/UPower/devices/{,DisplayDevice,battery_BAT[0-9]*,mouse_hidpp_battery_[0-9]*}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,PropertiesChanged}
|
||||
peer=(label=upowerd),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{libexec}/libheif/ r,
|
||||
|
|
|
|||
|
|
@ -47,9 +47,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/var/cache/mullvad-vpn/{,*} rw,
|
||||
/var/log/mullvad-vpn/{,*} rw,
|
||||
owner /var/log/private/mullvad-vpn/daemon.log rw,
|
||||
owner /var/log/private/mullvad-vpn/daemon.old.log w,
|
||||
|
||||
owner /var/log/private/mullvad-vpn/*.log rw,
|
||||
|
||||
@{run}/mullvad-vpn rw,
|
||||
@{run}/NetworkManager/resolv.conf r,
|
||||
|
||||
|
|
@ -62,6 +61,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
owner /tmp/talpid-openvpn-@{uuid} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
|
||||
|
||||
/dev/net/tun rw,
|
||||
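Review bot: `@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,` lets the daemon rewrite a kernel routing sysctl, a different class of access from the log and cache rules around it, yet carries no explanation; a comment such as `# sysctl flipped for fwmark-based policy routing (presumably the same knob wg-quick sets) — confirm` would record why write access is needed. `owner` is absent on that line but present on the neighbouring `disable_ipv6` read — harmless on `/proc/sys`, but the inconsistency is worth a glance. `profile mullvad-daemon` continues outside this hunk.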
|
|
|
|||
|
|
@ -57,6 +57,7 @@ profile pacman @{exec_path} {
|
|||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/chgrp rix,
|
||||
/{usr/,}bin/chmod rix,
|
||||
/{usr/,}bin/cp rix,
|
||||
/{usr/,}bin/dot rix,
|
||||
/{usr/,}bin/env rix,
|
||||
/{usr/,}bin/filecap rix,
|
||||
|
|
@ -72,7 +73,7 @@ profile pacman @{exec_path} {
|
|||
/{usr/,}bin/ln rix,
|
||||
/{usr/,}bin/perl rix,
|
||||
/{usr/,}bin/pkill rix,
|
||||
/{usr/,}bin/cp rix,
|
||||
/{usr/,}bin/pwd rix,
|
||||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/setcap rix,
|
||||
|
|
@ -88,6 +89,7 @@ profile pacman @{exec_path} {
|
|||
/{usr/,}bin/dconf rPx,
|
||||
/{usr/,}bin/fc-cache{,-32} rPx,
|
||||
/{usr/,}bin/gdk-pixbuf-query-loaders rPx,
|
||||
/{usr/,}bin/gio-querymodules rPx,
|
||||
/{usr/,}bin/glib-compile-schemas rPx,
|
||||
/{usr/,}bin/groupadd rPx,
|
||||
/{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
|
||||
|
|
@ -107,7 +109,10 @@ profile pacman @{exec_path} {
|
|||
/{usr/,}bin/update-mime-database rPx,
|
||||
/{usr/,}lib/systemd/systemd-* rPx,
|
||||
/{usr/,}lib/vlc/vlc-cache-gen rPx,
|
||||
/opt/Mullvad*/resources/mullvad-setup rPx,
|
||||
/usr/share/code-features/patch.sh rPx,
|
||||
/usr/share/libalpm/scripts/* rPUx,
|
||||
/usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,
|
||||
|
||||
# Install/update packages
|
||||
/ r,
|
||||
|
|
|
|||
24
apparmor.d/groups/pacman/pacman-hook-code
Normal file
24
apparmor.d/groups/pacman/pacman-hook-code
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /usr/share/code-features/patch.sh
|
||||
profile pacman-hook-code @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
capability dac_read_search,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/{,ba}sh rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/grep rix,
|
||||
|
||||
/{usr/,}lib/code/sed?????? rw,
|
||||
|
||||
include if exists <local/pacman-hook-code>
|
||||
}
|
||||
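Review bot: `/{usr/,}lib/code/sed?????? rw,` covers sed's scratch file but not the file the hook patches: an in-place `sed -i` reads the original under `/{usr/,}lib/code/` and renames the scratch file over it, which needs read on the original and write on the target path, so either a rule for the patched file is missing or the hook does not edit in place and `rw` on the scratch name is more than needed — the audit log should settle which. `capability dac_read_search,` lets the script bypass read permission checks on any path; a one-line comment on which file needs it would make the grant reviewable.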
|
|
@ -40,10 +40,17 @@ profile ssh @{exec_path} {
|
|||
owner @{user_projects_dirs}/**/ssh/{,*} r,
|
||||
owner @{user_projects_dirs}/**/config r,
|
||||
|
||||
/etc/ssh/ssh_config r,
|
||||
/etc/ssh/ssh_config.d/{,*} r,
|
||||
# Needed to work for systemd-homed users
|
||||
/etc/machine-id r,
|
||||
@{run}/systemd/userdb/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/keyring/ssh rw,
|
||||
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,
|
||||
|
||||
include if exists <local/ssh>
|
||||
}
|
||||
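Review bot: `owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,` grants lock and link permissions on the agent socket directory and socket, but an ssh client that only connects to the agent needs `rw` on the socket; `k` and `l` look like what ssh-agent needs when it creates the socket rather than what the client does, so unless the audit log shows them, `owner /tmp/ssh-*/{,agent.[0-9]*} rw,` is the tighter form. The `# Needed to work for systemd-homed users` comment explains the `machine-id` and `userdb` reads well; a similar one-liner above `owner @{PROC}/@{pid}/loginuid r,` would help, since what the client does with it is not obvious. `profile ssh` closes within this hunk.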
|
|
|
|||
|
|
@ -19,6 +19,7 @@ profile ssh-agent @{exec_path} {
|
|||
|
||||
/{usr/,}bin/enlightenment_start rPUx,
|
||||
/{usr/,}bin/gpg-agent rPx,
|
||||
/{usr/,}bin/im-launch rPUx,
|
||||
/{usr/,}bin/kwalletaskpass rPUx,
|
||||
/{usr/,}bin/openbox-session rPx,
|
||||
/{usr/,}bin/startkde rPUx,
|
||||
|
|
|
|||
|
|
@ -12,6 +12,8 @@ profile sshfs @{exec_path} flags=(complain) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none),
|
||||
|
||||
/{usr/,}bin/ssh rPx,
|
||||
/{usr/,}bin/fusermount{,3} rCx -> fusermount,
|
||||
|
||||
|
|
@ -23,13 +25,15 @@ profile sshfs @{exec_path} flags=(complain) {
|
|||
@{PROC}/sys/fs/pipe-max-size r,
|
||||
|
||||
|
||||
profile fusermount {
|
||||
profile fusermount flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
# To mount anything:
|
||||
capability sys_admin,
|
||||
|
||||
unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),
|
||||
|
||||
/{usr/,}bin/fusermount{,3} mr,
|
||||
|
||||
mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
|
||||
|
|
|
|||
|
|
@ -19,8 +19,9 @@ profile systemd-fsck @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}{s,}bin/fsck rPx,
|
||||
/{usr/,}{s,}bin/e2fsck rPx,
|
||||
/{usr/,}{s,}bin/fsck rPx,
|
||||
/{usr/,}{s,}bin/fsck.* rPx,
|
||||
|
||||
owner @{run}/systemd/quotacheck w,
|
||||
owner @{run}/systemd/fsck.progress rw,
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ profile apport-gtk @{exec_path} {
|
|||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/wayland>
|
||||
|
||||
capability fowner,
|
||||
capability sys_ptrace,
|
||||
|
|
@ -76,7 +77,6 @@ profile apport-gtk @{exec_path} {
|
|||
/var/log/installer/media-info r,
|
||||
|
||||
@{run}/snapd.socket rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
owner @{run}/user/.mutter-Xwaylandauth.* rw,
|
||||
|
||||
/tmp/[a-z0-9]* rw,
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ profile check-new-release-gtk @{exec_path} {
|
|||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
@ -53,8 +54,6 @@ profile check-new-release-gtk @{exec_path} {
|
|||
|
||||
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9] rw,
|
||||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ profile livepatch-notification @{exec_path} {
|
|||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/wayland>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -21,7 +22,6 @@ profile livepatch-notification @{exec_path} {
|
|||
|
||||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
@{run}/user/@{uid}/gdm/Xauthority r,
|
||||
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ profile software-properties-gtk @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/wayland>
|
||||
|
||||
dbus (send,receive) bus=system path=/com/canonical/UbuntuAdvantage/{,**}
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
|
|
@ -67,8 +68,6 @@ profile software-properties-gtk @{exec_path} {
|
|||
/var/lib/snapd/desktop/icons/ r,
|
||||
/var/lib/ubuntu-advantage/status.json r,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
owner /tmp/[a-z0-9]* rw,
|
||||
owner /tmp/tmp*/{,apt.conf} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ profile ubuntu-advantage-notification @{exec_path} {
|
|||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/wayland>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -19,7 +20,5 @@ profile ubuntu-advantage-notification @{exec_path} {
|
|||
/usr/share/icons/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
include if exists <local/ubuntu-advantage-notification>
|
||||
}
|
||||
|
|
@ -21,6 +21,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
@ -85,8 +86,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{user_cache_dirs}/update-manager-core/{,**} rw,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
@{run}/systemd/inhibit/*.ref w,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@ profile update-notifier @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/wayland>
|
||||
|
||||
dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
|
||||
interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
|
||||
|
|
@ -69,7 +70,6 @@ profile update-notifier @{exec_path} {
|
|||
owner @{run}/user/@{uid}/at-spi/bus rw,
|
||||
owner @{run}/user/@{uid}/bus rw,
|
||||
owner @{run}/user/@{uid}/update-notifier.pid rwk,
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
owner /tmp/#[0-9]* rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -22,6 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
|
|||
ptrace (read) peer=containerd,
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
signal (send) set=kill peer=cri-containerd.apparmor.d,
|
||||
|
||||
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
|
||||
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
|
||||
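Review bot: The new mount and umount rules spell the target as a literal `/run/containerd/...` while every other rule in this change set uses the `@{run}` tunable (e.g. `@{run}/user/@{uid}/...`); for consistency and for systems where `@{run}` expands to `/var/run/`, these should read `mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,` and `umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,`. The mount rule also carries no `fstype=` or `options=` qualifier, so it permits mounting anything onto that rootfs directory; if the denial that motivated it was a bind or overlay mount, naming that would tighten the rule considerably — confirm against the audit log. The profile body continues outside this hunk.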
|
||||
|
|
|
|||
|
|
@ -28,12 +28,15 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
|
|||
ptrace peer=@{profile_name},
|
||||
ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined},
|
||||
|
||||
# k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
|
||||
# k3s requires ptrace to all AppArmor profiles loaded in Kubernetes.
|
||||
# For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
|
||||
ptrace (read) peer=container-*,
|
||||
ptrace (read) peer=docker-*,
|
||||
ptrace (read) peer=k3s-*,
|
||||
ptrace (read) peer=kubernetes-*,
|
||||
# When using ZFS as storage provider instead of the default overlay2.
|
||||
ptrace (read) peer=zfs,
|
||||
ptrace (read) peer=zpool,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ profile aa-status @{exec_path} {
|
|||
@{PROC}/@{pids}/attr/apparmor/current r,
|
||||
@{PROC}/@{pids}/attr/current r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
|
||||
/dev/tty[0-9]* rw,
|
||||
|
||||
include if exists <local/aa-status>
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/python>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
@ -58,7 +59,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_cache_dirs}/obexd/* rw,
|
||||
|
||||
owner @{run}/user/@{uid}/gdm/Xauthority r,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ profile file-roller @{exec_path} {
|
|||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/user-write>
|
||||
include <abstractions/wayland>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -35,7 +36,5 @@ profile file-roller @{exec_path} {
|
|||
|
||||
/etc/gtk-3.0/settings.ini r,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
|
||||
include if exists <local/file-roller>
|
||||
}
|
||||
|
|
@ -13,6 +13,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
||||
|
|
@ -38,7 +39,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Changed,GetAll},
|
||||
member={Changed,GetAll}
|
||||
peer=(label=polkitd),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
|
|
@ -52,9 +54,24 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.fwupd
|
||||
member=Changed
|
||||
peer=(label=fwupdmgr),
|
||||
|
||||
dbus send bus=system path=/
|
||||
interface=org.freedesktop.DBus
|
||||
member=Changed
|
||||
peer=(label=fwupdmgr),
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.fwupd,
|
||||
|
||||
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={Changed,GetAll}
|
||||
peer=(label=polkitd),
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,SetHints,GetPlugins,GetRemotes}
|
||||
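Review bot: In the last hunk the second send rule for `Changed` names `interface=org.freedesktop.DBus`, which is the bus daemon's own interface, whereas the preceding rule already covers `interface=org.freedesktop.fwupd member=Changed peer=(label=fwupdmgr)`; unless a denial with that exact interface was observed, the second rule looks like a mistyped duplicate and should be dropped or replaced with the interface actually logged. The added `dbus receive bus=system path=/ interface=org.freedesktop.fwupd,` has no `member=` or `peer=` restriction, so any bus client may invoke any fwupd method through it; that is the usual shape for a system service that defers authorization to polkit, but it deserves a comment such as `# Method calls from any client; authorization is enforced by polkit, not by this rule`. The profile continues outside these hunks.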
|
|
|
|||
|
|
@ -63,6 +63,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
|
|||
owner @{user_cache_dirs}/fwupd/ rw,
|
||||
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
|
||||
|
||||
owner @{run}/systemd/.cache/ rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/dev/tty rw,
|
||||
|
|
|
|||
|
|
@ -25,6 +25,8 @@ profile htop @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/lsof rix,
|
||||
|
||||
/usr/share/terminfo/x/xterm-256color r,
|
||||
|
||||
/etc/sensors.d/ r,
|
||||
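Review bot: `/{usr/,}bin/lsof rix,` runs lsof under htop's own profile, so every path lsof reads (other processes' `/proc/*/fd/` entries, `/proc/*/maps`, sockets in `/proc/net/`) now has to be granted to htop itself, which widens htop's rule set over time rather than keeping that access in one place. If the repository already ships an lsof profile, `/{usr/,}bin/lsof rPx,` keeps the two separate; otherwise a child profile (`rCx`) with only what lsof needs would be the tighter option. Either way a short comment, `# lsof is spawned from the "open files" view; inherited so it sees the same /proc access as htop`, would record why inheritance was chosen. The profile body is outside this hunk.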
|
|
|
|||
|
|
@ -9,17 +9,17 @@ include <tunables/global>
|
|||
@{exec_path} = /{usr/,}bin/labwc
|
||||
profile labwc @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network netlink raw,
|
||||
|
||||
|
|
@ -30,16 +30,14 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/* rPUx,
|
||||
@{libexec}/* rPUx,
|
||||
|
||||
owner @{user_config_dirs}/labwc/ r,
|
||||
owner @{user_config_dirs}/labwc/* r,
|
||||
|
||||
/usr/share/libinput/ r,
|
||||
/usr/share/libinput/*.quirks r,
|
||||
|
||||
/usr/share/themes/**/themerc r,
|
||||
|
||||
/usr/share/X11/xkb/** r,
|
||||
|
||||
owner @{user_config_dirs}/labwc/ r,
|
||||
owner @{user_config_dirs}/labwc/* r,
|
||||
|
||||
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
|
||||
|
||||
@{sys}/class/drm/ r,
|
||||
|
|
|
|||
|
|
@ -9,12 +9,12 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}{s,}bin/mount
|
||||
profile mount @{exec_path} {
|
||||
profile mount @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/disks-write>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
|
||||
capability chown,
|
||||
capability dac_read_search,
|
||||
capability setgid,
|
||||
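Review bot: `flags=(attach_disconnected)` is added to the mount profile (and, in the same change, to thermald) without a comment saying which disconnected path made it necessary, and the flag silently permits access to paths that the kernel can no longer resolve to a mount point, so the reason should be recorded. A line such as `# attach_disconnected: needed for <PLACEHOLDER: path seen in the audit log>` above the profile header is enough. The flags file at the end of this change updates `mount attach_disconnected,complain` consistently, which is good; make sure thermald's entry there is updated too, as it is not visible in this diff.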
|
|
|
|||
|
|
@ -2,6 +2,8 @@
|
|||
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# TODO: Rethink this profile. Should not be called by another profile.
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ profile system-config-printer @{exec_path} flags=(complain) {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/python>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
@ -59,7 +60,6 @@ profile system-config-printer @{exec_path} flags=(complain) {
|
|||
owner @{HOME}/.cups/ rw,
|
||||
owner @{HOME}/.cups/lpoptions rw,
|
||||
|
||||
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
|
||||
owner @{run}/user/@{uid}/gvfsd/socket-* rw,
|
||||
@{run}/cups/cups.sock rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}sbin/thermald
|
||||
profile thermald @{exec_path} {
|
||||
profile thermald @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
|
||||
|
|
@ -39,16 +39,25 @@ profile thermald @{exec_path} {
|
|||
|
||||
@{sys}/class/hwmon/ r,
|
||||
@{sys}/class/thermal/ r,
|
||||
@{sys}/devices/platform/ r,
|
||||
@{sys}/devices/platform/{,*} r,
|
||||
@{sys}/devices/platform/**/path r,
|
||||
@{sys}/devices/platform/**/available_uuids r,
|
||||
@{sys}/devices/platform/**/current_uuid rw,
|
||||
|
||||
@{sys}/devices/system/cpu/present r,
|
||||
@{sys}/devices/system/cpu/intel_pstate/max_perf_pct r,
|
||||
@{sys}/devices/system/cpu/intel_pstate/max_perf_pct rw,
|
||||
@{sys}/devices/system/cpu/intel_pstate/no_turbo rw,
|
||||
@{sys}/devices/system/cpu/intel_pstate/status r,
|
||||
|
||||
@{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r,
|
||||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_max_uw r,
|
||||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_min_uw r,
|
||||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmax_us r,
|
||||
@{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmin_us r,
|
||||
|
||||
@{sys}/devices/**/hwmon[0-9]*/name r,
|
||||
@{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_{max,crit} r,
|
||||
@{sys}/devices/**/path r,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/product_uuid r,
|
||||
|
|
@ -56,8 +65,11 @@ profile thermald @{exec_path} {
|
|||
@{sys}/devices/virtual/thermal/**/{type,temp} r,
|
||||
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/mode rw,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/policy rw,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_hyst r,
|
||||
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/cdev[0-9]*_trip_point r,
|
||||
|
||||
@{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r,
|
||||
|
|
@ -66,11 +78,16 @@ profile thermald @{exec_path} {
|
|||
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/ r,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/**/name r,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/{,*} r,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/ r,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/* r,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_time_window_us w,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_power_limit_uw w,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/enabled w,
|
||||
@{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
|
||||
|
||||
/dev/acpi_thermal_rel rw,
|
||||
/dev/input/ r,
|
||||
/dev/input/event[0-9]* r,
|
||||
|
||||
include if exists <local/thermald>
|
||||
}
|
||||
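Review bot: In the powercap hunk, the nested pattern `intel-rapl{,-mmio}:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*}` only matches sub-zones named `intel-rapl:N:M`; if the mmio sub-zones follow their parent's naming (`intel-rapl-mmio:N:M`, as the parent directory name suggests), the `-mmio` half of the brace expansion never matches and those reads will still be denied, so the child component should probably be `intel-rapl{,-mmio}:[0-9]*:[0-9]*/{,*}` as well — confirm against an actual sysfs tree. The new write rules (`max_perf_pct`, `no_turbo`, `current_uuid`, thermal zone `mode`/`policy`/`trip_point_*_temp`, RAPL `enabled` and `constraint_*_power_limit_uw`) are hardware power-control knobs; a comment such as `# thermald drives cooling by adjusting pstate, RAPL power limits and trip points` above that group would explain why a daemon profile needs write access to them.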
|
|
|
|||
|
|
@ -54,6 +54,14 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||
umount @{run}/udisks2/temp-mount-*/,
|
||||
umount /media/cdrom[0-9]/,
|
||||
|
||||
dbus (send,receive) bus=system path=/
|
||||
interface=org.freedesktop.DBus.Introspectable
|
||||
member=Introspect,
|
||||
|
||||
dbus (send,receive) bus=system path=/
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get,
|
||||
|
||||
dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
|
||||
interface=org.freedesktop.{DBus*,UDisks2*},
|
||||
|
||||
|
|
|
|||
|
|
@ -13,10 +13,9 @@ profile uname @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner /tmp/mktexlsr.* rw,
|
||||
|
||||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
owner /tmp/mktexlsr.* rw,
|
||||
|
||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -12,21 +13,13 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
# The userdel command is issued as root and its task is to delete regular user accounts. It
|
||||
# optionally can remove user files (via --remove). Because of that, the userdel command needs the
|
||||
# following CAPs to be able to do so.
|
||||
capability dac_read_search,
|
||||
capability dac_override,
|
||||
|
||||
# To write records to the kernel auditing log.
|
||||
capability audit_write,
|
||||
|
||||
# To set the right permission to the files in the /etc/ dir).
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability fsetid,
|
||||
|
||||
# To prevent removing a user when it's used by some process.
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
network netlink raw,
|
||||
|
|
@ -35,9 +28,6 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/login.defs r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/task/ r,
|
||||
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
|
||||
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
|
||||
|
|
@ -60,5 +50,8 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
|
|||
/var/lib/ r,
|
||||
/var/lib/*/{,**} rw,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/task/ r,
|
||||
|
||||
include if exists <local/userdel>
|
||||
}
|
||||
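Review bot: The rewritten capability list drops the per-capability rationale that the old side carried (why `dac_override`/`dac_read_search` are needed for `--remove`, why `chown`/`fsetid` are needed for the `/etc/` databases, why `sys_ptrace` is needed to detect a logged-in user), and the newly added `ptrace (read),` has no `peer=` qualifier and no comment; since an unrestricted read-ptrace rule on a setuid-style account tool is the kind of line a later reviewer will question, the reasons should be kept. A one-line comment per group is sufficient, e.g. `# sys_ptrace + ptrace (read): scan /proc/*/ to refuse deleting a user that still owns processes` above `capability sys_ptrace,`. The profile's file rules continue in the later hunks of this section.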
|
|
|
|||
|
|
@ -28,6 +28,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
|
@ -86,7 +87,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
|
||||
owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
|
||||
owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511
|
||||
|
|
|
|||
|
|
@ -207,7 +207,7 @@ mdevctl complain
|
|||
mke2fs complain
|
||||
ModemManager attach_disconnected,complain
|
||||
molly-guard complain
|
||||
mount complain
|
||||
mount attach_disconnected,complain
|
||||
nautilus complain
|
||||
needrestart attach_disconnected,complain
|
||||
needrestart-iucode-scan-versions complain
|
||||
|
|
|
|||
|
|
@ -36,3 +36,7 @@ See the [Concepts](concepts) page for more detail on the architecture.
|
|||
- Support all major desktop environments:
|
||||
* Currently only :material-gnome: Gnome
|
||||
- Fully tested (Work in progress)
|
||||
|
||||
**Presentation**
|
||||
|
||||
- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))
|
||||