update apparmor profiles

Co-authored-by: Mikhail Morfikov <mmorfikov@gmail.com> Signed-off-by: Alexandre Pujol <alexandre@pujol.io>
2022-02-27 01:22:35 +00:00 · 2022-02-27 01:22:35 +00:00 · d701e39939
commit d701e39939
parent b0690c0e55
201 changed files with 540 additions and 608 deletions
--- a/apparmor.d/abstractions/chromium-common
+++ b/apparmor.d/abstractions/chromium-common
@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/3.0>,
+
+  # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
+  # to "1".
+  capability sys_admin,
+  capability sys_chroot,
+  capability setuid,
+  capability setgid,
+  owner @{PROC}/@{pid}/setgroups w,
+  owner @{PROC}/@{pid}/gid_map w,
+  owner @{PROC}/@{pid}/uid_map w,
+
+        /var/tmp/ r,
+        /tmp/ r,
+  owner /tmp/.org.chromium.Chromium.*/ rw,
+  owner /tmp/.org.chromium.Chromium.*/SingletonCookie w,
+  owner /tmp/.org.chromium.Chromium.*/SingletonSocket w,
+  owner /tmp/.org.chromium.Chromium.*/SS w,
+  owner /tmp/.org.chromium.Chromium.* rw,
+  owner /tmp/scoped_dir*/ rw,
+  owner /tmp/scoped_dir*/SingletonCookie w,
+  owner /tmp/scoped_dir*/SingletonSocket w,
+  owner /tmp/scoped_dir*/SS w,
+
+        /dev/shm/ r,
+  owner /dev/shm/.org.chromium.Chromium.* rw,
+
+  owner @{HOME}/.local/share/.org.chromium.Chromium.* rw,
+
+  # Should this be read-only? (##FIXME##)
+  # To remove the following error:
+  #  Error initializing NSS with a persistent database
+  owner @{HOME}/.pki/ rw,
+  owner @{HOME}/.pki/nssdb/ rw,
+  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
+  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
+  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
--- a/apparmor.d/abstractions/deny-dconf
+++ b/apparmor.d/abstractions/deny-dconf
@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/3.0>,
-
-  deny /etc/dconf/{,**} r,
-
-  # When this is blocked, expect lots of the following errors:
-  #  dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
-  #  dconf will not work properly.
-  deny owner @{run}/user/@{uid}/dconf/{,**} rw,
-
-  deny owner @{user_config_dirs}/dconf/{,**} rw,
-  deny owner @{user_cache_dirs}/dconf/{,**} rw,
-
-  # When GSETTINGS_BACKEND=keyfile
-  deny owner @{user_config_dirs}/glib-2.0/ rw,
-  deny owner @{user_config_dirs}/glib-2.0/settings/ rw,
-  deny owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
-  deny owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,
-
-  include if exists <abstractions/deny-dconf.d>
--- a/apparmor.d/abstractions/deny-root-dir-access
+++ b/apparmor.d/abstractions/deny-root-dir-access
@ -1,18 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-  # The goal of this abstraction is preventing apps (GUI) to be run as the root user by restraining
-  # access to the /root/ dir and its subdirectories. If you don't want to start an app as the super
-  # user (possibly by mistake), just include this abstraction in the app's AppArmor profile.
-  #
-  # Note that some apps will work anyway when run as root even if all of the files in the /root/
-  # are denied. Anyway, most of the apps refuse to start when they don't get the access to the
-  # needed files in the user home dir.
-
-  abi <abi/3.0>,
-
-  # Use audit for now to see whether some apps are trying to get access to the /root/ dir.
-  audit deny /root/{,**} rwkmlx,
-
-  include if exists <abstractions/deny-root-dir-access.d>
--- a/apparmor.d/abstractions/gtk
+++ b/apparmor.d/abstractions/gtk
@ -7,8 +7,10 @@

  /usr/share/themes/{,**} r,

-  /usr/share/gtksourceview-[0-9]*/ r,
-  /usr/share/gtksourceview-[0-9]*/** r,
+  /usr/share/gtksourceview-[0-9]*/{,**} r,
+
+  /usr/share/gtk-2.0/ r,
+  /usr/share/gtk-2.0/gtkrc r,

  /usr/share/gtk-{3,4}.0/ r,
  /usr/share/gtk-{3,4}.0/settings.ini r,
@ -20,6 +22,9 @@

  /etc/gtk/gtkrc r,

+  owner @{HOME}/.themes/{,**} r,
+  owner @{HOME}/.local/share/themes/{,**} r,
+
  owner @{HOME}/.gtk r,
  owner @{HOME}/.gtkrc r,
  owner @{HOME}/.gtkrc-2.0 r,
@ -43,4 +48,5 @@
  # Xsession errors file
  owner @{HOME}/.xsession-errors w,

-  include if exists <abstraction/gtk.d>
+  # Include additions to the abstraction
+  include if exists <abstractions/gtk.d>