update apparmor profiles

Co-authored-by: Mikhail Morfikov <mmorfikov@gmail.com> Signed-off-by: Alexandre Pujol <alexandre@pujol.io>
2022-02-27 01:22:35 +00:00 · 2022-02-27 01:22:35 +00:00 · d701e39939
commit d701e39939
parent b0690c0e55
201 changed files with 540 additions and 608 deletions
--- a/apparmor.d/profiles-g-l/gajim
+++ b/apparmor.d/profiles-g-l/gajim
@ -25,7 +25,6 @@ profile gajim @{exec_path} {
  include <abstractions/ssl_certs>
  include <abstractions/gstreamer>
  include <abstractions/enchant>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-g-l/games-wesnoth
+++ b/apparmor.d/profiles-g-l/games-wesnoth
@ -16,7 +16,6 @@ profile games-wesnoth @{exec_path} {
  include <abstractions/audio>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mrix,

--- a/apparmor.d/profiles-g-l/games-wesnoth-sh
+++ b/apparmor.d/profiles-g-l/games-wesnoth-sh
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /usr/games/wesnoth-[0-9]*{-nolog,-smalgui,_editor} /usr/games/wesnoth-nolog
 profile games-wesnoth-sh @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh       rix,
--- a/apparmor.d/profiles-g-l/ganyremote
+++ b/apparmor.d/profiles-g-l/ganyremote
@ -18,7 +18,6 @@ profile ganyremote @{exec_path} {
  include <abstractions/user-download-strict>
  include <abstractions/python>
  include <abstractions/thumbnails-cache-read>
-  include <abstractions/deny-root-dir-access>

  network inet stream,
  network inet6 stream,
--- a/apparmor.d/profiles-g-l/globaltime
+++ b/apparmor.d/profiles-g-l/globaltime
@ -13,7 +13,6 @@ profile globaltime @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/gpa
+++ b/apparmor.d/profiles-g-l/gpa
@ -15,7 +15,6 @@ profile gpa @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/user-download-strict>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/gpo
+++ b/apparmor.d/profiles-g-l/gpo
@ -15,7 +15,6 @@ profile gpo @{exec_path} {
  include <abstractions/user-download-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-g-l/gpodder
+++ b/apparmor.d/profiles-g-l/gpodder
@ -18,7 +18,6 @@ profile gpodder @{exec_path} {
  include <abstractions/user-download-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-g-l/gpodder-migrate2tres
+++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres
@ -10,7 +10,6 @@ include <tunables/global>
 profile gpodder-migrate2tres @{exec_path} {
  include <abstractions/base>
  include <abstractions/python>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,
  /{usr/,}bin/python3.[0-9]* r,
--- a/apparmor.d/profiles-g-l/gsmartcontrol
+++ b/apparmor.d/profiles-g-l/gsmartcontrol
@ -14,7 +14,6 @@ profile gsmartcontrol @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-dconf>

  capability dac_read_search,

@ -67,9 +66,6 @@ profile gsmartcontrol @{exec_path} {
  # hence this behavior should be blocked.
  deny /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx,

-  # file_inherit
-  owner @{HOME}/.xsession-errors w,
-

  profile dbus {
    include <abstractions/base>
--- a/apparmor.d/profiles-g-l/gtk-youtube-viewer
+++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer
@ -17,7 +17,6 @@ profile gtk-youtube-viewer @{exec_path} {
  include <abstractions/perl>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-g-l/hardinfo
+++ b/apparmor.d/profiles-g-l/hardinfo
@ -38,7 +38,7 @@ profile hardinfo @{exec_path} {
  /{usr/,}bin/python2.[0-9]*  rix,
  /{usr/,}bin/python3.[0-9]*  rix,
  /{usr/,}bin/perl            rix,
-  /{usr/,}bin/ruby2.[0-9]*    rix,
+  /{usr/,}bin/ruby[0-9].[0-9]* rix,
  /{usr/,}bin/make            rix,
  /{usr/,}bin/strace          rix,
  /{usr/,}bin/gdb             rix,
--- a/apparmor.d/profiles-g-l/hexchat
+++ b/apparmor.d/profiles-g-l/hexchat
@ -21,7 +21,6 @@ profile hexchat @{exec_path} {
  # For python/perl plugins
  include <abstractions/python>
  include <abstractions/perl>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-g-l/hypnotix
+++ b/apparmor.d/profiles-g-l/hypnotix
@ -31,6 +31,7 @@ profile hypnotix @{exec_path} {
  include <abstractions/python>

  signal (send) set=(term, kill) peer=youtube-dl,
+  signal (send) set=(term, kill) peer=yt-dlp,

  network inet dgram,
  network inet6 dgram,
@ -48,7 +49,8 @@ profile hypnotix @{exec_path} {

  /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,

-  /{usr/,}bin/youtube-dl      rPx,
+  /{usr/,}bin/youtube-dl     rPUx,
+  /{usr/,}bin/yt-dlp         rPUx,
  /{usr/,}lib/firefox/firefox rPx,

  # Which files hypnotix should be able to open
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
@ -23,14 +23,20 @@ profile ifup @{exec_path} {
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/ip         rix,
  /{usr/,}bin/sleep      rix,
+  /{usr/,}bin/seq        rix,

  /{usr/,}{s,}bin/dhclient  rPx,
  /{usr/,}bin/macchanger rPx,

+  /{usr/,}lib/ifupdown/*.sh rix,
+
  /{usr/,}bin/run-parts  rCx -> run-parts,
+  /{usr/,}bin/kmod       rCx -> kmod,
+  /{usr/,}sbin/sysctl    rCx -> sysctl,

  /etc/network/interfaces r,
  /etc/network/interfaces.d/{,*} r,
+  /etc/iproute2/rt_scopes r,

  @{run}/network/ rw,
  @{run}/network/{.,}ifstate* rwk,
@ -82,5 +88,37 @@ profile ifup @{exec_path} {

  }

+  profile kmod {
+    include <abstractions/base>
+
+    /{usr/,}bin/kmod mr,
+
+    @{sys}/module/** r,
+
+    @{PROC}/cmdline r,
+    @{PROC}/modules r,
+
+    /etc/modprobe.d/ r,
+    /etc/modprobe.d/*.conf r,
+
+  }
+
+  profile sysctl {
+    include <abstractions/base>
+
+#    capability mac_admin,
+#    capability sys_admin,
+#    capability sys_resource,
+
+    /{usr/,}sbin/sysctl mr,
+
+    @{PROC}/sys/ r,
+    @{PROC}/sys/** r,
+
+    @{PROC}/sys/net/ipv6/conf/*/accept_ra rw,
+    @{PROC}/sys/net/ipv6/conf/*/autoconf rw,
+
+  }
+
  include if exists <local/ifup>
 }
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@ -17,7 +17,6 @@ profile jdownloader @{exec_path} {
  include <abstractions/freedesktop.org>
  include <abstractions/user-download-strict>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} rix,

--- a/apparmor.d/profiles-g-l/jdownloader-install
+++ b/apparmor.d/profiles-g-l/jdownloader-install
@ -17,7 +17,6 @@ profile jdownloader-install @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,
--- a/apparmor.d/profiles-g-l/jekyll
+++ b/apparmor.d/profiles-g-l/jekyll
@ -13,12 +13,16 @@ profile jekyll @{exec_path} {
  include <abstractions/base>
  include <abstractions/ruby>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,
-  /{usr/,}bin/ruby2.[0-9]* r,
+  /{usr/,}bin/ruby[0-9].[0-9]* rix,

-  /usr/share/rubygems-integration/** r,
+  /usr/share/rubygems-integration/*/specifications/ r,
+  /usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
+
+  /{usr/,}lib/ruby/gems/*/specifications/ r,
+  /{usr/,}lib/ruby/gems/*/specifications/** r,
+  /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk,

  /usr/share/ruby-addressable/unicode.data r,

--- a/apparmor.d/profiles-g-l/jgmenu
+++ b/apparmor.d/profiles-g-l/jgmenu
@ -15,7 +15,6 @@ profile jgmenu @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>
  include <abstractions/app-launcher-user>

  @{exec_path} mrix,
--- a/apparmor.d/profiles-g-l/kanyremote
+++ b/apparmor.d/profiles-g-l/kanyremote
@ -22,7 +22,6 @@ profile kanyremote @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-settings-write>
-  include <abstractions/deny-root-dir-access>

  network inet stream,
  network inet6 stream,
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@ -25,7 +25,6 @@ profile keepassxc @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/devices-usb>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-g-l/keepassxc-cli
+++ b/apparmor.d/profiles-g-l/keepassxc-cli
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/keepassxc-cli
 profile keepassxc-cli @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/keepassxc-proxy
+++ b/apparmor.d/profiles-g-l/keepassxc-proxy
@ -10,7 +10,6 @@ include <tunables/global>
 profile keepassxc-proxy @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/deny-root-dir-access>

  signal (receive) set=(term, kill),

--- a/apparmor.d/profiles-g-l/kerneloops-applet
+++ b/apparmor.d/profiles-g-l/kerneloops-applet
@ -13,7 +13,6 @@ profile kerneloops-applet @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/kodi
+++ b/apparmor.d/profiles-g-l/kodi
@ -17,7 +17,6 @@ profile kodi @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/python>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/kodi-xrandr
+++ b/apparmor.d/profiles-g-l/kodi-xrandr
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/kodi/kodi-xrandr
 profile kodi-xrandr @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/kscreenlocker-greet
+++ b/apparmor.d/profiles-g-l/kscreenlocker-greet
@ -18,7 +18,6 @@ profile kscreenlocker-greet @{exec_path} {
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-shader-cache>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  signal (send) peer=kcheckpass,

--- a/apparmor.d/profiles-g-l/kwalletd5
+++ b/apparmor.d/profiles-g-l/kwalletd5
@ -21,7 +21,6 @@ profile kwalletd5 @{exec_path} {
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
  include <abstractions/audio>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/kwalletmanager5
+++ b/apparmor.d/profiles-g-l/kwalletmanager5
@ -22,7 +22,6 @@ profile kwalletmanager5 @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
@ -20,7 +20,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/devices-usb>
-  include <abstractions/deny-root-dir-access>

  network netlink raw,

--- a/apparmor.d/profiles-g-l/light
+++ b/apparmor.d/profiles-g-l/light
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/light
 profile light @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/light-locker
+++ b/apparmor.d/profiles-g-l/light-locker
@ -16,7 +16,6 @@ profile light-locker @{exec_path} {
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  include <abstractions/wayland>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

@ -28,13 +27,9 @@ profile light-locker @{exec_path} {
  # when locking the screen and switching/closing sessions
  @{run}/systemd/sessions/[0-9]* r,

-  # To silecne the following error:
-  #  dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
-  #  dconf will not work properly.
-  ##include <abstractions/dconf>
-  #owner @{run}/user/@{uid}/dconf/ w,
-  #owner @{run}/user/@{uid}/dconf/user rw,
-  include <abstractions/deny-dconf>
+  include <abstractions/dconf>
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,

  @{sys}/devices/pci[0-9]*/**/uevent r,
  @{sys}/devices/pci[0-9]*/**/vendor r,
--- a/apparmor.d/profiles-g-l/light-locker-command
+++ b/apparmor.d/profiles-g-l/light-locker-command
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/light-locker-command
 profile light-locker-command @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/lightworks
+++ b/apparmor.d/profiles-g-l/lightworks
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/lightworks
 profile lightworks @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh          rix,
--- a/apparmor.d/profiles-g-l/lightworks-ntcardvt
+++ b/apparmor.d/profiles-g-l/lightworks-ntcardvt
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/lightworks/ntcardvt
 profile lightworks-ntcardvt @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -23,11 +23,15 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
  # Needed?
  audit deny capability net_admin,

+  signal (send) set=(hup),
+
  @{exec_path} mr,

  /{usr/,}{s,}bin/ r,

  /{usr/,}bin/{,ba,da}sh             rix,
+  /{usr/,}bin/cat                    rix,
+  /{usr/,}bin/kill                   rix,
  /{usr/,}bin/ls                     rix,
  /{usr/,}bin/gzip                   rix,
  /{usr/,}bin/zstd                   rix,
--- a/apparmor.d/profiles-g-l/lynx
+++ b/apparmor.d/profiles-g-l/lynx
@ -13,7 +13,6 @@ profile lynx @{exec_path} {
  include <abstractions/wutmp>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,