update apparmor profiles

Co-authored-by: Mikhail Morfikov <mmorfikov@gmail.com>
Signed-off-by: Alexandre Pujol <alexandre@pujol.io>

apparmor.d/profiles-m-r/mediainfo

@@ -36,7 +36,6 @@ profile mediainfo @{exec_path} {
   include <abstractions/base>
   include <abstractions/user-download-strict>
   include <abstractions/private-files-strict>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/mediainfo-gui

@@ -40,7 +40,6 @@ profile mediainfo-gui @{exec_path} {
   include <abstractions/freedesktop.org>
   include <abstractions/user-download-strict>
   include <abstractions/private-files-strict>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/megasync

@@ -25,7 +25,6 @@ profile megasync @{exec_path} {
   include <abstractions/user-download-strict>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-m-r/minitube

@@ -23,7 +23,6 @@ profile minitube @{exec_path} {
   include <abstractions/qt5-shader-cache>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-m-r/mkvmerge

@@ -42,7 +42,6 @@ profile mkvmerge @{exec_path} {
   include <abstractions/base>
   include <abstractions/user-download-strict>
   include <abstractions/private-files-strict>
-  include <abstractions/deny-root-dir-access>
 
   signal (receive) set=(term, kill) peer=mkvtoolnix-gui,
 

apparmor.d/profiles-m-r/mkvtoolnix-gui

@@ -54,7 +54,6 @@ profile mkvtoolnix-gui @{exec_path} {
   include <abstractions/ssl_certs>
   include <abstractions/user-download-strict>
   include <abstractions/private-files-strict>
-  include <abstractions/deny-root-dir-access>
 
   signal (send) set=(term, kill) peer=mkvmerge,
 

apparmor.d/profiles-m-r/monitorix

@@ -0,0 +1,106 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/monitorix
+profile monitorix @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/perl>
+  include <abstractions/nameservice-strict>
+  include <abstractions/fonts>
+  include <abstractions/fontconfig-cache-read>
+
+  capability net_admin,
+  capability chown,
+  capability fowner,
+  capability setgid,
+  capability fsetid,
+  capability setuid,
+  capability dac_override,
+  capability kill,
+
+  network netlink raw,
+  network inet stream,
+  network inet6 stream,
+
+  ptrace (read),
+
+  signal (receive) set=(hup) peer=logroate,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,ba,da}sh         rix,
+  /{usr/,}bin/{,e}grep           rix,
+  /{usr/,}bin/df                 rix,
+  /{usr/,}bin/cat                rix,
+  /{usr/,}bin/tail               rix,
+  /{usr/,}bin/gawk               rix,
+  /{usr/,}bin/free               rix,
+  /{usr/,}bin/ss                 rix,
+  /{usr/,}bin/who                rix,
+  /{usr/,}sbin/lvm               rix,
+  /{usr/,}sbin/xtables-nft-multi rix,
+  /{usr/,}bin/sensors            rix,
+  /{usr/,}bin/getconf            rix,
+  /{usr/,}bin/ps                 rix,
+
+  /etc/monitorix/monitorix.conf r,
+  /etc/monitorix/conf.d/ r,
+  /etc/monitorix/conf.d/[0-9][0-9]-*.conf r,
+
+  /var/log/monitorix w,
+  /var/log/monitorix-* w,
+
+  owner @{run}/monitorix.pid w,
+
+  /var/lib/monitorix/*.rrd* rwk,
+  /var/lib/monitorix/www/** rw,
+  /var/lib/monitorix/www/cgi/monitorix.cgi rwix,
+
+  / r,
+  /tmp/ r,
+  /etc/shadow r,
+
+  /dev/tty r,
+
+  @{run}/utmp rk,
+
+        @{PROC}/ r,
+        @{PROC}/swaps r,
+        @{PROC}/diskstats r,
+        @{PROC}/loadavg r,
+        @{PROC}/sys/kernel/random/entropy_avail r,
+        @{PROC}/uptime r,
+        @{PROC}/interrupts r,
+        @{PROC}/sys/fs/dentry-state r,
+        @{PROC}/sys/fs/file-nr r,
+        @{PROC}/sys/fs/inode-nr r,
+        @{PROC}/sys/kernel/osrelease r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/net/dev r,
+  owner @{PROC}/@{pid}/net/ip_tables_names r,
+  owner @{PROC}/@{pid}/net/ip6_tables_names r,
+        @{PROC}/@{pid}/net/udp{,6} r,
+        @{PROC}/@{pid}/net/tcp{,6} r,
+        @{PROC}/sys/kernel/pid_max r,
+        @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/cmdline r,
+        @{PROC}/@{pids}/fdinfo/ r,
+        @{PROC}/@{pids}/io r,
+
+  @{sys}/class/i2c-adapter/ r,
+  @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
+  @{sys}/class/hwmon/ r,
+  @{sys}/devices/**/thermal*/{,**} r,
+  @{sys}/devices/**/hwmon*/{,**} r,
+
+  /etc/sensors3.conf r,
+  /etc/sensors.d/ r,
+
+  include if exists <local/monitorix>
+}

apparmor.d/profiles-m-r/mount

@@ -41,6 +41,10 @@ profile mount @{exec_path} flags=(complain) {
   /{usr/,}{s,}bin/mount.*    rPx,
 
   # Mount points
+  @{HOME}/ r,
+  @{HOME}/*/ r,
+  @{HOME}/*/*/ r,
+  @{MOUNTS}/ r,
   @{MOUNTS}/*/ r,
   @{MOUNTS}/*/*/ r,
   /media/cdrom[0-9]/ r,

apparmor.d/profiles-m-r/mpsyt

@@ -14,7 +14,6 @@ profile mpsyt @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>
 
   signal (send) set=(term, kill) peer=mpv,
 

apparmor.d/profiles-m-r/mpv

@@ -70,11 +70,11 @@ profile mpv @{exec_path} {
   include <abstractions/private-files-strict>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>
 
   signal (receive) set=(term, kill),
 
   signal (send) set=(term, kill) peer=youtube-dl,
+  signal (send) set=(term, kill) peer=yt-dlp,
 
   network inet dgram,
   network inet6 dgram,
@@ -149,6 +149,7 @@ profile mpv @{exec_path} {
 
   # External apps
   /{usr/,}bin/youtube-dl rPUx,
+  /{usr/,}bin/yt-dlp     rPUx,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,

apparmor.d/profiles-m-r/mumble

@@ -24,7 +24,6 @@ profile mumble @{exec_path} {
   include <abstractions/user-download-strict>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-m-r/mumble-overlay

@@ -10,7 +10,6 @@ include <tunables/global>
 profile mumble-overlay @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} r,
   /{usr/,}bin/{,ba,da}sh rix,

apparmor.d/profiles-m-r/numlockx

@@ -9,7 +9,6 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/numlockx
 profile numlockx @{exec_path} {
   include <abstractions/base>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/obamenu

@@ -10,7 +10,6 @@ include <tunables/global>
 profile obamenu @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} r,
   /{usr/,}bin/python3.[0-9]* rix,

apparmor.d/profiles-m-r/obconf

@@ -15,8 +15,6 @@ profile obconf @{exec_path} {
   include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
   include <abstractions/user-download-strict>
-  include <abstractions/deny-dconf>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 
@@ -35,6 +33,10 @@ profile obconf @{exec_path} {
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
+  include <abstractions/dconf>
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+
   # file_inherit
   owner /dev/tty[0-9]* rw,
 

apparmor.d/profiles-m-r/obxprop

@@ -9,7 +9,6 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/obxprop
 profile obxprop @{exec_path} {
   include <abstractions/base>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/openbox

@@ -13,7 +13,6 @@ profile openbox @{exec_path} {
   include <abstractions/fontconfig-cache-read>
   include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>
 
   signal (send) set=(term, kill),
 

apparmor.d/profiles-m-r/openbox-session

@@ -9,7 +9,6 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/openbox-session
 profile openbox-session @{exec_path} {
   include <abstractions/base>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} r,
   /{usr/,}bin/{,ba,da}sh rix,

apparmor.d/profiles-m-r/orage

@@ -15,7 +15,6 @@ profile orage @{exec_path} {
   include <abstractions/freedesktop.org>
   include <abstractions/user-download-strict>
   include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 
@@ -42,7 +41,6 @@ profile orage @{exec_path} {
 
   # file_inherit
   owner /dev/tty[0-9]* rw,
-  owner @{HOME}/.xsession-errors w,
 
 
   profile open {

apparmor.d/profiles-m-r/pacmd

@@ -11,10 +11,10 @@ profile pacmd @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/audio>
-  include <abstractions/deny-root-dir-access>
 
   #capability sys_ptrace,
   ptrace peer=pulseaudio,
+  ptrace (read) peer=pipewire,
 
   signal (send) peer=pulseaudio,
 

apparmor.d/profiles-m-r/pactl

@@ -11,7 +11,6 @@ profile pactl @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/audio>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/pavucontrol

@@ -14,7 +14,6 @@ profile pavucontrol @{exec_path} {
   include <abstractions/fontconfig-cache-read>
   include <abstractions/freedesktop.org>
   include <abstractions/audio>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/picom

@@ -12,7 +12,6 @@ profile picom @{exec_path} {
   include <abstractions/dri-common>
   include <abstractions/nameservice-strict>
   include <abstractions/mesa>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/pipewire

@@ -13,7 +13,7 @@ profile pipewire @{exec_path} {
   include <abstractions/audio>
   include <abstractions/nameservice-strict>
 
-  ptrace (read),
+  ptrace (read) peer=pipewire*,
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/pipewire-media-session

@@ -22,10 +22,12 @@ profile pipewire-media-session @{exec_path} {
 
   /usr/share/alsa-card-profile/{,**} r,
   /usr/share/alsa/{,**} r,
+  /usr/share/pipewire/*.conf r,
   /usr/share/pipewire/media-session.d/{,**} r,
   /usr/share/spa-*/bluez[0-9]*/{,*} r,
 
   /etc/alsa/{,**} r,
+  /etc/pipewire/*.conf r,
   /etc/pipewire/media-session.d/*.conf r,
   /etc/pulse/{,**} r,
 

apparmor.d/profiles-m-r/pipewire-pulse

@@ -15,7 +15,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 
   capability sys_ptrace,
 
-  ptrace (read),
+  ptrace (read) peer=pipewire*,
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/polkit-agent-helper

@@ -13,7 +13,6 @@ profile polkit-agent-helper @{exec_path} {
   include <abstractions/authentication>
   include <abstractions/nameservice-strict>
   include <abstractions/consoles>
-  include <abstractions/deny-root-dir-access>
 
   signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
   signal (receive) set=(term, kill) peer=gnome-shell,

apparmor.d/profiles-m-r/polkit-kde-authentication-agent

@@ -20,7 +20,6 @@ profile polkit-kde-authentication-agent @{exec_path} {
   include <abstractions/dri-enumerate>
   include <abstractions/nameservice-strict>
   include <abstractions/mesa>
-  include <abstractions/deny-root-dir-access>
 
   signal (send) set=(term, kill) peer=polkit-agent-helper,
 

apparmor.d/profiles-m-r/polkit-mate-authentication-agent

@@ -17,8 +17,6 @@ profile polkit-mate-authentication-agent @{exec_path} {
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/mesa>
-  include <abstractions/deny-root-dir-access>
-  include <abstractions/deny-dconf>
 
   signal (send) set=(term, kill) peer=polkit-agent-helper,
 
@@ -35,6 +33,10 @@ profile polkit-mate-authentication-agent @{exec_path} {
 
   owner @{HOME}/.Xauthority r,
 
+  include <abstractions/dconf>
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
   /usr/share/X11/xkb/** r,

apparmor.d/profiles-m-r/psi

@@ -25,7 +25,6 @@ profile psi @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
-  include <abstractions/deny-root-dir-access>
 
   signal (send) set=(term, kill) peer=lsb_release,
 
@@ -92,9 +91,6 @@ profile psi @{exec_path} {
 
   /usr/share/hwdata/pnp.ids r,
 
-  # file_inherit
-  owner @{HOME}/.xsession-errors w,
-
   # Allowed apps to open
   /{usr/,}lib/firefox/firefox rPUx,
 

apparmor.d/profiles-m-r/psi-plus

@@ -25,7 +25,6 @@ profile psi-plus @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
-  include <abstractions/deny-root-dir-access>
 
   signal (send) set=(term, kill) peer=lsb_release,
 
@@ -92,9 +91,6 @@ profile psi-plus @{exec_path} {
 
   /usr/share/hwdata/pnp.ids r,
 
-  # file_inherit
-  owner @{HOME}/.xsession-errors w,
-
   # Allowed apps to open
   /{usr/,}lib/firefox/firefox rPUx,
 

apparmor.d/profiles-m-r/pulseaudio

@@ -15,7 +15,6 @@ profile pulseaudio @{exec_path} {
   include <abstractions/dbus-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>
 
   ptrace (trace) peer=@{profile_name},
 

apparmor.d/profiles-m-r/qbittorrent

@@ -35,7 +35,6 @@ profile qbittorrent @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>
   include if exists <abstractions/ubuntu-unity7-base>
   include if exists <abstractions/dbus-network-manager-strict>
 

apparmor.d/profiles-m-r/qbittorrent-nox

@@ -14,7 +14,6 @@ profile qbittorrent-nox @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-m-r/qnapi

@@ -52,7 +52,6 @@ profile qnapi @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/user-download-strict>
   include <abstractions/private-files-strict>
-  include <abstractions/deny-root-dir-access>
 
   # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the
   # action (stop qnapi), the apps send the term/kill signal to qnapi.

apparmor.d/profiles-m-r/qpdfview

@@ -28,7 +28,6 @@ profile qpdfview @{exec_path} {
   include <abstractions/qt5-settings-write>
   include <abstractions/qt5-compose-cache-write>
   include <abstractions/thumbnails-cache-read>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 
@@ -48,7 +47,7 @@ profile qpdfview @{exec_path} {
   owner @{MOUNTS}/**/ r,
         /tmp/ r,
         /tmp/mozilla_*/ r,
-  owner /{home,media,tmp,tmp/mozilla_*}/**.@{qpdfview_ext} rw,
+  owner /{home,media,tmp}/**.@{qpdfview_ext} rw,
 
   owner @{user_config_dirs}/qpdfview/ rw,
   owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#[0-9]*[0-9],

apparmor.d/profiles-m-r/qtox

@@ -21,7 +21,6 @@ profile qtox @{exec_path} {
   include <abstractions/dri-enumerate>
   include <abstractions/nameservice-strict>
   include <abstractions/audio>
-  include <abstractions/deny-root-dir-access>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-m-r/quiterss

@@ -24,7 +24,6 @@ profile quiterss @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/gstreamer>
-  include <abstractions/deny-root-dir-access>
   # This one is needed when you want to receive sound notifications
   include <abstractions/audio>
 
@@ -68,13 +67,13 @@ profile quiterss @{exec_path} {
 
   owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw,
   owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk,
+  owner /var/tmp/etilqs_* rw,
 
   # Allowed apps to open
   /{usr/,}lib/firefox/firefox rPUx,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,
-  owner @{HOME}/.xsession-errors w,
 
 
   profile open {

apparmor.d/profiles-m-r/redshift

@@ -12,7 +12,6 @@ profile redshift @{exec_path} {
   include <abstractions/base>
   include <abstractions/wayland>
   include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/repo

@@ -15,7 +15,6 @@ profile repo @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-m-r/reprepro

@@ -11,7 +11,6 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/reprepro
 profile reprepro @{exec_path} {
   include <abstractions/base>
-  include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,