update apparmor profiles

Co-authored-by: Mikhail Morfikov <mmorfikov@gmail.com> Signed-off-by: Alexandre Pujol <alexandre@pujol.io>
2022-02-27 01:22:35 +00:00 · 2022-02-27 01:22:35 +00:00 · d701e39939
commit d701e39939
parent b0690c0e55
201 changed files with 540 additions and 608 deletions
--- a/apparmor.d/profiles-s-z/scrot
+++ b/apparmor.d/profiles-s-z/scrot
@ -10,7 +10,6 @@ include <tunables/global>
 profile scrot @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-download-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/smplayer
+++ b/apparmor.d/profiles-s-z/smplayer
@ -71,7 +71,6 @@ profile smplayer @{exec_path} {
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/openssl>
-  include <abstractions/deny-root-dir-access>

  # Needed for hardware decoding
  ##include <abstractions/nvidia>
@ -141,6 +140,7 @@ profile smplayer @{exec_path} {
  /{usr/,}bin/mpv        rPUx,
  /{usr/,}bin/smtube     rPUx,
  /{usr/,}bin/youtube-dl rPUx,
+  /{usr/,}bin/yt-dlp     rPUx,

  # PulseAudio (to use "pacmd")
  /{usr/,}bin/pacmd      rPUx,
--- a/apparmor.d/profiles-s-z/smtube
+++ b/apparmor.d/profiles-s-z/smtube
@ -21,7 +21,6 @@ profile smtube @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/gstreamer>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
@ -70,6 +69,7 @@ profile smtube @{exec_path} {
  /{usr/,}bin/vlc        rPUx,
  /{usr/,}bin/cvlc       rPUx,
  /{usr/,}bin/youtube-dl rPUx,
+  /{usr/,}bin/yt-dlp     rPUx,

  /{usr/,}bin/xdg-open   rCx -> open,

--- a/apparmor.d/profiles-s-z/speedtest
+++ b/apparmor.d/profiles-s-z/speedtest
@ -12,7 +12,6 @@ profile speedtest @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-s-z/spflashtool
+++ b/apparmor.d/profiles-s-z/spflashtool
@ -13,7 +13,6 @@ profile spflashtool @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mrix,

--- a/apparmor.d/profiles-s-z/startx
+++ b/apparmor.d/profiles-s-z/startx
@ -11,7 +11,6 @@ profile startx @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,
--- a/apparmor.d/profiles-s-z/strawberry
+++ b/apparmor.d/profiles-s-z/strawberry
@ -27,7 +27,6 @@ profile strawberry @{exec_path} {
  include <abstractions/ssl_certs>
  include <abstractions/devices-usb>
  include <abstractions/gstreamer>
-  include <abstractions/deny-root-dir-access>

  signal (send) set=(term, kill) peer=strawberry-tagreader,

--- a/apparmor.d/profiles-s-z/strawberry-tagreader
+++ b/apparmor.d/profiles-s-z/strawberry-tagreader
@ -14,7 +14,6 @@ profile strawberry-tagreader @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  signal (receive) set=(term, kill) peer=strawberry,
  signal (receive) set=(term, kill) peer=anyremote//*,
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@ -10,7 +10,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/syncthing
 profile syncthing @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@ -17,7 +17,6 @@ profile system-config-printer @{exec_path} flags=(complain) {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/openssl>
-  include <abstractions/deny-root-dir-access>

  network inet stream,
  network inet6 stream,
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@ -10,6 +10,8 @@ include <tunables/global>
 profile thermald @{exec_path} {
  include <abstractions/base>

+  capability sys_boot,
+
  @{exec_path} mr,

  owner @{run}/thermald/ rw,
@ -42,6 +44,7 @@ profile thermald @{exec_path} {
  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,

+  @{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r,
  @{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw,
  @{sys}/devices/virtual/thermal/cooling_device[0-9]*/max_state r,

@ -49,6 +52,9 @@ profile thermald @{exec_path} {
  @{sys}/devices/virtual/powercap/intel-rapl/**/name r,
  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/ r,
  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/* r,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w,

  include if exists <local/thermald>
 }
--- a/apparmor.d/profiles-s-z/tint2
+++ b/apparmor.d/profiles-s-z/tint2
@ -12,7 +12,6 @@ profile tint2 @{exec_path} {
  include <abstractions/freedesktop.org>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/deny-root-dir-access>
  include <abstractions/app-launcher-user>

  network netlink dgram,
--- a/apparmor.d/profiles-s-z/tint2conf
+++ b/apparmor.d/profiles-s-z/tint2conf
@ -13,7 +13,6 @@ profile tint2conf @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/transmission-qt
+++ b/apparmor.d/profiles-s-z/transmission-qt
@ -25,7 +25,6 @@ profile transmission-qt @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-s-z/udiskie
+++ b/apparmor.d/profiles-s-z/udiskie
@ -19,8 +19,6 @@ profile udiskie @{exec_path} {
  include <abstractions/thumbnails-cache-read>
  include <abstractions/mesa>
  include <abstractions/dri-enumerate>
-  include <abstractions/deny-dconf>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,
  /{usr/,}bin/python3.[0-9]* r,
@ -39,6 +37,10 @@ profile udiskie @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

+  include <abstractions/dconf>
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+
  # Allowed apps to open
  /{usr/,}bin/spacefm rPx,

--- a/apparmor.d/profiles-s-z/usbguard-applet-qt
+++ b/apparmor.d/profiles-s-z/usbguard-applet-qt
@ -18,7 +18,6 @@ profile usbguard-applet-qt @{exec_path} {
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  # Needed?
  ptrace (read),
--- a/apparmor.d/profiles-s-z/utox
+++ b/apparmor.d/profiles-s-z/utox
@ -17,7 +17,6 @@ profile utox @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/audio>
  include <abstractions/video>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-s-z/vcsi
+++ b/apparmor.d/profiles-s-z/vcsi
@ -13,7 +13,6 @@ profile vcsi @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/user-download-strict>
  include <abstractions/python>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,
  /{usr/,}bin/python3.[0-9]* r,
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@ -51,7 +51,6 @@ profile vidcutter @{exec_path} {
  include <abstractions/python>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,
  /{usr/,}bin/python3.[0-9]* r,
--- a/apparmor.d/profiles-s-z/vnstat
+++ b/apparmor.d/profiles-s-z/vnstat
@ -10,7 +10,6 @@ include <tunables/global>
 profile vnstat @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/deny-root-dir-access>

  # The following rules are needed when adding a new interface to the vnstat database. Usually this
  # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the
--- a/apparmor.d/profiles-s-z/volumeicon
+++ b/apparmor.d/profiles-s-z/volumeicon
@ -19,7 +19,6 @@ profile volumeicon @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/wayland>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@ -11,7 +11,6 @@ profile vsftpd @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
-  include <abstractions/deny-root-dir-access>

  # Only for local users authentication
  include <abstractions/authentication>
--- a/apparmor.d/profiles-s-z/warzone2100
+++ b/apparmor.d/profiles-s-z/warzone2100
@ -16,7 +16,6 @@ profile warzone2100 @{exec_path} {
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
  include <abstractions/audio>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-s-z/wmctrl
+++ b/apparmor.d/profiles-s-z/wmctrl
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/wmctrl
 profile wmctrl @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/wpa-gui
+++ b/apparmor.d/profiles-s-z/wpa-gui
@ -17,7 +17,6 @@ profile wpa-gui @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xarchiver
+++ b/apparmor.d/profiles-s-z/xarchiver
@ -16,7 +16,6 @@ profile xarchiver @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  include <abstractions/thumbnails-cache-read>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mrix,

--- a/apparmor.d/profiles-s-z/xauth
+++ b/apparmor.d/profiles-s-z/xauth
@ -10,7 +10,6 @@ include <tunables/global>
 profile xauth @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xbacklight
+++ b/apparmor.d/profiles-s-z/xbacklight
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xbacklight
 profile xbacklight @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xdg-desktop-menu
+++ b/apparmor.d/profiles-s-z/xdg-desktop-menu
@ -11,7 +11,6 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/consoles>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,

--- a/apparmor.d/profiles-s-z/xdg-email
+++ b/apparmor.d/profiles-s-z/xdg-email
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-email
 profile xdg-email @{exec_path} flags=(complain) {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path}  r,
  /{usr/,}bin/{,ba,da}sh rix,
--- a/apparmor.d/profiles-s-z/xdg-icon-resource
+++ b/apparmor.d/profiles-s-z/xdg-icon-resource
@ -11,7 +11,6 @@ profile xdg-icon-resource @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,

--- a/apparmor.d/profiles-s-z/xdg-screensaver
+++ b/apparmor.d/profiles-s-z/xdg-screensaver
@ -10,7 +10,6 @@ include <tunables/global>
 profile xdg-screensaver @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} r,

--- a/apparmor.d/profiles-s-z/xfce4-notifyd
+++ b/apparmor.d/profiles-s-z/xfce4-notifyd
@ -17,7 +17,6 @@ profile xfce4-notifyd @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xfconfd
+++ b/apparmor.d/profiles-s-z/xfconfd
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd
 profile xfconfd @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xhost
+++ b/apparmor.d/profiles-s-z/xhost
@ -10,7 +10,6 @@ include <tunables/global>
 profile xhost @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xinit
+++ b/apparmor.d/profiles-s-z/xinit
@ -10,7 +10,6 @@ include <tunables/global>
 profile xinit @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xkbcomp
+++ b/apparmor.d/profiles-s-z/xkbcomp
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xkbcomp
 profile xkbcomp @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xorg
+++ b/apparmor.d/profiles-s-z/xorg
@ -24,7 +24,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
-  include <abstractions/deny-root-dir-access>

  # When the Xserver is started via startx as a regular user, there's no need for any of the
  # following CAPs. When some DM is used instead, some of the CAPs are needed.
--- a/apparmor.d/profiles-s-z/xrdb
+++ b/apparmor.d/profiles-s-z/xrdb
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xrdb
 profile xrdb @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xsel
+++ b/apparmor.d/profiles-s-z/xsel
@ -10,7 +10,6 @@ include <tunables/global>
 profile xsel @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xset
+++ b/apparmor.d/profiles-s-z/xset
@ -10,7 +10,6 @@ include <tunables/global>
 profile xset @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/xsetroot
+++ b/apparmor.d/profiles-s-z/xsetroot
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xsetroot
 profile xsetroot @{exec_path} {
  include <abstractions/base>
-  include <abstractions/deny-root-dir-access>

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/youtube-dl
+++ b/apparmor.d/profiles-s-z/youtube-dl
@ -52,7 +52,6 @@ profile youtube-dl @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
-  include <abstractions/deny-root-dir-access>

  signal (receive) set=(term, kill),

--- a/apparmor.d/profiles-s-z/youtube-viewer
+++ b/apparmor.d/profiles-s-z/youtube-viewer
@ -14,7 +14,6 @@ profile youtube-viewer @{exec_path} {
  include <abstractions/perl>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
-  include <abstractions/deny-root-dir-access>

  signal (receive) set=(hup, winch) peer=gtk-youtube-viewer//xterm,

--- a/apparmor.d/profiles-s-z/yt-dlp
+++ b/apparmor.d/profiles-s-z/yt-dlp
@ -41,12 +41,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/yt-dlp
 profile yt-dlp @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/python>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
-  include <abstractions/deny-root-dir-access>

  network inet dgram,
  network inet6 dgram,
@ -58,16 +58,22 @@ profile yt-dlp @{exec_path} {
  /{usr/,}bin/python3.[0-9]* r,

  /{usr/,}bin/ r,
-  /{usr/,}bin/file rix,
+  /{usr/,}bin/file    rix,
+
+  /{usr/,}bin/ffmpeg  rPx,
+  /{usr/,}bin/ffprobe rPx,

  # Which files yt-dlp should be able to open
  owner /media/**/ r,
  owner /media/**.@{ytdlp_ext} rw,

+  owner @{HOME}/.cache/ rw,
+  owner @{HOME}/.cache/yt-dlp/ rw,
+  owner @{HOME}/.cache/yt-dlp/** rw,
+
  owner @{PROC}/@{pid}/fd/ r,

  /etc/magic r,

-
  include if exists <local/yt-dlp>
 }
--- a/apparmor.d/profiles-s-z/ytdl
+++ b/apparmor.d/profiles-s-z/ytdl
@ -46,7 +46,6 @@ profile ytdl @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
-  include <abstractions/deny-root-dir-access>

  signal (receive) set=(term, kill),