From db87c56f37e8cc97a41186da48e663d078a62ac3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 1 May 2024 14:22:42 +0100 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/freedesktop/plymouthd | 4 ++-- apparmor.d/groups/freedesktop/xprop | 2 +- apparmor.d/groups/freedesktop/xsetroot | 2 ++ apparmor.d/groups/kde/baloorunner | 2 ++ apparmor.d/groups/kde/dolphin | 13 ++++++++++--- apparmor.d/groups/kde/konsole | 7 ++++--- apparmor.d/groups/kde/kwin_wayland | 5 ++++- apparmor.d/groups/kde/plasmashell | 3 ++- apparmor.d/groups/kde/sddm | 3 +++ apparmor.d/groups/kde/sddm-greeter | 1 + apparmor.d/groups/pacman/mkinitcpio | 3 ++- .../groups/systemd/systemd-generator-gpt-auto | 1 + apparmor.d/groups/systemd/systemd-hostnamed | 1 + apparmor.d/groups/systemd/systemd-shutdown | 3 +++ apparmor.d/profiles-a-f/cups-backend-usb | 2 ++ apparmor.d/profiles-m-r/plocate | 1 + apparmor.d/profiles-s-z/smbspool | 18 ++++++++++++++++++ apparmor.d/profiles-s-z/sudo | 1 + apparmor.d/profiles-s-z/udisksd | 3 +++ apparmor.d/profiles-s-z/whatis | 4 ++++ apparmor.d/profiles-s-z/zpool | 7 +++++-- 21 files changed, 72 insertions(+), 14 deletions(-) create mode 100644 apparmor.d/profiles-s-z/smbspool diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 3fbb2389e..0b3fac14b 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -10,7 +10,8 @@ include profile plymouthd @{exec_path} { include include - include + include + include capability checkpoint_restore, capability dac_override, @@ -52,7 +53,6 @@ profile plymouthd @{exec_path} { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/graphics/ r, - @{sys}/devices/@{pci}/{,uevent,vendor,device} r, @{sys}/devices/virtual/graphics/fbcon/uevent r, @{sys}/devices/virtual/tty/console/active r, @{sys}/firmware/acpi/bgrt/{,*} r, 
diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index c9698ba17..dd837aa5c 100644 --- a/apparmor.d/groups/freedesktop/xprop +++ b/apparmor.d/groups/freedesktop/xprop @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xprop -profile xprop @{exec_path} { +profile xprop @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index 34490cc98..31851f767 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -14,6 +14,8 @@ profile xsetroot @{exec_path} { capability dac_read_search, + signal (receive) set=(kill) peer=sddm, + @{exec_path} mr, /usr/share/icons/{,**} r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 54282725c..ad3ef62e3 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -30,5 +30,7 @@ profile baloorunner @{exec_path} { @{PROC}/sys/kernel/core_pattern r, + /dev/tty r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 5e5381da8..7883ee7cf 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -15,6 +15,7 @@ profile dolphin @{exec_path} { include include include + include include include include @@ -45,9 +46,15 @@ profile dolphin @{exec_path} { # Full access to user's data / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, owner @{HOME}/{,**} rw, - - /var/lib/flatpak/exports/share/mime/ r, + owner @{run}/user/@{uid}/{,**} rw, + owner /tmp/{,**} rw, # Silence non user's data deny /boot/{,**} r, 
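Review bot: The added rule `signal (receive) set=(kill) peer=sddm,` in the xsetroot hunk admits only SIGKILL, while the matching rule this commit adds to the sddm profile is `signal (send) set=(kill, term) peer=xsetroot,`. AppArmor checks a signal against both the sender's and the receiver's profile, so a SIGTERM from sddm would still be denied on the xsetroot side. Either widen this rule to `signal (receive) set=(kill, term) peer=sddm,` or drop `term` from the sddm send rule so the two profiles agree.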
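Review bot: In the first dolphin hunk, under `# Full access to user's data`, the new `@{MOUNTS}/** rw,` is the only write grant in the group without the `owner` qualifier. If that is deliberate (for example, media carrying files owned by other uids), a comment saying so would stop a later reader treating it as an oversight; otherwise `owner @{MOUNTS}/** rw,` matches the neighbouring rules. Separately, `owner @{run}/user/@{uid}/{,**} rw,` covers everything in the runtime directory, which typically holds session sockets and other per-session state rather than user documents, so consider whether a narrower subtree or read-only access is enough for a file manager. The profile body continues outside the hunk, so later deny rules may already narrow some of this.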
@@ -65,7 +72,7 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.@{rand6}} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/session/ rw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index b3c2853fe..1e1043cfb 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -36,23 +36,24 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/sounds/** r, /etc/xdg/konsolerc r, + /etc/xdg/kshorturifilterrc r, /etc/xdg/menus/{,**} r, /etc/xdg/ui/ui_standards.rc r, owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{user_config_dirs}/#@{int} rwl, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca{5,6}_* r, + owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, owner @{user_share_dirs}/konsole/** rwlk, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 6b570b1dd..9a513c62d 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland 
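Review bot: Replacing `.conf{,.@{rand6}}` with `.conf{,.*}` in the second dolphin hunk makes the rule match any suffix, including the `.conf.lock` file that has its own `rwk` rule on the next line and so also picks up `l`. If the temporary file's suffix is simply not always six characters, a tighter pattern than `.*` would keep the grant close to what was observed. Failing that, a short comment such as `# temp suffix is not always @{rand6}` would keep the reason for the wider glob visible.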
@@ -52,6 +52,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/machine-id r, /var/lib/dbus/machine-id r, + / r, + owner @{HOME}/ r, + owner @{sddm_cache_dirs}/#@{int} rwk, owner @{sddm_cache_dirs}/fontconfig/* rwk, owner @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.LCK l -> @{sddm_cache_dirs}/fontconfig/*-le64.cache-@{int}.TMP-@{rand6}, @@ -73,7 +76,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/kwin/ rw, - owner @{user_cache_dirs}/kwin/** rwl -> @{user_cache_dirs}/kwin/**, + owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f50ced75f..b48475654 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -78,8 +78,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/fstab r, /etc/ksysguarddrc r, /etc/machine-id r, - /etc/sensors3.conf r, + /etc/os-release r, /etc/sensors.d/ r, + /etc/sensors3.conf r, /etc/xdg/** r, /var/lib/AccountsService/icons/* r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index adc56bae5..3a2977300 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm 
@@ -42,6 +42,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (receive) set=(hup) peer=@{p_systemd}, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, + signal (send) set=(kill, term) peer=xsetroot, signal (send) set=(term) peer=kwin_wayland, signal (send) set=(term) peer=sddm-greeter, signal (send) set=(term) peer=startplasma-wayland, @@ -76,6 +77,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/disable-paste rix, @{bin}/locale rix, @{bin}/manpath rix, + @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, @@ -151,6 +153,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.jsc mrw, owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.qmlc mrw, + owner @{HOME}/ r, owner @{HOME}/.local/ w, owner @{HOME}/.Xauthority rw, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f19aaf478..1944a52f2 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -37,6 +37,7 @@ profile sddm-greeter @{exec_path} { /usr/share/hunspell/** r, /etc/fstab r, + /etc/os-release r, /etc/sddm.conf r, /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index c5a1b83cc..960b87798 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -76,9 +76,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/locale.conf r, /etc/lvm/lvm.conf r, /etc/mkinitcpio.conf r, - /etc/mkinitcpio.d/{,**} r, /etc/mkinitcpio.conf.d/{,**} r, + /etc/mkinitcpio.d/{,**} r, /etc/modprobe.d/{,*} r, + /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, 
diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd/systemd-generator-gpt-auto index b1b9fbc96..5ae2b9264 100644 --- a/apparmor.d/groups/systemd/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd/systemd-generator-gpt-auto @@ -20,6 +20,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { /boot/ r, /efi/ r, /etc/fstab r, + /usr/ r, @{run}/systemd/generator.late/**.{,auto}mount w, @{run}/systemd/generator.late/local-fs.target.wants/ w, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index b4efcdc5d..d37284ec8 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -32,6 +32,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { /etc/.#machine-info@{rand6} rw, /etc/machine-id r, /etc/machine-info rw, + /etc/os-release r, @{run}/systemd/default-hostname rw, @{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index 6de9639cc..bdb8825b9 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -17,6 +17,8 @@ profile systemd-shutdown @{exec_path} { capability sys_ptrace, capability sys_resource, + mount options=(rw rprivate) -> /, + signal (send) set=(stop, cont, term, kill), signal (receive) set=(rtmin+23) peer=plymouthd, @@ -24,6 +26,7 @@ profile systemd-shutdown @{exec_path} { @{PROC}/ r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/sys/kernel/core_pattern w, diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb index c7beb7cca..ec059f654 100644 --- a/apparmor.d/profiles-a-f/cups-backend-usb +++ b/apparmor.d/profiles-a-f/cups-backend-usb 
@@ -11,6 +11,8 @@ profile cups-backend-usb @{exec_path} { include include + capability net_admin, + network netlink raw, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate index 82617fc62..21a27e43e 100644 --- a/apparmor.d/profiles-m-r/plocate +++ b/apparmor.d/profiles-m-r/plocate @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/plocate profile plocate @{exec_path} { include + include # For running as root capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/smbspool b/apparmor.d/profiles-s-z/smbspool new file mode 100644 index 000000000..4ae50fbb4 --- /dev/null +++ b/apparmor.d/profiles-s-z/smbspool @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/smbspool +profile smbspool @{exec_path} { + include + + @{exec_path} mr, + + /etc/papersize r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 4d92f30b7..e3c2f1d4a 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -14,6 +14,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) { include capability chown, + capability fowner, capability mknod, capability sys_ptrace, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 4529c2c56..cbe3a79b0 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -47,6 +47,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + mount options=(rw move) -> @{MOUNTS}/, + mount options=(rw move) -> @{MOUNTS}/*/, + # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, 
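Review bot: `capability net_admin,` is added next to `network netlink raw,` in the cups-backend-usb hunk with nothing recording which operation needs it. net_admin is a wide capability (interface, routing and firewall configuration among others), so a printer backend profile should justify it. If the audit log entry that prompted the rule was only an optional netlink socket setting the backend can run without, `deny capability net_admin,` would silence the log without granting the capability; otherwise add a comment such as `# Needed for <operation seen in the audit log>` above the rule. The same applies to `capability fowner,` in the sudo hunk, which is also added without a stated reason.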
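Review bot: Both new udisksd rules, `mount options=(rw move) -> @{MOUNTS}/,` and `mount options=(rw move) -> @{MOUNTS}/*/,`, leave the source unspecified, so any existing mount point may be moved onto the media directories. The fstype rules just above name a source device. If the moves udisksd performs always start from its temporary mount points, something like `mount options=(rw move) @{run}/udisks2/temp-mount-*/ -> @{MOUNTS}/*/,` would state that. That source path is inferred from the `# Allow mounting on temporary mount point` context below and should be confirmed against the audit log before tightening. The profile body continues outside the hunk.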
diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index b1295df1d..db62117f8 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Zane Zakraisek +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -24,5 +25,8 @@ profile whatis @{exec_path} { owner @{HOME}/.manpath r, + owner @{user_share_dirs}/man/{,**/}{,whatis} r, + owner @{user_share_dirs}/man/{,**/}index.{bt,db,dir,pag} rk, + include if exists } diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index e5aff51c7..aad07309a 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -18,15 +18,18 @@ profile zpool @{exec_path} { @{sh_path} rix, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, + /usr/share/zfs/{,**} r, + /etc/hostid r, /etc/zfs/*.cache rwk, + /tmp/tmp.* rw, + @{run}/blkid/blkid.tab rw, @{run}/blkid/blkid.tab.old rwl, @{run}/blkid/blkid.tab-@{rand6} rwl, - /tmp/tmp.* rw, - + @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r,