diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 74edf6a63..27fd724ee 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -13,6 +13,11 @@ #/etc/udev/udev.conf r, #/etc/wildmidi/wildmidi.cfg r, + /etc/openni2/OpenNI.ini r, + + /tmp/ r, + /var/tmp/ r, + /dev/ r, /dev/bus/usb/ r, /dev/dri/ r, @@ -21,16 +26,19 @@ #owner /{dev,run}/shm/shmfd-* rw, # - @{run}/udev/data/c81:* r, # For video4linux - @{run}/udev/data/c226:* r, # For /dev/dri/card[0-9]* - @{run}/udev/data/+drm:* r, # For screen outputs - #@{run}/udev/data/+pci:* r, - @{run}/udev/data/+usb:* r, + @{run}/udev/data/c81:[0-9]* r, # For video4linux + @{run}/udev/data/c189:[0-9]* r, # For /dev/bus/usb/** + @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]* + @{run}/udev/data/+drm:* r, # For screen outputs + #@{run}/udev/data/+pci:* r, + @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** @{sys}/bus/ r, @{sys}/bus/usb/devices/ r, + @{sys}/bus/media/devices/ r, @{sys}/class/ r, @{sys}/class/drm/ r, + @{sys}/class/video4linux/ r, @{sys}/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache new file mode 100644 index 000000000..d63dd0c5d --- /dev/null +++ b/apparmor.d/abstractions/qt5-shader-cache 
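Review bot: The new `/tmp/ r,`, `/var/tmp/ r,` and `/dev/ r,` rules in the first gstreamer hunk land in an abstraction, so every profile that includes it gains directory listing of the shared temp dirs (other users' temp file names become enumerable) without any comment saying which plugin needs it. The neighbouring rules carry trailing comments such as `# For video4linux`; a similar one here, `/tmp/ r, # TODO: name the gstreamer plugin that lists shared temp dirs`, would let a later reviewer judge whether the rule belongs in the abstraction or in a single profile. The narrowed `c81:[0-9]*` and new `c189:[0-9]*` udev patterns in the second hunk look right and are documented.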
@@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.cache/qtshadercache/ rw, + owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9], + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/ rw, + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9], diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index 699e76afe..aea80d21c 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -32,6 +32,7 @@ profile calibre @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox index e834cb4ca..e7476e04c 100644 --- a/apparmor.d/groups/apps/dropbox +++ b/apparmor.d/groups/apps/dropbox @@ -56,6 +56,7 @@ profile dropbox @{exec_path} { /{usr/,}bin/dirname rix, /{usr/,}bin/uname rix, /{usr/,}{s,}bin/ldconfig rix, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, /{usr/,}bin/{,@{multiarch}-}objdump rix, diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin index fbdcf2fb8..699f2b470 100644 --- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin +++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin 
@@ -73,32 +73,32 @@ @{libo_user_dirs} = @{HOME} /mnt /media -include +#include profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) { - include + #include - include - include - include - include - include - include - include - include - include - include - include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include # GnuPG1 only... -# include - include - include +# #include + #include + #include - include + #include - include - include - include + #include + #include + #include #List directories for file browser / r, @@ -107,7 +107,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own owner @{libo_user_dirs}/**~lock.* rw, #lock file support owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts - owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving + owner @{libo_user_dirs}/{,**/}lu???????????{,?}.tmp rwk, #Temporary file used when saving owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE # Settings @@ -214,8 +214,8 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp owner @{user_share_dirs}/user-places.xbel r, # there is abstractions/gnupg but that's just for gpg1... - profile gpg flags=(complain) { - include + profile gpg { + #include /usr/bin/gpgconf rm, /usr/bin/gpg rm, diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index 123043649..22c414b75 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture 
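Review bot: The temp-file pattern in the second libreoffice hunk moves from `lu??????????{,?}.tmp` (10 or 11 characters after `lu`) to `lu???????????{,?}.tmp` (11 or 12), so the 10-character form is dropped rather than the new length added. If the shorter name can still occur, the rule should cover both, e.g. `owner @{libo_user_dirs}/{,**/}lu??????????{,?,??}.tmp rwk, #Temporary file used when saving`; if the new length is known to be the only one, a short comment saying so would stop the next reader from widening it again. Because the profile is in complain mode the regression would only show up as a log entry. The enclosing profile starts and ends outside the hunk.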
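Review bot: In the third libreoffice hunk the `gpg` child profile drops `flags=(complain)` while the parent `libreoffice-soffice` keeps it, so gpg operations started from LibreOffice become the only enforced part of this profile, and any rule missing from the child (its body continues outside the hunk) turns into a real denial rather than a log line. That may be intended, but nothing in the diff says so; a comment on the line, `profile gpg { # enforced while the parent stays in complain mode`, would make the asymmetry deliberate. The `include` to `#include` rewrites in the first hunk are the legacy spelling of the same directive, not disabled includes, which is worth stating since they read like comment-outs.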
@@ -12,16 +12,21 @@ profile dpkg-architecture @{exec_path} { include include + capability dac_read_search, + @{exec_path} r, /usr/bin/perl r, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}bin/ccache rCx -> ccache, /{usr/,}bin/dpkg rPx -> child-dpkg, /usr/share/dpkg/** r, + /etc/debian_version r, + # file_inherit owner /tmp/* rw, @@ -31,10 +36,14 @@ profile dpkg-architecture @{exec_path} { /{usr/,}bin/ccache mr, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, /media/ccache/*/** rw, + /etc/debian_version r, + } include if exists diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 226d613b6..50e1fa9a4 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2015-2020 Mikhail Morfikov +# Copyright (C) 2015-2021 Mikhail Morfikov # 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only @@ -100,6 +100,12 @@ profile firefox @{exec_path} { deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r, + # For Cryptographic Attestation of Personhood + #@{sys}/bus/ r, + #@{sys}/class/ r, + #@{sys}/class/hidraw/ r, + #@{run}/udev/data/c241:[0-9]* r, # dynamic + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cgroup r, deny owner @{PROC}/@{pid}/stat r, @@ -126,6 +132,7 @@ profile firefox @{exec_path} { # Set default browser /{usr/,}bin/update-mime-database rPx, + owner @{user_config_dirs}/ r, owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, 
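Review bot: `capability dac_read_search,` in the first dpkg-architecture hunk lets the confined process bypass directory search and file read permission checks system-wide, and nothing in the hunk records which access triggered it. The rest of the profile is narrowly scoped (`/usr/share/dpkg/** r,`, `/etc/debian_version r,`), so this capability is by far the broadest grant in it; it should carry its reason, e.g. `capability dac_read_search, # TODO: record the denied path that required this`, or be replaced by a file rule for that path if one suffices. The enclosing profile continues outside the hunk.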
diff --git a/apparmor.d/groups/browsers/torbrowser.Tor.tor b/apparmor.d/groups/browsers/torbrowser.Tor.tor index cef2f6016..77861cd95 100644 --- a/apparmor.d/groups/browsers/torbrowser.Tor.tor +++ b/apparmor.d/groups/browsers/torbrowser.Tor.tor @@ -1,10 +1,10 @@ -include -include +#include +#include @{torbrowser_tor_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/TorBrowser/Tor/tor profile torbrowser_tor @{torbrowser_tor_executable} { - include + #include network netlink raw, network tcp, @@ -24,7 +24,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} { # Support some of the included pluggable transports owner @{torbrowser_home_dir}/TorBrowser/Tor/PluggableTransports/** rix, @{PROC}/sys/net/core/somaxconn r, - include + #include # Silence file_inherit logs deny @{torbrowser_home_dir}/{browser/,}omni.ja r, @@ -38,6 +38,7 @@ profile torbrowser_tor @{torbrowser_tor_executable} { @{PROC}/sys/kernel/random/uuid r, /sys/devices/system/cpu/ r, + /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, # OnionShare compatibility /tmp/onionshare/** rw, diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 447cefce5..99fb913f7 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -22,9 +22,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, - network bluetooth stream, - network bluetooth seqpacket, - ptrace (read) peer=unconfined, @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 66089521a..a2aba291f 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
@@ -36,6 +36,11 @@ profile gpg-agent @{exec_path} { owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, owner /var/lib/*/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /tmp/tmp.*/gnupg/ rw, + owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw, + owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw, + owner /tmp/tmp.*/gnupg/S.gpg-agent rw, + # For debuild owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w, owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index 8293c5d01..fc3b7da55 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -13,7 +13,18 @@ profile gpg-connect-agent @{exec_path} { @{exec_path} mr, + /{usr/,}bin/gpg-agent rPx, + /etc/inputrc r, + owner @{PROC}/@{pid}/fd/ r, + + owner @{run}/user/@{uid}/gnupg/d.*/ rw, + + owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid} rw, + owner /tmp/tmp.*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, + owner /tmp/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, + include if exists } + diff --git a/apparmor.d/profiles-a-l/anki b/apparmor.d/profiles-a-l/anki index 6550785e4..4a38062cc 100644 --- a/apparmor.d/profiles-a-l/anki +++ b/apparmor.d/profiles-a-l/anki @@ -20,6 +20,7 @@ profile anki @{exec_path} { include include include + include include include include @@ -28,6 +29,12 @@ profile anki @{exec_path} { signal (send) set=(term, kill) peer=anki//mpv, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, 
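Review bot: The new `owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,` block in the gpg-agent hunk grants read/write on private key material under a temporary home, but unlike the block right below it (`# For debuild`) it has no comment naming the use case. The `tmp.*` prefix suggests a mktemp-style directory; a header such as `# For temporary GNUPGHOME directories (TODO: name the tool that creates them)` would let the rule's scope be reviewed against a concrete caller. The enclosing profile continues outside the hunk.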
@@ -57,9 +64,15 @@ profile anki @{exec_path} { /usr/share/javascript/**/*.js r, + owner @{user_cache_dirs}/Anki/ rw, + owner @{user_cache_dirs}/Anki/** rw, + owner @{user_share_dirs}/Anki{,2}/ rw, owner @{user_share_dirs}/Anki{,2}/** rwk, + owner @{HOME}/ r, + owner @{HOME}/.cache/ rw, + # To remove the following error: # Error initializing NSS with a persistent database owner @{HOME}/.pki/ rw, @@ -78,10 +91,13 @@ profile anki @{exec_path} { # [:FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 0) @{PROC}/ r, owner @{PROC}/@{pid}/fd/ r, - deny owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pids}/statm r, + owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/sys/fs/inotify/max_user_watches r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, deny owner @{PROC}/@{pid}/cmdline r, # To remove the following error: @@ -90,7 +106,7 @@ profile anki @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, deny @{PROC}/sys/kernel/random/boot_id r, - deny @{PROC}/vmstat r, + @{PROC}/vmstat r, deny owner @{PROC}/@{pid}/setgroups w, /etc/fstab r, diff --git a/apparmor.d/profiles-a-l/arduino-builder b/apparmor.d/profiles-a-l/arduino-builder index 3553c0334..c4c0e3a73 100644 --- a/apparmor.d/profiles-a-l/arduino-builder +++ b/apparmor.d/profiles-a-l/arduino-builder @@ -23,6 +23,7 @@ profile arduino-builder @{exec_path} { /{usr/,}lib/gcc/avr/[0-9]*/collect2 rix, /{usr/,}lib/gcc/avr/[0-9]*/lto-wrapper rix, /{usr/,}lib/gcc/avr/[0-9]*/lto1 rix, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}lib/avr/bin/as rix, /{usr/,}lib/avr/bin/ar rix, /{usr/,}lib/avr/bin/ld rix, diff --git a/apparmor.d/profiles-a-l/borg b/apparmor.d/profiles-a-l/borg index 288cacea5..4cb1f4ae3 100644 --- a/apparmor.d/profiles-a-l/borg +++ b/apparmor.d/profiles-a-l/borg 
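Review bot: The third anki hunk flips `deny owner @{PROC}/@{pid}/mem r,` to an allow and the fourth does the same for `deny @{PROC}/vmstat r,`, while the `# [:FATAL:sandbox_linux.cc(172)]` comment that introduced the block still frames these as silenced sandbox probes. Reading `/proc/<pid>/mem` is the one that matters: `owner` limits it to same-uid processes, and whether `@{pid}` here means only the task's own pid or any pid depends on this repo's tunables, so the rule may expose other processes' memory. If the allow is needed for something concrete it should say so, e.g. `owner @{PROC}/@{pid}/mem r, # TODO: name the feature that fails when this is denied`; otherwise keeping the deny is the safer default. The enclosing profile continues outside the hunk.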
@@ -92,10 +92,14 @@ profile borg @{exec_path} { /{usr/,}bin/ccache mr, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, /media/ccache/*/** rw, + /etc/debian_version r, + } profile fusermount { diff --git a/apparmor.d/profiles-a-l/dkms b/apparmor.d/profiles-a-l/dkms index bb1f731a0..e8031ec17 100644 --- a/apparmor.d/profiles-a-l/dkms +++ b/apparmor.d/profiles-a-l/dkms @@ -49,6 +49,7 @@ profile dkms @{exec_path} { /{usr/,}bin/make rix, /{usr/,}bin/{,@{multiarch}-}* rix, /{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}bin/kmod rCx -> kmod, /{usr/,}bin/lsb_release rPx -> child-lsb_release, @@ -70,6 +71,7 @@ profile dkms @{exec_path} { /etc/dkms/{,**} r, # For building module in /usr/src/ subdirs + /usr/src/ r, /usr/src/** rw, /usr/src/linux-headers-*/scripts/gcc-plugins/*.so mr, /usr/src/linux-headers-*/scripts/** rix, diff --git a/apparmor.d/profiles-a-l/exim4 b/apparmor.d/profiles-a-l/exim4 index c8463b566..69392267f 100644 --- a/apparmor.d/profiles-a-l/exim4 +++ b/apparmor.d/profiles-a-l/exim4 @@ -53,22 +53,25 @@ profile exim4 @{exec_path} { /etc/email-addresses r, /etc/aliases r, - deny /var/log/exim4/ w, + /var/log/exim4/ w, /var/log/exim4/mainlog w, /var/log/exim4/paniclog w, + /var/log/exim4/rejectlog w, - owner /var/spool/exim4/ r, + /var/spool/exim4/ r, /var/spool/exim4/input/ r, /var/spool/exim4/input/*-*-*-* rwk, owner /var/spool/exim4/input/hdr.*-*-* rw, owner /var/spool/exim4/input/hdr.@{pid} rw, /var/spool/exim4/db/retry.lockfile rwk, + owner /var/spool/exim4/db/__db.retry rwk, /var/spool/exim4/msglog/*-*-* w, owner /var/mail/* rwk, owner /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]* w, owner /var/mail/*.lock wl -> /var/mail/*.lock.*.[0-9a-f]*.[0-9a-f]*, + @{run}/exim4/ r, owner @{run}/exim4/exim.pid rw, owner @{run}/dbus/system_bus_socket rw, 
diff --git a/apparmor.d/profiles-a-l/hardinfo b/apparmor.d/profiles-a-l/hardinfo index ccb2e00eb..dfed76060 100644 --- a/apparmor.d/profiles-a-l/hardinfo +++ b/apparmor.d/profiles-a-l/hardinfo @@ -126,10 +126,14 @@ profile hardinfo @{exec_path} { /{usr/,}bin/ccache mr, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, /media/ccache/*/** rw, + /etc/debian_version r, + } profile javac { diff --git a/apparmor.d/profiles-a-l/inxi b/apparmor.d/profiles-a-l/inxi index ab794bba0..e155345d5 100644 --- a/apparmor.d/profiles-a-l/inxi +++ b/apparmor.d/profiles-a-l/inxi @@ -27,10 +27,12 @@ profile inxi @{exec_path} { /{usr/,}bin/zsh rix, /{usr/,}bin/tty rix, /{usr/,}bin/tput rix, - /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, /{usr/,}bin/getconf rix, /{usr/,}bin/file rix, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, + /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + /{usr/,}bin/ip rCx -> ip, /{usr/,}lib/systemd/systemd rCx -> systemd, /{usr/,}bin/kmod rCx -> kmod, diff --git a/apparmor.d/profiles-a-l/kscreenlocker-greet b/apparmor.d/profiles-a-l/kscreenlocker-greet index 00839aff2..acf2453f3 100644 --- a/apparmor.d/profiles-a-l/kscreenlocker-greet +++ b/apparmor.d/profiles-a-l/kscreenlocker-greet @@ -16,6 +16,7 @@ profile kscreenlocker-greet @{exec_path} { include include include + include include include diff --git a/apparmor.d/profiles-m-z/merkaartor b/apparmor.d/profiles-m-z/merkaartor new file mode 100644 index 000000000..debbaf248 --- /dev/null +++ b/apparmor.d/profiles-m-z/merkaartor 
@@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/merkaartor +profile merkaartor @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + + @{exec_path} mr, + + /usr/share/merkaartor/{,**} r, + + owner @{HOME}/.config/Merkaartor/ rw, + owner @{HOME}/.config/Merkaartor/* rwkl -> @{HOME}/.config/Merkaartor/, + + owner @{HOME}/.merkaartor/ rw, + owner @{HOME}/.merkaartor/* rw, + + owner @{HOME}/merkaartor.log rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration + owner @{HOME}/.config/qt5ct/{,**} r, + /usr/share/qt5ct/** r, + + /usr/share/hwdata/pnp.ids r, + + deny owner @{PROC}/@{pid}/cmdline r, + + owner /tmp/qtsingleapp-merkaa-* rw, + owner /tmp/qtsingleapp-merkaa-*-lockfile rwk, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + + include if exists +} diff --git a/apparmor.d/profiles-m-z/minitube b/apparmor.d/profiles-m-z/minitube index 29ddf17cc..5e364b98c 100644 --- a/apparmor.d/profiles-m-z/minitube +++ b/apparmor.d/profiles-m-z/minitube @@ -17,10 +17,10 @@ profile minitube @{exec_path} { include include include - include include include include + include include include include diff --git a/apparmor.d/profiles-m-z/pinentry-kwallet b/apparmor.d/profiles-m-z/pinentry-kwallet index 9138e41ba..90a6762d8 100644 --- a/apparmor.d/profiles-m-z/pinentry-kwallet +++ b/apparmor.d/profiles-m-z/pinentry-kwallet @@ -11,7 +11,6 @@ profile pinentry-kwallet @{exec_path} { include include include - include signal (send) set=(term, kill) peer=gpg-agent, 
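Review bot: In the new merkaartor profile the link rule `owner @{HOME}/.config/Merkaartor/* rwkl -> @{HOME}/.config/Merkaartor/,` names a directory (trailing slash) as the link target, which a hard link can never be; compare the qt5-shader-cache abstraction in this commit, whose link targets are file patterns. The target should presumably be `@{HOME}/.config/Merkaartor/*` (or the specific temporary name the settings writer uses, if known), so the rule covers whatever link operation it is meant to allow rather than matching nothing. The file also carries no comment on `owner @{HOME}/merkaartor.log rw,`, a log written directly into the home root, which is unusual enough to deserve one.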
diff --git a/apparmor.d/profiles-m-z/pinentry-qt b/apparmor.d/profiles-m-z/pinentry-qt index 0bcb9e96b..bcd7de01a 100644 --- a/apparmor.d/profiles-m-z/pinentry-qt +++ b/apparmor.d/profiles-m-z/pinentry-qt @@ -18,7 +18,6 @@ profile pinentry-qt @{exec_path} { include include include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-z/pipewire b/apparmor.d/profiles-m-z/pipewire new file mode 100644 index 000000000..e90bf484c --- /dev/null +++ b/apparmor.d/profiles-m-z/pipewire @@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2015-2020 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/pipewire +profile pipewire @{exec_path} { + include + include + + ptrace (read) peer=pipewire-media-session, + ptrace (read) peer=pipewire-pulse, + + # Needed for all sound/music apps. + ptrace (read), + + @{exec_path} mr, + + /etc/pipewire/pipewire.conf r, + /etc/pipewire/client.conf r, + + owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk, + + /dev/snd/controlC[0-9]* rw, + /dev/snd/pcmC[0-9]*D[0-9]*p rw, + /dev/snd/pcmC[0-9]*D[0-9]*c rw, + + /usr/share/alsa/{,**} r, + /etc/alsa/{,**} r, + + /dev/shm/ r, + @{run}/shm/ r, + /etc/pulse/{,**} r, + owner @{HOME}/.config/pulse/ rw, + owner @{HOME}/.config/pulse/cookie rwk, + owner @{run}/user/@{uid}/pulse/ r, + + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + + / r, + + include if exists +} diff --git a/apparmor.d/profiles-m-z/pipewire-media-session b/apparmor.d/profiles-m-z/pipewire-media-session new file mode 100644 index 000000000..7a234d0fe --- /dev/null +++ b/apparmor.d/profiles-m-z/pipewire-media-session 
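Review bot: The bare `ptrace (read),` in the new pipewire profile grants proc-introspection of every process on the system, which makes the two `peer=` lines immediately above it redundant and goes beyond what `# Needed for all sound/music apps.` explains; the new pipewire-pulse profile in the next hunk repeats the same pattern. If the need is to read client state, a `peer=` list of the client profiles would keep the grant bounded; if it truly has to be unbounded, the comment should say which access fails otherwise, e.g. `ptrace (read), # TODO: record the /proc path pipewire reads on its clients`. The `/ r,` rule near the end would also benefit from a one-line reason.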
@@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2015-2020 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/pipewire-media-session +profile pipewire-media-session @{exec_path} { + include + include + + network netlink raw, + + @{exec_path} mr, + + /etc/pipewire/media-session.d/*.conf r, + + owner @{HOME}/.config/pipewire/ rw, + owner @{HOME}/.config/pipewire/** rw, + + /dev/snd/controlC[0-9]* rw, + /dev/snd/pcmC[0-9]*D[0-9]*p rw, + /dev/snd/pcmC[0-9]*D[0-9]*c rw, + + /usr/share/alsa-card-profile/{,**} r, + /usr/share/alsa/{,**} r, + /etc/alsa/{,**} r, + + /dev/shm/ r, + @{run}/shm/ r, + /etc/pulse/{,**} r, + owner @{HOME}/.config/pulse/ rw, + owner @{HOME}/.config/pulse/cookie rwk, + owner @{run}/user/@{uid}/pulse/ rw, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/sound/ r, + @{sys}/class/video4linux/ r, + + @{sys}/devices/**/sound/**/uevent r, + + @{run}/udev/data/+sound:card[0-9]* r, # For sound + @{run}/udev/data/c116:[0-9]* r, # For ALSA + + @{run}/systemd/users/@{uid} r, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + + include if exists +} diff --git a/apparmor.d/profiles-m-z/pipewire-pulse b/apparmor.d/profiles-m-z/pipewire-pulse new file mode 100644 index 000000000..1ccf3c33f --- /dev/null +++ b/apparmor.d/profiles-m-z/pipewire-pulse 
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2015-2020 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/pipewire-pulse +profile pipewire-pulse @{exec_path} { + include + include + + ptrace (read) peer=pipewire, + ptrace (read) peer=pipewire-media-session, + + # Needed for all sound/music apps. + ptrace (read), + + @{exec_path} mr, + + /etc/pipewire/client.conf r, + + /etc/pipewire/pipewire-pulse.conf r, + + owner @{run}/user/@{uid}/pulse/pid w, + + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + + / r, + + include if exists +} diff --git a/apparmor.d/profiles-m-z/polkitd b/apparmor.d/profiles-m-z/polkitd index a0d1cb67e..2a11480bc 100644 --- a/apparmor.d/profiles-m-z/polkitd +++ b/apparmor.d/profiles-m-z/polkitd @@ -30,21 +30,22 @@ profile polkitd @{exec_path} { @{PROC}/cmdline r, # System rules - /etc/polkit-1/rules.d/{,[0-9][0-9]-*.rules} r, + /etc/polkit-1/rules.d/ r, + /etc/polkit-1/rules.d/[0-9][0-9]-*.rules r, # Vendor rules - /usr/share/polkit-1/rules.d/{,*.rules} r, + /usr/share/polkit-1/rules.d/ r, + /usr/share/polkit-1/rules.d/*.rules r, # Vendor policies - /usr/share/polkit-1/actions/{,*.policy} r, + /usr/share/polkit-1/actions/ r, + /usr/share/polkit-1/actions/*.policy r, + /usr/share/polkit-1/actions/*.policy.choice r, owner /var/lib/polkit-1/.cache/ rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - # Silencer - deny /.cache/ rw, - include if exists } diff --git a/apparmor.d/profiles-m-z/pulseeffects b/apparmor.d/profiles-m-z/pulseeffects new file mode 100644 index 000000000..e2f983bfa --- /dev/null +++ b/apparmor.d/profiles-m-z/pulseeffects 
@@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2015-2020 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/pulseeffects +profile pulseeffects @{exec_path} { + include + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + /etc/pipewire/pipewire.conf r, + /etc/pipewire/client.conf r, + + owner @{HOME}/.config/PulseEffects/ rw, + owner @{HOME}/.config/PulseEffects/** rw, + + owner @{HOME}/.config/autostart/pulseeffects-service.desktop w, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + include + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, + + # file_inherit + owner /dev/tty[0-9]* rw, + + include if exists +} diff --git a/apparmor.d/profiles-m-z/rpi-imager b/apparmor.d/profiles-m-z/rpi-imager index 628d01d46..fe08acabe 100644 --- a/apparmor.d/profiles-m-z/rpi-imager +++ b/apparmor.d/profiles-m-z/rpi-imager @@ -19,6 +19,7 @@ profile rpi-imager @{exec_path} { include include include + include include include @@ -28,7 +29,7 @@ profile rpi-imager @{exec_path} { network inet dgram, network inet6 dgram, network inet stream, - network inet6 stream, + network inet6 stream, network netlink dgram, network netlink raw, diff --git a/apparmor.d/profiles-m-z/sddm-greeter b/apparmor.d/profiles-m-z/sddm-greeter index dc42ef533..bf271b1ec 100644 --- a/apparmor.d/profiles-m-z/sddm-greeter +++ b/apparmor.d/profiles-m-z/sddm-greeter @@ -14,6 +14,7 @@ profile sddm-greeter @{exec_path} { include include include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-z/spectre-meltdown-checker b/apparmor.d/profiles-m-z/spectre-meltdown-checker index f79c19dea..4a6c618ac 100644 --- a/apparmor.d/profiles-m-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-m-z/spectre-meltdown-checker 
@@ -104,10 +104,14 @@ profile spectre-meltdown-checker @{exec_path} { /{usr/,}bin/ccache mr, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix, /media/ccache/*/** rw, + /etc/debian_version r, + } profile pgrep { diff --git a/apparmor.d/profiles-m-z/thermald b/apparmor.d/profiles-m-z/thermald new file mode 100644 index 000000000..a8e20a636 --- /dev/null +++ b/apparmor.d/profiles-m-z/thermald 
@@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2015-2020 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}sbin/thermald +profile thermald @{exec_path} { + include + + @{exec_path} mr, + + owner @{run}/thermald/ rw, + owner @{run}/thermald/thd_preference.conf rw, + owner @{run}/thermald/thd_preference.conf.save w, + owner @{run}/thermald/thermald.pid rwk, + + /etc/thermald/thermal-conf.xml r, + /etc/thermald/thermal-cpu-cdev-order.xml r, + + @{sys}/class/hwmon/ r, + @{sys}/class/thermal/ r, + @{sys}/devices/platform/ r, + + @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/cpu/intel_pstate/max_perf_pct r, + @{sys}/devices/system/cpu/intel_pstate/status r, + + @{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r, + + @{sys}/devices/**/hwmon[0-9]*/name r, + @{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_{max,crit} r, + + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_uuid r, + + @{sys}/devices/virtual/thermal/**/{type,temp} r, + + @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r, + + @{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw, + @{sys}/devices/virtual/thermal/cooling_device[0-9]*/max_state r, + + @{sys}/devices/virtual/powercap/intel-rapl/ r, + @{sys}/devices/virtual/powercap/intel-rapl/**/name r, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/ r, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/* r, + + include if exists +} diff --git a/apparmor.d/profiles-m-z/vidcutter b/apparmor.d/profiles-m-z/vidcutter index 517c9f87a..4c6a80cc2 100644 --- a/apparmor.d/profiles-m-z/vidcutter +++ b/apparmor.d/profiles-m-z/vidcutter 
@@ -43,6 +43,7 @@ profile vidcutter @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-m-z/volumeicon b/apparmor.d/profiles-m-z/volumeicon index a3404ed21..3d703c977 100644 --- a/apparmor.d/profiles-m-z/volumeicon +++ b/apparmor.d/profiles-m-z/volumeicon @@ -36,8 +36,9 @@ profile volumeicon @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, # Start the PulseAudio sound mixer - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/pavucontrol rPUx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/pavucontrol rPUx, + /{usr/,}bin/pulseeffects rPUx, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-m-z/xdg-mime b/apparmor.d/profiles-m-z/xdg-mime index c55630482..152d3f87c 100644 --- a/apparmor.d/profiles-m-z/xdg-mime +++ b/apparmor.d/profiles-m-z/xdg-mime @@ -47,8 +47,6 @@ profile xdg-mime @{exec_path} { owner @{run}/user/@{uid}/ r, - /dev/tty rw, - # For shell pwd owner @{HOME}/ r, diff --git a/apparmor.d/profiles-m-z/xrdb b/apparmor.d/profiles-m-z/xrdb index 9dea8aa03..68b3a5eb3 100644 --- a/apparmor.d/profiles-m-z/xrdb +++ b/apparmor.d/profiles-m-z/xrdb @@ -16,6 +16,7 @@ profile xrdb @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]* rix, /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /usr/include/stdc-predef.h r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-m-z/youtube-dl b/apparmor.d/profiles-m-z/youtube-dl index 5ca4edc20..9f0ff95e5 100644 --- a/apparmor.d/profiles-m-z/youtube-dl +++ b/apparmor.d/profiles-m-z/youtube-dl @@ -65,7 +65,8 @@ profile youtube-dl @{exec_path} { /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/ r, - /{usr/,}bin/gcc rix, + /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, + /{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}{s,}bin/ldconfig rix, /{usr/,}bin/uname rix, /{usr/,}bin/rtmpdump rix,
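Review bot: The volumeicon hunk adds `/{usr/,}bin/pulseeffects rPUx,` although this same commit introduces a pulseeffects profile, so the `U` fallback would run pulseeffects unconfined wherever that profile is not loaded; `/{usr/,}bin/pulseeffects rPx,` would tie the two together. The neighbouring `pavucontrol rPUx` line has the same shape, so if unconfined fallback is a deliberate policy for optional tools, a comment on the block saying so would make that clear. The enclosing profile continues outside the hunk.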