felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(profile): issue with re-attached paths

Browse source 
- Add missing att on some profiles
- Fix alias / -> //
- Fix aa-log att variable resolution

fix #813 #814
This commit is contained in:
Alexandre Pujol 2025-08-17 00:07:53 +02:00
parent 5ee999536c
commit e55ace4e0a
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
8 changed files with 15 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/attached/base
View file

@ -14,6 +14,8 @@
@{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/socket w,
@{att}/@{run}/systemd/journal/stdout rw, @{att}/@{run}/systemd/journal/stdout rw,
@{att}/dev/null rw,
/apparmor/.null rw, /apparmor/.null rw,
@{att}/apparmor/.null rw, @{att}/apparmor/.null rw,

4
apparmor.d/abstractions/common/bwrap
View file

@ -38,12 +38,14 @@
pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/newroot/ /newroot/,
pivot_root oldroot=/tmp/oldroot/ /tmp/, pivot_root oldroot=/tmp/oldroot/ /tmp/,
owner / r,
owner /newroot/{,**} w, owner /newroot/{,**} w,
owner /tmp/newroot/ w, owner /tmp/newroot/ w,
owner /tmp/oldroot/ w, owner /tmp/oldroot/ w,
@{att}/ r,
@{att}/@{run}/.userns r,
@{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/overflowuid r,
@{PROC}/sys/user/max_user_namespaces r, @{PROC}/sys/user/max_user_namespaces r,

2
apparmor.d/groups/flatpak/flatpak
View file

@ -66,7 +66,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
/etc/flatpak/{,**} r, /etc/flatpak/{,**} r,
/etc/pulse/client.conf r, /etc/pulse/client.conf r,
/ r, @{att}/ r,
/var/lib/flatpak/{,**} rwlk, /var/lib/flatpak/{,**} rwlk,

6
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -64,9 +64,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
@{lib}/xdg-desktop-portal-validate-icon rPx, @{lib}/xdg-desktop-portal-validate-icon rPx,
@{open_path} rPx -> child-open, @{open_path} rPx -> child-open,
/ r, / r,
@{att}/.flatpak-info r, @{att}/ r,
owner @{att}/ r, @{att}/.flatpak-info r,
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/xdg-desktop-portal/** r, /usr/share/xdg-desktop-portal/** r,

4
apparmor.d/groups/freedesktop/xwayland
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/Xwayland @{exec_path} = @{bin}/Xwayland
profile xwayland @{exec_path} flags=(attach_disconnected) { profile xwayland @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/graphics> include <abstractions/graphics>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/wayland> include <abstractions/wayland>
@ -41,9 +42,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{att}/dev/tty@{int} rw,
/dev/tty rw,
include if exists <local/xwayland> include if exists <local/xwayland>
} }

3
apparmor.d/groups/hyprland/hyprland
View file

@ -62,6 +62,9 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/environ r,
@{att}/dev/dri/card@{int} rw,
@{att}/dev/input/event@{int} rw,
/dev/input/event@{int} rw, /dev/input/event@{int} rw,
/dev/tty r, /dev/tty r,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,

2
apparmor.d/tunables/multiarch.d/system
View file

@ -74,6 +74,6 @@
# See https://apparmor.pujol.io/development/internal/#re-attached-path # See https://apparmor.pujol.io/development/internal/#re-attached-path
@{att}=/ @{att}=/
alias // -> /, alias / -> //,
# vim:syntax=apparmor # vim:syntax=apparmor

3
pkg/logs/logs.go
View file

@ -64,7 +64,7 @@ var (
`/home/[^/]+/`, `@{HOME}/`, `/home/[^/]+/`, `@{HOME}/`,
// Resolve system variables // Resolve system variables
`/att/[^/@]+`, `@{att}/`, `/att/[^/]+/`, `@{att}/`,
`/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib(32|64|exec)`, `@{lib}`,
`/usr/lib`, `@{lib}`, `/usr/lib`, `@{lib}`,
`/usr/sbin`, `@{sbin}`, `/usr/sbin`, `@{sbin}`,
@ -86,7 +86,6 @@ var (
`pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`,
`@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`,
`1000`, `@{uid}`, `1000`, `@{uid}`,
`@{att}//`, `@{att}/`,
// Some system glob // Some system glob
`:not.active.yet`, `@{busname}`, // dbus unique bus name `:not.active.yet`, `@{busname}`, // dbus unique bus name