Merge branch 'master' into ubuntu2204__2

This commit is contained in:
nobodysu 2022-08-18 15:36:21 +00:00 committed by GitHub
commit e65a78972b
483 changed files with 7221 additions and 2538 deletions


@ -97,10 +97,9 @@ profile man_filter {
# do is feed data to the invoking man process.
/usr/** r,
owner @{HOME}/@{XDG_DATA_HOME}/** r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/** r,
owner @{user_projects_dirs}/** r,
owner @{user_cache_dirs}/** r,
owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,
owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r,
/var/cache/man/** w,
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mdevctl
profile mdevctl @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/mdevctl.d/{,**} r,
@{PROC}/@{pids}/maps r,
@{sys}/bus/mdev/devices/ r,
@{sys}/class/mdev_bus/ r,
@{sys}/devices/pci[0-9]*/**/mdev_supported_types/{,**} r,
include if exists <local/mdevctl>
}
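Review bot: `@{PROC}/@{pids}/maps r,` grants read access to the memory map of every process on the system, which is wider than a device-management tool should need. mdevctl is written in Rust, and Rust binaries commonly read only /proc/self/maps (backtrace and stack-guard support); if that is the origin of the rule, `owner @{PROC}/@{pid}/maps r,` is the tighter form. If the wider access is genuinely required, a short comment naming which other processes' maps mdevctl inspects would stop the next reviewer from narrowing it.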


@ -34,6 +34,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/mediainfo-gui
profile mediainfo-gui @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
@ -56,11 +57,6 @@ profile mediainfo-gui @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>


@ -6,8 +6,6 @@ abi <abi/3.0>,
include <tunables/global>
@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage
@{exec_path} = /{usr/,}bin/megasync
profile megasync @{exec_path} {
include <abstractions/base>
@ -55,11 +53,8 @@ profile megasync @{exec_path} {
owner @{user_config_dirs}/QtProject.conf r,
# Sync folder
#/ r,
#@{MOUNTS}/ r,
#@{MOUNTS}/*/ r,
owner @{SYNC_FOLDER}/ r,
owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**,
owner @{user_sync_dirs}/ r,
owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**,
# Proc filesystem
deny owner @{PROC}/@{pid}/cmdline r,


@ -41,7 +41,7 @@ profile minitube @{exec_path} {
owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk,
# Snapshot
owner @{HOME}/@{XDG_PICTURES_DIR}/*.png rw,
owner @{user_pictures_dirs}/*.png rw,
owner @{HOME}/vlcsnap-.png rw,
/usr/share/minitube/{,**} r,


@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/telepathy/mission-control-5
profile mission-control @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
include <abstractions/dconf-write>
network netlink raw,
@ -21,7 +21,6 @@ profile mission-control @{exec_path} {
owner @{user_share_dirs}/telepathy/mission-control/*.cfg r,
@{run}/user/@{uid}/dconf/user rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
include if exists <local/mission-control>


@ -30,9 +30,9 @@ profile mke2fs @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# For virt-resize
owner /var/tmp/.guestfs-[0-9]*/** rwk,


@ -24,9 +24,9 @@ profile mkfs-btrfs @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-btrfs>
}


@ -18,9 +18,9 @@ profile mkfs-fat @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mkfs-fat>
}


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -19,37 +20,36 @@ profile mkinitramfs @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/ r,
/{usr/,}bin/ r,
/{usr/,}{s,}bin/ r,
/{usr/,}lib/ r,
/{usr/,}lib64/ r,
/{usr/,}bin/getopt rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tsort rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/id rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/env rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cpio rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/env rix,
/{usr/,}bin/getopt rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/id rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/lzma rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/tsort rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix,
@ -87,20 +87,23 @@ profile mkinitramfs @{exec_path} {
/var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
owner /var/tmp/mkinitramfs-* rw,
@{PROC}/modules r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/cmdline r,
@{PROC}/modules r,
profile ldd {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
/{usr/,}bin/ldd mr,
/{usr/,}bin/kmod mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/kmod mr,
/{usr/,}lib/initramfs-tools/bin/* mr,
/{usr/,}lib/@{multiarch}/ld-*.so rix,
/{usr/,}lib{,x}32/ld-*.so rix,
/{usr/,}lib/@{multiarch}/ld-*.so* rix,
/{usr/,}lib{,x}32/ld-*.so rix,
}
@ -110,7 +113,10 @@ profile mkinitramfs @{exec_path} {
capability sys_chroot,
/{usr/,}sbin/ldconfig mr,
/{usr/,}{s,}bin/ldconfig mr,
/{usr/,}{s,}bin/ldconfig.real rix,
/{usr/,}bin/{,ba,da}sh rix,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
@ -148,11 +154,14 @@ profile mkinitramfs @{exec_path} {
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/openssl>
/{usr/,}bin/kmod mr,
@{PROC}/cmdline r,
/etc/depmod.d/ r,
/etc/depmod.d/*.conf r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
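Review bot: In the `ldd` subprofile the multiarch loader rule is widened to `/{usr/,}lib/@{multiarch}/ld-*.so* rix,` while the neighbouring 32-bit line keeps the narrower `/{usr/,}lib{,x}32/ld-*.so rix,`. If the widening is there so the versioned loader name (ld-linux-*.so.2) matches, the lib{,x}32 line presumably needs the same `ld-*.so*` suffix or 32-bit ldd runs will still be denied; if the 32-bit loader is deliberately left out, a comment saying so would keep the two lines from being "aligned" later. The `ldd` subprofile is fully inside that hunk, but the enclosing mkinitramfs profile starts and ends outside it.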


@ -1,12 +1,14 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mount
@{exec_path} = /{usr/,}{s,}bin/mount
profile mount @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@ -25,14 +27,20 @@ profile mount @{exec_path} flags=(complain) {
network inet stream,
network inet6 stream,
ptrace (read) peer=k3s,
signal (receive) set=(term, kill),
@{exec_path} mr,
/{usr/,}bin/ntfs-3g rPx,
/{usr/,}{s,}bin/lowntfs-3g rPx,
/{usr/,}bin/sshfs rPx,
/{usr/,}{s,}bin/mount.* rPx,
/{usr/,}bin/ntfs-3g rPx,
/{usr/,}bin/sshfs rPx,
/etc/fstab r,
/var/lib/snapd/snaps/*.snap r,
# Mount points
@{HOME}/ r,
@ -45,23 +53,22 @@ profile mount @{exec_path} flags=(complain) {
# Mount iso/img files
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
# The special /dev/loop-control file can be used to create and destroy loop devices or to find
# the first available loop device.
/dev/loop-control rw,
/etc/fstab r,
/tmp/sanity-squashfs-[0-9]* rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw,
owner @{run}/mount/utab.lock wk,
/tmp/sanity-squashfs-[0-9]* rw,
/tmp/syscheck-squashfs-[0-9]* rw,
owner @{PROC}/@{pid}/mountinfo r,
# The special /dev/loop-control file can be used to create and destroy loop
# devices or to find the first available loop device.
/dev/loop-control rw,
include if exists <local/mount>
}
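Review bot: `/{usr/,}{s,}bin/mount.* rPx,` transitions every mount helper to a named profile with no fallback, so any helper matched by `mount.*` that has no profile of its own will be refused execution as soon as this profile leaves complain mode; the cifs, nfs and zfs helpers are covered in this commit, others are not visible. That may be the intended strict default, but it deserves a comment next to the rule, e.g. `# every mount.* helper needs its own profile; unknown helpers are denied`, so a later enforce switch does not surprise anyone. `ptrace (read) peer=k3s,` and `/var/lib/snapd/snaps/*.snap r,` are similarly unexplained in a generic mount profile and would benefit from a one-line reason each. The rendering does not show which of these lines are new and which are moved, and the profile body spans all three hunks of this section.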


@ -1,12 +1,13 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/mount.cifs
@{exec_path} = /{usr/,}{s,}bin/mount.cifs
profile mount-cifs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -30,19 +31,18 @@ profile mount-cifs @{exec_path} flags=(complain) {
owner @{HOME}/.smbcredentials r,
# Mount points
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=cifs -> @{MOUNTDIRS}/,
mount fstype=cifs -> @{MOUNTS}/,
mount fstype=cifs -> @{MOUNTS}/*/,
mount fstype=cifs -> @{MOUNTS}/*/*/,
mount fstype=cifs -> /mnt/,
mount fstype=cifs -> /mnt/*/,
umount @{MOUNTDIRS}/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /mnt/,
umount /mnt/*/,
include if exists <local/mount-cifs>
}
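Review bot: The comment `# Allow to mount smb/cifs disks only under the /media/ dirs` no longer describes the rules beneath it, which on the new side also permit `/mnt/`, `/mnt/*/` and a second level under @{MOUNTS}; reword it to `# Allow to mount smb/cifs shares only under @{MOUNTS} and /mnt/`. The mount and umount target lists are kept symmetric here, which is worth preserving when the list changes again. The hunk ends with the profile's closing brace, so the whole rule set is visible.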


@ -1,12 +1,13 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/mount.nfs
@{exec_path} = /{usr/,}{s,}bin/mount.nfs
profile mount-nfs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -26,11 +27,11 @@ profile mount-nfs @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}sbin/start-statd rix,
/{usr/,}bin/flock rix,
/{usr/,}{s,}bin/start-statd rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/flock rix,
/usr/bin/systemctl rPx -> child-systemctl,
/usr/bin/systemctl rPx -> child-systemctl,
/etc/fstab r,
/etc/netconfig r,
@ -45,21 +46,20 @@ profile mount-nfs @{exec_path} flags=(complain) {
owner @{run}/rpc.statd.lock wk,
# Mount points
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount smb/cifs disks only under the /media/ dirs
mount fstype=nfs -> @{MOUNTDIRS}/,
mount fstype=nfs -> @{MOUNTS}/,
mount fstype=nfs -> @{MOUNTS}/*/,
mount fstype=nfs -> @{MOUNTS}/*/*/,
mount fstype=nfs -> /mnt/,
mount fstype=nfs -> /mnt/*/,
mount fstype=nfs -> /,
mount fstype=nfs -> /*/,
umount @{MOUNTDIRS}/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
umount @{MOUNTS}/*/*/,
umount /mnt/,
umount /mnt/*/,
umount /,
umount /*/,
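Review bot: The comment `# Allow to mount smb/cifs disks only under the /media/ dirs` was copied from the cifs profile and is wrong twice here: the filesystem is nfs, and the new side also allows `mount fstype=nfs -> /,` and `mount fstype=nfs -> /*/,` (with matching `umount /,` and `umount /*/,`), which lets mount.nfs mount over the root directory or any top-level directory such as /etc or /usr, so the rules are not limited to /media at all. If mounting over / and /*/ is needed for some use case (an NFS root or a chroot, presumably), say so in a comment; otherwise dropping those four lines and rewording the comment to `# Allow to mount nfs shares only under @{MOUNTS} and /mnt/` keeps the profile honest. The rendering does not show which of these lines are new and which are carried over, and the hunk ends before the profile's closing brace.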


@ -0,0 +1,45 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/mount.zfs
profile mount-zfs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability sys_admin, # To mount anything.
@{exec_path} mr,
/dev/pts/[0-9]* rw,
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
mount fstype=zfs -> @{MOUNTDIRS}/,
mount fstype=zfs -> @{MOUNTS}/,
mount fstype=zfs -> @{MOUNTS}/*/,
mount fstype=zfs -> /,
mount fstype=zfs -> /**/,
mount fstype=zfs -> /tmp/zfsmnt.*/,
mount fstype=zfs -> /tmp/zfsmnt.*/*/,
umount @{MOUNTDIRS}/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
umount /,
umount /*/,
umount /tmp/zfsmnt.*/,
umount /tmp/zfsmnt.*/*/,
@{PROC}/@{pids}/mounts r,
/dev/zfs rw,
include if exists <local/mount-zfs>
}
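Review bot: `mount fstype=zfs -> /**/,` allows mounting a ZFS dataset over any directory on the system, so the more specific targets around it (`@{MOUNTDIRS}/`, `@{MOUNTS}/*/`, `/tmp/zfsmnt.*/*/`) add nothing, and together with `umount /,` and `umount /*/,` the mount-point restriction is nominal. ZFS datasets carry their own mountpoint property, which is presumably why the rule is that wide; if so, a comment saying so and pruning the redundant lines would make the intent clear, and if not, the `/**/` line is the one to drop. Separately, `/dev/pts/[0-9]* rw,` lacks `owner`, so the helper may write to any user's pty rather than only the terminal it was started from; `owner /dev/pts/[0-9]* rw,` is the usual form. The profile is in complain mode, so none of this is enforced yet.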


@ -25,9 +25,9 @@ profile mtools @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/mtools>
}


@ -7,28 +7,55 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/needrestart
profile needrestart @{exec_path} {
profile needrestart @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/perl>
include <abstractions/python>
include <abstractions/wutmp>
capability checkpoint_restore,
capability dac_read_search,
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
@{exec_path} mrix,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/who rix,
/usr/share/debconf/frontend rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/fail2ban-server rPx,
/{usr/,}bin/locale rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/systemctl rPx,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/udevadm rPx,
/{usr/,}bin/whiptail rPx,
/{usr/,}bin/who rix,
/{usr/,}lib/needrestart/iucode-scan-versions rPx,
/usr/share/debconf/frontend rix,
/{usr/,}bin/gettext.sh r,
/usr/share/needrestart/{,**} r,
/usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
/etc/debconf.conf r,
/etc/needrestart/{,**} r,
/etc/needrestart/*.d/* rix,
/etc/shadow r,
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/stat r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/ r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/maps r,
@{PROC}/@{pids}/stat r,
/dev/ r,
/dev/**/ r,
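Review bot: `/{usr/,}bin/dpkg-query rpx,` uses lowercase `p`, which transitions to the dpkg-query profile without scrubbing the environment, while every other transition in this hunk uses `rPx`; that looks like a typo rather than a deliberate choice and should read `/{usr/,}bin/dpkg-query rPx,`. More significantly, `/etc/needrestart/*.d/* rix,`, `/{usr/,}bin/{,ba,da}sh rix,` and `/{usr/,}bin/python3.[0-9]* rix,` run hook scripts and interpreters inside this profile, which now holds `capability sys_ptrace,`, `capability dac_read_search,`, `ptrace (read),` and `/etc/shadow r,`, so every hook inherits the ability to read any process's environment and the shadow file. A comment on why `/etc/shadow r,` is needed at all (it is not obvious for a restart checker; it may come through the who/wutmp path) would help, and if the hooks do not need those privileges a child profile for `/etc/needrestart/*.d/*` is the tighter design. The profile continues past the end of the hunk.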


@ -0,0 +1,49 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2017 Christian Boltz
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/netstat
profile netstat @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
capability dac_read_search,
capability sys_ptrace,
capability syslog,
ptrace (trace,read),
@{exec_path} rmix,
/etc/networks r,
@{PROC} r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/net/dev r,
@{PROC}/@{pids}/net/netstat r,
@{PROC}/@{pids}/net/raw r,
@{PROC}/@{pids}/net/raw6 r,
@{PROC}/@{pids}/net/snmp r,
@{PROC}/@{pids}/net/tcp r,
@{PROC}/@{pids}/net/tcp6 r,
@{PROC}/@{pids}/net/udp r,
@{PROC}/@{pids}/net/udp6 r,
@{PROC}/@{pids}/net/udplite r,
@{PROC}/@{pids}/net/udplite6 r,
@{PROC}/@{pids}/net/unix r,
@{PROC}/net r,
@{PROC}/net/* r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
owner @{PROC}/@{pid}/attr/current r,
include if exists <local/netstat>
}
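Review bot: `ptrace (trace,read),` is wider than what netstat's -p option needs: mapping sockets to processes is done by reading `@{PROC}/@{pids}/fd/`, which the kernel gates on PTRACE_MODE_READ, so `ptrace (read),` together with `capability sys_ptrace,` should suffice and `trace` (which permits attaching) can go. `capability syslog,` is also unexplained; if it was inherited from an older profile rather than observed in an audit log, a comment naming the operation that needs it, or removing it until one shows up, keeps the profile minimal. The profile is complete within this hunk.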


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,6 +12,7 @@ profile newgidmap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_override,
capability setgid,
capability sys_admin,
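Review bot: The added `capability dac_override,` is not self-explanatory for a setuid helper whose job is to write another process's gid_map, and the same line is added to newuidmap in the next section; a one-line reason above each, e.g. `# /proc/@{pid}/gid_map is owned by the target process's user, so writing it as root needs dac_override`, would record why the capability is justified and let a later reviewer check it rather than guess. If the capability is in fact needed for something else (reading /etc/subgid, presumably not, since the helper runs as root), the comment should say that instead. The profile continues past the end of the hunk.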


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,6 +12,7 @@ profile newuidmap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_override,
capability setuid,
capability sys_admin,


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/nologin
profile nologin @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/nologin>
}
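Review bot: util-linux's nologin (and, as far as I recall, shadow's as well) prints the contents of /etc/nologin.txt when that file exists, and this profile has no rule for it, so an administrator's custom refusal message would be silently denied and the built-in text shown instead; add `/etc/nologin.txt r,` after `@{exec_path} mr,`, confirming against the binary that /{usr/,}{s,}bin/nologin resolves to on the target distribution. Otherwise the profile is appropriately minimal.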


@ -17,7 +17,7 @@ profile nslookup @{exec_path} {
network inet stream,
network inet6 stream,
@{exec_path} r,
@{exec_path} mr,
owner @{PROC}/@{pids}/task/@{tid}/comm rw,


@ -23,36 +23,35 @@ profile ntfs-3g @{exec_path} {
@{exec_path} mr,
@{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pid}/mounts r,
/{usr/,}bin/kmod rPx, # To load the fuse kernel module
# Mount points
@{MOUNTDIRS}/ r,
@{MOUNTS}/ r,
@{MOUNTS}/*/ r,
# Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
# Allow to mount encrypted partition
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTDIRS}/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
umount @{MOUNTDIRS}/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/swaps r,
owner @{PROC}/@{pid}/mounts r,
/dev/fuse rw,
# Mount points
@{MOUNTS}/*/ r,
@{MOUNTS}/*/*/ r,
# Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/,
mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/*/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
# Allow to mount encrypted partition
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/,
mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/,
umount @{MOUNTS}/*/,
umount /mnt/*/,
# kmod is used to load the fuse kernel module
/{usr/,}bin/kmod rPx,
include if exists <local/ntfs-3g>
}
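Review bot: The mount and umount target lists on the new side are no longer symmetric: mounts are allowed onto `@{MOUNTS}/*/`, `@{MOUNTS}/*/*/`, `/mnt/` and `/mnt/*/`, but only `umount @{MOUNTS}/*/,` and `umount /mnt/*/,` remain, so if ntfs-3g itself unmounts on exit or error, a filesystem mounted on `@{MOUNTS}/*/*/` or directly on `/mnt/` cannot be released by the same profile. Either add `umount @{MOUNTS}/*/*/,` and `umount /mnt/,` or trim the mount targets to the set that is actually managed. The comment `# Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs` does match the new list and can stay.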


@ -21,7 +21,7 @@ profile ntfsclone @{exec_path} {
# A place for backups
@{HOME}/* rwk,
@{MOUNTS}/*/** rwk,
@{MOUNTS}/** rwk,
include if exists <local/ntfsclone>
}


@ -17,10 +17,10 @@ profile ntfscp @{exec_path} {
# For writing files owned by users other than root, since ntfscp has to be started as root.
capability dac_read_search,
@{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
@{HOME}/@{XDG_DOWNLOAD_DIR}/** rwl -> @{HOME}/@{XDG_DOWNLOAD_DIR}/**,
@{HOME}/@{XDG_DESKTOP_DIR}/ r,
@{HOME}/@{XDG_DESKTOP_DIR}/** rwl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
@{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
@{user_download_dirs}/ r,
@{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
owner @{PROC}/@{pid}/mounts r,


@ -10,6 +10,7 @@ include <tunables/global>
profile nvtop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/opencl-nvidia>
@ -25,6 +26,7 @@ profile nvtop @{exec_path} {
@{PROC}/@{pids}/stat r,
@{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r,
/dev/dri/ r,
/dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,
include if exists <local/nvtop>


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/obconf
profile obconf @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
@ -33,10 +34,6 @@ profile obconf @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# file_inherit
owner /dev/tty[0-9]* rw,


@ -16,8 +16,8 @@ profile obex-folder-listing @{exec_path} {
owner @{HOME}/ r,
owner @{HOME}/**/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/**/ r,
owner @{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
include if exists <local/obex-folder-listing>
}


@ -70,9 +70,9 @@ profile parted @{exec_path} {
# file_inherit
include <abstractions/disks-write> # lots of files in this abstraction get inherited
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
}


@ -56,7 +56,7 @@ profile pass @{exec_path} {
/usr/share/terminfo/x/xterm-256color r,
owner @{HOME}/.password-store/{,**} rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw,
owner @{user_projects_dirs}/**/*-store/{,**} rw,
owner @{user_config_dirs}/password-store/{,**} rw,
owner /dev/shm/pass.*/{,*} rw,
@ -84,7 +84,7 @@ profile pass @{exec_path} {
owner @{HOME}/.viminfo{,.tmp} rw,
owner @{HOME}/.password-store/ r,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ r,
owner @{user_projects_dirs}/**/*-store/ r,
owner @{user_config_dirs}/password-store/ r,
owner @{user_cache_dirs}/vim/{,**} rw,
@ -118,8 +118,8 @@ profile pass @{exec_path} {
owner @{HOME}/.password-store/ rw,
owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/**,
owner @{user_projects_dirs}/**/*-store/ rw,
owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
owner @{user_config_dirs}/password-store/ rw,
owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**,


@ -27,7 +27,7 @@ profile pass-import @{exec_path} {
/usr/share/file/misc/magic.mgc r,
owner @{HOME}/.password-store/{,**} rw,
owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw,
owner @{user_projects_dirs}/**/*-store/{,**} rw,
owner @{user_config_dirs}/password-store/{,**} rw,
owner /tmp/[a-zA-Z0-9]* rw,


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/passwd
profile passwd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/authentication>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>


@ -52,7 +52,7 @@ profile pkexec @{exec_path} flags=(complain) {
@{exec_path} mr,
# Apps to be run via pkexec
/{usr/,}{s,}bin/* rPUx,
/{usr/,}{s,}bin/* rPUx,
@{libexec}/gvfs/gvfsd-admin rPUx, #(#FIXME#)
@{libexec}/polkit-agent-helper-[0-9] rPx,
@{libexec}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,11 +10,30 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pkttyagent
profile pkttyagent @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability sys_nice,
capability audit_write,
ptrace (read),
signal (receive),
signal (send,receive),
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=RegisterAuthenticationAgentWithOptions,
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent
interface=org.freedesktop.PolicyKit1.AuthenticationAgent
member=BeginAuthentication,
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=Changed,
@{exec_path} mr,
@ -22,4 +42,4 @@ profile pkttyagent @{exec_path} {
/dev/tty rw,
include if exists <local/pkttyagent>
}
}
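Review bot: The two `dbus receive` rules carry no `peer=` constraint, so any client on the system bus may call BeginAuthentication on the agent or deliver Changed; polkitd is the only legitimate sender, and restricting with `peer=(name=org.freedesktop.PolicyKit1)` (or the label of a polkitd profile, if the tree has one) keeps an unprivileged process from driving the password prompt. `interface=org.freedesktop.PolicyKit1.AuthenticationAgent` also hard-codes the version while the neighbouring rules use `PolicyKit[0-9]`; pick one form. The added `capability audit_write,` presumably comes from PAM's audit logging and merits a one-line comment. The hunks in this section do not show the whole profile body.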


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/power-profiles-daemon
profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability sys_nice,
@ -16,6 +17,29 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
network netlink raw,
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName,
dbus send bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged,
dbus receive bus=system path=/net/hadess/PowerProfiles
interface=org.freedesktop.DBus.Properties
member={GetAll,Set},
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=Changed,
dbus bind bus=system
name=net.hadess.PowerProfiles,
@{exec_path} mr,
/var/lib/power-profiles-daemon/{,**} rw,
@ -30,6 +54,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/system/cpu/cpufreq/ r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw,
@{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw,
include if exists <local/power-profiles-daemon>
}


@ -52,7 +52,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
@{run}/systemd/sessions/[0-9]* r,
@{run}/systemd/sessions/* r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,


@ -22,8 +22,8 @@ profile pstree @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/attr/current r,
owner @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/stat r,
owner @{PROC}/@{pid}/cmdline r,
include if exists <local/pstree>
}
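Review bot: The new side of the hunk ends with `owner @{PROC}/@{pid}/cmdline r,` while the old side had `owner @{PROC}/@{pids}/cmdline r,`; if that is indeed the replacement, `pstree -a` loses the ability to read the command line of any process other than pstree itself, which empties the -a output even for the user's own processes. The stat rule goes the opposite way, dropping `owner` from `@{PROC}/@{pids}/task/@{tid}/stat r,` so threads of every process can be read, so presumably the intent for cmdline was the same widening, `@{PROC}/@{pids}/cmdline r,`, rather than a narrowing to the current pid. The rendering does not show which of the four lines are old and which are new, so this should be checked against the actual diff.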


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pulseeffects
profile pulseeffects @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
@ -33,10 +34,6 @@ profile pulseeffects @{exec_path} {
/usr/share/glib-2.0/schemas/gschemas.compiled r,
include <abstractions/dconf>
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
# file_inherit
owner /dev/tty[0-9]* rw,


@ -24,7 +24,5 @@ profile pwck @{exec_path} {
/etc/shadow.[0-9]* rw,
/etc/shadow.lock wl,
@{run}/systemd/userdb/ r,
include if exists <local/pwck>
}


@ -1,21 +1,17 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2022 Mikhail Morfikov
# Copyright (C) 2022 nobodysu
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{TORRENT_DIR} = @{MOUNTS}/*/torrent
@{exec_path} = /{usr/,}bin/qbittorrent
profile qbittorrent @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/gnome>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
@ -24,19 +20,19 @@ profile qbittorrent @{exec_path} {
include <abstractions/qt5>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/dconf>
include <abstractions/dconf-write>
include <abstractions/ibus>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-gtk>
include <abstractions/wayland>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include if exists <abstractions/ubuntu-unity7-base>
include if exists <abstractions/dbus-network-manager-strict>
signal (send) set=(term, kill) peer=qbittorrent//python3,
@ -47,6 +43,71 @@ profile qbittorrent @{exec_path} {
network netlink dgram,
network netlink raw,
dbus (send) bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member={NewToolTip,NewIcon}
peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(name=:*),
dbus (receive) bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus (receive) bus=session path=/MenuBar
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus (send) bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member=ItemsPropertiesUpdated
peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/MenuBar
interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
peer=(name=:*),
dbus (send) bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
dbus (bind) bus=session
name=org.kde.StatusNotifierItem-*,
owner /tmp/dbus-[0-9a-zA-Z]* rw,
@{exec_path} mr,
# For "search engine"
@ -57,7 +118,7 @@ profile qbittorrent @{exec_path} {
owner @{user_config_dirs}/qBittorrent/** rwkl -> @{user_config_dirs}/qBittorrent/#[0-9]*[0-9],
owner @{user_share_dirs}/data/ rw,
owner @{user_share_dirs}/{,data/}qBittorrent/ rw,
owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/data/qBittorrent/**/#[0-9]*[0-9],
owner @{user_share_dirs}/{,data/}qBittorrent/** rwl -> @{user_share_dirs}/{,data/}qBittorrent/**/#[0-9]*[0-9],
# Old dir, not recommended to use:
# deny owner @{user_share_dirs}/data/qBittorrent/ rw,
@ -71,10 +132,8 @@ profile qbittorrent @{exec_path} {
/usr/share/qt5ct/** r,
# Torrent files
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{TORRENT_DIR}/ r,
owner @{TORRENT_DIR}/** rw,
owner @{user_torrents_dirs}/ r,
owner @{user_torrents_dirs}/** rw,
# GeoIP settings
/usr/share/GeoIP/GeoIP.dat r,
@ -108,96 +167,12 @@ profile qbittorrent @{exec_path} {
# file_inherit
owner /dev/tty[0-9]* rw,
# dconf write
owner @{run}/user/@{uid}/dconf/user rw,
# X-tiny
owner @{run}/user/@{uid}/ICEauthority r,
# DBus
deny dbus send
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo,
dbus send
bus=session
path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member=ListMonitorImplementations,
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=org.kde.StatusNotifierWatcher),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.kde.StatusNotifierWatcher),
dbus send
bus=session
path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher),
dbus send
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=NewToolTip
peer=(name=org.freedesktop.DBus),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem
member=Activate
peer=(name=:*),
dbus receive
bus=session
path=/MenuBar
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member=ItemsPropertiesUpdated
peer=(name=org.freedesktop.DBus),
dbus receive
bus=session
path=/MenuBar
interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
peer=(name=:*),
dbus receive
bus=session
path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus bind
bus=session
name=org.kde.StatusNotifierItem-*,
# gnome-tiny
/usr/share/gvfs/remote-volume-monitors/{,*} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Launch external apps
/{usr/,}bin/xdg-{open,mime} rCx -> open,
@ -217,7 +192,12 @@ profile qbittorrent @{exec_path} {
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
include if exists <abstractions/ubuntu-unity7-base>
include <abstractions/dbus-gtk>
dbus (send) bus=session path=/org/gnome/{Nautilus,Totem,gedit}
interface=org.freedesktop.Application
member=Open
peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
/{usr/,}bin/xdg-open mr,
@ -231,6 +211,7 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/{g,m,}awk rix,
@ -243,25 +224,12 @@ profile qbittorrent @{exec_path} {
owner @{run}/user/@{uid}/ r,
# file_inherit
owner @{MOUNTS}/*/torrent/** r,
owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw,
owner "@{MOUNTS}/*/torrent/**.!qB" rw,
owner @{MOUNTS}/torrent/** r,
owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw,
owner "@{MOUNTS}/torrent/**.!qB" rw,
owner @{HOME}/.xsession-errors w,
dbus send
bus=session
path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member=ListMonitorImplementations,
dbus send
bus=session
path=/org/gnome/{Nautilus,Totem,gedit}
interface=org.freedesktop.Application
member=Open
peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
include if exists <local/qbittorrent_open>
}
@ -293,7 +261,7 @@ profile qbittorrent @{exec_path} {
owner /tmp/tmp* rw,
# file_inherit
owner @{MOUNTS}/*/torrent/** r,
owner @{MOUNTS}/torrent/** r,
deny /dev/dri/card[0-9]* rw,
include if exists <local/qbittorrent_python3>


@ -6,8 +6,6 @@ abi <abi/3.0>,
include <tunables/global>
@{TORRENT_DIR} = @{MOUNTS}/*/torrent
@{exec_path} = /{usr/,}bin/qbittorrent-nox
profile qbittorrent-nox @{exec_path} {
include <abstractions/base>
@ -38,10 +36,8 @@ profile qbittorrent-nox @{exec_path} {
owner @{user_cache_dirs}/qBittorrent/{,**} rw,
# Torrent files
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{TORRENT_DIR}/ r,
owner @{TORRENT_DIR}/** rw,
owner @{user_torrents_dirs}/ r,
owner @{user_torrents_dirs}/** rw,
/dev/disk/by-label/ r,


@ -10,8 +10,18 @@ include <tunables/global>
profile qemu-ga @{exec_path} {
include <abstractions/base>
capability mknod,
capability net_admin,
capability sys_ptrace,
ptrace peer=unconfined,
@{exec_path} mr,
/{usr/,}bin/systemctl rix,
/etc/qemu/qemu-ga.conf r,
owner @{run}/qga.state* rw,
/dev/vport[0-9]*p[0-9]* rw,
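Review bot: `ptrace peer=unconfined,` combined with `capability sys_ptrace,` lets the confined guest agent attach to and control any unconfined process on the guest, which is far more than the read-only access needed to inspect other processes' `/proc/<pid>/` entries. If the denial being fixed is only such a read (as the guest-get-* queries would need), narrow it to `ptrace (read) peer=unconfined,` and keep the trace permission out unless the audit log demands it. None of the new rules carry a why-comment; a note such as `# which guest commands spawn systemctl` above `/{usr/,}bin/systemctl rix,` would tell the next maintainer which agent command each grant serves. Note also that `rix` runs systemctl inside this profile, so every further access systemctl needs (dbus to systemd, `@{run}/systemd/`) will accumulate here rather than in a dedicated systemctl profile.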


@ -74,11 +74,10 @@ profile qnapi @{exec_path} {
# Movie dirs
@{MOUNTS}/ r,
owner @{MOUNTS}/*/ r,
owner @{MOUNTS}/*/** r,
owner @{MOUNTS}/*/**#[0-9]*[0-9] rw,
owner @{MOUNTS}/*/**.@{qnapi_vid_ext} r,
owner @{MOUNTS}/*/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/*/**/#[0-9]*[0-9],
owner @{MOUNTS}/** r,
owner @{MOUNTS}/**#[0-9]*[0-9] rw,
owner @{MOUNTS}/**.@{qnapi_vid_ext} r,
owner @{MOUNTS}/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/**/#[0-9]*[0-9],
owner @{HOME}/ r,
owner @{user_config_dirs}/qnapi.ini rw,


@ -34,7 +34,7 @@ profile qtox @{exec_path} {
# For importing old profile
owner @{HOME}/**.tox r,
owner @{MOUNTS}/*/**.tox r,
owner @{MOUNTS}/**.tox r,
owner @{HOME}/ r,
owner @{user_cache_dirs}/qTox/ rw,


@ -24,9 +24,9 @@ profile resize2fs @{exec_path} {
# A place for file images
owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
include if exists <local/resize2fs>
}


@ -1,12 +1,13 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/rngd
@{exec_path} = /{usr/,}{s,}bin/rngd
profile rngd @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>
@ -14,18 +15,20 @@ profile rngd @{exec_path} {
@{exec_path} mr,
capability dac_read_search,
capability sys_admin,
capability sys_nice,
capability dac_read_search,
network netlink raw,
/etc/opensc.conf r,
/etc/conf.d/rngd r,
/etc/opensc.conf r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
@{sys}/devices/virtual/misc/hw_random/rng_available r,
@{PROC}/sys/kernel/random/poolsize r,
@{PROC}/sys/kernel/random/write_wakeup_threshold rw,
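Review bot: `capability sys_admin,` is the broadest grant in this profile and carries no why-comment, while the same commit annotates every capability in rsyslogd; presumably it covers the RNDADDENTROPY ioctl on /dev/random, so `capability sys_admin, # RNDADDENTROPY ioctl on /dev/random` (and matching notes on `sys_nice` and `dac_read_search`) would let a reviewer judge each one. `@{PROC}/sys/kernel/random/write_wakeup_threshold rw,` allows the daemon to change the kernel's wake-up threshold rather than merely read it; if only the fill-watermark code path writes it, say so in a comment, otherwise reduce it to `r`. The two machine-id reads (`/etc/machine-id`, `/var/lib/dbus/machine-id`) are unexpected for an entropy daemon and should likewise name the entropy source or library that needs them.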


@ -16,19 +16,12 @@ profile rsyslogd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice>
# Needed to remove the following error:
# rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
capability chown, # For creating new log files and changing their owner/group
capability net_admin, # For remote logs
capability setgid, # For downgrading privileges
capability setuid,
capability syslog,
# For remote logs
capability net_admin,
# for creating new log files and changing their owner/group
capability chown,
# Needed?
deny capability sys_nice,
@{exec_path} mr,
/{usr/,}lib/@{multiarch}/rsyslog/*.so mr,
@ -41,6 +34,7 @@ profile rsyslogd @{exec_path} {
owner @{run}/rsyslogd.pid{,.tmp} rwk,
owner @{run}/systemd/journal/syslog w,
@{run}/systemd/notify rw,
# log files and devices
/var/log/** rw,
@ -50,5 +44,11 @@ profile rsyslogd @{exec_path} {
/etc/CA/*.crt r,
/etc/CA/*.key r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{run}/systemd/notify w,
include if exists <local/rsyslogd>
}
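Review bot: `@{run}/systemd/notify w,` in the last hunk duplicates the `@{run}/systemd/notify rw,` added in the hunk before it; the notify socket is only sent to, so keeping a single `@{run}/systemd/notify w,` and dropping the `rw` variant is enough. `@{PROC}/1/environ r,` exposes PID 1's environment, which may hold values passed to systemd that other services should not see, and deserves a why-comment (for example `# systemd detection`) once it is confirmed that rsyslogd itself, not a locally loaded module, triggers the read. The inline comments now on the `chown`, `net_admin` and `setgid` lines are a good pattern; `capability syslog, # imklog: read /proc/kmsg` would carry over the reason the removed comment block used to give.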


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/rtkit-daemon
profile rtkit-daemon @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict>
capability dac_read_search,
@ -20,6 +21,25 @@ profile rtkit-daemon @{exec_path} {
capability sys_nice,
capability sys_ptrace,
dbus (send,receive) bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.RealtimeKit[0-9],
dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
interface=org.freedesktop.DBus.Properties
member={Get,GetAll},
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority
member=CheckAuthorization,
dbus bind bus=system
name=org.freedesktop.RealtimeKit[0-9],
@{exec_path} mr,
# When applying policies to processes
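Review bot: the `CheckAuthorization` send rule on the PolicyKit path has no `peer=` restriction, unlike the `RequestName`/`GetConnectionUnix*` rule just above it; since rtkit-daemon relies on this call to decide who may obtain realtime priority, pin it with `peer=(name=org.freedesktop.PolicyKit1),` so the profile both documents and enforces that only the polkit authority is consulted. The `dbus (send,receive)` rule on the RealtimeKit interface lists no `member=`; as the service side it must accept arbitrary clients, but naming the exported methods (the MakeThread*/Reset*/Exit calls it implements) would make the exposed surface explicit and turn stray calls into audit entries. A short comment above the block, e.g. `# clients request priority over the system bus; polkit decides`, would help the next reader.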


@ -14,58 +14,136 @@ profile run-parts @{exec_path} {
@{exec_path} mr,
# This is for motd PAM module (see: /etc/pam.d/login) when "noupdate" isn't specified
/usr/share/update-notifier/notify-reboot-required rPx,
# Crontrab
/etc/cron.{hourly,daily,weekly,monthly}/ r,
/etc/cron.{hourly,daily,weekly,monthly}/0anacron rPx,
/etc/cron.{hourly,daily,weekly,monthly}/apport rPx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx,
/etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx,
/etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx,
/etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx,
/etc/cron.{hourly,daily,weekly,monthly}/debsums rPx,
/etc/cron.{hourly,daily,weekly,monthly}/debtags rPx,
/etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx,
/etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx,
/etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/man-db rPx,
/etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/plocate rPx,
/etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx,
/etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx,
/etc/cron.{hourly,daily,weekly,monthly}/tor rPUx,
/etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx,
# Network
/etc/network/if-down.d/ r,
/etc/network/if-down.d/openvpn rPUx,
/etc/network/if-down.d/resolvconf rPUx,
/etc/network/if-down.d/wpasupplicant rPUx,
/etc/hostapd/ifupdown.sh rPUx,
/etc/macchanger/ifupdown.sh rPUx,
/etc/wpa_supplicant/ifupdown.sh rPUx,
/etc/network/if-post-down.d/ r,
/etc/network/if-post-down.d/bridge rPUx,
/etc/network/if-post-down.d/chrony rPUx,
/etc/network/if-post-down.d/hostapd rPUx,
/etc/network/if-post-down.d/ifenslave rPUx,
/etc/network/if-post-down.d/macchanger rPUx,
/etc/network/if-post-down.d/wireless-tools rPUx,
/etc/network/if-post-down.d/wpasupplicant rPUx,
/etc/network/if-pre-up.d/ r,
/etc/network/if-pre-up.d/bridge rPUx,
/etc/network/if-pre-up.d/ethtool rPUx,
/etc/network/if-pre-up.d/hostapd rPUx,
/etc/network/if-pre-up.d/ifenslave rPUx,
/etc/network/if-pre-up.d/macchanger rPUx,
/etc/network/if-pre-up.d/random-secret rPUx,
/etc/network/if-pre-up.d/wireless-tools rPUx,
/etc/network/if-pre-up.d/wpasupplicant rPUx,
/etc/network/if-up.d/ r,
/etc/network/if-up.d/*resolvconf rPUx,
/etc/network/if-up.d/avahi-autoipd rPUx,
/etc/network/if-up.d/chrony rPUx,
/etc/network/if-up.d/ethtool rPUx,
/etc/network/if-up.d/ifenslave rPUx,
/etc/network/if-up.d/openvpn rPUx,
/etc/network/if-up.d/postfix rPUx,
/etc/network/if-up.d/ubuntu-fan rPx,
/etc/network/if-up.d/wpasupplicant rPUx,
# Motd
/etc/update-motd.d/ r,
/etc/update-motd.d/[0-9]*-[a-z]* rCx -> motd,
# The "/etc/kernel/" dirs are for the pre/post scripts of the linux-{header,image} packages
# Kernel
/etc/kernel/header_postinst.d/ r,
/etc/kernel/header_postinst.d/dkms rCx -> kernel-pre-post,
/etc/kernel/header_postinst.d/dkms rCx -> kernel,
/etc/kernel/postinst.d/ r,
/etc/kernel/postinst.d/apt-auto-removal rCx -> kernel-pre-post,
/etc/kernel/postinst.d/dkms rCx -> kernel-pre-post,
/etc/kernel/postinst.d/initramfs-tools rCx -> kernel-pre-post,
/etc/kernel/postinst.d/unattended-upgrades rCx -> kernel-pre-post,
/etc/kernel/postinst.d/zz-update-grub rCx -> kernel-pre-post,
/etc/kernel/postinst.d/apt-auto-removal rCx -> kernel,
/etc/kernel/postinst.d/dkms rCx -> kernel,
/etc/kernel/postinst.d/initramfs-tools rCx -> kernel,
/etc/kernel/postinst.d/unattended-upgrades rCx -> kernel,
/etc/kernel/postinst.d/zz-update-grub rCx -> kernel,
/etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel,
/etc/kernel/postrm.d/ r,
/etc/kernel/postrm.d/initramfs-tools rCx -> kernel-pre-post,
/etc/kernel/postrm.d/zz-update-grub rCx -> kernel-pre-post,
/etc/kernel/postrm.d/initramfs-tools rCx -> kernel,
/etc/kernel/postrm.d/zz-update-grub rCx -> kernel,
/etc/kernel/preinst.d/ r,
/etc/kernel/preinst.d/intel-microcode rCx -> kernel-pre-post,
/etc/kernel/preinst.d/intel-microcode rCx -> kernel,
/etc/kernel/prerm.d/ r,
/etc/kernel/prerm.d/dkms rCx -> kernel-pre-post,
/etc/molly-guard/run.d/ r,
/etc/cron.hourly/ r,
/etc/kernel/prerm.d/dkms rCx -> kernel,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/file* rw,
profile motd {
include <abstractions/base>
/ r,
/etc/update-motd.d/[0-9]*-[a-z]* r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/find rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/id rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uname rix,
/{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd rPx,
/{usr/,}lib/update-notifier/update-motd-fsck-at-reboot rPx,
/{usr/,}lib/update-notifier/update-motd-reboot-required rix,
/usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,
/ r,
/etc/lsb-release r,
/etc/update-motd.d/[0-9]*-[a-z]* r,
/var/lib/update-notifier/updates-available r,
}
profile kernel-pre-post {
profile kernel {
include <abstractions/base>
include <abstractions/consoles>
/etc/kernel/header_postinst.d/* r,
/etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
capability sys_module,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
@ -85,17 +163,20 @@ profile run-parts @{exec_path} {
/{usr/,}bin/uname rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}{s,}bin/dkms rPx,
/{usr/,}{s,}bin/update-grub rPUx,
/{usr/,}{s,}bin/update-initramfs rPx,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}lib/dkms/dkms_autoinstaller rPx,
/{usr/,}sbin/dkms rPx,
/{usr/,}sbin/update-grub rPUx,
/{usr/,}sbin/update-initramfs rPx,
/{usr/,}lib/modules/*/updates/ w,
/{usr/,}lib/modules/*/updates/dkms/ w,
/etc/kernel/header_postinst.d/* r,
/etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
# For shell pwd
/ r,
/boot/ r,
@ -105,7 +186,8 @@ profile run-parts @{exec_path} {
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{run}/reboot-required.pkgs w,
@{run}/reboot-required w,
@{run}/reboot-required.pkgs rw,
@{PROC}/devices r,
@{PROC}/cmdline r,