From e6c91fdfd777f3b0ab5ac63e77f04d1de3bf8d31 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Aug 2022 21:10:10 +0100 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/abstractions/disks-write | 2 + apparmor.d/groups/apt/apt | 5 +- apparmor.d/groups/browsers/chromium-chromium | 2 + apparmor.d/groups/freedesktop/fc-cache | 3 +- apparmor.d/groups/gnome/gjs-console | 7 +- apparmor.d/groups/gnome/gnome-extensions-app | 17 +++ apparmor.d/groups/network/mullvad-gui | 1 + apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/systemd/child-systemctl | 2 +- apparmor.d/groups/systemd/systemd-analyze | 19 +-- apparmor.d/groups/systemd/systemd-hwdb | 1 + .../groups/ubuntu/notify-reboot-required | 1 + .../groups/ubuntu/software-properties-gtk | 1 + apparmor.d/groups/ubuntu/update-notifier | 2 + apparmor.d/profiles-g-l/glib-compile-schemas | 2 + apparmor.d/profiles-g-l/install-info | 1 + apparmor.d/profiles-g-l/language-validate | 11 +- apparmor.d/profiles-m-r/rsyslogd | 27 ++--- apparmor.d/profiles-m-r/rtkit-daemon | 2 +- apparmor.d/profiles-s-z/snap | 6 +- apparmor.d/profiles-s-z/snapd | 27 +++-- apparmor.d/profiles-s-z/steam | 19 ++- apparmor.d/profiles-s-z/steam-game | 3 + apparmor.d/profiles-s-z/steam-gameoverlayui | 9 +- apparmor.d/profiles-s-z/udisksd | 111 ++++++++---------- apparmor.d/profiles-s-z/wpa-supplicant | 2 +- 26 files changed, 163 insertions(+), 122 deletions(-) diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index fd5c7b734..f6adf946d 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -8,6 +8,8 @@ # The /sys/ entries probably should be tightened /dev/ r, + /dev/block/ r, + /dev/disk/{,*/} r, # Regular disk/partition devices /dev/{s,v}d[a-z]* rwk, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index b7ee1e980..867c76795 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -28,6 +28,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, capability sys_nice, + capability sys_ptrace, signal (send) peer=apt-methods-*, @@ -46,7 +47,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { member=Inhibit peer=(name=org.freedesktop.login[0-9]), - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/org/freedesktop/DBus{,/Bus} interface=org.freedesktop.DBus{,.Introspectable} member={RequestName,GetConnectionUnixProcessID,Introspect} peer=(name=org.freedesktop.DBus), @@ -101,6 +102,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx, /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/command-not-found/cnf-update-db rPx, + /usr/share/language-tools/language-options rPx, # For editing the sources.list file /{usr/,}bin/sensible-editor rCx -> editor, @@ -110,6 +112,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/sensible-pager rCx -> pager, /usr/share/xml/iso-codes/{,**} r, + /usr/share/language-selector/data/pkg_depends r, /etc/apt/sources.list rwk, /etc/machine-id r, diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index f1cfd87dd..b6bf4ff65 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -32,6 +32,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=browserpass, ptrace (read) peer=chrome-gnome-shell, + ptrace (read) peer=gnome-browser-connector-host, ptrace (read) peer=keepassxc-proxy, ptrace (read) peer=lsb_release, ptrace (read) peer=xdg-settings, 
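Review bot: `capability sys_ptrace,` in the first apt hunk is added without a comment recording what needed it, and it is a broad grant: it lifts the kernel's restriction on reading other processes' /proc entries for the whole apt profile. If the trigger was a denial on a specific `/proc/@{pids}/…` file while apt inspects running processes, a file rule for that path together with a `ptrace (read) peer=…` rule (the shape the chromium hunks in this commit use) may be the narrower fix; if the capability really is required, record the reason inline, e.g. `capability sys_ptrace, # TODO(review): note the operation that needs this`. The profile body continues outside the hunk.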
@@ -49,6 +50,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, /{usr/,}bin/chrome-gnome-shell rPx, + /{usr/,}bin/gnome-browser-connector-host rPx, /{usr/,}lib/chromium/chrome-sandbox rPx, /{usr/,}lib/chromium/chrome_crashpad_handler rPx, diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index 9736bc759..1bfe02a61 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -10,8 +10,9 @@ include @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*} profile fc-cache @{exec_path} { include - include + include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index fe4e1f9d0..fc30ca94d 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -46,16 +46,17 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/user/@{uid}/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{sys}/devices/system/cpu/possible r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index d4f5d0bc5..944782d40 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app 
@@ -9,6 +9,14 @@ include @{exec_path} = /{usr/,}bin/gnome-extensions-app profile gnome-extensions-app @{exec_path} { include + # include + include + include + include + include + include + include + include @{exec_path} mr, @@ -16,6 +24,15 @@ profile gnome-extensions-app @{exec_path} { /{usr/,}bin/gjs-console rix, /usr/share/terminfo/x/xterm-256color r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/gnome-shell/org.gnome.Extensions* r, + /usr/share/X11/xkb/{,**} r, + + @{sys}/devices/system/cpu/possible r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 793734605..cce44eee5 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -53,6 +53,7 @@ profile mullvad-gui @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r, + @{sys}/devices/system/cpu/possible r, @{PROC}/ r, @{PROC}/sys/fs/inotify/max_user_watches r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 11dfdf161..15f077331 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -8,7 +8,7 @@ include @{exec_path} = /{usr/,}lib/nm-dispatcher @{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher -profile nm-dispatcher @{exec_path} { +profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index d4c6def1e..99f2dee8c 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl 
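Review bot: The first added line of the gnome-extensions-app hunk is a commented-out include with no reason recorded, so the next reader cannot tell whether it is pending, rejected or a leftover; either drop it or annotate it, e.g. `# include <ABSTRACTION>  # disabled: <why>` (placeholder names, the bracketed text is lost in this rendering). In the second hunk of this file, `owner @{PROC}/@{pids}/stat r,` and `owner @{PROC}/@{pids}/task/@{tid}/stat r,` use `@{pids}` while the neighbouring `mounts` rule uses `@{pid}`; gjs-console, which this profile runs with `rix`, reads only its own `@{pid}/stat` in its hunk, so `@{pid}` is presumably enough here unless a denial showed another pid. The profile body continues outside both hunks.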
@@ -27,7 +27,7 @@ profile child-systemctl flags=(attach_disconnected) { network inet stream, network inet6 stream, - dbus send bus=system path=/org/freedesktop/systemd[0-9] + dbus send bus=system path=/org/freedesktop/systemd[0-9]/Unit interface=org.freedesktop.systemd[0-9].Manager member=GetUnitFileState, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 1f0613070..2a4179786 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -10,12 +10,18 @@ include @{exec_path} = /{usr/,}bin/systemd-analyze profile systemd-analyze @{exec_path} { include + include include include capability sys_resource, capability net_admin, + network inet dgram, + network netlink raw, + + signal (send) peer=child-pager, + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=GetAll, @@ -28,12 +34,8 @@ profile systemd-analyze @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, - signal (send) peer=child-pager, - - network inet dgram, - network netlink raw, - @{exec_path} mr, + /{usr/,}lib/systemd/system-environment-generators/* rix, /{usr/,}bin/pager rPx -> child-pager, @@ -68,13 +70,12 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/comm r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty rw, - /dev/pts/1 rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 51f4ff123..6c3a80cf7 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb 
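Review bot: The child-systemctl hunk replaces the object path instead of extending it: `GetUnitFileState` is a method of the `org.freedesktop.systemd1.Manager` interface, which systemd exposes at `/org/freedesktop/systemd1`, so the rewritten rule no longer matches that call unless the logged denial really came from a `/Unit` sub-path. The apt hunk in this same commit handles the equivalent case with a brace alternative, and the same shape would keep both paths: `dbus send bus=system path=/org/freedesktop/systemd[0-9]{,/Unit}`. The interface and member lines of the rule are unchanged and the profile continues outside the hunk.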
@@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/systemd-hwdb profile systemd-hwdb @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required index 0ef30e5f2..1fc19b408 100644 --- a/apparmor.d/groups/ubuntu/notify-reboot-required +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/update-notifier/notify-reboot-required profile notify-reboot-required @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index f5e7e6d94..69d34c76c 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -67,6 +67,7 @@ profile software-properties-gtk @{exec_path} { @{sys}/devices/**/modalias r, @{PROC}/@{pids}/mountinfo r, + @{PROC}/asound/cards r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index dbf9eba3c..63dec833f 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -38,6 +38,8 @@ profile update-notifier @{exec_path} { /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + /{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + /usr/share/applications/{,**} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 3af156984..c812c59c2 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas 
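Review bot: The update-notifier hunk grants `rw` on `__pycache__` directories under `/{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/`, i.e. write access to system-wide bytecode caches that every process importing those packages loads; whenever the notifier runs with the DAC rights to use it, the profile no longer stops it from altering bytecode that other programs later import. Python runs normally when the cache write fails (it simply does not cache), so a read rule plus a silent deny keeps the logs clean without granting the write: `/{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} r,` and `deny /{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/** w,`. If the write was granted deliberately, a comment saying so would stop the next reviewer from tightening it again.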
@@ -19,5 +19,7 @@ profile glib-compile-schemas @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled.[A-Z0-9]* rw, /usr/share/glib-2.0/schemas/gschemas.compiled rw, + /usr/share/gnome-shell/extensions/*/schemas/org.gnome.shell.extensions.*.gschema.xml r, + include if exists } diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index a541546cb..997a523eb 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/install-info profile install-info @{exec_path} { include + include capability dac_read_search, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 3c878be31..1737430b5 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -6,18 +6,17 @@ abi , include -@{exec_path} = /usr/share/language-tools/language-validate +@{exec_path} = /usr/share/language-tools/language-{options,validate} profile language-validate @{exec_path} { include capability setgid, - @{exec_path} mr, + @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/locale rix, - /usr/share/language-tools/language-options rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/locale rix, /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 10fc5bd92..d586dbaca 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -20,35 +21,31 @@ profile rsyslogd @{exec_path} { capability net_admin, # For remote logs capability setgid, # For downgrading privileges capability setuid, + capability sys_nice, capability syslog, - + @{exec_path} mr, /{usr/,}lib/@{multiarch}/rsyslog/*.so mr, - # rsyslog configuration /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, - /var/spool/rsyslog/ r, - /var/spool/rsyslog/** rw, - owner @{run}/rsyslogd.pid{,.tmp} rwk, - owner @{run}/systemd/journal/syslog w, - @{run}/systemd/notify rw, - - # log files and devices - /var/log/** rw, - @{PROC}/kmsg r, - - # a cert for gtls module /etc/CA/*.crt r, /etc/CA/*.key r, + /var/log/** rw, + /var/spool/rsyslog/ r, + /var/spool/rsyslog/** rw, + + @{run}/systemd/notify rw, + owner @{run}/rsyslogd.pid{,.tmp} rwk, + owner @{run}/systemd/journal/syslog w, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, - @{run}/systemd/notify w, - include if exists } diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 82302316e..71e444334 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/rtkit-daemon -profile rtkit-daemon @{exec_path} { +profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 38567f5c1..5aaf88e65 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -16,9 +16,9 @@ profile snap @{exec_path} { @{exec_path} mrix, /snap/{,**} rw, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-confine rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snapd r, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd r, /etc/fstab r, 
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index ef2ce90e4..cfa8d3710 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -18,8 +18,11 @@ profile snapd @{exec_path} { include capability audit_write, + capability chown, capability dac_override, capability dac_read_search, + capability fowner, + capability fsetid, capability net_admin, capability setgid, capability setuid, @@ -56,6 +59,7 @@ profile snapd @{exec_path} { /{usr/,}bin/cp rix, /{usr/,}bin/gzip rix, /{usr/,}bin/mount rix, + /{usr/,}bin/snap rPx, /{usr/,}bin/sync rix, /{usr/,}bin/systemctl rix, /{usr/,}bin/systemd-detect-virt rPx, @@ -65,15 +69,15 @@ profile snapd @{exec_path} { /{usr/,}bin/unsquashfs rix, /{usr/,}bin/update-desktop-database rPx, - /snap/snapd/[0-9]*/lib/@{multiarch}/** mr, - /snap/snapd/[0-9]*/lib/@{multiarch}/ld-*.so rix, - /snap/snapd/[0-9]*/usr/bin/snap rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-discard-ns rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snapd rix, - /snap/snapd/[0-9]*/usr/bin/fc-cache-* rPx -> fc-cache, - /snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ? + /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/** mr, + /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/ld-*.so rix, + /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix, + /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* rPx -> fc-cache, + /{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ? /usr/share/bash-completion/completions/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} r, 
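Review bot: `/{usr/,}bin/snap rPx,` added in the second snapd hunk is already covered by the third hunk's rewritten `/{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx,`, whose brace alternatives expand to `/usr/bin/snap` and `/bin/snap` as well as the snap-mounted paths, so one of the two lines can go. The same rewrite turns `/{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/** mr,` into a map-and-read grant over every host library as well as the snap-mounted ones; that is probably already provided by the base abstraction, but the widening is worth a glance to confirm it is intended.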
@@ -104,6 +108,7 @@ profile snapd @{exec_path} { /tmp/syscheck-squashfs-[0-9]* rw, /tmp/read-file[0-9]*/{,**} rw, + /home/ r, @{HOME}/ r, @{HOME}/snap/{,**} rw, @@ -114,8 +119,8 @@ profile snapd @{exec_path} { owner @{run}/user/{,@{uid}/} r, owner @{run}/user/snap.*/{,**} rw, - @{run}/snapd-snap.socket rw, - @{run}/snapd.socket rw, + @{run}/snapd*.socket rw, + @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, @{run}/systemd/notify rw, @{run}/systemd/private rw, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index dd688cfbb..13e39571d 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -37,12 +37,16 @@ profile steam @{exec_path} { signal (send) peer=steam-game, signal (read), + unix (receive) type=stream, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/*sum rix, /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, /{usr/,}bin/cmp rix, + /{usr/,}bin/cp rix, /{usr/,}bin/cut rix, /{usr/,}bin/dirname rix, /{usr/,}bin/gawk rix, @@ -53,18 +57,23 @@ profile steam @{exec_path} { /{usr/,}bin/ldd rix, /{usr/,}bin/ln rix, /{usr/,}bin/lspci rPx, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mv rix, /{usr/,}bin/readlink rix, /{usr/,}bin/realpath rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, /{usr/,}bin/steam-runtime-urlopen rix, /{usr/,}bin/tail rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/touch rix, /{usr/,}bin/tr rix, /{usr/,}bin/uname rix, /{usr/,}bin/which rix, /{usr/,}bin/xdg-icon-resource rPx, - - /{usr/,}lib{32,64}/ld-linux.so* rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/zenity rix, + /{usr/,}lib{32,64}/ld-linux.so* rix, @{user_share_dirs}/Steam/config/widevine/linux-x64/libwidevinecdm.so mr, @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier/*entry-point rpx, 
@@ -116,6 +125,7 @@ profile steam @{exec_path} { owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw, owner @{user_share_dirs}/Steam/ rw, owner @{user_share_dirs}/Steam/** rwkl -> @{user_share_dirs}/Steam/**, + owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, @@ -125,6 +135,7 @@ profile steam @{exec_path} { owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, + owner /tmp/dumps/ rw, owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw, owner /tmp/sh-thd.* rw, owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw, @@ -162,6 +173,7 @@ profile steam @{exec_path} { @{sys}/power/suspend_stats/success rk, @{PROC}/ r, + @{PROC}/@{pids}/comm rk, @{PROC}/@{pids}/net/route r, @{PROC}/@{pids}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, @@ -170,7 +182,6 @@ profile steam @{exec_path} { @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/user/max_user_namespaces r, @{PROC}/version r, - owner @{PROC}/@{pid}/comm rk, owner @{PROC}/@{pid}/autogroup rw, owner @{PROC}/@{pid}/cmdline rk, owner @{PROC}/@{pid}/fd/ r, @@ -184,5 +195,7 @@ profile steam @{exec_path} { /dev/input/ r, /dev/tty rw, + audit deny /**.steam_exec_test.sh rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 807b79594..9a7f939cf 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -36,6 +36,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + capability dac_read_search, capability setpcap, capability sys_admin, capability sys_ptrace, 
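Review bot: The fourth steam hunk adds `@{PROC}/@{pids}/comm rk,` and the fifth removes `owner @{PROC}/@{pid}/comm rk,`, which widens the rule from the process's own `comm` to that of every process on the system and drops the `owner` condition. If the need is the names of Steam's own helper and game processes (same uid), `owner @{PROC}/@{pids}/comm rk,` covers that and keeps the rest of the system out of scope; a short comment naming the helper that reads it would also help. The `k` (lock) permission on a proc file is unusual enough to deserve the same comment.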
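Review bot: `capability dac_override,` and `capability dac_read_search,` in the steam-game hunk are added without a why-comment, unlike the capability lines the rsyslogd profile carries in this same commit; both let a privileged process bypass file permission checks, so the reader should know which title or helper produced the denial. Suggested: `capability dac_override, # TODO(review): name the title/helper that needed this` and the same for `dac_read_search`. Since games run as the user, these only take effect for a binary that already holds the capability, which makes the comment the main safeguard against keeping them by habit.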
@@ -159,6 +161,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner /dev/shm/mono.* rw, owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/wine-*-fsync rw, owner /tmp/.wine-@{uid}/server-*/* rwk, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index 35598b9db..c59845280 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -9,8 +9,9 @@ include @{exec_path} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui profile steam-gameoverlayui @{exec_path} { include - include + include include + include network inet stream, network inet6 stream, @@ -34,15 +35,19 @@ profile steam-gameoverlayui @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/Steam/{,**} r, owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw, - owner @{user_share_dirs}/Steam/public/url_list.txt rk, + owner @{user_share_dirs}/Steam/public/* rk, + owner @{user_share_dirs}/Steam/resource/{,**} rk, + owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /tmp/gameoverlayui.log* rw, owner /tmp/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, + owner /tmp/miles_image_* mrw, @{sys}/ r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index fd5e41692..c89a78e60 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
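Review bot: `owner /tmp/miles_image_* mrw,` in the second steam-gameoverlayui hunk allows a writable file in `/tmp` to be mapped executable, so the confined process may run code from a file it wrote itself, which is the pattern profiles normally try to avoid. If this is needed because the library behind the `miles_image_*` name (presumably the Miles audio runtime) writes an image and then maps it, say so next to the rule, e.g. `owner /tmp/miles_image_* mrw, # TODO(review): confirm exec mapping of this writable file is required`; otherwise drop the `m`. The neighbouring `/dev/shm` rules in the same hunk are `rw` only, which is the contrast a reader will notice.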
@@ -27,6 +27,28 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { network netlink raw, + # Allow mounting of removable devices + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, + + # Allow mounting of loop devices (ISO files) + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, + + # Allow mounting of cdrom + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/, + mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/, + + # Allow mounting od sd cards + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + + # Allow unmounting + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount /media/cdrom[0-9]/, + dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.{DBus*,UDisks2*}, 
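Review bot: The relocated comment `# Allow mounting od sd cards` in the udisksd hunk still carries its typo; since the block is being moved anyway, `# Allow mounting of SD cards` would fix it. Under `# Allow mounting of cdrom` the first rule targets `/dev/loop[0-9]*` rather than an optical device, which reads like a paste error unless it is meant for ISO images mounted at `/media/cdrom[0-9]/`; a half-sentence in that comment would settle it. The profile continues outside the hunk.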
@@ -71,85 +93,46 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemd-escape rPx, - # Allow mounting of removable devices - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, - # Allow mounting of loop devices (ISO files) - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, - # Allow mounting of cdrom - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/, - mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/, - # Allow mounting od sd cards - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, - # Allow unmounting - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, - umount /media/cdrom[0-9]/, + /etc/udisks2/{,**} r, + /etc/libblockdev/{,**} r, + /etc/fstab r, + /etc/crypttab r, + + /var/lib/udisks2/ r, + /var/lib/udisks2/mounted-fs{,*} rw, # Be able to create/delete dirs for removable media @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, - /media/cdrom[0-9]/ rw, - # Udisks2 config files - /etc/udisks2/ r, - /etc/udisks2/udisks2.conf r, - - /etc/libblockdev/conf.d/ r, - /etc/libblockdev/conf.d/[0-9][0-9]-default.cfg r, - - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/cmdline r, - @{PROC}/devices r, - @{PROC}/swaps r, - - # To be able to initialize device-mapper disk devices - /dev/mapper/ r, - /dev/mapper/control rw, - - # The special /dev/loop-control file can be used to create and destroy loop devices or to find - # the first available loop device. 
- /dev/loop-control rw, - - # To check whether the x-udisks-auth option was used to specify that additional authorization is - # required to mount/unlock a device - /etc/fstab r, - /etc/crypttab r, - - # To be able to operate on encryted devices + @{run}/ r, + @{run}/mount/utab{,.*} rw, + @{run}/mount/utab.lock rwk, + @{run}/udisks2/{,**} rw, + @{run}/systemd/seats/seat[0-9]* r, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, - @{sys}/fs/ r, @{sys}/bus/ r, @{sys}/class/ r, - + @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw, @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w, + @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop[0-9]*/uevent rw, + @{sys}/fs/ r, - # For powering off USB devices - @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw, + @{PROC}/cmdline r, + @{PROC}/devices r, + @{PROC}/swaps r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - @{sys}/devices/virtual/bdi/**/read_ahead_kb r, - - @{run}/ r, - - # Info on mounted devices - @{run}/mount/utab{,.*} rw, - @{run}/mount/utab.lock rwk, - /var/lib/udisks2/ r, - /var/lib/udisks2/mounted-fs{,*} rw, - - @{run}/udisks2/{,**} rw, - - @{run}/systemd/seats/seat[0-9]* r, - @{run}/systemd/inhibit/[0-9]*.ref rw, + /dev/loop-control rw, + /dev/mapper/ r, + /dev/mapper/control rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 93e75bf29..32472fb93 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/wpa_supplicant -profile wpa-supplicant @{exec_path} { +profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include include
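Review bot: The second udisksd hunk removes `/media/cdrom[0-9]/ rw,` without a replacement, while the first hunk of this file keeps `mount … -> /media/cdrom[0-9]/,` and `umount /media/cdrom[0-9]/,`; if udisksd ever creates or removes that directory, the file operation is now denied even though mounting onto it is still allowed, so either restore the line under `# Be able to create/delete dirs for removable media` or note that the directory is always pre-existing. The same hunk also drops the explanatory comments on `/dev/loop-control` and `/dev/mapper/control`; a one-line why-comment on each (`# create/destroy loop devices`, `# initialise device-mapper devices`) is worth keeping when rules are regrouped. This hunk begins on the previous line.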