From e9496546141039abe5810a7a1c32a637b34012c9 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 5 Jun 2022 22:57:29 +0100 Subject: [PATCH] feat(profiles): dbus abstactions and related rules. --- apparmor.d/groups/apt/apt | 1 + .../groups/apt/unattended-upgrade-shutdown | 1 + apparmor.d/groups/bus/ibus-daemon | 3 ++- apparmor.d/groups/bus/ibus-engine-simple | 3 +-- apparmor.d/groups/bus/ibus-extension-gtk3 | 7 +++--- apparmor.d/groups/bus/ibus-memconf | 5 +++-- apparmor.d/groups/bus/ibus-portal | 4 ++-- apparmor.d/groups/bus/ibus-x11 | 9 ++++++-- .../groups/freedesktop/at-spi2-registryd | 1 + apparmor.d/groups/freedesktop/colord-sane | 1 + apparmor.d/groups/freedesktop/dconf-service | 4 +--- apparmor.d/groups/freedesktop/pipewire | 1 + .../groups/freedesktop/polkit-agent-helper | 1 + .../groups/freedesktop/xdg-desktop-portal | 1 + .../freedesktop/xdg-desktop-portal-gnome | 2 ++ .../groups/freedesktop/xdg-desktop-portal-gtk | 3 +++ .../groups/freedesktop/xdg-permission-store | 1 + .../gnome/evolution-addressbook-factory | 2 ++ .../groups/gnome/evolution-alarm-notify | 2 ++ .../groups/gnome/evolution-calendar-factory | 2 ++ .../groups/gnome/evolution-source-registry | 1 + apparmor.d/groups/gnome/gdm-wayland-session | 1 + apparmor.d/groups/gnome/gjs-console | 1 + apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + .../groups/gnome/gnome-remote-desktop-daemon | 1 + apparmor.d/groups/gnome/gnome-session-binary | 1 + .../groups/gnome/gnome-shell-calendar-server | 1 + apparmor.d/groups/gnome/goa-daemon | 2 ++ apparmor.d/groups/gnome/goa-identity-service | 1 + apparmor.d/groups/gnome/gsd-a11y-settings | 1 + apparmor.d/groups/gnome/gsd-color | 3 +++ apparmor.d/groups/gnome/gsd-datetime | 1 + .../groups/gnome/gsd-disk-utility-notify | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-keyboard | 3 +++ apparmor.d/groups/gnome/gsd-media-keys | 6 ++--- apparmor.d/groups/gnome/gsd-power | 5 +++-- .../groups/gnome/gsd-print-notifications | 1 + 
apparmor.d/groups/gnome/gsd-printer | 1 + apparmor.d/groups/gnome/gsd-rfkill | 1 + apparmor.d/groups/gnome/gsd-screensaver-proxy | 1 + apparmor.d/groups/gnome/gsd-sharing | 2 ++ apparmor.d/groups/gnome/gsd-smartcard | 1 + apparmor.d/groups/gnome/gsd-sound | 1 + apparmor.d/groups/gnome/gsd-wacom | 3 +++ apparmor.d/groups/gnome/gsd-xsettings | 8 ++++--- apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/tracker-miner | 1 + .../groups/gvfs/gvfs-afc-volume-monitor | 1 + .../groups/gvfs/gvfs-goa-volume-monitor | 1 + .../groups/gvfs/gvfs-gphoto2-volume-monitor | 1 + .../groups/gvfs/gvfs-mtp-volume-monitor | 1 + .../groups/gvfs/gvfs-udisks2-volume-monitor | 1 + apparmor.d/groups/gvfs/gvfsd-fuse | 5 +++-- apparmor.d/groups/gvfs/gvfsd-metadata | 2 ++ apparmor.d/groups/gvfs/gvfsd-trash | 1 + apparmor.d/groups/network/networkd-dispatcher | 1 + apparmor.d/groups/ssh/sshd | 20 +---------------- apparmor.d/profiles-a-f/fwupdmgr | 1 + apparmor.d/profiles-s-z/spice-vdagent | 2 ++ apparmor.d/profiles-s-z/su | 22 +------------------ 62 files changed, 101 insertions(+), 66 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index cddabf04f..7e0c09b61 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -11,6 +11,7 @@ include profile apt @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index d93d7ea5f..b6815bd26 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 253deed08..baa8420ce 100644 
--- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -9,6 +9,8 @@ include @{exec_path} = /{usr/,}bin/ibus-daemon profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include + include + include include signal (receive) set=(usr1) peer=gnome-shell, @@ -25,7 +27,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/{,**} rw, owner @{user_cache_dirs}/ibus/{,**} rw, /var/lib/gdm{3,}/.config/ibus/{,**} rw, /var/lib/gdm{3,}/.cache/ibus/{,**} rw, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 390259572..eacefcd16 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=term peer=ibus-daemon, @@ -18,8 +19,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 23f435578..ae392bd44 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -10,10 +10,12 @@ include @{exec_path} += @{libexec}/ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} { include + include include include include include + include include signal (receive) set=term peer=ibus-daemon, 
@@ -35,11 +37,10 @@ profile ibus-extension-gtk3 @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index e13dc99c9..29c689e90 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -9,14 +9,15 @@ include @{exec_path} = @{libexec}/ibus-memconf profile ibus-memconf @{exec_path} { include + include include @{exec_path} mr, + /etc/machine-id r, + /var/lib/gdm{3,}/.config/ibus/bus/ r, /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index ba4528126..2438a72a3 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -10,6 +10,8 @@ include @{exec_path} += @{libexec}/ibus-portal profile ibus-portal @{exec_path} flags=(attach_disconnected) { include + include + include signal (receive) set=(term, hup) peer=gdm*, @@ -25,8 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /var/lib/gdm/.config/ibus/bus/ r, /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, - owner @{user_config_dirs}/ibus/bus/ r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r, owner /dev/tty[0-9]* rw, /dev/null rw, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index b36b22cf5..159806e3e 100644 
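Review bot: The socket rule added here, `owner @{run}/user/@{uid}/wayland-[0-9] rw,`, uses a different glob from the otherwise identical rule this commit adds elsewhere: gsd-color, gsd-keyboard, gsd-power and gsd-wacom also get `wayland-[0-9]`, while xdg-desktop-portal-gnome, xdg-desktop-portal-gtk, gsd-media-keys and gsd-xsettings get `wayland-[0-9]*`. The starred form additionally matches `wayland-N.lock` and any other suffix, which a plain Wayland client presumably does not need, so the two spellings grant different access for the same purpose. One form should be used throughout; if `[0-9]` is the intended one, the four starred profiles should be tightened to match, otherwise a short comment on why the wider form is required would help the next reader. The `profile ibus-extension-gtk3` block itself begins outside this hunk.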
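Review bot: The file still ends without a trailing newline, as the `\ No newline at end of file` marker after the closing `}` shows, and this hunk rewrites the lines directly above it without fixing that. Adding the final newline here would keep ibus-memconf consistent with the other profiles in the set and avoid a noisy diff the next time its last line changes.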
--- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -18,16 +18,21 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include + unix (connect, receive, send) type=stream peer=(label=ibus-daemon), + @{exec_path} mr, /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, - owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, + owner @{run}/user/@{uid}/at-spi/bus rw, + owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 46dc955d4..63fbbd709 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term hup) peer=gdm*, diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index ed183ba51..1ce827e2e 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/colord-sane profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { include + include include network netlink raw, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index 4782267f2..b44496f76 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service 
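Review bot: ibus-x11 is the one ibus profile in this commit that is not switched to the new abstraction: per the diffstat its 7 additions and 2 deletions all sit in this hunk, the two `owner @{user_config_dirs}/ibus/bus/...` rules that ibus-engine-simple, ibus-extension-gtk3, ibus-memconf and ibus-portal drop are only reordered here, and raw `owner @{run}/user/@{uid}/bus rw,` access to the session bus socket is added instead, which is the very line gnome-extension-ding removes later in the commit. If the intent is the same as for its siblings, this hunk should add the include they receive and drop the raw socket rule and the two `@{user_config_dirs}/ibus/bus` rules it would cover; if ibus-x11 genuinely needs different treatment, a one-line comment above the socket rule saying why would stop the next cleanup from reverting it. The added `unix (connect, receive, send) type=stream peer=(label=ibus-daemon),` is scoped by peer label and looks fine. The `profile ibus-x11` block begins outside this hunk.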
@@ -9,9 +9,7 @@ include @{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service profile dconf-service @{exec_path} flags=(attach_disconnected) { include - - # Needed? - deny capability sys_nice, + include signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 2eea607f0..76220f9f4 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -11,6 +11,7 @@ include profile pipewire @{exec_path} { include include + include include include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index e4d804aad..e04c0259e 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/polkit-agent-helper-[0-9] profile polkit-agent-helper @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index e366fd260..9fd683360 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 6b177afbf..22f60b381 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} { include + include include include include 
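Review bot: Dropping `deny capability sys_nice,` changes what happens when dconf-service requests that capability: the explicit deny was quiet, and with it gone the request is still refused (nothing in the hunk grants it) but now produces an audit message, which for a rule the old comment flagged as `# Needed?` is a behaviour change the commit message does not mention. If the answer to that question is that sys_nice is not needed, the replacement include is fine, but please say so in the commit, or keep the rule with a comment such as `# sys_nice is requested but not required; deny quietly to avoid log noise`. Whether the newly included abstraction itself grants or denies the capability cannot be seen here, because include targets are lost in this rendering; the `profile dconf-service` block begins outside this hunk.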
@@ -31,6 +32,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{user_share_dirs}/ r, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 996224760..2e94f0fff 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include + include include include include @@ -31,7 +32,9 @@ profile xdg-desktop-portal-gtk @{exec_path} { owner @{HOME}/@{XDG_DATA_HOME}/ r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/mount/utab r, owner @{PROC}/@{uid}/mountinfo r, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index d8dce5fd6..fd496df8a 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term hup kill) peer=dbus-daemon, signal (receive) set=(term hup kill) peer=gdm*, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index a036ee7e8..bc3133534 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory 
@@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/evolution-addressbook-factory profile evolution-addressbook-factory @{exec_path} { include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index e1e49b087..0a7c3adf0 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/evolution-data-server/evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include + include include include include @@ -23,6 +24,7 @@ profile evolution-alarm-notify @{exec_path} { /usr/share/ubuntu/applications/ r, /usr/share/zoneinfo-icu/{,**} r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 40661e7c2..132540ade 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/evolution-calendar-factory profile evolution-calendar-factory @{exec_path} { include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index e488818bb..61ab2e0be 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/evolution-source-registry profile evolution-source-registry @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 57c084d57..b07fe0e9a 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session 
@@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 7af35a3d1..1d385bb4e 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 564dba303..030e12140 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js profile gnome-extension-ding @{exec_path} { include + include include include include @@ -36,7 +37,6 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/home r, owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 655138508..3f499354e 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 44844ad38..4101886e1 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon 
@@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-remote-desktop-daemon profile gnome-remote-desktop-daemon @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 78fee1dff..917436843 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 005072d53..b50bfcb6c 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-shell-calendar-server profile gnome-shell-calendar-server @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 684080be6..9a30738ff 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/goa-daemon profile goa-daemon @{exec_path} { include + include + include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 6a728d631..c7b98a84a 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -10,6 +10,7 @@ include profile goa-identity-service @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 8be54615f..a1388d9ff 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings 
@@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index c83666a2b..3e3de47c5 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -35,9 +36,11 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/ r, owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index e7d51d5b4..41df5db47 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index ccec1b6a5..f1c5d57bb 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-disk-utility-notify profile gsd-disk-utility-notify @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index d9ede44b0..e5ce47c2f 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping 
+++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,6 +10,7 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 216a23cba..6a2037a24 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -31,9 +32,11 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/ rw, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 310336b25..96288a87f 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,6 +10,7 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -30,9 +31,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/X11/xkb/** r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/pulse/ rw, owner @{user_share_dirs}/ r, 
@@ -43,9 +41,11 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/pulse/client.conf r, /var/lib/gdm/.config/pulse/cookie rk, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index c674d1e55..41f28908a 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,6 +10,7 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -28,15 +29,15 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /usr/share/icons/{,**} r, /usr/share/X11/xkb/** r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, /var/lib/gdm/.cache/event-sound-cache.tdb.* rwk, /var/lib/gdm/.config/dconf/user r, /var/lib/gdm/.config/pulse/client.conf r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, @{run}/udev/data/+backlight:* r, @{run}/udev/data/+leds:*backlight* r, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index de6c3a28e..aa62b6f55 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index eccc41807..15590b730 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer 
@@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index a44ecbbe7..3bb20459f 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index b6058e222..b0d8a5526 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 7cada0c72..5b20cc4f6 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,6 +9,8 @@ include @{exec_path} = @{libexec}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index fca978002..31e0cf770 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 83a7520c1..e64fbb8b8 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound 
@@ -10,6 +10,7 @@ include profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 8585d792e..c723369bb 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -28,9 +29,11 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9] rw, /var/lib/gdm/.config/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 2ac7d10bb..d3f6ec900 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include include @@ -49,13 +50,14 @@ profile gsd-xsettings @{exec_path} { owner @{user_cache_dirs}/mesa_shader_cache/index rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, - - owner @{run}/systemd/users/@{uid}/ r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5ad4d7a0a..6c48c596f 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
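Review bot: The relocated rule `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,` carries a character-class typo: `A-z` also covers the six punctuation characters between `Z` and `a`, so the class is wider than the intended alphanumerics. Since the line is being moved anyway, it should read `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-Z0-9]* r,`; the same `[a-zA-z0-9]` appears in spice-vdagent's context line further down, and ibus-x11 and xdg-desktop-portal-gtk spell the same path as `[0-9A-Z]*`, so one agreed glob for this file would help. Dropping `owner` when `owner @{run}/systemd/users/@{uid}/ r,` becomes `@{run}/systemd/users/@{uid} r,` is presumably deliberate because that entry is not user-owned, but a short note in the commit message would make it clear that the loosening is intended. The `profile gsd-xsettings` block begins outside this hunk.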
@@ -10,6 +10,7 @@ include profile nautilus @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index dd45b7262..7846a4640 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3 profile tracker-miner @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 5373623e8..1baa4eda1 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-afc-volume-monitor profile gvfs-afc-volume-monitor @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 1eaa0116a..d55fa7de2 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-goa-volume-monitor profile gvfs-goa-volume-monitor @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index 88864385c..b5844365d 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-gphoto2-volume-monitor profile gvfs-gphoto2-volume-monitor @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 94978f25e..1163dd549 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor 
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -10,6 +10,7 @@ include @{exec_path} += @{libexec}/gvfs-mtp-volume-monitor profile gvfs-mtp-volume-monitor @{exec_path} { include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 0f32b0161..59db2bb35 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor profile gvfs-udisks2-volume-monitor @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 62248a594..d4a8184e3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-fuse profile gvfsd-fuse @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 3a0e7d74a..fb46ee851 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-metadata profile gvfsd-metadata @{exec_path} { include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 196a07e8a..906aff694 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash 
@@ -11,6 +11,7 @@ include
@{exec_path} += @{libexec}/gvfsd-trash
profile gvfsd-trash @{exec_path} {
include
+ include
include
include
include
diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher
index 0572caeec..ed8fe89c6 100644
--- a/apparmor.d/groups/network/networkd-dispatcher
+++ b/apparmor.d/groups/network/networkd-dispatcher
@@ -15,6 +15,7 @@ profile networkd-dispatcher @{exec_path} {
@{exec_path} mr,
+ /{usr/,}bin/ r,
/{usr/,}bin/networkctl rPx,
@{run}/systemd/notify rw,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 8b4923221..a1937b016 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -19,6 +19,7 @@ include
profile sshd @{exec_path} flags=(attach_disconnected) {
include
include
+ include
include
include
include
@@ -98,24 +99,5 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
/dev/ptmx rw,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
-
- # DBus
- @{run}/dbus/system_bus_socket rw,
- dbus send
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=Hello
- peer=(name=org.freedesktop.DBus),
- dbus send
- bus=system
- path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member={CreateSession,ReleaseSession}
- peer=(name=org.freedesktop.login1),
-
include if exists
}
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index 127a364c5..6c75dc05d 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -10,6 +10,7 @@ include
@{exec_path} = /{usr/,}bin/fwupdmgr
profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
include
+ include
include
include
include
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index e0a141ea2..50344f35e 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
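Review bot: The new `/{usr/,}bin/ r,` rule in the networkd-dispatcher hunk carries no comment saying why a network dispatcher needs to list the bin directory; presumably it covers a PATH lookup that precedes the `/{usr/,}bin/networkctl rPx,` exec on the next line, but that is only inferred from adjacency. A one-line comment such as `# PATH lookup for networkctl` (checked against the denial that motivated the rule) would keep the grant reviewable later. The trailing slash limits it to directory listing, so the added exposure is small. The profile block starts outside this hunk.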
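Review bot: The rules removed in the second sshd hunk pinned the daemon to `member=Hello` on the bus driver and to `member={CreateSession,ReleaseSession} peer=(name=org.freedesktop.login1)` on logind, and the only visible replacement is the include added in the first sshd hunk, whose target is not shown in this rendering; if that abstraction grants `dbus send bus=system` without a member or peer restriction, a network-facing daemon gains reach to every service on the system bus. I would keep the session rule in the profile regardless of what the abstraction provides: `dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession} peer=(name=org.freedesktop.login1),`. `@{run}/systemd/userdb/io.systemd.DynamicUser w,` is also dropped here although it is a Varlink socket rather than D-Bus, so confirm the abstraction or another include still provides it before merging. The profile block starts outside this hunk.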
@@ -10,6 +10,7 @@ include
profile spice-vdagent @{exec_path} {
include
include
+ include
include
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
@@ -21,6 +22,7 @@ profile spice-vdagent @{exec_path} {
owner @{user_config_dirs}/user-dirs.dirs r,
+ owner @{run}/user/@{uid}/at-spi/bus rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
@{run}/spice-vdagentd/spice-vdagent-sock rw,
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 24654d781..b7ea89fcd 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -11,6 +11,7 @@ profile su @{exec_path} {
include
include
include
+ include
include
include
# include
@@ -54,28 +55,7 @@ profile su @{exec_path} {
@{PROC}/cmdline r,
@{sys}/devices/virtual/tty/console/active r,
- # pseudo-terminal
- capability chown,
- /dev/{,pts/}ptmx rw,
-
- @{run}/dbus/system_bus_socket rw,
-
- dbus (send)
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=Hello
- peer=(name=org.freedesktop.DBus),
-
- dbus (send)
- bus=system
- path=/org/freedesktop/login[0-9]
- interface=org.freedesktop.login[0-9].Manager
- member={CreateSession,ReleaseSession},
-
- unix (bind) type=dgram,
-
/dev/tty[0-9]* rw,
include if exists
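Review bot: On the `.mutter-Xwaylandauth` line directly below the new `at-spi/bus` rule in the second spice-vdagent hunk, the class `[a-zA-z0-9]*` uses `A-z` rather than `A-Z`, so the range also matches the ASCII punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick); the suffix is presumably alphanumeric, so the line should read `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-Z0-9]* rw,`. The added `owner @{run}/user/@{uid}/at-spi/bus rw,` is scoped to the caller's own runtime directory, which is the right shape for an accessibility-bus socket. The profile block starts outside this hunk.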
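Review bot: The include added in the first su hunk is the only visible replacement for several non-D-Bus grants that the second hunk of this file removes: `capability chown,` and `/dev/{,pts/}ptmx rw,` (under the removed `# pseudo-terminal` comment) and `unix (bind) type=dgram,`; the include target is not shown in this rendering, so confirm it or another include still carries them, otherwise su will presumably be denied when it chowns the pty it hands to the target user. The removed logind rule also had no `peer=` restriction, so whatever replaces it is the place to add `peer=(name=org.freedesktop.login1)` rather than keep the unscoped `path=/org/freedesktop/login[0-9]` form. The profile block starts outside this hunk.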
