Merge pull request #1 from roddhjav/main

Update
curiosityseeker 2023-02-20 13:08:43 +01:00 committed by GitHub
commit f17516c34d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
65 changed files with 1015 additions and 215 deletions


@ -34,6 +34,16 @@ install:
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
done
auto:
@[ ${DISTRIBUTION} = Arch ] || exit 0; \
makepkg --syncdeps --install --cleanbuild --force
@[ ${DISTRIBUTION} = Ubuntu ] || exit 0; \
dch --newversion="${VERSION}" --urgency=medium --distribution=stable --controlmaint "Release ${VERSION}"; \
dpkg-buildpackage -b -d --no-sign; \
sudo dpkg -i "../apparmor.d_${VERSION}_all.deb"; \
make clean
@[ ${DISTRIBUTION} = openSUSE ] || exit 0; \
make local
local:
@./configure --complain
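Review bot: The three guard lines of the new `auto` target expand `${DISTRIBUTION}` unquoted, so when the variable is unset or empty the shell runs `[ = Arch ]`, prints a "unary operator expected" error and the `|| exit 0` then masks it as a clean skip. Quote the expansion on each guard, `@[ "${DISTRIBUTION}" = Arch ] || exit 0; \`, and do the same for the Ubuntu and openSUSE lines. The Ubuntu and openSUSE branches also invoke `make clean` and `make local` literally; `$(MAKE) clean` and `$(MAKE) local` keep `-j`, `-n` and the jobserver propagating into the sub-make. The `install` target whose tail the hunk starts with begins above the hunk.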


@ -2,7 +2,7 @@
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# For chromium based browser. If your application require chromium ro run
# For chromium based browser. If your application requires chromium to run
# (like electron) use abstractions/chromium-common instead.
# This abstraction requires the following variables definied in the profile header:


@ -19,6 +19,9 @@
/var/lib/nscd/group r,
/var/lib/nscd/passwd r,
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
@{run}/nscd/db* r,
@{run}/systemd/resolve/stub-resolv.conf r,


@ -12,6 +12,7 @@
owner @{user_books_dirs}/{,**} r,
owner @{user_documents_dirs}/{,**} r,
owner @{user_games_dirs}/{,**} r,
owner @{user_music_dirs}/{,**} r,
owner @{user_pictures_dirs}/{,**} r,
owner @{user_projects_dirs}/{,**} r,
@ -20,6 +21,7 @@
owner @{user_templates_dirs}/{,**} r,
owner @{user_torrents_dirs}/{,**} r,
owner @{user_videos_dirs}/{,**} r,
owner @{user_vm_dirs}/{,**} r,
owner @{user_work_dirs}/{,**} r,
include if exists <abstractions/user-read.d>


@ -7,8 +7,10 @@
owner @{user_books_dirs}/{,**} rwl,
owner @{user_documents_dirs}/{,**} rwl,
owner @{user_games_dirs}/{,**} rwl,
owner @{user_music_dirs}/{,**} rwl,
owner @{user_pictures_dirs}/{,**} rwl,
owner @{user_projects_dirs}/{,**} rwl,
owner @{user_videos_dirs}/{,**} rwl,
owner @{user_vm_dirs}/{,**} rwl,
owner @{user_work_dirs}/{,**} rwl,


@ -58,7 +58,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
member={CheckAuthorization,Introspect},
dbus bind bus=system
name= org.debian.apt,
name=org.debian.apt,
@{exec_path} mr,
@ -68,6 +68,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/id rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix,
/{usr/,}bin/touch rix,
@ -88,6 +89,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPUx,
/{usr/,}bin/systemctl rCx -> systemctl,
/{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx,
@{libexec}/zsys-system-autosnapshot rPx,
@ -224,6 +226,31 @@ profile apt @{exec_path} flags=(attach_disconnected) {
}
profile systemctl {
include <abstractions/base>
capability sys_resource,
ptrace (read),
/{usr/,}bin/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/* rw,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,
/dev/kmsg w,
}
include if exists <local/apt>
}
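Review bot: `ptrace (read),` in the new `systemctl` child profile carries no peer restriction, so the confined systemctl may read the state of every process on the system; the `@{PROC}/1/environ r,` and `@{PROC}/1/sched r,` rules suggest it only needs PID 1, in which case `ptrace (read) peer=unconfined,` would bound it, and otherwise a comment stating why the unrestricted rule is needed would help the next reviewer. The same 14-line child profile is added verbatim to the ubuntu-advantage profile in this commit, which in the same change drops its `rPx -> child-systemctl` transition; a shared abstraction or the existing child profile would keep the two copies from drifting. `/dev/kmsg w,` also deserves a one-line why-comment. The apt profile starts above the first hunk.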


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -27,70 +28,64 @@ profile apt-methods-gpgv @{exec_path} {
@{exec_path} mr,
# The following get "no new privs" so "rix" them
/{usr/,}bin/apt-key rix,
/{usr/,}bin/apt-config rix,
/{usr/,}bin/apt-key rix,
/{usr/,}bin/dpkg rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gpg-connect-agent rix,
/{usr/,}bin/gpgconf rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gpgv rix,
/{usr/,}bin/head rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/base64 rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/base64 rix,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/usr/share/keyrings/ r,
/usr/share/keyrings/*.{gpg,asc} r,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/keyrings/ r,
/etc/apt/keyrings/*.{gpg,asc} r,
/etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/dpkg/dpkg.cfg r,
/etc/dpkg/dpkg.cfg.d/{,*} r,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
/var/lib/apt/lists/{,**} r,
/var/lib/dpkg/arch r,
/var/lib/extrepo/keys/*.{gpg,asc} r,
/var/lib/ubuntu-advantage/apt-esm/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/apt/trusted.gpg r,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt.{conf,sig,data}.* rw,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/arch r,
@{PROC}/@{pid}/fd/ r,
# Local keyring storage
/etc/apt/keyrings/ r,
/etc/apt/keyrings/*.{gpg,asc} r,
/usr/share/keyrings/ r,
/usr/share/keyrings/*.{gpg,asc} r,
# Extrepo keyring storage
/var/lib/extrepo/keys/*.{gpg,asc} r,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,


@ -17,19 +17,20 @@ profile apt-methods-http @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal (receive) peer=unattended-upgrade,
signal (receive) peer=update-manager,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal (receive) peer=ubuntu-advantage,
signal (receive) peer=unattended-upgrade,
signal (receive) peer=update-manager,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
@ -47,17 +48,20 @@ profile apt-methods-http @{exec_path} {
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/log/cron-apt/temp w,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
# For the aptitude interactive mode
/tmp/ r,
owner /tmp/aptitude-root.*/aptitude-download-* rw,
owner /tmp/apt-changelog-*/*.changelog rw,
@{run}/resolvconf/resolv.conf r,
@ -65,12 +69,7 @@ profile apt-methods-http @{exec_path} {
@{PROC}/1/cgroup r,
@{PROC}/@{pid}/cgroup r,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-http>
}
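Review bot: The new `signal (receive) peer=ubuntu-advantage,` accepts every signal from ubuntu-advantage, while the sending side added in this commit is limited to `signal (send) set=int peer=apt-methods-http,`; narrowing the receive rule to `signal (receive) set=int peer=ubuntu-advantage,` keeps both ends in agreement and denies anything beyond the interrupt that is actually sent. The profile starts above the first hunk.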


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -17,18 +18,10 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/perl r,
/etc/dpkg/origins/debian r,
# For package building
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
/var/lib/dpkg/status r,
/usr/share/lto-disabled-list/lto-disabled-list r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
owner @{user_config_dirs}/dpkg/buildflags.conf r,
/usr/local/bin/ r,
/usr/local/sbin/ r,
/usr/local/lib/ r,
@ -36,5 +29,14 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
/usr/local/include/ r,
/usr/local/etc/ r,
/etc/dpkg/origins/* r,
/var/lib/dpkg/status r,
owner @{user_config_dirs}/dpkg/buildflags.conf r,
# For package building
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
include if exists <local/dpkg-genbuildinfo>
}


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{chromium_name} = chrome{,-beta,-unstable}
@{chromium_name} = chrome{,-beta,-stable,-unstable}
@{chromium_domain} = com.google.Chrome
@{chromium_lib_dirs} = /opt/google/@{chromium_name}
@{chromium_config_dirs} = @{user_config_dirs}/google-@{chromium_name}
@ -22,7 +22,7 @@ profile chrome @{exec_path} {
/{usr/,}bin/man rPUx, # For "chrome --help"
@{chromium_lib_dirs}/google-chrome{,-beta,-unstable} rPx,
@{chromium_lib_dirs}/google-@{chromium_name} rPx,
@{chromium_lib_dirs}/nacl_helper rix,
@{chromium_lib_dirs}/xdg-mime rix, #-> xdg-mime,


@ -66,8 +66,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{system_share_dirs}/dbus-1/services/{,**} r,
# Extra rules for Snap
/var/lib/snapd/dbus-1/services/ r,
/var/lib/snapd/dbus-1/system-services/ r,
/var/lib/snapd/dbus-1/services/{,**} r,
/var/lib/snapd/dbus-1/system-services/{,**} r,
owner @{user_share_dirs}/dbus-1/{,**} r,
@{user_share_dirs}/icc/{,edid-*} r,


@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
peer=(name=org.freedesktop.DBus), # all peer's labels
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
interface=org.freedesktop.{DBus.Properties,portal.Settings}
member={ReadAll,GetAll}
peer=(name=:*, label=snap.snapd-desktop-integration.snapd-desktop-integration),


@ -33,6 +33,9 @@ profile gnome-terminal-server @{exec_path} {
/{usr/,}bin/micro rPUx,
/{usr/,}bin/nvtop rPx,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icu/{,**} r,
/usr/share/X11/xkb/{,**} r,


@ -18,5 +18,9 @@ profile sftp-server @{exec_path} {
@{exec_path} mr,
# For scp
owner @{user_download_dirs}/{,**} rwl,
owner @{user_sync_dirs}/{,**} rwl,
include if exists <local/sftp-server>
}


@ -22,7 +22,10 @@ profile ssh @{exec_path} {
network inet6 dgram,
network netlink raw,
@{exec_path} mr,
@{exec_path} mrix,
/{usr/,}bin/{,b,d,rb}ash rix,
/{usr/,}bin/{c,k,tc,z}sh rix,
owner @{PROC}/@{pid}/fd/ r,
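Review bot: Changing `@{exec_path}` to `mrix` and adding `rix` for bash, dash, zsh, csh, ksh and tcsh means every command ssh is told to run — ProxyCommand, LocalCommand, Match exec, whether from the command line or a user's `~/.ssh/config` — now executes inside the ssh profile with everything it grants. A comment naming the intended use (presumably ProxyCommand/ProxyJump, where ssh re-executes itself through a shell) would document that choice; if only a small set of helpers is expected, a child profile, as the apt hunk in this commit does for systemctl, would bound what the shell can reach. The profile continues outside the hunk.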


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/openssh/agent-launch
profile ssh-agent-launch @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,z,ba,da}sh rix,
include if exists <local/ssh-agent-launch>
}
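Review bot: The new profile allows the shell interpreters but has no exec rule for ssh-agent itself, which agent-launch presumably exists to start; under this profile that exec would be denied unless `<local/ssh-agent-launch>` supplies it. If the script does exec the agent, the transition belongs here (for example `/{usr/,}bin/ssh-agent rPx,` if an ssh-agent profile exists, otherwise the appropriate mode with a comment), and a one-line comment on what `/{usr/,}bin/{,z,ba,da}sh rix,` covers (the script's own interpreter, presumably) would complete the picture.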


@ -22,5 +22,8 @@ profile ssh-keygen @{exec_path} {
owner @{HOME}/@{XDG_SSH_DIR}/ w,
owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,
/dev/tty[0-9]* rw,
/dev/ttyS[0-9]* rw,
include if exists <local/ssh-keygen>
}


@ -66,23 +66,27 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/passwd rPx,
/{usr/,}lib/openssh/sftp-server rPx,
/etc/legal r,
/etc/shells r,
/etc/default/locale r,
@{etc_ro}/environment r,
/etc/gss/mech.d/{,*} r,
/etc/issue.net r,
/etc/motd r,
@{etc_rw}/motd r,
@{etc_ro}/security/limits.d/{,*.conf} r,
@{etc_ro}/ssh/sshd_config r,
@{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/ssh/ssh_host_* r,
/var/lib/extrausers/shadow r,
# For scp
owner @{user_download_dirs}/{,**} rwl,
owner @{user_sync_dirs}/{,**} rwl,
owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
owner @{user_cache_dirs}/{,motd*} rw,
@{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/motd.d/{,*} r,
@ -108,6 +112,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/uid_map r,
/dev/ptmx rw,
/dev/tty[0-9]* rw,
/dev/ttyS[0-9]* rw,
include if exists <local/sshd>
}
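Review bot: The context line `@{run}/faillock/[a-zA-z0-9]* rwk,` in the first hunk has a lowercase `z` closing the range, so `A-z` also matches `[`, `\`, `]`, `^`, `_` and backtick; it should read `@{run}/faillock/[a-zA-Z0-9]* rwk,`. The new `/var/lib/extrausers/shadow r,` gives the daemon read access to a second shadow database and merits a one-line comment recording the setup it supports, since a reader cannot tell from the rule whether sshd or a PAM module consumes it. The profile starts above the first hunk.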


@ -9,6 +9,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/hostnamectl
profile hostnamectl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>
capability net_admin,
dbus send bus=system path=/org/freedesktop/
interface=org.freedesktop.hostname1
member=Set*Hostname
peer=(name=org.freedesktop.hostname1),
@{exec_path} mr,
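Review bot: The new `dbus send` rule uses `path=/org/freedesktop/`, but the object hostnamectl talks to is `/org/freedesktop/hostname1` — the matching receive rule added to systemd-hostnamed in this same commit (`dbus receive bus=system path=/org/freedesktop/hostname1 … peer=(name=:*, label=hostnamectl)`) uses that path, and d-bus paths in AppArmor rules are matched as globs with no implicit prefix match, so this send rule is unlikely to match and the call would be denied. Change it to `dbus send bus=system path=/org/freedesktop/hostname1`. `capability net_admin,` also merits a why-comment, since the hostname is set by systemd-hostnamed over d-bus rather than by hostnamectl directly. The profile continues outside the hunk.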


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-cryptsetup
profile systemd-cryptsetup @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
include <abstractions/disks-write>
include <abstractions/openssl>
capability ipc_lock,
capability net_admin,
capability sys_admin,
@{exec_path} mr,
/etc/fstab r,
@{run}/ r,
@{run}/cryptsetup/ r,
@{run}/cryptsetup/* rwk,
@{run}/systemd/ask-password/* rw,
@{sys}/devices/virtual/bdi/*/read_ahead_kb r,
@{sys}/fs/ r,
@{PROC}/devices r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/systemd-cryptsetup>
}
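Review bot: The three capabilities in the new profile carry no explanation; `ipc_lock` (presumably mlock of key material), `sys_admin` and `net_admin` are each worth a one-line why-comment in the style the groupadd profile used before this commit. There is also no rule for reading key files: the profile covers password prompts through `@{run}/systemd/ask-password/* rw,` only, so if keyfile-based unlocking is used a read rule for the key file location (systemd's default lookup directory is `/etc/cryptsetup-keys.d/`) would be needed.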


@ -22,6 +22,8 @@ profile systemd-environment-d-generator @{exec_path} {
@{etc_ro}/environment r,
@{etc_ro}/environment.d/{,**} r,
/snap/snapd/[0-9]*/usr/lib/environment.d/{,*.conf} r,
owner @{user_config_dirs}/environment.d/{,*.conf} r,
/dev/tty rw,


@ -0,0 +1,84 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-homed
profile systemd-homed @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/systemd-common>
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setfcap,
capability setgid,
capability setpcap,
capability setuid,
capability sys_admin,
capability sys_resource,
network inet dgram,
network inet6 dgram,
network inet raw,
network inet6 raw,
network netlink raw,
mount options=(rw, rslave) -> @{run}/,
mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,
dbus bind bus=system name=org.freedesktop.home1,
@{exec_path} mr,
/{usr/,}lib/systemd/systemd-homework rPx,
/{usr/,}{s,}bin/mkfs.btrfs rPx,
/{usr/,}{s,}bin/mkfs.fat rPx,
/{usr/,}{s,}bin/mke2fs rPx,
/etc/machine-id r,
/etc/systemd/homed.conf r,
/etc/skel/{,**} r,
/var/lib/systemd/home/{,**} rw,
/ r,
@{HOMEDIRS}/ r,
@{HOMEDIRS}/* rw,
@{HOMEDIRS}/*.homedir/ rw,
@{run}/ r,
@{run}/cryptsetup/{,*} rwk,
@{run}/systemd/home/{,**} rw,
@{run}/systemd/userdb/io.systemd.home r,
@{run}/systemd/user-home-mount/{,**} rw,
@{sys}/bus/ r,
@{sys}/fs/ r,
@{sys}/class/ r,
@{sys}/kernel/uevent_seqnum r,
@{sys}/devices/**/read_ahead_kb r,
@{PROC}/devices r,
@{PROC}/sysvipc/{shm,sem,msg} r,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/uid_map w,
/dev/loop-control rwk,
/dev/loop[0-9]* rw,
/dev/mapper/control rw,
/dev/mqueue/ r,
/dev/shm/ r,
include if exists <local/systemd-homed>
}
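Review bot: `mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,` in the new profile places no `fstype=` limit on the mount, although the profile already restricts the filesystems homed can create through the three mkfs rules (`mke2fs`, `mkfs.btrfs`, `mkfs.fat`); something like `mount fstype=(ext4,btrfs,vfat) /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,` — adjusted if mke2fs is also used for ext2/ext3 — would bound it to the same set. `@{HOMEDIRS}/* rw,` and the eleven capabilities would also benefit from why-comments; `setfcap`, `setpcap` and the `uid_map`/`gid_map` writes in particular are not self-explanatory.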


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-homework
profile systemd-homework @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
@{exec_path} mr,
/etc/machine-id r,
@{run}/systemd/userdb/ r,
include if exists <local/systemd-homework>
}
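Review bot: The new systemd-homework profile grants only `@{exec_path} mr`, `/etc/machine-id r` and `@{run}/systemd/userdb/ r`, yet systemd-homed hands the actual disk work (LUKS setup, filesystem creation, mounting) to this helper — the homed profile in this commit transitions to it with `rPx`, so none of homed's disk, mount or capability rules carry over. If that is right, this profile will block the first home-area creation or activation; either the corresponding rules belong here, or a comment should state why the profile is deliberately minimal.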


@ -25,19 +25,24 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
member=CheckAuthorization
peer=(name=org.freedesktop.PolicyKit1),
dbus receive bus=system path=/org/freedesktop/hostname[0-9]
dbus receive bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.{DBus.Properties,hostname1}
member={Get,GetAll,SetHostname}
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.hostname1
member=Set*Hostname
peer=(name=:*, label=hostnamectl),
dbus bind bus=system
name=org.freedesktop.hostname[0-9],
@{exec_path} mr,
/etc/.#hostname* rw,
@{etc_rw}/.#hostname* rw,
@{etc_rw}/hostname rw,
/etc/.#machine-info?????? rw,
/etc/hostname rw,
/etc/machine-info rw,
@{run}/systemd/default-hostname rw,


@ -65,6 +65,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
/etc/machine-id r,
/etc/systemd/logind.conf r,
/etc/systemd/sleep.conf r,
/etc/systemd/logind.conf.d/{,**} r,
/swapfile r,
/boot/{,**} r,


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sulogin-shell
profile systemd-sulogin-shell @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
capability net_admin,
capability sys_resource,
@{exec_path} mr,
/{usr/,}{s,}bin/sulogin rPx,
include if exists <local/systemd-sulogin-shell>
}


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/lib/systemd/user-generators/systemd-xdg-autostart-generator
profile systemd-user-generators-autostart @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/xdg/autostart/*.desktop r,
owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/systemd-user-generators-autostart>
}
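Review bot: The new profile reads only `/etc/xdg/autostart/*.desktop`, but the XDG autostart generator also scans the per-user autostart directory (`$XDG_CONFIG_HOME/autostart`); without `owner @{user_config_dirs}/autostart/*.desktop r,` user-installed autostart entries would be silently skipped. A one-line comment on the `generator.late` write rule (the unit files the generator emits) would also help a reader.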


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator
profile systemd-user-generators-environment @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/environment.d/{,**} r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/systemd-user-generators-environment>
}
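Review bot: The new profile reads `/etc/environment.d/{,**}` only, while the system-level `systemd-environment-d-generator` hunk in this commit adds `owner @{user_config_dirs}/environment.d/{,*.conf} r,` next to `@{etc_ro}/environment r,`; this path appears to be the per-user instance of the same generator, so as written a user's own `~/.config/environment.d/*.conf` cannot be read. Consider adding `owner @{user_config_dirs}/environment.d/{,*.conf} r,` and, if the binary reads it, `@{etc_ro}/environment r,` to keep the two profiles consistent.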


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/lib/systemd/user-environment-generators/60-flatpak
profile systemd-user-generators-flatpak @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/systemd-user-generators-flatpak>
}


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-userdbd
profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
capability dac_read_search,
capability sys_resource,
network inet dgram,
network inet6 dgram,
network inet raw,
network inet6 raw,
network netlink raw,
@{exec_path} mr,
/{usr/,}lib/systemd/systemd-userwork rPx,
/etc/shadow r,
/etc/machine-id r,
@{run}/systemd/userdb/{,**} rw,
include if exists <local/systemd-userdbd>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-userwork
profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
@{exec_path} mr,
/etc/machine-id r,
@{run}/systemd/userdb/ r,
include if exists <local/systemd-userwork>
}


@ -9,13 +9,20 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook
profile apt-esm-json-hook @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/consoles>
unix (receive, send) type=stream peer=(label=apt),
@{exec_path} mr,
/{usr/,}bin/dpkg rPx,
/var/lib/ubuntu-advantage/{,**} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-esm-json-hook>
}


@ -15,6 +15,7 @@ profile notify-reboot-required @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/snap rPx,
/usr/share/update-notifier/notify-reboot-required r,


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/update-notifier/notify-updates-outdated
profile notify-updates-outdated @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gettext rix,
include if exists <local/notify-updates-outdated>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pro
profile pro @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/python>
@{exec_path} mr,
include if exists <local/pro>
}
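Review bot: The new `pro` profile confines `/{usr/,}bin/pro` with nothing beyond the base, apt-common and python abstractions, although `pro` is the current name of the ubuntu-advantage CLI whose profile in this same commit needs network access, setuid/setgid, apt and dpkg transitions and writes under `/etc/apt/`; if the two paths are the same program, running it as `pro` will be denied almost everything. Either attach both paths to one profile (e.g. `@{exec_path} = /{usr/,}bin/{pro,ubuntu-advantage}` in the ubuntu-advantage profile) or state in a comment why `pro` is intentionally minimal.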


@ -65,6 +65,7 @@ profile software-properties-gtk @{exec_path} {
/var/crash/*software-properties-gtk.@{uid}.crash rw,
/var/lib/snapd/desktop/icons/ r,
/var/lib/ubuntu-advantage/status.json r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,


@ -0,0 +1,117 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/subiquity/console-conf-wrapper
profile subiquity-console-conf @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/openssl>
capability chown,
capability fsetid,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/{,da,ba}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/tty rix,
/{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, # TODO: rCx,
/{usr/,}{,s}bin/sshd rPx,
/{usr/,}bin/journalctl rCx -> journalctl,
/{usr/,}bin/ssh-keygen rPx,
/usr/lib/snapd/snap-recovery-chooser rPUx,
/usr/share/netplan/netplan.script rPUx, # TODO: rPx,
/usr/share/subiquity/{,**} r,
/usr/share/subiquity/console-conf-tui rix,
/usr/share/subiquity/console-conf-write-login-details rix,
/var/lib/extrausers/shadow r,
/var/lib/console-conf/{,**} rw,
/var/log/console-conf/{,**} rw,
@{run}/console-conf/{,**} rw,
@{run}/snapd-recovery-chooser-triggered r,
@{run}/snapd.socket rw,
@{run}/udev/data/+acpi:* r,
@{run}/udev/data/+dmi* r,
@{run}/udev/data/+drm* r,
@{run}/udev/data/+input* r, # For mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci* r,
@{run}/udev/data/+platform* r,
@{run}/udev/data/+sound:card* r, # For sound
@{run}/udev/data/c1:[0-9]* r, # For RAM disk
@{run}/udev/data/c4:[0-9]* r, # For TTY devices
@{run}/udev/data/c5:[0-9]* r, # For /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c7:[0-9]* r, # For Virtual console capture devices
@{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features
@{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
@{run}/udev/data/c89:[0-9]* r, # For I2C bus interface
@{run}/udev/data/c108:[0-9]* r, # For /dev/ppp
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card*
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:[0-9]* r,
@{run}/udev/data/c25[0-4]:[0-9]* r,
@{run}/udev/data/n[0-9]* r,
@{sys}/**/devices/ r,
@{sys}/*/*/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
@{sys}/devices/virtual/net/{,**} r,
@{PROC}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
/dev/tty[0-9]* rw,
/dev/ttyS[0-9]* rw,
profile journalctl {
include <abstractions/base>
/{usr/,}bin/journalctl mr,
@{run}/log/ rw,
/{run,var}/log/journal/ rw,
/{run,var}/log/journal/@{hex}/ rw,
/{run,var}/log/journal/@{hex}/system.journal* rw,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
owner @{PROC}/@{pid}/stat r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
}
include if exists <local/subiquity-console-conf>
}
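Review bot: The `journalctl` child profile at the end of the new file opens the journal files with `rw` (`/{run,var}/log/journal/@{hex}/system.journal* rw,` and the three rules around it), but journalctl only reads them unless it is used for vacuuming; the aa-log profile elsewhere in this commit uses `r` for the same paths. Using `r` here keeps a confined console-conf from modifying or truncating the system log. `/var/lib/extrausers/shadow r,` in the parent profile also merits a why-comment (presumably `console-conf-write-login-details` provisioning the first user).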


@ -10,10 +10,15 @@ include <tunables/global>
profile ubuntu-advantage @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs>
include <abstractions/openssl>
capability dac_read_search,
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
@ -21,30 +26,69 @@ profile ubuntu-advantage @{exec_path} {
network inet6 dgram,
network netlink raw,
signal (send) set=int peer=apt-methods-http,
@{exec_path} mr,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/apt rPx,
/{usr/,}bin/apt-cache rPx,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/apt-get rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemctl rCx -> systemctl,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/ubuntu-distro-info rPx,
/{usr/,}lib/apt/apt-helper rix,
/{usr/,}lib/apt/methods/http{,s} rPx,
/{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx,
/{usr/,}bin/systemd-detect-virt rPx,
/etc/apt/auth.conf.d/{,**} rw,
/etc/apt/trusted.gpg.d/{,**} rw,
/etc/apt/sources.list.d/{,**} rw,
/etc/ubuntu-advantage/{,**} r,
/var/lib/ubuntu-advantage/{,**} r,
/var/lib/ubuntu-advantage/{,**} rw,
/etc/machine-id r,
owner /tmp/tmp[0-9a-z]*/apt.conf r,
owner /tmp/[0-9a-z]*{,/} rw,
owner /tmp/[0-9a-z]*/apt-helper-output rw,
@{run}/ubuntu-advantage/{,**} rw,
@{PROC}/version_signature r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
profile systemctl {
include <abstractions/base>
capability sys_resource,
ptrace (read),
/{usr/,}bin/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/* rw,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,
/dev/kmsg w,
}
include if exists <local/ubuntu-advantage>
}
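Review bot: `owner /tmp/[0-9a-z]*{,/} rw,` together with `owner /tmp/[0-9a-z]*/apt-helper-output rw,` grants read/write to any root-owned file or directory directly under /tmp whose name is lowercase alphanumeric, which is most of /tmp; the neighbouring `owner /tmp/tmp[0-9a-z]*/apt.conf r,` shows the `tmp` prefix Python's tempfile module uses, so if the apt-helper directory comes from the same API, `owner /tmp/tmp[0-9a-z]*/{,apt-helper-output} rw,` would be a much narrower match — worth checking against the denial that motivated the rule. The `rw` rules on `/etc/apt/trusted.gpg.d/`, `/etc/apt/sources.list.d/` and `/etc/apt/auth.conf.d/` deserve a comment stating that enabling ESM repositories writes there, since they let this profile alter the system's trusted keys and package sources. The 14-line `systemctl` child profile is identical to the one added to apt in this commit. The profile starts above the first hunk.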


@ -19,7 +19,7 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected)
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Service/*}
dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Services/*}
interface=org.freedesktop.DBus.Introspectable
member=Introspect,


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ubuntu-distro-info
profile ubuntu-distro-info @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/usr/share/distro-info/*.csv r,
include if exists <local/ubuntu-distro-info>
}


@ -22,8 +22,8 @@ profile aa-log @{exec_path} {
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r,
/{run,var}/log/journal/@{hex}/user-@{uid}.journal r,
/{run,var}/log/journal/@{hex}/system*.journal r,
/{run,var}/log/journal/@{hex}/user*.journal r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,


@ -23,14 +23,17 @@ profile agetty @{exec_path} {
/{usr/,}bin/login rPx,
/{etc,run,lib,usr/lib}/issue r,
/{etc,run,lib,usr/lib}/issue.d/{,*} r,
/{,usr/}lib/os-release r,
/etc/inittab r,
/etc/os-release r,
/usr/share/subiquity/console-conf-wrapper rPx, # only:core22
@{etc_rw}/issue r,
/{,usr/}lib/os-release r,
/{etc,run,lib,usr/lib}/issue r,
/{etc,run,lib,usr/lib}/issue.d/{,*} r,
/etc/inittab r,
/etc/os-release r,
owner @{run}/agetty.reload rw,
@{run}/resolvconf/resolv.conf r,
owner @{run}/agetty.reload rw,
/dev/tty[0-9]* rw,
owner /dev/ttyGS[0-9]* rw,


@ -24,10 +24,11 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
/usr/share/apparmor/{,**} r,
owner /snap/core[0-9]*/[0-9]*/etc/apparmor.d/{,**} r,
owner /snap/core[0-9]*/[0-9]*/etc/apparmor/* r,
owner /var/cache/apparmor/{,**} rw,
owner /var/lib/docker/tmp/docker-default[0-9]* r,
owner /var/lib/snapd/apparmor/{,**} r,
owner /var/snap/lxd/common/lxd/security/apparmor/{,**} r,
owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
owner /tmp/cri-containerd.apparmor.d[0-9]* r,
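Review bot: Widening `owner /var/snap/lxd/common/lxd/security/apparmor/{,**}` from `r` to `rw` gives the parser write access to LXD's profile sources as well as to its cache, while the parser only needs to write cache files. If the observed denial was under the `cache/` subdirectory, `owner /var/snap/lxd/common/lxd/security/apparmor/cache/{,**} rw,` alongside the original `r` rule would follow the same read-sources/write-cache split the `owner /var/cache/apparmor/{,**} rw,` rule above already applies to the system cache. The profile starts and ends outside the hunk.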


@ -19,7 +19,8 @@ profile fsck @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/e2fsck rPx,
/{usr/,}{s,}bin/fsck.* rPx,
/{usr/,}sbin/fsck.* rPx,
/{usr/,}bin/fsck.* rPx,
/etc/fstab r,


@ -10,7 +10,7 @@ include <tunables/global>
profile fsck-ext4 @{exec_path} {
include <abstractions/base>
@{exec_path} r,
@{exec_path} rm,
/{usr/,}bin/{,ba,da}sh rix,


@ -58,7 +58,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
dbus receive bus=system path=/
interface=org.freedesktop.DBus.Properties
member=GetAll,
member={GetAll,SetHints,GetPlugins,GetRemotes}
peer=(name=:*, label=fwupdmgr),
dbus bind bus=system
name=org.freedesktop.fwupd,
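Review bot: The widened `member={GetAll,SetHints,GetPlugins,GetRemotes}` sits under `interface=org.freedesktop.DBus.Properties`, but SetHints, GetPlugins and GetRemotes look like methods of the `org.freedesktop.fwupd` interface rather than of Properties, so the rule as written would not match those calls. Either use the interface brace pattern this commit applies elsewhere, `interface=org.freedesktop.{DBus.Properties,fwupd}`, or add a second `dbus receive` rule for `org.freedesktop.fwupd` with those three members, keeping `peer=(name=:*, label=fwupdmgr)` on both. The profile starts and ends outside the hunk.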


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -12,10 +13,7 @@ profile groupadd @{exec_path} {
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown,
capability fsetid,
@ -27,8 +25,8 @@ profile groupadd @{exec_path} {
/etc/login.defs r,
/etc/{group,gshadow} rw,
/etc/{group,gshadow}.@{pid} w,
/etc/{group,gshadow}- w,
/etc/{group,gshadow}.@{pid} w,
/etc/{group,gshadow}+ rw,
/etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
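Review bot: The second hunk drops the two why-comments (`# To write records to the kernel auditing log.` and `# To set the right permission to the files in the /etc/ dir.`) that explained the `audit_write` and `chown` capabilities; if the capabilities themselves stay, the comments should stay with them, as they are the only record of why a user-management tool needs these powers. The profile starts above the first hunk and ends outside the last.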


@ -24,9 +24,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/false rix,
/{usr/,}{s,}bin/sysctl rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/false rix,
/{usr/,}bin/id rix,
/{usr/,}bin/true rix,
/{usr/,}lib/modprobe.d/{,*.conf} r,


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021-203 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -32,5 +32,7 @@ profile mandb @{exec_path} flags=(complain) {
/usr/share/**/man/man[0-9]*/*.[0-9]*.gz r,
owner @{user_share_dirs}/man/** rwk,
include if exists <local/mandb>
}
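Review bot: The new copyright line in the first hunk reads `# Copyright (C) 2021-203 Alexandre Pujol <alexandre@pujol.io>`; the year range is truncated and should be `# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>`, matching the other headers updated in this commit. The `include if exists <local/mandb>` line added in the second hunk follows the repository's convention of a local include before the closing brace.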


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,7 +12,6 @@ profile nft @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# To be able to run the nft command.
capability net_admin,
network netlink raw,
@ -24,9 +24,9 @@ profile nft @{exec_path} {
owner /etc/nftables/**.nft r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/nft>
}
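Review bot: `@{PROC}/1/environ r,` in the second hunk grants nft read access to init's full environment, which is a noticeably broader read than the `@{PROC}/sys/kernel/*` and `@{PROC}/cmdline` entries around it and is not explained. If nft (or a library it uses) genuinely reads it — I cannot tell from the hunk which code path does — a why-comment such as `# TODO: confirm which nft code path reads PID 1's environment` would make the grant auditable; otherwise consider dropping it and re-checking the denial log. The profile body continues outside the hunks.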


@ -1,66 +1,53 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
# When any of the "*ns" parameters is used, the following error will be printed:
# "Failed name lookup - disconnected path" error=-13 profile="ps" name="".
@{exec_path} = /{usr/,}bin/ps
profile ps @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search,
capability sys_ptrace,
ptrace (read),
@{exec_path} mr,
# The "/proc/" dir is needed to avoid the following error:
# error: can not access /proc
# The "stat" file is needed to avoid the following error:
# Error, do this: mount -t proc proc /proc
# The "uptime" file is needed to avoid the following error:
# Error: /proc must be mounted
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/vm/min_free_kbytes r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
@{run}/systemd/sessions/* r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/devices/system/node/node[0-9]*/cpumap r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{PROC}/ r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/wchan r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/vm/min_free_kbytes r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
owner /dev/tty[0-9]* rw,
deny @{user_share_dirs}/gvfs-metadata/* r,


@ -12,10 +12,20 @@ profile snap @{exec_path} {
include <abstractions/consoles>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
capability sys_admin,
unix (send, receive) type=stream peer=(label=apt),
mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-[0-9]*/,
dbus (send, receive) bus=session path=/org/freedesktop/
interface=org.freedesktop.systemd1.Manager
member={StartTransientUnit,JobRemoved}
peer=(name=:*, label=unconfined),
dbus send bus=session path=/org/freedesktop/portal/documents
interface=org.freedesktop.portal.Documents
member=GetMountPoint
@ -23,6 +33,8 @@ profile snap @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/mount rix,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/snap/{,**} rw,
@ -34,27 +46,34 @@ profile snap @{exec_path} {
/var/lib/snapd/{,**} rwk,
/var/cache/snapd/commands.db rwk,
/var/cache/snapd/names r,
owner @{HOME}/snap/{,**} rw,
@{HOME}/snap/{,**} rw,
owner /tmp/snapd-auto-import-mount-[0-9]*/ rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
owner @{run}/user/@{uid}/systemd/notify rw,
@{run}/mount/utab r,
@{run}/snapd.socket rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/features/ r,
owner @{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/cgroups r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/version r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/cgroups r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/version r,
/dev/tty[0-9]* rw,
/dev/ttyS[0-9]* rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
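Review bot: In the third hunk `owner @{HOME}/snap/{,**} rw,` appears to become `@{HOME}/snap/{,**} rw,`, dropping the `owner` qualifier, so the snap client gains read/write access to every user's `~/snap` tree instead of only the invoking user's. If a specific case needs it (for example root running snap on behalf of another user), it should be a separately commented, narrower rule; otherwise keep `owner`. In the first hunk, `path=/org/freedesktop/` on the `org.freedesktop.systemd1.Manager` rule looks like it should be the manager object path `/org/freedesktop/systemd1`; as written the rule most likely never matches. The profile body continues outside the hunks.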


@ -11,6 +11,7 @@ profile snap-device-helper @{exec_path} {
include <abstractions/base>
capability bpf,
capability dac_read_search,
capability setgid,
capability sys_resource,
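Review bot: `capability dac_read_search,` is added without any indication of what path the helper needs it for; since it bypasses read and directory-search permission checks everywhere, a one-line comment naming the access that triggered it (`# To read <path> — TODO confirm from the denial log`) would let a later reviewer judge whether it is still required. The profile body continues outside the hunk.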


@ -11,6 +11,11 @@ profile snap-discard-ns @{exec_path} {
include <abstractions/base>
capability setgid,
capability sys_admin,
network netlink raw,
umount @{run}/snapd/ns/*.mnt,
@{exec_path} mr,


@ -14,10 +14,14 @@ profile snap-update-ns @{exec_path} {
capability sys_admin,
capability sys_chroot,
network netlink raw,
mount -> /snap/**/,
mount -> /usr/**/,
mount /snap/**/ -> /tmp/.snap/**,
mount -> /var/lib/dhcp/,
mount /snap/**/ -> /tmp/.snap/**,
umount /snap/**/,
umount /var/lib/dhcp/,
@{exec_path} mr,
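Review bot: `mount -> /var/lib/dhcp/,` and `umount /var/lib/dhcp/,` carry no source, fstype or options constraint, so anything may be mounted over that directory; that matches the style of the existing `/snap/**/` and `/usr/**/` rules, but `/var/lib/dhcp/` is a specific target and a comment naming the snap layout that requires it (`# only:<snap-name> layout — TODO confirm`) would make the rule auditable later. The profile body continues outside the hunk.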


@ -38,7 +38,7 @@ profile snapd @{exec_path} {
mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/,
umount /tmp/syscheck-mountpoint-[0-9]*/,
umount /snap/*/[0-9]*/,
umount /snap/*/*/,
ptrace (read) peer=snap,
ptrace (read) peer=unconfined,
@ -55,6 +55,13 @@ profile snapd @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/adduser rPx,
/{usr/,}{s,}bin/groupadd rPx,
/{usr/,}{s,}bin/useradd rPx,
/{usr/,}bin/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
/{usr/,}bin/hostnamectl rPx,
/{usr/,}bin/ssh-keygen rPx,
/{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}{s,}bin/runuser rCx -> runuser,
/{usr/,}bin/{,ba,da}sh rix,
@ -82,13 +89,14 @@ profile snapd @{exec_path} {
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx,
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix,
/usr/share/bash-completion/completions/{,**} r,
/usr/share/bash-completion/{,**} r,
/usr/share/dbus-1/{system,session}.d/{,snapd*} r,
/usr/share/dbus-1/services/*snap* r,
/usr/share/polkit-1/actions/{,**/} r,
/etc/apparmor.d/*snapd.snap* r,
/etc/dbus-1/system.d/{,**/} r,
/etc/environment r,
/etc/fstab r,
/etc/mime.types r,
/etc/modprobe.d/{,**/} r,
@ -113,19 +121,26 @@ profile snapd @{exec_path} {
/tmp/syscheck-squashfs-[0-9]* rw,
/tmp/read-file[0-9]*/{,**} rw,
/boot/ r,
/boot/grub/grubenv r,
/ r,
/home/ r,
@{HOME}/ r,
@{HOME}/snap/{,**} rw,
@{HOME}/.snap*/{,**} rw,
owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw,
owner @{run}/mount/utab.lock wk,
@{run}/user/ r,
@{run}/user/@{uid}/ r,
@{run}/user/@{uid}/snapd-session-agent.socket rw,
@{run}/user/snap.*/{,**} rw,
@{run}/mnt/ubuntu-seed/EFI/ubuntu/grubenv r, # only:core
@{run}/snapd*.socket rw,
@{run}/snapd/{,**} rw,
@{run}/snapd/lock/*.lock rwk,
@ -140,6 +155,7 @@ profile snapd @{exec_path} {
@{sys}/kernel/security/apparmor/features/ r,
@{sys}/kernel/security/apparmor/profiles r,
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
@{PROC}/@{pids}/cgroup r,
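Review bot: The trailing comment on the new cloud-init rule in the second hunk misspells Ubuntu (`ubtuntu`); since `rPUx` lets cloud-init run unconfined wherever no cloud-init profile is loaded — which is exactly the gap the TODO records — the comment should read `/{usr/,}bin/cloud-init rPUx, # TODO: rPx ? limited to Ubuntu Core, otherwise out of scope`. In the last hunk the `# only:core` marker on the grubenv rule is a helpful convention; if `/boot/ r,` and `/boot/grub/grubenv r,` in the fourth hunk are also Ubuntu Core-only they would benefit from the same marker. The profile body continues outside the hunks.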


@ -44,15 +44,19 @@ profile sudo @{exec_path} {
member=CreateSession
peer=(name=org.freedesktop.login[0-9]),
dbus (send receive) bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd.Manager
member={JobRemoved,StartTransientUnit},
@{exec_path} mr,
/run/ r,
@{libexec}/sudo/** mr,
@{libexec}/sudo/** mr,
/{usr/,}bin/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx,
/{usr/,}lib/cockpit/cockpit-askpass rPx,
/{usr/,}lib/molly-guard/molly-guard rPx,
/snap/snapd/[0-9]*/usr/bin/snap rPx,
/{usr/,}bin/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx,
/{usr/,}lib/cockpit/cockpit-askpass rPx,
/{usr/,}lib/molly-guard/molly-guard rPx,
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r,
@ -63,6 +67,7 @@ profile sudo @{exec_path} {
/etc/sudoers.d/{,*} r,
/var/db/sudo/lectured/ r,
/var/lib/extrausers/shadow r,
/var/lib/sudo/lectured/ r,
/var/lib/sudo/ts/ rw,
/var/lib/sudo/ts/* rwk,
@ -72,6 +77,7 @@ profile sudo @{exec_path} {
owner @{HOME}/.sudo_as_admin_successful rw,
owner @{HOME}/.xsession-errors w,
@{run}/ r,
@{run}/faillock/{,*} rwk,
@{run}/resolvconf/resolv.conf r,
owner @{run}/sudo/ rw,
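Review bot: `interface=org.freedesktop.systemd.Manager` in the new dbus rule of the first hunk looks like a typo for `org.freedesktop.systemd1.Manager`, the name the snap profile in this same commit uses; as written the rule would not match, and the `StartTransientUnit`/`JobRemoved` traffic it is meant to allow would still be denied. The rule also has no `peer=` restriction, unlike the snap profile's equivalent (`peer=(name=:*, label=unconfined)`), so consider adding one to keep the grant narrow. The profile body continues outside the hunks.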


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -12,25 +13,12 @@ profile useradd @{exec_path} {
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# To create a user home dir and give it proper permissions:
# mkdir("/home/user", 000) = 0
# chown("/home/user", 0, 0) = 0
# chmod("/home/user", 0755) = 0
# chown("/home/user/", 1001, 1001) = 0
# chmod("/home/user/", 0755) = 0
capability chown,
capability fowner,
# To set the set-group-ID bit for the user home dir.
capability fsetid,
# To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
# owner.
capability dac_read_search,
capability dac_override,
# To write records to the kernel auditing log.
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
network netlink raw,
@ -40,21 +28,20 @@ profile useradd @{exec_path} {
/{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2,
/etc/default/useradd r,
/etc/login.defs r,
/etc/default/useradd r,
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid},
/etc/subuid.lock wl -> /etc/subuid.@{pid},
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/subgid.lock wl -> /etc/subgid.@{pid},
/etc/subuid.lock wl -> /etc/subuid.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database.
@ -69,7 +56,6 @@ profile useradd @{exec_path} {
/var/lib/*/{,*} rw,
/etc/skel/{,.*} r,
profile pam_tally2 {
include <abstractions/base>
include <abstractions/consoles>


@ -28,4 +28,7 @@
@{libexec}=/{usr/,}lib # Archlinux
@{libexec}=/{usr/,}libexec # Debian/Ubuntu
# Integration with Ubuntu Core
@{etc_rw}+=/etc/writable/
include if exists <tunables/extend.d>


@ -1,5 +1,5 @@
// aa-log - Review AppArmor generated messages
// Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
// Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
// SPDX-License-Identifier: GPL-2.0-only
package main
@ -20,6 +20,23 @@ import (
"strings"
)
const usage = `aa-log [-h] [--systemd] [--dbus] [--file file] [profile]
Review AppArmor generated messages in a colorful way. Supports logs from
auditd, systemd, syslog as well as dbus session events.
It can be given an optional profile name to filter the output with.
Default logs are read from '/var/log/audit/audit.log'. Other files in
'/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1'
Options:
-h, --help Show this help message and exit.
-f, --file FILE Set a logfile or a suffix to the default log file.
-s, --systemd Parse systemd logs from journalctl.
`
// Command line options
var (
help bool
@ -104,23 +121,21 @@ func getAuditLogs(path string) (io.Reader, error) {
}
// getJournalctlLogs return a reader with the logs entries from Systemd
func getJournalctlLogs(path string, user bool, useFile bool) (io.Reader, error) {
func getJournalctlLogs(path string, useFile bool) (io.Reader, error) {
var logs []SystemdLog
var stdout bytes.Buffer
var value string
if useFile {
// content, err := os.ReadFile(filepath.Clean(path))
content, err := ioutil.ReadFile(filepath.Clean(path))
if err != nil {
return nil, err
}
value = string(content)
} else {
mode := "--system"
if user {
mode = "--user"
}
cmd := exec.Command("journalctl", mode, "--boot", "--unit=dbus.service", "--output=json")
// journalctl -b -o json > systemd.log
cmd := exec.Command("journalctl", "--boot", "--output=json")
cmd.Stdout = &stdout
if err := cmd.Run(); err != nil {
return nil, err
@ -131,6 +146,7 @@ func getJournalctlLogs(path string, user bool, useFile bool) (io.Reader, error)
value = strings.Replace(value, "\n", ",\n", -1)
value = strings.TrimSuffix(value, ",\n")
value = `[` + value + `]`
// fmt.Printf("value: %v\n", value)
if err := json.Unmarshal([]byte(value), &logs); err != nil {
return nil, err
}
@ -189,7 +205,7 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
}
}
aa["profile"] = decodeHex(aa["profile"])
toDecode := []string{"profile", "name", "comm"}
toDecode := []string{"name", "comm"}
for _, name := range toDecode {
if value, ok := aa[name]; ok {
aa[name] = decodeHex(value)
@ -267,7 +283,7 @@ func aaLog(logger string, path string, profile string) error {
case "auditd":
file, err = getAuditLogs(path)
case "systemd":
file, err = getJournalctlLogs(path, true, path != LogFile)
file, err = getJournalctlLogs(path, path != LogFile)
default:
err = fmt.Errorf("Logger %s not supported.", logger)
}
@ -281,21 +297,18 @@ func aaLog(logger string, path string, profile string) error {
func init() {
flag.BoolVar(&help, "h", false, "Show this help message and exit.")
flag.StringVar(&path, "f", LogFile,
"Set a log`file` or a suffix to the default log file.")
flag.BoolVar(&systemd, "s", false, "Parse systemd dbus logs.")
flag.BoolVar(&help, "help", false, "Show this help message and exit.")
flag.StringVar(&path, "f", LogFile, "Set a logfile or a suffix to the default log file.")
flag.StringVar(&path, "file", LogFile, "Set a logfile or a suffix to the default log file.")
flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.")
flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.")
}
func main() {
flag.Usage = func() { fmt.Print(usage) }
flag.Parse()
if help {
fmt.Printf(`aa-log [-h] [-s] [-f file] [profile]
Review AppArmor generated messages in a colorful way.
It can be given an optional profile name to filter the output with.
`)
flag.PrintDefaults()
flag.Usage()
os.Exit(0)
}
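Review bot: The new `usage` constant advertises a `--dbus` option in its synopsis (`aa-log [-h] [--systemd] [--dbus] [--file file] [profile]`), but `init()` only registers `h`/`help`, `f`/`file` and `s`/`systemd`, and the `Options:` list under the synopsis does not mention `--dbus` either, so either drop `[--dbus]` from the synopsis or register the flag. Two commented-out lines are also left in `getJournalctlLogs`: `// content, err := os.ReadFile(filepath.Clean(path))` beside the `ioutil.ReadFile` call, and the debug leftover `// fmt.Printf("value: %v\n", value)`; remove them, and if the module targets Go 1.16 or later prefer `os.ReadFile` since `ioutil.ReadFile` is deprecated there. Keeping the `// journalctl -b -o json > systemd.log` hint is fine, as it documents how the test fixture is produced. The rest of `getJournalctlLogs` lies outside the hunks.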


@ -94,7 +94,7 @@ func TestAppArmorEvents(t *testing.T) {
},
},
{
name: "dbus system",
name: "dbus_system",
event: `type=USER_AVC msg=audit(1111111111.111:1111): pid=1780 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="send" name="org.freedesktop.PolicyKit1" pid=1794 label="snapd" peer_pid=1790 peer_label="polkitd" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"`,
want: AppArmorLogs{
{
@ -113,7 +113,7 @@ func TestAppArmorEvents(t *testing.T) {
},
},
{
name: "dbus session",
name: "dbus_session",
event: `apparmor="ALLOWED" operation="dbus_bind" bus="session" name="org.freedesktop.portal.Documents" mask="bind" pid=2174 label="xdg-document-portal"`,
want: AppArmorLogs{
{
@ -221,13 +221,11 @@ func Test_getJournalctlLogs(t *testing.T) {
tests := []struct {
name string
path string
user bool
useFile bool
want AppArmorLogs
}{
{
name: "gsd-xsettings",
user: true,
useFile: true,
path: "../../tests/systemd.log",
want: AppArmorLogs{
@ -255,7 +253,7 @@ func Test_getJournalctlLogs(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
reader, _ := getJournalctlLogs(tt.path, tt.user, tt.useFile)
reader, _ := getJournalctlLogs(tt.path, tt.useFile)
if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) {
t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want)
}


@ -18,7 +18,7 @@ cc-remote-login-helper complain
cfdisk complain
cgdisk complain
child-open complain
chronyd complain
chronyd attach_disconnected,complain
cockpit-askpass complain
cockpit-bridge complain
cockpit-certificate-ensure complain
@ -210,9 +210,12 @@ systemd-cat complain
systemd-cgls complain
systemd-cgtop complain
systemd-coredump attach_disconnected,complain
systemd-cryptsetup complain
systemd-dissect complain
systemd-environment-d-generator complain
systemd-escape complain
systemd-homed attach_disconnected,complain
systemd-homework complain
systemd-hostnamed attach_disconnected,complain
systemd-hwdb attach_disconnected,complain
systemd-id128 complain
@ -236,8 +239,13 @@ systemd-timedated attach_disconnected,complain
systemd-tty-ask-password-agent complain
systemd-update-done complain
systemd-update-utmp complain
systemd-user-generators-autostart complain
systemd-user-generators-environment complain
systemd-user-generators-flatpak complain
systemd-user-runtime-dir complain
systemd-user-sessions complain
systemd-userdbd attach_disconnected,complain
systemd-userwork complain
systemd-vconsole-setup complain
systemd-xdg-autostart-generator complain
tracker-extract complain
@ -262,3 +270,129 @@ xdg-permission-store attach_disconnected,complain
xdg-user-dirs-gtk-update complain
xdm-xsession complain
xorg attach_disconnected,complain
# Profiles not commited yet
glib-genmarshal complain
glib-gettextize complain
glib-mkenums complain
gnome-session-custom-session complain
gnome-session-inhibit complain
gnome-session-quit complain
gnome-shell-extension-prefs complain
gnome-shell-extension-tool complain
gnome-shell-hotplug-sniffer complain
gnome-shell-perf-helper complain
gnome-shell-perf-tool complain
gnome-shell-portal-helper complain
gnome-tweak-tool-lid-inhibitor complain
homectl complain
loginctl complain
machinectl complain
nfsdcld complain
oomctl complain
podman attach_disconnected,complain
prime-switch complain
qrencode complain
splunkforwarder complain
systemd-bless-boot complain
systemd-boot-check-no-failures complain
systemd-cgroups-agent
systemd-export complain
systemd-growfs complain
systemd-hibernate-resume complain
systemd-import complain
systemd-import-fs complain
systemd-importd complain
systemd-journal-gatewayd complain
systemd-journal-remote complain
systemd-journal-upload complain
systemd-network-generator complain
systemd-notify complain
systemd-pstore complain
systemd-pull complain
systemd-quotacheck complain
systemd-repart complain
systemd-reply-password complain
systemd-run complain
systemd-socket-activate complain
systemd-socket-proxyd complain
systemd-stdio-bridge complain
systemd-sulogin-shell complain
systemd-sysext complain
systemd-time-wait-sync complain
systemd-xdg-autostart-condition complain
timedatectl complain
virtiofsd complain
virtlockd complain
hwsim complain
iwdmon complain
nvidia-settings complain
gkbd-keyboard-display complain
mullvad-setup complain
# Work in Progress
bwrap attach_disconnected,complain
bwrap-default attach_disconnected,mediate_deleted,complain
cni-bridge complain
cni-firewall complain
cni-portmap complain
cni-tuning complain
ctop complain
dbus-broker complain
dbus-broker-launch complain
fprintd-delete complain
fprintd-enroll complain
fprintd-list complain
fprintd-verify complain
install-catalog complain
lazydocker complain
losetup complain
modprobed-db complain
mount-ntfs-3g complain
multipathd complain
rpc.idmapd complain
rpc.mountd complain
rpc.statd complain
rpcbind complain
smbspool complain
tomb complain
tomb-kdb-pbkdf2 complain
virt-aa-helper complain
virtlogd complain
virtnetworkd complain
virtnodedevd complain
virtqemud attach_disconnected,complain
virtstoraged attach_disconnected,complain
virtxend attach_disconnected,complain
# Debian server dev
cracklib-packer complain
cron-cracklib complain
cron-etckeeper complain
cron-sysstat complain
sysstat complain
update-cracklib complain
# Ubuntu
# Whonix
mate-notification-daemon complain
# Flatpak slow dev
flatpak-oci-authenticator complain
flatpak-portal attach_disconnected,complain
flatpak-system-helper complain
flatpak-validate-icon complain
# GDM
gdm-host-chooser complain
gdm-simple-chooser complain
# Simple when used for extension, more complex for javascript based gnome app.
gjs-console attach_disconnected,complain
# Not easy
portmaster-start complain
# Require firewall rules for firewalld first
firewall-applet complain
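Review bot: `systemd-cgroups-agent` in the last hunk is the only entry in the file with no flag column, while every other line carries at least `complain`; if enforce mode is intended a trailing comment saying so would make that explicit, otherwise it should read `systemd-cgroups-agent complain` so the generator treats it like its neighbours. The section header `# Profiles not commited yet` misspells "committed". The `# Ubuntu` header is immediately followed by `# Whonix` with no entries under it, so either add the intended profiles or drop the empty header.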


@ -8,8 +8,8 @@ As there are a lot of rules, it is recommended to enable caching AppArmor profil
In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`.
```sh
echo 'write-cache' | sudo tee /etc/apparmor/parser.conf
echo 'Optimize=compress-fast' | sudo tee /etc/apparmor/parser.conf
echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf
echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
```
!!! info


@ -33,20 +33,20 @@ follow the guidelines presented here.
The rules in the profile should be sorted in the rule ***block*** as follows:
1. `include`
1. `set rlimit`
1. `capability`
1. `network`
1. `mount`
1. `remount`
1. `umount`
1. `pivot_root`
1. `change_profile`
1. `signal`
1. [`include`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#include-statements)
1. [`set rlimit`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#rlimit-rules)
1. [`capability`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#capability-rules)
1. [`network`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#network-rules)
1. [`mount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#mount-rules-apparmor-28-and-later)
1. [`remount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#remount)
1. [`umount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#umount)
1. [`pivot_root`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#pivot_root)
1. [`change_profile`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#change_profile)
1. [`signal`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#signals)
1. `ptrace`
1. `unix`
1. `dbus`
1. `file`
1. [`dbus`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#dbus-rules)
1. [`file`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#file-access-rules)
1. local include
This rule order is taken from AppArmor with minor changes as we tend to:


@ -138,6 +138,26 @@ Here is an overview of the current children profile:
of the time you will need more privilege than what this profile is giving you.
## Browsers
Chromium based browsers share a similar structure. Therefore, they share the same
abstraction: [`abstractions/chromium`][chromium] that includes most of the profile content.
This abstraction requires the following variables definied in the profile header:
```sh
@{chromium_name} = chromium
@{chromium_domain} = org.chromium.Chromium
@{chromium_lib_dirs} = /{usr/,}lib/chromium
@{chromium_config_dirs} = @{user_config_dirs}/chromium
@{chromium_cache_dirs} = @{user_cache_dirs}/chromium
```
If your application requires chromium to run (like electron) use
[`abstractions/chromium-common`][chromium-common] instead.
[chromium]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium
[chromium-common]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium-common
## Udev rules
See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`.