diff --git a/Makefile b/Makefile
index 141901982..8c31d684c 100644
--- a/Makefile
+++ b/Makefile
@@ -34,6 +34,16 @@ install:
 install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
 done
+auto:
+ @[ ${DISTRIBUTION} = Arch ] || exit 0; \
+ makepkg --syncdeps --install --cleanbuild --force
+ @[ ${DISTRIBUTION} = Ubuntu ] || exit 0; \
+ dch --newversion="${VERSION}" --urgency=medium --distribution=stable --controlmaint "Release ${VERSION}"; \
+ dpkg-buildpackage -b -d --no-sign; \
+ sudo dpkg -i "../apparmor.d_${VERSION}_all.deb"; \
+ make clean
+ @[ ${DISTRIBUTION} = openSUSE ] || exit 0; \
+ make local
 local:
 @./configure --complain
diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index d87102783..d16e9a8cd 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# For chromium based browser. If your application require chromium ro run
+# For chromium based browser. If your application requires chromium to run
 # (like electron) use abstractions/chromium-common instead.
 # This abstraction requires the following variables definied in the profile header:
diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict
index b3876bf84..36e0cf787 100644
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@@ -19,6 +19,9 @@
 /var/lib/nscd/group r,
 /var/lib/nscd/passwd r,
+ /var/lib/extrausers/group r,
+ /var/lib/extrausers/passwd r,
+ @{run}/nscd/db* r,
 @{run}/systemd/resolve/stub-resolv.conf r,
diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read
index 0cb72292b..007ae62b6 100644
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
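Review bot: The new `auto` recipe calls recursive make as literal `make clean` and `make local`; write them as `$(MAKE) clean` and `$(MAKE) local` so `-n`, `-j` and the jobserver propagate. The distribution tests are unquoted, so an unset `DISTRIBUTION` expands to `[ = Arch ]`, which `test` rejects and the following `|| exit 0` then silently skips every branch; `@[ "${DISTRIBUTION}" = Arch ] || exit 0; \` makes the intent explicit, and an `ifeq`-guarded `$(error DISTRIBUTION is not set)` would fail loudly instead of doing nothing. The Ubuntu branch builds with `--no-sign` and installs the result with `sudo dpkg -i`, which is a lot to run unannounced from a Makefile target; a comment above the rule such as `# auto: local unsigned build and install, needs sudo and the dch/dpkg-buildpackage tooling` would tell the user what `make auto` does. If `auto` is not already listed in `.PHONY` outside this hunk, add it there.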
@@ -12,6 +12,7 @@ owner @{user_books_dirs}/{,**} r, owner @{user_documents_dirs}/{,**} r, + owner @{user_games_dirs}/{,**} r, owner @{user_music_dirs}/{,**} r, owner @{user_pictures_dirs}/{,**} r, owner @{user_projects_dirs}/{,**} r, @@ -20,6 +21,7 @@ owner @{user_templates_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, owner @{user_videos_dirs}/{,**} r, + owner @{user_vm_dirs}/{,**} r, owner @{user_work_dirs}/{,**} r, include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/user-write.d/complete b/apparmor.d/abstractions/user-write.d/complete index 561067250..2bddfa7f8 100644 --- a/apparmor.d/abstractions/user-write.d/complete +++ b/apparmor.d/abstractions/user-write.d/complete @@ -7,8 +7,10 @@ owner @{user_books_dirs}/{,**} rwl, owner @{user_documents_dirs}/{,**} rwl, + owner @{user_games_dirs}/{,**} rwl, owner @{user_music_dirs}/{,**} rwl, owner @{user_pictures_dirs}/{,**} rwl, owner @{user_projects_dirs}/{,**} rwl, owner @{user_videos_dirs}/{,**} rwl, + owner @{user_vm_dirs}/{,**} rwl, owner @{user_work_dirs}/{,**} rwl, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index a4b243205..7a86245ba 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -58,7 +58,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { member={CheckAuthorization,Introspect}, dbus bind bus=system - name= org.debian.apt, + name=org.debian.apt, @{exec_path} mr, @@ -68,6 +68,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,e}grep rix, /{usr/,}bin/echo rix, /{usr/,}bin/gdbus rix, + /{usr/,}bin/id rix, /{usr/,}bin/ischroot rix, /{usr/,}bin/test rix, /{usr/,}bin/touch rix, @@ -88,6 +89,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/etckeeper rPx, /{usr/,}bin/ps rPx, /{usr/,}bin/snap rPUx, + /{usr/,}bin/systemctl rCx -> systemctl, /{usr/,}lib/cnf-update-db rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx, @{libexec}/zsys-system-autosnapshot rPx, 
@@ -224,6 +226,31 @@ profile apt @{exec_path} flags=(attach_disconnected) { } + profile systemctl { + include + + capability sys_resource, + + ptrace (read), + + /{usr/,}bin/systemctl mr, + + /{usr/,}bin/systemd-tty-ask-password-agent rix, + + owner @{run}/systemd/ask-password/ rw, + owner @{run}/systemd/ask-password-block/* rw, + + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, + + /dev/kmsg w, + + } + include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index b7a44a334..cefb8e4d7 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
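Review bot: The new `systemctl` child profile grants `ptrace (read),` with no `peer=`, so the child may read the state of any process rather than the one it actually inspects; narrow it to the observed peer label once the denials are confirmed (the neighbouring `@{PROC}/1/environ r,` and `@{PROC}/1/sched r,` rules suggest PID 1 is the target, but that is inferred). `/dev/kmsg w,` is also a wide grant for a transition reached from apt; if it serves a single systemctl verb, a comment naming it would make the rule reviewable. The same block is pasted verbatim into `ubuntu-advantage` later in this commit, where it replaces a previous `rPx -> child-systemctl` transition; moving it back to a shared child profile or abstraction would keep the two copies from drifting.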
@@ -27,70 +28,64 @@ profile apt-methods-gpgv @{exec_path} { @{exec_path} mr, # The following get "no new privs" so "rix" them - /{usr/,}bin/apt-key rix, /{usr/,}bin/apt-config rix, + /{usr/,}bin/apt-key rix, /{usr/,}bin/dpkg rix, + /{usr/,}bin/find rix, /{usr/,}bin/gpg-connect-agent rix, /{usr/,}bin/gpgconf rix, - /{usr/,}bin/find rix, /{usr/,}bin/gpgv rix, - /{usr/,}bin/head rix, + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin/base64 rix, /{usr/,}bin/cat rix, /{usr/,}bin/chmod rix, /{usr/,}bin/cmp rix, /{usr/,}bin/cp rix, + /{usr/,}bin/head rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/readlink rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, /{usr/,}bin/sort rix, /{usr/,}bin/touch rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/base64 rix, + + /usr/share/dpkg/cputable r, + /usr/share/dpkg/tupletable r, + /usr/share/keyrings/ r, + /usr/share/keyrings/*.{gpg,asc} r, + + /etc/apt/apt.conf r, + /etc/apt/apt.conf.d/{,*} r, + /etc/apt/keyrings/ r, + /etc/apt/keyrings/*.{gpg,asc} r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*.gpg} r, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, # For shell pwd / r, /etc/ r, /root/ r, - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, + /var/lib/apt/lists/{,**} r, + /var/lib/dpkg/arch r, + /var/lib/extrepo/keys/*.{gpg,asc} r, + /var/lib/ubuntu-advantage/apt-esm/{,**} r, + owner /var/lib/apt/lists/* rw, + owner /var/lib/apt/lists/partial/* rw, - /etc/apt/apt.conf.d/{,*} r, - /etc/apt/apt.conf r, - - /etc/apt/trusted.gpg.d/{,*.gpg} r, - /etc/apt/trusted.gpg r, + # For package building + @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, /tmp/ r, owner /tmp/apt-key-gpghome.*/ rw, owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner /tmp/apt.{conf,sig,data}.* rw, - /var/lib/apt/lists/{,**} r, - owner /var/lib/apt/lists/* rw, - owner /var/lib/apt/lists/partial/* rw, - - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - - /var/lib/dpkg/arch r, - @{PROC}/@{pid}/fd/ r, - # Local keyring storage - 
/etc/apt/keyrings/ r, - /etc/apt/keyrings/*.{gpg,asc} r, - /usr/share/keyrings/ r, - /usr/share/keyrings/*.{gpg,asc} r, - - # Extrepo keyring storage - /var/lib/extrepo/keys/*.{gpg,asc} r, - - # For package building - @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - # file_inherit owner /dev/tty[0-9]* rw, /var/log/cron-apt/temp w, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 6ed3835a9..c4c19a596 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -17,19 +17,20 @@ profile apt-methods-http @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, - signal (receive) peer=unattended-upgrade, - signal (receive) peer=update-manager, - network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, + signal (receive) peer=ubuntu-advantage, + signal (receive) peer=unattended-upgrade, + signal (receive) peer=update-manager, + @{exec_path} mr, # apt-helper gets "no new privs" so "rix" it @@ -47,17 +48,20 @@ profile apt-methods-http @{exec_path} { /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /var/cache/apt/ r, + /var/cache/apt/** rwk, + + /var/log/cron-apt/temp w, + /var/lib/apt/lists/{,**} r, owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/partial/* rw, - /var/cache/apt/ r, - /var/cache/apt/** rwk, + # For package building + @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - # For the aptitude interactive mode /tmp/ r, owner /tmp/aptitude-root.*/aptitude-download-* rw, - owner /tmp/apt-changelog-*/*.changelog rw, @{run}/resolvconf/resolv.conf r, 
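Review bot: The hunk deletes the `# For the aptitude interactive mode` comment while keeping `owner /tmp/aptitude-root.*/aptitude-download-* rw,`, so the surviving rule loses its rationale; restore the comment directly above it. `owner /tmp/apt-changelog-*/*.changelog rw,` is removed with no explanation, and a one-line comment stating where `apt changelog` output now goes would stop the next reviewer from re-adding it. `@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,` is moved up into the main rule set of a network-facing method; the `# For package building` comment it carries should say which build flow drives the http method into a build tree, since that is the justification for a write grant of this width.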
@@ -65,12 +69,7 @@ profile apt-methods-http @{exec_path} { @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, - # For package building - @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - - # file_inherit owner /dev/tty[0-9]* rw, - /var/log/cron-apt/temp w, include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index b0f4c86de..f2f08eda7 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -17,18 +18,10 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) { @{exec_path} r, /{usr/,}bin/perl r, - /etc/dpkg/origins/debian r, - - # For package building - owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - - /var/lib/dpkg/status r, - + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, - owner @{user_config_dirs}/dpkg/buildflags.conf r, - /usr/local/bin/ r, /usr/local/sbin/ r, /usr/local/lib/ r, @@ -36,5 +29,14 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) { /usr/local/include/ r, /usr/local/etc/ r, + /etc/dpkg/origins/* r, + + /var/lib/dpkg/status r, + + owner @{user_config_dirs}/dpkg/buildflags.conf r, + + # For package building + owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + include if exists } diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 75ec18164..b82e4ba24 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome @@ -7,7 +7,7 @@ abi , include -@{chromium_name} = chrome{,-beta,-unstable} +@{chromium_name} = chrome{,-beta,-stable,-unstable} @{chromium_domain} = com.google.Chrome @{chromium_lib_dirs} = /opt/google/@{chromium_name} @{chromium_config_dirs} = @{user_config_dirs}/google-@{chromium_name} 
@@ -22,7 +22,7 @@ profile chrome @{exec_path} { /{usr/,}bin/man rPUx, # For "chrome --help" - @{chromium_lib_dirs}/google-chrome{,-beta,-unstable} rPx, + @{chromium_lib_dirs}/google-@{chromium_name} rPx, @{chromium_lib_dirs}/nacl_helper rix, @{chromium_lib_dirs}/xdg-mime rix, #-> xdg-mime, diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 8871d82d1..be777ebd8 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -66,8 +66,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{system_share_dirs}/dbus-1/services/{,**} r, # Extra rules for Snap - /var/lib/snapd/dbus-1/services/ r, - /var/lib/snapd/dbus-1/system-services/ r, + /var/lib/snapd/dbus-1/services/{,**} r, + /var/lib/snapd/dbus-1/system-services/{,**} r, owner @{user_share_dirs}/dbus-1/{,**} r, @{user_share_dirs}/icc/{,edid-*} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5dc0139ba..8441b5e87 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { peer=(name=org.freedesktop.DBus), # all peer's labels dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Settings + interface=org.freedesktop.{DBus.Properties,portal.Settings} member={ReadAll,GetAll} peer=(name=:*, label=snap.snapd-desktop-integration.snapd-desktop-integration), diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 514480b5c..2756fe36c 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server 
@@ -33,6 +33,9 @@ profile gnome-terminal-server @{exec_path} { /{usr/,}bin/micro rPUx, /{usr/,}bin/nvtop rPx, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + /{usr/,}lib/gio-launch-desktop rPx -> child-open, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 5b26e496e..dc504d67f 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -18,5 +18,9 @@ profile sftp-server @{exec_path} { @{exec_path} mr, + # For scp + owner @{user_download_dirs}/{,**} rwl, + owner @{user_sync_dirs}/{,**} rwl, + include if exists } diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 4788e1906..29daf175e 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -22,7 +22,10 @@ profile ssh @{exec_path} { network inet6 dgram, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, + + /{usr/,}bin/{,b,d,rb}ash rix, + /{usr/,}bin/{c,k,tc,z}sh rix, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch new file mode 100644 index 000000000..10bebca74 --- /dev/null +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/openssh/agent-launch +profile ssh-agent-launch @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}bin/{,z,ba,da}sh rix, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index e05b6690c..1d273d86a 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen 
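Review bot: In the `ssh` hunk `@{exec_path} mr,` becomes `@{exec_path} mrix,` and `/{usr/,}bin/{,b,d,rb}ash rix,` plus `/{usr/,}bin/{c,k,tc,z}sh rix,` are added without a comment, so a reader cannot tell which ssh feature spawns a shell (presumably `ProxyCommand`, `LocalCommand` or `Match exec`, but that is inferred); add a comment naming the feature the denial came from. With `ix` the shell runs under the `ssh` profile itself, so everything the profile permits becomes reachable from arbitrary shell text in the user's config; if the commands are known, an `rCx` child profile would contain them more tightly than inheriting the whole profile. The `ssh` profile continues outside the hunk.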
@@ -22,5 +22,8 @@ profile ssh-keygen @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/ w, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, + /dev/tty[0-9]* rw, + /dev/ttyS[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 6ad0953a1..210b439c5 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -66,23 +66,27 @@ profile sshd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/passwd rPx, /{usr/,}lib/openssh/sftp-server rPx, + /etc/legal r, /etc/shells r, /etc/default/locale r, @{etc_ro}/environment r, /etc/gss/mech.d/{,*} r, /etc/issue.net r, - /etc/motd r, + @{etc_rw}/motd r, @{etc_ro}/security/limits.d/{,*.conf} r, @{etc_ro}/ssh/sshd_config r, @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/ssh/ssh_host_* r, + /var/lib/extrausers/shadow r, + # For scp owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + owner @{user_cache_dirs}/{,motd*} rw, @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/motd.d/{,*} r, @@ -108,6 +112,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/uid_map r, /dev/ptmx rw, + /dev/tty[0-9]* rw, + /dev/ttyS[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 51e4b3582..a6a593300 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -9,6 +9,15 @@ include @{exec_path} = /{usr/,}bin/hostnamectl profile hostnamectl @{exec_path} { include + include + include + + capability net_admin, + + dbus send bus=system path=/org/freedesktop/ + interface=org.freedesktop.hostname1 + member=Set*Hostname + peer=(name=org.freedesktop.hostname1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup new file mode 100644 index 000000000..cde503dd7 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-cryptsetup 
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-cryptsetup +profile systemd-cryptsetup @{exec_path} { + include + include + include + include + + capability ipc_lock, + capability net_admin, + capability sys_admin, + + @{exec_path} mr, + + /etc/fstab r, + + @{run}/ r, + @{run}/cryptsetup/ r, + @{run}/cryptsetup/* rwk, + @{run}/systemd/ask-password/* rw, + + @{sys}/devices/virtual/bdi/*/read_ahead_kb r, + @{sys}/fs/ r, + + @{PROC}/devices r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator index 5f4d78537..4b3b14a59 100644 --- a/apparmor.d/groups/systemd/systemd-environment-d-generator +++ b/apparmor.d/groups/systemd/systemd-environment-d-generator @@ -22,6 +22,8 @@ profile systemd-environment-d-generator @{exec_path} { @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, + /snap/snapd/[0-9]*/usr/lib/environment.d/{,*.conf} r, + owner @{user_config_dirs}/environment.d/{,*.conf} r, /dev/tty rw, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed new file mode 100644 index 000000000..38aeb3a02 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-homed 
@@ -0,0 +1,84 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-homed +profile systemd-homed @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability setfcap, + capability setgid, + capability setpcap, + capability setuid, + capability sys_admin, + capability sys_resource, + + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + + mount options=(rw, rslave) -> @{run}/, + mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/, + + dbus bind bus=system name=org.freedesktop.home1, + + @{exec_path} mr, + + /{usr/,}lib/systemd/systemd-homework rPx, + /{usr/,}{s,}bin/mkfs.btrfs rPx, + /{usr/,}{s,}bin/mkfs.fat rPx, + /{usr/,}{s,}bin/mke2fs rPx, + + /etc/machine-id r, + /etc/systemd/homed.conf r, + /etc/skel/{,**} r, + + /var/lib/systemd/home/{,**} rw, + + / r, + @{HOMEDIRS}/ r, + @{HOMEDIRS}/* rw, + @{HOMEDIRS}/*.homedir/ rw, + + @{run}/ r, + @{run}/cryptsetup/{,*} rwk, + @{run}/systemd/home/{,**} rw, + @{run}/systemd/userdb/io.systemd.home r, + @{run}/systemd/user-home-mount/{,**} rw, + + @{sys}/bus/ r, + @{sys}/fs/ r, + @{sys}/class/ r, + @{sys}/kernel/uevent_seqnum r, + @{sys}/devices/**/read_ahead_kb r, + + @{PROC}/devices r, + @{PROC}/sysvipc/{shm,sem,msg} r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map w, + + /dev/loop-control rwk, + /dev/loop[0-9]* rw, + /dev/mapper/control rw, + /dev/mqueue/ r, + /dev/shm/ r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework new file mode 100644 index 000000000..aeba866d1 --- /dev/null 
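Review bot: `mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,` carries neither `fstype=` nor `options=`, so any filesystem type with any options may be mounted at that path; the `mkfs.btrfs`, `mkfs.fat` and `mke2fs` transitions in the same profile suggest a small set, e.g. `mount fstype={ext4,btrfs,vfat} /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,` once the actual types are confirmed from the denials. `@{HOMEDIRS}/* rw,` grants write on every entry directly under the home root, not only the `*.homedir` images the next rule covers; confirm whether the broader rule is needed or can be reduced to `r`. The profile also takes `capability sys_admin,`, `dac_override,` and `dac_read_search,` without comments; a short note on the operation each capability serves would make later tightening possible.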
+++ b/apparmor.d/groups/systemd/systemd-homework @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-homework +profile systemd-homework @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + @{run}/systemd/userdb/ r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 572277302..89d7d8463 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -25,19 +25,24 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { member=CheckAuthorization peer=(name=org.freedesktop.PolicyKit1), - dbus receive bus=system path=/org/freedesktop/hostname[0-9] + dbus receive bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.{DBus.Properties,hostname1} member={Get,GetAll,SetHostname} peer=(name=:*), + dbus receive bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.hostname1 + member=Set*Hostname + peer=(name=:*, label=hostnamectl), + dbus bind bus=system name=org.freedesktop.hostname[0-9], @{exec_path} mr, - /etc/.#hostname* rw, + @{etc_rw}/.#hostname* rw, + @{etc_rw}/hostname rw, /etc/.#machine-info?????? rw, - /etc/hostname rw, /etc/machine-info rw, @{run}/systemd/default-hostname rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 6f56dfb9b..a8be8aca8 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -65,6 +65,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { /etc/machine-id r, /etc/systemd/logind.conf r, /etc/systemd/sleep.conf r, + /etc/systemd/logind.conf.d/{,**} r, /swapfile r, /boot/{,**} r, 
diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell new file mode 100644 index 000000000..b6d9f899c --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-sulogin-shell +profile systemd-sulogin-shell @{exec_path} { + include + include + + capability net_admin, + capability sys_resource, + + @{exec_path} mr, + + /{usr/,}{s,}bin/sulogin rPx, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-user-generators-autostart b/apparmor.d/groups/systemd/systemd-user-generators-autostart new file mode 100644 index 000000000..c16806a45 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-user-generators-autostart @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/systemd/user-generators/systemd-xdg-autostart-generator +profile systemd-user-generators-autostart @{exec_path} { + include + + @{exec_path} mr, + + /etc/xdg/autostart/*.desktop r, + + owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw, + + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-user-generators-environment b/apparmor.d/groups/systemd/systemd-user-generators-environment new file mode 100644 index 000000000..4a7a17b9d --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-user-generators-environment 
@@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator +profile systemd-user-generators-environment @{exec_path} { + include + + @{exec_path} mr, + + /etc/environment.d/{,**} r, + + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-user-generators-flatpak b/apparmor.d/groups/systemd/systemd-user-generators-flatpak new file mode 100644 index 000000000..4f1fe7dac --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-user-generators-flatpak @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/systemd/user-environment-generators/60-flatpak +profile systemd-user-generators-flatpak @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd new file mode 100644 index 000000000..59e3dc23d --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-userdbd 
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-userdbd +profile systemd-userdbd @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability dac_read_search, + capability sys_resource, + + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + + @{exec_path} mr, + + /{usr/,}lib/systemd/systemd-userwork rPx, + + /etc/shadow r, + /etc/machine-id r, + + @{run}/systemd/userdb/{,**} rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork new file mode 100644 index 000000000..920a2eaa7 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/systemd/systemd-userwork +profile systemd-userwork @{exec_path} flags=(attach_disconnected) { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + @{run}/systemd/userdb/ r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index d44f5110a..f4e6f7a55 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -9,13 +9,20 @@ include @{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include + include include unix (receive, send) type=stream peer=(label=apt), @{exec_path} mr, + /{usr/,}bin/dpkg rPx, + + /var/lib/ubuntu-advantage/{,**} r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } \ No newline at end of file 
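Review bot: `network inet raw,` and `network inet6 raw,` in the new `systemd-userdbd` profile are unexplained; a daemon serving `@{run}/systemd/userdb/{,**}` would be expected to need unix sockets, so if these rules came from a denial a comment naming the call would help, and if they were carried over from a sibling profile they should be dropped. `/etc/shadow r,` is a read of password hashes; it is plausibly required for the user-record lookups this daemon performs, but a `# For ...` comment stating that would let a later reviewer re-verify it rather than guess.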
diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required index 1fc19b408..a3c08298c 100644 --- a/apparmor.d/groups/ubuntu/notify-reboot-required +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -15,6 +15,7 @@ profile notify-reboot-required @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gettext rix, + /{usr/,}bin/snap rPx, /usr/share/update-notifier/notify-reboot-required r, diff --git a/apparmor.d/groups/ubuntu/notify-updates-outdated b/apparmor.d/groups/ubuntu/notify-updates-outdated new file mode 100644 index 000000000..e04b02fe0 --- /dev/null +++ b/apparmor.d/groups/ubuntu/notify-updates-outdated @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/update-notifier/notify-updates-outdated +profile notify-updates-outdated @{exec_path} { + include + include + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gettext rix, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/pro b/apparmor.d/groups/ubuntu/pro new file mode 100644 index 000000000..52cfe5b6f --- /dev/null +++ b/apparmor.d/groups/ubuntu/pro @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/pro +profile pro @{exec_path} { + include + include + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index ba28472eb..842e50a3c 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -65,6 +65,7 @@ profile software-properties-gtk @{exec_path} { /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/snapd/desktop/icons/ r, + /var/lib/ubuntu-advantage/status.json r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf new file mode 100644 index 000000000..d6a105b72 --- /dev/null +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf 
@@ -0,0 +1,117 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/subiquity/console-conf-wrapper +profile subiquity-console-conf @{exec_path} { + include + include + include + include + include + + capability chown, + capability fsetid, + + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /{usr/,}bin/{,da,ba}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/sleep rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/tty rix, + + /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, # TODO: rCx, + /{usr/,}{,s}bin/sshd rPx, + /{usr/,}bin/journalctl rCx -> journalctl, + /{usr/,}bin/ssh-keygen rPx, + /usr/lib/snapd/snap-recovery-chooser rPUx, + /usr/share/netplan/netplan.script rPUx, # TODO: rPx, + + /usr/share/subiquity/{,**} r, + /usr/share/subiquity/console-conf-tui rix, + /usr/share/subiquity/console-conf-write-login-details rix, + + /var/lib/extrausers/shadow r, + + /var/lib/console-conf/{,**} rw, + /var/log/console-conf/{,**} rw, + + @{run}/console-conf/{,**} rw, + @{run}/snapd-recovery-chooser-triggered r, + @{run}/snapd.socket rw, + + @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+dmi* r, + @{run}/udev/data/+drm* r, + @{run}/udev/data/+input* r, # For mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci* r, + @{run}/udev/data/+platform* r, + @{run}/udev/data/+sound:card* r, # For sound + + @{run}/udev/data/c1:[0-9]* r, # For RAM disk + @{run}/udev/data/c4:[0-9]* r, # For TTY devices + @{run}/udev/data/c5:[0-9]* r, # For /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c7:[0-9]* r, # For Virtual console capture devices + @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features + @{run}/udev/data/c13:[0-9]* r, # For /dev/input/* + @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]* + 
@{run}/udev/data/c89:[0-9]* r, # For I2C bus interface + @{run}/udev/data/c108:[0-9]* r, # For /dev/ppp + @{run}/udev/data/c116:[0-9]* r, # For ALSA + @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card* + @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 + @{run}/udev/data/c24[0-9]:[0-9]* r, + @{run}/udev/data/c25[0-4]:[0-9]* r, + @{run}/udev/data/n[0-9]* r, + + @{sys}/**/devices/ r, + @{sys}/*/*/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/pci[0-9]*/**/net/*/{,**} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r, + @{sys}/devices/virtual/net/{,**} r, + + @{PROC}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + + /dev/tty rw, + /dev/tty[0-9]* rw, + /dev/ttyS[0-9]* rw, + + profile journalctl { + include + + /{usr/,}bin/journalctl mr, + + @{run}/log/ rw, + /{run,var}/log/journal/ rw, + /{run,var}/log/journal/@{hex}/ rw, + /{run,var}/log/journal/@{hex}/system.journal* rw, + /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw, + /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw, + + owner @{PROC}/@{pid}/stat r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + } + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 651091306..d54a4bc43 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -10,10 +10,15 @@ include profile ubuntu-advantage @{exec_path} { include include + include include + include include include - include + + capability dac_read_search, + capability setgid, + capability setuid, network inet stream, network inet6 stream, 
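Review bot: The `journalctl` child profile in `subiquity-console-conf` grants `rw` on `/{run,var}/log/journal/@{hex}/system.journal*`, `system@@{hex}.journal*` and `user-@{hex}.journal*`; reading the log needs only `r`, and write access from a first-boot console helper means a fault in console-conf could alter or truncate the journal, so downgrade these to `r` unless `--vacuum`/`--rotate` is actually invoked. `/var/lib/extrausers/shadow r,` in the parent is a read of password hashes; a comment on which step needs it (user creation via `console-conf-write-login-details`, presumably) would justify it. The two `# TODO` transitions (`snap rPx, # TODO: rCx,` and `netplan.script rPUx, # TODO: rPx,`) leave `netplan.script` falling back to unconfined when no profile is loaded; a reference to the tracking item in each comment would keep them from being forgotten.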
@@ -21,30 +26,69 @@ profile ubuntu-advantage @{exec_path} { network inet6 dgram, network netlink raw, + signal (send) set=int peer=apt-methods-http, + @{exec_path} mr, - /{usr/,}bin/ischroot rix, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/apt rPx, /{usr/,}bin/apt-cache rPx, + /{usr/,}bin/apt-config rPx, /{usr/,}bin/apt-get rPx, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/ps rPx, /{usr/,}bin/snap rPx, - /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/systemctl rCx -> systemctl, + /{usr/,}bin/systemd-detect-virt rPx, + /{usr/,}bin/ubuntu-distro-info rPx, /{usr/,}lib/apt/apt-helper rix, /{usr/,}lib/apt/methods/http{,s} rPx, /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, - /{usr/,}bin/systemd-detect-virt rPx, + /etc/apt/auth.conf.d/{,**} rw, + /etc/apt/trusted.gpg.d/{,**} rw, + /etc/apt/sources.list.d/{,**} rw, /etc/ubuntu-advantage/{,**} r, - /var/lib/ubuntu-advantage/{,**} r, + /var/lib/ubuntu-advantage/{,**} rw, + + /etc/machine-id r, owner /tmp/tmp[0-9a-z]*/apt.conf r, - + owner /tmp/[0-9a-z]*{,/} rw, + owner /tmp/[0-9a-z]*/apt-helper-output rw, + @{run}/ubuntu-advantage/{,**} rw, @{PROC}/version_signature r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pid}/fd/ r, + profile systemctl { + include + + capability sys_resource, + + ptrace (read), + + /{usr/,}bin/systemctl mr, + + /{usr/,}bin/systemd-tty-ask-password-agent rix, + + owner @{run}/systemd/ask-password/ rw, + owner @{run}/systemd/ask-password-block/* rw, + + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, + + /dev/kmsg w, + + } + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon index f824f725f..73088ebe3 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon 
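Review bot: `/etc/apt/trusted.gpg.d/{,**} rw` and `/etc/apt/sources.list.d/{,**} rw` give this profile write access to every apt trust anchor and source list on the machine, not only the entries the Pro client installs, and with `/etc/apt/auth.conf.d/{,**} rw` that is the whole apt trust surface; a process that has subverted ubuntu-advantage can then add a signing key and a repository of its choice. If the client writes a fixed set of file names under those directories (it appears to manage its own esm/pro entries), narrow the three rules to those names and add a comment naming the `pro` subcommand that writes them. In the new `systemctl` child profile the unqualified `ptrace (read),` permits reading any task's `/proc` state; since the explicit `@{PROC}/1/environ r` and `@{PROC}/1/sched r` rules already cover what systemctl inspects, a `peer=` qualifier (or dropping the ptrace rule if audit logs do not show a denial) would keep the child from becoming a process-snooping primitive.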
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon @@ -19,7 +19,7 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected) member=RequestName peer=(name=org.freedesktop.DBus), - dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Service/*} + dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Services/*} interface=org.freedesktop.DBus.Introspectable member=Introspect, diff --git a/apparmor.d/groups/ubuntu/ubuntu-distro-info b/apparmor.d/groups/ubuntu/ubuntu-distro-info new file mode 100644 index 000000000..7f390480b --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-distro-info @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/ubuntu-distro-info +profile ubuntu-distro-info @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/distro-info/*.csv r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index dd5e60c88..8db82f613 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -22,8 +22,8 @@ profile aa-log @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex}/ r, - /{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r, - /{run,var}/log/journal/@{hex}/user-@{uid}.journal r, + /{run,var}/log/journal/@{hex}/system*.journal r, + /{run,var}/log/journal/@{hex}/user*.journal r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 8b18ba5d5..06447d88b 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty 
@@ -23,14 +23,17 @@ profile agetty @{exec_path} { /{usr/,}bin/login rPx, - /{etc,run,lib,usr/lib}/issue r, - /{etc,run,lib,usr/lib}/issue.d/{,*} r, - /{,usr/}lib/os-release r, - /etc/inittab r, - /etc/os-release r, + /usr/share/subiquity/console-conf-wrapper rPx, # only:core22 + + @{etc_rw}/issue r, + /{,usr/}lib/os-release r, + /{etc,run,lib,usr/lib}/issue r, + /{etc,run,lib,usr/lib}/issue.d/{,*} r, + /etc/inittab r, + /etc/os-release r, - owner @{run}/agetty.reload rw, @{run}/resolvconf/resolv.conf r, + owner @{run}/agetty.reload rw, /dev/tty[0-9]* rw, owner /dev/ttyGS[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index 2382c271c..56b1c6f3e 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -24,10 +24,11 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { /usr/share/apparmor/{,**} r, owner /snap/core[0-9]*/[0-9]*/etc/apparmor.d/{,**} r, + owner /snap/core[0-9]*/[0-9]*/etc/apparmor/* r, owner /var/cache/apparmor/{,**} rw, owner /var/lib/docker/tmp/docker-default[0-9]* r, owner /var/lib/snapd/apparmor/{,**} r, - owner /var/snap/lxd/common/lxd/security/apparmor/{,**} r, + owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw, owner /tmp/cri-containerd.apparmor.d[0-9]* r, diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index 45a4c76a5..89a64ffa9 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -19,7 +19,8 @@ profile fsck @{exec_path} { @{exec_path} mr, /{usr/,}{s,}bin/e2fsck rPx, - /{usr/,}{s,}bin/fsck.* rPx, + /{usr/,}sbin/fsck.* rPx, + /{usr/,}bin/fsck.* rPx, /etc/fstab r, diff --git a/apparmor.d/profiles-a-f/fsck-ext4 b/apparmor.d/profiles-a-f/fsck-ext4 index aead4e49a..8d552e0e5 100644 --- a/apparmor.d/profiles-a-f/fsck-ext4 +++ b/apparmor.d/profiles-a-f/fsck-ext4 
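Review bot: Widening `owner /var/snap/lxd/common/lxd/security/apparmor/{,**}` from `r` to `rw` in the apparmor_parser hunk lets the parser modify LXD's profile sources, not just its binary cache, so a bug or confusion in the parser could rewrite the policy it is about to load. The parser only writes cache files; if LXD keeps its cache in a subdirectory of that tree, grant `rw` to that subdirectory only and keep the profile files at `r`, mirroring how this profile already separates `owner /var/cache/apparmor/{,**} rw` from the read-only profile directories.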
@@ -10,7 +10,7 @@ include profile fsck-ext4 @{exec_path} { include - @{exec_path} r, + @{exec_path} rm, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 2bfc5924d..ec120d250 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -58,7 +58,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { dbus receive bus=system path=/ interface=org.freedesktop.DBus.Properties - member=GetAll, + member={GetAll,SetHints,GetPlugins,GetRemotes} + peer=(name=:*, label=fwupdmgr), dbus bind bus=system name=org.freedesktop.fwupd, diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd index 3b254c152..ab926783d 100644 --- a/apparmor.d/profiles-g-l/groupadd +++ b/apparmor.d/profiles-g-l/groupadd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,10 +13,7 @@ profile groupadd @{exec_path} { include include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, @@ -27,8 +25,8 @@ profile groupadd @{exec_path} { /etc/login.defs r, /etc/{group,gshadow} rw, - /etc/{group,gshadow}.@{pid} w, /etc/{group,gshadow}- w, + /etc/{group,gshadow}.@{pid} w, /etc/{group,gshadow}+ rw, /etc/group.lock wl -> /etc/group.@{pid}, /etc/gshadow.lock wl -> /etc/gshadow.@{pid}, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index d8d7d3d61..652101f87 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod 
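Review bot: In the fwupd hunk the rule now lists `SetHints`, `GetPlugins` and `GetRemotes` as members of `interface=org.freedesktop.DBus.Properties`, but those are methods of the daemon's own `org.freedesktop.fwupd` interface (the name this profile binds a few lines below), so the rule as written will not match the calls it is meant to allow; only `GetAll` belongs on the Properties interface. The added `peer=(name=:*, label=fwupdmgr)` also now restricts `GetAll` to fwupdmgr, so any other client that reads fwupd properties (a desktop updater, for instance) will be denied; if that is intended, say so in a comment. Otherwise split it into `dbus receive bus=system path=/ interface=org.freedesktop.DBus.Properties member=GetAll,` and `dbus receive bus=system path=/ interface=org.freedesktop.fwupd member={SetHints,GetPlugins,GetRemotes} peer=(name=:*, label=fwupdmgr),`.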
@@ -24,9 +24,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/false rix, /{usr/,}{s,}bin/sysctl rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/false rix, + /{usr/,}bin/id rix, /{usr/,}bin/true rix, /{usr/,}lib/modprobe.d/{,*.conf} r, diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 764778e18..25a26502c 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-203 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -32,5 +32,7 @@ profile mandb @{exec_path} flags=(complain) { /usr/share/**/man/man[0-9]*/*.[0-9]*.gz r, + owner @{user_share_dirs}/man/** rwk, + include if exists } diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft index 047a08631..eccf630c9 100644 --- a/apparmor.d/profiles-m-r/nft +++ b/apparmor.d/profiles-m-r/nft @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,7 +12,6 @@ profile nft @{exec_path} { include include - # To be able to run the nft command. capability net_admin, network netlink raw, @@ -24,9 +24,9 @@ profile nft @{exec_path} { owner /etc/nftables/**.nft r, - @{PROC}/sys/kernel/osrelease r, @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, include if exists } diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/profiles-m-r/ps index 90ec3046e..9233c5f54 100644 --- a/apparmor.d/profiles-m-r/ps +++ b/apparmor.d/profiles-m-r/ps 
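Review bot: The rewritten header line in the mandb hunk, `# Copyright (C) 2021-203 Alexandre Pujol`, has a truncated year. It should read `# Copyright (C) 2021-2023 Alexandre Pujol`, matching the form used in the other headers this commit touches (nft, ps, useradd).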
@@ -1,66 +1,53 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# When any of the "*ns" parameters is used, the following error will be printed: -# "Failed name lookup - disconnected path" error=-13 profile="ps" name="". @{exec_path} = /{usr/,}bin/ps profile ps @{exec_path} flags=(attach_disconnected) { include include include - # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, - capability sys_ptrace, ptrace (read), @{exec_path} mr, - # The "/proc/" dir is needed to avoid the following error: - # error: can not access /proc - # The "stat" file is needed to avoid the following error: - # Error, do this: mount -t proc proc /proc - # The "uptime" file is needed to avoid the following error: - # Error: /proc must be mounted - - @{PROC}/ r, - - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/task/@{tid}/cmdline r, - - @{PROC}/@{pids}/wchan r, - @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/loginuid r, - - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/vm/min_free_kbytes r, - @{PROC}/tty/drivers r, - @{PROC}/uptime r, - @{run}/systemd/sessions/* r, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]*/meminfo r, @{sys}/devices/system/node/node[0-9]*/cpumap r, + @{sys}/devices/system/node/node[0-9]*/meminfo r, + + @{PROC}/ r, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/cmdline r, + @{PROC}/@{pids}/task/@{tid}/stat 
r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/wchan r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/vm/min_free_kbytes r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, # file_inherit - owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + owner /dev/tty[0-9]* rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index f7d5da9c3..d31990a1c 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -12,10 +12,20 @@ profile snap @{exec_path} { include include include + include include + capability sys_admin, + unix (send, receive) type=stream peer=(label=apt), + mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-[0-9]*/, + + dbus (send, receive) bus=session path=/org/freedesktop/ + interface=org.freedesktop.systemd1.Manager + member={StartTransientUnit,JobRemoved} + peer=(name=:*, label=unconfined), + dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents member=GetMountPoint @@ -23,6 +33,8 @@ profile snap @{exec_path} { @{exec_path} mrix, + /{usr/,}bin/mount rix, + /{usr/,}bin/systemctl rPx -> child-systemctl, /snap/{,**} rw, 
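Review bot: Removing `capability sys_ptrace` from the ps profile while keeping `@{PROC}/@{pids}/environ r` changes what root can see, not just what the profile permits: the kernel gates `/proc/<pid>/environ` behind a ptrace access check, so `ps e` run as root against another user's or a non-dumpable process will now fail with EACCES regardless of the file rule. That may be an acceptable hardening (ps rarely needs other users' environments), but it is a behaviour change and the explanatory comment for the capability was deleted in the same hunk, so I would add a one-line note such as `# sys_ptrace dropped on purpose: environ of other users' processes is not readable`. The `ptrace (read)` rule that remains does not restore this, since it mediates the AppArmor side only.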
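Review bot: `capability sys_admin` combined with `mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-[0-9]*/`, which names neither a source nor an fstype, lets the user-facing `snap` client mount any block device or filesystem type at that path; the `snapd` hunk later in this diff shows the tighter form, `mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/`. If auto-import only reads assertions from removable media, pin the device pattern and fstype it actually uses, and add the matching `umount /tmp/snapd-auto-import-mount-[0-9]*/` rule, which this hunk does not include. `/{usr/,}bin/mount rix` then inherits sys_admin into the rest of snap as well; a `rCx` child holding only the mount rule would keep the capability contained. The dbus rule's `path=/org/freedesktop/` also looks truncated next to the interface `org.freedesktop.systemd1.Manager`; the manager object lives at `/org/freedesktop/systemd1`.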
@@ -34,27 +46,34 @@ profile snap @{exec_path} { /var/lib/snapd/{,**} rwk, /var/cache/snapd/commands.db rwk, + /var/cache/snapd/names r, - owner @{HOME}/snap/{,**} rw, + @{HOME}/snap/{,**} rw, + + owner /tmp/snapd-auto-import-mount-[0-9]*/ rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/snapd-session-agent.socket rw, owner @{run}/user/@{uid}/systemd/notify rw, + @{run}/mount/utab r, @{run}/snapd.socket rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/features/ r, - owner @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/cgroups r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/random/uuid r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/version r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/cgroups r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/version r, + + /dev/tty[0-9]* rw, + /dev/ttyS[0-9]* rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper index d3cdb0a93..762045232 100644 --- a/apparmor.d/profiles-s-z/snap-device-helper +++ b/apparmor.d/profiles-s-z/snap-device-helper @@ -11,6 +11,7 @@ profile snap-device-helper @{exec_path} { include capability bpf, + capability dac_read_search, capability setgid, capability sys_resource, diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns index 31d36f255..7d39be686 100644 --- a/apparmor.d/profiles-s-z/snap-discard-ns +++ b/apparmor.d/profiles-s-z/snap-discard-ns @@ -11,6 +11,11 @@ profile snap-discard-ns @{exec_path} { include capability setgid, + capability sys_admin, + + network netlink raw, + + umount @{run}/snapd/ns/*.mnt, @{exec_path} mr, 
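Review bot: `@{HOME}/snap/{,**} rw` replaces `owner @{HOME}/snap/{,**} rw`, so a `snap` process now writes into every user's `~/snap` tree regardless of who owns it, which is exactly the cross-user boundary `owner` was enforcing; with `@{HOME}` expanding to all home directories this is a broad grant. If the trigger was root running `snap` on behalf of another user (this commit also teaches sudo to exec `/snap/snapd/*/usr/bin/snap`), a comment should say so; otherwise keep `owner` and add an unqualified rule only for the specific path that needs it. The new `/dev/ttyS[0-9]* rw` is also unexplained for a CLI client and would benefit from a `# For …` comment like the ones used in the subiquity profile.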
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 61c56784f..19cb2ea42 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -14,10 +14,14 @@ profile snap-update-ns @{exec_path} { capability sys_admin, capability sys_chroot, + network netlink raw, + mount -> /snap/**/, mount -> /usr/**/, - mount /snap/**/ -> /tmp/.snap/**, + mount -> /var/lib/dhcp/, + mount /snap/**/ -> /tmp/.snap/**, umount /snap/**/, + umount /var/lib/dhcp/, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 232168d31..08593ffd6 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -38,7 +38,7 @@ profile snapd @{exec_path} { mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/, umount /tmp/syscheck-mountpoint-[0-9]*/, - umount /snap/*/[0-9]*/, + umount /snap/*/*/, ptrace (read) peer=snap, ptrace (read) peer=unconfined, @@ -55,6 +55,13 @@ profile snapd @{exec_path} { @{exec_path} mr, + /{usr/,}{s,}bin/adduser rPx, + /{usr/,}{s,}bin/groupadd rPx, + /{usr/,}{s,}bin/useradd rPx, + /{usr/,}bin/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope + /{usr/,}bin/hostnamectl rPx, + /{usr/,}bin/ssh-keygen rPx, + /{usr/,}{s,}bin/apparmor_parser rPx, /{usr/,}{s,}bin/runuser rCx -> runuser, /{usr/,}bin/{,ba,da}sh rix, @@ -82,13 +89,14 @@ profile snapd @{exec_path} { /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix, - /usr/share/bash-completion/completions/{,**} r, + /usr/share/bash-completion/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} r, /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**/} r, /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, + /etc/environment r, /etc/fstab r, /etc/mime.types r, /etc/modprobe.d/{,**/} r, 
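Review bot: `/{usr/,}bin/cloud-init rPUx` in the snapd hunk falls back to running cloud-init unconfined whenever no cloud-init profile is loaded, which on a non-Core host is the usual case, so snapd gains an unconfined child that reads instance metadata and writes user data; the TODO acknowledges this but still ships it. Since the comment says the rule is only needed on Ubuntu Core, tag it with the `# only:core` marker used elsewhere in this diff if the build honours that filter, or use `rPx` and ship a minimal cloud-init profile. The comment also misspells the distribution: `# TODO: rPx ? limited to ubuntu core, otherwise out of scope`.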
@@ -113,19 +121,26 @@ profile snapd @{exec_path} { /tmp/syscheck-squashfs-[0-9]* rw, /tmp/read-file[0-9]*/{,**} rw, + + /boot/ r, + /boot/grub/grubenv r, + / r, /home/ r, @{HOME}/ r, @{HOME}/snap/{,**} rw, + @{HOME}/.snap*/{,**} rw, owner @{run}/mount/ rw, owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab.lock wk, + @{run}/user/ r, @{run}/user/@{uid}/ r, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, + @{run}/mnt/ubuntu-seed/EFI/ubuntu/grubenv r, # only:core @{run}/snapd*.socket rw, @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, @@ -140,6 +155,7 @@ profile snapd @{exec_path} { @{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/profiles r, + @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 387aca977..e7b53038c 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -44,15 +44,19 @@ profile sudo @{exec_path} { member=CreateSession peer=(name=org.freedesktop.login[0-9]), + dbus (send receive) bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd.Manager + member={JobRemoved,StartTransientUnit}, + @{exec_path} mr, - /run/ r, + @{libexec}/sudo/** mr, - @{libexec}/sudo/** mr, - /{usr/,}bin/{,b,d,rb}ash rUx, - /{usr/,}bin/{c,k,tc,z}sh rUx, - /{usr/,}lib/cockpit/cockpit-askpass rPx, - /{usr/,}lib/molly-guard/molly-guard rPx, + /snap/snapd/[0-9]*/usr/bin/snap rPx, + /{usr/,}bin/{,b,d,rb}ash rUx, + /{usr/,}bin/{c,k,tc,z}sh rUx, + /{usr/,}lib/cockpit/cockpit-askpass rPx, + /{usr/,}lib/molly-guard/molly-guard rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*} r, 
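Review bot: `@{HOME}/.snap*/{,**} rw` in the snapd hunk is a prefix glob, so it matches any hidden directory in any user's home whose name starts with `.snap` (a `~/.snapshots` tree, for example), not only snapd's own state directory, and it carries no `owner`. If the intent is the hidden data-directory layout, name it exactly, `@{HOME}/.snap/{,**} rw`, and add a comment saying which snapd feature creates it; the unqualified `@{HOME}/snap/{,**} rw` directly above at least names a fixed directory.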
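Review bot: The new dbus rule in the sudo hunk uses `interface=org.freedesktop.systemd.Manager`, which is not systemd's manager interface; the snap hunk earlier in this diff spells it `org.freedesktop.systemd1.Manager`, so this rule will never match the `StartTransientUnit` call it is meant to cover and the denials it was added for will persist. It also has no `peer=`, unlike the `CreateSession` rule just above it that is pinned to `peer=(name=org.freedesktop.login[0-9])`, so as written it would allow the same member on any session-bus service. Proposed: `dbus (send receive) bus=session path=/org/freedesktop/systemd1`, `interface=org.freedesktop.systemd1.Manager member={JobRemoved,StartTransientUnit}`, `peer=(name=org.freedesktop.systemd1),`.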
@@ -63,6 +67,7 @@ profile sudo @{exec_path} { /etc/sudoers.d/{,*} r, /var/db/sudo/lectured/ r, + /var/lib/extrausers/shadow r, /var/lib/sudo/lectured/ r, /var/lib/sudo/ts/ rw, /var/lib/sudo/ts/* rwk, @@ -72,6 +77,7 @@ profile sudo @{exec_path} { owner @{HOME}/.sudo_as_admin_successful rw, owner @{HOME}/.xsession-errors w, + @{run}/ r, @{run}/faillock/{,*} rwk, @{run}/resolvconf/resolv.conf r, owner @{run}/sudo/ rw, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 6c464b77e..c01b53392 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,25 +13,12 @@ profile useradd @{exec_path} { include include - # To create a user home dir and give it proper permissions: - # mkdir("/home/user", 000) = 0 - # chown("/home/user", 0, 0) = 0 - # chmod("/home/user", 0755) = 0 - # chown("/home/user/", 1001, 1001) = 0 - # chmod("/home/user/", 0755) = 0 - capability chown, - capability fowner, - - # To set the set-group-ID bit for the user home dir. - capability fsetid, - - # To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different - # owner. - capability dac_read_search, - capability dac_override, - - # To write records to the kernel auditing log. capability audit_write, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, network netlink raw, 
@@ -40,21 +28,20 @@ profile useradd @{exec_path} { /{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2, + /etc/default/useradd r, /etc/login.defs r, - /etc/default/useradd r, - /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, - /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, + /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, /etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw, - /etc/passwd.lock wl -> /etc/passwd.@{pid}, - /etc/shadow.lock wl -> /etc/shadow.@{pid}, /etc/group.lock wl -> /etc/group.@{pid}, /etc/gshadow.lock wl -> /etc/gshadow.@{pid}, - /etc/subuid.lock wl -> /etc/subuid.@{pid}, + /etc/passwd.lock wl -> /etc/passwd.@{pid}, + /etc/shadow.lock wl -> /etc/shadow.@{pid}, /etc/subgid.lock wl -> /etc/subgid.@{pid}, + /etc/subuid.lock wl -> /etc/subuid.@{pid}, # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to # modify the /etc/passwd or /etc/shadow password database. @@ -69,7 +56,6 @@ profile useradd @{exec_path} { /var/lib/*/{,*} rw, /etc/skel/{,.*} r, - profile pam_tally2 { include include diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend index 7614e1abb..e448d2cd7 100644 --- a/apparmor.d/tunables/extend +++ b/apparmor.d/tunables/extend @@ -28,4 +28,7 @@ @{libexec}=/{usr/,}lib # Archlinux @{libexec}=/{usr/,}libexec # Debian/Ubuntu +# Integration with Ubuntu Core +@{etc_rw}+=/etc/writable/ + include if exists \ No newline at end of file diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 31cf72abb..ea17baa1a 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -1,5 +1,5 @@ // aa-log - Review AppArmor generated messages -// Copyright (C) 2021-2022 Alexandre Pujol +// Copyright (C) 2021-2023 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package main 
@@ -20,6 +20,23 @@ import ( "strings" ) +const usage = `aa-log [-h] [--systemd] [--dbus] [--file file] [profile] + + Review AppArmor generated messages in a colorful way. Supports logs from + auditd, systemd, syslog as well as dbus session events. + + It can be given an optional profile name to filter the output with. + + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + +Options: + -h, --help Show this help message and exit. + -f, --file FILE Set a logfile or a suffix to the default log file. + -s, --systemd Parse systemd logs from journalctl. + +` + // Command line options var ( help bool @@ -104,23 +121,21 @@ func getAuditLogs(path string) (io.Reader, error) { } // getJournalctlLogs return a reader with the logs entries from Systemd -func getJournalctlLogs(path string, user bool, useFile bool) (io.Reader, error) { +func getJournalctlLogs(path string, useFile bool) (io.Reader, error) { var logs []SystemdLog var stdout bytes.Buffer var value string if useFile { + // content, err := os.ReadFile(filepath.Clean(path)) content, err := ioutil.ReadFile(filepath.Clean(path)) if err != nil { return nil, err } value = string(content) } else { - mode := "--system" - if user { - mode = "--user" - } - cmd := exec.Command("journalctl", mode, "--boot", "--unit=dbus.service", "--output=json") + // journalctl -b -o json > systemd.log + cmd := exec.Command("journalctl", "--boot", "--output=json") cmd.Stdout = &stdout if err := cmd.Run(); err != nil { return nil, err @@ -131,6 +146,7 @@ func getJournalctlLogs(path string, user bool, useFile bool) (io.Reader, error) value = strings.Replace(value, "\n", ",\n", -1) value = strings.TrimSuffix(value, ",\n") value = `[` + value + `]` + // fmt.Printf("value: %v\n", value) if err := json.Unmarshal([]byte(value), &logs); err != nil { return nil, err } 
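Review bot: The synopsis in the new `usage` text advertises a `--dbus` option (`aa-log [-h] [--systemd] [--dbus] [--file file] [profile]`) that the option list below it does not describe and that `init()` never registers; the flags defined in this commit are only `h/help`, `f/file` and `s/systemd`, so `aa-log --dbus` will fail with an unknown-flag error while the help claims it exists. Drop `[--dbus]` from the synopsis, or add the flag if dbus-session parsing is meant to be a separate mode. The description sentence "Supports logs from auditd, systemd, syslog as well as dbus session events." likewise names syslog, which no code path in the visible hunks selects.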
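Review bot: `getJournalctlLogs` still assembles a JSON array by string surgery in the lines following this hunk (`strings.Replace(value, "\n", ",\n", -1)`, trimming the trailing comma, wrapping in `[`/`]`), which rejects the whole input as soon as the file has a blank or trailing empty line, because that produces an empty array element. `journalctl --output=json` emits one object per line, which `json.Decoder` consumes directly from either the file or the command's stdout, avoids holding a second full copy of the boot's journal in `value`, and reports the offending entry on error. Dropping `--unit=dbus.service` means every unit's messages for the boot are now read, which is fine for parsing, but the function body runs past the hunk so I could not check whether anything downstream still assumes dbus-only entries. The commented-out `// content, err := os.ReadFile(filepath.Clean(path))` should either replace the deprecated `ioutil.ReadFile` call or be deleted rather than kept as a reminder.

```go
func getJournalctlLogs(path string, useFile bool) (io.Reader, error) {
	var logs []SystemdLog
	var src io.Reader
	if useFile {
		f, err := os.Open(filepath.Clean(path))
		if err != nil {
			return nil, err
		}
		defer f.Close()
		src = f
	} else {
		// journalctl -b -o json > systemd.log
		var stdout bytes.Buffer
		cmd := exec.Command("journalctl", "--boot", "--output=json")
		cmd.Stdout = &stdout
		if err := cmd.Run(); err != nil {
			return nil, err
		}
		src = &stdout
	}
	// journalctl writes one JSON object per line; decode them in sequence
	// instead of rewriting the text into a single array.
	dec := json.NewDecoder(src)
	for dec.More() {
		var entry SystemdLog
		if err := dec.Decode(&entry); err != nil {
			return nil, err
		}
		logs = append(logs, entry)
	}
	// … unchanged: conversion of logs into the returned reader …
```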
@@ -189,7 +205,7 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { } } aa["profile"] = decodeHex(aa["profile"]) - toDecode := []string{"profile", "name", "comm"} + toDecode := []string{"name", "comm"} for _, name := range toDecode { if value, ok := aa[name]; ok { aa[name] = decodeHex(value) @@ -267,7 +283,7 @@ func aaLog(logger string, path string, profile string) error { case "auditd": file, err = getAuditLogs(path) case "systemd": - file, err = getJournalctlLogs(path, true, path != LogFile) + file, err = getJournalctlLogs(path, path != LogFile) default: err = fmt.Errorf("Logger %s not supported.", logger) } @@ -281,21 +297,18 @@ func aaLog(logger string, path string, profile string) error { func init() { flag.BoolVar(&help, "h", false, "Show this help message and exit.") - flag.StringVar(&path, "f", LogFile, - "Set a log`file` or a suffix to the default log file.") - flag.BoolVar(&systemd, "s", false, "Parse systemd dbus logs.") + flag.BoolVar(&help, "help", false, "Show this help message and exit.") + flag.StringVar(&path, "f", LogFile, "Set a logfile or a suffix to the default log file.") + flag.StringVar(&path, "file", LogFile, "Set a logfile or a suffix to the default log file.") + flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") + flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") } func main() { + flag.Usage = func() { fmt.Print(usage) } flag.Parse() if help { - fmt.Printf(`aa-log [-h] [-s] [-f file] [profile] - - Review AppArmor generated messages in a colorful way. - It can be given an optional profile name to filter the output with. - -`) - flag.PrintDefaults() + flag.Usage() os.Exit(0) } diff --git a/cmd/aa-log/main_test.go b/cmd/aa-log/main_test.go index 75232b460..28af46c9f 100644 --- a/cmd/aa-log/main_test.go +++ b/cmd/aa-log/main_test.go 
@@ -94,7 +94,7 @@ func TestAppArmorEvents(t *testing.T) { }, }, { - name: "dbus system", + name: "dbus_system", event: `type=USER_AVC msg=audit(1111111111.111:1111): pid=1780 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="send" name="org.freedesktop.PolicyKit1" pid=1794 label="snapd" peer_pid=1790 peer_label="polkitd" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"`, want: AppArmorLogs{ { @@ -113,7 +113,7 @@ func TestAppArmorEvents(t *testing.T) { }, }, { - name: "dbus session", + name: "dbus_session", event: `apparmor="ALLOWED" operation="dbus_bind" bus="session" name="org.freedesktop.portal.Documents" mask="bind" pid=2174 label="xdg-document-portal"`, want: AppArmorLogs{ { @@ -221,13 +221,11 @@ func Test_getJournalctlLogs(t *testing.T) { tests := []struct { name string path string - user bool useFile bool want AppArmorLogs }{ { name: "gsd-xsettings", - user: true, useFile: true, path: "../../tests/systemd.log", want: AppArmorLogs{ @@ -255,7 +253,7 @@ func Test_getJournalctlLogs(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - reader, _ := getJournalctlLogs(tt.path, tt.user, tt.useFile) + reader, _ := getJournalctlLogs(tt.path, tt.useFile) if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) { t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 88d3bfc9b..ac7f578d1 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -18,7 +18,7 @@ cc-remote-login-helper complain cfdisk complain cgdisk complain child-open complain -chronyd complain +chronyd attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure complain 
@@ -210,9 +210,12 @@ systemd-cat complain systemd-cgls complain systemd-cgtop complain systemd-coredump attach_disconnected,complain +systemd-cryptsetup complain systemd-dissect complain systemd-environment-d-generator complain systemd-escape complain +systemd-homed attach_disconnected,complain +systemd-homework complain systemd-hostnamed attach_disconnected,complain systemd-hwdb attach_disconnected,complain systemd-id128 complain @@ -236,8 +239,13 @@ systemd-timedated attach_disconnected,complain systemd-tty-ask-password-agent complain systemd-update-done complain systemd-update-utmp complain +systemd-user-generators-autostart complain +systemd-user-generators-environment complain +systemd-user-generators-flatpak complain systemd-user-runtime-dir complain systemd-user-sessions complain +systemd-userdbd attach_disconnected,complain +systemd-userwork complain systemd-vconsole-setup complain systemd-xdg-autostart-generator complain tracker-extract complain 
@@ -262,3 +270,129 @@ xdg-permission-store attach_disconnected,complain
 xdg-user-dirs-gtk-update complain
 xdm-xsession complain
 xorg attach_disconnected,complain
+
+# Profiles not commited yet
+glib-genmarshal complain
+glib-gettextize complain
+glib-mkenums complain
+gnome-session-custom-session complain
+gnome-session-inhibit complain
+gnome-session-quit complain
+gnome-shell-extension-prefs complain
+gnome-shell-extension-tool complain
+gnome-shell-hotplug-sniffer complain
+gnome-shell-perf-helper complain
+gnome-shell-perf-tool complain
+gnome-shell-portal-helper complain
+gnome-tweak-tool-lid-inhibitor complain
+homectl complain
+loginctl complain
+machinectl complain
+nfsdcld complain
+oomctl complain
+podman attach_disconnected,complain
+prime-switch complain
+qrencode complain
+splunkforwarder complain
+systemd-bless-boot complain
+systemd-boot-check-no-failures complain
+systemd-cgroups-agent
+systemd-export complain
+systemd-growfs complain
+systemd-hibernate-resume complain
+systemd-import complain
+systemd-import-fs complain
+systemd-importd complain
+systemd-journal-gatewayd complain
+systemd-journal-remote complain
+systemd-journal-upload complain
+systemd-network-generator complain
+systemd-notify complain
+systemd-pstore complain
+systemd-pull complain
+systemd-quotacheck complain
+systemd-repart complain
+systemd-reply-password complain
+systemd-run complain
+systemd-socket-activate complain
+systemd-socket-proxyd complain
+systemd-stdio-bridge complain
+systemd-sulogin-shell complain
+systemd-sysext complain
+systemd-time-wait-sync complain
+systemd-xdg-autostart-condition complain
+timedatectl complain
+virtiofsd complain
+virtlockd complain
+hwsim complain
+iwdmon complain
+nvidia-settings complain
+gkbd-keyboard-display complain
+mullvad-setup complain
+
+# Work in Progress
+bwrap attach_disconnected,complain
+bwrap-default attach_disconnected,mediate_deleted,complain
+cni-bridge complain
+cni-firewall complain
+cni-portmap complain
+cni-tuning complain
+ctop complain
+dbus-broker complain
+dbus-broker-launch complain
+fprintd-delete complain
+fprintd-enroll complain
+fprintd-list complain
+fprintd-verify complain
+install-catalog complain
+lazydocker complain
+losetup complain
+modprobed-db complain
+mount-ntfs-3g complain
+multipathd complain
+rpc.idmapd complain
+rpc.mountd complain
+rpc.statd complain
+rpcbind complain
+smbspool complain
+tomb complain
+tomb-kdb-pbkdf2 complain
+virt-aa-helper complain
+virtlogd complain
+virtnetworkd complain
+virtnodedevd complain
+virtqemud attach_disconnected,complain
+virtstoraged attach_disconnected,complain
+virtxend attach_disconnected,complain
+
+# Debian server dev
+cracklib-packer complain
+cron-cracklib complain
+cron-etckeeper complain
+cron-sysstat complain
+sysstat complain
+update-cracklib complain
+
+# Ubuntu
+
+# Whonix
+mate-notification-daemon complain
+
+# Flatpak slow dev
+flatpak-oci-authenticator complain
+flatpak-portal attach_disconnected,complain
+flatpak-system-helper complain
+flatpak-validate-icon complain
+
+# GDM
+gdm-host-chooser complain
+gdm-simple-chooser complain
+
+# Simple when used for extension, more complex for javascript based gnome app.
+gjs-console attach_disconnected,complain
+
+# Not easy
+portmaster-start complain
+
+# Require firewall rules for firewalld first
+firewall-applet complain
diff --git a/docs/configuration.md b/docs/configuration.md
index 0f375f07e..0976f43b3 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -8,8 +8,8 @@ As there are a lot of rules, it is recommended to enable caching AppArmor profil
 In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`.
 ```sh
-echo 'write-cache' | sudo tee /etc/apparmor/parser.conf
-echo 'Optimize=compress-fast' | sudo tee /etc/apparmor/parser.conf
+echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf
+echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
 ```
 !!! info
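Review bot: `+systemd-cgroups-agent` is the only entry in this hunk with no flags column, while every neighbour is written `<profile> <flags>`; unless the flags loader tolerates a bare name this entry is either skipped or yields an empty flag set, and given its section `systemd-cgroups-agent complain` looks like what was meant. The tail of the "Profiles not commited yet" group (`hwsim`, `iwdmon`, `nvidia-settings`, `gkbd-keyboard-display`, `mullvad-setup`) also breaks the alphabetical order the rest of the file keeps, and that heading should read `# Profiles not committed yet`. The `# Ubuntu` section is empty; either drop it or mark it as a placeholder so it is not mistaken for a lost entry. Since these names refer to profiles that are described as not yet committed, it is worth confirming that the build tooling ignores flags for profiles that do not exist rather than failing on them.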
diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md
index e672b245a..3a87bf7f6 100644
--- a/docs/development/guidelines.md
+++ b/docs/development/guidelines.md
@@ -33,20 +33,20 @@ follow the guidelines presented here.
 The rules in the profile should be sorted in the rule ***block*** as follows:
-1. `include`
-1. `set rlimit`
-1. `capability`
-1. `network`
-1. `mount`
-1. `remount`
-1. `umount`
-1. `pivot_root`
-1. `change_profile`
-1. `signal`
+1. [`include`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#include-statements)
+1. [`set rlimit`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#rlimit-rules)
+1. [`capability`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#capability-rules)
+1. [`network`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#network-rules)
+1. [`mount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#mount-rules-apparmor-28-and-later)
+1. [`remount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#remount)
+1. [`umount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#umount)
+1. [`pivot_root`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#pivot_root)
+1. [`change_profile`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#change_profile)
+1. [`signal`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#signals)
 1. `ptrace`
 1. `unix`
-1. `dbus`
-1. `file`
+1. [`dbus`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#dbus-rules)
+1. [`file`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#file-access-rules)
 1. local include
 This rule order is taken from AppArmor with minor changes as we tend to:
diff --git a/docs/development/structure.md b/docs/development/structure.md
index 90650828a..47986346d 100644
--- a/docs/development/structure.md
+++ b/docs/development/structure.md
@@ -138,6 +138,26 @@ Here is an overview of the current children profile:
 of the time you will need more privilege than what this profile is giving you.
+## Browsers
+
+Chromium based browsers share a similar structure. Therefore, they share the same
+abstraction: [`abstractions/chromium`][chromium] that includes most of the profile content.
+
+This abstraction requires the following variables definied in the profile header:
+```sh
+@{chromium_name} = chromium
+@{chromium_domain} = org.chromium.Chromium
+@{chromium_lib_dirs} = /{usr/,}lib/chromium
+@{chromium_config_dirs} = @{user_config_dirs}/chromium
+@{chromium_cache_dirs} = @{user_cache_dirs}/chromium
+```
+
+If your application requires chromium to run (like electron) use
+[`abstractions/chromium-common`][chromium-common] instead.
+
+[chromium]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium
+[chromium-common]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium-common
+
 ## Udev rules
 See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`.