Merge pull request #1 from roddhjav/main

Update
curiosityseeker 2023-02-20 13:08:43 +01:00 committed by GitHub
commit f17516c34d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
65 changed files with 1015 additions and 215 deletions


@ -34,6 +34,16 @@ install:
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
done done
auto:
@[ ${DISTRIBUTION} = Arch ] || exit 0; \
makepkg --syncdeps --install --cleanbuild --force
@[ ${DISTRIBUTION} = Ubuntu ] || exit 0; \
dch --newversion="${VERSION}" --urgency=medium --distribution=stable --controlmaint "Release ${VERSION}"; \
dpkg-buildpackage -b -d --no-sign; \
sudo dpkg -i "../apparmor.d_${VERSION}_all.deb"; \
make clean
@[ ${DISTRIBUTION} = openSUSE ] || exit 0; \
make local
local: local:
@./configure --complain @./configure --complain
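Review bot: The `auto` recipe calls `make clean` and `make local` literally; inside a recipe these should be `$(MAKE) clean` and `$(MAKE) local` so that `-n`, `-j` and command-line variable overrides propagate to the sub-invocation. The distribution tests also expand an unquoted `${DISTRIBUTION}`; when the variable is empty the shell sees `[ = Arch ]`, a test syntax error that the `|| exit 0` then silently treats as "not this distribution" — `@[ "${DISTRIBUTION}" = Arch ] || exit 0; \` makes the intent explicit and the failure mode visible. Whether `auto` is declared in `.PHONY` is outside this hunk.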


@ -2,7 +2,7 @@
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# For chromium based browser. If your application require chromium ro run # For chromium based browser. If your application requires chromium to run
# (like electron) use abstractions/chromium-common instead. # (like electron) use abstractions/chromium-common instead.
# This abstraction requires the following variables definied in the profile header: # This abstraction requires the following variables definied in the profile header:
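Review bot: The comment fix on the previous line leaves `definied` misspelled on the next new-side line; while this header is being touched it should read `# This abstraction requires the following variables defined in the profile header:`. The rest of the header is outside the hunk.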


@ -19,6 +19,9 @@
/var/lib/nscd/group r, /var/lib/nscd/group r,
/var/lib/nscd/passwd r, /var/lib/nscd/passwd r,
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
@{run}/nscd/db* r, @{run}/nscd/db* r,
@{run}/systemd/resolve/stub-resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r,


@ -12,6 +12,7 @@
owner @{user_books_dirs}/{,**} r, owner @{user_books_dirs}/{,**} r,
owner @{user_documents_dirs}/{,**} r, owner @{user_documents_dirs}/{,**} r,
owner @{user_games_dirs}/{,**} r,
owner @{user_music_dirs}/{,**} r, owner @{user_music_dirs}/{,**} r,
owner @{user_pictures_dirs}/{,**} r, owner @{user_pictures_dirs}/{,**} r,
owner @{user_projects_dirs}/{,**} r, owner @{user_projects_dirs}/{,**} r,
@ -20,6 +21,7 @@
owner @{user_templates_dirs}/{,**} r, owner @{user_templates_dirs}/{,**} r,
owner @{user_torrents_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r,
owner @{user_videos_dirs}/{,**} r, owner @{user_videos_dirs}/{,**} r,
owner @{user_vm_dirs}/{,**} r,
owner @{user_work_dirs}/{,**} r, owner @{user_work_dirs}/{,**} r,
include if exists <abstractions/user-read.d> include if exists <abstractions/user-read.d>


@ -7,8 +7,10 @@
owner @{user_books_dirs}/{,**} rwl, owner @{user_books_dirs}/{,**} rwl,
owner @{user_documents_dirs}/{,**} rwl, owner @{user_documents_dirs}/{,**} rwl,
owner @{user_games_dirs}/{,**} rwl,
owner @{user_music_dirs}/{,**} rwl, owner @{user_music_dirs}/{,**} rwl,
owner @{user_pictures_dirs}/{,**} rwl, owner @{user_pictures_dirs}/{,**} rwl,
owner @{user_projects_dirs}/{,**} rwl, owner @{user_projects_dirs}/{,**} rwl,
owner @{user_videos_dirs}/{,**} rwl, owner @{user_videos_dirs}/{,**} rwl,
owner @{user_vm_dirs}/{,**} rwl,
owner @{user_work_dirs}/{,**} rwl, owner @{user_work_dirs}/{,**} rwl,


@ -58,7 +58,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
member={CheckAuthorization,Introspect}, member={CheckAuthorization,Introspect},
dbus bind bus=system dbus bind bus=system
name= org.debian.apt, name=org.debian.apt,
@{exec_path} mr, @{exec_path} mr,
@ -68,6 +68,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/echo rix, /{usr/,}bin/echo rix,
/{usr/,}bin/gdbus rix, /{usr/,}bin/gdbus rix,
/{usr/,}bin/id rix,
/{usr/,}bin/ischroot rix, /{usr/,}bin/ischroot rix,
/{usr/,}bin/test rix, /{usr/,}bin/test rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
@ -88,6 +89,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/etckeeper rPx, /{usr/,}bin/etckeeper rPx,
/{usr/,}bin/ps rPx, /{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPUx, /{usr/,}bin/snap rPUx,
/{usr/,}bin/systemctl rCx -> systemctl,
/{usr/,}lib/cnf-update-db rPx, /{usr/,}lib/cnf-update-db rPx,
/{usr/,}lib/needrestart/apt-pinvoke rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx,
@{libexec}/zsys-system-autosnapshot rPx, @{libexec}/zsys-system-autosnapshot rPx,
@ -224,6 +226,31 @@ profile apt @{exec_path} flags=(attach_disconnected) {
} }
profile systemctl {
include <abstractions/base>
capability sys_resource,
ptrace (read),
/{usr/,}bin/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/* rw,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,
/dev/kmsg w,
}
include if exists <local/apt> include if exists <local/apt>
} }
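Review bot: The new `systemctl` child profile grants `ptrace (read),` with no `peer=` qualifier, which lets the confined systemctl read the state of every task on the system rather than only the init process it inspects through the adjacent `@{PROC}/1/environ r,` and `@{PROC}/1/sched r,` rules. If those reads are the only reason for the rule, scoping it — for example `ptrace (read) peer=unconfined,` where PID 1 runs unconfined — keeps the grant proportional; confirm against the denials that motivated it. `/dev/kmsg w,` and `capability sys_resource,` also deserve a one-line why-comment each, since it is not obvious why a package manager's systemctl call must write to the kernel log. The child profile has no `include if exists <local/...>` hook, so check whether the project expects one for nested profiles.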


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -27,70 +28,64 @@ profile apt-methods-gpgv @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# The following get "no new privs" so "rix" them # The following get "no new privs" so "rix" them
/{usr/,}bin/apt-key rix,
/{usr/,}bin/apt-config rix, /{usr/,}bin/apt-config rix,
/{usr/,}bin/apt-key rix,
/{usr/,}bin/dpkg rix, /{usr/,}bin/dpkg rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gpg-connect-agent rix, /{usr/,}bin/gpg-connect-agent rix,
/{usr/,}bin/gpgconf rix, /{usr/,}bin/gpgconf rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gpgv rix, /{usr/,}bin/gpgv rix,
/{usr/,}bin/head rix, /{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/base64 rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix, /{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix, /{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mktemp rix, /{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,
/{usr/,}bin/sed rix, /{usr/,}bin/sed rix,
/{usr/,}bin/sort rix, /{usr/,}bin/sort rix,
/{usr/,}bin/touch rix, /{usr/,}bin/touch rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/base64 rix, /usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/usr/share/keyrings/ r,
/usr/share/keyrings/*.{gpg,asc} r,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/keyrings/ r,
/etc/apt/keyrings/*.{gpg,asc} r,
/etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/dpkg/dpkg.cfg r,
/etc/dpkg/dpkg.cfg.d/{,*} r,
# For shell pwd # For shell pwd
/ r, / r,
/etc/ r, /etc/ r,
/root/ r, /root/ r,
/etc/dpkg/dpkg.cfg.d/{,*} r, /var/lib/apt/lists/{,**} r,
/etc/dpkg/dpkg.cfg r, /var/lib/dpkg/arch r,
/var/lib/extrepo/keys/*.{gpg,asc} r,
/var/lib/ubuntu-advantage/apt-esm/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/etc/apt/apt.conf.d/{,*} r, # For package building
/etc/apt/apt.conf r, @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/apt/trusted.gpg r,
/tmp/ r, /tmp/ r,
owner /tmp/apt-key-gpghome.*/ rw, owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt.{conf,sig,data}.* rw, owner /tmp/apt.{conf,sig,data}.* rw,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/arch r,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
# Local keyring storage
/etc/apt/keyrings/ r,
/etc/apt/keyrings/*.{gpg,asc} r,
/usr/share/keyrings/ r,
/usr/share/keyrings/*.{gpg,asc} r,
# Extrepo keyring storage
/var/lib/extrepo/keys/*.{gpg,asc} r,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w, /var/log/cron-apt/temp w,
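Review bot: The reordering drops the `# Local keyring storage` and `# Extrepo keyring storage` comments that documented why `/etc/apt/keyrings/`, `/usr/share/keyrings/` and `/var/lib/extrepo/keys/*.{gpg,asc}` are readable, so the new side keeps only `# For shell pwd` and `# For package building`. Re-adding `# Extrepo keyring storage` above the `/var/lib/extrepo/keys/` rule and `# Local keyring storage` above the `/etc/apt/keyrings/` block would keep the intent visible, because these rules decide which third-party signing keys gpgv may trust. The added `/var/lib/ubuntu-advantage/apt-esm/{,**} r,` could carry a similar note naming the ESM lists it serves.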


@ -17,19 +17,20 @@ profile apt-methods-http @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal (receive) peer=unattended-upgrade,
signal (receive) peer=update-manager,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal (receive) peer=ubuntu-advantage,
signal (receive) peer=unattended-upgrade,
signal (receive) peer=update-manager,
@{exec_path} mr, @{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it # apt-helper gets "no new privs" so "rix" it
@ -47,17 +48,20 @@ profile apt-methods-http @{exec_path} {
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/log/cron-apt/temp w,
/var/lib/apt/lists/{,**} r, /var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw, owner /var/lib/apt/lists/partial/* rw,
/var/cache/apt/ r, # For package building
/var/cache/apt/** rwk, @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
# For the aptitude interactive mode
/tmp/ r, /tmp/ r,
owner /tmp/aptitude-root.*/aptitude-download-* rw, owner /tmp/aptitude-root.*/aptitude-download-* rw,
owner /tmp/apt-changelog-*/*.changelog rw, owner /tmp/apt-changelog-*/*.changelog rw,
@{run}/resolvconf/resolv.conf r, @{run}/resolvconf/resolv.conf r,
@ -65,12 +69,7 @@ profile apt-methods-http @{exec_path} {
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
# For package building
@{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-http> include if exists <local/apt-methods-http>
} }
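Review bot: The added `signal (receive) peer=ubuntu-advantage,` accepts any signal from that peer, whereas the sending side added in this PR (the ubuntu-advantage profile) only grants `signal (send) set=int peer=apt-methods-http,`. Mirroring the restriction as `signal (receive) set=int peer=ubuntu-advantage,` keeps the two profiles consistent and limits what a compromised ubuntu-advantage process can do to the download helper; widen it only if other signals show up in the logs. The remaining `signal (receive)` lines were moved rather than changed, so the same question applies to them only if the project wants to tighten them generally.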


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -17,18 +18,10 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/perl r, /{usr/,}bin/perl r,
/etc/dpkg/origins/debian r, /usr/share/lto-disabled-list/lto-disabled-list r,
# For package building
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
/var/lib/dpkg/status r,
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,
owner @{user_config_dirs}/dpkg/buildflags.conf r,
/usr/local/bin/ r, /usr/local/bin/ r,
/usr/local/sbin/ r, /usr/local/sbin/ r,
/usr/local/lib/ r, /usr/local/lib/ r,
@ -36,5 +29,14 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
/usr/local/include/ r, /usr/local/include/ r,
/usr/local/etc/ r, /usr/local/etc/ r,
/etc/dpkg/origins/* r,
/var/lib/dpkg/status r,
owner @{user_config_dirs}/dpkg/buildflags.conf r,
# For package building
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
include if exists <local/dpkg-genbuildinfo> include if exists <local/dpkg-genbuildinfo>
} }


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{chromium_name} = chrome{,-beta,-unstable} @{chromium_name} = chrome{,-beta,-stable,-unstable}
@{chromium_domain} = com.google.Chrome @{chromium_domain} = com.google.Chrome
@{chromium_lib_dirs} = /opt/google/@{chromium_name} @{chromium_lib_dirs} = /opt/google/@{chromium_name}
@{chromium_config_dirs} = @{user_config_dirs}/google-@{chromium_name} @{chromium_config_dirs} = @{user_config_dirs}/google-@{chromium_name}
@ -22,7 +22,7 @@ profile chrome @{exec_path} {
/{usr/,}bin/man rPUx, # For "chrome --help" /{usr/,}bin/man rPUx, # For "chrome --help"
@{chromium_lib_dirs}/google-chrome{,-beta,-unstable} rPx, @{chromium_lib_dirs}/google-@{chromium_name} rPx,
@{chromium_lib_dirs}/nacl_helper rix, @{chromium_lib_dirs}/nacl_helper rix,
@{chromium_lib_dirs}/xdg-mime rix, #-> xdg-mime, @{chromium_lib_dirs}/xdg-mime rix, #-> xdg-mime,


@ -66,8 +66,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{system_share_dirs}/dbus-1/services/{,**} r, @{system_share_dirs}/dbus-1/services/{,**} r,
# Extra rules for Snap # Extra rules for Snap
/var/lib/snapd/dbus-1/services/ r, /var/lib/snapd/dbus-1/services/{,**} r,
/var/lib/snapd/dbus-1/system-services/ r, /var/lib/snapd/dbus-1/system-services/{,**} r,
owner @{user_share_dirs}/dbus-1/{,**} r, owner @{user_share_dirs}/dbus-1/{,**} r,
@{user_share_dirs}/icc/{,edid-*} r, @{user_share_dirs}/icc/{,edid-*} r,


@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
peer=(name=org.freedesktop.DBus), # all peer's labels peer=(name=org.freedesktop.DBus), # all peer's labels
dbus receive bus=session path=/org/freedesktop/portal/desktop dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings interface=org.freedesktop.{DBus.Properties,portal.Settings}
member={ReadAll,GetAll} member={ReadAll,GetAll}
peer=(name=:*, label=snap.snapd-desktop-integration.snapd-desktop-integration), peer=(name=:*, label=snap.snapd-desktop-integration.snapd-desktop-integration),


@ -33,6 +33,9 @@ profile gnome-terminal-server @{exec_path} {
/{usr/,}bin/micro rPUx, /{usr/,}bin/micro rPUx,
/{usr/,}bin/nvtop rPx, /{usr/,}bin/nvtop rPx,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icu/{,**} r, /usr/share/icu/{,**} r,
/usr/share/X11/xkb/{,**} r, /usr/share/X11/xkb/{,**} r,


@ -18,5 +18,9 @@ profile sftp-server @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
# For scp
owner @{user_download_dirs}/{,**} rwl,
owner @{user_sync_dirs}/{,**} rwl,
include if exists <local/sftp-server> include if exists <local/sftp-server>
} }


@ -22,7 +22,10 @@ profile ssh @{exec_path} {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mrix,
/{usr/,}bin/{,b,d,rb}ash rix,
/{usr/,}bin/{c,k,tc,z}sh rix,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
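Review bot: The new `/{usr/,}bin/{,b,d,rb}ash rix,` and `/{usr/,}bin/{c,k,tc,z}sh rix,` rules let the ssh client spawn shells that inherit the whole ssh profile — its network access and, presumably, its access to private keys and known_hosts outside this hunk — so anything a `ProxyCommand` or `LocalCommand` shell goes on to execute runs with those rights. A comment naming the feature that needs the shell, e.g. `# For ProxyCommand / LocalCommand`, would record the intent; if the commands are known, a child profile (`rCx -> <child-name>` or similar) would confine them more tightly than `ix`. The change of `@{exec_path} mr,` to `mrix,` keeps an ssh re-exec in profile, which is the expected choice here. The enclosing `ssh` profile continues outside the hunk.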


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/openssh/agent-launch
profile ssh-agent-launch @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,z,ba,da}sh rix,
include if exists <local/ssh-agent-launch>
}
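Review bot: The new `ssh-agent-launch` profile allows the wrapper to run only a shell interpreter (`/{usr/,}bin/{,z,ba,da}sh rix,`) and has no exec rule for the agent it launches; if `agent-launch` ends by executing `ssh-agent` — which the name suggests but this hunk cannot confirm — that exec is denied and the user service fails, so a transition such as `/{usr/,}bin/ssh-agent rPx,` is probably needed. The shell list `{,z,ba,da}sh` also differs from the `{,ba,da}sh` and `{,b,d,rb}ash` spellings used elsewhere in this PR; one convention makes the profiles easier to audit.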


@ -22,5 +22,8 @@ profile ssh-keygen @{exec_path} {
owner @{HOME}/@{XDG_SSH_DIR}/ w, owner @{HOME}/@{XDG_SSH_DIR}/ w,
owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,
/dev/tty[0-9]* rw,
/dev/ttyS[0-9]* rw,
include if exists <local/ssh-keygen> include if exists <local/ssh-keygen>
} }


@ -66,23 +66,27 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/passwd rPx, /{usr/,}bin/passwd rPx,
/{usr/,}lib/openssh/sftp-server rPx, /{usr/,}lib/openssh/sftp-server rPx,
/etc/legal r,
/etc/shells r, /etc/shells r,
/etc/default/locale r, /etc/default/locale r,
@{etc_ro}/environment r, @{etc_ro}/environment r,
/etc/gss/mech.d/{,*} r, /etc/gss/mech.d/{,*} r,
/etc/issue.net r, /etc/issue.net r,
/etc/motd r, @{etc_rw}/motd r,
@{etc_ro}/security/limits.d/{,*.conf} r, @{etc_ro}/security/limits.d/{,*.conf} r,
@{etc_ro}/ssh/sshd_config r, @{etc_ro}/ssh/sshd_config r,
@{etc_ro}/ssh/sshd_config.d/{,*} r, @{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/ssh/ssh_host_* r, /etc/ssh/ssh_host_* r,
/var/lib/extrausers/shadow r,
# For scp # For scp
owner @{user_download_dirs}/{,**} rwl, owner @{user_download_dirs}/{,**} rwl,
owner @{user_sync_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl,
owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
owner @{user_cache_dirs}/{,motd*} rw,
@{run}/faillock/[a-zA-z0-9]* rwk, @{run}/faillock/[a-zA-z0-9]* rwk,
@{run}/motd.d/{,*} r, @{run}/motd.d/{,*} r,
@ -108,6 +112,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/uid_map r,
/dev/ptmx rw, /dev/ptmx rw,
/dev/tty[0-9]* rw,
/dev/ttyS[0-9]* rw,
include if exists <local/sshd> include if exists <local/sshd>
} }
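Review bot: The new `/var/lib/extrausers/shadow r,` gives sshd read access to the extrausers password hashes, consistent with the nameservice abstraction change in this PR but a widening of access to credential material; a comment such as `# For libnss-extrausers` next to it would record why. Pre-existing but visible in the hunk, `@{run}/faillock/[a-zA-z0-9]* rwk,` uses the range `A-z` (lower-case z), which also matches `[`, `\`, `]`, `^`, `_` and the backtick and is therefore wider than the intended `[a-zA-Z0-9]`; fixing the case costs nothing. The added `owner @{user_cache_dirs}/{,motd*} rw,` looks intended for pam_motd's per-user cache and would benefit from a short why-comment too.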


@ -9,6 +9,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/hostnamectl @{exec_path} = /{usr/,}bin/hostnamectl
profile hostnamectl @{exec_path} { profile hostnamectl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>
capability net_admin,
dbus send bus=system path=/org/freedesktop/
interface=org.freedesktop.hostname1
member=Set*Hostname
peer=(name=org.freedesktop.hostname1),
@{exec_path} mr, @{exec_path} mr,
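Review bot: The new `dbus send` rule uses `path=/org/freedesktop/` while the matching `dbus receive` rule added to the systemd-hostnamed profile in this PR uses `path=/org/freedesktop/hostname1`; AppArmor matches the object path as written, so a call on `/org/freedesktop/hostname1` is not covered by `path=/org/freedesktop/` and the rule is either dead or truncated in the rendered page — please confirm the file reads `path=/org/freedesktop/hostname1`. `capability net_admin,` is also unexplained: hostnamectl is expected to change the hostname through hostnamed over D-Bus rather than via sethostname(2), so a why-comment, or removal if it only appeared as complain-mode noise, would help the next reader.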


@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-cryptsetup
profile systemd-cryptsetup @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
include <abstractions/disks-write>
include <abstractions/openssl>
capability ipc_lock,
capability net_admin,
capability sys_admin,
@{exec_path} mr,
/etc/fstab r,
@{run}/ r,
@{run}/cryptsetup/ r,
@{run}/cryptsetup/* rwk,
@{run}/systemd/ask-password/* rw,
@{sys}/devices/virtual/bdi/*/read_ahead_kb r,
@{sys}/fs/ r,
@{PROC}/devices r,
owner @{PROC}/@{pid}/mountinfo r,
include if exists <local/systemd-cryptsetup>
}
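Review bot: The new systemd-cryptsetup profile grants `capability ipc_lock,`, `capability net_admin,` and `capability sys_admin,` with no comment on what each is for, which makes later tightening hard; `ipc_lock` is plausibly for locking key material in memory and `sys_admin` for device-mapper ioctls, but `net_admin` is not obvious and deserves a one-line justification or removal if it only showed up as complain-mode noise. The profile also has no rule for key files (for example under `/etc/cryptsetup-keys.d/` or a keyfile path named in crypttab) beyond whatever `disks-write` and `openssl` include; if passphrase-only volumes were the test case, a comment saying so would save the next person a denial hunt.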


@ -22,6 +22,8 @@ profile systemd-environment-d-generator @{exec_path} {
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/environment.d/{,**} r, @{etc_ro}/environment.d/{,**} r,
/snap/snapd/[0-9]*/usr/lib/environment.d/{,*.conf} r,
owner @{user_config_dirs}/environment.d/{,*.conf} r, owner @{user_config_dirs}/environment.d/{,*.conf} r,
/dev/tty rw, /dev/tty rw,


@ -0,0 +1,84 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-homed
profile systemd-homed @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
include <abstractions/disks-write>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/systemd-common>
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setfcap,
capability setgid,
capability setpcap,
capability setuid,
capability sys_admin,
capability sys_resource,
network inet dgram,
network inet6 dgram,
network inet raw,
network inet6 raw,
network netlink raw,
mount options=(rw, rslave) -> @{run}/,
mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,
dbus bind bus=system name=org.freedesktop.home1,
@{exec_path} mr,
/{usr/,}lib/systemd/systemd-homework rPx,
/{usr/,}{s,}bin/mkfs.btrfs rPx,
/{usr/,}{s,}bin/mkfs.fat rPx,
/{usr/,}{s,}bin/mke2fs rPx,
/etc/machine-id r,
/etc/systemd/homed.conf r,
/etc/skel/{,**} r,
/var/lib/systemd/home/{,**} rw,
/ r,
@{HOMEDIRS}/ r,
@{HOMEDIRS}/* rw,
@{HOMEDIRS}/*.homedir/ rw,
@{run}/ r,
@{run}/cryptsetup/{,*} rwk,
@{run}/systemd/home/{,**} rw,
@{run}/systemd/userdb/io.systemd.home r,
@{run}/systemd/user-home-mount/{,**} rw,
@{sys}/bus/ r,
@{sys}/fs/ r,
@{sys}/class/ r,
@{sys}/kernel/uevent_seqnum r,
@{sys}/devices/**/read_ahead_kb r,
@{PROC}/devices r,
@{PROC}/sysvipc/{shm,sem,msg} r,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/uid_map w,
/dev/loop-control rwk,
/dev/loop[0-9]* rw,
/dev/mapper/control rw,
/dev/mqueue/ r,
/dev/shm/ r,
include if exists <local/systemd-homed>
}
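Review bot: `@{HOMEDIRS}/* rw,` lets homed create, write and delete any top-level entry under the home directories, not only the `*.home` LUKS images and `*.homedir` directories it manages, so a bug or compromise in homed could touch every classic user's home entry. If the intent is the image files, `@{HOMEDIRS}/*.home rw,` (adding `k` if homed is seen locking the image) alongside the existing `@{HOMEDIRS}/*.homedir/ rw,` is the narrower rule — confirm against the denials that produced the broad glob. The `mount options=(rw, rslave) -> @{run}/,` rule also merits a why-comment, and the `/dev/loop-control rwk,` plus `/dev/loop[0-9]* rw,` pair could note that it backs LUKS image files.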


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-homework
profile systemd-homework @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
@{exec_path} mr,
/etc/machine-id r,
@{run}/systemd/userdb/ r,
include if exists <local/systemd-homework>
}
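Review bot: The new systemd-homework profile contains only `@{exec_path} mr,`, `/etc/machine-id r,` and `@{run}/systemd/userdb/ r,`, yet it is the target of `/{usr/,}lib/systemd/systemd-homework rPx,` in the homed profile, and as I understand systemd it is the worker rather than homed that performs the LUKS, filesystem and mount work for a home directory. If that holds for the version being confined (this hunk cannot show it), the worker will hit denials on its first real operation; either the disk, mount and capability rules belong here instead of in systemd-homed, or the profile should carry `flags=(complain)` until logs are collected. A short header comment stating which operations were exercised would make that status explicit.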


@ -25,19 +25,24 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
member=CheckAuthorization member=CheckAuthorization
peer=(name=org.freedesktop.PolicyKit1), peer=(name=org.freedesktop.PolicyKit1),
dbus receive bus=system path=/org/freedesktop/hostname[0-9] dbus receive bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.{DBus.Properties,hostname1} interface=org.freedesktop.{DBus.Properties,hostname1}
member={Get,GetAll,SetHostname} member={Get,GetAll,SetHostname}
peer=(name=:*), peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.hostname1
member=Set*Hostname
peer=(name=:*, label=hostnamectl),
dbus bind bus=system dbus bind bus=system
name=org.freedesktop.hostname[0-9], name=org.freedesktop.hostname[0-9],
@{exec_path} mr, @{exec_path} mr,
/etc/.#hostname* rw, @{etc_rw}/.#hostname* rw,
@{etc_rw}/hostname rw,
/etc/.#machine-info?????? rw, /etc/.#machine-info?????? rw,
/etc/hostname rw,
/etc/machine-info rw, /etc/machine-info rw,
@{run}/systemd/default-hostname rw, @{run}/systemd/default-hostname rw,
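Review bot: The new `dbus receive ... member=Set*Hostname peer=(name=:*, label=hostnamectl),` rule adds no restriction in practice, because the rule just above it still allows `member={Get,GetAll,SetHostname}` from `peer=(name=:*)` with no label, so SetHostname from any client remains permitted. If the intent is to limit hostname changes to hostnamectl, drop `SetHostname` from the unrestricted rule (`member={Get,GetAll}`) and keep the label-scoped one; hostnamed's own polkit check remains the primary control, with the AppArmor rule as defence in depth. The `dbus bind ... name=org.freedesktop.hostname[0-9],` line still uses the `[0-9]` glob although the object path was tightened to `hostname1` in this hunk; `name=org.freedesktop.hostname1,` would be consistent.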


@ -65,6 +65,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
/etc/machine-id r, /etc/machine-id r,
/etc/systemd/logind.conf r, /etc/systemd/logind.conf r,
/etc/systemd/sleep.conf r, /etc/systemd/sleep.conf r,
/etc/systemd/logind.conf.d/{,**} r,
/swapfile r, /swapfile r,
/boot/{,**} r, /boot/{,**} r,


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sulogin-shell
profile systemd-sulogin-shell @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
capability net_admin,
capability sys_resource,
@{exec_path} mr,
/{usr/,}{s,}bin/sulogin rPx,
include if exists <local/systemd-sulogin-shell>
}
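Review bot: `/{usr/,}{s,}bin/sulogin rPx,` requires a loaded `sulogin` profile at the moment the emergency or rescue target starts; if none is shipped or it fails to load, the exec is denied and the system is left without an emergency shell, a hard failure in exactly the situation where recovery is needed. Please confirm a `sulogin` profile exists in the set (none is visible in this diff), or add a comment pointing to it; `capability net_admin,` and `capability sys_resource,` would also benefit from one-line justifications.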


@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/lib/systemd/user-generators/systemd-xdg-autostart-generator
profile systemd-user-generators-autostart @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/xdg/autostart/*.desktop r,
owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/systemd-user-generators-autostart>
}
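Review bot: `/etc/xdg/autostart/*.desktop r,` permits reading the desktop files but not listing the directory, and a generator that enumerates autostart entries has to read `/etc/xdg/autostart/` itself; `/etc/xdg/autostart/{,*.desktop} r,` covers both. The generator is also expected to consult the per-user autostart directory (`owner @{user_config_dirs}/autostart/{,*.desktop} r,`), which this profile does not allow; if that is deliberate, a comment should say so, otherwise user-level autostart entries would likely be skipped with only a denial in the log to show for it.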


@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator
profile systemd-user-generators-environment @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/environment.d/{,**} r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/systemd-user-generators-environment>
}
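Review bot: This profile reads only `/etc/environment.d/{,**}`, whereas the existing systemd-environment-d-generator profile touched in this PR reads `@{etc_ro}/environment`, `@{etc_ro}/environment.d/{,**}`, the snapd environment.d path and `owner @{user_config_dirs}/environment.d/{,*.conf}`; the `30-systemd-environment-d-generator` under `user-environment-generators/` is normally the same program, so the two rule sets should match, or this path could simply become a second `@{exec_path}` entry of the existing profile. Using `@{etc_ro}` here would also keep the read-only /etc convention consistent with the other profile.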


@ -0,0 +1,16 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/lib/systemd/user-environment-generators/60-flatpak
profile systemd-user-generators-flatpak @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
include if exists <local/systemd-user-generators-flatpak>
}


@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-userdbd
profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
capability dac_read_search,
capability sys_resource,
network inet dgram,
network inet6 dgram,
network inet raw,
network inet6 raw,
network netlink raw,
@{exec_path} mr,
/{usr/,}lib/systemd/systemd-userwork rPx,
/etc/shadow r,
/etc/machine-id r,
@{run}/systemd/userdb/{,**} rw,
include if exists <local/systemd-userdbd>
}
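Review bot: `/etc/shadow r,` gives the userdbd daemon direct read access to all local password hashes; as I understand the systemd design, the daemon hands lookups to the `systemd-userwork` children it starts via `/{usr/,}lib/systemd/systemd-userwork rPx,`, so the shadow read may belong in the worker profile rather than here (the worker profile in this PR has no shadow rule). Please confirm from the denials which process actually opens `/etc/shadow`, and add a `# For NSS shadow lookups` style comment to whichever profile keeps the rule. The five `network` rules are also unexplained for a local-socket service and merit a comment or a check against the logs.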


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-userwork
profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/systemd-common>
@{exec_path} mr,
/etc/machine-id r,
@{run}/systemd/userdb/ r,
include if exists <local/systemd-userwork>
}


@ -9,13 +9,20 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook @{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook
profile apt-esm-json-hook @{exec_path} { profile apt-esm-json-hook @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/consoles> include <abstractions/consoles>
unix (receive, send) type=stream peer=(label=apt), unix (receive, send) type=stream peer=(label=apt),
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dpkg rPx,
/var/lib/ubuntu-advantage/{,**} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-esm-json-hook> include if exists <local/apt-esm-json-hook>
} }
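Review bot: The added `/{usr/,}bin/dpkg rPx,` transitions to the top-level `dpkg` profile, while the ubuntu-advantage profile in the same PR uses `/{usr/,}bin/dpkg rPx -> child-dpkg,`; if the project's convention is to run dpkg queries from other tools under `child-dpkg`, this line should match, otherwise a short comment on why the full profile is wanted here avoids the inconsistency being "fixed" later. The new `owner @{PROC}/@{pid}/fd/ r,` and `/var/lib/ubuntu-advantage/{,**} r,` lines look appropriate for a hook that reads ESM state.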


@ -15,6 +15,7 @@ profile notify-reboot-required @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gettext rix, /{usr/,}bin/gettext rix,
/{usr/,}bin/snap rPx,
/usr/share/update-notifier/notify-reboot-required r, /usr/share/update-notifier/notify-reboot-required r,


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/update-notifier/notify-updates-outdated
profile notify-updates-outdated @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gettext rix,
include if exists <local/notify-updates-outdated>
}


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pro
profile pro @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/python>
@{exec_path} mr,
include if exists <local/pro>
}
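Review bot: The new `pro` profile is far thinner than the ubuntu-advantage profile updated in this PR (no network, no apt or snap transitions), yet on Ubuntu `/usr/bin/pro` is the newer name of the same client; if it is a symlink to the ubuntu-advantage binary, attachment is decided on the resolved target and this profile would never apply, while if it is a separate script it will be denied at its first network call. Confirm what `/{usr/,}bin/pro` is on the target release; if it is the same program, add it to the ubuntu-advantage `@{exec_path}` list instead of keeping a separate profile.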


@ -65,6 +65,7 @@ profile software-properties-gtk @{exec_path} {
/var/crash/*software-properties-gtk.@{uid}.crash rw, /var/crash/*software-properties-gtk.@{uid}.crash rw,
/var/lib/snapd/desktop/icons/ r, /var/lib/snapd/desktop/icons/ r,
/var/lib/ubuntu-advantage/status.json r,
owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/wayland-[0-9]* rw,


@ -0,0 +1,117 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/subiquity/console-conf-wrapper
profile subiquity-console-conf @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/openssl>
capability chown,
capability fsetid,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/{,da,ba}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/tty rix,
/{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, # TODO: rCx,
/{usr/,}{,s}bin/sshd rPx,
/{usr/,}bin/journalctl rCx -> journalctl,
/{usr/,}bin/ssh-keygen rPx,
/usr/lib/snapd/snap-recovery-chooser rPUx,
/usr/share/netplan/netplan.script rPUx, # TODO: rPx,
/usr/share/subiquity/{,**} r,
/usr/share/subiquity/console-conf-tui rix,
/usr/share/subiquity/console-conf-write-login-details rix,
/var/lib/extrausers/shadow r,
/var/lib/console-conf/{,**} rw,
/var/log/console-conf/{,**} rw,
@{run}/console-conf/{,**} rw,
@{run}/snapd-recovery-chooser-triggered r,
@{run}/snapd.socket rw,
@{run}/udev/data/+acpi:* r,
@{run}/udev/data/+dmi* r,
@{run}/udev/data/+drm* r,
@{run}/udev/data/+input* r, # For mouse, keyboard, touchpad
@{run}/udev/data/+leds:* r,
@{run}/udev/data/+pci* r,
@{run}/udev/data/+platform* r,
@{run}/udev/data/+sound:card* r, # For sound
@{run}/udev/data/c1:[0-9]* r, # For RAM disk
@{run}/udev/data/c4:[0-9]* r, # For TTY devices
@{run}/udev/data/c5:[0-9]* r, # For /dev/tty, /dev/console, /dev/ptmx
@{run}/udev/data/c7:[0-9]* r, # For Virtual console capture devices
@{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features
@{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
@{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
@{run}/udev/data/c89:[0-9]* r, # For I2C bus interface
@{run}/udev/data/c108:[0-9]* r, # For /dev/ppp
@{run}/udev/data/c116:[0-9]* r, # For ALSA
@{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card*
@{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
@{run}/udev/data/c24[0-9]:[0-9]* r,
@{run}/udev/data/c25[0-4]:[0-9]* r,
@{run}/udev/data/n[0-9]* r,
@{sys}/**/devices/ r,
@{sys}/*/*/ r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
@{sys}/devices/virtual/net/{,**} r,
@{PROC}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
/dev/tty[0-9]* rw,
/dev/ttyS[0-9]* rw,
profile journalctl {
include <abstractions/base>
/{usr/,}bin/journalctl mr,
@{run}/log/ rw,
/{run,var}/log/journal/ rw,
/{run,var}/log/journal/@{hex}/ rw,
/{run,var}/log/journal/@{hex}/system.journal* rw,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
owner @{PROC}/@{pid}/stat r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
}
include if exists <local/subiquity-console-conf>
}
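Review bot: The nested `journalctl` child profile grants `rw` on `/{run,var}/log/journal/@{hex}/system.journal*`, `system@@{hex}.journal*` and `user-@{hex}.journal*`; a console-conf wrapper that only displays logs needs `r`, and write access would let a compromised first-boot UI alter or truncate the system journal. Unless the denial logs show journalctl writing (for example a `--vacuum` call), these should be `r`, and `@{run}/log/ rw,` reviewed the same way. In the parent, `/var/lib/extrausers/shadow r,` and the two `# TODO` transitions (`snap rPx, # TODO: rCx,` and `netplan.script rPUx, # TODO: rPx,`) are acknowledged loosenings; a tracking issue reference or `flags=(complain)` would make their status explicit.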


@ -10,10 +10,15 @@ include <tunables/global>
profile ubuntu-advantage @{exec_path} { profile ubuntu-advantage @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/apt-common> include <abstractions/apt-common>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python> include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/openssl>
capability dac_read_search,
capability setgid,
capability setuid,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
@ -21,30 +26,69 @@ profile ubuntu-advantage @{exec_path} {
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
signal (send) set=int peer=apt-methods-http,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/ischroot rix, /{usr/,}bin/ischroot rix,
/{usr/,}bin/apt rPx,
/{usr/,}bin/apt-cache rPx, /{usr/,}bin/apt-cache rPx,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/apt-get rPx, /{usr/,}bin/apt-get rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/ps rPx, /{usr/,}bin/ps rPx,
/{usr/,}bin/snap rPx, /{usr/,}bin/snap rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemctl rCx -> systemctl,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/ubuntu-distro-info rPx,
/{usr/,}lib/apt/apt-helper rix, /{usr/,}lib/apt/apt-helper rix,
/{usr/,}lib/apt/methods/http{,s} rPx, /{usr/,}lib/apt/methods/http{,s} rPx,
/{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx,
/{usr/,}bin/systemd-detect-virt rPx,
/etc/apt/auth.conf.d/{,**} rw,
/etc/apt/trusted.gpg.d/{,**} rw,
/etc/apt/sources.list.d/{,**} rw,
/etc/ubuntu-advantage/{,**} r, /etc/ubuntu-advantage/{,**} r,
/var/lib/ubuntu-advantage/{,**} r, /var/lib/ubuntu-advantage/{,**} rw,
/etc/machine-id r,
owner /tmp/tmp[0-9a-z]*/apt.conf r, owner /tmp/tmp[0-9a-z]*/apt.conf r,
owner /tmp/[0-9a-z]*{,/} rw,
owner /tmp/[0-9a-z]*/apt-helper-output rw,
@{run}/ubuntu-advantage/{,**} rw, @{run}/ubuntu-advantage/{,**} rw,
@{PROC}/version_signature r, @{PROC}/version_signature r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/mounts r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
profile systemctl {
include <abstractions/base>
capability sys_resource,
ptrace (read),
/{usr/,}bin/systemctl mr,
/{usr/,}bin/systemd-tty-ask-password-agent rix,
owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/* rw,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/stat r,
/dev/kmsg w,
}
include if exists <local/ubuntu-advantage> include if exists <local/ubuntu-advantage>
} }
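Review bot: The new `/etc/apt/trusted.gpg.d/{,**} rw` and `/etc/apt/sources.list.d/{,**} rw` grants let this profile add or replace any APT signing key and package source, which is far broader than the client's own entries and carries no comment saying why. If the client only manages its own files (on Ubuntu these appear to be `ubuntu-pro-*`/`ubuntu-advantage-*` keyrings and lists, to be confirmed), narrow the globs to those names, e.g. `/etc/apt/trusted.gpg.d/ubuntu-{advantage,pro}*.gpg rw,`. The `systemctl` child profile also carries an unscoped `ptrace (read),` and `/dev/kmsg w`; if it only inspects PID 1, `ptrace (read) peer=unconfined,` is tighter. `@{PROC}/@{pids}/mountinfo r` without `owner` likewise exposes every process's mount table; add `owner` unless a denial shows it is needed.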


@ -19,7 +19,7 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected)
member=RequestName member=RequestName
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Service/*} dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Services/*}
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect, member=Introspect,


@ -0,0 +1,18 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ubuntu-distro-info
profile ubuntu-distro-info @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/usr/share/distro-info/*.csv r,
include if exists <local/ubuntu-distro-info>
}


@ -22,8 +22,8 @@ profile aa-log @{exec_path} {
/{run,var}/log/journal/ r, /{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex}/ r, /{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r, /{run,var}/log/journal/@{hex}/system*.journal r,
/{run,var}/log/journal/@{hex}/user-@{uid}.journal r, /{run,var}/log/journal/@{hex}/user*.journal r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
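Review bot: The replacement `user*.journal r` drops the trailing wildcard the old rule had, so journal files journald renames to `*.journal~` after an unclean shutdown are no longer readable and journalctl may warn on or skip them; if that is not intended, keep the suffix: `/{run,var}/log/journal/@{hex}/{system,user}*.journal* r,`. The wildcard also widens the user rule from the caller's `@{uid}` to every user journal, which is fine for a root-run tool but deserves a one-line comment.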


@ -23,14 +23,17 @@ profile agetty @{exec_path} {
/{usr/,}bin/login rPx, /{usr/,}bin/login rPx,
/{etc,run,lib,usr/lib}/issue r, /usr/share/subiquity/console-conf-wrapper rPx, # only:core22
/{etc,run,lib,usr/lib}/issue.d/{,*} r,
/{,usr/}lib/os-release r, @{etc_rw}/issue r,
/etc/inittab r, /{,usr/}lib/os-release r,
/etc/os-release r, /{etc,run,lib,usr/lib}/issue r,
/{etc,run,lib,usr/lib}/issue.d/{,*} r,
/etc/inittab r,
/etc/os-release r,
owner @{run}/agetty.reload rw,
@{run}/resolvconf/resolv.conf r, @{run}/resolvconf/resolv.conf r,
owner @{run}/agetty.reload rw,
/dev/tty[0-9]* rw, /dev/tty[0-9]* rw,
owner /dev/ttyGS[0-9]* rw, owner /dev/ttyGS[0-9]* rw,
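Review bot: `@{etc_rw}/issue r` duplicates the `/etc/issue` read already granted by `/{etc,run,lib,usr/lib}/issue r` two lines below; its only effect is the Ubuntu Core writable overlay this commit appends to `@{etc_rw}`, so it deserves the same `# only:core` marker as the console-conf-wrapper line. `/usr/share/subiquity/console-conf-wrapper rPx` requires a profile attached to exactly that path; the console-conf profile visible elsewhere in this commit is named `subiquity-console-conf`, so confirm its `@{exec_path}` covers the wrapper, otherwise the transition is refused rather than falling back.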


@ -24,10 +24,11 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
/usr/share/apparmor/{,**} r, /usr/share/apparmor/{,**} r,
owner /snap/core[0-9]*/[0-9]*/etc/apparmor.d/{,**} r, owner /snap/core[0-9]*/[0-9]*/etc/apparmor.d/{,**} r,
owner /snap/core[0-9]*/[0-9]*/etc/apparmor/* r,
owner /var/cache/apparmor/{,**} rw, owner /var/cache/apparmor/{,**} rw,
owner /var/lib/docker/tmp/docker-default[0-9]* r, owner /var/lib/docker/tmp/docker-default[0-9]* r,
owner /var/lib/snapd/apparmor/{,**} r, owner /var/lib/snapd/apparmor/{,**} r,
owner /var/snap/lxd/common/lxd/security/apparmor/{,**} r, owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
owner /tmp/cri-containerd.apparmor.d[0-9]* r, owner /tmp/cri-containerd.apparmor.d[0-9]* r,
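Review bot: Widening `owner /var/snap/lxd/common/lxd/security/apparmor/{,**}` from `r` to `rw` lets apparmor_parser overwrite the LXD profile sources as well as its cache. If the write is only needed for the cache directory LXD passes via `--cache-loc` (appears to be `.../apparmor/cache/`, to be confirmed against the denial), split the rule: keep `{,**} r` and add `owner /var/snap/lxd/common/lxd/security/apparmor/cache/{,**} rw,`.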


@ -19,7 +19,8 @@ profile fsck @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/e2fsck rPx, /{usr/,}{s,}bin/e2fsck rPx,
/{usr/,}{s,}bin/fsck.* rPx, /{usr/,}sbin/fsck.* rPx,
/{usr/,}bin/fsck.* rPx,
/etc/fstab r, /etc/fstab r,


@ -10,7 +10,7 @@ include <tunables/global>
profile fsck-ext4 @{exec_path} { profile fsck-ext4 @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} rm,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,


@ -58,7 +58,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
dbus receive bus=system path=/ dbus receive bus=system path=/
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll, member={GetAll,SetHints,GetPlugins,GetRemotes}
peer=(name=:*, label=fwupdmgr),
dbus bind bus=system dbus bind bus=system
name=org.freedesktop.fwupd, name=org.freedesktop.fwupd,
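Review bot: `SetHints`, `GetPlugins` and `GetRemotes` appear to be methods of the `org.freedesktop.fwupd` interface rather than of `org.freedesktop.DBus.Properties`, so folding them into the Properties rule (`member={GetAll,SetHints,GetPlugins,GetRemotes}`) is unlikely to match the real calls; a separate `dbus receive bus=system path=/ interface=org.freedesktop.fwupd member={SetHints,GetPlugins,GetRemotes} peer=(name=:*, label=fwupdmgr),` is the usual shape, to be confirmed from the audit log. The added `peer=(name=:*, label=fwupdmgr)` also narrows `GetAll`, which was previously accepted from any caller, so other confined clients would now be denied; the profile is still in complain mode per its header, so check the log before enforcing.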


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -12,10 +13,7 @@ profile groupadd @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To write records to the kernel auditing log.
capability audit_write, capability audit_write,
# To set the right permission to the files in the /etc/ dir.
capability chown, capability chown,
capability fsetid, capability fsetid,
@ -27,8 +25,8 @@ profile groupadd @{exec_path} {
/etc/login.defs r, /etc/login.defs r,
/etc/{group,gshadow} rw, /etc/{group,gshadow} rw,
/etc/{group,gshadow}.@{pid} w,
/etc/{group,gshadow}- w, /etc/{group,gshadow}- w,
/etc/{group,gshadow}.@{pid} w,
/etc/{group,gshadow}+ rw, /etc/{group,gshadow}+ rw,
/etc/group.lock wl -> /etc/group.@{pid}, /etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid}, /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
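Review bot: The comments explaining why `capability audit_write` and `capability chown` are needed were dropped along with the reorder, so the capability list now carries no rationale. Keep a short comment on each, e.g. `capability audit_write, # audit records for account changes` and `capability chown, # set owner/group on the rewritten /etc files`.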


@ -24,9 +24,11 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/false rix,
/{usr/,}{s,}bin/sysctl rPx, /{usr/,}{s,}bin/sysctl rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/false rix,
/{usr/,}bin/id rix,
/{usr/,}bin/true rix, /{usr/,}bin/true rix,
/{usr/,}lib/modprobe.d/{,*.conf} r, /{usr/,}lib/modprobe.d/{,*.conf} r,


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-203 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -32,5 +32,7 @@ profile mandb @{exec_path} flags=(complain) {
/usr/share/**/man/man[0-9]*/*.[0-9]*.gz r, /usr/share/**/man/man[0-9]*/*.[0-9]*.gz r,
owner @{user_share_dirs}/man/** rwk,
include if exists <local/mandb> include if exists <local/mandb>
} }
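Review bot: The new copyright line reads `# Copyright (C) 2021-203 Alexandre Pujol`, where `203` should be `2023`. The added `owner @{user_share_dirs}/man/** rwk` gives mandb write and lock access under a user's `~/.local/share/man`; that looks like the per-user catman database, but a comment such as `# per-user man database` would say so, and the profile remains in complain mode per its header.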


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -11,7 +12,6 @@ profile nft @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To be able to run the nft command.
capability net_admin, capability net_admin,
network netlink raw, network netlink raw,
@ -24,9 +24,9 @@ profile nft @{exec_path} {
owner /etc/nftables/**.nft r, owner /etc/nftables/**.nft r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/nft> include if exists <local/nft>
} }


@ -1,66 +1,53 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# When any of the "*ns" parameters is used, the following error will be printed:
# "Failed name lookup - disconnected path" error=-13 profile="ps" name="".
@{exec_path} = /{usr/,}bin/ps @{exec_path} = /{usr/,}bin/ps
profile ps @{exec_path} flags=(attach_disconnected) { profile ps @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search, capability dac_read_search,
capability sys_ptrace, capability sys_ptrace,
ptrace (read), ptrace (read),
@{exec_path} mr, @{exec_path} mr,
# The "/proc/" dir is needed to avoid the following error:
# error: can not access /proc
# The "stat" file is needed to avoid the following error:
# Error, do this: mount -t proc proc /proc
# The "uptime" file is needed to avoid the following error:
# Error: /proc must be mounted
@{PROC}/ r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/wchan r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/vm/min_free_kbytes r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{sys}/devices/system/node/node[0-9]*/cpumap r, @{sys}/devices/system/node/node[0-9]*/cpumap r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
@{PROC}/ r,
@{PROC}/@{pids}/attr/current r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/environ r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/statm r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/cmdline r,
@{PROC}/@{pids}/task/@{tid}/stat r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/wchan r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/vm/min_free_kbytes r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
owner /dev/tty[0-9]* rw,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,
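Review bot: Removing the comment that explained why `flags=(attach_disconnected)` is set (the `*ns` output options of ps trigger a disconnected-path denial) leaves that flag unexplained on the profile line; keep a short rationale there, e.g. `# attach_disconnected: ps -o *ns otherwise fails with "disconnected path"`. The rationale for `capability sys_ptrace`/`dac_read_search` (reading every process's /proc entries) was dropped too and is worth one comment. The reorder of the `@{PROC}` rules itself changes nothing.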


@ -12,10 +12,20 @@ profile snap @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/disks-read>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability sys_admin,
unix (send, receive) type=stream peer=(label=apt), unix (send, receive) type=stream peer=(label=apt),
mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-[0-9]*/,
dbus (send, receive) bus=session path=/org/freedesktop/
interface=org.freedesktop.systemd1.Manager
member={StartTransientUnit,JobRemoved}
peer=(name=:*, label=unconfined),
dbus send bus=session path=/org/freedesktop/portal/documents dbus send bus=session path=/org/freedesktop/portal/documents
interface=org.freedesktop.portal.Documents interface=org.freedesktop.portal.Documents
member=GetMountPoint member=GetMountPoint
@ -23,6 +33,8 @@ profile snap @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/mount rix,
/{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemctl rPx -> child-systemctl,
/snap/{,**} rw, /snap/{,**} rw,
@ -34,27 +46,34 @@ profile snap @{exec_path} {
/var/lib/snapd/{,**} rwk, /var/lib/snapd/{,**} rwk,
/var/cache/snapd/commands.db rwk, /var/cache/snapd/commands.db rwk,
/var/cache/snapd/names r,
owner @{HOME}/snap/{,**} rw, @{HOME}/snap/{,**} rw,
owner /tmp/snapd-auto-import-mount-[0-9]*/ rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/gdm/Xauthority r,
owner @{run}/user/@{uid}/snapd-session-agent.socket rw, owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/notify rw,
@{run}/mount/utab r,
@{run}/snapd.socket rw, @{run}/snapd.socket rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/features/ r,
owner @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r,
@{PROC}/cgroups r, @{PROC}/cgroups r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/sys/kernel/seccomp/actions_avail r,
@{PROC}/version r, @{PROC}/version r,
/dev/tty[0-9]* rw,
/dev/ttyS[0-9]* rw,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,
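Review bot: The new `mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-[0-9]*/` rule constrains neither the source nor the filesystem type, so together with the added `capability sys_admin` any source can be mounted under a world-writable tmp path; if auto-import only mounts block devices, `mount options=(ro, silent) /dev/** -> /tmp/snapd-auto-import-mount-[0-9]*/,` is tighter (confirm against the audit log). The systemd dbus rule uses `path=/org/freedesktop/` with `interface=org.freedesktop.systemd1.Manager`; systemd's manager object lives at `/org/freedesktop/systemd1`, so this rule most likely never matches. Dropping `owner` from `@{HOME}/snap/{,**} rw` also extends write access to other users' snap directories; if that is for the root case, a comment would help.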


@ -11,6 +11,7 @@ profile snap-device-helper @{exec_path} {
include <abstractions/base> include <abstractions/base>
capability bpf, capability bpf,
capability dac_read_search,
capability setgid, capability setgid,
capability sys_resource, capability sys_resource,


@ -11,6 +11,11 @@ profile snap-discard-ns @{exec_path} {
include <abstractions/base> include <abstractions/base>
capability setgid, capability setgid,
capability sys_admin,
network netlink raw,
umount @{run}/snapd/ns/*.mnt,
@{exec_path} mr, @{exec_path} mr,


@ -14,10 +14,14 @@ profile snap-update-ns @{exec_path} {
capability sys_admin, capability sys_admin,
capability sys_chroot, capability sys_chroot,
network netlink raw,
mount -> /snap/**/, mount -> /snap/**/,
mount -> /usr/**/, mount -> /usr/**/,
mount /snap/**/ -> /tmp/.snap/**, mount -> /var/lib/dhcp/,
mount /snap/**/ -> /tmp/.snap/**,
umount /snap/**/, umount /snap/**/,
umount /var/lib/dhcp/,
@{exec_path} mr, @{exec_path} mr,
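Review bot: `mount -> /var/lib/dhcp/` allows any source and any filesystem type to be mounted over the host's DHCP lease directory. If this is the bind mount snap-update-ns performs for a snap layout, `mount options=(rw, bind) /snap/**/ -> /var/lib/dhcp/,` expresses that and nothing more (take the exact options from the denial that prompted the rule), and a comment naming the snap that needs it would help the next reader.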


@ -38,7 +38,7 @@ profile snapd @{exec_path} {
mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/, mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/,
umount /tmp/syscheck-mountpoint-[0-9]*/, umount /tmp/syscheck-mountpoint-[0-9]*/,
umount /snap/*/[0-9]*/, umount /snap/*/*/,
ptrace (read) peer=snap, ptrace (read) peer=snap,
ptrace (read) peer=unconfined, ptrace (read) peer=unconfined,
@ -55,6 +55,13 @@ profile snapd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}{s,}bin/adduser rPx,
/{usr/,}{s,}bin/groupadd rPx,
/{usr/,}{s,}bin/useradd rPx,
/{usr/,}bin/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
/{usr/,}bin/hostnamectl rPx,
/{usr/,}bin/ssh-keygen rPx,
/{usr/,}{s,}bin/apparmor_parser rPx, /{usr/,}{s,}bin/apparmor_parser rPx,
/{usr/,}{s,}bin/runuser rCx -> runuser, /{usr/,}{s,}bin/runuser rCx -> runuser,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
@ -82,13 +89,14 @@ profile snapd @{exec_path} {
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx,
/{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix,
/usr/share/bash-completion/completions/{,**} r, /usr/share/bash-completion/{,**} r,
/usr/share/dbus-1/{system,session}.d/{,snapd*} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
/usr/share/dbus-1/services/*snap* r, /usr/share/dbus-1/services/*snap* r,
/usr/share/polkit-1/actions/{,**/} r, /usr/share/polkit-1/actions/{,**/} r,
/etc/apparmor.d/*snapd.snap* r, /etc/apparmor.d/*snapd.snap* r,
/etc/dbus-1/system.d/{,**/} r, /etc/dbus-1/system.d/{,**/} r,
/etc/environment r,
/etc/fstab r, /etc/fstab r,
/etc/mime.types r, /etc/mime.types r,
/etc/modprobe.d/{,**/} r, /etc/modprobe.d/{,**/} r,
@ -113,19 +121,26 @@ profile snapd @{exec_path} {
/tmp/syscheck-squashfs-[0-9]* rw, /tmp/syscheck-squashfs-[0-9]* rw,
/tmp/read-file[0-9]*/{,**} rw, /tmp/read-file[0-9]*/{,**} rw,
/boot/ r,
/boot/grub/grubenv r,
/ r, / r,
/home/ r, /home/ r,
@{HOME}/ r, @{HOME}/ r,
@{HOME}/snap/{,**} rw, @{HOME}/snap/{,**} rw,
@{HOME}/.snap*/{,**} rw,
owner @{run}/mount/ rw, owner @{run}/mount/ rw,
owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab{,.*} rw,
owner @{run}/mount/utab.lock wk, owner @{run}/mount/utab.lock wk,
@{run}/user/ r,
@{run}/user/@{uid}/ r, @{run}/user/@{uid}/ r,
@{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/@{uid}/snapd-session-agent.socket rw,
@{run}/user/snap.*/{,**} rw, @{run}/user/snap.*/{,**} rw,
@{run}/mnt/ubuntu-seed/EFI/ubuntu/grubenv r, # only:core
@{run}/snapd*.socket rw, @{run}/snapd*.socket rw,
@{run}/snapd/{,**} rw, @{run}/snapd/{,**} rw,
@{run}/snapd/lock/*.lock rwk, @{run}/snapd/lock/*.lock rwk,
@ -140,6 +155,7 @@ profile snapd @{exec_path} {
@{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/features/ r,
@{sys}/kernel/security/apparmor/profiles r, @{sys}/kernel/security/apparmor/profiles r,
@{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
@{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cgroup r,
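Review bot: `/{usr/,}bin/cloud-init rPUx` runs cloud-init unconfined whenever no `cloud-init` profile is loaded, which is the common case, so the new user- and key-management helpers (`adduser`, `useradd`, `ssh-keygen`) are confined while the most privileged child is not; the inline TODO already hints at this, so spell it out and fix the typo: `/{usr/,}bin/cloud-init rPUx, # TODO: rPx once a cloud-init profile exists (Ubuntu Core only)`. Widening `umount /snap/*/[0-9]*/` to `umount /snap/*/*/` presumably covers the `current` symlink revision and deserves a comment. `@{HOME}/.snap*/{,**} rw` matches any dotfile starting with `.snap`, not only `.snap/`; if only that directory is used, `@{HOME}/.snap/{,**} rw` is what is meant.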


@ -44,15 +44,19 @@ profile sudo @{exec_path} {
member=CreateSession member=CreateSession
peer=(name=org.freedesktop.login[0-9]), peer=(name=org.freedesktop.login[0-9]),
dbus (send receive) bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd.Manager
member={JobRemoved,StartTransientUnit},
@{exec_path} mr, @{exec_path} mr,
/run/ r, @{libexec}/sudo/** mr,
@{libexec}/sudo/** mr, /snap/snapd/[0-9]*/usr/bin/snap rPx,
/{usr/,}bin/{,b,d,rb}ash rUx, /{usr/,}bin/{,b,d,rb}ash rUx,
/{usr/,}bin/{c,k,tc,z}sh rUx, /{usr/,}bin/{c,k,tc,z}sh rUx,
/{usr/,}lib/cockpit/cockpit-askpass rPx, /{usr/,}lib/cockpit/cockpit-askpass rPx,
/{usr/,}lib/molly-guard/molly-guard rPx, /{usr/,}lib/molly-guard/molly-guard rPx,
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r, @{etc_ro}/security/limits.d/{,*} r,
@ -63,6 +67,7 @@ profile sudo @{exec_path} {
/etc/sudoers.d/{,*} r, /etc/sudoers.d/{,*} r,
/var/db/sudo/lectured/ r, /var/db/sudo/lectured/ r,
/var/lib/extrausers/shadow r,
/var/lib/sudo/lectured/ r, /var/lib/sudo/lectured/ r,
/var/lib/sudo/ts/ rw, /var/lib/sudo/ts/ rw,
/var/lib/sudo/ts/* rwk, /var/lib/sudo/ts/* rwk,
@ -72,6 +77,7 @@ profile sudo @{exec_path} {
owner @{HOME}/.sudo_as_admin_successful rw, owner @{HOME}/.sudo_as_admin_successful rw,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
@{run}/ r,
@{run}/faillock/{,*} rwk, @{run}/faillock/{,*} rwk,
@{run}/resolvconf/resolv.conf r, @{run}/resolvconf/resolv.conf r,
owner @{run}/sudo/ rw, owner @{run}/sudo/ rw,
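Review bot: The new dbus rule names `interface=org.freedesktop.systemd.Manager`; the systemd manager interface is `org.freedesktop.systemd1.Manager`, so as written the rule matches nothing and the `StartTransientUnit`/`JobRemoved` traffic it targets will still be logged. Suggested line: `interface=org.freedesktop.systemd1.Manager`. `/snap/snapd/[0-9]*/usr/bin/snap rPx` also needs the `snap` profile's `@{exec_path}` to include the snap-mounted path, otherwise the transition is refused; worth confirming.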


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -12,25 +13,12 @@ profile useradd @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# To create a user home dir and give it proper permissions:
# mkdir("/home/user", 000) = 0
# chown("/home/user", 0, 0) = 0
# chmod("/home/user", 0755) = 0
# chown("/home/user/", 1001, 1001) = 0
# chmod("/home/user/", 0755) = 0
capability chown,
capability fowner,
# To set the set-group-ID bit for the user home dir.
capability fsetid,
# To copy files from the /etc/skel/ dir to the newly created user dir, which now has a different
# owner.
capability dac_read_search,
capability dac_override,
# To write records to the kernel auditing log.
capability audit_write, capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
network netlink raw, network netlink raw,
@ -40,21 +28,20 @@ profile useradd @{exec_path} {
/{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2, /{usr/,}{s,}bin/pam_tally2 rCx -> pam_tally2,
/etc/default/useradd r,
/etc/login.defs r, /etc/login.defs r,
/etc/default/useradd r,
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}+ rw,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/group.lock wl -> /etc/group.@{pid}, /etc/group.lock wl -> /etc/group.@{pid},
/etc/gshadow.lock wl -> /etc/gshadow.@{pid}, /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
/etc/subuid.lock wl -> /etc/subuid.@{pid}, /etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/shadow.lock wl -> /etc/shadow.@{pid},
/etc/subgid.lock wl -> /etc/subgid.@{pid}, /etc/subgid.lock wl -> /etc/subgid.@{pid},
/etc/subuid.lock wl -> /etc/subuid.@{pid},
# A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
# modify the /etc/passwd or /etc/shadow password database. # modify the /etc/passwd or /etc/shadow password database.
@ -69,7 +56,6 @@ profile useradd @{exec_path} {
/var/lib/*/{,*} rw, /var/lib/*/{,*} rw,
/etc/skel/{,.*} r, /etc/skel/{,.*} r,
profile pam_tally2 { profile pam_tally2 {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
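Review bot: The removed block documented, with the observed syscall sequence, why `chown`, `fowner`, `fsetid`, `dac_read_search` and `dac_override` are required (creating the home directory and copying `/etc/skel` into a directory owned by someone else); after the reorder the capability list has no rationale at all. Keep one comment per group, e.g. `# chown/fowner/fsetid: create the home dir and set its ownership and set-group-ID bit` and `# dac_*: copy /etc/skel into the new user's dir`.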


@ -28,4 +28,7 @@
@{libexec}=/{usr/,}lib # Archlinux @{libexec}=/{usr/,}lib # Archlinux
@{libexec}=/{usr/,}libexec # Debian/Ubuntu @{libexec}=/{usr/,}libexec # Debian/Ubuntu
# Integration with Ubuntu Core
@{etc_rw}+=/etc/writable/
include if exists <tunables/extend.d> include if exists <tunables/extend.d>


@ -1,5 +1,5 @@
// aa-log - Review AppArmor generated messages // aa-log - Review AppArmor generated messages
// Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io> // Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
// SPDX-License-Identifier: GPL-2.0-only // SPDX-License-Identifier: GPL-2.0-only
package main package main
@ -20,6 +20,23 @@ import (
"strings" "strings"
) )
const usage = `aa-log [-h] [--systemd] [--dbus] [--file file] [profile]
Review AppArmor generated messages in a colorful way. Supports logs from
auditd, systemd, syslog as well as dbus session events.
It can be given an optional profile name to filter the output with.
Default logs are read from '/var/log/audit/audit.log'. Other files in
'/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1'
Options:
-h, --help Show this help message and exit.
-f, --file FILE Set a logfile or a suffix to the default log file.
-s, --systemd Parse systemd logs from journalctl.
`
// Command line options // Command line options
var ( var (
help bool help bool
@ -104,23 +121,21 @@ func getAuditLogs(path string) (io.Reader, error) {
} }
// getJournalctlLogs return a reader with the logs entries from Systemd // getJournalctlLogs return a reader with the logs entries from Systemd
func getJournalctlLogs(path string, user bool, useFile bool) (io.Reader, error) { func getJournalctlLogs(path string, useFile bool) (io.Reader, error) {
var logs []SystemdLog var logs []SystemdLog
var stdout bytes.Buffer var stdout bytes.Buffer
var value string var value string
if useFile { if useFile {
// content, err := os.ReadFile(filepath.Clean(path))
content, err := ioutil.ReadFile(filepath.Clean(path)) content, err := ioutil.ReadFile(filepath.Clean(path))
if err != nil { if err != nil {
return nil, err return nil, err
} }
value = string(content) value = string(content)
} else { } else {
mode := "--system" // journalctl -b -o json > systemd.log
if user { cmd := exec.Command("journalctl", "--boot", "--output=json")
mode = "--user"
}
cmd := exec.Command("journalctl", mode, "--boot", "--unit=dbus.service", "--output=json")
cmd.Stdout = &stdout cmd.Stdout = &stdout
if err := cmd.Run(); err != nil { if err := cmd.Run(); err != nil {
return nil, err return nil, err
@ -131,6 +146,7 @@ func getJournalctlLogs(path string, user bool, useFile bool) (io.Reader, error)
value = strings.Replace(value, "\n", ",\n", -1) value = strings.Replace(value, "\n", ",\n", -1)
value = strings.TrimSuffix(value, ",\n") value = strings.TrimSuffix(value, ",\n")
value = `[` + value + `]` value = `[` + value + `]`
// fmt.Printf("value: %v\n", value)
if err := json.Unmarshal([]byte(value), &logs); err != nil { if err := json.Unmarshal([]byte(value), &logs); err != nil {
return nil, err return nil, err
} }
@ -189,7 +205,7 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs {
} }
} }
aa["profile"] = decodeHex(aa["profile"]) aa["profile"] = decodeHex(aa["profile"])
toDecode := []string{"profile", "name", "comm"} toDecode := []string{"name", "comm"}
for _, name := range toDecode { for _, name := range toDecode {
if value, ok := aa[name]; ok { if value, ok := aa[name]; ok {
aa[name] = decodeHex(value) aa[name] = decodeHex(value)
@ -267,7 +283,7 @@ func aaLog(logger string, path string, profile string) error {
case "auditd": case "auditd":
file, err = getAuditLogs(path) file, err = getAuditLogs(path)
case "systemd": case "systemd":
file, err = getJournalctlLogs(path, true, path != LogFile) file, err = getJournalctlLogs(path, path != LogFile)
default: default:
err = fmt.Errorf("Logger %s not supported.", logger) err = fmt.Errorf("Logger %s not supported.", logger)
} }
@ -281,21 +297,18 @@ func aaLog(logger string, path string, profile string) error {
func init() { func init() {
flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.BoolVar(&help, "h", false, "Show this help message and exit.")
flag.StringVar(&path, "f", LogFile, flag.BoolVar(&help, "help", false, "Show this help message and exit.")
"Set a log`file` or a suffix to the default log file.") flag.StringVar(&path, "f", LogFile, "Set a logfile or a suffix to the default log file.")
flag.BoolVar(&systemd, "s", false, "Parse systemd dbus logs.") flag.StringVar(&path, "file", LogFile, "Set a logfile or a suffix to the default log file.")
flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.")
flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.")
} }
func main() { func main() {
flag.Usage = func() { fmt.Print(usage) }
flag.Parse() flag.Parse()
if help { if help {
fmt.Printf(`aa-log [-h] [-s] [-f file] [profile] flag.Usage()
Review AppArmor generated messages in a colorful way.
It can be given an optional profile name to filter the output with.
`)
flag.PrintDefaults()
os.Exit(0) os.Exit(0)
} }
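Review bot: `getJournalctlLogs` now runs `journalctl --boot --output=json` with no unit or match filter, so the whole boot's journal is buffered into `stdout` and then string-rewritten into one JSON array before `json.Unmarshal`; on a long-running host that is a large allocation for what is a filter for AppArmor events. A journal match or `--grep=apparmor` (the latter only when journalctl is built with PCRE2) keeps the volume down without the old dbus-only scope, e.g. `cmd := exec.Command("journalctl", "--boot", "--output=json", "--grep=apparmor")`. Dropping the `--user` mode also means session-bus events in the user journal are only seen when the caller can read both journals (root or the systemd-journal group); a sentence in `usage` would avoid surprises.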


@ -94,7 +94,7 @@ func TestAppArmorEvents(t *testing.T) {
}, },
}, },
{ {
name: "dbus system", name: "dbus_system",
event: `type=USER_AVC msg=audit(1111111111.111:1111): pid=1780 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="send" name="org.freedesktop.PolicyKit1" pid=1794 label="snapd" peer_pid=1790 peer_label="polkitd" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"`, event: `type=USER_AVC msg=audit(1111111111.111:1111): pid=1780 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="send" name="org.freedesktop.PolicyKit1" pid=1794 label="snapd" peer_pid=1790 peer_label="polkitd" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"`,
want: AppArmorLogs{ want: AppArmorLogs{
{ {
@ -113,7 +113,7 @@ func TestAppArmorEvents(t *testing.T) {
}, },
}, },
{ {
name: "dbus session", name: "dbus_session",
event: `apparmor="ALLOWED" operation="dbus_bind" bus="session" name="org.freedesktop.portal.Documents" mask="bind" pid=2174 label="xdg-document-portal"`, event: `apparmor="ALLOWED" operation="dbus_bind" bus="session" name="org.freedesktop.portal.Documents" mask="bind" pid=2174 label="xdg-document-portal"`,
want: AppArmorLogs{ want: AppArmorLogs{
{ {
@ -221,13 +221,11 @@ func Test_getJournalctlLogs(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
path string path string
user bool
useFile bool useFile bool
want AppArmorLogs want AppArmorLogs
}{ }{
{ {
name: "gsd-xsettings", name: "gsd-xsettings",
user: true,
useFile: true, useFile: true,
path: "../../tests/systemd.log", path: "../../tests/systemd.log",
want: AppArmorLogs{ want: AppArmorLogs{
@ -255,7 +253,7 @@ func Test_getJournalctlLogs(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
reader, _ := getJournalctlLogs(tt.path, tt.user, tt.useFile) reader, _ := getJournalctlLogs(tt.path, tt.useFile)
if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) { if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) {
t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want)
} }


@ -18,7 +18,7 @@ cc-remote-login-helper complain
cfdisk complain cfdisk complain
cgdisk complain cgdisk complain
child-open complain child-open complain
chronyd complain chronyd attach_disconnected,complain
cockpit-askpass complain cockpit-askpass complain
cockpit-bridge complain cockpit-bridge complain
cockpit-certificate-ensure complain cockpit-certificate-ensure complain
@ -210,9 +210,12 @@ systemd-cat complain
systemd-cgls complain systemd-cgls complain
systemd-cgtop complain systemd-cgtop complain
systemd-coredump attach_disconnected,complain systemd-coredump attach_disconnected,complain
systemd-cryptsetup complain
systemd-dissect complain systemd-dissect complain
systemd-environment-d-generator complain systemd-environment-d-generator complain
systemd-escape complain systemd-escape complain
systemd-homed attach_disconnected,complain
systemd-homework complain
systemd-hostnamed attach_disconnected,complain systemd-hostnamed attach_disconnected,complain
systemd-hwdb attach_disconnected,complain systemd-hwdb attach_disconnected,complain
systemd-id128 complain systemd-id128 complain
@ -236,8 +239,13 @@ systemd-timedated attach_disconnected,complain
systemd-tty-ask-password-agent complain systemd-tty-ask-password-agent complain
systemd-update-done complain systemd-update-done complain
systemd-update-utmp complain systemd-update-utmp complain
systemd-user-generators-autostart complain
systemd-user-generators-environment complain
systemd-user-generators-flatpak complain
systemd-user-runtime-dir complain systemd-user-runtime-dir complain
systemd-user-sessions complain systemd-user-sessions complain
systemd-userdbd attach_disconnected,complain
systemd-userwork complain
systemd-vconsole-setup complain systemd-vconsole-setup complain
systemd-xdg-autostart-generator complain systemd-xdg-autostart-generator complain
tracker-extract complain tracker-extract complain
@ -262,3 +270,129 @@ xdg-permission-store attach_disconnected,complain
xdg-user-dirs-gtk-update complain xdg-user-dirs-gtk-update complain
xdm-xsession complain xdm-xsession complain
xorg attach_disconnected,complain xorg attach_disconnected,complain
# Profiles not commited yet
glib-genmarshal complain
glib-gettextize complain
glib-mkenums complain
gnome-session-custom-session complain
gnome-session-inhibit complain
gnome-session-quit complain
gnome-shell-extension-prefs complain
gnome-shell-extension-tool complain
gnome-shell-hotplug-sniffer complain
gnome-shell-perf-helper complain
gnome-shell-perf-tool complain
gnome-shell-portal-helper complain
gnome-tweak-tool-lid-inhibitor complain
homectl complain
loginctl complain
machinectl complain
nfsdcld complain
oomctl complain
podman attach_disconnected,complain
prime-switch complain
qrencode complain
splunkforwarder complain
systemd-bless-boot complain
systemd-boot-check-no-failures complain
systemd-cgroups-agent
systemd-export complain
systemd-growfs complain
systemd-hibernate-resume complain
systemd-import complain
systemd-import-fs complain
systemd-importd complain
systemd-journal-gatewayd complain
systemd-journal-remote complain
systemd-journal-upload complain
systemd-network-generator complain
systemd-notify complain
systemd-pstore complain
systemd-pull complain
systemd-quotacheck complain
systemd-repart complain
systemd-reply-password complain
systemd-run complain
systemd-socket-activate complain
systemd-socket-proxyd complain
systemd-stdio-bridge complain
systemd-sulogin-shell complain
systemd-sysext complain
systemd-time-wait-sync complain
systemd-xdg-autostart-condition complain
timedatectl complain
virtiofsd complain
virtlockd complain
hwsim complain
iwdmon complain
nvidia-settings complain
gkbd-keyboard-display complain
mullvad-setup complain
# Work in Progress
bwrap attach_disconnected,complain
bwrap-default attach_disconnected,mediate_deleted,complain
cni-bridge complain
cni-firewall complain
cni-portmap complain
cni-tuning complain
ctop complain
dbus-broker complain
dbus-broker-launch complain
fprintd-delete complain
fprintd-enroll complain
fprintd-list complain
fprintd-verify complain
install-catalog complain
lazydocker complain
losetup complain
modprobed-db complain
mount-ntfs-3g complain
multipathd complain
rpc.idmapd complain
rpc.mountd complain
rpc.statd complain
rpcbind complain
smbspool complain
tomb complain
tomb-kdb-pbkdf2 complain
virt-aa-helper complain
virtlogd complain
virtnetworkd complain
virtnodedevd complain
virtqemud attach_disconnected,complain
virtstoraged attach_disconnected,complain
virtxend attach_disconnected,complain
# Debian server dev
cracklib-packer complain
cron-cracklib complain
cron-etckeeper complain
cron-sysstat complain
sysstat complain
update-cracklib complain
# Ubuntu
# Whonix
mate-notification-daemon complain
# Flatpak slow dev
flatpak-oci-authenticator complain
flatpak-portal attach_disconnected,complain
flatpak-system-helper complain
flatpak-validate-icon complain
# GDM
gdm-host-chooser complain
gdm-simple-chooser complain
# Simple when used for extension, more complex for javascript based gnome app.
gjs-console attach_disconnected,complain
# Not easy
portmaster-start complain
# Require firewall rules for firewalld first
firewall-applet complain
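Review bot: `systemd-cgroups-agent` in the "Profiles not commited yet" block is the only entry in this file with no flags column, so whatever consumes the second field will presumably treat it as enforce mode (or as a malformed line) while every neighbour is in complain mode; if that is not deliberate, change it to `systemd-cgroups-agent complain`, otherwise a short comment on that line saying it is intentionally enforced would stop the next reader from "fixing" it. The block's header comment also has a typo, `# Profiles not committed yet`. In the same hunk the `# Ubuntu` heading has no entries under it and `mate-notification-daemon` sits under `# Whonix`, which looks like a leftover from reordering; either drop the empty heading or move the entry. This is the section's last hunk; the first hunk of this file (`chronyd`) only adds `attach_disconnected` and needs no change.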


@ -8,8 +8,8 @@ As there are a lot of rules, it is recommended to enable caching AppArmor profil
In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`.
```sh ```sh
echo 'write-cache' | sudo tee /etc/apparmor/parser.conf echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf
echo 'Optimize=compress-fast' | sudo tee /etc/apparmor/parser.conf echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
``` ```
!!! info !!! info


@ -33,20 +33,20 @@ follow the guidelines presented here.
The rules in the profile should be sorted in the rule ***block*** as follows: The rules in the profile should be sorted in the rule ***block*** as follows:
1. `include` 1. [`include`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#include-statements)
1. `set rlimit` 1. [`set rlimit`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#rlimit-rules)
1. `capability` 1. [`capability`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#capability-rules)
1. `network` 1. [`network`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#network-rules)
1. `mount` 1. [`mount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#mount-rules-apparmor-28-and-later)
1. `remount` 1. [`remount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#remount)
1. `umount` 1. [`umount`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#umount)
1. `pivot_root` 1. [`pivot_root`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#pivot_root)
1. `change_profile` 1. [`change_profile`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#change_profile)
1. `signal` 1. [`signal`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#signals)
1. `ptrace` 1. `ptrace`
1. `unix` 1. `unix`
1. `dbus` 1. [`dbus`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#dbus-rules)
1. `file` 1. [`file`](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#file-access-rules)
1. local include 1. local include
This rule order is taken from AppArmor with minor changes as we tend to: This rule order is taken from AppArmor with minor changes as we tend to:


@ -138,6 +138,26 @@ Here is an overview of the current children profile:
of the time you will need more privilege than what this profile is giving you. of the time you will need more privilege than what this profile is giving you.
## Browsers
Chromium based browsers share a similar structure. Therefore, they share the same
abstraction: [`abstractions/chromium`][chromium] that includes most of the profile content.
This abstraction requires the following variables definied in the profile header:
```sh
@{chromium_name} = chromium
@{chromium_domain} = org.chromium.Chromium
@{chromium_lib_dirs} = /{usr/,}lib/chromium
@{chromium_config_dirs} = @{user_config_dirs}/chromium
@{chromium_cache_dirs} = @{user_cache_dirs}/chromium
```
If your application requires chromium to run (like electron) use
[`abstractions/chromium-common`][chromium-common] instead.
[chromium]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium
[chromium-common]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium-common
## Udev rules ## Udev rules
See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`. See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`.