From f20aa4f5487d7cfb21a9cc5443abe37d582c8dff Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 14 Jan 2023 13:28:21 +0000
Subject: [PATCH] feat(profiles): general update.

---
 apparmor.d/groups/bus/dbus-daemon | 1 +
 .../gnome/gnome-control-center-print-renderer | 1 +
 apparmor.d/groups/gnome/gsd-media-keys | 11 ++++---
 apparmor.d/groups/gnome/gsd-xsettings | 1 +
 apparmor.d/groups/gnome/nautilus | 1 +
 .../groups/pacman/archlinux-keyring-wkd-sync | 1 +
 .../groups/ubuntu/check-new-release-gtk | 2 +-
 apparmor.d/groups/virt/docker-proxy | 22 +++++++++++++
 apparmor.d/groups/virt/dockerd | 1 +
 apparmor.d/profiles-a-f/aa-log | 30 +++++++----------
 apparmor.d/profiles-g-l/keepassxc-proxy | 7 ++--
 apparmor.d/profiles-s-z/udisksd | 32 ++++++++++++-------
 dists/flags/main.flags | 1 +
 13 files changed, 70 insertions(+), 41 deletions(-)
 create mode 100644 apparmor.d/groups/virt/docker-proxy

diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 595dd7854..42d15afba 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -48,6 +48,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
 /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
+ /usr/share/org.gnome.Characters/org.gnome.Characters rPx,
 /usr/share/gnome-documents/org.gnome.Documents rPx,
 /etc/dbus-1/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index 742c3c000..4b07ee940 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -31,6 +31,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
 /usr/share/egl/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/icons/{,**} r,
+ /usr/share/libdrm/*.ids r,
 /usr/share/mime/mime.cache r,
 /usr/share/pixmaps/{,**} r,
 /usr/share/X11/xkb/** r,
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index b24ac846f..605ce14d7 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -167,17 +167,17 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 /usr/share/sounds/freedesktop/stereo/*.oga r,
 /usr/share/X11/xkb/** r,
+ /var/lib/gdm{3,}/.config/dconf/user r,
+ /var/lib/gdm{3,}/greeter-dconf-defaults r,
+ /var/lib/gdm{3,}/.config/pulse/client.conf r,
+ /var/lib/gdm{3,}/.config/pulse/cookie rk,
+
 owner @{user_config_dirs}/pulse/ rw,
 owner @{user_share_dirs}/ r,
 owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
 owner @{user_share_dirs}/recently-used.xbel{,.*} rw,
- /var/lib/gdm{3,}/.config/dconf/user r,
- /var/lib/gdm{3,}/greeter-dconf-defaults r,
- /var/lib/gdm{3,}/.config/pulse/client.conf r,
- /var/lib/gdm{3,}/.config/pulse/cookie rk,
-
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@@ -186,6 +186,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 owner /dev/tty[0-9]* rw,
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{sys}/devices/platform/**/uevent r,
 @{sys}/devices/**/usb[0-9]/{,**} r,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 97f284ab4..83edc8c8b 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -128,6 +128,7 @@ profile gsd-xsettings @{exec_path} {
 @{libexec}/ibus-x11 rPx,
 /usr/share/dconf/profile/gdm r,
+ /usr/share/gdm/greeter-dconf-defaults r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/libdrm/*.ids r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index aceca3104..a192436cb 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -85,6 +85,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
 @{sys}/devices/pci[0-9]*/**/revision r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
 @{PROC}/@{pids}/net/wireless r,
 @{PROC}/sys/dev/i915/perf_stream_paranoid r,
diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
index b6ffe7f3d..1c3dc50e1 100644
--- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
@@ -24,6 +24,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
 /{usr/,}bin/bash rix,
 /{usr/,}bin/dirmngr rix,
 /{usr/,}bin/gpg rix,
+ /{usr/,}bin/gpg-agent rix,
 /{usr/,}bin/pacman-conf rix,
 /etc/pacman.conf r,
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
index 62d30d46a..0b95a73d7 100644
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -55,9 +55,9 @@ profile check-new-release-gtk @{exec_path} {
 owner @{run}/user/@{uid}/wayland-[0-9] rw,
- owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/mountinfo r,
 @{PROC}/@{pids}/mounts r,
+ owner @{PROC}/@{pid}/fd/ r,
 include if exists
 }
diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy
new file mode 100644
index 000000000..f9295420d
--- /dev/null
+++ b/apparmor.d/groups/virt/docker-proxy
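Review bot: `/{usr/,}bin/gpg-agent rix,` runs the agent by inheritance inside the sync profile, and gpg-agent is a long-lived daemon that can outlive the sync run, so every later access it makes is judged against this profile rather than against an agent-specific one. That is consistent with the neighbouring `gpg` and `dirmngr` rix rules, so it may be deliberate; if the repository already carries a gpg-agent profile, `rPx` (or an `rCx` child) would keep the agent's keyring access separately auditable. Either way a one-line comment recording the choice would help, e.g. `# gpg-agent is started during the sync; kept inherited on purpose — TODO confirm`.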
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/docker-proxy
+profile docker-proxy @{exec_path} {
+ include
+
+ capability net_admin,
+
+ @{exec_path} mr,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ @{PROC}/sys/net/core/somaxconn r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index d68950b33..78284fcaa 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -57,6 +57,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}{s,}bin/xtables-nft-multi rix,
 /{usr/,}bin/containerd rPx,
 /{usr/,}bin/docker-init rix,
+ /{usr/,}bin/docker-proxy rPx,
 /{usr/,}bin/kmod rPx,
 /{usr/,}bin/ps rPx,
 /{usr/,}bin/unpigz rix,
diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log
index 1f8b7f015..dd5e60c88 100644
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
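Review bot: The new docker-proxy profile grants `capability net_admin,` but contains no `network` rule, so any socket the binary opens (its name suggests it relays published ports) is currently tolerated only because `dists/flags/main.flags` puts the profile in `complain`; those operations will be denied as soon as the flag is removed. Before that happens the profile needs the rules the proxy actually uses, e.g. `network inet stream,` / `network inet6 stream,` and the `dgram` equivalents if UDP is forwarded, or a comment explaining why none are required. A short comment above `capability net_admin,` naming the operation that needs it would also make that broad grant reviewable. The `abi ,` and bare `include` lines appear to have lost their angle-bracketed targets in this rendering rather than in the commit itself.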
@@ -13,30 +13,22 @@ profile aa-log @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/journalctl rCx -> journalctl,
+ /{usr/,}bin/journalctl rix,
+
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
 /var/log/audit/* r,
+ /{run,var}/log/journal/ r,
+ /{run,var}/log/journal/@{hex}/ r,
+ /{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r,
+ /{run,var}/log/journal/@{hex}/user-@{uid}.journal r,
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- profile journalctl {
- include
- include
-
- /{usr/,}bin/journalctl mr,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- /{run,var}/log/journal/ r,
- /{run,var}/log/journal/@{hex}/ r,
- /{run,var}/log/journal/@{hex}/user-@{uid}*.journal* r,
- /{run,var}/log/journal/@{hex}/user-@{uid}.journal r,
-
- @{PROC}/sys/kernel/random/boot_id r,
- @{PROC}/sys/kernel/cap_last_cap r,
-
- }
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/cap_last_cap r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy
index c73a811ab..b518f128d 100644
--- a/apparmor.d/profiles-g-l/keepassxc-proxy
+++ b/apparmor.d/profiles-g-l/keepassxc-proxy
@@ -22,6 +22,8 @@ profile keepassxc-proxy @{exec_path} {
 @{exec_path} mr,
+ /usr/share/icons/*/index.theme r,
+
 owner @{run}/user/@{pid}/org.keepassxc.KeePassXC.BrowserServer rw,
 # file_inherit
@@ -29,7 +31,6 @@ profile keepassxc-proxy @{exec_path} {
 deny owner @{run}/user/@{uid}/kpxc_server rw,
 deny /dev/shm/org.chromium.* rw,
 deny owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw,
- #
 deny owner @{HOME}/.mozilla/** rw,
 deny owner @{user_cache_dirs}/mozilla/** rw,
 deny owner @{MOUNTS}/.mozilla/** rw,
@@ -38,9 +39,7 @@ profile keepassxc-proxy @{exec_path} {
 deny owner /tmp/tmpaddon r,
 deny owner @{user_config_dirs}/google-chrome/** rw,
 deny owner @{user_config_dirs}/chromium/** rw,
- #
- /usr/share/icons/*/index.theme r,
- #
+
 owner @{HOME}/.xsession-errors w,
 /dev/dri/renderD128 rw,
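Review bot: Replacing `rCx -> journalctl` with `/{usr/,}bin/journalctl rix,` removes the separate child confinement, so journalctl now runs with every rule aa-log has (including `/var/log/audit/* r,`) and aa-log itself gains the journal reads that used to be scoped to the child; the change widens access in both directions even though the merged rule list looks tidy. If the repository has a standalone journalctl profile, `/{usr/,}bin/journalctl rPx,` would keep the two confinements apart while still dropping the duplicated child block; otherwise a comment such as `# journalctl runs inherited: its rules are merged below on purpose` would record that the widening is intended. The hunk also interleaves the new journal rules between `/var/log/audit/* r,` and the `@{sys}` line without the blank-line grouping the rest of the file uses, which the collapsed rendering may simply have hidden.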
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 5ac4ac51d..2ae3d0f2d 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -19,6 +19,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 capability chown,
 capability dac_override,
 capability dac_read_search,
+ capability fowner,
+ capability fsetid,
 capability setgid,
 capability setuid,
 capability sys_admin,
@@ -44,9 +46,13 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
 mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
+ # Allow mounting on temporary mount point
+ mount -> @{run}/udisks2/temp-mount-*/,
+
 # Allow unmounting
 umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
+ umount @{run}/udisks2/temp-mount-*/,
 umount /media/cdrom[0-9]/,
 dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
@@ -85,18 +91,20 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/umount rix,
- /{usr/,}{s,}bin/dmidecode rPx,
- /{usr/,}{s,}bin/dumpe2fs rPx,
- /{usr/,}{s,}bin/fsck.fat rPx,
- /{usr/,}{s,}bin/lvm rPUx,
- /{usr/,}{s,}bin/mke2fs rPx,
- /{usr/,}{s,}bin/mkfs.btrfs rPx,
- /{usr/,}{s,}bin/mkfs.fat rPx,
- /{usr/,}bin/eject rPx,
- /{usr/,}bin/ntfs-3g rPx,
- /{usr/,}bin/ntfsfix rPx,
- /{usr/,}bin/systemctl rPx -> child-systemctl,
- /{usr/,}bin/systemd-escape rPx,
+ /{usr/,}{s,}bin/dmidecode rPx,
+ /{usr/,}{s,}bin/dumpe2fs rPx,
+ /{usr/,}{s,}bin/fsck.fat rPx,
+ /{usr/,}{s,}bin/lvm rPUx,
+ /{usr/,}{s,}bin/mke2fs rPx,
+ /{usr/,}{s,}bin/mkfs.btrfs rPx,
+ /{usr/,}{s,}bin/mkfs.ext{2,3,4} rPx,
+ /{usr/,}{s,}bin/mkfs.fat rPx,
+ /{usr/,}bin/eject rPx,
+ /{usr/,}bin/ntfs-3g rPx,
+ /{usr/,}{s,}bin/sfdisk rPx,
+ /{usr/,}bin/ntfsfix rPx,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/systemd-escape rPx,
 /etc/udisks2/{,**} r,
 /etc/libblockdev/{,**} r,
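Review bot: `capability fowner,` and `capability fsetid,` are added to udisksd without any note of which operation needs them; alongside the existing `chown`, `dac_override` and `sys_admin` grants they let the daemon bypass owner checks and keep setuid/setgid bits on files it rewrites, so the justification belongs next to the rules. Something like `# fowner, fsetid: required by <operation — TODO confirm against the denial that prompted this>` above the two lines would let the next reviewer verify the grant instead of re-deriving it. The capability block starts before this hunk, so I cannot tell whether an earlier comment already covers the set.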
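Review bot: `mount -> @{run}/udisks2/temp-mount-*/,` constrains only the target directory: unlike the surrounding `mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/... -> @{MOUNTS}/*/,` rules it carries no `fstype=` list and no source pattern, so any filesystem type from any source may be mounted there. If the temporary mount point serves the same device classes, mirroring the existing restriction keeps the policy consistent, e.g. `mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} -> @{run}/udisks2/temp-mount-*/,`. If the wider rule is intentional (loop-backed images, for instance), extending the `# Allow mounting on temporary mount point` comment to say so would spare the next reader the same question.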
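Review bot: `/{usr/,}{s,}bin/sfdisk rPx,` is inserted between `ntfs-3g` and `ntfsfix`, breaking the grouping the rest of the list keeps (`{s,}bin` entries first, in alphabetical order, then `bin` entries) and which the new `mkfs.ext{2,3,4}` line respects; move it up after `/{usr/,}{s,}bin/mkfs.fat rPx,`. Both new `rPx` transitions also presuppose target profiles for `sfdisk` and for `mkfs.ext{2,3,4}` that this commit does not add — if they are not already in the repository, those execs fail under enforce mode, and `rPUx` (as used for `lvm`) would be the fallback to consider. The remaining twelve removed/re-added lines differ only in column alignment, which the collapsed rendering cannot show.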
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 8ff3b91a8..a2768d986 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -46,6 +46,7 @@ cups-browsed complain
 cups-pk-helper-mechanism complain
 cupsd attach_disconnected,complain
 dkms attach_disconnected,complain
+docker-proxy complain
 dockerd attach_disconnected,complain
 downloadhelper complain
 e2fsck complain