feat(profile): move away from old or too wide abstractions.

2025-06-19 23:55:20 +02:00 · 2025-06-19 23:55:20 +02:00 · f29041576e
commit f29041576e
parent 033a7475e0
19 changed files with 84 additions and 86 deletions
--- a/apparmor.d/groups/browsers/opera-crashreporter
+++ b/apparmor.d/groups/browsers/opera-crashreporter
@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/nameservice>
+  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  ptrace (trace, read) peer=opera,
--- a/apparmor.d/groups/filesystem/udiskie
+++ b/apparmor.d/groups/filesystem/udiskie
@ -11,16 +11,12 @@ include <tunables/global>
 profile udiskie @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
-  include <abstractions/X>
-  include <abstractions/fonts>
+  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
+  include <abstractions/graphics>
  include <abstractions/python>
-  include <abstractions/user-download-strict>
  include <abstractions/thumbnails-cache-read>
-  include <abstractions/mesa>
-  include <abstractions/dri-enumerate>
+  include <abstractions/user-download-strict>

  @{exec_path} r,
  @{python_path} r,
--- a/apparmor.d/groups/hyprland/hyprpm
+++ b/apparmor.d/groups/hyprland/hyprpm
@ -11,7 +11,6 @@ profile hyprpm @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
-  include <abstractions/user-tmp>

  network inet dgram,
  network inet stream,
--- a/apparmor.d/groups/network/nm-dhcp-helper
+++ b/apparmor.d/groups/network/nm-dhcp-helper
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper
 profile nm-dhcp-helper @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dbus>
+  include <abstractions/bus-system>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/groups/usb/usbguard-applet-qt
+++ b/apparmor.d/groups/usb/usbguard-applet-qt
@ -10,22 +10,21 @@ include <tunables/global>
@{exec_path} = @{bin}/usbguard-applet-qt
 profile usbguard-applet-qt @{exec_path} {
  include <abstractions/base>
-  include <abstractions/X>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
-  include <abstractions/qt5>
-  include <abstractions/qt5-compose-cache-write>
+  include <abstractions/desktop>
  include <abstractions/dri-enumerate>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
+  include <abstractions/qt5-compose-cache-write>

  # Needed?
  ptrace (read),

  @{exec_path} mr,

+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
  owner @{user_config_dirs}/USBGuard/ rw,
  owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int},

@ -37,11 +36,6 @@ profile usbguard-applet-qt @{exec_path} {

  owner @{PROC}/@{pid}/cmdline r,

-  /usr/share/hwdata/pnp.ids r,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
  include if exists <local/usbguard-applet-qt>
 }

--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -17,8 +17,9 @@ include <tunables/global>
@{exec_path} = @{sbin}/libvirtd
 profile libvirtd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/consoles>
-  include <abstractions/dbus>
  include <abstractions/devices-usb>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/profiles-a-f/atftpd
+++ b/apparmor.d/profiles-a-f/atftpd
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/atftpd
 profile atftpd @{exec_path} {
  include <abstractions/base>
-  include <abstractions/nameservice>
+  include <abstractions/nameservice-strict>
  # For libwrap (TCP Wrapper) support
  include <abstractions/hosts_access>

@ -18,6 +18,12 @@ profile atftpd @{exec_path} {
  capability setgid,
  capability setuid,

+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
  @{exec_path} mr,

  # FTP dirs (add "w" if you need write permissions and hence upload files)
--- a/apparmor.d/profiles-a-f/dhclient-script
+++ b/apparmor.d/profiles-a-f/dhclient-script
@ -10,13 +10,19 @@ include <tunables/global>
@{exec_path} = @{bin}/dhclient-script
 profile dhclient-script @{exec_path} {
  include <abstractions/base>
-  include <abstractions/nameservice>
+  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  capability net_admin,
  capability sys_admin,
  audit capability sys_module,

+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
  @{exec_path} mr,

  @{sh_path}          mrix,
--- a/apparmor.d/profiles-a-f/dumpcap
+++ b/apparmor.d/profiles-a-f/dumpcap
@ -10,16 +10,14 @@ include <tunables/global>
@{exec_path} = @{bin}/dumpcap
 profile dumpcap @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
-  include <abstractions/dbus>
-  include <abstractions/dbus-session>

  # To capture packekts
  capability net_raw,
  capability net_admin,

-  signal (receive) peer=wireshark,
-
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
@ -27,6 +25,8 @@ profile dumpcap @{exec_path} {
  network packet raw,
  network bluetooth raw,

+  signal (receive) peer=wireshark,
+
  dbus (eavesdrop) bus=session,

  @{exec_path} mr,
--- a/apparmor.d/profiles-a-f/ffplay
+++ b/apparmor.d/profiles-a-f/ffplay
@ -11,10 +11,9 @@ include <tunables/global>
 profile ffplay @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
-  include <abstractions/freedesktop.org>
+  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
-  include <abstractions/X>

  network inet stream,
  network inet6 stream,
--- a/apparmor.d/profiles-a-f/fritzing
+++ b/apparmor.d/profiles-a-f/fritzing
@ -10,16 +10,13 @@ include <tunables/global>
@{exec_path} = @{bin}/fritzing{,.real}
 profile fritzing @{exec_path} {
  include <abstractions/base>
-  include <abstractions/X>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/nameservice-strict>
-  include <abstractions/mesa>
+  include <abstractions/desktop>
  include <abstractions/dri-enumerate>
-  include <abstractions/qt5>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
  include <abstractions/qt5-settings-write>
+  include <abstractions/qt5>

  network inet dgram,
  network inet6 dgram,
@ -30,26 +27,25 @@ profile fritzing @{exec_path} {

  @{exec_path} mrix,

+  /usr/share/fritzing/{,**} r,
+  /usr/share/hwdata/pnp.ids r,
+
+  /etc/debian_version r,
+  /etc/fstab r,
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
+
  owner @{user_config_dirs}/Fritzing/ rw,
  owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**,

  owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw,
  owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw,

-  /usr/share/fritzing/{,**} r,
+  owner @{run}/lock/LCK..ttyACM[0-9]* rwk,

-  /usr/share/hwdata/pnp.ids r,
-
-  owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/mounts r,
-
-  /etc/fstab r,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
-  /etc/debian_version r,
+  @{run}/udev/data/c4:@{int}   r,         # for /dev/tty[0-9]*
+  @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
+  @{run}/udev/data/c166:@{int} r,         # for /dev/ttyACM[0-9]*

  @{sys}/bus/ r,
  @{sys}/class/ r,
@ -57,15 +53,13 @@ profile fritzing @{exec_path} {
  @{sys}/devices/**/tty*/uevent r,
  @{sys}/devices/**/tty/**/uevent r,

-  @{run}/udev/data/c4:@{int}   r,         # for /dev/tty[0-9]*
-  @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
-  @{run}/udev/data/c166:@{int} r,         # for /dev/ttyACM[0-9]*
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,

  /dev/ttyS@{int} rw,
  /dev/ttyACM@{int} rw,

-  owner @{run}/lock/LCK..ttyACM[0-9]* rwk,
-
  include if exists <local/fritzing>
 }

--- a/apparmor.d/profiles-g-l/light-locker
+++ b/apparmor.d/profiles-g-l/light-locker
@ -11,19 +11,12 @@ include <tunables/global>
 profile light-locker @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
-  include <abstractions/X>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
+  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
-  include <abstractions/wayland>

  @{exec_path} mr,

-        @{PROC}/1/cgroup r,
-  owner @{PROC}/@{pid}/cgroup r,
-
  # when locking the screen and switching/closing sessions
  @{run}/systemd/sessions/* r,

@ -33,6 +26,9 @@ profile light-locker @{exec_path} {
  @{sys}/devices/@{pci}/subsystem_vendor r,
  @{sys}/devices/@{pci}/subsystem_device r,

+        @{PROC}/1/cgroup r,
+  owner @{PROC}/@{pid}/cgroup r,
+
  # file_inherit
  owner /dev/tty@{int} rw,

--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@ -10,19 +10,15 @@ include <tunables/global>
@{exec_path} = @{bin}/mkvtoolnix-gui
 profile mkvtoolnix-gui @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dri-enumerate>
+  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
-  include <abstractions/qt5>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-settings-write>
+  include <abstractions/qt5>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
-  include <abstractions/X>

  signal (send) set=(term, kill) peer=mkvmerge,

--- a/apparmor.d/profiles-m-r/netstat
+++ b/apparmor.d/profiles-m-r/netstat
@ -13,12 +13,18 @@ include <tunables/global>
 profile netstat @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/nameservice>
+  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability sys_ptrace,
  capability syslog,

+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
  ptrace (trace,read),

  @{exec_path} rmix,
--- a/apparmor.d/profiles-m-r/pcb-gtk
+++ b/apparmor.d/profiles-m-r/pcb-gtk
@ -10,13 +10,9 @@ include <tunables/global>
@{exec_path} = @{bin}/pcb-gtk
 profile pcb-gtk @{exec_path} {
  include <abstractions/base>
-  include <abstractions/X>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
+  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/dri-enumerate>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>

--- a/apparmor.d/profiles-s-z/sing-box
+++ b/apparmor.d/profiles-s-z/sing-box
@ -12,7 +12,6 @@ include <tunables/global>
 profile sing-box @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  include <abstractions/user-tmp>

  capability net_bind_service,

--- a/apparmor.d/profiles-s-z/tftp
+++ b/apparmor.d/profiles-s-z/tftp
@ -10,9 +10,15 @@ include <tunables/global>
@{exec_path} = @{bin}/tftp
 profile tftp @{exec_path} {
  include <abstractions/base>
-  include <abstractions/nameservice>
+  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>

+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
  @{exec_path} mr,

  include if exists <local/tftp>
--- a/apparmor.d/profiles-s-z/vsftpd
+++ b/apparmor.d/profiles-s-z/vsftpd
@ -12,7 +12,7 @@ profile vsftpd @{exec_path} {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/hosts_access>
-  include <abstractions/nameservice>
+  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>

  # To be able to listen on ports < 1024
@ -41,6 +41,12 @@ profile vsftpd @{exec_path} {
  capability dac_read_search,
  # If session_support=YES, vsftpd will also try and update utmp and wtmp

+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
  @{exec_path} mr,

  # To validate allowed users shells
--- a/apparmor.d/profiles-s-z/youtube-dl
+++ b/apparmor.d/profiles-s-z/youtube-dl
@ -13,13 +13,11 @@ profile youtube-dl @{exec_path} {
  include <abstractions/audio-client>
  include <abstractions/consoles>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
-  include <abstractions/X>

  network inet dgram,
  network inet6 dgram,