feat(profiles): general update.

2022-09-24 18:06:06 +01:00 · 2022-09-24 18:06:06 +01:00 · f2989321eb
commit f2989321eb
parent ae6cecde52
37 changed files with 120 additions and 32 deletions
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,19 +12,23 @@ include <tunables/global>
@{exec_path} += /{usr/,}lib/command-not-found
 profile command-not-found @{exec_path} {
  include <abstractions/base>
-  include <abstractions/python>
-  include <abstractions/nameservice-strict>
  include <abstractions/apt-common>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+  include <abstractions/python>

  @{exec_path} r,
  /{usr/,}bin/python3.[0-9]* r,

  /{usr/,}bin/lsb_release rPx -> lsb_release,
+  /{usr/,}bin/snap rPx,

  /var/lib/command-not-found/commands.db rwk,

  /usr/share/command-not-found/{,**} r,

+  owner @{PROC}/@{pid}/fd/ r,
+
  # Silencer
  deny /usr/lib/ r,

--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -251,10 +251,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
       owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
       owner @{PROC}/@{pid}/mountinfo r,
       owner @{PROC}/@{pid}/mounts r,
+       owner @{PROC}/@{pid}/oom_score_adj w,
       owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
       owner @{PROC}/@{pid}/task/ r,
-       owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
       owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+       owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
  deny owner @{PROC}/@{pid}/smaps r,
  deny owner @{PROC}/@{pid}/stat r,
  deny owner @{PROC}/@{pid}/statm r,
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -22,8 +22,8 @@ profile polkitd @{exec_path} {

  ptrace (read),

-  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
-       interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members
+  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/*
+       interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members

  dbus (send) bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
@ -31,7 +31,7 @@ profile polkitd @{exec_path} {
       peer=(name=org.freedesktop.DBus),

  dbus (bind) bus=system
-       name=org.freedesktop.PolicyKit[0-9],
+       name=org.freedesktop.PolicyKit1,

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -49,6 +49,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {

  # Allowed apps to open
  /{usr/,}bin/firefox rPx -> firefox,
+  /{usr/,}bin/nautilus rPx,

  / r,
  /.flatpak-info r,
--- a/apparmor.d/groups/freedesktop/xdg-email
+++ b/apparmor.d/groups/freedesktop/xdg-email
@ -14,8 +14,10 @@ profile xdg-email @{exec_path} flags=(complain) {
  @{exec_path}  r,

  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/gio         rPx,
  /{usr/,}bin/{,e}grep    rix,
+  /{usr/,}bin/basename    rix,
+  /{usr/,}bin/gio         rPx,
+  /{usr/,}bin/readlink    rix,
  /{usr/,}bin/sed         rix,
  /{usr/,}bin/which       rix,
  /{usr/,}bin/xdg-mime    rPx,
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
@ -13,6 +13,7 @@ profile xdg-user-dirs-gtk-update @{exec_path} {

  @{exec_path} mr,

+  owner @{user_config_dirs}/gtk-3.0/bookmarks* rw,
  owner @{user_config_dirs}/user-dirs.dirs r,
  owner @{user_config_dirs}/user-dirs.locale r,

--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/bwrap                                  rPUx,
  /{usr/,}bin/openvpn                                 rPx,
  /{usr/,}bin/passwd                                  rPx,
+  /{usr/,}bin/software-properties-gtk                 rPx,
  /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
  /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
  /usr/share/language-tools/language2locale           rix,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
 profile gnome-extension-ding @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -164,13 +164,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c226:[0-9]* r,   # for /dev/dri/card* 
  @{run}/udev/data/n[0-9]* r,

+  @{sys}/**/uevent r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/hwmon/ r,
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
  @{sys}/class/power_supply/ r,
-  @{sys}/**/uevent r,
  @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
@ -180,6 +180,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/pci[0-9]*/**/drm/ r,
  @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
  @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
  @{sys}/devices/system/cpu/possible r,
  @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,

--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -17,6 +17,7 @@ profile gnome-terminal-server @{exec_path} {
  include <abstractions/gtk>

  signal (send) set=(term hup kill) peer=unconfined,
+  ptrace (read) peer=unconfined,

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -38,6 +38,12 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.Avahi.Server
       member=StateChanged,

+  dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/*}
+       interface={org.freedesktop.DBus.Properties,org.gnome.SessionManager},
+
+  dbus bind bus=session
+       name=org.gnome.SettingsDaemon.PrintNotifications,
+
  @{exec_path} mr,
  @{libexec}/gsd-printer rPx,

--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -36,6 +36,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.NetworkManager
       member=CheckPermissions,

+  dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+       interface=org.freedesktop.NetworkManager.Connection.Active
+       member=StateChanged,
+
  @{exec_path} mr,

  /usr/share/dconf/profile/gdm r,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -59,6 +59,8 @@ profile tracker-extract @{exec_path} {
  @{run}/udev/data/c51[0-9]:[0-9]* r,
  @{run}/mount/utab r,

+  @{sys}/devices/system/cpu/possible r,
+
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,

@ -67,5 +69,7 @@ profile tracker-extract @{exec_path} {
  /dev/media[0-9]* r,
  /dev/video[0-9]* rw,

+  deny owner @{user_share_dirs}/gvfs-metadata/** r,
+
  include if exists <local/tracker-extract>
 }
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd
 profile gvfsd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>

  @{exec_path} mr,
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-fuse
 profile gvfsd-fuse @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>

  unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-metadata
 profile gvfsd-metadata @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>
  include <abstractions/disks-read>

--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-trash
 profile gvfsd-trash @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon"
-profile mullvad-daemon @{exec_path} {
+profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

@ -29,6 +29,9 @@ profile mullvad-daemon @{exec_path} {

  @{exec_path} mr,

+  /{usr/,}bin/ip  rix,
+
+  "/opt/Mullvad VPN/resources/openvpn" rix,
  "/opt/Mullvad VPN/resources/*" r,

  /etc/mullvad-vpn/{,*} r,
@ -47,8 +50,13 @@ profile mullvad-daemon @{exec_path} {
  @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

+  owner /tmp/@{uuid} rw,
+  owner /tmp/talpid-openvpn-@{uuid} rw,
+
  owner @{PROC}/@{pid}/mounts r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,

+  /dev/net/tun rw,
+
  include if exists <local/mullvad-daemon>
 }
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}{,s}bin/tailscaled
-profile tailscaled @{exec_path} {
+profile tailscaled @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
@ -22,6 +22,8 @@ profile tailscaled @{exec_path} {
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
+  network inet raw,
+  network inet6 raw,
  network netlink raw,

  ptrace (read),
@ -39,8 +41,9 @@ profile tailscaled @{exec_path} {
  /etc/resolv.conf rw,
  /etc/resolv.conf.*.tmp rw,

-  owner /var/lib/tailscale/{,**} rw,
  owner @{run}/tailscale/{,**} rw,
+  owner /var/cache/{,**} rw,
+  owner /var/lib/tailscale/{,**} rw,

  @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -91,6 +91,7 @@ profile pacman @{exec_path} {
  /{usr/,}bin/mkinitcpio                  rPx,
  /{usr/,}bin/pacdiff                     rPx,
  /{usr/,}bin/pacman-key                  rPx,
+  /{usr/,}bin/sbctl                       rPx,
  /{usr/,}bin/sysctl                      rPx,
  /{usr/,}bin/systemctl                   rPx -> child-systemctl,
  /{usr/,}bin/systemd-*                   rPx,
@ -121,7 +122,7 @@ profile pacman @{exec_path} {

  owner /var/lib/pacman/{,**} rwl,
  owner /tmp/alpm_*/{,**} rw,
-  owner /tmp/checkup-db-[0-9]*/sync/{,*.db.part} rw,
+  owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw,
  owner /tmp/checkup-db-[0-9]*/db.lck rw,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@ -12,6 +12,7 @@ profile check-new-release-gtk @{exec_path} {
  include <abstractions/apt-common>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
+  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification
 profile livepatch-notification @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/gtk>

--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@ -42,6 +42,7 @@ profile software-properties-dbus @{exec_path} {
  /usr/share/xml/iso-codes/{,**} r,

  owner /tmp/[a-z0-9]* rw,
+  owner /tmp/_[a-z0-9]* rw,
  owner /tmp/tmp*/{,apt.conf} rw,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -11,6 +11,7 @@ profile update-notifier @{exec_path} {
  include <abstractions/base>
  include <abstractions/apt-common>
  include <abstractions/audio>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
@ -18,6 +19,9 @@ profile update-notifier @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/python>

+  dbus receive bus=session path=/org/ayatana/NotificationItem/*
+       member={GetLayout,GetGroupProperties,GetAll,AboutToShow},
+
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh                              rix,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -3,11 +3,13 @@
 # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-# Based on Libvirt Apparmor profile, it is largelly restricted from th
+# Based on Libvirt Apparmor profile, it is largelly restricted from it.
 # As upstream profile mostly focus on confining the guests. Not libvirt itself.
 # It uses a lot of profiles provided by apparmor.d
 # Source: https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in

+# Warning: Such a profile is limited as it gives access to a lot of resources.
+
 abi <abi/3.0>,

 include <tunables/global>
@ -213,9 +215,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{sys}/fs/cgroup/net_cls/machine.slice/ rw,
  @{sys}/fs/cgroup/net_cls/machine.slice/machine-qemu*.scope/{,**} rw,

-  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/net/ip_tables_names r,
+        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/net/route r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/net/dev r,
@ -227,10 +227,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
        @{PROC}/devices r,
        @{PROC}/mtrr w,
        @{PROC}/sys/net/ipv{4,6}/** rw,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/net/ip_tables_names r,

  /dev/dri/ r,
  /dev/hugepages/{,**} w,
-  /dev/kvm r,
+  /dev/kvm rw,
  /dev/mapper/ r,
  /dev/mapper/control rw,
  /dev/net/tun rw,
@ -268,5 +271,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
    /dev/net/tun rw,
  }

+  include if exists <usr/libvirtd>
  include if exists <local/libvirtd>
 }