diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index e92e59f7d..7294daab5 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -9,7 +9,10 @@ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", + unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", /tmp/.X11-unix/* rw, + /tmp/.ICE-unix/* rw, # Available Xsessions /usr/share/xsessions/{,*.desktop} r, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 24f187ac6..77ac0f294 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -16,3 +16,7 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-*"), + + unix (connect, send, receive, accept, bind, listen) + type=stream + addr="@/home/*/.cache/ibus/dbus-*", diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index bef2e4782..22e5a9bce 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -1,8 +1,10 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + /{usr/,}bin/ r, + /{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r, /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 21def9d2f..f222d87c3 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/cron +@{exec_path} = /{usr/,}{s,}bin/cron profile cron @{exec_path} { include include 
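Review bot: The two new `unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",` and `unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",` lines in the X-strict hunk carry no access list, so unlike the `unix (connect, receive, send) ... peer=(addr=...)` rule beside them they grant every unix-socket permission (bind, listen and accept included), and because `addr=` names the local socket this lets any profile using the abstraction own the X and ICE server addresses rather than only connect to them. If they were added from client-side denials, the intended form is likely `unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),`; otherwise the access list should be spelled out and the reason commented, as the abstraction's `-strict` name promises. The ibus.d/complete hunk on this line has the related issue: its new rule explicitly grants `accept, bind, listen` on `@/home/*/.cache/ibus/dbus-*`, which is the daemon's side of that socket, and it hard-codes `/home/*` where the `@{HOME}` tunable used elsewhere in this diff would also cover non-standard home directories.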
diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane
index 465b88a1d..f395bb116 100644
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
@@ -14,6 +14,8 @@ profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
  include
  include
+ network inet dgram,
+ network inet6 dgram,
  network netlink raw,
  dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database
index 0ccc239e0..b994cc28f 100644
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
@@ -24,12 +24,15 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
  /usr/share/*/*.desktop r,
- /var/lib/flatpak/exports/share/applications/{,**/} r,
- /var/lib/flatpak/exports/share/applications/**.desktop r,
- /var/lib/flatpak/exports/share/applications/.mimeinfo.cache.* rw,
- /var/lib/flatpak/exports/share/applications/mimeinfo.cache w,
+ /var/lib/flatpak/{app/**,}exports/share/applications/{,**/} r,
+ /var/lib/flatpak/{app/**,}exports/share/applications/**.desktop r,
+ /var/lib/flatpak/{app/**,}exports/share/applications/.mimeinfo.cache.* rw,
+ /var/lib/flatpak/{app/**,}exports/share/applications/mimeinfo.cache w,
- /var/lib/flatpak/app/**/export/share/applications/**.desktop r,
+ /var/lib/snapd/desktop/applications/{,**/} r,
+ /var/lib/snapd/desktop/applications/**.desktop r,
+ /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
+ /var/lib/snapd/desktop/applications/mimeinfo.cache w,
  # Inherit silencer
  deny network inet6 stream,
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 8945157e2..0ca67990c 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
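Review bot: `network inet dgram,` and `network inet6 dgram,` widen colord-sane's network surface from netlink-only to IPv4/IPv6 datagram sockets, and nothing in the hunk records what the helper needs them for. If the need is name resolution, check whether one of the abstractions the profile already includes covers it before granting raw socket families here; otherwise a comment above the two lines naming the denied operation, e.g. `# <reason taken from the audit log>`, keeps the grant reviewable once the profile leaves complain mode.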
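Review bot: The new `/var/lib/flatpak/{app/**,}exports/share/applications/...` patterns do not cover what the removed `/var/lib/flatpak/app/**/export/share/applications/**.desktop r,` line did: the per-app tree is spelled `export/` (singular) in that removed rule, while the new alternation only ever matches `exports/`, so reads of per-app .desktop files will start being denied. The same alternation also extends `rw` on `.mimeinfo.cache.*` and `w` on `mimeinfo.cache` into every `app/**` subtree, where the old profile granted only read. Keeping the four `exports/` rules as they were and re-adding `/var/lib/flatpak/app/**/export/share/applications/**.desktop r,` preserves the original scope; if a per-app `exports/` directory really exists on some layout, a comment naming it would justify the broader pattern.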
@@ -7,14 +7,28 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/nm-dispatcher
+@{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher
 profile nm-dispatcher @{exec_path} {
  include
+ include
  capability sys_nice,
+ dbus receive bus=system path=/org/freedesktop/nm_dispatcher
+ interface=org.freedesktop.nm_dispatcher,
+
+ dbus bind bus=system
+ name=org.freedesktop.nm_dispatcher,
+
  @{exec_path} mr,
- /etc/NetworkManager/dispatcher.d/{,**} r,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/run-parts rPx,
+
+ /etc/NetworkManager/dispatcher.d/ r,
+ /etc/NetworkManager/dispatcher.d/** rix,
+
+ @{run}/systemd/notify rw,
  include if exists
 }
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index 644d74088..050fdd2ce 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -70,6 +70,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /etc/vconsole.conf r,
  /usr/share/kbd/keymaps/{,**} r,
+ /usr/share/plymouth/*.png r,
  /usr/share/plymouth/plymouthd.defaults r,
  /usr/share/plymouth/themes/{,**} r,
  /usr/share/terminfo/x/xterm-256color r,
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index a070b1e8e..271a3eb3c 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
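Review bot: The new `dbus receive bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher,` rule does not constrain the sender, so any bus client that dbus-daemon's own policy lets through can drive the dispatcher under this profile. If NetworkManager is the only expected caller, adding `peer=(name=org.freedesktop.NetworkManager)` to that rule narrows it to that sender. On the file side, `/etc/NetworkManager/dispatcher.d/** rix,` together with `/{usr/,}bin/{,ba,da}sh rix,` runs every dispatcher script inside this profile, so each tool those scripts invoke will need its own exec rule here; a comment recording that the scripts are meant to inherit the profile rather than get a child profile would save the next person who hits a denial from guessing.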
@@ -28,38 +28,35 @@ profile systemd-analyze @{exec_path} {
  /{usr/,}bin/more rPx -> child-pager,
  /{usr/,}bin/man rPx,
+ /usr/ r,
+ /{usr/,}lib/systemd/** r,
+
+ /etc/default/locale r,
+ /etc/locale.conf r,
+ /etc/systemd/** r,
+
+ owner /tmp/systemd-temporary-*/ rw,
+
+ @{run}/systemd/system/ r,
+ @{run}/systemd/userdb/io.systemd.DynamicUser w,
+ @{run}/udev/data/* r,
+ @{run}/udev/tags/systemd/ r,
+
+ @{sys}/devices/**/uevent r,
+ @{sys}/firmware/acpi/tables/FPDT r,
+ @{sys}/fs/cgroup/{,**} r,
+ @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw,
+ @{sys}/fs/cgroup/unified/**/init.scope/ rw,
+ @{sys}/module/**/uevent r,
+
+ @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r,
+ @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r,
+
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/comm r,
  @{PROC}/swaps r,
- # For systemd-analyze cat-config
- /etc/systemd/** r,
- /{usr/,}lib/systemd/** r,
-
- @{sys}/fs/cgroup/{,**} r,
- @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw,
- @{sys}/fs/cgroup/unified/**/init.scope/ rw,
- @{sys}/firmware/acpi/tables/FPDT r,
-
- @{sys}/module/**/uevent r,
- @{sys}/devices/**/uevent r,
- @{run}/udev/data/* r,
-
- @{run}/udev/tags/systemd/ r,
- @{run}/systemd/system/ r,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
-
- owner /tmp/systemd-temporary-*/ rw,
-
- /usr/ r,
-
- /etc/default/locale r,
- /etc/locale.conf r,
-
- @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r,
- @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r,
-
  /dev/tty rw,
  /dev/pts/1 rw,
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index c095b7e1c..b37d8f5d9 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -22,6 +22,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
  capability sys_admin,
  capability sys_ptrace,
+ mount -> /,
+
  @{exec_path} mr,
  /{usr/,}bin/* r,
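Review bot: The reorder drops the `# For systemd-analyze cat-config` comment that explained why `/etc/systemd/** r,` and `/{usr/,}lib/systemd/** r,` are granted, and nothing replaces it in the new block. Since the rules were only moved, restoring that comment above the new `/etc/systemd/** r,` line keeps the rationale with the rule. As far as the visible lines show, the hunk is otherwise a pure reordering with no permission change.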
@@ -30,8 +32,6 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
  /opt/** r,
  / r,
- mount -> /,
-
  /etc/systemd/coredump.conf r,
  /var/lib/systemd/coredump/ r,
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index 2be0f5ac1..ba25cd0cd 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -16,6 +16,8 @@ profile hugo @{exec_path} {
  @{exec_path} mr,
+ /{usr/,}bin/git rPx,
+
  /usr/share/mime/{,**} r,
  /etc/mime.types r,
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index de1720002..9bb767dc4 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -29,10 +30,14 @@ profile mount @{exec_path} flags=(complain) {
  @{exec_path} mr,
- /{usr/,}bin/ntfs-3g rPx,
  /{usr/,}{s,}bin/lowntfs-3g rPx,
- /{usr/,}bin/sshfs rPx,
  /{usr/,}{s,}bin/mount.* rPx,
+ /{usr/,}bin/ntfs-3g rPx,
+ /{usr/,}bin/sshfs rPx,
+
+ /etc/fstab r,
+
+ /var/lib/snapd/snaps/*.snap r,
  # Mount points
  @{HOME}/ r,
@@ -49,19 +54,18 @@ profile mount @{exec_path} flags=(complain) {
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
- # The special /dev/loop-control file can be used to create and destroy loop devices or to find
- # the first available loop device.
- /dev/loop-control rw,
-
- /etc/fstab r,
-
- /tmp/sanity-squashfs-[0-9]* rw,
-
- owner @{PROC}/@{pid}/mountinfo r,
-
  owner @{run}/mount/ rw,
  owner @{run}/mount/utab{,.*} rw,
  owner @{run}/mount/utab.lock wk,
+ /tmp/sanity-squashfs-[0-9]* rw,
+ /tmp/syscheck-squashfs-[0-9]* rw,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ # The special /dev/loop-control file can be used to create and destroy loop
+ # devices or to find the first available loop device.
+ /dev/loop-control rw,
+
  include if exists
 }
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 946973096..d1877ade9 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -37,6 +37,8 @@ profile sudo @{exec_path} {
  @{exec_path} mr,
+ /run/ r,
+
  @{libexec}/sudo/** mr,
  /{usr/,}bin/{,b,d,rb}ash rUx,
  /{usr/,}bin/{c,k,tc,z}sh rUx,
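Review bot: `/tmp/sanity-squashfs-[0-9]* rw,` and the new `/tmp/syscheck-squashfs-[0-9]* rw,` are read-write rules on a world-writable directory without the `owner` qualifier, unlike the `owner @{run}/mount/...` and `owner @{PROC}/@{pid}/mountinfo r,` lines beside them. If these files are created by the same uid that runs mount, `owner /tmp/{sanity,syscheck}-squashfs-[0-9]* rw,` limits the rule to that uid's files and folds the two patterns into one. A comment saying which tool creates them would also make the pattern easier to retire later.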
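Review bot: `/run/ r,` in the sudo hunk uses a literal path where the rest of this diff writes the runtime directory through the tunable (`@{run}/systemd/notify rw,` in nm-dispatcher, `owner @{run}/mount/ rw,` in mount); `@{run}/ r,` keeps the profile consistent with that convention and, with the usual tunable definition, also matches the `/var/run/` alias. A short comment on why sudo needs to list the whole runtime directory would help, since that is broader than the specific `@{run}` entries the other profiles grant.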