felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into unbreaking_debian

Browse source
This commit is contained in:
nobodysu 2022-10-05 23:34:37 +00:00 committed by GitHub
commit fa77fe51f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
223 changed files with 1334 additions and 1079 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.github/workflows/main.yml vendored
View file

@ -31,3 +31,6 @@ jobs:
- name: Show AppArmor log
run: sudo aa-log
- name: Show Number of loaded profile
run: sudo aa-status --profiled

34
Makefile Normal file
View file

@ -0,0 +1,34 @@
#!/usr/bin/make -f
PKGNAME := apparmor.d
.PHONY: install lint archlinux debian ubuntu whonix clean
all:
@echo "Nothing to do."
install:
@echo "Nothing to do."
lint:
@shellcheck --shell=bash \
PKGBUILD configure pick dists/build/build.sh \
debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
archlinux:
@bash dists/build/build.sh archlinux
debian:
@bash dists/build/build.sh debian
ubuntu:
@bash dists/build/build.sh ubuntu
whonix:
@bash dists/build/build.sh whonix
clean:
@rm -rf \
debian/.debhelper debian/debhelper* debian/*.debhelper \
${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst \
${PKGNAME}_*.* .build

2
PKGBUILD
View file

@ -20,7 +20,7 @@ prepare() {
git clone "$startdir" "$srcdir/$pkgname"
cd "$srcdir/$pkgname"
./configure
./configure --complain
}
build() {

37
README.md
View file

@ -11,7 +11,7 @@
## Description
A set of over 1200 AppArmor profiles which aims is to confine most of Linux base
A set of over 1400 AppArmor profiles which aims is to confine most of Linux base
applications and processes.
**Goals & Purpose**
@ -44,6 +44,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it
## Installation
> **Warning**: In order to not break your system, the default package configuration install all profiles in complain mode. They can be enforced later. See [Enforce Mode](#enfore-mode)
**Requirements**
* An `apparmor` based linux distribution.
* Base profiles and abstractions shipped with AppArmor are supposed to be
@ -53,8 +55,10 @@ This is fundamentally different from how AppArmor is used on Linux server as it
**Archlinux**
Build and install the package with:
`apparmor.d-git` is available in the [Arch User Repository][aur]:
```sh
git clone https://aur.archlinux.org/apparmor.d-git.git
cd apparmor.d-git
makepkg -s
sudo pacman -U apparmor.d-*.pkg.tar.zst \
--overwrite etc/apparmor.d/tunables/global \
@ -62,20 +66,21 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
--overwrite etc/apparmor.d/abstractions/trash
```
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
> **Note**: The overwrite options are only required on the first install. You can use `yay` or your preferred AUR install method to update it.
The `PKGBUILD` included in this repository is intended for development only.
**Debian / Ubuntu**
Build using standard Debian package build tools:
```sh
sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
git clone https://github.com/roddhjav/apparmor.d.git && cd apparmor.d
git clone https://github.com/roddhjav/apparmor.d.git
cd apparmor.d
dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*_all.deb
```
> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
**Partial install**
For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables:
@ -162,18 +167,17 @@ profile, create a file `/etc/apparmor.d/local/gnome-shell` and add your rules.
Then, reload the apparmor rules with `sudo systemctl restart apparmor`.
## Troubleshooting
## Enfore Mode
**Complain mode**
On first install and for test purposes, it is recommended to pass all profiles
in *complain* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules`
on Debian and add the `--complain` option to the configure script. Then build
the package as usual:
```sh
./configure --complain
The default package configuration installs all profile in *complain* mode.
You can easily switch to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual:
```diff
- ./configure --complain
+ ./configure
```
## Troubleshooting
**AppArmor messages**
Ensure that `auditd` is installed and running on your system in order to read
@ -208,7 +212,7 @@ is the process to recover your system on Archlinux:
A full test suite to ensure compatibility across distributions and softwares is still a work in progress.
Here an overview of the current CI jobs:
Here is an overview of the current CI jobs:
**On Gitlab CI**
- Package build for all supported distribution
@ -256,6 +260,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
[quality]: https://img.shields.io/badge/go%20report-A+-brightgreen.svg?style=flat-square
[goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d
[aur]: https://aur.archlinux.org/packages/apparmor.d-git
[android_model]: https://arxiv.org/pdf/1904.05572
[clipos]: https://clip-os.org/en/
[Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles

10
apparmor.d/abstractions/app-launcher-user
View file

@ -13,6 +13,10 @@
/usr/local/bin/ r,
/usr/local/bin/[a-zA-Z0-9]* rPUx,
# All apps in opt
/opt/*/ r,
/opt/*/[a-zA-Z0-9]* rPUx,
# Firefox
/{usr/,}lib/ r,
/{usr/,}lib/firefox/ r,
@ -34,10 +38,4 @@
/usr/share/discord/ r,
/usr/share/discord/Discord rPx,
# FreeTube
/opt/FreeTube/ r,
/opt/FreeTube/freetube rPx,
/opt/FreeTube-Vue/ r,
/opt/FreeTube-Vue/freetube-vue rPx,
include if exists <abstractions/app-launcher-user.d>

3
apparmor.d/abstractions/base.d/complete
View file

@ -19,6 +19,3 @@
ptrace (readby) peer=systemd-coredump,
# Allow to write a user defined fifo log devices
owner /dev/log-xsession w,
owner /dev/log-gnupg w,

3
apparmor.d/abstractions/dbus-gtk
View file

@ -44,3 +44,6 @@
interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry),
# Include additions to the abstraction
include if exists <abstractions/dbus-gtk.d>

36
apparmor.d/abstractions/deny-sensitive-home Normal file
View file

@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER
# Per the first rule of this project:
# As these are mandatory access control policies only what it explicitly required
# should be authorized. Meaning, you should not allow everything (or a large area)
# and blacklist some sub area.
# Use in this project: file browser and search engine
deny @{HOME}/.*_history rwlk,
deny @{HOME}/.*age*{,/{,**}} rwlk,
deny @{HOME}/.*cert*{,/{,**}} rwlk,
deny @{HOME}/.*key*{,/{,**}} rwlk,
deny @{HOME}/.*pass*{,/{,**}} rwlk,
deny @{HOME}/.*pki*{,/{,**}} rwlk,
deny @{HOME}/.*private*{,/{,**}} rwlk,
deny @{HOME}/.*secret*{,/{,**}} rwlk,
deny @{HOME}/.*yubi*{,/{,**}} rwlk,
deny @{HOME}/.lesshst* rwlk,
deny @{HOME}/.wget-hsts rwlk,
deny @{HOME}/@{XDG_GPG_DIR}/{,**} rwlk,
deny @{HOME}/@{XDG_SSH_DIR}/{,**} rwlk,
# Deny executable mapping in writable space as allowed in abstractions/fonts
deny @{HOME}/.{,cache/}fontconfig/ rw,
deny @{HOME}/.{,cache/}fontconfig/** mrwl,
# Deny executable mapping in writable space as allowed in abstractions/base for ecryptfs
deny @{HOME}/.Private/** mrxwlk,
deny @{HOMEDIRS}/.ecryptfs/*/.Private/** mrxwlk,
include if exists <abstractions/deny-sensitive-home.d>

4
apparmor.d/abstractions/fontconfig-cache-write
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -26,7 +27,8 @@
/usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r,
deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w,
owner /var/cache/fontconfig/{,**} rw,
/var/cache/fontconfig/ rw,
owner /var/cache/fontconfig/** rw,
owner /var/cache/fontconfig/*.cache-[0-9]* rwk,
owner /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
owner /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,

225
apparmor.d/abstractions/lxc/container-base
View file

@ -1,225 +0,0 @@
network,
capability,
file,
umount,
# dbus, signal, ptrace and unix are only supported by recent apparmor
# versions. Comment them if the apparmor parser doesn't recognize them.
# This also needs additional rules to reach outside of the container via
# DBus, so just let all of DBus within the container.
dbus,
# Allow us to receive signals from anywhere. Note: if per-container profiles
# are supported, for container isolation this should be changed to something
# like:
# signal (receive) peer=unconfined,
# signal (receive) peer=/usr/bin/lxc-start,
signal (receive),
# Allow us to send signals to ourselves
signal peer=@{profile_name},
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace ourselves
ptrace peer=@{profile_name},
# Allow receive via unix sockets from anywhere. Note: if per-container
# profiles are supported, for container isolation this should be changed to
# something like:
# unix (receive) peer=(label=unconfined),
unix (receive),
# Allow all unix in the container
unix peer=(label=@{profile_name}),
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
deny mount options=(ro, remount, silent) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
# allow hugetlbfs mounts everywhere
mount fstype=hugetlbfs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse,
mount fstype=fuse.*,
# deny access under /proc/bus to avoid e.g. messing with pci devices directly
deny @{PROC}/bus/** wklx,
# deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# allow efivars to be mounted, writing to it will be blocked though
mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
# block some other dangerous paths
deny @{PROC}/kcore rwklx,
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/acpi/** rwklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
# deny reads from debugfs
deny /sys/kernel/debug/{,**} rwklx,
# allow paths to be made slave, shared, private or unbindable
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **,
# mount options=(rw,make-rslave) -> **,
# mount options=(rw,make-shared) -> **,
# mount options=(rw,make-rshared) -> **,
# mount options=(rw,make-private) -> **,
# mount options=(rw,make-rprivate) -> **,
# mount options=(rw,make-unbindable) -> **,
# mount options=(rw,make-runbindable) -> **,
# allow bind-mounts of anything except /proc, /sys and /dev
mount options=(rw,bind) /[^spd]*{,/**},
mount options=(rw,bind) /d[^e]*{,/**},
mount options=(rw,bind) /de[^v]*{,/**},
mount options=(rw,bind) /dev/.[^l]*{,/**},
mount options=(rw,bind) /dev/.l[^x]*{,/**},
mount options=(rw,bind) /dev/.lx[^c]*{,/**},
mount options=(rw,bind) /dev/.lxc?*{,/**},
mount options=(rw,bind) /dev/[^.]*{,/**},
mount options=(rw,bind) /dev?*{,/**},
mount options=(rw,bind) /p[^r]*{,/**},
mount options=(rw,bind) /pr[^o]*{,/**},
mount options=(rw,bind) /pro[^c]*{,/**},
mount options=(rw,bind) /proc?*{,/**},
mount options=(rw,bind) /s[^y]*{,/**},
mount options=(rw,bind) /sy[^s]*{,/**},
mount options=(rw,bind) /sys?*{,/**},
# allow various ro-bind-*re*-mounts
mount options=(ro,remount,bind),
mount options=(ro,remount,bind,nosuid),
mount options=(ro,remount,bind,noexec),
mount options=(ro,remount,bind,nodev),
mount options=(ro,remount,bind,nosuid,noexec),
mount options=(ro,remount,bind,noexec,nodev),
mount options=(ro,remount,bind,nodev,nosuid),
mount options=(ro,remount,bind,nosuid,noexec,nodev),
# allow moving mounts except for /proc, /sys and /dev
mount options=(rw,move) /[^spd]*{,/**},
mount options=(rw,move) /d[^e]*{,/**},
mount options=(rw,move) /de[^v]*{,/**},
mount options=(rw,move) /dev/.[^l]*{,/**},
mount options=(rw,move) /dev/.l[^x]*{,/**},
mount options=(rw,move) /dev/.lx[^c]*{,/**},
mount options=(rw,move) /dev/.lxc?*{,/**},
mount options=(rw,move) /dev/[^.]*{,/**},
mount options=(rw,move) /dev?*{,/**},
mount options=(rw,move) /p[^r]*{,/**},
mount options=(rw,move) /pr[^o]*{,/**},
mount options=(rw,move) /pro[^c]*{,/**},
mount options=(rw,move) /proc?*{,/**},
mount options=(rw,move) /s[^y]*{,/**},
mount options=(rw,move) /sy[^s]*{,/**},
mount options=(rw,move) /sys?*{,/**},
# generated by: lxc-generate-aa-rules.py container-rules.base
deny /proc/sys/[^kn]*{,/**} wklx,
deny /proc/sys/k[^e]*{,/**} wklx,
deny /proc/sys/ke[^r]*{,/**} wklx,
deny /proc/sys/ker[^n]*{,/**} wklx,
deny /proc/sys/kern[^e]*{,/**} wklx,
deny /proc/sys/kerne[^l]*{,/**} wklx,
deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
deny /proc/sys/kernel/d[^o]*{,/**} wklx,
deny /proc/sys/kernel/do[^m]*{,/**} wklx,
deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/domainname?*{,/**} wklx,
deny /proc/sys/kernel/h[^o]*{,/**} wklx,
deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
deny /proc/sys/kernel/host[^n]*{,/**} wklx,
deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
deny /proc/sys/kernel/hostname?*{,/**} wklx,
deny /proc/sys/kernel/m[^s]*{,/**} wklx,
deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
deny /proc/sys/kernel/msg*/** wklx,
deny /proc/sys/kernel/s[^he]*{,/**} wklx,
deny /proc/sys/kernel/se[^m]*{,/**} wklx,
deny /proc/sys/kernel/sem*/** wklx,
deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
deny /proc/sys/kernel/shm*/** wklx,
deny /proc/sys/kernel?*{,/**} wklx,
deny /proc/sys/n[^e]*{,/**} wklx,
deny /proc/sys/ne[^t]*{,/**} wklx,
deny /proc/sys/net?*{,/**} wklx,
deny /sys/[^fdc]*{,/**} wklx,
deny /sys/c[^l]*{,/**} wklx,
deny /sys/cl[^a]*{,/**} wklx,
deny /sys/cla[^s]*{,/**} wklx,
deny /sys/clas[^s]*{,/**} wklx,
deny /sys/class/[^n]*{,/**} wklx,
deny /sys/class/n[^e]*{,/**} wklx,
deny /sys/class/ne[^t]*{,/**} wklx,
deny /sys/class/net?*{,/**} wklx,
deny /sys/class?*{,/**} wklx,
deny /sys/d[^e]*{,/**} wklx,
deny /sys/de[^v]*{,/**} wklx,
deny /sys/dev[^i]*{,/**} wklx,
deny /sys/devi[^c]*{,/**} wklx,
deny /sys/devic[^e]*{,/**} wklx,
deny /sys/device[^s]*{,/**} wklx,
deny /sys/devices/[^v]*{,/**} wklx,
deny /sys/devices/v[^i]*{,/**} wklx,
deny /sys/devices/vi[^r]*{,/**} wklx,
deny /sys/devices/vir[^t]*{,/**} wklx,
deny /sys/devices/virt[^u]*{,/**} wklx,
deny /sys/devices/virtu[^a]*{,/**} wklx,
deny /sys/devices/virtua[^l]*{,/**} wklx,
deny /sys/devices/virtual/[^n]*{,/**} wklx,
deny /sys/devices/virtual/n[^e]*{,/**} wklx,
deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
deny /sys/devices/virtual/net?*{,/**} wklx,
deny /sys/devices/virtual?*{,/**} wklx,
deny /sys/devices?*{,/**} wklx,
deny /sys/f[^s]*{,/**} wklx,
deny /sys/fs/[^c]*{,/**} wklx,
deny /sys/fs/c[^g]*{,/**} wklx,
deny /sys/fs/cg[^r]*{,/**} wklx,
deny /sys/fs/cgr[^o]*{,/**} wklx,
deny /sys/fs/cgro[^u]*{,/**} wklx,
deny /sys/fs/cgrou[^p]*{,/**} wklx,
deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx,

50
apparmor.d/abstractions/lxc/start-container
View file

@ -1,50 +0,0 @@
network,
capability,
file,
# The following 3 entries are only supported by recent apparmor versions.
# Comment them if the apparmor parser doesn't recognize them.
dbus,
signal,
ptrace,
# currently blocked by apparmor bug
mount -> /usr/lib*/*/lxc/{**,},
mount -> /usr/lib*/lxc/{**,},
mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**},
mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**,
mount options=(rw, make-slave) -> **,
mount options=(rw, make-rslave) -> **,
mount fstype=debugfs,
# allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
mount -> /var/lib/lxc/{**,},
mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
# required for some pre-mount hooks
mount fstype=overlayfs,
mount fstype=aufs,
mount fstype=ecryptfs,
# all umounts are under the original root's /mnt, but right now we
# can't allow those umounts after pivot_root. So allow all umounts
# right now. They'll be restricted for the container at least.
umount,
#umount /mnt/{**,},
# This may look a bit redundant, however it appears we need all of
# them if we want things to work properly on all combinations of kernel
# and userspace parser...
pivot_root /usr/lib*/lxc/,
pivot_root /usr/lib*/*/lxc/,
pivot_root /usr/lib*/lxc/**,
pivot_root /usr/lib*/*/lxc/**,
pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
change_profile -> lxc-*,
change_profile -> lxc-**,
change_profile -> unconfined,
change_profile -> :lxc-*:unconfined,

5
apparmor.d/abstractions/systemd-common
View file

@ -1,18 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
ptrace (read),
owner @{PROC}/@{pid}/stat r,
@{PROC}/1/cgroup r,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/1/cgroup r,
@{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/stat r,
/dev/kmsg w,

5
apparmor.d/abstractions/user-download-strict
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -10,8 +11,4 @@
owner @{user_download_dirs}/ r,
owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
# For SSHFS mounts (without owner as files in such mounts can be owned by different users)
@{HOME}/mount-sshfs/ r,
@{HOME}/mount-sshfs/** rwl,
include if exists <abstractions/user-download-strict.d>

2
apparmor.d/groups/apps/android-studio
View file

@ -264,7 +264,7 @@ profile android-studio @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

4
apparmor.d/groups/apps/atom
View file

@ -47,7 +47,7 @@ profile atom @{exec_path} {
#/{usr/,}bin/rmdir rix,
#/{usr/,}bin/{,e}grep rix,
#/{usr/,}bin/ls rix,
#/{usr/,}bin/gawk rix,
#/{usr/,}bin/{m,g,}awk rix,
#/{usr/,}bin/tty rix,
#/{usr/,}bin/dircolors rix,
#/{usr/,}bin/cut rix,
@ -168,7 +168,7 @@ profile atom @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

2
apparmor.d/groups/apps/calibre
View file

@ -152,7 +152,7 @@ profile calibre @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

4
apparmor.d/groups/apps/discord
View file

@ -125,7 +125,7 @@ profile discord @{exec_path} {
/{usr/,}bin/xdg-mime mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/head rix,
@ -175,7 +175,7 @@ profile discord @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

2
apparmor.d/groups/apps/dropbox
View file

@ -129,7 +129,7 @@ profile dropbox @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

2
apparmor.d/groups/apps/flameshot
View file

@ -76,7 +76,7 @@ profile flameshot @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

2
apparmor.d/groups/apps/freetube
View file

@ -105,7 +105,7 @@ profile freetube @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

2
apparmor.d/groups/apps/okular
View file

@ -103,7 +103,7 @@ profile okular @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

2
apparmor.d/groups/apps/telegram-desktop
View file

@ -101,7 +101,7 @@ profile telegram-desktop @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

2
apparmor.d/groups/apt/apt-methods-gpgv
View file

@ -46,7 +46,7 @@ profile apt-methods-gpgv @{exec_path} {
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/base64 rix,
# For shell pwd

5
apparmor.d/groups/apt/command-not-found
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,10 +12,10 @@ include <tunables/global>
@{exec_path} += /{usr/,}lib/command-not-found
profile command-not-found @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/apt-common>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,

2
apparmor.d/groups/apt/debsums
View file

@ -17,7 +17,7 @@ profile debsums @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,

2
apparmor.d/groups/apt/querybts
View file

@ -66,7 +66,7 @@ profile querybts @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

2
apparmor.d/groups/apt/reportbug
View file

@ -130,7 +130,7 @@ profile reportbug @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,

2
apparmor.d/groups/avahi/avahi-autoipd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/avahi-autoipd
profile avahi-autoipd @{exec_path} flags=(complain) {
profile avahi-autoipd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/avahi/avahi-browse
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-browse /{usr/,}bin/avahi-browse-domains
profile avahi-browse @{exec_path} flags=(complain) {
profile avahi-browse @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>

2
apparmor.d/groups/avahi/avahi-daemon
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-daemon
profile avahi-daemon @{exec_path} flags=(complain) {
profile avahi-daemon @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/avahi/avahi-publish
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-publish /{usr/,}bin/avahi-publish-address /{usr/,}bin/avahi-publish-service
profile avahi-publish @{exec_path} flags=(complain) {
profile avahi-publish @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/avahi/avahi-resolve
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-resolve /{usr/,}bin/avahi-resolve-address /{usr/,}bin/avahi-resolve-host-name
profile avahi-resolve @{exec_path} flags=(complain) {
profile avahi-resolve @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus-strict>

2
apparmor.d/groups/avahi/avahi-set-host-name
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-set-host-name
profile avahi-set-host-name @{exec_path} flags=(complain) {
profile avahi-set-host-name @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

165
apparmor.d/groups/browsers/brave
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -13,19 +14,19 @@ include <tunables/global>
@{exec_path} = @{BRAVE_INSTALLDIR}/brave{,-beta,-dev}
profile brave @{exec_path} {
include <abstractions/base>
include <abstractions/audio>
include <abstractions/chromium-common>
include <abstractions/consoles>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/user-download-strict>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/thumbnails-cache-read>
include <abstractions/chromium-common>
include <abstractions/user-download-strict>
capability sys_ptrace,
@ -40,44 +41,41 @@ profile brave @{exec_path} {
@{BRAVE_INSTALLDIR}/swiftshader/libEGL.so mr,
# When installing/removing extensions
/{usr/,}bin/basename rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/{,e}grep rix,
/etc/opt/chrome/ r,
deny /etc/opt/chrome/ w,
# For "brave --help"
/{usr/,}bin/man rPUx,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/touch rix,
# For storing passwords externally
/{usr/,}bin/keepassxc-proxy rPUx,
/{usr/,}bin/browserpass rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
# no new privs
#deny /{usr/,}bin/xdg-desktop-menu rx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/man rPUx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-settings rPx,
/{usr/,}bin/xdg-mime rPx,
/usr/share/chromium/extensions/ r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/fstab r,
/etc/opt/chrome/ r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/ r,
owner @{user_config_dirs}/BraveSoftware/ w,
owner @{BRAVE_HOMEDIR}/ rw,
owner @{BRAVE_HOMEDIR}/** rwk,
# For Widevine plugin
owner @{BRAVE_HOMEDIR}/WidevineCdm/libwidevinecdm.so mrw,
# Cache files
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/BraveSoftware/ rw,
owner @{BRAVE_CACHEDIR}/{,**/} rw,
@ -85,43 +83,36 @@ profile brave @{exec_path} {
owner @{BRAVE_CACHEDIR}/*/**/[a-f0-9]*_? rw,
owner @{BRAVE_CACHEDIR}/*/**/todelete_* rw,
# For importing data (bookmarks, cookies, etc) from Firefox
owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner @{HOME}/.mozilla/firefox/*/ r,
owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
owner @{HOME}/.mozilla/firefox/*/logins.json r,
# For importing data from Chromium
owner "@{user_config_dirs}/chromium/Local State" r,
owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
owner @{user_config_dirs}/chromium/*/ r,
owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
owner @{user_config_dirs}/menus/applications-merged/ r,
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
/etc/fstab r,
# For importing data (bookmarks, cookies, etc) from Firefox
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
# owner @{HOME}/.mozilla/firefox/*/ r,
# owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
# owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
# owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
# owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
# owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
# owner @{HOME}/.mozilla/firefox/*/logins.json r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# For importing data (bookmarks, cookies, etc) from Chromium
# owner "@{user_config_dirs}/chromium/Local State" r,
# owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
# owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
# owner @{user_config_dirs}/chromium/*/ r,
# owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
owner /tmp/net-export/ rw, # For brave://net-export/
# Needed or Brave crash with the following error:
# illegal hardware instruction
@{PROC}/ r,
#
deny @{PROC}/vmstat r,
deny @{PROC}/stat r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/@{pid}/fd/ r,
deny @{PROC}/@{pids}/stat r,
deny @{PROC}/@{pids}/statm r,
# To remove the following error:
# Failed to adjust OOM score of renderer with pid : Permission denied
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
#
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny @{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/status r,
@ -130,63 +121,27 @@ profile brave @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/clear_refs w,
@{PROC}/sys/fs/inotify/max_user_watches r,
deny @{PROC}filesystems r,
deny @{PROC}/filesystems r,
owner /dev/shm/org.chromium.Chromium.shmem.[A-F0-9]*._service_shmem rw,
@{run}/udev/data/* r,
@{sys}/bus/ r,
@{sys}/bus/**/devices/ r,
@{sys}/class/ r,
@{sys}/class/**/ r,
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
@{sys}/devices/system/cpu/online r,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
/dev/bus/usb/[0-9]*/[0-9]* rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Udev enumeration
@{sys}/bus/ r,
@{sys}/bus/**/devices/ r,
@{sys}/devices/**/uevent r,
@{sys}/class/ r,
@{sys}/class/**/ r,
@{run}/udev/data/* r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
@{sys}/devices/system/cpu/online r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
# The irq file is needed to render pages.
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
# For brave://net-export/
owner /tmp/net-export/ rw,
# Silencer
deny @{BRAVE_INSTALLDIR}/** w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
}
deny /etc/opt/chrome/ w,
include if exists <local/brave>
}

13
apparmor.d/groups/browsers/brave-browser
View file

@ -1,23 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
abi <abi/3.0>,
include <tunables/global>
@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
@{exec_path} = @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev}
profile brave-browser @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/which{,.debianutils} rix,
@ -26,7 +27,7 @@ profile brave-browser @{exec_path} {
@{BRAVE_INSTALLDIR}/brave rPx,
owner @{PROC}/@{pid}/fd/63 w,
owner @{PROC}/@{pid}/fd/ w,
include if exists <local/brave-browser>
}

26
apparmor.d/groups/browsers/chromium-chromium
View file

@ -63,7 +63,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/xdg-email rPx,
/{usr/,}bin/xdg-icon-resource rPx,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-settings rPx,
/usr/share/chromium/{,**} r,
@ -164,29 +164,5 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
deny /{usr/,}lib/chromium/** w,
deny @{user_share_dirs}/gvfs-metadata/* r,
profile open {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
# Allowed apps to open
/{usr/,}bin/smplayer rPx,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/chromium-chromium>
}

63
apparmor.d/groups/browsers/firefox
View file

@ -147,22 +147,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
# Allowed apps to open
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/okular rPx,
/{usr/,}bin/qbittorrent rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/telegram-desktop rPx,
/{usr/,}bin/thunderbird rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/xarchiver rPx,
/{usr/,}bin/evince rPx,
/{usr/,}bin/exo-open rPx -> child-open,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/{usr/,}lib/mozilla/plugins/ r,
@ -251,10 +239,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_score_adj w,
owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
deny owner @{PROC}/@{pid}/smaps r,
deny owner @{PROC}/@{pid}/stat r,
deny owner @{PROC}/@{pid}/statm r,
@ -279,45 +268,5 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
deny owner @{HOME}/.* r,
deny /tmp/MozillaUpdateLock-* w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
# Allowed apps to open
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/evince rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/okular rPx,
/{usr/,}bin/qbittorrent rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/telegram-desktop rPx,
/{usr/,}bin/thunderbird rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/xarchiver rPx,
/{usr/,}bin/evince rPx,
/usr/share/xfce4/exo/exo-compose-mail rPx,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/firefox_open>
}
include if exists <local/firefox>
}

129
apparmor.d/groups/browsers/google-chrome-chrome
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -13,18 +14,18 @@ include <tunables/global>
@{exec_path} = @{CHROME_INSTALLDIR}/chrome{,-beta,-unstable}
profile google-chrome-chrome @{exec_path} {
include <abstractions/base>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/chromium-common>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
ptrace (trace) peer=@{profile_name},
@ -44,23 +45,28 @@ profile google-chrome-chrome @{exec_path} {
@{CHROME_INSTALLDIR}/nacl_helper rix,
@{CHROME_INSTALLDIR}/xdg-mime rix,
@{CHROME_INSTALLDIR}/xdg-settings rix,
@{CHROME_INSTALLDIR}/libwidevinecdm.so mr,
@{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr,
# For "google-chrome --help"
/{usr/,}bin/man rPUx,
# For storing passwords externally
/{usr/,}bin/keepassxc-proxy rPUx,
/{usr/,}bin/browserpass rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# no new privs
deny /{usr/,}bin/xdg-desktop-menu rx,
deny /{usr/,}bin/xdg-icon-resource rx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-settings rPx,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Google Chrome home files
owner @{HOME}/ r,
owner @{CHROME_HOMEDIR}/ rw,
@ -68,50 +74,38 @@ profile google-chrome-chrome @{exec_path} {
owner @{user_share_dirs}/.com.google.Chrome.* rw,
# Cache files
owner @{user_cache_dirs}/ rw,
owner @{CHROME_CACHEDIR}/{,**/} rw,
owner @{CHROME_CACHEDIR}/*/**/{*-,}index rw,
owner @{CHROME_CACHEDIR}/*/**/[a-f0-9]*_? rw,
owner @{CHROME_CACHEDIR}/*/**/todelete_* rw,
# To remove browser history/cache
owner @{CHROME_CACHEDIR}/PnaclTranslationCache/index rw,
owner @{CHROME_CACHEDIR}/PnaclTranslationCache/data_[0-9]*[0-9] rw,
# For importing data (bookmarks, cookies, etc) from Firefox
owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner @{HOME}/.mozilla/firefox/*/ r,
owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
owner @{HOME}/.mozilla/firefox/*/logins.json r,
# For importing data from Chromium
owner "@{user_config_dirs}/chromium/Local State" r,
owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
owner @{user_config_dirs}/chromium/*/ r,
owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
# owner @{HOME}/.mozilla/firefox/*/ r,
# owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
# owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
# owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
# owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
# owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
# owner @{HOME}/.mozilla/firefox/*/logins.json r,
/etc/fstab r,
# For importing data (bookmarks, cookies, etc) from Chromium
# owner "@{user_config_dirs}/chromium/Local State" r,
# owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
# owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
# owner @{user_config_dirs}/chromium/*/ r,
# owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Needed or Google Chrome crash with the following error:
# illegal hardware instruction
@{PROC}/ r,
#
deny @{PROC}/vmstat r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/@{pid}/fd/ r,
deny @{PROC}/@{pids}/stat r,
deny @{PROC}/@{pids}/statm r,
# To remove the following error:
# Failed to adjust OOM score of renderer with pid : Permission denied
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
#
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny @{PROC}/@{pids}/cmdline r,
deny owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pid}/task/ r,
@ -123,56 +117,21 @@ profile google-chrome-chrome @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/diskstats r,
# To play DRM media (protected content)
@{CHROME_INSTALLDIR}/libwidevinecdm.so mr,
@{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr,
@{run}/udev/data/* r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Udev enumeration
@{sys}/bus/ r,
@{sys}/bus/**/devices/ r,
@{sys}/devices/**/uevent r,
@{sys}/class/ r,
@{sys}/class/**/ r,
@{run}/udev/data/* r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
# The irq file is needed to render pages.
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
# Silencer
deny @{CHROME_INSTALLDIR}/** w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/google-chrome-chrome>
}

123
apparmor.d/groups/browsers/opera
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -13,20 +14,20 @@ include <tunables/global>
@{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
profile opera @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/opencl-intel>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read>
include <abstractions/chromium-common>
include <abstractions/dconf-write>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/chromium-common>
include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
ptrace (trace) peer=@{profile_name},
@ -41,25 +42,32 @@ profile opera @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/which{,.debianutils} rix,
@{OPERA_INSTALLDIR}/opera_sandbox rPx,
@{OPERA_INSTALLDIR}/opera_crashreporter rPx,
@{OPERA_INSTALLDIR}/opera_autoupdate krix,
/opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr,
/opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-mime rPx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-settings rPx,
/{usr/,}bin/xdg-desktop-menu rPx,
/{usr/,}bin/xdg-icon-resource rPx,
# Opera home files
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{HOME}/ r,
owner @{OPERA_HOMEDIR}/ rw,
owner @{OPERA_HOMEDIR}/** rwk,
# Cache files
owner @{user_cache_dirs}/ rw,
owner @{OPERA_CACHEDIR}/{,**/} rw,
owner @{OPERA_CACHEDIR}/**/{*-,}index rw,
@ -67,38 +75,31 @@ profile opera @{exec_path} {
owner @{OPERA_CACHEDIR}/**/todelete_* rw,
# For importing data (bookmarks, cookies, etc) from Firefox
owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner @{HOME}/.mozilla/firefox/*/ r,
owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
owner @{HOME}/.mozilla/firefox/*/logins.json r,
# For importing data from Chromium
owner "@{user_config_dirs}/chromium/Local State" r,
owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
owner @{user_config_dirs}/chromium/*/ r,
owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
# owner @{HOME}/.mozilla/firefox/profiles.ini r,
# owner @{HOME}/.mozilla/firefox/*/ r,
# owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
# owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
# owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
# owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
# owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
# owner @{HOME}/.mozilla/firefox/*/logins.json r,
/etc/fstab r,
# For importing data (bookmarks, cookies, etc) from Chromium
# owner "@{user_config_dirs}/chromium/Local State" r,
# owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
# owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
# owner @{user_config_dirs}/chromium/*/ r,
# owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw,
# Needed or opera crashes with the following error:
# illegal hardware instruction
@{PROC}/ r,
#
deny @{PROC}/vmstat r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/@{pid}/fd/ r,
deny @{PROC}/@{pids}/stat r,
deny @{PROC}/@{pids}/statm r,
# To remove the following error:
# Failed to adjust OOM score of renderer with pid : Permission denied
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
#
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny owner @{PROC}/@{pids}/cmdline r,
deny owner @{PROC}/@{pids}/environ r,
owner @{PROC}/@{pid}/task/ r,
@ -110,60 +111,22 @@ profile opera @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/fs/inotify/max_user_watches r,
# To play DRM media (protected content)
/opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr,
/opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr,
@{run}/udev/data/* r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Udev enumeration
@{sys}/bus/ r,
@{sys}/bus/**/devices/ r,
@{sys}/devices/**/uevent r,
@{sys}/class/ r,
@{sys}/class/**/ r,
@{run}/udev/data/* r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
# To remove the following error:
# pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
# The irq file is needed to render pages.
@{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/irq r,
# For crashreporter
owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
@{sys}/devices/virtual/tty/tty[0-9]/active r,
/dev/ r,
# Silencer
deny @{OPERA_INSTALLDIR}/** w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/opera>
}

75
apparmor.d/groups/children/child-open Normal file
View file

@ -0,0 +1,75 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> child-open-X" exec transitions
# from other profiles.
# Instead of allowing the run of all software in /{usr/,}bin/, the purpose of
# this profile is to list all GUI program that can open resources.
# Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
# should be present here. Until this day, this profile will be a controlled mess.
abi <abi/3.0>,
include <tunables/global>
# App allowed to open
profile child-open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/exo-open mr,
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}lib/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/readlink rix,
# Sandbox managers
/{usr/,}bin/firejail rPUx,
/{usr/,}bin/flatpak rPUx,
/{usr/,}bin/snap rPUx,
# Browsers
/{usr/,}bin/chromium rPx,
/{usr/,}bin/firefox rPx,
/{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
/{usr/,}lib/chromium/chromium rPx,
/opt/brave.com/brave{,-beta,-dev}/brave{,-beta,-dev} rPx,
/opt/google/chrome{,-beta,-unstable}/chrome{,-beta,-unstable} rPx,
# Text editors
/{usr/,}bin/code rPx,
/{usr/,}bin/gedit rPUx,
/usr/share/code/{bin/,}code rPx,
# Others
/{usr/,}bin/discord{,-ptb} rPx,
/{usr/,}bin/draw.io rPUx,
/{usr/,}bin/dropbox rPx,
/{usr/,}bin/engrampa rPx,
/{usr/,}bin/evince rPx,
/{usr/,}bin/filezilla rPx,
/{usr/,}bin/flameshot rPx,
/{usr/,}bin/geany rPx,
/{usr/,}bin/okular rPx,
/{usr/,}bin/qbittorrent rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/smplayer rPx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/telegram-desktop rPx,
/{usr/,}bin/thunderbird rPx,
/{usr/,}bin/transmission-gtk rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/xarchiver rPx,
include if exists <usr/child-open.d>
include if exists <local/child-open>
}

0
apparmor.d/profiles-a-f/child-pager → apparmor.d/groups/children/child-pager
View file

0
apparmor.d/groups/systemd/child-systemctl → apparmor.d/groups/children/child-systemctl
View file

2
apparmor.d/groups/cron/cron-apt
View file

@ -33,7 +33,7 @@ profile cron-apt @{exec_path} {
/{usr/,}bin/cp rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/cksum rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/logger rix,

11
apparmor.d/groups/freedesktop/plymouth-set-default-theme
View file

@ -7,16 +7,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/plymouth-set-default-theme
profile plymouth-set-default-theme @{exec_path} {
profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/gawk rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/plymouth rPx,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/plymouth rPx,
/{usr/,}bin/{,ba,da}sh rix,
/etc/plymouth/{,*} r,
include if exists <local/plymouth-set-default-theme>
}
}

4
apparmor.d/groups/freedesktop/plymouthd
View file

@ -30,6 +30,10 @@ profile plymouthd @{exec_path} {
/etc/plymouth/plymouthd.conf r,
/etc/vconsole.conf r,
/var/lib/plymouth/{,**} rw,
@{run}/plymouth/{,**} rw,
@{run}/udev/data/+drm:* r,
@{run}/udev/data/c226:* r,
@{run}/udev/data/c29:* r,

6
apparmor.d/groups/freedesktop/polkitd
View file

@ -22,8 +22,8 @@ profile polkitd @{exec_path} {
ptrace (read),
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/*
interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members
dbus (send) bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
@ -31,7 +31,7 @@ profile polkitd @{exec_path} {
peer=(name=org.freedesktop.DBus),
dbus (bind) bus=system
name=org.freedesktop.PolicyKit[0-9],
name=org.freedesktop.PolicyKit1,
@{exec_path} mr,

4
apparmor.d/groups/freedesktop/xdg-dbus-proxy
View file

@ -13,8 +13,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
@ -25,5 +23,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
/dev/dri/card[0-9]* rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/xdg-dbus-proxy>
}

2
apparmor.d/groups/freedesktop/xdg-desktop-menu
View file

@ -23,7 +23,7 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) {
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/whoami rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,e}grep rix,

6
apparmor.d/groups/freedesktop/xdg-desktop-portal
View file

@ -105,8 +105,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/snap rPx,
# Allowed apps to open
/{usr/,}bin/firefox rPx -> firefox,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/{usr/,}bin/nautilus rPx,
/ r,
/.flatpak-info r,

1
apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
View file

@ -18,6 +18,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/gtk>
include <abstractions/user-download>
include <abstractions/user-read>
include <abstractions/vulkan>
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus

4
apparmor.d/groups/freedesktop/xdg-email
View file

@ -14,8 +14,10 @@ profile xdg-email @{exec_path} flags=(complain) {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/gio rPx,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/which rix,
/{usr/,}bin/xdg-mime rPx,

3
apparmor.d/groups/freedesktop/xdg-mime
View file

@ -39,7 +39,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.Xauthority r,
owner @{user_config_dirs}/mimeapps.list{,.new} rw,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{run}/user/@{uid}/ r,
@ -60,6 +59,8 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
profile dbus {
include <abstractions/base>
include <abstractions/nameservice-strict>

22
apparmor.d/groups/freedesktop/xdg-open
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,8 +10,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/xdg-open
profile xdg-open @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/app-launcher-user>
include <abstractions/consoles>
@{exec_path} r,
@ -29,27 +30,16 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/gio rPx,
#/{usr/,}bin/kde-open5 rPUx,
# When xdg-open is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes:
# dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Xdg-open works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
/{usr/,}bin/dbus-launch rCx -> dbus,
/{usr/,}bin/dbus-send rCx -> dbus,
/usr/share/applications/*.desktop r,
owner @{user_share_dirs}/applications/ r,
owner @{HOME}/.Xauthority r,
/** r,
owner /** rw,
# file_inherit
/dev/dri/card[0-9]* rw,
owner @{user_share_dirs}/applications/ r,
/dev/tty rw,
profile dbus {

1
apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
View file

@ -13,6 +13,7 @@ profile xdg-user-dirs-gtk-update @{exec_path} {
@{exec_path} mr,
owner @{user_config_dirs}/gtk-3.0/bookmarks* rw,
owner @{user_config_dirs}/user-dirs.dirs r,
owner @{user_config_dirs}/user-dirs.locale r,

0
apparmor.d/groups/browsers/chrome-gnome-shell → apparmor.d/groups/gnome/chrome-gnome-shell
View file

3
apparmor.d/groups/gnome/evolution-source-registry
View file

@ -27,11 +27,12 @@ profile evolution-source-registry @{exec_path} {
owner @{user_config_dirs}/evolution/sources/{,*} rw,
owner @{user_share_dirs}/evolution/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_cache_dirs}/evolution/{,**} rwk,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/evolution-source-registry>
}

3
apparmor.d/groups/gnome/gio-launch-desktop
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gio
@{exec_path} += /{usr/,}bin/gio-launch-desktop
@{exec_path} += /{usr/,}lib/gio-launch-desktop
@{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop
profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>

27
apparmor.d/groups/gnome/gnome-browser-connector-host Normal file
View file

@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-browser-connector-host
profile gnome-browser-connector-host @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/dconf-write>
@{exec_path} mr,
/{usr/,}bin/env rix,
/{usr/,}bin/python3.[0-9]* rix,
/{usr/,}lib/python3.[0-9]*/site-packages/gnome_browser_connector/__pycache__/{,**} rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/gnome-browser-connector-host>
}

7
apparmor.d/groups/gnome/gnome-control-center
View file

@ -77,6 +77,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/bwrap rPUx,
/{usr/,}bin/openvpn rPx,
/{usr/,}bin/passwd rPx,
/{usr/,}bin/software-properties-gtk rPx,
/{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
/usr/share/language-tools/language2locale rix,
@ -117,10 +118,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_config_dirs}/gnome-control-center/{,**} rw,
owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix{,-wayland}-[0-9]} r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r,
owner @{user_config_dirs}/mimeapps.list.* rw,
owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_share_dirs}/icc/{,edid-*} r,
owner @{user_share_dirs}/sounds/__custom/{,*} rw,
owner @{user_share_dirs}/webkitgtk/{,**} r,
@ -153,6 +153,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
@{sys}/class/ r,
@{sys}/class/input/ r,
@{sys}/devices/**/{name,vendor,product,uevent} r,
@{sys}/devices/**/power_supply/{,**} r,
@{sys}/devices/platform/**/uevent r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/virtual/**/uevent r,
@ -178,5 +179,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/dev/media[0-9]* r,
/dev/video[0-9]* rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-control-center>
}

2
apparmor.d/groups/gnome/gnome-extension-ding
View file

@ -171,5 +171,7 @@ profile gnome-extension-ding @{exec_path} {
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-extension-ding>
}

37
apparmor.d/groups/gnome/gnome-extension-manager Normal file
View file

@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/extension-manager
profile gnome-extension-manager @{exec_path} {
include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/dri-common>
include <abstractions/dri-enumerate>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/gjs-console rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/gnome-shell/org.gnome.Shell.Extensions r,
/usr/share/X11/xkb/{,**} r,
include if exists <local/gnome-extension-manager>
}

6
apparmor.d/groups/gnome/gnome-music
View file

@ -15,6 +15,9 @@ profile gnome-music @{exec_path} {
include <abstractions/gstreamer>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
include <abstractions/openssl>
include <abstractions/p11-kit>
include <abstractions/python>
@ -45,7 +48,6 @@ profile gnome-music @{exec_path} {
owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
owner @{user_share_dirs}/grilo-plugins/ rwk,
owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,
owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
@{run}/systemd/inhibit/[0-9]*.ref rw,
@ -54,5 +56,7 @@ profile gnome-music @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-music>
}

49
apparmor.d/groups/gnome/gnome-shell
View file

@ -23,6 +23,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
include <abstractions/ibus>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/opencl-intel>
include <abstractions/opencl-mesa>
include <abstractions/opencl-nvidia>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
@ -43,12 +45,17 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
signal (receive) set=(term, hup) peer=gdm*,
signal (send),
unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
unix (send,receive) type=stream addr=none peer=(label=xwayland),
unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon),
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName,ListNames}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/ interface=org.freedesktop.DBus
member=ListNames
peer=(name=org.freedesktop.DBus label=dbus-daemon),
@ -62,14 +69,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus
member=GetConnectionUnixUser,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName,ListNames}
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**}
interface=org.freedesktop.{DBus.Properties,login[0-9].*},
dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.{DBus.Properties,PolicyKit[0-9].Authority}
member={CheckAuthorization,RegisterAuthenticationAgent,Changed,GetAll},
@ -228,7 +227,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:* label=xdg-desktop-portal-*),
dbus receive bus=session path=/org/gnome/Shell/Introspect
interface=org.freedesktop.DBus.Properties
member=Get
@ -459,29 +458,17 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
member={List,IsSupported}
peer=(name=:*, label=gvfs-*-volume-monitor),
dbus bind bus=session
name=org.gnome.Shell{,*},
dbus bind bus=session name=com.rastersoft.dingextension,
dbus bind bus=session
name=com.rastersoft.dingextension,
dbus bind bus=session name=com.canonical.Unity,
dbus bind bus=session
name=org.gnome.Mutter.{DisplayConfig,IdleMonitor,ScreenCast,RemoteDesktop},
dbus bind bus=session name=org.kde.StatusNotifierWatcher,
dbus bind bus=session
name=org.gtk.MountOperationHandler,
dbus bind bus=session name=org.gtk.MountOperationHandler,
dbus bind bus=session
name=org.gtk.Notifications,
dbus bind bus=session name=org.gtk.Notifications,
dbus bind bus=session
name=org.gnome.keyring.SystemPrompter,
dbus bind bus=session
name=com.canonical.Unity,
dbus bind bus=session
name=org.kde.StatusNotifierWatcher,
dbus bind bus=session name=org.gnome.*,
@{exec_path} mr,
@ -554,7 +541,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/desktop-directories/{,**} r,
owner @{user_share_dirs}/gnome-shell/{,**} rw,
owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
owner @{user_cache_dirs}/gnome-boxes/*.png r,
@ -601,13 +587,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
@{run}/udev/data/n[0-9]* r,
@{sys}/**/uevent r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/class/hwmon/ r,
@{sys}/class/input/ r,
@{sys}/class/net/ r,
@{sys}/class/power_supply/ r,
@{sys}/**/uevent r,
@{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
@{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
@ -617,6 +603,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/drm/ r,
@{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
@{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
@{sys}/devices/system/cpu/possible r,
@{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
@ -639,5 +626,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/dev/input/event[0-9]* rw,
/dev/tty[0-9]* rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-shell>
}

4
apparmor.d/groups/gnome/gnome-system-monitor
View file

@ -37,8 +37,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
/var/lib/snapd/desktop/icons/ r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{run}/user/@{uid}/doc/ rw,
@{run}/systemd/sessions/* r,
@ -69,5 +67,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pids}/wchan r,
@{PROC}/vmstat r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-system-monitor>
}

1
apparmor.d/groups/gnome/gnome-terminal-server
View file

@ -17,6 +17,7 @@ profile gnome-terminal-server @{exec_path} {
include <abstractions/gtk>
signal (send) set=(term hup kill) peer=unconfined,
ptrace (read) peer=unconfined,
dbus bind bus=session
name=org.gnome.Terminal,

3
apparmor.d/groups/gnome/gnome-tweaks
View file

@ -33,11 +33,12 @@ profile gnome-tweaks @{exec_path} {
owner @{user_config_dirs}/autostart/*.desktop r,
owner @{user_share_dirs}/backgrounds/{,**} r,
owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
owner @{user_share_dirs}/recently-used.xbel* rw,
owner @{user_share_dirs}/sounds/ r,
owner @{PROC}/@{pid}/fd/ r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/gnome-tweaks>
}

4
apparmor.d/groups/gnome/gsd-sharing
View file

@ -99,6 +99,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
dbus bind bus=session
name=org.gnome.SettingsDaemon.Sharing,
dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.NetworkManager.Connection.Active
member=StateChanged,
@{exec_path} mr,
/usr/share/dconf/profile/gdm r,

3
apparmor.d/groups/gnome/nautilus
View file

@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/nautilus
profile nautilus @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
@ -38,6 +37,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/usr/share/nautilus/{,**} r,
/usr/share/poppler/{,**} r,
@ -57,6 +57,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
owner /tmp/{,**} rw,
# Silence non user's data
include <abstractions/deny-sensitive-home>
deny /boot/{,**} r,
deny /opt/{,**} r,
deny /root/{,**} r,

7
apparmor.d/groups/gnome/tracker-extract
View file

@ -64,6 +64,7 @@ profile tracker-extract @{exec_path} {
@{exec_path} mr,
/usr/share/applications/*.desktop r,
/usr/share/applications/mimeinfo.cache r,
/usr/share/dconf/profile/gdm r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/hwdata/*.ids r,
@ -84,6 +85,7 @@ profile tracker-extract @{exec_path} {
/var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/*.desktop r,
# Allow to search user files
@ -92,7 +94,6 @@ profile tracker-extract @{exec_path} {
owner /tmp/*/{,**} r,
owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
owner @{user_share_dirs}/gvfs-metadata/** r,
owner /tmp/tracker-extract-3-files.*/{,*} rw,
@ -104,6 +105,8 @@ profile tracker-extract @{exec_path} {
@{run}/udev/data/c51[0-9]:[0-9]* r,
@{run}/mount/utab r,
@{sys}/devices/system/cpu/possible r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
@ -112,6 +115,8 @@ profile tracker-extract @{exec_path} {
/dev/media[0-9]* r,
/dev/video[0-9]* rw,
deny owner @{user_share_dirs}/gvfs-metadata/** r,
# file_inherit
owner /dev/tty[0-9]* rw,

1
apparmor.d/groups/gnome/tracker-miner
View file

@ -12,6 +12,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home>
include <abstractions/disks-read>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>

1
apparmor.d/groups/gvfs/gvfsd
View file

@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd
profile gvfsd @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
dbus send bus=session path=/org/freedesktop/DBus

1
apparmor.d/groups/gvfs/gvfsd-fuse
View file

@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-fuse
profile gvfsd-fuse @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),

1
apparmor.d/groups/gvfs/gvfsd-metadata
View file

@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-metadata
profile gvfsd-metadata @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
include <abstractions/disks-read>

1
apparmor.d/groups/gvfs/gvfsd-trash
View file

@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-trash
profile gvfsd-trash @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>

10
apparmor.d/groups/network/mullvad-daemon
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon"
profile mullvad-daemon @{exec_path} {
profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -29,6 +29,9 @@ profile mullvad-daemon @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/ip rix,
"/opt/Mullvad VPN/resources/openvpn" rix,
"/opt/Mullvad VPN/resources/*" r,
/etc/mullvad-vpn/{,*} r,
@ -47,8 +50,13 @@ profile mullvad-daemon @{exec_path} {
@{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
owner /tmp/@{uuid} rw,
owner /tmp/talpid-openvpn-@{uuid} rw,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
/dev/net/tun rw,
include if exists <local/mullvad-daemon>
}

4
apparmor.d/groups/network/mullvad-gui
View file

@ -46,7 +46,7 @@ profile mullvad-gui @{exec_path} {
/var/lib/dbus/machine-id r,
owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
owner @{user_share_dirs}/gvfs-metadata/* r,
owner @{user_cache_dirs}/dconf/user rw,
owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
@ -73,5 +73,7 @@ profile mullvad-gui @{exec_path} {
/dev/tty rw,
deny owner @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/mullvad-gui>
}

5
apparmor.d/groups/network/networkd-dispatcher
View file

@ -13,6 +13,11 @@ profile networkd-dispatcher @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/python>
dbus receive bus=system path=/org/freedesktop/network1/link/*
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*),
@{exec_path} mr,
/{usr/,}bin/ r,

7
apparmor.d/groups/network/tailscaled
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{,s}bin/tailscaled
profile tailscaled @{exec_path} {
profile tailscaled @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
@ -22,6 +22,8 @@ profile tailscaled @{exec_path} {
network inet6 dgram,
network inet stream,
network inet6 stream,
network inet raw,
network inet6 raw,
network netlink raw,
ptrace (read),
@ -39,8 +41,9 @@ profile tailscaled @{exec_path} {
/etc/resolv.conf rw,
/etc/resolv.conf.*.tmp rw,
owner /var/lib/tailscale/{,**} rw,
owner @{run}/tailscale/{,**} rw,
owner /var/cache/{,**} rw,
owner /var/lib/tailscale/{,**} rw,
@{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

39
apparmor.d/groups/pacman/archlinux-keyring-wkd-sync Normal file
View file

@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/archlinux-keyring-wkd-sync
profile archlinux-keyring-wkd-sync @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/p11-kit>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
@{exec_path} mr,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/gpg rix,
/{usr/,}bin/pacman-conf rix,
/{usr/,}bin/dirmngr rix,
/etc/pacman.conf r,
/etc/pacman.d/*-mirrorlist r,
/etc/pacman.d/gnupg/ rw,
/etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**,
/etc/pacman.d/mirrorlist r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/archlinux-keyring-wkd-sync>
}

23
apparmor.d/groups/pacman/aurpublish
View file

@ -16,15 +16,36 @@ profile aurpublish @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/date rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/git rPx,
/{usr/,}bin/makepkg rUx,
/{usr/,}bin/gpg rPUx,
/{usr/,}bin/grep rix,
/{usr/,}bin/makepkg rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/nproc rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sha512sum rix,
/{usr/,}bin/wc rix,
/usr/share/makepkg/{,**} r,
/etc/makepkg.conf r,
owner @{user_build_dirs}/**/ w,
owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
owner @{user_projects_dirs}/**/.SRCINFO rw,
owner @{user_projects_dirs}/**/PKGBUILD r,
owner @{user_cache_dirs}/makepkg/src/* r,
owner @{user_config_dirs}/pacman/makepkg.conf r,
owner /tmp/tmp.* rw,
owner @{PROC}/@{pid}/maps r,
/dev/tty rw,
include if exists <local/aurpublish>

2
apparmor.d/groups/pacman/mkinitcpio
View file

@ -29,7 +29,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/find rix,
/{usr/,}bin/findmnt rPx,
/{usr/,}bin/fsck rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/hexdump rix,
/{usr/,}bin/install rix,

4
apparmor.d/groups/pacman/paccache
View file

@ -18,7 +18,7 @@ profile paccache @{exec_path} {
/{usr/,}bin/bash rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/pacman rPx,
/{usr/,}bin/pacman-conf rPx,
@ -38,4 +38,4 @@ profile paccache @{exec_path} {
/dev/tty rw,
include if exists <local/paccache>
}
}

7
apparmor.d/groups/pacman/pacdiff
View file

@ -22,10 +22,15 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/locate rix,
/{usr/,}bin/pacman rix,
/{usr/,}bin/pacman-conf rPx,
/{usr/,}bin/pacsort rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/vim rix,
# packages files
/ r,

3
apparmor.d/groups/pacman/pacman
View file

@ -91,6 +91,7 @@ profile pacman @{exec_path} {
/{usr/,}bin/mkinitcpio rPx,
/{usr/,}bin/pacdiff rPx,
/{usr/,}bin/pacman-key rPx,
/{usr/,}bin/sbctl rPx,
/{usr/,}bin/sysctl rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-* rPx,
@ -121,7 +122,7 @@ profile pacman @{exec_path} {
owner /var/lib/pacman/{,**} rwl,
owner /tmp/alpm_*/{,**} rw,
owner /tmp/checkup-db-[0-9]*/sync/{,*.db.part} rw,
owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw,
owner /tmp/checkup-db-[0-9]*/db.lck rw,
owner @{PROC}/@{pid}/fd/ r,

3
apparmor.d/groups/pacman/pacman-conf
View file

@ -11,9 +11,6 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
network inet stream,
network inet6 stream,
@{exec_path} mr,
/etc/pacman.conf r,

2
apparmor.d/groups/pacman/pacman-key
View file

@ -19,7 +19,7 @@ profile pacman-key @{exec_path} {
/{usr/,}bin/basename rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gpg rCx -> gpg,
/{usr/,}bin/grep rix,

4
apparmor.d/groups/systemd/bootctl
View file

@ -20,7 +20,9 @@ profile bootctl @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
/{boot,efi}/ r,
/{boot,efi}/EFI/{,**} r,

27
apparmor.d/groups/systemd/busctl Normal file
View file

@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/busctl
profile busctl @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/comm r,
@{PROC}/@{pids}/stat r,
include if exists <local/busctl>
}

2
apparmor.d/groups/systemd/coredumpctl
View file

@ -17,9 +17,9 @@ profile coredumpctl @{exec_path} flags=(complain) {
/{usr/,}bin/gdb rCx -> gdb,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
owner /tmp/*.coredump w,
owner /tmp/core.* w,

2
apparmor.d/groups/systemd/journalctl
View file

@ -23,9 +23,9 @@ profile journalctl @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
/var/lib/dbus/machine-id r,
/etc/machine-id r,

23
apparmor.d/groups/systemd/localectl Normal file
View file

@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/localectl
profile localectl @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
/usr/share/kbd/keymaps/{,**} r,
include if exists <local/localectl>
}

6
apparmor.d/groups/systemd/networkctl
View file

@ -31,9 +31,9 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
@{exec_path} mr,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
/etc/udev/hwdb.bin r,
/var/lib/dbus/machine-id r,

6
apparmor.d/groups/systemd/systemd-cgls
View file

@ -14,9 +14,9 @@ profile systemd-cgls @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{sys}/fs/cgroup/{,**} r,

6
apparmor.d/groups/systemd/systemd-cgtop
View file

@ -12,9 +12,9 @@ profile systemd-cgtop @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{sys}/fs/cgroup/{,**} r,

44
apparmor.d/groups/systemd/systemd-dissect Normal file
View file

@ -0,0 +1,44 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-dissect
profile systemd-dissect @{exec_path} {
include <abstractions/base>
capability dac_read_search,
capability sys_admin,
capability sys_resource,
mount options=(rw, rslave) -> /,
mount options=(rw, nodev) -> /mnt/*/,
@{exec_path} mr,
/{usr/,}bin/fsck rPx,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
# Location of file system OS images
@{user_build_dirs}/{,**} r,
@{user_pkg_dirs}/{,**} r,
@{user_projects_dirs}/{,**} r,
@{user_vm_dirs}/{,**} r,
owner /tmp/dissect-*/{,**} rw,
@{sys}/devices/virtual/block/loop[0-9]*/{,**} r,
@{sys}/kernel/uevent_seqnum r,
@{PROC}/@{pids}/cgroup r,
/dev/loop-control rwk,
/dev/loop* rwk,
include if exists <local/systemd-dissect>
}

2
apparmor.d/groups/systemd/systemd-environment-d-generator
View file

@ -17,7 +17,7 @@ profile systemd-environment-d-generator @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/flatpak rPUx,
/{usr/,}bin/gpgconf rPx,
/{usr/,}bin/mawk rix,
/{usr/,}bin/{m,g,}awk rix,
/etc/environment r,
/etc/environment.d/{,**} r,

4
apparmor.d/groups/systemd/systemd-hwdb
View file

@ -13,8 +13,8 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/usr/lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
/usr/lib/udev/hwdb.bin w,
/{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
/{usr/,}lib/udev/hwdb.bin w,
/etc/udev/hwdb.d/{,*} r,

20
apparmor.d/groups/systemd/systemd-id128 Normal file
View file

@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-id128
profile systemd-id128 @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/machine-id r,
@{PROC}/sys/kernel/random/boot_id r,
include if exists <local/systemd-id128>
}

2
apparmor.d/groups/systemd/systemd-machined
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-machined
profile systemd-machined @{exec_path} flags=(complain) {
profile systemd-machined @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>

2
apparmor.d/groups/systemd/systemd-mount
View file

@ -14,9 +14,9 @@ profile systemd-mount @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{sys}/bus/ r,
@{sys}/class/ r,

Some files were not shown because too many files have changed in this diff Show more