From 78a180b2f61ecc690a0a7459f17032f32e44f421 Mon Sep 17 00:00:00 2001 
From: nobodysu
Date: Sun, 11 Sep 2022 19:40:34 +0000
Subject: [PATCH 01/41] bulk cross-OS awk (#75)
---
 apparmor.d/groups/apps/android-studio | 2 +-
 apparmor.d/groups/apps/atom | 4 ++--
 apparmor.d/groups/apps/calibre | 2 +-
 apparmor.d/groups/apps/discord | 4 ++--
 apparmor.d/groups/apps/dropbox | 2 +-
 apparmor.d/groups/apps/flameshot | 2 +-
 apparmor.d/groups/apps/freetube | 2 +-
 apparmor.d/groups/apps/okular | 2 +-
 apparmor.d/groups/apps/telegram-desktop | 2 +-
 apparmor.d/groups/apt/apt-methods-gpgv | 2 +-
 apparmor.d/groups/apt/debsums | 2 +-
 apparmor.d/groups/apt/querybts | 2 +-
 apparmor.d/groups/apt/reportbug | 2 +-
 apparmor.d/groups/browsers/brave | 2 +-
 apparmor.d/groups/browsers/chromium-chromium | 2 +-
 apparmor.d/groups/browsers/google-chrome-chrome | 2 +-
 apparmor.d/groups/browsers/opera | 2 +-
 apparmor.d/groups/cron/cron-apt | 2 +-
 apparmor.d/groups/freedesktop/plymouth-set-default-theme | 4 ++--
 apparmor.d/groups/freedesktop/xdg-desktop-menu | 2 +-
 apparmor.d/groups/pacman/mkinitcpio | 2 +-
 apparmor.d/groups/pacman/paccache | 4 ++--
 apparmor.d/groups/pacman/pacdiff | 2 +-
 apparmor.d/groups/pacman/pacman-key | 2 +-
 apparmor.d/groups/systemd/systemd-environment-d-generator | 2 +-
 apparmor.d/profiles-a-f/anki | 2 +-
 apparmor.d/profiles-a-f/anyremote | 2 +-
 apparmor.d/profiles-a-f/arduino | 2 +-
 apparmor.d/profiles-a-f/birdtray | 2 +-
 apparmor.d/profiles-a-f/blueman | 2 +-
 apparmor.d/profiles-a-f/cawbird | 2 +-
 apparmor.d/profiles-a-f/check-support-status | 3 +--
 apparmor.d/profiles-a-f/conky | 2 +-
 apparmor.d/profiles-a-f/czkawka-gui | 2 +-
 apparmor.d/profiles-a-f/deltachat-desktop | 2 +-
 apparmor.d/profiles-a-f/dlocate | 3 +--
 apparmor.d/profiles-a-f/engrampa | 2 +-
 apparmor.d/profiles-g-l/ganyremote | 2 +-
 apparmor.d/profiles-g-l/gparted | 2 +-
 apparmor.d/profiles-g-l/gpartedbin | 2 +-
 apparmor.d/profiles-g-l/gpodder | 2 +-
 apparmor.d/profiles-g-l/gtk-youtube-viewer | 2 +-
 apparmor.d/profiles-g-l/hardinfo | 2 +-
 apparmor.d/profiles-g-l/hw-probe | 2 +-
 apparmor.d/profiles-g-l/i3lock-fancy | 2 +-
 apparmor.d/profiles-g-l/initd-kexec-load | 3 +--
 apparmor.d/profiles-g-l/jdownloader | 2 +-
 apparmor.d/profiles-g-l/jdownloader-install | 2 +-
 apparmor.d/profiles-g-l/kanyremote | 2 +-
 apparmor.d/profiles-g-l/keepassxc | 2 +-
 apparmor.d/profiles-m-r/mediainfo-gui | 2 +-
 apparmor.d/profiles-m-r/megasync | 4 ++--
 apparmor.d/profiles-m-r/minitube | 2 +-
 apparmor.d/profiles-m-r/monitorix | 2 +-
 apparmor.d/profiles-m-r/mumble | 2 +-
 apparmor.d/profiles-m-r/on-ac-power | 2 +-
 apparmor.d/profiles-m-r/orage | 2 +-
 apparmor.d/profiles-m-r/psi | 2 +-
 apparmor.d/profiles-m-r/psi-plus | 2 +-
 apparmor.d/profiles-m-r/qnapi | 2 +-
 apparmor.d/profiles-m-r/qpdfview | 2 +-
 apparmor.d/profiles-m-r/qtox | 2 +-
 apparmor.d/profiles-m-r/quiterss | 2 +-
 apparmor.d/profiles-s-z/sddm-xsession | 2 +-
 apparmor.d/profiles-s-z/smtube | 2 +-
 apparmor.d/profiles-s-z/steam | 2 +-
 apparmor.d/profiles-s-z/strawberry | 2 +-
 apparmor.d/profiles-s-z/syncthing | 2 +-
 apparmor.d/profiles-s-z/ucf | 3 +--
 apparmor.d/profiles-s-z/udiskie | 2 +-
 apparmor.d/profiles-s-z/unhide-posix | 2 +-
 apparmor.d/profiles-s-z/update-initramfs | 3 +--
 apparmor.d/profiles-s-z/utox | 2 +-
 apparmor.d/profiles-s-z/vidcutter | 2 +-
 apparmor.d/profiles-s-z/whdd | 2 +-
 apparmor.d/profiles-s-z/wireshark | 2 +-
 apparmor.d/profiles-s-z/x11-xsession | 2 +-
 apparmor.d/profiles-s-z/xarchiver | 2 +-
 apparmor.d/profiles-s-z/xinit | 2 +-
 apparmor.d/profiles-s-z/zed | 2 +-
 80 files changed, 85 insertions(+), 90 deletions(-)
diff --git a/apparmor.d/groups/apps/android-studio b/apparmor.d/groups/apps/android-studio
index ca89cceca..e7565917d 100644
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@@ -264,7 +264,7 @@ profile android-studio @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
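Review bot: The empty alternative in the new `/{usr/,}bin/{m,g,}awk rix,` rule also permits a bare `/usr/bin/awk`, and since AppArmor matches the resolved target path rather than the symlink, that alternative only has effect on systems where `awk` is a regular binary instead of a link to gawk or mawk (as with the Debian alternatives link); a one-line comment at the first such rule, e.g. `# awk itself is a real binary on some distributions; gawk/mawk cover the rest`, would stop a later cleanup from dropping it as redundant. The same glob is repeated in every hunk of this patch (atom, calibre, discord, dropbox, … ucf, udiskie, unhide-posix), and because every rule is `rix` the spawned awk stays confined by the calling profile, so widening from gawk-only or mawk-only does not move the policy boundary. If the tree's tunables allow it, a shared variable for the awk glob would keep the next cross-distribution change from being another bulk edit across 80 files. Each hunk's enclosing `profile … {` block starts and ends outside the hunk.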
diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom
index 2733f1ec3..efdd05cc1 100644
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@@ -47,7 +47,7 @@ profile atom @{exec_path} {
 #/{usr/,}bin/rmdir rix,
 #/{usr/,}bin/{,e}grep rix,
 #/{usr/,}bin/ls rix,
- #/{usr/,}bin/gawk rix,
+ #/{usr/,}bin/{m,g,}awk rix,
 #/{usr/,}bin/tty rix,
 #/{usr/,}bin/dircolors rix,
 #/{usr/,}bin/cut rix,
@@ -168,7 +168,7 @@ profile atom @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre
index f851720ec..b2b00cb00 100644
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@@ -152,7 +152,7 @@ profile calibre @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/groups/apps/discord
index ccfe78bf9..afed0b7ce 100644
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
@@ -125,7 +125,7 @@ profile discord @{exec_path} {
 /{usr/,}bin/xdg-mime mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/cut rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/head rix,
@@ -175,7 +175,7 @@ profile discord @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox
index e199bfb8c..893470b41 100644
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@@ -129,7 +129,7 @@ profile dropbox @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/apps/flameshot b/apparmor.d/groups/apps/flameshot
index 3c125dd3d..d31869246 100644
--- a/apparmor.d/groups/apps/flameshot
+++ b/apparmor.d/groups/apps/flameshot
@@ -76,7 +76,7 @@ profile flameshot @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/groups/apps/freetube
index 17512fec0..cdfa5269e 100644
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@@ -105,7 +105,7 @@ profile freetube @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/apps/okular b/apparmor.d/groups/apps/okular
index f65c6f561..bb9025322 100644
--- a/apparmor.d/groups/apps/okular
+++ b/apparmor.d/groups/apps/okular
@@ -103,7 +103,7 @@ profile okular @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop
index d20ff1181..39f7072dd 100644
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@@ -101,7 +101,7 @@ profile telegram-desktop @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv
index 74786b57b..b7a44a334 100644
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@@ -46,7 +46,7 @@ profile apt-methods-gpgv @{exec_path} {
 /{usr/,}bin/sed rix,
 /{usr/,}bin/sort rix,
 /{usr/,}bin/touch rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/base64 rix,
 # For shell pwd
diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums
index d8d01fcdb..872738ff9 100644
--- a/apparmor.d/groups/apt/debsums
+++ b/apparmor.d/groups/apt/debsums
@@ -17,7 +17,7 @@ profile debsums @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /etc/dpkg/dpkg.cfg.d/{,*} r,
 /etc/dpkg/dpkg.cfg r,
diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts
index 6dfc4f34d..f423a5c43 100644
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@@ -66,7 +66,7 @@ profile querybts @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug
index ad0867c92..cfca54195 100644
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@@ -130,7 +130,7 @@ profile reportbug @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 870bbd13f..100dfc9ca 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -173,7 +173,7 @@ profile brave @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index b6bf4ff65..b0ca98a50 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -172,7 +172,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome
index 5fde39231..f94d60d67 100644
--- a/apparmor.d/groups/browsers/google-chrome-chrome
+++ b/apparmor.d/groups/browsers/google-chrome-chrome
@@ -159,7 +159,7 @@ profile google-chrome-chrome @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera
index 01e1bf9bd..4d9c45e5c 100644
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@@ -150,7 +150,7 @@ profile opera @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt
index 5fd391c38..80740a7e9 100644
--- a/apparmor.d/groups/cron/cron-apt
+++ b/apparmor.d/groups/cron/cron-apt
@@ -33,7 +33,7 @@ profile cron-apt @{exec_path} {
 /{usr/,}bin/cp rix,
 /{usr/,}bin/dd rix,
 /{usr/,}bin/cksum rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/sleep rix,
 /{usr/,}bin/mv rix,
 /{usr/,}bin/logger rix,
diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
index b53b39fe6..abf116a41 100644
--- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme
+++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
@@ -12,11 +12,11 @@ profile plymouth-set-default-theme @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/grep rix,
 /{usr/,}bin/plymouth rPx,
 /etc/plymouth/{,*} r,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu
index 463926a4e..7d2b17987 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-menu
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu
@@ -23,7 +23,7 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) {
 /{usr/,}bin/cp rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/touch rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/whoami rix,
 /{usr/,}bin/mv rix,
 /{usr/,}bin/{,e}grep rix,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index acb81dbc0..a64bb9cf9 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -29,7 +29,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/find rix,
 /{usr/,}bin/findmnt rPx,
 /{usr/,}bin/fsck rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/grep rix,
 /{usr/,}bin/hexdump rix,
 /{usr/,}bin/install rix,
diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache
index 2dd92c43d..802d5d345 100644
--- a/apparmor.d/groups/pacman/paccache
+++ b/apparmor.d/groups/pacman/paccache
@@ -18,7 +18,7 @@ profile paccache @{exec_path} {
 /{usr/,}bin/bash rix,
 /{usr/,}bin/cat rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/pacman rPx,
 /{usr/,}bin/pacman-conf rPx,
@@ -38,4 +38,4 @@ profile paccache @{exec_path} {
 /dev/tty rw,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff
index 2ab106458..ced0cd3ec 100644
--- a/apparmor.d/groups/pacman/pacdiff
+++ b/apparmor.d/groups/pacman/pacdiff
@@ -22,7 +22,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/cat rix,
 /{usr/,}bin/cmp rix,
 /{usr/,}bin/find rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/locate rix,
 /{usr/,}bin/pacman-conf rPx,
 /{usr/,}bin/tput rix,
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 3f427b9a3..fdf5a975a 100644
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -19,7 +19,7 @@ profile pacman-key @{exec_path} {
 /{usr/,}bin/basename rix,
 /{usr/,}bin/bash rix,
 /{usr/,}bin/chmod rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/gpg rCx -> gpg,
 /{usr/,}bin/grep rix,
diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator
index e007b6dcb..d5c5d99bf 100644
--- a/apparmor.d/groups/systemd/systemd-environment-d-generator
+++ b/apparmor.d/groups/systemd/systemd-environment-d-generator
@@ -17,7 +17,7 @@ profile systemd-environment-d-generator @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/flatpak rPUx,
 /{usr/,}bin/gpgconf rPx,
- /{usr/,}bin/mawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /etc/environment r,
 /etc/environment.d/{,**} r,
diff --git a/apparmor.d/profiles-a-f/anki b/apparmor.d/profiles-a-f/anki
index 43497f364..cbdba787d 100644
--- a/apparmor.d/profiles-a-f/anki
+++ b/apparmor.d/profiles-a-f/anki
@@ -194,7 +194,7 @@ profile anki @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote
index 76f648ede..d84ebc37a 100644
--- a/apparmor.d/profiles-a-f/anyremote
+++ b/apparmor.d/profiles-a-f/anyremote
@@ -34,7 +34,7 @@ profile anyremote @{exec_path} {
 /{usr/,}bin/tr rix,
 /{usr/,}bin/mkdir rix,
 /{usr/,}bin/tail rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/md5sum rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino
index 60fe89ffb..829c16fdf 100644
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
@@ -118,7 +118,7 @@ profile arduino @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray
index e2a83cb35..113d364a9 100644
--- a/apparmor.d/profiles-a-f/birdtray
+++ b/apparmor.d/profiles-a-f/birdtray
@@ -79,7 +79,7 @@ profile birdtray @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 362666f71..551c87d67 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -79,7 +79,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/basename rix,
 /{usr/,}bin/dbus-send rix,
 /{usr/,}bin/file rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/mimetype rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/uname rix,
diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird
index 3696fd261..f68b10463 100644
--- a/apparmor.d/profiles-a-f/cawbird
+++ b/apparmor.d/profiles-a-f/cawbird
@@ -56,7 +56,7 @@ profile cawbird @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status
index 64f9384ec..3cc421ffd 100644
--- a/apparmor.d/profiles-a-f/check-support-status
+++ b/apparmor.d/profiles-a-f/check-support-status
@@ -24,14 +24,13 @@ profile check-support-status @{exec_path} {
 /{usr/,}bin/fold rix,
 /{usr/,}bin/mktemp rix,
 /{usr/,}bin/rm rix,
- /{usr/,}bin/awk rix,
 /{usr/,}bin/comm rix,
 /{usr/,}bin/mkdir rix,
 /{usr/,}bin/mv rix,
 /{usr/,}bin/find rix,
 /{usr/,}bin/wc rix,
 /{usr/,}bin/basename rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/sort rix,
 /{usr/,}bin/head rix,
 /{usr/,}bin/gettext rix,
diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky
index c412fb540..d8d0ddf68 100644
--- a/apparmor.d/profiles-a-f/conky
+++ b/apparmor.d/profiles-a-f/conky
@@ -37,7 +37,7 @@ profile conky @{exec_path} {
 /{usr/,}bin/rm rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/tr rix,
 /{usr/,}bin/uniq rix,
 /{usr/,}bin/head rix,
diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui
index 774208fb9..ffb7f3369 100644
--- a/apparmor.d/profiles-a-f/czkawka-gui
+++ b/apparmor.d/profiles-a-f/czkawka-gui
@@ -46,7 +46,7 @@ profile czkawka-gui @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop
index a0771b1ee..d5057cfd3 100644
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@@ -90,7 +90,7 @@ profile deltachat-desktop @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate
index 98f181f70..79f66b581 100644
--- a/apparmor.d/profiles-a-f/dlocate
+++ b/apparmor.d/profiles-a-f/dlocate
@@ -17,13 +17,12 @@ profile dlocate @{exec_path} {
 /{usr/,}bin/getopt rix,
 /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/awk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/sort rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/stty rix,
 /{usr/,}bin/grep-dctrl rix,
- /{usr/,}bin/gawk rix,
 /{usr/,}bin/cut rix,
 /{usr/,}bin/xargs rix,
 /{usr/,}bin/ls rix,
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa
index 7f35caeb5..ce8dbeff1 100644
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
@@ -156,7 +156,7 @@ profile engrampa @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote
index cc43f74d6..fd25e07f4 100644
--- a/apparmor.d/profiles-g-l/ganyremote
+++ b/apparmor.d/profiles-g-l/ganyremote
@@ -33,7 +33,7 @@ profile ganyremote @{exec_path} {
 /{usr/,}bin/id rix,
 /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/tr rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/anyremote rPx,
 /{usr/,}bin/ps rPx,
diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted
index 9201def60..231f15b93 100644
--- a/apparmor.d/profiles-g-l/gparted
+++ b/apparmor.d/profiles-g-l/gparted
@@ -24,7 +24,7 @@ profile gparted @{exec_path} {
 /{usr/,}bin/sed rix,
 /{usr/,}bin/mkdir rix,
 /{usr/,}bin/rm rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}lib/udisks2/udisks2-inhibit rix,
 @{libexec}/udisks2/udisks2-inhibit rix,
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index 7cd08c626..b183d9119 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -218,7 +218,7 @@ profile gpartedbin @{exec_path} {
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder
index 6a8a65ee4..6addba7cd 100644
--- a/apparmor.d/profiles-g-l/gpodder
+++ b/apparmor.d/profiles-g-l/gpodder
@@ -77,7 +77,7 @@ profile gpodder @{exec_path} {
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer
index 67e1baec6..2eea836f7 100644
--- a/apparmor.d/profiles-g-l/gtk-youtube-viewer
+++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer
@@ -101,7 +101,7 @@ profile gtk-youtube-viewer @{exec_path} {
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo
index 501596437..f25228be3 100644
--- a/apparmor.d/profiles-g-l/hardinfo
+++ b/apparmor.d/profiles-g-l/hardinfo
@@ -166,7 +166,7 @@ profile hardinfo @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index 71dc7ece9..962ec0dd1 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@@ -22,7 +22,7 @@ profile hw-probe @{exec_path} {
 /{usr/,}bin/pwd rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/sleep rix,
 /{usr/,}bin/md5sum rix,
 /{usr/,}bin/uname rix,
diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy
index 4b8e47c0c..7d692d61b 100644
--- a/apparmor.d/profiles-g-l/i3lock-fancy
+++ b/apparmor.d/profiles-g-l/i3lock-fancy
@@ -20,7 +20,7 @@ profile i3lock-fancy @{exec_path} {
 /{usr/,}bin/fc-match rix,
 /{usr/,}bin/getopt rix,
 /{usr/,}bin/mktemp rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/basename rix,
 /{usr/,}bin/env rix,
diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load
index feeb7e329..7ed9bc2f9 100644
--- a/apparmor.d/profiles-g-l/initd-kexec-load
+++ b/apparmor.d/profiles-g-l/initd-kexec-load
@@ -15,8 +15,7 @@ profile initd-kexec-load @{exec_path} {
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/cat rix,
- /{usr/,}bin/awk rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/cut rix,
 /{usr/,}bin/tail rix,
 /{usr/,}bin/sed rix,
diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader
index cafeb2dab..6d1b017ad 100644
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@@ -105,7 +105,7 @@ profile jdownloader @{exec_path} {
 /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-g-l/jdownloader-install b/apparmor.d/profiles-g-l/jdownloader-install
index f714676d0..f6a39bba5 100644
--- a/apparmor.d/profiles-g-l/jdownloader-install
+++ b/apparmor.d/profiles-g-l/jdownloader-install
@@ -30,7 +30,7 @@ profile jdownloader-install @{exec_path} {
 /{usr/,}bin/gunzip rix,
 /{usr/,}bin/gzip rix,
 /{usr/,}bin/tar rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/ls rix,
 /{usr/,}bin/{,e}grep rix,
 /{usr/,}bin/df rix,
diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote
index 0b893ad6a..ea027dab3 100644
--- a/apparmor.d/profiles-g-l/kanyremote
+++ b/apparmor.d/profiles-g-l/kanyremote
@@ -36,7 +36,7 @@ profile kanyremote @{exec_path} {
 /{usr/,}bin/id rix,
 /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/tr rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/head rix,
 /{usr/,}bin/find rix,
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc
index fbd38420a..399102ada 100644
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@@ -115,7 +115,7 @@ profile keepassxc @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui
index 3337a719b..a14fdf542 100644
--- a/apparmor.d/profiles-m-r/mediainfo-gui
+++ b/apparmor.d/profiles-m-r/mediainfo-gui
@@ -64,7 +64,7 @@ profile mediainfo-gui @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync
index 1513de37d..2e4eef9da 100644
--- a/apparmor.d/profiles-m-r/megasync
+++ b/apparmor.d/profiles-m-r/megasync
@@ -34,7 +34,7 @@ profile megasync @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/xrdb rPx,
 /{usr/,}bin/xdg-mime rPx,
@@ -90,7 +90,7 @@ profile megasync @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube
index 22bee6fb4..a13d4edbd 100644
--- a/apparmor.d/profiles-m-r/minitube
+++ b/apparmor.d/profiles-m-r/minitube
@@ -105,7 +105,7 @@ profile minitube @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix
index 4475f4a2a..0ffaf702f 100644
--- a/apparmor.d/profiles-m-r/monitorix
+++ b/apparmor.d/profiles-m-r/monitorix
@@ -38,7 +38,7 @@ profile monitorix @{exec_path} {
 /{usr/,}bin/df rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/tail rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/free rix,
 /{usr/,}bin/ss rix,
 /{usr/,}bin/who rix,
diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble
index 30bb31b30..dcbcc2a00 100644
--- a/apparmor.d/profiles-m-r/mumble
+++ b/apparmor.d/profiles-m-r/mumble
@@ -84,7 +84,7 @@ profile mumble @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power
index 7434eef22..634af9fb5 100644
--- a/apparmor.d/profiles-m-r/on-ac-power
+++ b/apparmor.d/profiles-m-r/on-ac-power
@@ -13,7 +13,7 @@ profile on-ac-power @{exec_path} {
 @{exec_path} r,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/awk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/cat rix,
 @{sys}/class/power_supply/ r,
diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage
index 4d8eff768..e4c1caec0 100644
--- a/apparmor.d/profiles-m-r/orage
+++ b/apparmor.d/profiles-m-r/orage
@@ -50,7 +50,7 @@ profile orage @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi
index f074e1b11..5c75127b2 100644
--- a/apparmor.d/profiles-m-r/psi
+++ b/apparmor.d/profiles-m-r/psi
@@ -137,7 +137,7 @@ profile psi @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus
index 1d6bb1e62..0a08c88c6 100644
--- a/apparmor.d/profiles-m-r/psi-plus
+++ b/apparmor.d/profiles-m-r/psi-plus
@@ -137,7 +137,7 @@ profile psi-plus @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi
index cf2b3acfa..7942f025e 100644
--- a/apparmor.d/profiles-m-r/qnapi
+++ b/apparmor.d/profiles-m-r/qnapi
@@ -129,7 +129,7 @@ profile qnapi @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview
index 951a3db5e..a7ddef9a2 100644
--- a/apparmor.d/profiles-m-r/qpdfview
+++ b/apparmor.d/profiles-m-r/qpdfview
@@ -103,7 +103,7 @@ profile qpdfview @{exec_path} {
 /{usr/,}bin/xdg-open mr,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/gawk rix,
+ /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/basename rix,
diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox
index 5d6548632..9df04520f 100644
--- a/apparmor.d/profiles-m-r/qtox
+++ b/apparmor.d/profiles-m-r/qtox
@@ -76,7 +76,7 @@ profile qtox @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 31b990b72..9e6f80385 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -83,7 +83,7 @@ profile quiterss @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-s-z/sddm-xsession b/apparmor.d/profiles-s-z/sddm-xsession index 13dc21b7b..06f8b9cc2 100644 --- a/apparmor.d/profiles-s-z/sddm-xsession +++ b/apparmor.d/profiles-s-z/sddm-xsession @@ -24,7 +24,7 @@ profile sddm-xsession @{exec_path} { /{usr/,}bin/id rix, /{usr/,}bin/chmod rix, /{usr/,}bin/date rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/tempfile rix, /{usr/,}bin/mktemp rix, diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index be2f3e8df..f9fe696de 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -87,7 +87,7 @@ profile smtube @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 42bb30791..22857ba5d 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -49,7 +49,7 @@ profile steam @{exec_path} { /{usr/,}bin/cp rix, /{usr/,}bin/cut rix, /{usr/,}bin/dirname rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/getopt rix, /{usr/,}bin/grep rix, /{usr/,}bin/head rix, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index a00d4bfc8..ea6393f7c 100644 
--- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -111,7 +111,7 @@ profile strawberry @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 682e55fc3..02f84919f 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -48,7 +48,7 @@ profile syncthing @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 26ce8ce24..fdf79a68a 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -20,10 +20,9 @@ profile ucf @{exec_path} flags=(complain) { /{usr/,}bin/cat rix, /{usr/,}bin/cp rix, /{usr/,}bin/dirname rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/getopt rix, /{usr/,}bin/id rix, - /{usr/,}bin/mawk rix, /{usr/,}bin/md5sum rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/mv rix, diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 009a5c1fc..9a3b6f40f 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -52,7 +52,7 @@ profile udiskie @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-s-z/unhide-posix b/apparmor.d/profiles-s-z/unhide-posix index d100c4e2c..ff6c2e07c 100644 --- a/apparmor.d/profiles-s-z/unhide-posix +++ b/apparmor.d/profiles-s-z/unhide-posix @@ -19,7 +19,7 @@ profile unhide-posix @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ps rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/{,e}grep rix, @{PROC}/ r, 
diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index e8114a1f4..bc5827be1 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -20,11 +20,10 @@ profile update-initramfs @{exec_path} { /{usr/,}sbin/ r, /{usr/,}bin/cat rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/getopt rix, /{usr/,}bin/ischroot rix, /{usr/,}bin/ln rix, - /{usr/,}bin/mawk rix, /{usr/,}bin/mv rix, /{usr/,}bin/rm rix, /{usr/,}bin/sha1sum rix, diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index 6b7244bd6..82bbd73ee 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -47,7 +47,7 @@ profile utox @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 659a5833e..e24ddd288 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -140,7 +140,7 @@ profile vidcutter @{exec_path} { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index 1dc791016..660ac0405 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -20,7 +20,7 @@ profile whdd @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/tr rix, # To read SMART attributes diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index e15085639..4a1bb3697 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark 
@@ -94,7 +94,7 @@ profile wireshark @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/profiles-s-z/x11-xsession index 03a41ba91..b651106c9 100644 --- a/apparmor.d/profiles-s-z/x11-xsession +++ b/apparmor.d/profiles-s-z/x11-xsession @@ -22,7 +22,7 @@ profile x11-xsession @{exec_path} { /{usr/,}bin/id rix, /{usr/,}bin/chmod rix, /{usr/,}bin/date rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/tempfile rix, /{usr/,}bin/sed rix, /{usr/,}bin/head rix, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 05f7a3dbf..26bed31f7 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -81,7 +81,7 @@ profile xarchiver @{exec_path} { /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 4ee25604c..616ccf6b1 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -33,7 +33,7 @@ profile xinit @{exec_path} { /{usr/,}bin/date rix, /{usr/,}bin/chmod rix, /{usr/,}bin/head rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/id rix, /{usr/,}bin/tail rix, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index e75951e69..ad26f34e7 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -25,7 +25,7 @@ profile zed @{exec_path} { /{usr/,}bin/hostname rix, /{usr/,}bin/ls rix, /{usr/,}bin/logger rix, - /{usr/,}bin/mawk rix, + /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/rm rix, /{usr/,}bin/realpath rix, From 8ff5ed7a695a119442243b8d8411972c253e0be3 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 11 Sep 2022 20:45:14 +0100 Subject: [PATCH 02/41] feat(profiles): general update. --- apparmor.d/abstractions/base.d/complete | 3 --- apparmor.d/abstractions/dbus-gtk | 3 +++ apparmor.d/abstractions/systemd-common | 5 ++-- apparmor.d/abstractions/user-download-strict | 5 +--- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/pacman/aurpublish | 23 ++++++++++++++++++- apparmor.d/groups/pacman/pacdiff | 5 ++++ apparmor.d/groups/ubuntu/apport-gtk | 24 +++++++++++++------- apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-a-f/amarok | 2 +- apparmor.d/profiles-a-f/findmnt | 6 ++++- apparmor.d/profiles-a-f/fwupd | 2 ++ apparmor.d/profiles-m-r/plocate-build | 2 +- apparmor.d/profiles-s-z/sddm-greeter | 4 ++-- apparmor.d/profiles-s-z/sddm-xsession | 2 +- apparmor.d/profiles-s-z/steam-game | 4 ++++ 16 files changed, 68 insertions(+), 25 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 39988d60a..21649e8df 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -19,6 +19,3 @@ ptrace (readby) peer=systemd-coredump, - # Allow to write a user defined fifo log devices - owner /dev/log-xsession w, - owner /dev/log-gnupg w, diff --git a/apparmor.d/abstractions/dbus-gtk b/apparmor.d/abstractions/dbus-gtk index b4f0b9213..817e4fc69 100644 --- a/apparmor.d/abstractions/dbus-gtk +++ b/apparmor.d/abstractions/dbus-gtk @@ -44,3 +44,6 @@ interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} peer=(name=org.a11y.atspi.Registry), + + # Include additions to the abstraction + include if exists diff --git a/apparmor.d/abstractions/systemd-common b/apparmor.d/abstractions/systemd-common index 6f6ce8b5a..fcbf16eba 100644 --- a/apparmor.d/abstractions/systemd-common +++ b/apparmor.d/abstractions/systemd-common 
@@ -1,18 +1,19 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , ptrace (read), - owner @{PROC}/@{pid}/stat r, + @{PROC}/1/cgroup r, @{PROC}/1/environ r, @{PROC}/1/sched r, - @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/stat r, /dev/kmsg w, diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index 0f4d183e3..315f81e01 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,8 +11,4 @@ owner @{user_download_dirs}/ r, owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**, - # For SSHFS mounts (without owner as files in such mounts can be owned by different users) - @{HOME}/mount-sshfs/ r, - @{HOME}/mount-sshfs/** rwl, - include if exists \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 58aa25a73..c15aca6f0 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -88,7 +88,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gnome-control-center/{,**} rw, owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, - owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r, + owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, owner @{user_config_dirs}/mimeapps.list.* rw, owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, 
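Review bot: Replacing `[0-9a-f]*` with `@{hex}` in the gnome-control-center ibus rule is a real tightening, not a rename: in AppArmor glob syntax `[0-9a-f]*` is one hex digit followed by any run of non-slash characters, so the old rule matched far more than hex names, and the new one matches only what the tunable defines. I cannot see `@{hex}`'s definition here; if it is lowercase-only or fixed-width, socket names outside that shape are now denied, so confirm against an audit log. The same substitution appears in the amarok, sddm-greeter and sddm-xsession hunks later in this commit. A comment on the first use, `# @{hex}: ibus socket names look like <hex>-unix-wayland-0` (constructed), would let readers check. The profile body starts and ends outside the hunk.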
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 879199f59..2415744dd 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -16,15 +16,36 @@ profile aurpublish @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/date rix, + /{usr/,}bin/gettext rix, /{usr/,}bin/git rPx, - /{usr/,}bin/makepkg rUx, + /{usr/,}bin/gpg rPUx, + /{usr/,}bin/grep rix, + /{usr/,}bin/makepkg rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/nproc rix, /{usr/,}bin/rm rix, + /{usr/,}bin/sha512sum rix, /{usr/,}bin/wc rix, + /usr/share/makepkg/{,**} r, + + /etc/makepkg.conf r, + + owner @{user_build_dirs}/**/ w, owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, owner @{user_projects_dirs}/**/.SRCINFO rw, owner @{user_projects_dirs}/**/PKGBUILD r, + owner @{user_cache_dirs}/makepkg/src/* r, + owner @{user_config_dirs}/pacman/makepkg.conf r, + + owner /tmp/tmp.* rw, + + owner @{PROC}/@{pid}/maps r, + /dev/tty rw, include if exists diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 2ab106458..03762a1ed 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -24,8 +24,13 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/find rix, /{usr/,}bin/gawk rix, /{usr/,}bin/locate rix, + /{usr/,}bin/pacman rix, /{usr/,}bin/pacman-conf rPx, + /{usr/,}bin/pacsort rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, /{usr/,}bin/tput rix, + /{usr/,}bin/vim rix, # packages files / r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 97c3a1f4c..766c37503 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -19,7 +19,9 @@ profile apport-gtk @{exec_path} { include include + capability fowner, capability sys_ptrace, + capability syslog, network inet stream, network inet6 stream, 
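Review bot: `/{usr/,}bin/makepkg rix` in the aurpublish hunk replaces the previous `rUx` and runs makepkg — and with it every `build()`/`package()` function of the PKGBUILD being published — inside this profile with inherited permissions. Every compiler, fetcher or helper a PKGBUILD invokes now has to be listed here, and the hunk already shows the profile absorbing build-tool rules (`nproc`, `sha512sum`, `chmod`, `/usr/share/makepkg/{,**}`, `owner @{user_build_dirs}/**/ w`). If the repository has or gets a makepkg profile, `/{usr/,}bin/makepkg rPx,` keeps the publish tool's rules small and confines the build separately; otherwise a comment such as `# makepkg runs the PKGBUILD's build steps under this profile` should record the decision, since `rix` also hands a PKGBUILD's shell code the profile's `/dev/tty rw` and `@{PROC}/@{pid}/maps r`. The profile body starts and ends outside the hunk.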
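Review bot: `/{usr/,}bin/pacman rix` in the pacdiff hunk runs pacman under pacdiff's own rules instead of transitioning to a pacman profile, while `pacman-conf rPx` on the next line does transition; if a pacman profile exists in groups/pacman, `/{usr/,}bin/pacman rPx,` is the consistent choice. `/{usr/,}bin/vim rix` has the same shape: pacdiff hands the diff and merge to whatever `DIFFPROG`/`MERGEPROG` point at, so hard-coding vim is both incomplete and gives an editor that can spawn shells the full pacdiff rule set (including the `/ r` packages-files rule visible below); `rCx` into a small child profile, or `rPUx`, would be the usual pattern. The profile body starts and ends outside the hunk.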
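Review bot: `capability fowner,` and `capability syslog,` in the apport-gtk hunk are added without a note on which operation needs them; `fowner` lets a root-run apport-gtk (it appears to reach root through the `pkexec rPx` rule in the next hunk) change mode, ACLs and timestamps on files it does not own, and `syslog` opens the kernel ring buffer. A one-line comment per rule, e.g. `capability fowner, # TODO: record the chmod/utime call that needs this`, would help the next reviewer decide whether it should stay or become a `deny`. The profile body starts and ends outside the hunk.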
@@ -28,26 +30,28 @@ profile apport-gtk @{exec_path} { @{exec_path} mr, + @{libexec}/colord-sane rPx, /{usr/,}{s,}bin/killall5 rix, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{f,}grep rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/ischroot rix, - /{usr/,}bin/ldd rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}lib/@{multiarch}/ld*.so* rix, - /{usr/,}bin/dpkg-query rpx, - /{usr/,}bin/pkexec rPx, # TODO: rCx or something /{usr/,}bin/apt-cache rPx, + /{usr/,}bin/cut rix, /{usr/,}bin/dpkg rPx, /{usr/,}bin/dpkg-divert rPx, + /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/gdb rCx -> gdb, /{usr/,}bin/gsettings rPx, + /{usr/,}bin/ischroot rix, /{usr/,}bin/journalctl rPx, /{usr/,}bin/kmod rPx, + /{usr/,}bin/ldd rix, /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/md5sum rix, + /{usr/,}bin/pkexec rPx, # TODO: rCx or something /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/which{,.debianutils} rix, + /{usr/,}lib/@{multiarch}/ld*.so* rix, + /usr/share/apport/root_info_wrapper rix, /usr/share/alsa/{,**} r, /usr/share/apport/{,**} r, @@ -68,11 +72,13 @@ profile apport-gtk @{exec_path} { /var/crash/{,*.@{uid}.crash} rw, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, + /var/lib/usbutils/*.ids r, /var/lib/dpkg/info/*.md5sums r, /var/log/installer/media-info r, @{run}/snapd.socket rw, owner @{run}/user/@{uid}/wayland-[0-9] rw, + owner @{run}/user/.mutter-Xwaylandauth.* rw, /tmp/[a-z0-9]* rw, /tmp/apport_core_* rw, @@ -99,6 +105,8 @@ profile apport-gtk @{exec_path} { /{usr/,}bin/iconv rix, /{usr/,}{s,}bin/* r, + /usr/share/gcc/python/**/__pycache__/{,**} rw, + /usr/share/gdb/{,**} r, /usr/share/themes/{,**} r, /usr/share/gnome-shell/{,**} r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 4a3f57beb..37ef9d7a6 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
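Review bot: `/usr/share/gcc/python/**/__pycache__/{,**} rw,` in the last apport-gtk hunk grants unqualified write access to a system-wide Python bytecode cache under /usr/share; these are presumably the libstdc++ pretty-printer modules that the `gdb rCx -> gdb` child loads (the same hunk adds `/usr/share/gdb/{,**} r`), so a compromised process could plant bytecode that a later gdb session imports. Python skips writing `__pycache__` when it cannot, so `/usr/share/gcc/python/{,**} r,` plus `deny /usr/share/gcc/python/**/__pycache__/** w,` keeps things working without the write, whichever of the main or child profile this hunk lands in. In the middle hunk, `owner @{run}/user/.mutter-Xwaylandauth.* rw` looks like it is missing the `@{uid}/` component used on the line above it — worth confirming against the audit entry it came from. The profile body starts and ends outside the hunks.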
@@ -130,6 +130,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/mime/mime.cache r, /usr/share/qemu/{,**} r, + /etc/apparmor.d/libvirt/libvirt-@{uuid} r, /etc/libvirt/{,**} rw, /etc/mdevctl.d/{,**} r, /etc/xml/catalog r, diff --git a/apparmor.d/profiles-a-f/amarok b/apparmor.d/profiles-a-f/amarok index b562dcf56..2a5bd0bd2 100644 --- a/apparmor.d/profiles-a-f/amarok +++ b/apparmor.d/profiles-a-f/amarok @@ -107,7 +107,7 @@ profile amarok @{exec_path} { owner @{HOME}/.kde{,4}/share/apps/amarok/ rw, owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/ rw, owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/ rw, - owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@[0-9a-f]* rw, + owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@@{hex} rw, owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache/[0-9]*@nocover.png rw, owner @{HOME}/.kde{,4}/share/apps/amarok/albumcovers/cache rw, diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt index 36c2cea56..3180ef655 100644 --- a/apparmor.d/profiles-a-f/findmnt +++ b/apparmor.d/profiles-a-f/findmnt @@ -7,10 +7,12 @@ abi , include @{exec_path} = /{usr/,}bin/findmnt -profile findmnt @{exec_path} flags=(complain) { +profile findmnt @{exec_path} flags=(attach_disconnected,complain) { include include + capability dac_read_search, + @{exec_path} mr, /etc/fstab r, @@ -18,5 +20,7 @@ profile findmnt @{exec_path} flags=(complain) { @{PROC}/@{pids}/mountinfo r, + deny /apparmor/.null rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 045dfdad2..a82c49dde 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -65,6 +65,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{exec_path} mr, + /{usr/,}lib/fwupd/fwupd-detect-cet rix, + /{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/gpgconf rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg, 
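Review bot: `capability dac_read_search,` in the findmnt hunk is a broad grant — when findmnt runs as root it lets it traverse and read any directory regardless of mode bits — and nothing in the hunk shows which path needed it (the visible rules are `/etc/fstab r` and `@{PROC}/@{pids}/mountinfo r`). A why-comment would help, e.g. `capability dac_read_search, # needed for: <path from audit log>` (placeholder). The profile stays in `complain`, so the grant is not enforced yet, which makes this the right moment to confirm it rather than after enforcement. The profile body starts and ends outside the hunks.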
diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build index a26157b84..da0fd3a3b 100644 --- a/apparmor.d/profiles-m-r/plocate-build +++ b/apparmor.d/profiles-m-r/plocate-build @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/plocate-build +@{exec_path} = /{usr/,}{s,}bin/plocate-build profile plocate-build @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/sddm-greeter b/apparmor.d/profiles-s-z/sddm-greeter index bf271b1ec..b05ba000d 100644 --- a/apparmor.d/profiles-s-z/sddm-greeter +++ b/apparmor.d/profiles-s-z/sddm-greeter @@ -58,9 +58,9 @@ profile sddm-greeter @{exec_path} { owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, diff --git a/apparmor.d/profiles-s-z/sddm-xsession b/apparmor.d/profiles-s-z/sddm-xsession index 13dc21b7b..a3446bdd4 100644 --- a/apparmor.d/profiles-s-z/sddm-xsession +++ b/apparmor.d/profiles-s-z/sddm-xsession @@ -121,7 +121,7 @@ profile sddm-xsession @{exec_path} { @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, - @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*[0-9a-f]* r, + @{sys}/firmware/efi/efivars/SecureBoot-@{hex}-@{hex}-@{hex}@{hex} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index e5885ce26..b098df0c4 100644 
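Review bot: The new `SecureBoot-@{hex}-@{hex}-@{hex}@{hex}` pattern in the sddm-xsession hunk keeps three hyphens and a doubled trailing `@{hex}`, reproducing the shape of the old glob rather than the name of the efivars entry, which is `SecureBoot-` followed by a vendor GUID. This same commit already uses `@{uuid}` in the libvirtd hunk, so `@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,` would state the intent and match exactly one variable. If `@{hex}` is a fixed-width pattern (I cannot see its definition), the current form may not match the real name at all. The profile body starts and ends outside the hunk.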
--- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -105,6 +105,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/pfx/**.dll rm, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/{,**} r, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/**.so* mr, + @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm, + @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix, @{run}/host/usr/bin/ldconfig rix, @{run}/host/usr/lib{,32,64}/**.so* rm, @@ -141,6 +143,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/Steam/ r, owner @{user_share_dirs}/Steam/* r, owner @{user_share_dirs}/Steam/*log* rw, + owner @{user_share_dirs}/Steam/config/config.vdf* rw, + owner @{user_share_dirs}/Steam/logs/{,*} rw, owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw, owner @{user_share_dirs}/Steam/steamapps/ r, owner @{user_share_dirs}/Steam/steamapps/common/ r, From 80a8be6d9e234d32811115a9b7564b58fe7c58e1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 11 Sep 2022 20:47:49 +0100 Subject: [PATCH 03/41] feat(profiles): move some flags definition in main.flags --- apparmor.d/groups/avahi/avahi-autoipd | 2 +- apparmor.d/groups/avahi/avahi-browse | 2 +- apparmor.d/groups/avahi/avahi-daemon | 2 +- apparmor.d/groups/avahi/avahi-publish | 2 +- apparmor.d/groups/avahi/avahi-resolve | 2 +- apparmor.d/groups/avahi/avahi-set-host-name | 2 +- apparmor.d/groups/systemd/systemd-machined | 2 +- apparmor.d/profiles-g-l/lvm | 2 +- apparmor.d/profiles-g-l/lvmconfig | 2 +- apparmor.d/profiles-g-l/lvmdump | 2 +- apparmor.d/profiles-g-l/lvmpolld | 2 +- dists/flags/main.flags | 16 ++++++++++++++++ 12 files changed, 27 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index ddb4a1f5a..c44d9adaf 100644 
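Review bot: `@{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix,` in the first steam-game hunk allows executing anything under a user-writable tree with this profile's permissions and is not `owner`-qualified, unlike the rules in the second hunk. That matches the neighbouring `**.so* mr` rules, but it is the first `x` grant on the runtime tree in this hunk, so an `owner` prefix and a comment naming the runtime helpers that need it would bound it. The `steam-launch-wrapper rm` line above it grants read and map but not exec; if steam execs it, the `x` must come from a broader rule outside the hunk. The profile body starts and ends outside the hunks.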
--- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/avahi-autoipd -profile avahi-autoipd @{exec_path} flags=(complain) { +profile avahi-autoipd @{exec_path} { include include diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 837961c3b..abdb5ba67 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/avahi-browse /{usr/,}bin/avahi-browse-domains -profile avahi-browse @{exec_path} flags=(complain) { +profile avahi-browse @{exec_path} { include include include diff --git a/apparmor.d/groups/avahi/avahi-daemon b/apparmor.d/groups/avahi/avahi-daemon index 5a972463e..e3db92e1a 100644 --- a/apparmor.d/groups/avahi/avahi-daemon +++ b/apparmor.d/groups/avahi/avahi-daemon @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/avahi-daemon -profile avahi-daemon @{exec_path} flags=(complain) { +profile avahi-daemon @{exec_path} { include include diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish index 5895d6a8f..f66e28ec5 100644 --- a/apparmor.d/groups/avahi/avahi-publish +++ b/apparmor.d/groups/avahi/avahi-publish @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/avahi-publish /{usr/,}bin/avahi-publish-address /{usr/,}bin/avahi-publish-service -profile avahi-publish @{exec_path} flags=(complain) { +profile avahi-publish @{exec_path} { include include diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index fe279ac7e..f9a55dcc1 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve 
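Review bot: Dropping `flags=(complain)` from the profile source (avahi-autoipd here, then avahi-browse, avahi-daemon, avahi-publish, avahi-resolve, avahi-set-host-name, systemd-machined, lvm, lvmconfig, lvmdump and lvmpolld) moves the decision into `dists/flags/main.flags`, which is presumably applied by the packaged `configure` build only. The `pick` script touched later in this series installs the file straight from `apparmor.d/` and adds complain only when `COMPLAIN=1`, so `pick avahi-daemon` now enforces a profile the maintainers still list as complain. Having `pick` consult `dists/flags/main.flags` for the selected profile would close that gap. The profile bodies start and end outside the hunks.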
@@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/avahi-resolve /{usr/,}bin/avahi-resolve-address /{usr/,}bin/avahi-resolve-host-name -profile avahi-resolve @{exec_path} flags=(complain) { +profile avahi-resolve @{exec_path} { include include include diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index ead18ed2e..c9b47f768 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/avahi-set-host-name -profile avahi-set-host-name @{exec_path} flags=(complain) { +profile avahi-set-host-name @{exec_path} { include include diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 6193d904c..1ee109bf1 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-machined -profile systemd-machined @{exec_path} flags=(complain) { +profile systemd-machined @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index 31cbff60b..1d5ccac2e 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/lvm -profile lvm @{exec_path} flags=(complain) { +profile lvm @{exec_path} { include include include diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig index ad5922e95..3172a4575 100644 --- a/apparmor.d/profiles-g-l/lvmconfig +++ b/apparmor.d/profiles-g-l/lvmconfig @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/lvmconfig -profile lvmconfig @{exec_path} flags=(complain) { +profile lvmconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/profiles-g-l/lvmdump index 991f25704..4b975b064 100644 --- a/apparmor.d/profiles-g-l/lvmdump 
+++ b/apparmor.d/profiles-g-l/lvmdump @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/lvmdump -profile lvmdump @{exec_path} flags=(complain) { +profile lvmdump @{exec_path} { include include include diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld index 39758a73d..ea2c8d088 100644 --- a/apparmor.d/profiles-g-l/lvmpolld +++ b/apparmor.d/profiles-g-l/lvmpolld @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/lvmpolld -profile lvmpolld @{exec_path} flags=(complain) { +profile lvmpolld @{exec_path} { include include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 804f7d4ab..e5bc95ee7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -8,6 +8,12 @@ atd complain auditctl complain auditd attach_disconnected,complain augenrules complain +avahi-autoipd complain +avahi-browse complain +avahi-daemon complain +avahi-publish complain +avahi-resolve complain +avahi-set-host-name complain busctl complain cfdisk complain cgdisk complain @@ -21,6 +27,7 @@ cockpit-ssh complain cockpit-tls complain cockpit-ws complain cockpit-wsinstance-factory complain +containerd-shim-runc-v2 attach_disconnected,complain cups-backend-beh complain cups-backend-brf complain cups-backend-dnssd complain @@ -37,6 +44,7 @@ cups-browsed complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain dkms attach_disconnected,complain +docker attach_disconnected,complain downloadhelper complain e2fsck complain etckeeper complain @@ -58,6 +66,7 @@ glib-compile-resources complain glib-genmarshal complain glib-gettextize complain glib-mkenums complain +gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain 
@@ -102,6 +111,10 @@ locale-gen complain localectl complain login complain loginctl complain +lvm complain +lvmconfig complain +lvmdump complain +lvmpolld complain lvmpolld complain machinectl complain man complain @@ -130,6 +143,7 @@ pinentry-gtk-2 complain pkttyagent complain plymouth complain plymouth-set-default-theme complain +plymouthd complain podman attach_disconnected,complain power-profiles-daemon attach_disconnected,complain prime-switch complain @@ -250,6 +264,8 @@ userdbctl complain virt-manager attach_disconnected,complain virtiofsd complain virtlockd complain +wg complain +wg-quick complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain xdg-desktop-portal attach_disconnected,complain From 5f49ffeb9463e96299bfff9d5a475ac744f93611 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 13 Sep 2022 12:23:58 +0100 Subject: [PATCH 04/41] feat: update pick to last changes. --- pick | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/pick b/pick index f9b1518b9..c5607b1af 100755 --- a/pick +++ b/pick @@ -30,10 +30,13 @@ _install_tunables() { for path in apparmor.d/tunables/*; do install -Dm0644 "$path" "/etc/apparmor.d/tunables/$(basename "$path")" done - if [[ "$DISTRIBUTION" != "arch" ]]; then - sed -i -e '/Archlinux/d' /etc/apparmor.d/tunables/extend - sed -i -e '/etc/d' /etc/apparmor.d/tunables/global - fi + case "$DISTRIBUTION" in + arch) + sed -i -e '/Debian/d' /etc/apparmor.d/tunables/extend ;; + debian|ubuntu|whonix) + sed -i -e '/Archlinux/d' /etc/apparmor.d/tunables/extend ;; + *) _die "$DISTRIBUTION is not a supported distribution." ;; + esac } _reload_apparmor() { 
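Review bot: The `@@ -102,6 +111,10 @@` hunk adds `+lvmpolld complain` immediately above an existing `lvmpolld complain` context line, so main.flags now lists lvmpolld twice; drop the added line. The file also gains entries for containerd-shim-runc-v2, docker, gnome-browser-connector-host, plymouthd, wg and wg-quick, none of which appear in this commit's diffstat — fine if those profiles already carry no in-source flags, but worth checking that `docker attach_disconnected,complain` and the others do not double up with a `flags=(...)` still present in the profile.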
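Review bot: The rewritten `_install_tunables` case no longer runs the old `sed -i -e '/etc/d' /etc/apparmor.d/tunables/global` step for non-Arch distributions; if that was obsoleted on purpose, a one-line comment in the `debian|ubuntu|whonix)` arm would save the next reader from re-adding it, and if not, the arm needs it back. The `_die` fallback for an unknown `$DISTRIBUTION` is a good addition, since the tunables would otherwise be installed half-patched.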
@@ -46,7 +49,12 @@ pick() { path="$(find apparmor.d -iname "$profile" -type f -not -path './apparmor.d/tunables/*' -not -path './apparmor.d/abstractions/*')" if [[ -f "$path" ]]; then install -Dm0644 "$path" "/etc/apparmor.d/$profile" - [[ "$COMPLAIN" == 1 ]] && _set_complain "/etc/apparmor.d/$profile" + if [[ "$COMPLAIN" == 1 ]]; then + _set_complain "/etc/apparmor.d/$profile" + fi + if [[ "$DISTRIBUTION" == debian ]]; then + sed -i -e '/abi /d' "/etc/apparmor.d/$profile" + fi fi done } From 0177b683080a052e8e43ff3b15794e72230ef073 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 13 Sep 2022 18:14:58 +0100 Subject: [PATCH 05/41] build: default to complain mode. --- PKGBUILD | 2 +- README.md | 22 ++++++++++------------ debian/rules | 2 +- 3 files changed, 12 insertions(+), 14 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index 407ff648d..71187a671 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -20,7 +20,7 @@ prepare() { git clone "$startdir" "$srcdir/$pkgname" cd "$srcdir/$pkgname" - ./configure + ./configure --complain } build() { diff --git a/README.md b/README.md index 01a0bfb41..1733bd4f6 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it ## Installation +> **Warning**: In order to not break your system, the default package configuration install all profiles in complain mode. They can be enforced later. See [Enforce Mode](#enfore_mode) + **Requirements** * An `apparmor` based linux distribution. * Base profiles and abstractions shipped with AppArmor are supposed to be @@ -62,7 +64,6 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \ --overwrite etc/apparmor.d/abstractions/trash ``` -> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) **Debian / Ubuntu** 
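Review bot: The new `if [[ "$DISTRIBUTION" == debian ]]` in `pick()` strips `abi` lines only for Debian, while `_install_tunables` in the previous hunk groups `debian|ubuntu|whonix`; either the condition should match those arms, e.g. `if [[ "$DISTRIBUTION" =~ ^(debian|ubuntu|whonix)$ ]]; then`, or a comment should say why Debian alone needs it (an older AppArmor without abi support would be the likely reason), so the next reader does not "fix" it either way. `'/abi /d'` also deletes any line merely containing `abi `; the profiles put the directive at column 0, so `'/^abi /d'` is tighter. Whether abstractions and tunables installed by this script need the same treatment I cannot tell from here — the abstractions in this series do carry `abi` lines.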
@@ -74,8 +75,6 @@ dpkg-buildpackage -b -d --no-sign sudo dpkg -i ../apparmor.d_*_all.deb ``` -> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) - **Partial install** For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables: @@ -162,18 +161,17 @@ profile, create a file `/etc/apparmor.d/local/gnome-shell` and add your rules. Then, reload the apparmor rules with `sudo systemctl restart apparmor`. -## Troubleshooting +## Enfore Mode -**Complain mode** - -On first install and for test purposes, it is recommended to pass all profiles -in *complain* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` -on Debian and add the `--complain` option to the configure script. Then build -the package as usual: -```sh -./configure --complain +The default package configuration installs all profile in *complain* mode. +You can easily swicth to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual: +```diff +- ./configure --complain ++ ./configure ``` +## Troubleshooting + **AppArmor messages** Ensure that `auditd` is installed and running on your system in order to read diff --git a/debian/rules b/debian/rules index 2772b4bc6..a2bb88e4a 100755 --- a/debian/rules +++ b/debian/rules @@ -13,7 +13,7 @@ go build ./cmd/aa-log override_dh_auto_configure: - ./configure + ./configure --complain override_dh_install: mv systemd system From 80bb01ad3cf93ed627b84634a3f93657761f70fb Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 13 Sep 2022 18:15:47 +0100 Subject: [PATCH 06/41] feat(aa-log): add bash & improve zsh completion. --- .../share/bash-completion/completions/aa-log | 26 +++++++++++++++++++ root/usr/share/zsh/site-functions/_aa-log.zsh | 17 ++++++------ 2 files changed, 35 insertions(+), 8 deletions(-) create mode 100644 root/usr/share/bash-completion/completions/aa-log diff --git a/root/usr/share/bash-completion/completions/aa-log b/root/usr/share/bash-completion/completions/aa-log new file mode 100644 index 000000000..bd367d80c --- /dev/null +++ b/root/usr/share/bash-completion/completions/aa-log @@ -0,0 +1,26 @@ +# aa-log completion + +_aa-log() { + COMPREPLY=() + local cur="${COMP_WORDS[COMP_CWORD]}" + local args=(-f -d -h) + local lastarg="${COMP_WORDS[$COMP_CWORD-1]}" + COMPREPLY+=($(compgen -W "${args[*]}" -- ${cur})) + if [[ $lastarg == "-f" ]]; then + COMPREPLY+=($(compgen -W "$(__aa_files)" -- ${cur})) + COMPREPLY+=($(compgen -o filenames -A file -- ${cur})) + else + COMPREPLY+=($(compgen -W "${args[*]}" -- ${cur})) + COMPREPLY+=($(compgen -W "$(__aa_profiles)" -- ${cur})) + fi +} + +__aa_files() { + find /var/log/audit/ -type f -printf '%P\n' | cut -d '.' -f 3 +} + +__aa_profiles() { + find -L /etc/apparmor.d -maxdepth 1 -type f -printf '%P\n' | sort +} + +complete -F _aa-log aa-log diff --git a/root/usr/share/zsh/site-functions/_aa-log.zsh b/root/usr/share/zsh/site-functions/_aa-log.zsh index 0e0603fcb..2e77a0774 100644 --- a/root/usr/share/zsh/site-functions/_aa-log.zsh +++ b/root/usr/share/zsh/site-functions/_aa-log.zsh 
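Review bot: In `_aa-log`, the `else` branch re-adds `$(compgen -W "${args[*]}" -- ${cur})` although the same candidates were already appended to `COMPREPLY` unconditionally before the `if`, so every option is offered twice; bash does not deduplicate `COMPREPLY`. Drop the first line of the `else` branch (or the unconditional one above the `if`). `${cur}` is unquoted in every `compgen` call; `"${cur}"` avoids globbing a partial word such as `*`. The `-f` branch derives log suffixes with `cut -d '.' -f 3`, which only makes sense for names of the form `audit.log.N`; a comment on `__aa_files` stating that assumption would help, e.g. `# audit logrotate names: audit.log.N -> N`.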
@@ -1,22 +1,23 @@ #compdef aa-log #autoload -_aa-log () { +_aa-log() { local IFS=$'\n' _arguments : \ - -f'[set a logfile or a prefix to the default log file]:_files' \ + -f'[set a logfile or a prefix to the default log file]:FILE:__aa_files' \ + -d'[show dbus session event]' \ -h'[display help information]' _values -C 'profile names' ${$(__aa_profiles):-""} } +__aa_files() { + find /var/log/audit/ -type f -printf '%P\n' | cut -d '.' -f 3 + _files +} + __aa_profiles() { - find -L /etc/apparmor.d -type f -printf '%P\n' \ - | sed -e '/abi/d' \ - -e '/abstractions/d' \ - -e '/local/d' \ - -e '/tunables/d' \ - | sort + find -L /etc/apparmor.d -maxdepth 1 -type f -printf '%P\n' | sort } _aa-log From 3c7dda50602e26ade9891e278283cbf49ecff007 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 13 Sep 2022 18:17:11 +0100 Subject: [PATCH 07/41] feat(profiles): allow most dbus access to gnome. --- apparmor.d/groups/gnome/gnome-shell | 70 ++--------------------------- 1 file changed, 3 insertions(+), 67 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1ff379b48..f824b4057 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
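Review bot: `__aa_files` prints the `find … | cut` output to stdout and then calls `_files`, but an `_arguments` action function only contributes candidates through `compadd` (or helpers built on it), so the log-suffix list is never offered and is instead echoed into the terminal; the previous `:_files` action worked because `_files` calls `compadd` itself. Suggested body: `compadd -- ${(f)"$(find /var/log/audit/ -type f -printf '%P\n' | cut -d '.' -f 3)"}` followed by `_files`. If I have misread how the action is invoked, please ignore, but the bash completion added in the same commit wraps the identical pipeline in `compgen -W`, which is the equivalent of what is missing here.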
@@ -47,74 +47,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), - dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} - interface=org.freedesktop.{DBus.Properties,login[0-9].*}, + dbus (send,receive) bus=system, + dbus (send,receive) bus=session, + dbus bind bus=session name=org.gnome.*, - dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.{DBus.Properties,PolicyKit[0-9].Authority} - member={CheckAuthorization,RegisterAuthenticationAgent,Changed,GetAll}, - - dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*} - interface=org.freedesktop.{DBus.Properties,Accounts*} - member={GetAll,FindUserByName,Changed,PropertiesChanged}, - - dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged}, - - dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager} - interface=org.freedesktop.{DBus.Properties,GeoClue2.Manager} - member={PropertiesChanged,AddAgent,GetAll}, - - dbus send bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects, - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetConnectionUnixUser, - - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* - interface=org.freedesktop.NetworkManager.Settings.Connection - member=GetSettings, - - dbus send bus=system path=/org/gnome/DisplayManager/Manager - interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager} - member={RegisterSession,Get,GetAll,OpenReauthenticationChannel}, - - dbus send bus=system 
path=/net/hadess/{PackageKit,PowerProfiles,SwitcherooControl} - interface=org.freedesktop.DBus.Properties - member=GetAll, - - dbus send bus=system path=/net/reactivated/Fprint/Manager - interface=net.reactivated.Fprint.Manager - member=GetDefaultDevice, - - dbus send bus=system path=/org/freedesktop/NetworkManager{,/AgentManager} - interface=org.freedesktop.NetworkManager{,.AgentManager} - member={Unregister,RegisterWithCapabilities,GetPermissions}, - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=CheckPermissions, - - dbus receive bus=system path=/org/freedesktop/NetworkManager/{Devices,DHCP{4,6}Config,IP{4,6}Config}/[0-9]* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged, - - dbus receive bus=system - path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent - interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent - member=BeginAuthentication, - @{exec_path} mr, /{usr/,}bin/Xwayland rPx, From c242a59996937b6ea933f1cbe8145159611653d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 13 Sep 2022 18:19:42 +0100 Subject: [PATCH 08/41] fix(profiles): remove not yet commited profiles from flag definition. --- dists/flags/main.flags | 64 ------------------------------------------ 1 file changed, 64 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e5bc95ee7..d64674c06 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -14,7 +14,6 @@ avahi-daemon complain avahi-publish complain avahi-resolve complain avahi-set-host-name complain -busctl complain cfdisk complain cgdisk complain cockpit-askpass complain 
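Review bot: `dbus (send,receive) bus=system,` and `dbus (send,receive) bus=session,` carry no `path=`, `interface=`, `member=` or `peer=` qualifier, so once this profile leaves complain mode (main.flags lists it as `attach_disconnected,complain`) gnome-shell may call any method on any service on both buses; the deleted lines show the much narrower set that was actually observed, including polkit `CheckAuthorization`/`RegisterAuthenticationAgent` and NetworkManager `GetSettings`. Only `dbus bind bus=session name=org.gnome.*` remains scoped. If the blanket rules are a deliberate trade-off for gnome-shell's breadth, say so in the profile, e.g. `# Unrestricted bus access on purpose: gnome-shell talks to too many services to enumerate; tighten with peer= once the audit log is quiet.`, so the next reader does not take them for an oversight. The `gnome-shell` profile body continues on both sides of this hunk.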
@@ -63,10 +62,6 @@ gdm-x-session attach_disconnected,complain gdm-xsession complain git complain glib-compile-resources complain -glib-genmarshal complain -glib-gettextize complain -glib-mkenums complain -gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain @@ -74,27 +69,15 @@ gnome-disks complain gnome-music complain gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-session complain -gnome-session-custom-session complain -gnome-session-inhibit complain -gnome-session-quit complain gnome-shell attach_disconnected,complain -gnome-shell-extension-prefs complain -gnome-shell-extension-tool complain -gnome-shell-hotplug-sniffer complain -gnome-shell-perf-helper complain -gnome-shell-perf-tool complain -gnome-shell-portal-helper complain gnome-system-monitor attach_disconnected,complain gnome-terminal-server complain -gnome-tweak-tool-lid-inhibitor complain gnome-tweaks complain gpg complain gsd-media-keys attach_disconnected,complain gsd-print-notifications attach_disconnected,complain gsd-printer attach_disconnected,complain gvfsd-dav complain -homectl complain hostnamectl complain ibus-engine-table complain ibus-memconf complain @@ -108,15 +91,12 @@ lastlog complain libvirt-dbus complain libvirtd attach_disconnected,complain locale-gen complain -localectl complain login complain -loginctl complain lvm complain lvmconfig complain lvmdump complain lvmpolld complain lvmpolld complain -machinectl complain man complain mdevctl complain mke2fs complain @@ -129,11 +109,9 @@ nautilus complain needrestart attach_disconnected,complain needrestart-iucode-scan-versions complain networkd-dispatcher complain -nfsdcld complain nft complain nmap complain nullmailer-send complain -oomctl complain pass complain pass-import complain pinentry complain 
@@ -144,11 +122,8 @@ pkttyagent complain plymouth complain plymouth-set-default-theme complain plymouthd complain -podman attach_disconnected,complain power-profiles-daemon attach_disconnected,complain -prime-switch complain qemu-ga complain -qrencode complain repo complain resolvconf complain run-parts complain @@ -166,7 +141,6 @@ snap-update-ns complain snapd complain spice-vdagent complain spice-vdagentd attach_disconnected,complain -splunkforwarder complain ss complain ssh complain sshd attach_disconnected,complain @@ -187,31 +161,13 @@ sysctl complain systemd-analyze complain systemd-ask-password complain systemd-binfmt attach_disconnected,complain -systemd-bless-boot complain -systemd-boot-check-no-failures complain -systemd-cat complain systemd-cgls complain -systemd-cgroups-agent systemd-cgtop complain systemd-coredump attach_disconnected,complain -systemd-dissect complain systemd-environment-d-generator complain systemd-escape complain -systemd-export complain -systemd-growfs complain -systemd-hibernate-resume complain -systemd-homed complain -systemd-homework complain systemd-hostnamed attach_disconnected,complain systemd-hwdb attach_disconnected,complain -systemd-id128 complain -systemd-import complain -systemd-import-fs complain -systemd-importd complain -systemd-inhibit -systemd-journal-gatewayd complain -systemd-journal-remote complain -systemd-journal-upload complain systemd-localed attach_disconnected,complain systemd-logind attach_disconnected,complain systemd-machine-id-setup complain 
@@ -219,41 +175,23 @@ systemd-machined complain systemd-makefs complain systemd-modules-load complain systemd-mount complain -systemd-network-generator complain -systemd-notify complain systemd-oomd attach_disconnected,complain systemd-path complain systemd-portabled complain -systemd-pstore complain -systemd-pull complain -systemd-quotacheck complain systemd-random-seed complain systemd-remount-fs complain -systemd-repart complain -systemd-reply-password complain systemd-resolve complain systemd-resolved attach_disconnected,complain -systemd-run complain systemd-sleep complain -systemd-socket-activate complain -systemd-socket-proxyd complain -systemd-stdio-bridge complain -systemd-sulogin-shell complain -systemd-sysext complain -systemd-time-wait-sync complain systemd-timedated attach_disconnected,complain systemd-tty-ask-password-agent complain systemd-update-done complain systemd-update-utmp complain systemd-user-runtime-dir complain systemd-user-sessions complain -systemd-userdbd complain -systemd-userwork complain systemd-vconsole-setup complain -systemd-xdg-autostart-condition complain systemd-xdg-autostart-generator complain tailscaled complain -timedatectl complain tracker-extract complain udisksctl complain udisksd attach_disconnected,complain @@ -262,8 +200,6 @@ umount.udisks2 complain uptimed complain userdbctl complain virt-manager attach_disconnected,complain -virtiofsd complain -virtlockd complain wg complain wg-quick complain xdg-dbus-proxy attach_disconnected,complain From a47278b89cddc6b5a2d04bfad544969c4430127b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 13 Sep 2022 18:28:27 +0100 Subject: [PATCH 09/41] doc: recommand using the AUR to install on Archlinux. --- README.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 1733bd4f6..59607f5ee 100644 --- a/README.md +++ b/README.md 
@@ -44,7 +44,7 @@ This is fundamentally different from how AppArmor is used on Linux server as it ## Installation -> **Warning**: In order to not break your system, the default package configuration install all profiles in complain mode. They can be enforced later. See [Enforce Mode](#enfore_mode) +> **Warning**: In order to not break your system, the default package configuration install all profiles in complain mode. They can be enforced later. See [Enforce Mode](#enfore-mode) **Requirements** * An `apparmor` based linux distribution. @@ -55,8 +55,10 @@ This is fundamentally different from how AppArmor is used on Linux server as it **Archlinux** -Build and install the package with: +`apparmor.d-git` is available in the [Arch User Repository][aur]: ```sh +git clone https://aur.archlinux.org/apparmor.d-git.git +cd apparmor.d-git makepkg -s sudo pacman -U apparmor.d-*.pkg.tar.zst \ --overwrite etc/apparmor.d/tunables/global \ @@ -64,13 +66,17 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \ --overwrite etc/apparmor.d/abstractions/trash ``` +> **Note**: The overwrite options are only required on the first install. You can use `yay` or your preferred AUR install method to update it. + +The `PKGBUILD` included in this repository is intended for development only. **Debian / Ubuntu** Build using standard Debian package build tools: ```sh sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git -git clone https://github.com/roddhjav/apparmor.d.git && cd apparmor.d +git clone https://github.com/roddhjav/apparmor.d.git +cd apparmor.d dpkg-buildpackage -b -d --no-sign sudo dpkg -i ../apparmor.d_*_all.deb ``` 
@@ -164,7 +170,7 @@ Then, reload the apparmor rules with `sudo systemctl restart apparmor`. ## Enfore Mode The default package configuration installs all profile in *complain* mode. -You can easily swicth to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual: +You can easily switch to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual: ```diff - ./configure --complain + ./configure @@ -254,6 +260,7 @@ with this program; if not, write to the Free Software Foundation, Inc., [quality]: https://img.shields.io/badge/go%20report-A+-brightgreen.svg?style=flat-square [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d +[aur]: https://aur.archlinux.org/packages/apparmor.d-git [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles From 4920922394b515f271e798826dbc0b8733e1017b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 13 Sep 2022 18:39:41 +0100 Subject: [PATCH 10/41] feat(profiles): add busctl. --- apparmor.d/groups/systemd/busctl | 16 ++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 17 insertions(+) create mode 100644 apparmor.d/groups/systemd/busctl diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl new file mode 100644 index 000000000..e7841b7df --- /dev/null +++ b/apparmor.d/groups/systemd/busctl 
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/busctl
+profile busctl @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d64674c06..68d66e12b 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -14,6 +14,7 @@ avahi-daemon complain
 avahi-publish complain
 avahi-resolve complain
 avahi-set-host-name complain
+busctl complain
 cfdisk complain
 cgdisk complain
 cockpit-askpass complain
From a432d656c839aedcd440bd0d403aa81903480047 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 Sep 2022 11:21:33 +0100 Subject: [PATCH 11/41] feat(profiles): add sbctl.
---
 apparmor.d/profiles-s-z/sbctl | 36 +++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 37 insertions(+) create mode 100644 apparmor.d/profiles-s-z/sbctl
diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl new file mode 100644
index 000000000..dcfd7c1e0
--- /dev/null
+++ b/apparmor.d/profiles-s-z/sbctl
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/sbctl
+profile sbctl @{exec_path} {
+ include
+
+ capability dac_read_search,
+ capability linux_immutable,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/lsblk rPx,
+
+ /usr/share/secureboot/{,**} rw,
+
+ /{boot,efi}/{,**} r,
+ /{boot,efi}/EFI/{,**} rw,
+ /{usr/,}lib/fwupd/efi/{,**} rw,
+ /boot/vmlinuz-linux* rw,
+
+ @{sys}/firmware/efi/efivars/db-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/PK-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
+ @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 68d66e12b..717b33b7b 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -130,6 +130,7 @@ resolvconf complain
 run-parts complain
 runuser complain
 s3fs complain
+sbctl complain
 scrcpy complain
 sftp-server complain
 slirp4netns attach_disconnected,complain
From cc7dd22244bce50776d74764bbe3296208a22717 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 Sep 2022 11:22:19 +0100 Subject: [PATCH 12/41] build: make the complain mode faster to enable.
---
 configure | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/configure b/configure
index 913517bf9..7f0d971a0 100755
--- a/configure
+++ b/configure
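Review bot: The profile grants write on the Secure Boot key variables (`db-`, `KEK-` and `PK-@{uuid}` rw) and on `/usr/share/secureboot/{,**}`, plus `capability linux_immutable` and `capability dac_read_search`, with no comment on why; these are exactly the lines a reader will question, so annotate them: `# efivars are created immutable; sbctl clears the flag before writing` on the `linux_immutable` line and `# sbctl key store (presumably holds the private signing keys - confirm)` on the `/usr/share/secureboot` line. The need for `dac_read_search` is not apparent from the profile (sbctl is expected to run as root), so it deserves a comment or removal if the audit log does not show it. `/boot/vmlinuz-linux*` is an Arch kernel name; kernels named differently under `/boot/` only get `r` from the `/{boot,efi}/{,**}` rule, which is fine if intentional. The profile is registered as `complain` in main.flags, so none of this is enforced yet.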
@@ -112,18 +112,39 @@ flags() { done } -# Set complain flag on all profile (Dev only) -complain() { - _msg "Set complain flag on all profiles" - for path in "${ROOT:?}/apparmor.d/"*; do - [[ -d "$path" ]] && continue +# Internal complain process +_complain() { + local start="$1" end="$2"; shift 2 + files=("$@") + ii="$start" + while [[ $ii -le $end && $ii -lt $len ]]; do + path="${files[$ii]}" + (( ii = ii + 1 )) + [[ -f "$path" ]] || continue flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)" [[ "$flags" =~ complain ]] && continue - echo -n . sed -e "s/flags=(.*)//" \ -e "s/ {$/ flags=(complain $flags) {/" \ -i "$path" done +} + +# Set complain flag on all profile (Dev only) +complain() { + local len nprof nproc + _msg "Set complain flag on all profiles" + mapfile -t files < <(find "${ROOT:?}/apparmor.d" -type f) + len="${#files[@]}" + nproc=$(nproc) + (( nprof = len/nproc + 1 )) + start=0 + end=$nprof + for ((ii = 0 ; ii < nproc ; ii++)); do + _complain $start $end "${files[@]}" & + (( start = end + 1 )) + (( end = end + nprof )) + done + wait echo } From 0667c43be6579ca693200edf68d14ec8fe3959f4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 Sep 2022 12:48:30 +0100 Subject: [PATCH 13/41] build: track abstractions/trash as overwrittenfile. --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 7f0d971a0..802c43a40 100755 --- a/configure +++ b/configure @@ -76,7 +76,8 @@ configure() { sed -i -e '/Archlinux/d' "$ROOT/apparmor.d/tunables/extend" _msg "Displace overwritten files." - _displace_files apparmor.d/tunables/global apparmor.d/tunables/xdg-user-dirs + _displace_files apparmor.d/tunables/global \ + apparmor.d/tunables/xdg-user-dirs apparmor.d/abstractions/trash ;; @@ -145,7 +146,6 @@ complain() { (( end = end + nprof )) done wait - echo } # Set AppArmor for full system policy From fcee586e9ef4f4b4296eb6dd259dd019df57c7ae Mon Sep 17 00:00:00 2001 
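Review bot: `mapfile -t files < <(find "${ROOT:?}/apparmor.d" -type f)` recurses into `abstractions/`, `tunables/`, `local/` and `abi/`, whereas the replaced loop over `"${ROOT:?}/apparmor.d/"*` skipped directories and only touched top-level files; the `sed -e "s/ {$/ flags=(complain $flags) {/"` will now rewrite any line ending in ` {` inside those files as well (a `profile … {` header in an abstraction, if any has one, would get a flags clause). Keep the old scope with `mapfile -t files < <(find "${ROOT:?}/apparmor.d" -maxdepth 1 -type f)`. Two smaller points: `_complain` reads `len` from the caller's `local` scope, which only works because each call runs as a background subshell, and `wait` discards the workers' exit codes, so a failing `sed` no longer fails `configure`; `local ii path flags files` in `_complain` and a per-worker `wait "$pid" || _die …` would make both explicit. `flags()` before this hunk is unaffected.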
From: beroal Date: Sat, 24 Sep 2022 14:13:21 +0300 Subject: [PATCH 14/41] viewing DjVu and PostScript files (#78) --- apparmor.d/profiles-a-f/evince | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 0190d4190..de2ea0967 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -24,12 +24,15 @@ profile evince @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gio-launch-desktop rPx, + /usr/share/djvu/{,**} r, /usr/share/evince/{,**} r, + /usr/share/ghostscript/{,**} r, /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, /usr/share/themes/{,**} r, owner @{user_share_dirs}/ r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/thumbnails/{,**} rw, owner @{user_config_dirs}/evince/{,*} rw, @@ -42,5 +45,7 @@ profile evince @{exec_path} { /dev/tty rw, + deny /{usr/,}lib/ r, # asks when viewing PostScript files + include if exists } From ae6cecde52c31116ebd3bed080527a1228f65449 Mon Sep 17 00:00:00 2001 
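Review bot: `owner @{user_share_dirs}/gvfs-metadata/{,*} r,` is added here as an allow, while the next commit in this series (`feat(profiles): deny gvfs-metadata when possible`) converts the same rule to `deny owner … r,` in more than twenty profiles and leaves evince untouched, so evince ends up the odd one out. If evince only probes the metadata store the way the others do, make it `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` for consistency; if evince genuinely needs it, a short comment saying so would stop someone "fixing" it later. The `evince` profile continues on both sides of this hunk.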
From: Alexandre Pujol Date: Sat, 24 Sep 2022 17:59:20 +0100 Subject: [PATCH 15/41] feat(profiles): deny gvfs-metadata when possible. --- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 4 ++-- apparmor.d/groups/freedesktop/xdg-mime | 3 ++- apparmor.d/groups/gnome/evolution-source-registry | 3 ++- apparmor.d/groups/gnome/gnome-control-center | 3 ++- apparmor.d/groups/gnome/gnome-extension-ding | 5 ++--- apparmor.d/groups/gnome/gnome-music | 3 ++- apparmor.d/groups/gnome/gnome-shell | 3 ++- apparmor.d/groups/gnome/gnome-system-monitor | 4 ++-- apparmor.d/groups/gnome/gnome-tweaks | 3 ++- apparmor.d/groups/gnome/tracker-extract | 1 - apparmor.d/groups/network/mullvad-gui | 4 +++- apparmor.d/groups/ubuntu/update-manager | 3 ++- apparmor.d/profiles-a-f/atril | 5 ++--- apparmor.d/profiles-a-f/blueman | 4 ++-- apparmor.d/profiles-a-f/engrampa | 3 ++- apparmor.d/profiles-a-f/font-manager | 2 +- apparmor.d/profiles-g-l/hostname | 2 ++ apparmor.d/profiles-s-z/steam | 2 +- apparmor.d/profiles-s-z/steam-fossilize | 3 ++- apparmor.d/profiles-s-z/steam-game | 4 ++-- apparmor.d/profiles-s-z/steam-gameoverlayui | 3 ++- apparmor.d/profiles-s-z/steam-reaper | 3 ++- apparmor.d/profiles-s-z/virt-manager | 2 +- 23 files changed, 42 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 4585ecf35..5f7aeec13 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -13,8 +13,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw, 
@@ -25,5 +23,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { /dev/dri/card[0-9]* rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 139a09699..771679da9 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -39,7 +39,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, owner @{user_config_dirs}/mimeapps.list{,.new} rw, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/user/@{uid}/ r, @@ -60,6 +59,8 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { deny /{usr/,}bin/dbus-launch rx, deny /{usr/,}bin/dbus-send rx, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + profile dbus { include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 0280ccf30..463470b2d 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -27,11 +27,12 @@ profile evolution-source-registry @{exec_path} { owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/evolution/{,**} rwk, @{PROC}/sys/kernel/osrelease r, @{PROC}/cmdline r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c15aca6f0..4619ca5cc 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -91,7 +91,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]} r, owner @{user_config_dirs}/mimeapps.list.* rw, owner @{user_share_dirs}/backgrounds/{,**} rw, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/sounds/__custom/{,*} rw, owner @{user_share_dirs}/webkitgtk/{,**} r, @@ -148,5 +147,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /dev/media[0-9]* r, /dev/video[0-9]* rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 3db55197d..c2c118a96 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -60,12 +60,11 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/nautilus/scripts/ r, - owner @{user_share_dirs}/gvfs-metadata/home r, - owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 19c42c252..cfd50ca05 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -45,7 +45,6 @@ profile gnome-music @{exec_path} { owner @{user_cache_dirs}/media-art/album-*.jpeg rw, owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r, owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, 
@@ -54,5 +53,7 @@ profile gnome-music @{exec_path} { owner @{PROC}/@{pid}/mounts r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f824b4057..93e434a14 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -118,7 +118,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, owner @{user_cache_dirs}/gnome-boxes/*.png r, @@ -203,5 +202,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /dev/input/event[0-9]* rw, /dev/tty[0-9]* rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a24ecee82..31aeb1208 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -37,8 +37,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/desktop/icons/ r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - owner @{run}/user/@{uid}/doc/ rw, @{run}/systemd/sessions/* r, @@ -69,5 +67,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/wchan r, @{PROC}/vmstat r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index cfe4e9d6f..e8bd2935f 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks 
@@ -33,11 +33,12 @@ profile gnome-tweaks @{exec_path} { owner @{user_config_dirs}/autostart/*.desktop r, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/recently-used.xbel* rw, owner @{user_share_dirs}/sounds/ r, owner @{PROC}/@{pid}/fd/ r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 99799a9c4..979be8317 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -48,7 +48,6 @@ profile tracker-extract @{exec_path} { owner /tmp/*/{,**} r, owner @{user_cache_dirs}/tracker3/files/{,**} rwk, - owner @{user_share_dirs}/gvfs-metadata/** r, owner /tmp/tracker-extract-3-files.*/{,*} rw, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 0ca97d327..426890f4b 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -46,7 +46,7 @@ profile mullvad-gui @{exec_path} { /var/lib/dbus/machine-id r, owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk, - owner @{user_share_dirs}/gvfs-metadata/* r, + owner @{user_cache_dirs}/dconf/user rw, owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, @@ -73,5 +73,7 @@ profile mullvad-gui @{exec_path} { /dev/tty rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 32f2e4f21..ce4818eba 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
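Review bot: tracker-extract is the only profile in this commit where `owner @{user_share_dirs}/gvfs-metadata/** r,` is removed without a matching `deny owner …` rule, so the access is still refused but every attempt will now be logged as an implicit denial instead of silenced by an explicit `deny` like the other profiles. If that is intentional (tracker-extract genuinely indexes the metadata store, hence "when possible" in the subject), keep the allow instead; otherwise add `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` next to the other rules. Note for the whole commit that explicit `deny` rules are enforced even in complain mode, so these additions change behaviour on profiles that main.flags still lists as complain. The `tracker-extract` profile continues on both sides of this hunk.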
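Review bot: The new rule `deny owner @{user_share_dirs}/gvfs-metadata/* r,` in mullvad-gui uses `/*` where every other profile in this commit uses `/{,*}`, so the directory itself is not covered and a read of `gvfs-metadata/` will still surface as an audit message; use `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` for consistency. The first mullvad-gui hunk also replaces the old allow with `owner @{user_cache_dirs}/dconf/user rw,`, an unrelated new grant not mentioned in the subject that would be easier to audit in its own commit or with a comment. The `mullvad-gui` profile body continues outside both hunks.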
@@ -87,7 +87,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /var/lib/update-manager/{,**} rw, owner @{user_cache_dirs}/update-manager-core/{,**} rw, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @@ -99,5 +98,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index bc7b93e82..e76a019d7 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -73,9 +73,6 @@ profile atril @{exec_path} { owner @{user_cache_dirs}/atril/{,**} rw, - owner @{user_share_dirs}/gvfs-metadata/home r, - owner @{user_share_dirs}/gvfs-metadata/home-*.log r, - owner /tmp/gtkprint_* rw, owner /tmp/settings*.ini rw, owner /tmp/settings*.ini.* rw, @@ -95,5 +92,7 @@ profile atril @{exec_path} { owner /tmp/atril-@{pid}/*/content.opf rw, owner /tmp/atril-@{pid}/*/META-INF/calibre_bookmarks.txt rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 551c87d67..fc4013421 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -56,8 +56,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/obexd/ rw, owner @{user_cache_dirs}/obexd/* rw, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{PROC}/@{pid}/fd/ r, @@ -69,6 +67,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, /dev/tty rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + profile open { include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index ce8dbeff1..f37fc6991 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa 
@@ -117,7 +117,6 @@ profile engrampa @{exec_path} { owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, /usr/share/engrampa/{,**} r, @@ -148,6 +147,8 @@ profile engrampa @{exec_path} { # file_inherit owner /dev/tty[0-9]* rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + profile open { include include diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 8bf1bb58b..aab78cc28 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -47,7 +47,6 @@ profile font-manager @{exec_path} { owner "@{user_share_dirs}/fonts/Google Fonts/**" rw, owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, @@ -63,6 +62,7 @@ profile font-manager @{exec_path} { # Silencer owner /var/cache/fontconfig/ w, deny /var/cache/fontconfig/ w, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 4e0d4de6f..15075dc3a 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -20,5 +20,7 @@ profile hostname @{exec_path} { @{run}/resolvconf/resolv.conf r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 22857ba5d..a529e7f3b 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -121,7 +121,6 @@ profile steam @{exec_path} { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/applications/*.desktop w, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw, owner @{user_share_dirs}/Steam/ rw, owner @{user_share_dirs}/Steam/** rwkl -> @{user_share_dirs}/Steam/**, 
@@ -203,6 +202,7 @@ profile steam @{exec_path} { /dev/uinput w, audit deny /**.steam_exec_test.sh rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize index 8b3236796..86202bd42 100644 --- a/apparmor.d/profiles-s-z/steam-fossilize +++ b/apparmor.d/profiles-s-z/steam-fossilize @@ -26,7 +26,6 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/ rw, owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/** rwk, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, @@ -40,5 +39,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @{PROC}/pressure/io r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index b098df0c4..3ea772b0d 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -155,8 +155,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk, owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - @{run}/host/fonts/{,**} r, @{run}/host/share/{,**} r, @{run}/host/usr/{,**} r, @@ -223,5 +221,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { /dev/input/ r, /dev/tty rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index affe238d1..659d63ee5 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui 
@@ -32,7 +32,6 @@ profile steam-gameoverlayui @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.steam/registry.vdf rk, owner @{HOME}/.steam/steam.pipe r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/Steam/{,**} r, owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw, owner @{user_share_dirs}/Steam/public/* rk, @@ -55,5 +54,7 @@ profile steam-gameoverlayui @{exec_path} { @{PROC}/version r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } diff --git a/apparmor.d/profiles-s-z/steam-reaper b/apparmor.d/profiles-s-z/steam-reaper index 30953a570..ee50df52e 100644 --- a/apparmor.d/profiles-s-z/steam-reaper +++ b/apparmor.d/profiles-s-z/steam-reaper @@ -23,11 +23,12 @@ profile steam-reaper @{exec_path} { owner @{HOME}/.steam/steam.pipe r, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw, owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 104756567..467fce94e 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -69,7 +69,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/virt-manager/ rw, owner @{user_cache_dirs}/virt-manager/** rw, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, # For disk images @{MOUNTS}/ r, @@ -103,6 +102,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { # Silence the noise deny /usr/share/virt-manager/{,**} w, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } From f2989321ebf12bd84fdb108ba4869719853d227d Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 24 Sep 2022 18:06:06 +0100 Subject: [PATCH 16/41] feat(profiles): general update. --- apparmor.d/groups/apt/command-not-found | 9 +++++++-- apparmor.d/groups/browsers/firefox | 3 ++- apparmor.d/groups/freedesktop/polkitd | 6 +++--- apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 + apparmor.d/groups/freedesktop/xdg-email | 4 +++- .../groups/freedesktop/xdg-user-dirs-gtk-update | 1 + apparmor.d/groups/gnome/gio-launch-desktop | 2 +- apparmor.d/groups/gnome/gnome-control-center | 1 + apparmor.d/groups/gnome/gnome-extension-ding | 1 + apparmor.d/groups/gnome/gnome-shell | 3 ++- apparmor.d/groups/gnome/gnome-terminal-server | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 6 ++++++ apparmor.d/groups/gnome/gsd-sharing | 4 ++++ apparmor.d/groups/gnome/tracker-extract | 4 ++++ apparmor.d/groups/gvfs/gvfsd | 1 + apparmor.d/groups/gvfs/gvfsd-fuse | 1 + apparmor.d/groups/gvfs/gvfsd-metadata | 1 + apparmor.d/groups/gvfs/gvfsd-trash | 1 + apparmor.d/groups/network/mullvad-daemon | 10 +++++++++- apparmor.d/groups/network/tailscaled | 7 +++++-- apparmor.d/groups/pacman/pacman | 3 ++- apparmor.d/groups/ubuntu/check-new-release-gtk | 1 + apparmor.d/groups/ubuntu/livepatch-notification | 1 + apparmor.d/groups/ubuntu/software-properties-dbus | 1 + apparmor.d/groups/ubuntu/update-notifier | 4 ++++ apparmor.d/groups/virt/libvirtd | 14 +++++++++----- apparmor.d/profiles-a-f/blueman | 3 ++- apparmor.d/profiles-g-l/git | 1 + apparmor.d/profiles-g-l/glxinfo | 5 +++-- apparmor.d/profiles-g-l/gtk-update-icon-cache | 6 +++++- apparmor.d/profiles-g-l/lspci | 2 +- apparmor.d/profiles-m-r/mtools | 2 ++ apparmor.d/profiles-s-z/snap | 5 +++-- apparmor.d/profiles-s-z/snap-seccomp | 4 ++-- apparmor.d/profiles-s-z/spice-vdagent | 9 +++++++++ apparmor.d/profiles-s-z/steam | 11 +++++++++-- apparmor.d/profiles-s-z/steam-game | 13 ++++++++++--- 37 files changed, 120 insertions(+), 32 deletions(-) 
diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 0af31a95f..27a870fdc 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,19 +12,23 @@ include @{exec_path} += /{usr/,}lib/command-not-found profile command-not-found @{exec_path} { include - include - include include + include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/snap rPx, /var/lib/command-not-found/commands.db rwk, /usr/share/command-not-found/{,**} r, + owner @{PROC}/@{pid}/fd/ r, + # Silencer deny /usr/lib/ r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index f2421d3af..2ae6c0533 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -251,10 +251,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_score_adj w, owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny owner @{PROC}/@{pid}/smaps r, deny owner @{PROC}/@{pid}/stat r, deny owner @{PROC}/@{pid}/statm r, diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index b88b613ca..341e0300b 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
@@ -22,8 +22,8 @@ profile polkitd @{exec_path} { ptrace (read), - dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* - interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/* + interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -31,7 +31,7 @@ profile polkitd @{exec_path} { peer=(name=org.freedesktop.DBus), dbus (bind) bus=system - name=org.freedesktop.PolicyKit[0-9], + name=org.freedesktop.PolicyKit1, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 322257051..0f116b010 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -49,6 +49,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { # Allowed apps to open /{usr/,}bin/firefox rPx -> firefox, + /{usr/,}bin/nautilus rPx, / r, /.flatpak-info r, diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index 8fc5ecc72..5de0dd912 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -14,8 +14,10 @@ profile xdg-email @{exec_path} flags=(complain) { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gio rPx, /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/gio rPx, + /{usr/,}bin/readlink rix, /{usr/,}bin/sed rix, /{usr/,}bin/which rix, /{usr/,}bin/xdg-mime rPx, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 04af0cbab..d3adb24c8 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update 
@@ -13,6 +13,7 @@ profile xdg-user-dirs-gtk-update @{exec_path} { @{exec_path} mr, + owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 8214e4ba0..e28c11b0a 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 4619ca5cc..a8789538f 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/bwrap rPUx, /{usr/,}bin/openvpn rPx, /{usr/,}bin/passwd rPx, + /{usr/,}bin/software-properties-gtk rPx, /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix, /usr/share/language-tools/language2locale rix, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index c2c118a96..122ac39a2 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js profile gnome-extension-ding @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 93e434a14..f6931ba90 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -164,13 +164,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* @{run}/udev/data/n[0-9]* r, + @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/hwmon/ r, @{sys}/class/input/ r, @{sys}/class/net/ r, @{sys}/class/power_supply/ r, - @{sys}/**/uevent r, @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r, @{sys}/devices/**/hwmon/{,name,temp*,fan*} r, @@ -180,6 +180,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/drm/ r, @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r, @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r, @{sys}/devices/system/cpu/possible r, @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 20ca500e2..10efb895c 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -17,6 +17,7 @@ profile gnome-terminal-server @{exec_path} { include signal (send) set=(term hup kill) peer=unconfined, + ptrace (read) peer=unconfined, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index cf9a4654e..152ef7a07 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications 
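Review bot: `ptrace (read) peer=unconfined,` in gnome-terminal-server is an undocumented broadening: read-ptrace lets the server inspect /proc of any unconfined process, not only the shells it spawns, and nothing in the hunk records why it is needed. A why-comment on the rule would let the next maintainer judge whether a narrower peer is possible, e.g. `# presumably to read the cwd/exe of the spawned shell — confirm against the denial`. If a specific denied path triggered the rule, quoting it in the comment would be better still.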
@@ -38,6 +38,12 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.Avahi.Server member=StateChanged, + dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/*} + interface={org.freedesktop.DBus.Properties,org.gnome.SessionManager}, + + dbus bind bus=session + name=org.gnome.SettingsDaemon.PrintNotifications, + @{exec_path} mr, @{libexec}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 0973a395b..16c4c3e50 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -36,6 +36,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.NetworkManager member=CheckPermissions, + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]* + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged, + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 979be8317..938d6f331 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -59,6 +59,8 @@ profile tracker-extract @{exec_path} { @{run}/udev/data/c51[0-9]:[0-9]* r, @{run}/mount/utab r, + @{sys}/devices/system/cpu/possible r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, @@ -67,5 +69,7 @@ profile tracker-extract @{exec_path} { /dev/media[0-9]* r, /dev/video[0-9]* rw, + deny owner @{user_share_dirs}/gvfs-metadata/** r, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 18f55c822..01da7aa17 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd profile gvfsd @{exec_path} { include + include include @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index eff619259..9ea20cfa9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-fuse profile gvfsd-fuse @{exec_path} { include + include include unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index fb46ee851..3d0c16962 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-metadata profile gvfsd-metadata @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 7b2913f15..7cc4cab82 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd-trash profile gvfsd-trash @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 4f7fe0cc7..0b94c533f 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -7,7 +7,7 @@ abi , include @{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon" -profile mullvad-daemon @{exec_path} { +profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include include @@ -29,6 +29,9 @@ profile mullvad-daemon @{exec_path} { @{exec_path} mr, + /{usr/,}bin/ip rix, + + "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*" r, /etc/mullvad-vpn/{,*} r, 
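Review bot: `/{usr/,}bin/ip rix,` and `"/opt/Mullvad VPN/resources/openvpn" rix,` run both helpers inside the mullvad-daemon profile, so the bundled openvpn inherits everything the daemon holds, including the `/dev/net/tun rw` and the `@{PROC}/sys/net/...` write added in the next hunk. If the repository already ships an `ip` profile, `rPx` would keep that transition confined on its own terms, and a child profile (`rCx -> openvpn`) for the bundled binary would bound what a misbehaving OpenVPN process can reach. At minimum a comment such as `# bundled openvpn runs under the daemon's own profile (rix)` makes the trust decision explicit. The mullvad-daemon profile body continues outside this hunk.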
@@ -47,8 +50,13 @@ profile mullvad-daemon @{exec_path} { @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + owner /tmp/@{uuid} rw, + owner /tmp/talpid-openvpn-@{uuid} rw, + owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, + /dev/net/tun rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 6025ed127..3bdef0d68 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{,s}bin/tailscaled -profile tailscaled @{exec_path} { +profile tailscaled @{exec_path} flags=(attach_disconnected) { include include include @@ -22,6 +22,8 @@ profile tailscaled @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network inet raw, + network inet6 raw, network netlink raw, ptrace (read), @@ -39,8 +41,9 @@ profile tailscaled @{exec_path} { /etc/resolv.conf rw, /etc/resolv.conf.*.tmp rw, - owner /var/lib/tailscale/{,**} rw, owner @{run}/tailscale/{,**} rw, + owner /var/cache/{,**} rw, + owner /var/lib/tailscale/{,**} rw, @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 81ba8b56a..29684946b 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -91,6 +91,7 @@ profile pacman @{exec_path} { /{usr/,}bin/mkinitcpio rPx, /{usr/,}bin/pacdiff rPx, /{usr/,}bin/pacman-key rPx, + /{usr/,}bin/sbctl rPx, /{usr/,}bin/sysctl rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemd-* rPx, 
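Review bot: `owner /var/cache/{,**} rw,` in tailscaled grants read-write on the entire /var/cache tree; because the daemon runs as root, `owner` matches every root-owned file there (package and font caches included), which is far wider than the daemon's own cache. If the denial that motivated it was for tailscaled's own directory, `owner /var/cache/tailscale/{,**} rw,` should cover it — confirm the exact path against the log before narrowing. The new `network inet raw,` and `network inet6 raw,` rules appear consistent with a VPN daemon that sends its own probes and look fine.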
@@ -121,7 +122,7 @@ profile pacman @{exec_path} { owner /var/lib/pacman/{,**} rwl, owner /tmp/alpm_*/{,**} rw, - owner /tmp/checkup-db-[0-9]*/sync/{,*.db.part} rw, + owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw, owner /tmp/checkup-db-[0-9]*/db.lck rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 755dcce4e..fb5607311 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -12,6 +12,7 @@ profile check-new-release-gtk @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 2b6c6da52..cdbd7e90f 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include + include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 0bea79d98..977553243 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -42,6 +42,7 @@ profile software-properties-dbus @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner /tmp/[a-z0-9]* rw, + owner /tmp/_[a-z0-9]* rw, owner /tmp/tmp*/{,apt.conf} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 63dec833f..09f9f4338 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -11,6 +11,7 @@ profile update-notifier @{exec_path} { include include include + include include include include 
@@ -18,6 +19,9 @@ profile update-notifier @{exec_path} { include include + dbus receive bus=session path=/org/ayatana/NotificationItem/* + member={GetLayout,GetGroupProperties,GetAll,AboutToShow}, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 37ef9d7a6..480b0d7c6 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -3,11 +3,13 @@ # Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Based on Libvirt Apparmor profile, it is largelly restricted from th +# Based on Libvirt Apparmor profile, it is largelly restricted from it. # As upstream profile mostly focus on confining the guests. Not libvirt itself. # It uses a lot of profiles provided by apparmor.d # Source: https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in +# Warning: Such a profile is limited as it gives access to a lot of resources. + abi , include @@ -213,9 +215,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/net_cls/machine.slice/ rw, @{sys}/fs/cgroup/net_cls/machine.slice/machine-qemu*.scope/{,**} rw, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/net/route r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/net/dev r, @@ -227,10 +227,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{PROC}/devices r, @{PROC}/mtrr w, @{PROC}/sys/net/ipv{4,6}/** rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/net/ip_tables_names r, /dev/dri/ r, /dev/hugepages/{,**} w, - /dev/kvm r, + /dev/kvm rw, /dev/mapper/ r, /dev/mapper/control rw, /dev/net/tun rw, @@ -268,5 +271,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/net/tun rw, } + include if exists include if exists } 
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index fc4013421..1ee6a8fe5 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -29,7 +29,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/{b,d}ash rix, + /{usr/,}bin/{b,d}ash rix, + /{usr/,}lib/gio-launch-desktop rix, /{usr/,}bin/blueman-tray rPx, /{usr/,}bin/xdg-open rCx -> open, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index f361e8df4..8a9d0c581 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -67,6 +67,7 @@ profile git @{exec_path} { /{usr/,}bin/man rPx, /{usr/,}bin/meld rPUx, /{usr/,}lib/code/extensions/git/dist/askpass.sh rPx, + /{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx, /usr/share/aurpublish/*.hook rPx, /{usr/,}bin/gpg rCx -> gpg, diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index 0241c5474..82139919d 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,10 +15,10 @@ profile glxinfo @{exec_path} { include include include + include capability sys_admin, - # Needed? - deny capability sys_nice, + audit capability sys_nice, @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index f0dd86d9d..db7feb06c 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
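Review bot: `/{usr/,}lib/gio-launch-desktop rix,` in blueman runs the launcher, and whatever it spawns, with blueman's own permissions, whereas this same patch series touches a dedicated gio-launch-desktop profile (apparmor.d/groups/gnome/gio-launch-desktop). If that profile's `@{exec_path}` matches this binary, `/{usr/,}lib/gio-launch-desktop rPx,` would keep launched applications out of blueman's profile, as the existing `/{usr/,}bin/xdg-open rCx -> open,` line already does for xdg-open. If inheritance is intended, a one-line comment saying so would stop the question from recurring.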
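Review bot: Replacing `deny capability sys_nice,` with `audit capability sys_nice,` in glxinfo changes the decision, not just the logging: `audit` without `deny` allows the capability and records each use, so glxinfo now gains CAP_SYS_NICE where it was previously refused. If the goal was only to learn whether the capability is really needed (the removed `# Needed?` comment suggests that), `audit deny capability sys_nice,` keeps the refusal while logging attempts. If granting it is intended, a comment stating why should replace the one removed.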
@@ -22,6 +22,10 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw, /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache w, + owner @{user_share_dirs}/** r, + owner @{user_share_dirs}/**/.icon-theme.cache rw, + owner @{user_share_dirs}/**/icon-theme.cache rw, + deny /apparmor/.null rw, include if exists diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index e3308c76a..6bcceaca1 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/lspci -profile lspci @{exec_path} { +profile lspci @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools index 5f7b20c99..862f6f03a 100644 --- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/profiles-m-r/mtools @@ -28,6 +28,8 @@ profile mtools @{exec_path} { owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, + owner /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk, + owner /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 5aaf88e65..1d5637212 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -9,9 +9,10 @@ include @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/snap profile snap @{exec_path} { include - include - include include + include + include + include @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index 767c76a40..791d716c9 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp 
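Review bot: `owner @{user_share_dirs}/** r,` in gtk-update-icon-cache grants read on the whole of the user's share directory, which is broader than the icon themes the tool rebuilds and wider than the two cache rules that follow it. If the caches are only written below icon directories, `owner @{user_share_dirs}/icons/** r,` plus the matching `owner @{user_share_dirs}/icons/**/{.icon-theme.cache,icon-theme.cache} rw,` forms would cover it — verify against the denial that prompted the change, since themes may be installed under other share subdirectories.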
@@ -22,9 +22,9 @@ profile snap-seccomp @{exec_path} { @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - deny @{user_share_dirs}/gvfs-metadata/* r, - owner @{PROC}/@{pids}/mountinfo r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 17d71d8b2..b3e3d27bf 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -15,6 +15,15 @@ profile spice-vdagent @{exec_path} { include include + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), + + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.gnome.Mutter.DisplayConfig + member=GetCurrentState, + @{exec_path} mr, /etc/pipewire/client.conf r, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index a529e7f3b..b365ced03 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -81,6 +81,7 @@ profile steam @{exec_path} { @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*driverquery rix, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fossilize_replay rPx, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui rpx, + @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/panorama/** rm, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper rpx, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam rix, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix, @@ -107,6 +108,9 @@ profile steam @{exec_path} { /{usr/,}lib{,32,64}/ r, /etc/ r, /home/ r, + /run/ r, + /usr/bin/ r, + /var/ r, owner @{HOME}/ r, owner @{HOME}/.local/ r, @@ -115,6 +119,8 @@ profile steam @{exec_path} { owner @{HOME}/.steampath rw, owner @{HOME}/.steampid rw, + owner @{user_games_dirs}/{,**} rwkl, + owner @{user_config_dirs}/ r, owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/unity3d/{,**} rwk, 
@@ -136,10 +142,11 @@ profile steam @{exec_path} { owner /tmp/dumps/ rw, owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw, - owner /tmp/sh-thd.* rw, - owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw, + owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, owner /tmp/miles_image_* mrw, owner /tmp/runtime-info.txt.* rw, + owner /tmp/sh-thd.* rw, + owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+sound* r, diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 3ea772b0d..a891ab7e7 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -25,7 +25,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -108,6 +107,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm, @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix, + @{user_games_dirs}/*/* mr, + @{user_games_dirs}/*/**.dll mr, + @{run}/host/usr/bin/ldconfig rix, @{run}/host/usr/lib{,32,64}/**.so* rm, @{run}/host/usr/bin/localedef rix, @@ -136,6 +138,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.steam/steam.pid r, owner @{HOME}/.steam/steam.pipe r, + owner @{user_games_dirs}/{,*/} r, + owner @{user_games_dirs}/*/{,**} rwkl, + owner @{user_config_dirs}/ r, owner @{user_config_dirs}/unity3d/{,**} rwk, 
@@ -151,7 +156,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/Steam/steamapps/common/*/ r, owner @{user_share_dirs}/Steam/steamapps/common/*/** rwkl, owner @{user_share_dirs}/Steam/steamapps/common/Proton*/files/share/{,**} r, - owner @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/{,**} rwk, + owner @{user_share_dirs}/Steam/steamapps/compatdata/{,**} rwk, owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk, owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw, @@ -161,6 +166,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner @{run}/pressure-vessel/{,**} rw, owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + owner @{run}/user/@{uid}/orcexec.* mrw, # gstreamer owner /dev/shm/#[0-9]* rw, owner /dev/shm/mono.* rw, @@ -206,12 +212,13 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/overflowuid r, @{PROC}/uptime r, @{PROC}/version r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/gid_map rw, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/setgroups rw, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, From a02e67d980ae829a4440224029c3b675603e3a66 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 Sep 2022 18:08:00 +0100 Subject: [PATCH 17/41] feat(profiles): askpass -> code-askpass. --- .../profiles-a-f/{askpass => code-askpass} | 4 ++-- apparmor.d/profiles-a-f/code-git-editor | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) rename apparmor.d/profiles-a-f/{askpass => code-askpass} (89%) create mode 100644 apparmor.d/profiles-a-f/code-git-editor 
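Review bot: `owner @{run}/user/@{uid}/orcexec.* mrw,` in the `@@ -161,6 +166,7 @@` hunk lets a file the process can write be mapped executable, which is the writable-and-executable pattern profiles otherwise avoid, and the trailing `# gstreamer` does not say why it is accepted. Expand the comment so the exception is deliberate and reviewable, e.g. `# gstreamer: liborc JIT backs generated code with this file, so w+m is required`, if that is indeed the source of the mapping. The steam-game profile body continues outside the hunk.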
diff --git a/apparmor.d/profiles-a-f/askpass b/apparmor.d/profiles-a-f/code-askpass similarity index 89% rename from apparmor.d/profiles-a-f/askpass rename to apparmor.d/profiles-a-f/code-askpass index 67938a929..cbcfd7b69 100644 --- a/apparmor.d/profiles-a-f/askpass +++ b/apparmor.d/profiles-a-f/code-askpass @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/code/extensions/git/dist/askpass.sh -profile askpass @{exec_path} { +profile code-askpass @{exec_path} { include network inet dgram, @@ -27,5 +27,5 @@ profile askpass @{exec_path} { /dev/tty rw, - include if exists + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/code-git-editor b/apparmor.d/profiles-a-f/code-git-editor new file mode 100644 index 000000000..c278becb6 --- /dev/null +++ b/apparmor.d/profiles-a-f/code-git-editor @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/code/extensions/git/dist/git-editor.sh +profile code-git-editor @{exec_path} { + include + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}lib/electron[0-9]*/electron rUx, + + include if exists +} \ No newline at end of file From 8ff571549a7c4bcb04bb8df3f532b833c38eddd2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 Sep 2022 18:09:05 +0100 Subject: [PATCH 18/41] feat(profiles): add gnome-extension-manager. --- .../groups/gnome/gnome-extension-manager | 37 +++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 38 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-extension-manager diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager new file mode 100644 index 000000000..b456a2e85 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-extension-manager 
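Review bot: `/{usr/,}lib/electron[0-9]*/electron rUx,` in the new code-git-editor profile executes electron unconfined, so the editor the git hook launches runs without any AppArmor restriction even though the wrapper script itself is confined. If the set attaches a profile to that electron path, `rPUx` would prefer it and only fall back to unconfined when none is loaded; otherwise a short comment above the rule stating why unconfined is accepted here would help the next reviewer. The whole profile is within the hunk.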
@@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/extension-manager +profile gnome-extension-manager @{exec_path} { + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /{usr/,}bin/gjs-console rix, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/gnome-shell/org.gnome.Shell.Extensions r, + /usr/share/X11/xkb/{,**} r, + + include if exists +} \ No newline at end of file diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 717b33b7b..908c127df 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -67,6 +67,7 @@ gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain gnome-disks complain +gnome-extension-manager complain gnome-music complain gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain From 060ea3acc94089e00e14c21b9062eab0b85a24bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 Sep 2022 18:21:56 +0100 Subject: [PATCH 19/41] feat(profiles): add archlinux-keyring-wkd-sync. --- .../groups/pacman/archlinux-keyring-wkd-sync | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 apparmor.d/groups/pacman/archlinux-keyring-wkd-sync diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync new file mode 100644 index 000000000..12254a2cc --- /dev/null +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync 
@@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/archlinux-keyring-wkd-sync +profile archlinux-keyring-wkd-sync @{exec_path} { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin/bash rix, + /{usr/,}bin/gpg rix, + /{usr/,}bin/pacman-conf rix, + /{usr/,}bin/dirmngr rix, + + /etc/pacman.conf r, + /etc/pacman.d/*-mirrorlist r, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/mirrorlist r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists +} \ No newline at end of file From 42f305b244c0cd360482f9d23133f6f1a7fedb56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 Sep 2022 18:23:11 +0100 Subject: [PATCH 20/41] feat(profiles): add XDG_GAMES_DIR and user_games_dirs variables. --- apparmor.d/tunables/xdg-user-dirs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/tunables/xdg-user-dirs b/apparmor.d/tunables/xdg-user-dirs index 98a55a7c1..c2719353c 100644 --- a/apparmor.d/tunables/xdg-user-dirs +++ b/apparmor.d/tunables/xdg-user-dirs @@ -26,6 +26,7 @@ @{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots" @{XDG_SYNC_DIR}="Sync" @{XDG_TORRENTS_DIR}="Torrents" +@{XDG_GAMES_DIR}=".games" @{XDG_VM_DIR}=".vm" @{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers" 
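Review bot: `/{usr/,}bin/gpg rix,` and `/{usr/,}bin/dirmngr rix,` run the key-fetching tools inside this profile, which is why the profile itself has to carry the inet/inet6 network rules and read-write access to `/etc/pacman.d/gnupg/`, while the script's own needs appear to be just awk, bash and pacman-conf. If the set already ships gpg and dirmngr profiles, transitioning with `rPx` (or `rPUx` to tolerate their absence) would keep the network access and keyring writes in the profiles built for those programs and may let this one drop its `network` lines. The whole archlinux-keyring-wkd-sync profile is within the hunk.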
@@ -55,6 +56,7 @@ @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} @{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} @{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} +@{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR} @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} @{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} From 205c2d71843ff016a918f3e31c9caec3805b8887 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 Sep 2022 14:59:18 +0100 Subject: [PATCH 21/41] feat(profiles): new children group. This group is reserved for profile without an attachment path because it is ended to be used only via "Px -> ". --- apparmor.d/{profiles-a-f => groups/children}/child-pager | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/{profiles-a-f => groups/children}/child-pager (100%) diff --git a/apparmor.d/profiles-a-f/child-pager b/apparmor.d/groups/children/child-pager similarity index 100% rename from apparmor.d/profiles-a-f/child-pager rename to apparmor.d/groups/children/child-pager From 9f2b68dd5dfcc2e80289fb41f27797daebc71d3c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 Sep 2022 14:59:54 +0100 Subject: [PATCH 22/41] feat(profiles): add ubuntu-advantage-desktop-daemon. --- .../ubuntu/ubuntu-advantage-desktop-daemon | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon new file mode 100644 index 000000000..cd8016de8 --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon 
@@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{libexec}/ubuntu-advantage-desktop-daemon +profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability sys_nice, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus receive bus=system path=/com/canonical/UbuntuAdvantage/Manager + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects, + + dbus bind bus=system + name=com.canonical.UbuntuAdvantage, + + @{exec_path} mr, + + include if exists +} \ No newline at end of file From 4bc84436d771290da44c96586c556d9fa63b56de Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 Sep 2022 15:06:03 +0100 Subject: [PATCH 23/41] doc: over 1400 profiles. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 59607f5ee..c42028b8a 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ ## Description -A set of over 1200 AppArmor profiles which aims is to confine most of Linux base +A set of over 1400 AppArmor profiles which aims is to confine most of Linux base applications and processes. **Goals & Purpose** @@ -212,7 +212,7 @@ is the process to recover your system on Archlinux: A full test suite to ensure compatibility across distributions and softwares is still a work in progress. -Here an overview of the current CI jobs: +Here is an overview of the current CI jobs: **On Gitlab CI** - Package build for all supported distribution From 768e50c6abe8e72264e3876e4904e6c6ab056244 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 28 Sep 2022 11:54:29 +0100 Subject: [PATCH 24/41] fix: remove not modified lxc rules. Fix #79 --- apparmor.d/abstractions/lxc/container-base | 225 ------------------ apparmor.d/abstractions/lxc/start-container | 50 ---- apparmor.d/profiles-g-l/lxc-containers | 7 - apparmor.d/profiles-g-l/lxc/lxc-default | 11 - apparmor.d/profiles-g-l/lxc/lxc-default-cgns | 13 - .../lxc/lxc-default-with-mounting | 14 -- .../profiles-g-l/lxc/lxc-default-with-nesting | 15 -- apparmor.d/profiles-s-z/usr.bin.lxc-start | 5 - 8 files changed, 340 deletions(-) delete mode 100644 apparmor.d/abstractions/lxc/container-base delete mode 100644 apparmor.d/abstractions/lxc/start-container delete mode 100644 apparmor.d/profiles-g-l/lxc-containers delete mode 100644 apparmor.d/profiles-g-l/lxc/lxc-default delete mode 100644 apparmor.d/profiles-g-l/lxc/lxc-default-cgns delete mode 100644 apparmor.d/profiles-g-l/lxc/lxc-default-with-mounting delete mode 100644 apparmor.d/profiles-g-l/lxc/lxc-default-with-nesting delete mode 100644 apparmor.d/profiles-s-z/usr.bin.lxc-start diff --git a/apparmor.d/abstractions/lxc/container-base b/apparmor.d/abstractions/lxc/container-base deleted file mode 100644 index a242aa424..000000000 --- a/apparmor.d/abstractions/lxc/container-base +++ /dev/null 
@@ -1,225 +0,0 @@ - network, - capability, - file, - umount, - - # dbus, signal, ptrace and unix are only supported by recent apparmor - # versions. Comment them if the apparmor parser doesn't recognize them. - - # This also needs additional rules to reach outside of the container via - # DBus, so just let all of DBus within the container. - dbus, - - # Allow us to receive signals from anywhere. Note: if per-container profiles - # are supported, for container isolation this should be changed to something - # like: - # signal (receive) peer=unconfined, - # signal (receive) peer=/usr/bin/lxc-start, - signal (receive), - - # Allow us to send signals to ourselves - signal peer=@{profile_name}, - - # Allow other processes to read our /proc entries, futexes, perf tracing and - # kcmp for now (they will need 'read' in the first place). Administrators can - # override with: - # deny ptrace (readby) ... - ptrace (readby), - - # Allow other processes to trace us by default (they will need 'trace' in - # the first place). Administrators can override with: - # deny ptrace (tracedby) ... - ptrace (tracedby), - - # Allow us to ptrace ourselves - ptrace peer=@{profile_name}, - - # Allow receive via unix sockets from anywhere. Note: if per-container - # profiles are supported, for container isolation this should be changed to - # something like: - # unix (receive) peer=(label=unconfined), - unix (receive), - - # Allow all unix in the container - unix peer=(label=@{profile_name}), - - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, - deny mount options=(ro, remount, silent) -> /, - - # allow tmpfs mounts everywhere - mount fstype=tmpfs, - - # allow hugetlbfs mounts everywhere - mount fstype=hugetlbfs, - - # allow mqueue mounts everywhere - mount fstype=mqueue, - - # allow fuse mounts everywhere - mount fstype=fuse, - mount fstype=fuse.*, - - # deny access under /proc/bus to avoid e.g. 
messing with pci devices directly - deny @{PROC}/bus/** wklx, - - # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted - mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, - deny @{PROC}/sys/fs/** wklx, - - # allow efivars to be mounted, writing to it will be blocked though - mount fstype=efivarfs -> /sys/firmware/efi/efivars/, - - # block some other dangerous paths - deny @{PROC}/kcore rwklx, - deny @{PROC}/sysrq-trigger rwklx, - deny @{PROC}/acpi/** rwklx, - - # deny writes in /sys except for /sys/fs/cgroup, also allow - # fusectl, securityfs and debugfs to be mounted there (read-only) - mount fstype=fusectl -> /sys/fs/fuse/connections/, - mount fstype=securityfs -> /sys/kernel/security/, - mount fstype=debugfs -> /sys/kernel/debug/, - deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, - mount fstype=proc -> /proc/, - mount fstype=sysfs -> /sys/, - mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, - deny /sys/firmware/efi/efivars/** rwklx, - deny /sys/kernel/security/** rwklx, - mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/, - - # deny reads from debugfs - deny /sys/kernel/debug/{,**} rwklx, - - # allow paths to be made slave, shared, private or unbindable - # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. 
-# mount options=(rw,make-slave) -> **, -# mount options=(rw,make-rslave) -> **, -# mount options=(rw,make-shared) -> **, -# mount options=(rw,make-rshared) -> **, -# mount options=(rw,make-private) -> **, -# mount options=(rw,make-rprivate) -> **, -# mount options=(rw,make-unbindable) -> **, -# mount options=(rw,make-runbindable) -> **, - - # allow bind-mounts of anything except /proc, /sys and /dev - mount options=(rw,bind) /[^spd]*{,/**}, - mount options=(rw,bind) /d[^e]*{,/**}, - mount options=(rw,bind) /de[^v]*{,/**}, - mount options=(rw,bind) /dev/.[^l]*{,/**}, - mount options=(rw,bind) /dev/.l[^x]*{,/**}, - mount options=(rw,bind) /dev/.lx[^c]*{,/**}, - mount options=(rw,bind) /dev/.lxc?*{,/**}, - mount options=(rw,bind) /dev/[^.]*{,/**}, - mount options=(rw,bind) /dev?*{,/**}, - mount options=(rw,bind) /p[^r]*{,/**}, - mount options=(rw,bind) /pr[^o]*{,/**}, - mount options=(rw,bind) /pro[^c]*{,/**}, - mount options=(rw,bind) /proc?*{,/**}, - mount options=(rw,bind) /s[^y]*{,/**}, - mount options=(rw,bind) /sy[^s]*{,/**}, - mount options=(rw,bind) /sys?*{,/**}, - - # allow various ro-bind-*re*-mounts - mount options=(ro,remount,bind), - mount options=(ro,remount,bind,nosuid), - mount options=(ro,remount,bind,noexec), - mount options=(ro,remount,bind,nodev), - mount options=(ro,remount,bind,nosuid,noexec), - mount options=(ro,remount,bind,noexec,nodev), - mount options=(ro,remount,bind,nodev,nosuid), - mount options=(ro,remount,bind,nosuid,noexec,nodev), - - # allow moving mounts except for /proc, /sys and /dev - mount options=(rw,move) /[^spd]*{,/**}, - mount options=(rw,move) /d[^e]*{,/**}, - mount options=(rw,move) /de[^v]*{,/**}, - mount options=(rw,move) /dev/.[^l]*{,/**}, - mount options=(rw,move) /dev/.l[^x]*{,/**}, - mount options=(rw,move) /dev/.lx[^c]*{,/**}, - mount options=(rw,move) /dev/.lxc?*{,/**}, - mount options=(rw,move) /dev/[^.]*{,/**}, - mount options=(rw,move) /dev?*{,/**}, - mount options=(rw,move) /p[^r]*{,/**}, - mount 
options=(rw,move) /pr[^o]*{,/**}, - mount options=(rw,move) /pro[^c]*{,/**}, - mount options=(rw,move) /proc?*{,/**}, - mount options=(rw,move) /s[^y]*{,/**}, - mount options=(rw,move) /sy[^s]*{,/**}, - mount options=(rw,move) /sys?*{,/**}, - # generated by: lxc-generate-aa-rules.py container-rules.base - deny /proc/sys/[^kn]*{,/**} wklx, - deny /proc/sys/k[^e]*{,/**} wklx, - deny /proc/sys/ke[^r]*{,/**} wklx, - deny /proc/sys/ker[^n]*{,/**} wklx, - deny /proc/sys/kern[^e]*{,/**} wklx, - deny /proc/sys/kerne[^l]*{,/**} wklx, - deny /proc/sys/kernel/[^smhd]*{,/**} wklx, - deny /proc/sys/kernel/d[^o]*{,/**} wklx, - deny /proc/sys/kernel/do[^m]*{,/**} wklx, - deny /proc/sys/kernel/dom[^a]*{,/**} wklx, - deny /proc/sys/kernel/doma[^i]*{,/**} wklx, - deny /proc/sys/kernel/domai[^n]*{,/**} wklx, - deny /proc/sys/kernel/domain[^n]*{,/**} wklx, - deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, - deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, - deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, - deny /proc/sys/kernel/domainname?*{,/**} wklx, - deny /proc/sys/kernel/h[^o]*{,/**} wklx, - deny /proc/sys/kernel/ho[^s]*{,/**} wklx, - deny /proc/sys/kernel/hos[^t]*{,/**} wklx, - deny /proc/sys/kernel/host[^n]*{,/**} wklx, - deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, - deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, - deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, - deny /proc/sys/kernel/hostname?*{,/**} wklx, - deny /proc/sys/kernel/m[^s]*{,/**} wklx, - deny /proc/sys/kernel/ms[^g]*{,/**} wklx, - deny /proc/sys/kernel/msg*/** wklx, - deny /proc/sys/kernel/s[^he]*{,/**} wklx, - deny /proc/sys/kernel/se[^m]*{,/**} wklx, - deny /proc/sys/kernel/sem*/** wklx, - deny /proc/sys/kernel/sh[^m]*{,/**} wklx, - deny /proc/sys/kernel/shm*/** wklx, - deny /proc/sys/kernel?*{,/**} wklx, - deny /proc/sys/n[^e]*{,/**} wklx, - deny /proc/sys/ne[^t]*{,/**} wklx, - deny /proc/sys/net?*{,/**} wklx, - deny /sys/[^fdc]*{,/**} wklx, - deny /sys/c[^l]*{,/**} wklx, - deny /sys/cl[^a]*{,/**} wklx, - deny 
/sys/cla[^s]*{,/**} wklx, - deny /sys/clas[^s]*{,/**} wklx, - deny /sys/class/[^n]*{,/**} wklx, - deny /sys/class/n[^e]*{,/**} wklx, - deny /sys/class/ne[^t]*{,/**} wklx, - deny /sys/class/net?*{,/**} wklx, - deny /sys/class?*{,/**} wklx, - deny /sys/d[^e]*{,/**} wklx, - deny /sys/de[^v]*{,/**} wklx, - deny /sys/dev[^i]*{,/**} wklx, - deny /sys/devi[^c]*{,/**} wklx, - deny /sys/devic[^e]*{,/**} wklx, - deny /sys/device[^s]*{,/**} wklx, - deny /sys/devices/[^v]*{,/**} wklx, - deny /sys/devices/v[^i]*{,/**} wklx, - deny /sys/devices/vi[^r]*{,/**} wklx, - deny /sys/devices/vir[^t]*{,/**} wklx, - deny /sys/devices/virt[^u]*{,/**} wklx, - deny /sys/devices/virtu[^a]*{,/**} wklx, - deny /sys/devices/virtua[^l]*{,/**} wklx, - deny /sys/devices/virtual/[^n]*{,/**} wklx, - deny /sys/devices/virtual/n[^e]*{,/**} wklx, - deny /sys/devices/virtual/ne[^t]*{,/**} wklx, - deny /sys/devices/virtual/net?*{,/**} wklx, - deny /sys/devices/virtual?*{,/**} wklx, - deny /sys/devices?*{,/**} wklx, - deny /sys/f[^s]*{,/**} wklx, - deny /sys/fs/[^c]*{,/**} wklx, - deny /sys/fs/c[^g]*{,/**} wklx, - deny /sys/fs/cg[^r]*{,/**} wklx, - deny /sys/fs/cgr[^o]*{,/**} wklx, - deny /sys/fs/cgro[^u]*{,/**} wklx, - deny /sys/fs/cgrou[^p]*{,/**} wklx, - deny /sys/fs/cgroup?*{,/**} wklx, - deny /sys/fs?*{,/**} wklx, diff --git a/apparmor.d/abstractions/lxc/start-container b/apparmor.d/abstractions/lxc/start-container deleted file mode 100644 index 9e2e8f2ec..000000000 --- a/apparmor.d/abstractions/lxc/start-container +++ /dev/null 
@@ -1,50 +0,0 @@ - network, - capability, - file, - - # The following 3 entries are only supported by recent apparmor versions. - # Comment them if the apparmor parser doesn't recognize them. - dbus, - signal, - ptrace, - - # currently blocked by apparmor bug - mount -> /usr/lib*/*/lxc/{**,}, - mount -> /usr/lib*/lxc/{**,}, - mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**}, - mount fstype=devpts -> /dev/pts/, - mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/, - mount options=bind /dev/pts/** -> /dev/**, - mount options=(rw, make-slave) -> **, - mount options=(rw, make-rslave) -> **, - mount fstype=debugfs, - # allow pre-mount hooks to stage mounts under /var/lib/lxc// - mount -> /var/lib/lxc/{**,}, - - mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, - mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, - - # required for some pre-mount hooks - mount fstype=overlayfs, - mount fstype=aufs, - mount fstype=ecryptfs, - - # all umounts are under the original root's /mnt, but right now we - # can't allow those umounts after pivot_root. So allow all umounts - # right now. They'll be restricted for the container at least. - umount, - #umount /mnt/{**,}, - - # This may look a bit redundant, however it appears we need all of - # them if we want things to work properly on all combinations of kernel - # and userspace parser... - pivot_root /usr/lib*/lxc/, - pivot_root /usr/lib*/*/lxc/, - pivot_root /usr/lib*/lxc/**, - pivot_root /usr/lib*/*/lxc/**, - pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**}, - - change_profile -> lxc-*, - change_profile -> lxc-**, - change_profile -> unconfined, - change_profile -> :lxc-*:unconfined, diff --git a/apparmor.d/profiles-g-l/lxc-containers b/apparmor.d/profiles-g-l/lxc-containers deleted file mode 100644 index 4e94d77e8..000000000 --- a/apparmor.d/profiles-g-l/lxc-containers +++ /dev/null 
@@ -1,7 +0,0 @@ -# This file exists only to ensure that all per-container policies -# listed under /etc/apparmor.d/lxc get loaded at boot. Please do -# not edit this file. - -include - -include diff --git a/apparmor.d/profiles-g-l/lxc/lxc-default b/apparmor.d/profiles-g-l/lxc/lxc-default deleted file mode 100644 index 266edc196..000000000 --- a/apparmor.d/profiles-g-l/lxc/lxc-default +++ /dev/null @@ -1,11 +0,0 @@ -# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which -# will source all profiles under /etc/apparmor.d/lxc - -profile lxc-container-default flags=(attach_disconnected,mediate_deleted) { - include - - # the container may never be allowed to mount devpts. If it does, it - # will remount the host's devpts. We could allow it to do it with - # the newinstance option (but, right now, we don't). - deny mount fstype=devpts, -} diff --git a/apparmor.d/profiles-g-l/lxc/lxc-default-cgns b/apparmor.d/profiles-g-l/lxc/lxc-default-cgns deleted file mode 100644 index d582a407d..000000000 --- a/apparmor.d/profiles-g-l/lxc/lxc-default-cgns +++ /dev/null @@ -1,13 +0,0 @@ -# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which -# will source all profiles under /etc/apparmor.d/lxc - -profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) { - include - - # the container may never be allowed to mount devpts. If it does, it - # will remount the host's devpts. We could allow it to do it with - # the newinstance option (but, right now, we don't). - deny mount fstype=devpts, - mount fstype=cgroup -> /sys/fs/cgroup/**, - mount fstype=cgroup2 -> /sys/fs/cgroup/**, -} diff --git a/apparmor.d/profiles-g-l/lxc/lxc-default-with-mounting b/apparmor.d/profiles-g-l/lxc/lxc-default-with-mounting deleted file mode 100644 index 7b5db2ca1..000000000 --- a/apparmor.d/profiles-g-l/lxc/lxc-default-with-mounting +++ /dev/null 
@@ -1,14 +0,0 @@ -# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which -# will source all profiles under /etc/apparmor.d/lxc - -profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) { - include - -# allow standard blockdevtypes. -# The concern here is in-kernel superblock parsers bringing down the -# host with bad data. However, we continue to disallow proc, sys, securityfs, -# etc to nonstandard locations. - mount fstype=ext*, - mount fstype=xfs, - mount fstype=btrfs, -} diff --git a/apparmor.d/profiles-g-l/lxc/lxc-default-with-nesting b/apparmor.d/profiles-g-l/lxc/lxc-default-with-nesting deleted file mode 100644 index 25e3feffc..000000000 --- a/apparmor.d/profiles-g-l/lxc/lxc-default-with-nesting +++ /dev/null @@ -1,15 +0,0 @@ -# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which -# will source all profiles under /etc/apparmor.d/lxc - -profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) { - include - include - - deny /dev/.lxc/proc/** rw, - deny /dev/.lxc/sys/** rw, - mount fstype=proc -> /var/cache/lxc/**, - mount fstype=sysfs -> /var/cache/lxc/**, - mount options=(rw,bind), - mount fstype=cgroup -> /sys/fs/cgroup/**, - mount fstype=cgroup2 -> /sys/fs/cgroup/**, -} diff --git a/apparmor.d/profiles-s-z/usr.bin.lxc-start b/apparmor.d/profiles-s-z/usr.bin.lxc-start deleted file mode 100644 index e9fdd43b6..000000000 --- a/apparmor.d/profiles-s-z/usr.bin.lxc-start +++ /dev/null @@ -1,5 +0,0 @@ -include - -profile lxc-start /usr/bin/lxc-start flags=(attach_disconnected) { - include -} From 5580a34184750da4d9fe0560b915b0ff45bfb988 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 1 Oct 2022 18:38:29 +0100 Subject: [PATCH 25/41] refactor: move chrome-gnome-shell to the gnome group. --- apparmor.d/groups/{browsers => gnome}/chrome-gnome-shell | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/groups/{browsers => gnome}/chrome-gnome-shell (100%) diff --git a/apparmor.d/groups/browsers/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell similarity index 100% rename from apparmor.d/groups/browsers/chrome-gnome-shell rename to apparmor.d/groups/gnome/chrome-gnome-shell From 79cd5f09f797b37f83ef8288135dcea6f0169230 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Oct 2022 18:39:20 +0100 Subject: [PATCH 26/41] ci: show number of profile loaded. --- .github/workflows/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0d36ff978..6ad274f63 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -31,3 +31,6 @@ jobs: - name: Show AppArmor log run: sudo aa-log + + - name: Show Number of loaded profile + run: sudo aa-status --profiled From 4681a495b3c79f165d3c5b0bd317cefdc160a034 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 1 Oct 2022 18:45:08 +0100 Subject: [PATCH 27/41] feat(profiles): general update. --- .../groups/freedesktop/plymouth-set-default-theme | 9 +++++---- apparmor.d/groups/freedesktop/plymouthd | 4 ++++ .../groups/freedesktop/xdg-desktop-portal-gnome | 1 + apparmor.d/groups/gnome/gnome-control-center | 1 + apparmor.d/groups/gnome/gnome-shell | 2 ++ apparmor.d/groups/gnome/tracker-extract | 2 ++ apparmor.d/groups/network/networkd-dispatcher | 5 +++++ apparmor.d/groups/pacman/pacman-conf | 3 --- apparmor.d/groups/systemd/systemd-hwdb | 4 ++-- apparmor.d/groups/systemd/systemd-rfkill | 11 +++++------ apparmor.d/groups/systemd/systemd-timesyncd | 5 +++++ apparmor.d/groups/systemd/systemd-udevd | 10 ++++++---- apparmor.d/profiles-a-f/blkdeactivate | 15 +++++++++------ apparmor.d/profiles-a-f/flatpak-system-helper | 4 ++++ apparmor.d/profiles-a-f/losetup | 1 + apparmor.d/profiles-m-r/mandb | 4 ++-- apparmor.d/profiles-m-r/mtools | 4 ++-- apparmor.d/profiles-m-r/pacmd | 6 +++++- apparmor.d/profiles-m-r/pactl | 7 +++++-- apparmor.d/profiles-m-r/pass-import | 6 ++++++ apparmor.d/profiles-m-r/run-parts | 4 +++- apparmor.d/profiles-s-z/steam-gameoverlayui | 1 + 22 files changed, 76 insertions(+), 33 deletions(-) diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index abf116a41..8eabdeeee 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -7,14 +7,15 @@ abi , include @{exec_path} = /{usr/,}bin/plymouth-set-default-theme -profile plymouth-set-default-theme @{exec_path} { +profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/plymouth rPx, + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/plymouth rPx, + /{usr/,}bin/{,ba,da}sh rix, /etc/plymouth/{,*} r, 
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index b1e1d39d8..9c702149d 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -30,6 +30,10 @@ profile plymouthd @{exec_path} { /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, + /var/lib/plymouth/{,**} rw, + + @{run}/plymouth/{,**} rw, + @{run}/udev/data/+drm:* r, @{run}/udev/data/c226:* r, @{run}/udev/data/c29:* r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 611f2e2b2..96471bdb5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -18,6 +18,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include + include dbus send bus=system path=/org/freedesktop/Accounts/User[0-9]* interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index a8789538f..c6ea079e8 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -123,6 +123,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/input/ r, @{sys}/devices/**/{name,vendor,product,uevent} r, + @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/system/cpu/possible r, @{sys}/devices/virtual/**/uevent r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f6931ba90..de80727b8 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -22,6 +22,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include 
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 938d6f331..a8ce89742 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -24,6 +24,7 @@ profile tracker-extract @{exec_path} { @{exec_path} mr, /usr/share/applications/*.desktop r, + /usr/share/applications/mimeinfo.cache r, /usr/share/dconf/profile/gdm r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/hwdata/*.ids r, @@ -40,6 +41,7 @@ profile tracker-extract @{exec_path} { /var/lib/gdm{3,}/.cache/tracker3/{,**} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, + /var/lib/flatpak/exports/share/applications/mimeinfo.cache r, /var/lib/snapd/desktop/applications/*.desktop r, # Allow to search user files diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index be5b456ee..c7ead87f0 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -13,6 +13,11 @@ profile networkd-dispatcher @{exec_path} { include include + dbus receive bus=system path=/org/freedesktop/network1/link/* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*), + @{exec_path} mr, /{usr/,}bin/ r, diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index 517637e3d..f99affdd4 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -11,9 +11,6 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { include include - network inet stream, - network inet6 stream, - @{exec_path} mr, /etc/pacman.conf r, diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 6c3a80cf7..86b063f9b 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb 
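Review bot: The new `dbus receive ... member=PropertiesChanged` rule in the networkd-dispatcher hunk uses `peer=(name=:*)`, which matches any unique connection name and so effectively does not restrict who may deliver the signal. If the set has a profile for systemd-networkd, the expected sender of `/org/freedesktop/network1/link/*` property changes, a label match such as `peer=(label=systemd-networkd),` pins the sender; otherwise a comment noting that the peer is intentionally unrestricted would make the choice explicit. The networkd-dispatcher profile body continues outside the hunk.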
@@ -13,8 +13,8 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/lib/udev/.#hwdb.bin[0-9a-zA-Z]* w, - /usr/lib/udev/hwdb.bin w, + /{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w, + /{usr/,}lib/udev/hwdb.bin w, /etc/udev/hwdb.d/{,*} r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index acbb572e4..b4c252ecb 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -19,15 +19,14 @@ profile systemd-rfkill @{exec_path} { @{exec_path} mr, - /dev/rfkill rw, - - @{sys}/devices/**/rfkill[0-9]*/{uevent,name} r, - /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, + @{sys}/devices/**/rfkill[0-9]*/{uevent,name} r, + + /dev/rfkill rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index f8663cb31..df4dd41ce 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -21,6 +21,11 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + dbus bind bus=system name=org.freedesktop.timesync1, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 54adc87e8..4fdd42e05 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd 
@@ -37,15 +37,17 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/perl rix, + /{usr/,}bin/{,e}grep rix, /{usr/,}bin/chgrp rix, /{usr/,}bin/chmod rix, - /{usr/,}bin/setfacl rix, + /{usr/,}bin/ln rix, /{usr/,}bin/logger rix, /{usr/,}bin/nohup rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/ln rix, + /{usr/,}bin/perl rix, /{usr/,}bin/readlink rix, + /{usr/,}bin/setfacl rix, + /{usr/,}bin/unshare rix, + /{usr/,}bin/snap rPx, /{usr/,}{s,}bin/* rPUx, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index 7f6de8b2e..149bbbd24 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,12 +13,14 @@ profile blkdeactivate @{exec_path} flags=(complain) { include @{exec_path} rm, - /{usr/,}{s,}bin/dmsetup rPUx, - /{usr/,}bin/grep rix, - /{usr/,}bin/lsblk rPx, - /{usr/,}{s,}bin/lvm rPx, - /{usr/,}bin/sort rix, - /{usr/,}bin/umount rPx, + + /{usr/,}{s,}bin/multipathd rPx, + /{usr/,}{s,}bin/dmsetup rPUx, + /{usr/,}{s,}bin/lvm rPx, + /{usr/,}bin/grep rix, + /{usr/,}bin/lsblk rPx, + /{usr/,}bin/sort rix, + /{usr/,}bin/umount rPx, @{sys}/devices/virtual/block/*/holders/ r, diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index 0d507eccc..7e9cd9e18 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -19,6 +19,9 @@ profile flatpak-system-helper @{exec_path} { capability setgid, capability setuid, capability sys_nice, + capability sys_ptrace, + + ptrace (read), @{exec_path} mr, 
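Review bot: In the flatpak-system-helper hunk, `ptrace (read),` has no `peer=` qualifier, so together with the new `capability sys_ptrace,` it permits reading the state of any process on the system rather than only the client the helper is serving. The related file rule in the follow-up hunk (`owner @{PROC}/@{pid}/stat r,`) does not show which peer is inspected, so the minimal scope cannot be derived from the patch. If the helper only examines its D-Bus caller, a `peer=` restriction, or at least a comment above the rule such as `# Reads /proc/<pid>/stat of the calling client — confirm peer`, would keep the grant reviewable. The profile body continues outside the hunk.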
@@ -40,6 +43,7 @@ profile flatpak-system-helper @{exec_path} { owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, profile gpg { include diff --git a/apparmor.d/profiles-a-f/losetup b/apparmor.d/profiles-a-f/losetup index 41a5958e5..b1f8a162e 100644 --- a/apparmor.d/profiles-a-f/losetup +++ b/apparmor.d/profiles-a-f/losetup @@ -17,6 +17,7 @@ profile losetup @{exec_path} { @{exec_path} mr, + @{sys}/devices/**/usb[0-9]/{,**} r, @{sys}/devices/system/cpu/possible r, /dev/loop-control rw, diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index c2b04c096..764778e18 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -27,8 +27,8 @@ profile mandb @{exec_path} flags=(complain) { /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, - /usr/{,/share}/man/{,**} r, - /usr/local/{,/share/}/man/{,**} r, + /usr/{,share/}man/{,**} r, + /usr/local/{,share/}man/{,**} r, /usr/share/**/man/man[0-9]*/*.[0-9]*.gz r, diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools index 862f6f03a..c0a59bcf1 100644 --- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/profiles-m-r/mtools @@ -28,8 +28,8 @@ profile mtools @{exec_path} { owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk, owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk, owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk, - owner /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk, - owner /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, + /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk, + /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk, include if exists } diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd index 5a8ab571c..cd4cf7f10 100644 --- a/apparmor.d/profiles-m-r/pacmd +++ b/apparmor.d/profiles-m-r/pacmd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
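Review bot: The mtools hunk drops the `owner` qualifier from the two `/dev/shm/*/**.{iso,img,bin,mdf,nrg}` rules, so the confined mtools may now open, write and lock image files in /dev/shm that belong to other users, limited only by DAC. The sibling `@{HOME}` and `@{MOUNTS}` rules in the same hunk keep `owner`, so the asymmetry reads like an accident rather than a requirement. If a non-owned path under /dev/shm is genuinely needed, a one-line comment naming that case would justify it; otherwise `owner /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk,` should be restored.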
@@ -13,12 +14,15 @@ profile pacmd @{exec_path} { include #capability sys_ptrace, + ptrace peer=pulseaudio, ptrace (read) peer=pipewire, signal (send) peer=pulseaudio, - /{usr/,}bin/pacmd mr, + @{exec_path} mr, + + /app/lib/libzypak*.so* mr, owner @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index 075381592..c1f552af4 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,16 +10,18 @@ include @{exec_path} = /{usr/,}bin/pactl profile pactl @{exec_path} { include - include include + include @{exec_path} mr, - owner @{HOME}/.Xauthority r, + /app/lib/libzypak*.so* mr, /var/lib/dbus/machine-id r, /etc/machine-id r, + owner @{HOME}/.Xauthority r, + owner @{user_config_dirs}/pulse/ rw, # file_inherit diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index c02d9d370..76b653e50 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -11,6 +11,12 @@ profile pass-import @{exec_path} { include include include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index de6c971e7..e0654836c 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -15,7 +15,8 @@ profile run-parts @{exec_path} { @{exec_path} mr, - /usr/share/update-notifier/notify-reboot-required rPx, + /usr/share/update-notifier/notify-reboot-required rPx, + /usr/share/update-notifier/notify-updates-outdated rPx, # Crontrab /etc/cron.{hourly,daily,weekly,monthly}/ r, 
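Review bot: In the pacmd hunk, `ptrace peer=pulseaudio,` carries no access list, which in AppArmor grants every ptrace permission (read, trace, readby, tracedby) towards pulseaudio, whereas the existing line directly below scopes pipewire to `ptrace (read) peer=pipewire,`. Unless pacmd actually attaches to the daemon, `ptrace (read) peer=pulseaudio,` would match the pipewire rule and limit the grant to what `/proc` inspection needs. The profile body continues outside the hunk.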
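Review bot: The pass-import hunk adds unrestricted IPv4 and IPv6 stream and datagram networking to a tool whose job is handling exported password stores, and nothing in the hunk records which importer needs it. A comment above the `network` lines naming the use case (for example `# Needed by importers that fetch from a remote service — TODO name them`) would let a reader judge whether network activity from this profile is expected on their system. The profile body continues outside the hunk.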
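Review bot: The run-parts hunk adds `/usr/share/update-notifier/notify-updates-outdated rPx,` and the later hunk `@@ -133,6 +134,7 @@` of the same profile adds the identical rule a second time. AppArmor merges duplicate rules, so nothing breaks, but one of the two lines should be dropped so the profile has a single place for this transition. The profile body continues outside both hunks.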
@@ -133,6 +134,7 @@ profile run-parts @{exec_path} { /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot rPx, /{usr/,}lib/update-notifier/update-motd-reboot-required rix, /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, + /usr/share/update-notifier/notify-updates-outdated rPx, / r, /etc/default/motd-news r, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index 659d63ee5..a8b7a7bea 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -36,6 +36,7 @@ profile steam-gameoverlayui @{exec_path} { owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw, owner @{user_share_dirs}/Steam/public/* rk, owner @{user_share_dirs}/Steam/resource/{,**} rk, + owner @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fontconfig/{,**} rw, owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, From 7c3fcf260ceb13bab0936c22c118d7b745ec8582 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Oct 2022 18:46:32 +0100 Subject: [PATCH 28/41] feat(profiles): add systemd-id128. --- apparmor.d/groups/systemd/systemd-id128 | 20 ++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 21 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-id128 diff --git a/apparmor.d/groups/systemd/systemd-id128 b/apparmor.d/groups/systemd/systemd-id128 new file mode 100644 index 000000000..34e44382d --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-id128 @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/systemd-id128 +profile systemd-id128 @{exec_path} { + include + + @{exec_path} mr, + + /etc/machine-id r, + + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} 
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 908c127df..5c751c8fb 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -171,6 +171,7 @@ systemd-environment-d-generator complain systemd-escape complain systemd-hostnamed attach_disconnected,complain systemd-hwdb attach_disconnected,complain +systemd-id128 complain systemd-localed attach_disconnected,complain systemd-logind attach_disconnected,complain systemd-machine-id-setup complain From 65bf8278bcec0f715561ab5ac40e1135c67dc2ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Oct 2022 18:47:49 +0100 Subject: [PATCH 29/41] feat(profiles): add gnome-browser-connector-host. --- .../groups/gnome/gnome-browser-connector-host | 27 +++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 28 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-browser-connector-host diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host new file mode 100644 index 000000000..abc4601b9 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/gnome-browser-connector-host +profile gnome-browser-connector-host @{exec_path} { + include + include + include + + @{exec_path} mr, + + /{usr/,}bin/env rix, + /{usr/,}bin/python3.[0-9]* rix, + + /{usr/,}lib/python3.[0-9]*/site-packages/gnome_browser_connector/__pycache__/{,**} rw, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} \ No newline at end of file diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5c751c8fb..2b95c34b5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
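Review bot: In the new gnome-browser-connector-host profile, `/{usr/,}lib/python3.[0-9]*/site-packages/gnome_browser_connector/__pycache__/{,**} rw,` grants write access into the system-wide bytecode cache of a package that every user launching the host imports. On a normal install that directory is root-owned so DAC blocks the write anyway, which means the `w` is only exercised on a misconfigured system, where it would let a per-user host replace code run by other users. Granting `r` and adding `deny ... w` for the same path would silence the expected rejections without widening the policy, and Python silently skips writing the cache when it is not permitted, so the host keeps working. The file also lacks a trailing newline (`\ No newline at end of file`).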
@@ -63,6 +63,7 @@ gdm-x-session attach_disconnected,complain gdm-xsession complain git complain glib-compile-resources complain +gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain From 1a73271a1acf1505ebf8f0e7b0fedcc5283e19cc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Oct 2022 18:53:11 +0100 Subject: [PATCH 30/41] feat(profiles): add localectl. --- apparmor.d/groups/systemd/localectl | 23 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 24 insertions(+) create mode 100644 apparmor.d/groups/systemd/localectl diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl new file mode 100644 index 000000000..68171dd85 --- /dev/null +++ b/apparmor.d/groups/systemd/localectl @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/localectl +profile localectl @{exec_path} { + include + include + + @{exec_path} mr, + + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + + /usr/share/kbd/keymaps/{,**} r, + + include if exists +} \ No newline at end of file diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2b95c34b5..d05d22828 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -94,6 +94,7 @@ lastlog complain libvirt-dbus complain libvirtd attach_disconnected,complain locale-gen complain +localectl complain login complain lvm complain lvmconfig complain From 39740f93690ce293832132da8ba31404019b2ae2 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 1 Oct 2022 18:56:02 +0100 Subject: [PATCH 31/41] feat(profiles): add systemd-dissect. --- apparmor.d/groups/systemd/systemd-dissect | 44 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 45 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-dissect diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect new file mode 100644 index 000000000..61696e1f6 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/systemd-dissect +profile systemd-dissect @{exec_path} { + include + + capability dac_read_search, + capability sys_admin, + capability sys_resource, + + mount options=(rw, rslave) -> /, + mount options=(rw, nodev) -> /mnt/*/, + + @{exec_path} mr, + + /{usr/,}bin/fsck rPx, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, + + # Location of file system OS images + @{user_build_dirs}/{,**} r, + @{user_pkg_dirs}/{,**} r, + @{user_projects_dirs}/{,**} r, + @{user_vm_dirs}/{,**} r, + + owner /tmp/dissect-*/{,**} rw, + + @{sys}/devices/virtual/block/loop[0-9]*/{,**} r, + @{sys}/kernel/uevent_seqnum r, + + @{PROC}/@{pids}/cgroup r, + + /dev/loop-control rwk, + /dev/loop* rwk, + + include if exists +} diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d05d22828..58916ada8 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -169,6 +169,7 @@ systemd-binfmt attach_disconnected,complain systemd-cgls complain systemd-cgtop complain systemd-coredump attach_disconnected,complain +systemd-dissect complain systemd-environment-d-generator complain systemd-escape complain systemd-hostnamed attach_disconnected,complain 
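Review bot: In the new systemd-dissect profile, `/dev/loop* rwk,` also matches `/dev/loop-control`, so the separate `/dev/loop-control rwk,` line directly above is subsumed; `/dev/loop[0-9]* rwk,` would keep the two rules distinct. The two `mount` rules (`options=(rw, rslave) -> /` and `options=(rw, nodev) -> /mnt/*/`) together with `capability sys_admin,` are the powerful part of this profile and carry no comment; a line such as `# Presumably: make / rslave and mount image partitions below /mnt/ — confirm` above them would help a reader check them against dissect's behaviour. The same patch lists the profile as complain in main.flags, so denials will only be logged until that flag is removed.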
From e7d73243afafd30494fb22c525a684dd058ece96 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Oct 2022 19:04:35 +0100 Subject: [PATCH 32/41] refactor: move child-systemctl the children group. --- apparmor.d/groups/{systemd => children}/child-systemctl | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/groups/{systemd => children}/child-systemctl (100%) diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/children/child-systemctl similarity index 100% rename from apparmor.d/groups/systemd/child-systemctl rename to apparmor.d/groups/children/child-systemctl From 7d3c52036b13cc2b26d7f22009519e02a65b48ab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Oct 2022 19:05:44 +0100 Subject: [PATCH 33/41] feat(profiles): add child-open. --- apparmor.d/groups/children/child-open | 75 +++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 76 insertions(+) create mode 100644 apparmor.d/groups/children/child-open diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open new file mode 100644 index 000000000..280a1058c --- /dev/null +++ b/apparmor.d/groups/children/child-open 
@@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> child-open-X" exec transitions +# from other profiles. + +# Instead of allowing the run of all software in /{usr/,}bin/, the purpose of +# this profile is to list all GUI program that can open resources. + +# Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail +# should be present here. Until this day, this profile will be a controlled mess. + +abi , + +include + +# App allowed to open +profile child-open { + include + include + + /{usr/,}bin/exo-open mr, + /{usr/,}bin/xdg-open mr, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + /{usr/,}lib/gio-launch-desktop mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,m,g}awk rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/readlink rix, + + # Sandbox managers + /{usr/,}bin/firejail rPUx, + /{usr/,}bin/flatpak rPUx, + /{usr/,}bin/snap rPUx, + + # Browsers + /{usr/,}bin/chromium rPx, + /{usr/,}bin/firefox rPx, + /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx, + /{usr/,}lib/chromium/chromium rPx, + /opt/brave.com/brave{,-beta,-dev}/brave{,-beta,-dev} rPx, + /opt/google/chrome{,-beta,-unstable}/chrome{,-beta,-unstable} rPx, + + # Text editors + /{usr/,}bin/code rPx, + /{usr/,}bin/gedit rPUx, + /usr/share/code/{bin/,}code rPx, + + # Others + /{usr/,}bin/discord{,-ptb} rPx, + /{usr/,}bin/draw.io rPUx, + /{usr/,}bin/dropbox rPx, + /{usr/,}bin/engrampa rPx, + /{usr/,}bin/evince rPx, + /{usr/,}bin/filezilla rPx, + /{usr/,}bin/flameshot rPx, + /{usr/,}bin/geany rPx, + /{usr/,}bin/okular rPx, + /{usr/,}bin/qbittorrent rPx, + /{usr/,}bin/qpdfview rPx, + /{usr/,}bin/smplayer rPx, + /{usr/,}bin/spacefm rPx, + /{usr/,}bin/telegram-desktop rPx, + /{usr/,}bin/thunderbird rPx, + /{usr/,}bin/transmission-gtk rPx, + 
/{usr/,}bin/viewnior rPUx, + /{usr/,}bin/vlc rPx, + /{usr/,}bin/xarchiver rPx, + + include if exists + include if exists +} diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 58916ada8..cc51e5dd2 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -17,6 +17,7 @@ avahi-set-host-name complain busctl complain cfdisk complain cgdisk complain +child-open complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure complain From b29f9675ebb9967dad64d9949d5fd9a4a01f1ace Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Oct 2022 19:08:15 +0100 Subject: [PATCH 34/41] feat(profiles): browser - add child-open integration & cleanup. --- apparmor.d/groups/browsers/brave | 165 +++++++----------- apparmor.d/groups/browsers/brave-browser | 13 +- apparmor.d/groups/browsers/chromium-chromium | 26 +-- apparmor.d/groups/browsers/firefox | 60 +------ .../groups/browsers/google-chrome-chrome | 129 +++++--------- apparmor.d/groups/browsers/opera | 123 +++++-------- 6 files changed, 159 insertions(+), 357 deletions(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 100dfc9ca..7eecfb995 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,19 +14,19 @@ include @{exec_path} = @{BRAVE_INSTALLDIR}/brave{,-beta,-dev} profile brave @{exec_path} { include + include + include include include - include - include - include - include include + include + include + include include - include - include include + include include - include + include capability sys_ptrace, 
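Review bot: The sandbox-manager entries in the new child-open profile (`/{usr/,}bin/firejail rPUx,`, `/{usr/,}bin/flatpak rPUx,`, `/{usr/,}bin/snap rPUx,`) use `PUx`, which runs the target unconfined whenever no profile for it is loaded, so the programs the header says should ultimately be the only ones here have the weakest transition in the list. If the repository ships profiles for them (not visible in this patch), `rPx` would turn a missing profile into a visible failure instead of a silent unconfined exec. The header comment also says the profile is reached via `Px -> child-open-X` while the profile is named `child-open`; `intended to be used only via "Px -> child-open" exec transitions` matches the rules the browser profiles gain later in this series, and `Ultimatelly` should read `Ultimately`.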
@@ -40,44 +41,41 @@ profile brave @{exec_path} { @{BRAVE_INSTALLDIR}/swiftshader/libEGL.so mr, # When installing/removing extensions - /{usr/,}bin/basename rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/cat rix, /{usr/,}bin/{,e}grep rix, - - /etc/opt/chrome/ r, - deny /etc/opt/chrome/ w, - - # For "brave --help" - /{usr/,}bin/man rPUx, + /{usr/,}bin/basename rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/touch rix, # For storing passwords externally /{usr/,}bin/keepassxc-proxy rPUx, + /{usr/,}bin/browserpass rPx, - /{usr/,}bin/lsb_release rPx -> lsb_release, - - # no new privs - #deny /{usr/,}bin/xdg-desktop-menu rx, - - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/man rPUx, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/xdg-open rPx -> child-open, /{usr/,}bin/xdg-settings rPx, /{usr/,}bin/xdg-mime rPx, /usr/share/chromium/extensions/ r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /etc/fstab r, + /etc/opt/chrome/ r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, owner @{HOME}/ r, owner @{user_config_dirs}/BraveSoftware/ w, owner @{BRAVE_HOMEDIR}/ rw, owner @{BRAVE_HOMEDIR}/** rwk, - # For Widevine plugin owner @{BRAVE_HOMEDIR}/WidevineCdm/libwidevinecdm.so mrw, - # Cache files owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/BraveSoftware/ rw, owner @{BRAVE_CACHEDIR}/{,**/} rw, 
@@ -85,43 +83,36 @@ profile brave @{exec_path} { owner @{BRAVE_CACHEDIR}/*/**/[a-f0-9]*_? rw, owner @{BRAVE_CACHEDIR}/*/**/todelete_* rw, - # For importing data (bookmarks, cookies, etc) from Firefox - owner @{HOME}/.mozilla/firefox/profiles.ini r, - owner @{HOME}/.mozilla/firefox/*/ r, - owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, - owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, - owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, - owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, - owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, - owner @{HOME}/.mozilla/firefox/*/logins.json r, - # For importing data from Chromium - owner "@{user_config_dirs}/chromium/Local State" r, - owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w, - owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk, - owner @{user_config_dirs}/chromium/*/ r, - owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, - /etc/fstab r, + # For importing data (bookmarks, cookies, etc) from Firefox + # owner @{HOME}/.mozilla/firefox/profiles.ini r, + # owner @{HOME}/.mozilla/firefox/*/ r, + # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, + # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, + # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, + # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, + # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + # owner @{HOME}/.mozilla/firefox/*/logins.json r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + # For importing data (bookmarks, cookies, etc) from Chromium + # owner "@{user_config_dirs}/chromium/Local State" r, + # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w, + # owner 
"@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk, + # owner @{user_config_dirs}/chromium/*/ r, + # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, + + owner /tmp/net-export/ rw, # For brave://net-export/ - # Needed or Brave crash with the following error: - # illegal hardware instruction @{PROC}/ r, - # deny @{PROC}/vmstat r, deny @{PROC}/stat r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/@{pid}/fd/ r, deny @{PROC}/@{pids}/stat r, deny @{PROC}/@{pids}/statm r, - # To remove the following error: - # Failed to adjust OOM score of renderer with pid : Permission denied - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - # + owner @{PROC}/@{pid}/oom_{,score_}adj rw, deny @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/status r, 
@@ -130,63 +121,27 @@ profile brave @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/clear_refs w, @{PROC}/sys/fs/inotify/max_user_watches r, - deny @{PROC}filesystems r, + deny @{PROC}/filesystems r, - owner /dev/shm/org.chromium.Chromium.shmem.[A-F0-9]*._service_shmem rw, + @{run}/udev/data/* r, + + @{sys}/bus/ r, + @{sys}/bus/**/devices/ r, + @{sys}/class/ r, + @{sys}/class/**/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/pci[0-9]*/**/irq r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/online r, + @{sys}/devices/virtual/tty/tty[0-9]/active r, /dev/bus/usb/[0-9]*/[0-9]* rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # Udev enumeration - @{sys}/bus/ r, - @{sys}/bus/**/devices/ r, - @{sys}/devices/**/uevent r, - @{sys}/class/ r, - @{sys}/class/**/ r, - @{run}/udev/data/* r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - - @{sys}/devices/virtual/tty/tty[0-9]/active r, - @{sys}/devices/system/cpu/online r, - - # To remove the following error: - # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied - # The irq file is needed to render pages. 
- @{sys}/devices/pci[0-9]*/**/irq r, - - @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, - - # For brave://net-export/ - owner /tmp/net-export/ rw, - # Silencer deny @{BRAVE_INSTALLDIR}/** w, - - - profile open { - include - include - - /{usr/,}bin/xdg-open mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + deny /etc/opt/chrome/ w, include if exists } diff --git a/apparmor.d/groups/browsers/brave-browser b/apparmor.d/groups/browsers/brave-browser index 9e544d35a..3faaaf3a5 100644 --- a/apparmor.d/groups/browsers/brave-browser +++ b/apparmor.d/groups/browsers/brave-browser @@ -1,23 +1,24 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev} -@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} -@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} - abi , include +@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev} +@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} +@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} + @{exec_path} = @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev} profile brave-browser @{exec_path} { include include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/readlink rix, /{usr/,}bin/dirname rix, /{usr/,}bin/which{,.debianutils} rix, @@ -26,7 +27,7 @@ profile brave-browser @{exec_path} { @{BRAVE_INSTALLDIR}/brave rPx, - owner @{PROC}/@{pid}/fd/63 w, + owner @{PROC}/@{pid}/fd/ w, include if exists } 
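Review bot: In the second brave-browser hunk, `owner @{PROC}/@{pid}/fd/ w,` matches only the `fd/` directory itself because of the trailing slash, so it does not cover the numbered entry the old rule `owner @{PROC}/@{pid}/fd/63 w,` allowed. The wrapper is a shell script (the first hunk shows `/{usr/,}bin/{,ba,da}sh rix,`), so the descriptor number presumably varies between runs; `owner @{PROC}/@{pid}/fd/[0-9]* w,` would cover it without pinning 63.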
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index b0ca98a50..4f7e8a67a 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -63,7 +63,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/xdg-email rPx, /{usr/,}bin/xdg-icon-resource rPx, /{usr/,}bin/xdg-mime rPx, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-open rPx -> child-open, /{usr/,}bin/xdg-settings rPx, /usr/share/chromium/{,**} r, @@ -164,29 +164,5 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { deny /{usr/,}lib/chromium/** w, deny @{user_share_dirs}/gvfs-metadata/* r, - profile open { - include - include - include - - /{usr/,}bin/xdg-open mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - # Allowed apps to open - /{usr/,}bin/smplayer rPx, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 2ae6c0533..23958f420 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
@@ -147,22 +147,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, # Allowed apps to open - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}bin/exo-open rCx -> open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, - /{usr/,}bin/engrampa rPx, - /{usr/,}bin/geany rPx, - /{usr/,}bin/okular rPx, - /{usr/,}bin/qbittorrent rPx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/spacefm rPx, - /{usr/,}bin/telegram-desktop rPx, - /{usr/,}bin/thunderbird rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/vlc rPx, - /{usr/,}bin/xarchiver rPx, - /{usr/,}bin/evince rPx, + /{usr/,}bin/exo-open rPx -> child-open, + /{usr/,}bin/xdg-open rPx -> child-open, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + /{usr/,}lib/gio-launch-desktop rPx -> child-open, /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, /{usr/,}lib/mozilla/plugins/ r, 
@@ -280,45 +268,5 @@ profile firefox @{exec_path} flags=(attach_disconnected) { deny owner @{HOME}/.* r, deny /tmp/MozillaUpdateLock-* w, - profile open { - include - include - - /{usr/,}bin/xdg-open mr, - /{usr/,}bin/exo-open mr, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,m,g}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - # Allowed apps to open - /{usr/,}bin/engrampa rPx, - /{usr/,}bin/evince rPx, - /{usr/,}bin/geany rPx, - /{usr/,}bin/okular rPx, - /{usr/,}bin/qbittorrent rPx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/spacefm rPx, - /{usr/,}bin/telegram-desktop rPx, - /{usr/,}bin/thunderbird rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/vlc rPx, - /{usr/,}bin/xarchiver rPx, - /{usr/,}bin/evince rPx, - /usr/share/xfce4/exo/exo-compose-mail rPx, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome index f94d60d67..229d4b32d 100644 --- a/apparmor.d/groups/browsers/google-chrome-chrome +++ b/apparmor.d/groups/browsers/google-chrome-chrome @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,18 +14,18 @@ include @{exec_path} = @{CHROME_INSTALLDIR}/chrome{,-beta,-unstable} profile google-chrome-chrome @{exec_path} { include - include - include - include - include - include - include include - include - include - include - include include + include + include + include + include + include + include + include + include + include + include ptrace (trace) peer=@{profile_name}, 
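Review bot: Removing the firefox `open` subprofile in this hunk drops `/usr/share/xfce4/exo/exo-compose-mail rPx,`, and the child-open profile introduced earlier in this series does not list that path, so the exo-open → exo-compose-mail launch that used to be allowed will now be logged by child-open (set to complain in main.flags) and denied once it is enforced. If that helper is still wanted, `/usr/share/xfce4/exo/exo-compose-mail rPx,` belongs in child-open's Others section or in a child-open local override. The subprofile's `owner @{HOME}/ r,` and `owner @{run}/user/@{uid}/ r,` likewise have no visible counterpart in child-open, though its abstraction includes are not legible in this patch.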
@@ -44,23 +45,28 @@ profile google-chrome-chrome @{exec_path} { @{CHROME_INSTALLDIR}/nacl_helper rix, @{CHROME_INSTALLDIR}/xdg-mime rix, @{CHROME_INSTALLDIR}/xdg-settings rix, + @{CHROME_INSTALLDIR}/libwidevinecdm.so mr, + @{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr, # For "google-chrome --help" /{usr/,}bin/man rPUx, # For storing passwords externally /{usr/,}bin/keepassxc-proxy rPUx, + /{usr/,}bin/browserpass rPx, - /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/xdg-open rCx -> open, - - # no new privs - deny /{usr/,}bin/xdg-desktop-menu rx, - deny /{usr/,}bin/xdg-icon-resource rx, - + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/xdg-mime rPx, + /{usr/,}bin/xdg-open rPx -> child-open, /{usr/,}bin/xdg-settings rPx, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + # Google Chrome home files owner @{HOME}/ r, owner @{CHROME_HOMEDIR}/ rw, 
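Review bot: The google-chrome-chrome hunk removes `deny /{usr/,}bin/xdg-desktop-menu rx,` and `deny /{usr/,}bin/xdg-icon-resource rx,` without adding allow rules for them. The execs stay blocked by default, but an explicit `deny` is quiet whereas the implicit denial is audited, so this turns two previously silenced rejections into log entries each time chrome tries to register a desktop entry or icon. If the intent is to surface them, fine; otherwise the two deny lines with their `# no new privs` comment should stay. The profile body continues outside the hunk.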
@@ -68,50 +74,38 @@ profile google-chrome-chrome @{exec_path} { owner @{user_share_dirs}/.com.google.Chrome.* rw, - # Cache files owner @{user_cache_dirs}/ rw, owner @{CHROME_CACHEDIR}/{,**/} rw, owner @{CHROME_CACHEDIR}/*/**/{*-,}index rw, owner @{CHROME_CACHEDIR}/*/**/[a-f0-9]*_? rw, owner @{CHROME_CACHEDIR}/*/**/todelete_* rw, - - # To remove browser history/cache owner @{CHROME_CACHEDIR}/PnaclTranslationCache/index rw, owner @{CHROME_CACHEDIR}/PnaclTranslationCache/data_[0-9]*[0-9] rw, # For importing data (bookmarks, cookies, etc) from Firefox - owner @{HOME}/.mozilla/firefox/profiles.ini r, - owner @{HOME}/.mozilla/firefox/*/ r, - owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, - owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, - owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, - owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, - owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, - owner @{HOME}/.mozilla/firefox/*/logins.json r, - # For importing data from Chromium - owner "@{user_config_dirs}/chromium/Local State" r, - owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w, - owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk, - owner @{user_config_dirs}/chromium/*/ r, - owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, + # owner @{HOME}/.mozilla/firefox/profiles.ini r, + # owner @{HOME}/.mozilla/firefox/*/ r, + # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, + # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, + # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, + # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, + # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + # owner @{HOME}/.mozilla/firefox/*/logins.json r, - /etc/fstab r, + # For importing data (bookmarks, cookies, etc) from Chromium + # owner "@{user_config_dirs}/chromium/Local State" 
r, + # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w, + # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk, + # owner @{user_config_dirs}/chromium/*/ r, + # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - - # Needed or Google Chrome crash with the following error: - # illegal hardware instruction @{PROC}/ r, - # deny @{PROC}/vmstat r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/@{pid}/fd/ r, deny @{PROC}/@{pids}/stat r, deny @{PROC}/@{pids}/statm r, - # To remove the following error: - # Failed to adjust OOM score of renderer with pid : Permission denied - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - # + owner @{PROC}/@{pid}/oom_{,score_}adj rw, deny @{PROC}/@{pids}/cmdline r, deny owner @{PROC}/@{pids}/environ r, owner @{PROC}/@{pid}/task/ r, 
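Review bot: `deny owner @{PROC}/@{pid}/oom_{,score_}adj rw` becomes an allow and the comment that explained the former choice (silencing the "Failed to adjust OOM score of renderer" error) is dropped without a replacement. If `@{pid}` is this project's generic pid pattern rather than the kernel's own-pid variable, the rule lets the browser write `oom_score_adj` of any same-uid process, not only its own renderers; since an unprivileged writer can only raise the score (lowering needs CAP_SYS_RESOURCE) the impact is bounded, but that should be stated, e.g. `# Chrome raises oom_score_adj of its renderers; unprivileged, so it cannot lower scores — confirm @{pid} scope`. The commented-out Firefox/Chromium import rules are dead text in a policy file; either delete them or keep a one-line pointer to why they were disabled, since a reviewer cannot tell whether they are parked or abandoned.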
@@ -123,56 +117,21 @@ profile google-chrome-chrome @{exec_path} { owner @{PROC}/@{pid}/mounts r, deny @{PROC}/diskstats r, - # To play DRM media (protected content) - @{CHROME_INSTALLDIR}/libwidevinecdm.so mr, - @{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr, + @{run}/udev/data/* r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # Udev enumeration @{sys}/bus/ r, @{sys}/bus/**/devices/ r, - @{sys}/devices/**/uevent r, @{sys}/class/ r, @{sys}/class/**/ r, - @{run}/udev/data/* r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - - deny @{sys}/devices/virtual/tty/tty[0-9]/active r, - deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, - - # To remove the following error: - # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied - # The irq file is needed to render pages. + @{sys}/devices/**/uevent r, @{sys}/devices/pci[0-9]*/**/irq r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, + @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, + @{sys}/devices/virtual/tty/tty[0-9]/active r, # Silencer deny @{CHROME_INSTALLDIR}/** w, - - profile open { - include - include - - /{usr/,}bin/xdg-open mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 4d9c45e5c..b793e5027 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera 
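Review bot: Two rules that were explicitly denied — `@{sys}/devices/virtual/tty/tty[0-9]/active r` and `@{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r` — are flipped to allows, and every why-comment in this block (udev enumeration, the pcilib `irq` note "needed to render pages", the DRM/Widevine note) is deleted, so a later reader cannot tell whether the flip was deliberate or a side effect of the re-sort. Both files are low sensitivity (active VT number, maximum CPU frequency), so the exposure is small, but one comment per group would preserve the reasoning, e.g. `# Udev/sysfs enumeration for GPU and USB probing; tty/cpufreq reads were previously denied and are allowed to keep the log quiet` — hedged, since the motivation is not visible in this hunk. The removal of the `open` child profile relies on the `xdg-open rPx -> child-open` transition from the earlier hunk, which is fine as long as `child-open` ships and loads together with this profile.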
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,20 +14,20 @@ include @{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer} profile opera @{exec_path} { include - include - include - include - include - include - include - include include - include - include + include + include + include + include + include + include + include include + include include include - include + include + include ptrace (trace) peer=@{profile_name}, @@ -41,25 +42,32 @@ profile opera @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/which{,.debianutils} rix, + /{usr/,}bin/which{,.debianutils} rix, @{OPERA_INSTALLDIR}/opera_sandbox rPx, @{OPERA_INSTALLDIR}/opera_crashreporter rPx, @{OPERA_INSTALLDIR}/opera_autoupdate krix, + /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr, + /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr, + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/xdg-mime rPx, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-open rPx -> child-open, /{usr/,}bin/xdg-settings rPx, /{usr/,}bin/xdg-desktop-menu rPx, /{usr/,}bin/xdg-icon-resource rPx, - # Opera home files + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + /etc/fstab r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + owner @{HOME}/ r, owner @{OPERA_HOMEDIR}/ rw, owner @{OPERA_HOMEDIR}/** rwk, - # Cache files owner @{user_cache_dirs}/ rw, owner @{OPERA_CACHEDIR}/{,**/} rw, owner @{OPERA_CACHEDIR}/**/{*-,}index rw, 
@@ -67,38 +75,31 @@ profile opera @{exec_path} { owner @{OPERA_CACHEDIR}/**/todelete_* rw, # For importing data (bookmarks, cookies, etc) from Firefox - owner @{HOME}/.mozilla/firefox/profiles.ini r, - owner @{HOME}/.mozilla/firefox/*/ r, - owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, - owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, - owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, - owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, - owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, - owner @{HOME}/.mozilla/firefox/*/logins.json r, - # For importing data from Chromium - owner "@{user_config_dirs}/chromium/Local State" r, - owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w, - owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk, - owner @{user_config_dirs}/chromium/*/ r, - owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, + # owner @{HOME}/.mozilla/firefox/profiles.ini r, + # owner @{HOME}/.mozilla/firefox/*/ r, + # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r, + # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r, + # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk, + # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk, + # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + # owner @{HOME}/.mozilla/firefox/*/logins.json r, - /etc/fstab r, + # For importing data (bookmarks, cookies, etc) from Chromium + # owner "@{user_config_dirs}/chromium/Local State" r, + # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w, + # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk, + # owner @{user_config_dirs}/chromium/*/ r, + # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw, - # Needed or opera crashes 
with the following error: - # illegal hardware instruction @{PROC}/ r, - # deny @{PROC}/vmstat r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/@{pid}/fd/ r, deny @{PROC}/@{pids}/stat r, deny @{PROC}/@{pids}/statm r, - # To remove the following error: - # Failed to adjust OOM score of renderer with pid : Permission denied - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - # + owner @{PROC}/@{pid}/oom_{,score_}adj rw, deny owner @{PROC}/@{pids}/cmdline r, deny owner @{PROC}/@{pids}/environ r, owner @{PROC}/@{pid}/task/ r, 
@@ -110,60 +111,22 @@ profile opera @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/fs/inotify/max_user_watches r, - # To play DRM media (protected content) - /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr, - /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr, + @{run}/udev/data/* r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # Udev enumeration @{sys}/bus/ r, @{sys}/bus/**/devices/ r, - @{sys}/devices/**/uevent r, @{sys}/class/ r, @{sys}/class/**/ r, - @{run}/udev/data/* r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - - deny @{sys}/devices/virtual/tty/tty[0-9]/active r, - - # To remove the following error: - # pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied - # The irq file is needed to render pages. + @{sys}/devices/**/uevent r, @{sys}/devices/pci[0-9]*/**/irq r, - - # For crashreporter - owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, + @{sys}/devices/virtual/tty/tty[0-9]/active r, /dev/ r, # Silencer deny @{OPERA_INSTALLDIR}/** w, - - profile open { - include - include - - /{usr/,}bin/xdg-open mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } From f45c07dfa17305315b05d2a7a253163b6226e28d Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 1 Oct 2022 19:10:00 +0100 Subject: [PATCH 35/41] feat(profiles): child-open integration 2/2 --- apparmor.d/groups/freedesktop/xdg-desktop-portal | 5 +++-- apparmor.d/groups/gnome/nautilus | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 0f116b010..6a26e66c2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -47,8 +47,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/snap rPx, - # Allowed apps to open - /{usr/,}bin/firefox rPx -> firefox, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + /{usr/,}lib/gio-launch-desktop rPx -> child-open, + /{usr/,}bin/nautilus rPx, / r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 93c4e7280..1fb5d94cd 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -38,6 +38,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}lib/gio-launch-desktop rPx -> child-open, /usr/share/nautilus/{,**} r, /usr/share/poppler/{,**} r, From 8a55eb8330c0ffeccdb8693d0b94593caa4235e5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Oct 2022 19:11:19 +0100 Subject: [PATCH 36/41] fix(profile): fontconfig-cache-write needs /var/cache/fontconfig/ access. --- apparmor.d/abstractions/fontconfig-cache-write | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index b539ddad6..db2be5ac3 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -26,7 +27,8 @@ /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r, deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w, - owner /var/cache/fontconfig/{,**} rw, + /var/cache/fontconfig/ rw, + owner /var/cache/fontconfig/** rw, owner /var/cache/fontconfig/*.cache-[0-9]* rwk, owner /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl, owner /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl, From d0a8030af8ed1d63c3045a2be3edd4422d4e597e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Oct 2022 19:18:54 +0100 Subject: [PATCH 37/41] fix(profile): add deny-sensitive-home abstraction. --- apparmor.d/abstractions/deny-sensitive-home | 36 +++++++++++++++++++++ apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/tracker-miner | 1 + 3 files changed, 38 insertions(+) create mode 100644 apparmor.d/abstractions/deny-sensitive-home diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home new file mode 100644 index 000000000..6fa612e86 --- /dev/null +++ b/apparmor.d/abstractions/deny-sensitive-home 
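Review bot: The directory rule `/var/cache/fontconfig/ rw` drops the `owner` qualifier while the `/var/cache/fontconfig/**` rule below keeps it, and the hunk carries no comment saying why the two differ. Presumably fontconfig probes the system cache directory for writability before falling back to the per-user cache, and that probe can never satisfy `owner` because the directory is root-owned — if so, say it: `# fontconfig probes the root-owned system cache dir before falling back to ~/.cache/fontconfig; owner can never match here`. DAC still stops unprivileged processes from creating entries there, and `owner` on the `**` rule is what keeps this abstraction from widening that for root-run consumers, so the comment should also state that the `**` rule must keep `owner`.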
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER + +# Per the first rule of this project: +# As these are mandatory access control policies only what it explicitly required +# should be authorized. Meaning, you should not allow everything (or a large area) +# and blacklist some sub area. + +# Use in this project: file browser and search engine + + deny @{HOME}/.*_history rwlk, + deny @{HOME}/.*age*{,/{,**}} rwlk, + deny @{HOME}/.*cert*{,/{,**}} rwlk, + deny @{HOME}/.*key*{,/{,**}} rwlk, + deny @{HOME}/.*pass*{,/{,**}} rwlk, + deny @{HOME}/.*pki*{,/{,**}} rwlk, + deny @{HOME}/.*private*{,/{,**}} rwlk, + deny @{HOME}/.*secret*{,/{,**}} rwlk, + deny @{HOME}/.*yubi*{,/{,**}} rwlk, + deny @{HOME}/.lesshst* rwlk, + deny @{HOME}/.wget-hsts rwlk, + deny @{HOME}/@{XDG_GPG_DIR}/{,**} rwlk, + deny @{HOME}/@{XDG_SSH_DIR}/{,**} rwlk, + + # Deny executable mapping in writable space as allowed in abstractions/fonts + deny @{HOME}/.{,cache/}fontconfig/ rw, + deny @{HOME}/.{,cache/}fontconfig/** mrwl, + + # Deny executable mapping in writable space as allowed in abstractions/base for ecryptfs + deny @{HOME}/.Private/** mrxwlk, + deny @{HOMEDIRS}/.ecryptfs/*/.Private/** mrxwlk, + + include if exists diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 1fb5d94cd..a25a92e0f 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -58,6 +58,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner /tmp/{,**} rw, # Silence non user's data + include deny /boot/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 4102052d6..53c8e1085 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner 
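Review bot: The blocklist matches only top-level dotfiles whose name contains a keyword (`@{HOME}/.*key*`, `.*pass*`, …); because `*` does not cross `/`, common credential stores one level down are not covered — `~/.local/share/keyrings/` (GNOME keyring), `~/.aws/credentials`, `~/.kube/config`, `~/.docker/config.json`, `~/.netrc`, `~/.git-credentials`, `~/.authinfo{,.gpg}` and the browser login databases that other profiles in this series just stopped reading. Given the file's own warning that this is a deny list layered over a broad allow, naming the well-known paths explicitly is cheaper than a later leak through a file browser's preview or a search indexer's extraction. Suggested additions, in the same style as the surrounding lines (verify the exact paths against the tunables this repo defines for `@{user_config_dirs}`):
```apparmor
  deny @{HOME}/.netrc rwlk,
  deny @{HOME}/.git-credentials rwlk,
  deny @{HOME}/.authinfo{,.gpg} rwlk,
  deny @{HOME}/.aws/{,**} rwlk,
  deny @{HOME}/.kube/{,**} rwlk,
  deny @{HOME}/.docker/config.json rwlk,
  deny @{HOME}/.local/share/keyrings/{,**} rwlk,
  deny @{HOME}/.mozilla/firefox/*/{logins.json,key4.db,cert9.db} rwlk,
  deny "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwlk,
```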
@@ -12,6 +12,7 @@ profile tracker-miner @{exec_path} { include include include + include include include include From ac47e292ac8dbc57c5a01983d738268fffc292b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Oct 2022 21:11:13 +0100 Subject: [PATCH 38/41] feat(profiles): general update. --- apparmor.d/abstractions/app-launcher-user | 10 ++++------ apparmor.d/groups/freedesktop/xdg-open | 22 ++++++---------------- apparmor.d/groups/gnome/gio-launch-desktop | 1 + apparmor.d/groups/gnome/gnome-music | 3 +++ apparmor.d/groups/gnome/nautilus | 1 - apparmor.d/groups/systemd/bootctl | 4 +++- apparmor.d/groups/systemd/busctl | 11 +++++++++++ apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/groups/systemd/journalctl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/networkctl | 6 +++--- apparmor.d/groups/systemd/systemd-cgls | 6 +++--- apparmor.d/groups/systemd/systemd-cgtop | 6 +++--- apparmor.d/groups/systemd/systemd-mount | 2 +- apparmor.d/profiles-m-r/pkttyagent | 3 +++ 15 files changed, 44 insertions(+), 37 deletions(-) diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 7bf9094ce..22d0c7861 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -13,6 +13,10 @@ /usr/local/bin/ r, /usr/local/bin/[a-zA-Z0-9]* rPUx, + # All apps in opt + /opt/*/ r, + /opt/*/[a-zA-Z0-9]* rPUx, + # Firefox /{usr/,}lib/ r, /{usr/,}lib/firefox/ r, @@ -34,10 +38,4 @@ /usr/share/discord/ r, /usr/share/discord/Discord rPx, - # FreeTube - /opt/FreeTube/ r, - /opt/FreeTube/freetube rPx, - /opt/FreeTube-Vue/ r, - /opt/FreeTube-Vue/freetube-vue rPx, - include if exists \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 9d96d6b07..96a8e67b2 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open 
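Review bot: `/opt/*/[a-zA-Z0-9]* rPUx` replaces two pinned `rPx` entries (`/opt/FreeTube/freetube`, `/opt/FreeTube-Vue/freetube-vue`) with a wildcard that launches any executable one level below `/opt` and, because of the `U`, runs it unconfined whenever no profile is attached — for third-party vendor installs, which is what `/opt` mostly holds, that is the common case. This abstraction is pulled in by launcher profiles, so every launcher inherits the widening, whereas the FreeTube rules failed closed when their profile was missing. If the generalization is wanted, make the fallback an explicit, commented decision above the rule, e.g. `# Anything under /opt without a profile runs unconfined; vendor software in /opt is trusted by this policy`, or keep `rPx` and accept that unknown /opt applications must be profiled before they can be launched.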
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,8 +10,8 @@ include @{exec_path} = /{usr/,}bin/xdg-open profile xdg-open @{exec_path} flags=(attach_disconnected) { include - include include + include @{exec_path} r, @@ -29,27 +30,16 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/gio rPx, #/{usr/,}bin/kde-open5 rPUx, - # When xdg-open is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Xdg-open works fine without this. - #/{usr/,}bin/dbus-launch rCx -> dbus, - #/{usr/,}bin/dbus-send rCx -> dbus, - deny /{usr/,}bin/dbus-launch rx, - deny /{usr/,}bin/dbus-send rx, + /{usr/,}bin/dbus-launch rCx -> dbus, + /{usr/,}bin/dbus-send rCx -> dbus, /usr/share/applications/*.desktop r, - owner @{user_share_dirs}/applications/ r, - - owner @{HOME}/.Xauthority r, /** r, owner /** rw, - # file_inherit - /dev/dri/card[0-9]* rw, + owner @{user_share_dirs}/applications/ r, + /dev/tty rw, profile dbus { diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index e28c11b0a..22bcffe5d 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/gio @{exec_path} += /{usr/,}bin/gio-launch-desktop +@{exec_path} += /{usr/,}lib/gio-launch-desktop @{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index cfd50ca05..f82dfbb1e 100644 
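Review bot: The previously deliberate `deny /{usr/,}bin/dbus-launch rx` / `deny /{usr/,}bin/dbus-send rx` become `rCx -> dbus`, and the comment that recorded the open question ("When xdg-open is run as root, it wants to exec dbus-launch … Should this be allowed? Xdg-open works fine without this.") is deleted rather than answered. Since the profile grants `/** r` and `owner /** rw`, the `dbus` child profile (its body starts outside this hunk) is now the only thing bounding an autolaunched `dbus-daemon` spawned from a root-run xdg-open, and whether that child is tight enough is not visible here. Please keep a one-line rationale above the two rules, e.g. `# xdg-open autolaunches a session bus when DBUS_SESSION_BUS_ADDRESS is unset; confined to the dbus child profile below — confirm this is wanted for root`. Dropping `owner @{HOME}/.Xauthority r` is a good tightening; the removed `/dev/dri/card[0-9]* rw` under `# file_inherit` may resurface as denials when xdg-open is launched from GPU-using applications.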
--- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -15,6 +15,9 @@ profile gnome-music @{exec_path} { include include include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index a25a92e0f..e74728041 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index ff1aa886a..6771e8db0 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -20,7 +20,9 @@ profile bootctl @{exec_path} { @{exec_path} mr, - /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, /{boot,efi}/ r, /{boot,efi}/EFI/{,**} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index e7841b7df..6cd88e780 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,8 +9,19 @@ include @{exec_path} = /{usr/,}bin/busctl profile busctl @{exec_path} { include + include + + ptrace (read), @{exec_path} mr, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/stat r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 5bf16d3b7..9a027e435 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl 
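Review bot: In the busctl hunk, `ptrace (read),` is added without a `peer=` restriction, so busctl may read `/proc/<pid>/{cgroup,comm,stat}` of every process the kernel's `ptrace_scope` lets it see, which matches the unowned `@{PROC}/@{pids}/...` rules added below it. That is what `busctl list`/`status` needs to label peers on the system bus with pid, comm and cgroup, but an unscoped `ptrace (read)` is a rule reviewers usually want justified in place: `# busctl resolves bus peers to pid/comm/cgroup of arbitrary processes, hence unscoped ptrace read`. The included abstraction names are not legible in this rendering, so I cannot tell whether one of them already grants this.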
@@ -17,9 +17,9 @@ profile coredumpctl @{exec_path} flags=(complain) { /{usr/,}bin/gdb rCx -> gdb, - /{usr/,}bin/pager rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, owner /tmp/*.coredump w, owner /tmp/core.* w, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index a8527160b..772c7c4b6 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -23,9 +23,9 @@ profile journalctl @{exec_path} { @{exec_path} mr, - /{usr/,}bin/pager rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 68171dd85..2b3821dfe 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -13,9 +13,9 @@ profile localectl @{exec_path} { @{exec_path} mr, - /{usr/,}bin/pager rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, /usr/share/kbd/keymaps/{,**} r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 7006a77f5..7fc78f745 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -31,9 +31,9 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mr, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, /etc/udev/hwdb.bin r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index 16aeb1898..10b1671f3 100644 
--- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -14,9 +14,9 @@ profile systemd-cgls @{exec_path} { @{exec_path} mr, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop index 9bfdc4131..edb6b8443 100644 --- a/apparmor.d/groups/systemd/systemd-cgtop +++ b/apparmor.d/groups/systemd/systemd-cgtop @@ -12,9 +12,9 @@ profile systemd-cgtop @{exec_path} { @{exec_path} mr, - /{usr/,}bin/pager rPx -> child-pager, - /{usr/,}bin/less rPx -> child-pager, - /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount index 9ac10bc75..3db963123 100644 --- a/apparmor.d/groups/systemd/systemd-mount +++ b/apparmor.d/groups/systemd/systemd-mount @@ -14,9 +14,9 @@ profile systemd-mount @{exec_path} { @{exec_path} mr, - /{usr/,}bin/pager rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/pager rPx -> child-pager, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index 021c12925..339e4b733 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -38,6 +38,9 @@ profile pkttyagent @{exec_path} { @{exec_path} mr, + @{libexec}/polkit-agent-helper-[0-9] rPx, + /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + owner @{PROC}/@{pids}/stat r, /dev/tty rw, From 027a506eec27851b69c08858ad40588569e027f5 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 4 Oct 2022 21:18:07 +0100 Subject: [PATCH 39/41] feat(systemd): simplify service overwride. --- systemd/haveged.service | 2 +- systemd/systemd-journald.service | 2 +- systemd/systemd-networkd.service | 2 +- systemd/systemd-timesyncd.service | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/systemd/haveged.service b/systemd/haveged.service index 900b67e7b..544fb7da8 100644 --- a/systemd/haveged.service +++ b/systemd/haveged.service @@ -1,2 +1,2 @@ [Unit] -After=apparmor.service systemd-tmpfiles-setup-dev.service +After=apparmor.service diff --git a/systemd/systemd-journald.service b/systemd/systemd-journald.service index ff4fe4178..cd2840571 100644 --- a/systemd/systemd-journald.service +++ b/systemd/systemd-journald.service @@ -1,2 +1,2 @@ [Unit] -After=apparmor.service systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket +After=apparmor.service \ No newline at end of file diff --git a/systemd/systemd-networkd.service b/systemd/systemd-networkd.service index ec24f8e7c..cd2840571 100644 --- a/systemd/systemd-networkd.service +++ b/systemd/systemd-networkd.service @@ -1,2 +1,2 @@ [Unit] -After=apparmor.service systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service +After=apparmor.service \ No newline at end of file diff --git a/systemd/systemd-timesyncd.service b/systemd/systemd-timesyncd.service index d390b5a7d..cd2840571 100644 --- a/systemd/systemd-timesyncd.service +++ b/systemd/systemd-timesyncd.service @@ -1,2 +1,2 @@ [Unit] -After=apparmor.service systemd-sysusers.service +After=apparmor.service \ No newline at end of file From fa1f71a1512f19d78cf37c799b9fb69fa0a17358 Mon Sep 17 00:00:00 2001 
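Review bot: The trimmed `After=apparmor.service` lines are only equivalent to the old ones if these files are installed as drop-ins (`<unit>.d/*.conf`), where `After=` is additive and the stock unit keeps `systemd-udevd.service`, `network-pre.target`, the journald sockets and the rest. If the packaging instead installs them as full unit replacements, journald loses its socket ordering and networkd its udev/sysctl ordering — the install path is not visible in this diff, so please confirm. A header comment in each file would settle it for the next reader: `# Drop-in: adds ordering to the stock unit so the service starts only after AppArmor profiles are loaded`. Three of the four files also lose their trailing newline; harmless for systemd, but it keeps showing up in diffs.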
From: Alexandre Pujol Date: Tue, 4 Oct 2022 23:17:11 +0100 Subject: [PATCH 40/41] build: allow to build the package in a clean container. --- dists/build/archlinux/Dockerfile | 13 ++++ dists/build/build.sh | 104 +++++++++++++++++++++++++++++++ dists/build/debian/Dockerfile | 23 +++++++ dists/build/ubuntu/Dockerfile | 19 ++++++ 4 files changed, 159 insertions(+) create mode 100644 dists/build/archlinux/Dockerfile create mode 100644 dists/build/build.sh create mode 100644 dists/build/debian/Dockerfile create mode 100644 dists/build/ubuntu/Dockerfile diff --git a/dists/build/archlinux/Dockerfile b/dists/build/archlinux/Dockerfile new file mode 100644 index 000000000..a0698962c --- /dev/null +++ b/dists/build/archlinux/Dockerfile @@ -0,0 +1,13 @@ +FROM archlinux:base-devel + +RUN pacman -Syu --noconfirm --noprogressbar --quiet \ + devtools git pacman-contrib \ + go git rsync lsb-release && \ + paccache -r -k 0 && \ + pacman -Rscn --noconfirm --noprogressbar pacman-contrib && \ + useradd -m -s /bin/bash -u 1000 build && \ + echo "build ALL=NOPASSWD: ALL" >> /etc/sudoers && \ + chown -R build:build /home/build + +USER build +CMD ["/bin/bash"] diff --git a/dists/build/build.sh b/dists/build/build.sh new file mode 100644 index 000000000..12e6789ce --- /dev/null +++ b/dists/build/build.sh 
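Review bot: `echo "build ALL=NOPASSWD: ALL" >> /etc/sudoers` gives the build user unrestricted passwordless root inside the image, while `makepkg -s` only needs sudo for `pacman` to install dependencies; narrowing it to `build ALL=(root) NOPASSWD: /usr/bin/pacman` keeps `-s` working and stops a malicious PKGBUILD or dependency hook from doing anything else as root. Because the container bind-mounts the host checkout at `/home/build/tmp`, anything the build does as root lands in that tree with root ownership, so the narrowing is not just hygiene. `FROM archlinux:base-devel` plus `pacman -Syu` builds from whatever is current, which is fine for a throwaway but makes the produced package unreproducible; consider pinning the image by digest. `git` appears twice in the package list.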
@@ -0,0 +1,104 @@ +#!/usr/bin/env bash +# Build the package in a clean Archlinux/Debian/Ubuntu container +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Usage: make + +set -eu + +readonly BASEIMAGE="${BASEIMAGE:-}" +readonly PKGNAME=apparmor.d +readonly VOLUME=/tmp/build +readonly BUILDIR=/home/build/tmp +readonly COMMAND="$1" +VERSION="0.$(git rev-list --count HEAD)-1" +PACKAGER="$(git config user.name) <$(git config user.email)>" +readonly VERSION PACKAGER + +_start() { + local name="$1" + docker start "$name" +} + +_is_running() { + local name="$1" + res="$(docker inspect -f '{{ .State.Running }}' "$name")" &>/dev/null + exist=$? + if [[ $exist -ne 0 ]]; then + return $exist + elif [[ "$res" == true ]]; then + return 0 + else + return 1 + fi +} + +_exist() { + local name="$1" + docker inspect -f '{{ .State.Running }}' "$name" &>/dev/null +} + +sync() { + mkdir -p "$VOLUME" + rsync -ra --delete . "$VOLUME/$PKGNAME" +} + +build_in_docker_makepkg() { + local name="$1" + + if _exist "$name"; then + if ! _is_running "$name"; then + _start "$name" + fi + else + docker build -t "$BASEIMAGE$name" "dists/build/$name" + docker run -tid --name "$name" --volume "$VOLUME:$BUILDIR" \ + --env MAKEFLAGS="-j$(nproc)" --env PACKAGER="$PACKAGER" \ + --env PKGDEST="$BUILDIR" --env DIST="$name" \ + "$BASEIMAGE$name" + fi + + docker exec -i --workdir="$BUILDIR/$PKGNAME" "$name" \ + makepkg -sfC --noconfirm --noprogressbar + mv "$VOLUME/$PKGNAME"-*.pkg.* . +} + +build_in_docker_dpkg() { + local name="$1" + + if _exist "$name"; then + if ! 
_is_running "$name"; then + _start "$name" + fi + else + docker build -t "$BASEIMAGE$name" "dists/build/$name" + docker run -tid --name "$name" --volume "$VOLUME:$BUILDIR" \ + --env DEBIAN_FRONTEND=noninteractive --env DIST="$name" \ + "$BASEIMAGE$name" + fi + + docker exec --workdir="$BUILDIR/$PKGNAME" "$name" \ + dch --newversion="$VERSION" --urgency=medium --distribution=stable --controlmaint "Release $VERSION" + docker exec --workdir="$BUILDIR/$PKGNAME" "$name" \ + dpkg-buildpackage -b -d --no-sign + mv "$VOLUME/${PKGNAME}_${VERSION}"_*.* . +} + +main() { + case "$COMMAND" in + archlinux) + sync + build_in_docker_makepkg "$COMMAND" + ;; + + debian | ubuntu | whonix) + sync + build_in_docker_dpkg "$COMMAND" + ;; + + *) ;; + esac +} + +main "$@" diff --git a/dists/build/debian/Dockerfile b/dists/build/debian/Dockerfile new file mode 100644 index 000000000..85f8c2cf9 --- /dev/null +++ b/dists/build/debian/Dockerfile @@ -0,0 +1,23 @@ +FROM debian:11 + +ENV DEBIAN_FRONTEND=noninteractive \ + TERM=xterm + +# hadolint ignore=DL3008 +RUN echo 'deb http://deb.debian.org/debian bullseye-backports main contrib non-free' >> /etc/apt/sources.list && \ + apt-get update -y && apt-get -qq -y --no-install-recommends upgrade && \ + apt-get -qq -y --no-install-recommends install \ + build-essential devscripts debhelper fakeroot config-package-dev \ + git lsb-release rsync && \ + apt-get -qq -y --no-install-recommends install \ + golang-1.19-go -t bullseye-backports && \ + apt-get -qy autoremove && \ + apt-get -qq --purge remove -y .\*-doc$ && \ + apt-get clean && \ + rm -rf /usr/share/doc /usr/share/man /var/lib/apt/lists/* /tmp/* /var/tmp/* && \ + ln -s /usr/lib/go-1.19/bin/go /usr/bin/go && \ + useradd -m -s /bin/bash -u 1000 build && \ + chown -R build:build /home/build + +USER build +CMD ["/bin/bash"] diff --git a/dists/build/ubuntu/Dockerfile b/dists/build/ubuntu/Dockerfile new file mode 100644 index 000000000..aea5f4471 --- /dev/null +++ b/dists/build/ubuntu/Dockerfile 
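Review bot: `VOLUME=/tmp/build` is a fixed, predictable path under a world-writable directory, and `sync` does `mkdir -p` followed by `rsync -ra --delete .` into it: on a shared host, another local user who pre-creates `/tmp/build` (or a symlink there) owns the tree the package is built from and receives a copy of the checkout including `.git`, and the container then bind-mounts that same path. Use a per-user location with a private mode, e.g. `readonly VOLUME="${XDG_RUNTIME_DIR:-/tmp}/apparmor.d-build-$UID"` and `mkdir -p -m 700 "$VOLUME"` in `sync` (`mktemp -d` would also work but breaks the container-reuse logic in `_exist`, since a named container keeps its original mount). Two smaller points: `main` ends in `*) ;;`, so an unknown distribution silently does nothing and exits 0 — make it `*) echo "unknown dist: $COMMAND" >&2; exit 1 ;;` — and `readonly COMMAND="$1"` under `set -u` dies with an unbound-variable error when called with no argument instead of printing usage.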
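Review bot: `FROM debian:11` combined with `apt-get upgrade` and a backports pull for `golang-1.19-go` means the toolchain that produces the .deb changes between runs; pin the base image by digest (`FROM debian:11@sha256:…`) or at least record the resolved package versions so a build can be reproduced from the same inputs. The `http://` backports mirror is acceptable because apt verifies the repository's Release signature, but a comment saying so saves the next reviewer the question: `# http is fine here: apt verifies Release signatures`. `apt-get -qq --purge remove -y .\*-doc$` is a regex that removes every installed package whose name ends in `-doc`; harmless in a build image, but worth noting in the same comment.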
@@ -0,0 +1,19 @@ +FROM ubuntu:22.04 + +ENV DEBIAN_FRONTEND=noninteractive \ + TERM=xterm + +# hadolint ignore=DL3008 +RUN apt-get update -y && apt-get -qq -y --no-install-recommends upgrade && \ + apt-get -qq -y --no-install-recommends install \ + build-essential devscripts debhelper fakeroot config-package-dev \ + git lsb-release rsync golang-go && \ + apt-get -qy autoremove && \ + apt-get -qq --purge remove -y .\*-doc$ && \ + apt-get clean && \ + rm -rf /usr/share/doc /usr/share/man /var/lib/apt/lists/* /tmp/* /var/tmp/* && \ + useradd -m -s /bin/bash -u 1000 build && \ + chown -R build:build /home/build + +USER build +CMD ["/bin/bash"] From 9a016bd1a06c368748ef5c72ab21798f1884ba65 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Oct 2022 23:17:52 +0100 Subject: [PATCH 41/41] build: add initial makefile. --- Makefile | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 000000000..fdbfff7d6 --- /dev/null +++ b/Makefile @@ -0,0 +1,34 @@ +#!/usr/bin/make -f + +PKGNAME := apparmor.d + +.PHONY: install lint archlinux debian ubuntu whonix clean + +all: + @echo "Nothing to do." + +install: + @echo "Nothing to do." + +lint: + @shellcheck --shell=bash \ + PKGBUILD configure pick dists/build/build.sh \ + debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm + +archlinux: + @bash dists/build/build.sh archlinux + +debian: + @bash dists/build/build.sh debian + +ubuntu: + @bash dists/build/build.sh ubuntu + +whonix: + @bash dists/build/build.sh whonix + +clean: + @rm -rf \ + debian/.debhelper debian/debhelper* debian/*.debhelper \ + ${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst \ + ${PKGNAME}_*.* .build
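Review bot: The `whonix` target runs `dists/build/build.sh whonix`, which in turn does `docker build … dists/build/whonix`, but this series adds Dockerfiles only for `archlinux`, `debian` and `ubuntu`, so as far as is visible here `make whonix` fails at the docker build step; either add the Dockerfile or drop the target until it exists. `lint` is a good addition — it runs shellcheck over `build.sh` and the maintainer scripts — and since the Debian and Ubuntu Dockerfiles already carry `# hadolint ignore=` pragmas, running `hadolint` over `dists/build/*/Dockerfile` in the same target would make those pragmas meaningful.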