From fe1e3c3be805ec965e60f8b477f14d46da61e1ff Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 7 May 2024 17:25:43 +0100
Subject: [PATCH] feat(profile): add some new profile.
---
 apparmor.d/groups/gnome/gnome-text-editor | 26 ++++++++
 apparmor.d/groups/gnome/tracker-writeback | 20 ++++++
 apparmor.d/groups/gvfs/gvfsd-wsdd | 16 +++++
 apparmor.d/groups/network/nm-priv-helper | 20 ++++++
 .../groups/systemd/systemd-network-generator | 21 +++++++
 apparmor.d/profiles-a-f/alacarte | 36 +++++++++++
 apparmor.d/profiles-a-f/at | 32 ++++++++++
 apparmor.d/profiles-m-r/metadata-cleaner | 63 +++++++++++++++++++
 apparmor.d/profiles-s-z/switcherooctl | 20 ++++++
 dists/flags/main.flags | 10 +++
 10 files changed, 264 insertions(+)
 create mode 100644 apparmor.d/groups/gnome/gnome-text-editor
 create mode 100644 apparmor.d/groups/gnome/tracker-writeback
 create mode 100644 apparmor.d/groups/gvfs/gvfsd-wsdd
 create mode 100644 apparmor.d/groups/network/nm-priv-helper
 create mode 100644 apparmor.d/groups/systemd/systemd-network-generator
 create mode 100644 apparmor.d/profiles-a-f/alacarte
 create mode 100644 apparmor.d/profiles-a-f/at
 create mode 100644 apparmor.d/profiles-m-r/metadata-cleaner
 create mode 100644 apparmor.d/profiles-s-z/switcherooctl
diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor
new file mode 100644
index 000000000..bfd2ed5f3
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gnome-text-editor
+profile gnome-text-editor @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ include if exists
+}
\ No newline at end of file
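Review bot: The rule `deny @{user_share_dirs}/gvfs-metadata/* r,` is written without `owner`, while the same silencing rule in this commit's metadata-cleaner profile is written `deny owner @{user_share_dirs}/gvfs-metadata/* r,`; both forms are valid, but two profiles added in one commit should use the same one. The unqualified form denies the read regardless of who owns the file, so if the rule is only there to quiet log noise it is the form I would keep and align the other profile to. A one-line comment above it, e.g. `# quiet gvfs metadata lookups; the editor does not need them`, would record why the deny exists.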
diff --git a/apparmor.d/groups/gnome/tracker-writeback b/apparmor.d/groups/gnome/tracker-writeback
new file mode 100644
index 000000000..da75e3db0
--- /dev/null
+++ b/apparmor.d/groups/gnome/tracker-writeback
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/tracker-writeback
+profile tracker-writeback @{exec_path} {
+ include
+ include
+ include
+
+ #aa:dbus own bus=session name=org.freedesktop.Tracker3.Writeback
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd
new file mode 100644
index 000000000..4c13c1e1d
--- /dev/null
+++ b/apparmor.d/groups/gvfs/gvfsd-wsdd
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd
+profile gvfsd-wsdd @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/network/nm-priv-helper b/apparmor.d/groups/network/nm-priv-helper
new file mode 100644
index 000000000..0f7e851e6
--- /dev/null
+++ b/apparmor.d/groups/network/nm-priv-helper
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/nm-priv-helper
+profile nm-priv-helper @{exec_path} {
+ include
+
+ capability dac_override,
+
+ #aa:dbus own bus=system name=org.freedesktop.nm_priv_helper
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator
new file mode 100644
index 000000000..6ded09b14
--- /dev/null
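Review bot: In the nm-priv-helper hunk, `capability dac_override,` is granted with no path rule and no comment beside it, so a reader cannot tell which file the helper must reach past DAC for or whether a narrower rule would do. The include targets are not visible in this rendering, so I cannot tell whether an abstraction supplies the path rules that the capability would apply to. A one-line comment such as `# dac_override: needed for <access — TODO confirm from audit log>` above the capability would make the grant reviewable, and since main.flags keeps this profile in complain mode the audit log should show the concrete access that motivated it.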
+++ b/apparmor.d/groups/systemd/systemd-network-generator
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/systemd-network-generator
+profile systemd-network-generator @{exec_path} {
+ include
+ include
+
+ capability net_admin,
+
+ @{exec_path} mr,
+
+ owner @{run}/systemd/network/{,**} rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte
new file mode 100644
index 000000000..8497cb986
--- /dev/null
+++ b/apparmor.d/profiles-a-f/alacarte
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/alacarte
+profile alacarte @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+ @{bin}/python3.@{int} rix,
+
+ @{lib}/python3.@{int}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w,
+
+ /usr/share/alacarte/{,**} r,
+ /usr/share/desktop-directories/{,**} r,
+
+ /etc/xdg/menus/{,**} r,
+
+ owner @{user_config_dirs}/menus/{,**} r,
+
+ owner @{user_share_dirs}/applications/{,**} rw,
+ owner @{user_share_dirs}/desktop-directories/{,**} r,
+
+ owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/at b/apparmor.d/profiles-a-f/at
new file mode 100644
index 000000000..23d5d30d6
--- /dev/null
+++ b/apparmor.d/profiles-a-f/at
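Review bot: In the systemd-network-generator hunk, `capability net_admin,` is a broad grant for a profile whose only visible actions are executing itself and writing under `@{run}/systemd/network/`; nothing in the hunk shows an operation that needs network-administration rights. If the capability came from an audit log entry, a comment recording it (`# net_admin: <logged operation — TODO confirm>`) would justify it; otherwise it is worth re-testing without it, which is cheap while main.flags keeps the profile in complain mode. The copyright line reads 2021 while every other new file in this commit reads 2024, which suggests the profile was carried over from an older draft and may deserve a second look for rules that are no longer needed.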
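Review bot: In the alacarte hunk, the rule `@{lib}/python3.@{int}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w,` lets the confined process write bytecode into a system Python module path, i.e. into a location that is later loaded as code; for a user-level menu editor DAC will normally stop this, but the policy should not be the layer that permits it. If the rule exists only to silence the interpreter's failed attempt to cache bytecode, a `deny` on the same path is the tighter choice and keeps the log quiet; if root runs of alacarte genuinely need the write, a comment saying so would help the next reviewer. I cannot tell from the hunk which of the two was intended.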
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/at @{bin}/atq @{bin}/atrm @{bin}/batch
+profile at @{exec_path} {
+ include
+ include
+ include
+
+ capability fsetid,
+
+ signal (send) set=(hup) peer=atd,
+
+ @{exec_path} mr,
+
+ /etc/at.deny r,
+ /etc/at.allow r,
+
+ /var/spool/cron/atjobs/{,*} rwk,
+ /var/spool/cron/atspool/{,*} rwk,
+
+ @{run}/atd.pid r,
+
+ @{PROC}/@{pid}/loginuid r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner
new file mode 100644
index 000000000..63bea0ac2
--- /dev/null
+++ b/apparmor.d/profiles-m-r/metadata-cleaner
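Review bot: `@{PROC}/@{pid}/loginuid r,` is the only proc rule in this commit's new profiles that is not `owner`-qualified, and nothing on the line says why; presumably it is because the at binaries run with elevated group rights and the owner match on their proc entry would not hold, but a later reviewer will be tempted to "tighten" it unless that is written down, e.g. `# not owner-qualified: the owner match does not hold for at's proc entry — TODO confirm`. As a style point, `/etc/at.deny r,` and `/etc/at.allow r,` can be one rule, `/etc/at.{allow,deny} r,`.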
@@ -0,0 +1,63 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/metadata-cleaner
+profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+ @{bin}/python3.@{int} rix,
+
+ @{bin}/bwrap rCx -> bwrap,
+ @{open_path} rPx -> child-open-help,
+
+ /usr/share/metadata-cleaner/{,**} r,
+ /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w,
+
+ /usr/share/poppler/{,**} r,
+
+ /etc/httpd/conf/mime.types r,
+ /etc/mime.types r,
+
+ owner @{tmp}/@{hex64}.png r,
+ owner @{tmp}/@{hex64}.png w,
+ owner @{tmp}/@{rand8} rw,
+ owner @{tmp}/tmp@{rand4}_*/{,**} rw,
+ owner @{tmp}/tmp@{rand8}/{,**} rw,
+
+ @{run}/mount/utab r,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ deny owner @{user_share_dirs}/gvfs-metadata/* r,
+ deny owner @{user_cache_dirs}/thumbnails/** r,
+
+ profile bwrap flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ signal (receive) set=(kill) peer=metadata-cleaner,
+
+ @{bin}/bwrap mr,
+ @{bin}/vendor_perl/exiftool rix,
+
+ include if exists
+ }
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/switcherooctl b/apparmor.d/profiles-s-z/switcherooctl
new file mode 100644
index 000000000..1afd61d9c
--- /dev/null
+++ b/apparmor.d/profiles-s-z/switcherooctl
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/switcherooctl
+profile switcherooctl @{exec_path} {
+ include
+ include
+ include
+
+ #aa:dbus own bus=system name=net.hadess.SwitcherooControl
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
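Review bot: In the metadata-cleaner hunk, `owner @{tmp}/@{hex64}.png r,` and `owner @{tmp}/@{hex64}.png w,` are two rules for the same path and collapse to `owner @{tmp}/@{hex64}.png rw,`. In the `bwrap` child profile, `@{bin}/vendor_perl/exiftool rix,` runs the metadata parser inherited under the child's rules, so whatever the child's three includes (not visible in this rendering) grant also applies to exiftool while it parses user-supplied files; keeping the parser inside the sandbox profile is the right shape, and a comment such as `# exiftool parses untrusted files; keep it under this child profile` would make the intent explicit so the child is not widened later. The `/usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w,` rule grants a write into the application's own install path; if it only silences a failed bytecode-cache attempt, a `deny` is the tighter form, as for the similar rule in the alacarte profile of this commit.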
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 4c9ab25a2..f7a12592a 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -28,10 +28,12 @@ akonadi_newmailnotifier_agent complain
 akonadi_notes_agent complain
 akonadi_sendlater_agent complain
 akonadi_unifiedmailbox_agent complain
+alacarte complain
 anacron complain
 appimagelauncherd complain
 apport attach_disconnected,complain
 apt-helper complain
+at complain
 at-spi-bus attach_disconnected,complain
 at-spi2-registryd attach_disconnected,complain
 atd complain
@@ -114,6 +116,7 @@ flatpak-portal attach_disconnected,complain
 flatpak-session-helper attach_disconnected,complain
 flatpak-system-helper complain
 flatpak-validate-icon complain
+foliate attach_disconnected,complain
 fuse-overlayfs complain
 fusermount complain
 gcr-ssh-agent complain
@@ -137,6 +140,7 @@ gnome-session complain
 gnome-software complain
 gnome-system-monitor attach_disconnected,complain
 gnome-terminal-server complain
+gnome-text-editor complain
 gnome-tweaks complain
 grub-bios-setup complain
 grub-editenv complain
@@ -170,6 +174,7 @@ gsd-wwan complain
 gsettings complain
 gvfs-udisks2-volume-monitor attach_disconnected,complain
 gvfsd-dav complain
+gvfsd-wsdd complain
 hostnamectl complain
 ibus-engine-table complain
 ibus-memconf complain
@@ -214,6 +219,7 @@ landscape-sysinfo.wrapper complain
 language-validate attach_disconnected,complain
 last complain
 lastlog complain
+libreoffice complain
 libvirt-dbus complain
 libvirtd attach_disconnected,complain
 lightdm attach_disconnected,complain
@@ -230,6 +236,7 @@ lvmpolld complain
 man complain
 mate-notification-daemon complain
 mdevctl complain
+metadata-cleaner attach_disconnected,complain
 mke2fs complain
 ModemManager attach_disconnected,complain
 mount attach_disconnected,complain
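Review bot: `+foliate attach_disconnected,complain` and `+libreoffice complain` add flag entries for profiles that are not in this commit's file list — the diffstat names nine new profiles and neither foliate nor libreoffice is among them. If those profiles already exist in the tree the entries are harmless, but if they do not they are dangling, and either way a reader of the log would expect the commit description to mention them since the subject only speaks of new profiles. The other additions in this file, and in the later hunks for nm-priv-helper, switcherooctl and tracker-writeback, match the new profiles one-to-one and place them in complain mode, consistent with the file's existing entries.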
@@ -241,6 +248,7 @@ networkctl attach_disconnected,complain
 networkd-dispatcher complain
 nm-online complain
 nm-openvpn-service-openvpn-helper complain
+nm-priv-helper complain
 nmap complain
 nmcli complain
 nvidia-detector complain
@@ -297,6 +305,7 @@ steam-game attach_disconnected,complain
 steam-gameoverlayui complain
 steam-reaper complain
 sulogin complain
+switcherooctl complain
 swtpm complain
 swtpm_ioctl complain
 swtpm_localca complain
@@ -363,6 +372,7 @@ systemd-userwork attach_disconnected,complain
 systemd-vconsole-setup complain
 systemsettings complain
 terminator complain
+tracker-writeback complain
 udev-dmi-memory-id complain
 udisksctl complain
 udisksd attach_disconnected,complain