felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): various small improvment.

Browse source
This commit is contained in:
Alexandre Pujol 2025-04-05 22:46:19 +02:00
parent 6b5e586d83
commit feaf61fb0b
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
17 changed files with 56 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/apt/command-not-found
View file

@ -26,7 +26,7 @@ profile command-not-found @{exec_path} {
@{bin}/snap rPx, @{bin}/snap rPx,
@{lib}/ r, @{lib}/ r,
@{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} w, @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int}@{int} w,
/usr/share/command-not-found/{,**} r, /usr/share/command-not-found/{,**} r,

2
apparmor.d/groups/bus/dbus-system
View file

@ -31,7 +31,7 @@ profile dbus-system flags=(attach_disconnected) {
network bluetooth stream, network bluetooth stream,
network bluetooth seqpacket, network bluetooth seqpacket,
ptrace (read) peer=@{p_systemd}, ptrace read peer=@{p_systemd},
#aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
dbus receive bus=system path=/org/freedesktop/DBus dbus receive bus=system path=/org/freedesktop/DBus

6
apparmor.d/groups/kde/sddm
View file

@ -70,9 +70,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{lib}/@{multiarch}/sddm/sddm-helper rix, @{lib}/@{multiarch}/sddm/sddm-helper rix,
@{lib}/plasma-dbus-run-session-if-needed rix, @{lib}/plasma-dbus-run-session-if-needed rix,
@{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix,
@{lib}/sddm/sddm-helper rix, @{lib}/{,sddm/}sddm-helper rix,
@{lib}/sddm/sddm-helper-start-wayland rix, @{lib}/{,sddm/}sddm-helper-start-wayland rix,
@{lib}/sddm/sddm-helper-start-x11user rix, @{lib}/{,sddm/}sddm-helper-start-x11user rix,
@{shells_path} rix, @{shells_path} rix,
@{bin}/cat rix, @{bin}/cat rix,

6
apparmor.d/groups/network/netplan-generate
View file

@ -31,16 +31,16 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/generator/netplan.stamp w, @{run}/systemd/generator/netplan.stamp w,
@{run}/systemd/generator/network-online.target.wants/ w, @{run}/systemd/generator/network-online.target.wants/ w,
@{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w, @{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w,
@{run}/systemd/network/ r, @{run}/systemd/network/ rw,
@{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw,
@{run}/systemd/system/ r, @{run}/systemd/system/ r,
@{run}/systemd/system/netplan-* rw, @{run}/systemd/system/netplan-* rw,
@{run}/systemd/system/systemd-networkd-wait-online.service.d/ r, @{run}/systemd/system/systemd-networkd-wait-online.service.d/ rw,
@{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw,
@{run}/systemd/system/systemd-networkd.service.wants/ rw, @{run}/systemd/system/systemd-networkd.service.wants/ rw,
@{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
@{run}/udev/rules.d/ r, @{run}/udev/rules.d/ rw,
@{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
@{sys}/devices/**/net/*/address r, @{sys}/devices/**/net/*/address r,

2
apparmor.d/groups/ssh/sshd
View file

@ -53,8 +53,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
ptrace (read,trace) peer=@{p_systemd}, ptrace (read,trace) peer=@{p_systemd},
unix (bind) type=stream addr=@@{udbus}/bus/sshd/system,
dbus send bus=system path=/org/freedesktop/login1 dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}

6
apparmor.d/groups/systemd/coredumpctl
View file

@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/coredumpctl @{exec_path} = @{bin}/coredumpctl
profile coredumpctl @{exec_path} flags=(complain) { profile coredumpctl @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/bus-system>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search, capability dac_read_search,
@ -31,9 +33,7 @@ profile coredumpctl @{exec_path} flags=(complain) {
/{run,var}/log/journal/ r, /{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/* r,
/{run,var}/log/journal/@{hex32}/system.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
owner @{tmp}/*.coredump w, owner @{tmp}/*.coredump w,
owner @{tmp}/core.* w, owner @{tmp}/core.* w,

2
apparmor.d/groups/systemd/systemd-oomd
View file

@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
capability dac_override, capability dac_override,
capability kill, capability kill,
unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, unix bind type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom,
#aa:dbus own bus=system name=org.freedesktop.oom1 #aa:dbus own bus=system name=org.freedesktop.oom1

2
apparmor.d/groups/systemd/systemd-sleep
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-sleep @{exec_path} = @{lib}/systemd/systemd-sleep
profile systemd-sleep @{exec_path} { profile systemd-sleep @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

1
apparmor.d/groups/systemd/systemd-tty-ask-password-agent
View file

@ -21,6 +21,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
signal receive set=(term cont) peer=deb-systemd-invoke, signal receive set=(term cont) peer=deb-systemd-invoke,
signal receive set=(term cont) peer=default, signal receive set=(term cont) peer=default,
signal receive set=(term cont) peer=logrotate, signal receive set=(term cont) peer=logrotate,
signal receive set=(term cont) peer=makepkg//sudo,
signal receive set=(term cont) peer=role_*, signal receive set=(term cont) peer=role_*,
signal receive set=(term cont) peer=rpm, signal receive set=(term cont) peer=rpm,

4
apparmor.d/groups/ubuntu/apport
View file

@ -27,10 +27,11 @@ profile apport @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/gdbus rix,
@{bin}/{,e,f}grep rix, @{bin}/{,e,f}grep rix,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/dpkg-divert rPx -> child-dpkg-divert, @{bin}/dpkg-divert rPx -> child-dpkg-divert,
@{bin}/gdbus rix,
@{bin}/md5sum rix,
/usr/share/apport/{,**} r, /usr/share/apport/{,**} r,
@ -39,6 +40,7 @@ profile apport @{exec_path} flags=(attach_disconnected) {
/var/lib/dpkg/info/ r, /var/lib/dpkg/info/ r,
/var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.list r,
/var/lib/dpkg/info/*.md5sums r,
/var/crash/ rw, /var/crash/ rw,
/var/crash/*.@{uid}.crash rw, /var/crash/*.@{uid}.crash rw,

2
apparmor.d/groups/utils/dmesg
View file

@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/dmesg @{exec_path} = @{bin}/dmesg
profile dmesg @{exec_path} { profile dmesg @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

2
apparmor.d/groups/utils/fstrim
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/fstrim @{exec_path} = @{bin}/fstrim
profile fstrim @{exec_path} { profile fstrim @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>

2
apparmor.d/profiles-a-f/freetube
View file

@ -39,6 +39,8 @@ profile freetube @{exec_path} flags=(attach_disconnected) {
#aa:stack X xdg-settings #aa:stack X xdg-settings
@{bin}/xdg-settings rPx -> freetube//&xdg-settings, @{bin}/xdg-settings rPx -> freetube//&xdg-settings,
deny @{sys}/devices/@{pci}/usb@{int}/** r,
include if exists <local/freetube> include if exists <local/freetube>
} }

27
apparmor.d/profiles-g-l/localsend Normal file
View file

@ -0,0 +1,27 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/localsend
profile localsend @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>
include <abstractions/bus-system>
include <abstractions/desktop>
include <abstractions/graphics>
include <abstractions/user-download-strict>
# --system-talk-name=org.freedesktop.NetworkManager
# - --system-talk-name=org.freedesktop.hostname1
# --talk-name=org.kde.StatusNotifierWatcher
@{exec_path} mr,
include if exists <local/localsend>
}
# vim:syntax=apparmor

5
apparmor.d/profiles-g-l/logrotate
View file

@ -80,6 +80,11 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
capability sys_ptrace, capability sys_ptrace,
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=KillUnit
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
@{run}/utmp rk, @{run}/utmp rk,
include if exists <local/logrotate_systemctl> include if exists <local/logrotate_systemctl>

2
apparmor.d/profiles-m-r/mkinitramfs
View file

@ -92,7 +92,7 @@ profile mkinitramfs @{exec_path} {
/var/tmp/modules_@{rand6} rw, /var/tmp/modules_@{rand6} rw,
owner /var/tmp/mkinitramfs_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6} rw,
owner /var/tmp/mkinitramfs_@{rand6}/ rw, owner /var/tmp/mkinitramfs_@{rand6}/ rw,
owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**, owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
owner /var/tmp/mkinitramfs-@{rand6} rw, owner /var/tmp/mkinitramfs-@{rand6} rw,
owner /var/tmp/mkinitramfs-*_@{rand6} rw, owner /var/tmp/mkinitramfs-*_@{rand6} rw,

3
apparmor.d/tunables/multiarch.d/profiles
View file

@ -28,6 +28,7 @@
@{p_snap}=snap @{p_snap}=snap
@{p_systemd_logind}=systemd-logind @{p_systemd_logind}=systemd-logind
@{p_xdg_desktop_portal}=xdg-desktop-portal @{p_xdg_desktop_portal}=xdg-desktop-portal
@{p_gsd_media_keys}=gsd-media-keys
@{p_rtkit_daemon}=rtkit-daemon
# vim:syntax=apparmor # vim:syntax=apparmor