feat(profile): various small improvment.

2025-04-05 22:46:19 +02:00 · 2025-04-05 22:46:19 +02:00 · feaf61fb0b
commit feaf61fb0b
parent 6b5e586d83
17 changed files with 56 additions and 20 deletions
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
@ -26,7 +26,7 @@ profile command-not-found @{exec_path} {
  @{bin}/snap         rPx,

  @{lib}/ r,
-  @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} w,
+  @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int}@{int} w,

  /usr/share/command-not-found/{,**} r,

--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -31,7 +31,7 @@ profile dbus-system flags=(attach_disconnected) {
  network bluetooth stream,
  network bluetooth seqpacket,

-  ptrace (read) peer=@{p_systemd},
+  ptrace read peer=@{p_systemd},

  #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
  dbus receive bus=system path=/org/freedesktop/DBus
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -70,9 +70,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{lib}/@{multiarch}/sddm/sddm-helper      rix,
  @{lib}/plasma-dbus-run-session-if-needed  rix,
  @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed  rix,
-  @{lib}/sddm/sddm-helper                   rix,
-  @{lib}/sddm/sddm-helper-start-wayland     rix,
-  @{lib}/sddm/sddm-helper-start-x11user     rix,
+  @{lib}/{,sddm/}sddm-helper                rix,
+  @{lib}/{,sddm/}sddm-helper-start-wayland  rix,
+  @{lib}/{,sddm/}sddm-helper-start-x11user  rix,

  @{shells_path}       rix,
  @{bin}/cat           rix,
--- a/apparmor.d/groups/network/netplan-generate
+++ b/apparmor.d/groups/network/netplan-generate
@ -31,16 +31,16 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/generator/netplan.stamp w,
  @{run}/systemd/generator/network-online.target.wants/ w,
  @{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w,
-  @{run}/systemd/network/ r,
+  @{run}/systemd/network/ rw,
  @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw,
  @{run}/systemd/system/ r,
  @{run}/systemd/system/netplan-* rw,
-  @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r,
+  @{run}/systemd/system/systemd-networkd-wait-online.service.d/ rw,
  @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw,
  @{run}/systemd/system/systemd-networkd.service.wants/ rw,
  @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,

-  @{run}/udev/rules.d/ r,
+  @{run}/udev/rules.d/ rw,
  @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,

  @{sys}/devices/**/net/*/address r,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -53,8 +53,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {

  ptrace (read,trace) peer=@{p_systemd},

-  unix (bind) type=stream addr=@@{udbus}/bus/sshd/system,
-
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/coredumpctl
 profile coredumpctl @{exec_path} flags=(complain) {
  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
@ -31,9 +33,7 @@ profile coredumpctl @{exec_path} flags=(complain) {

  /{run,var}/log/journal/ r,
  /{run,var}/log/journal/@{hex32}/ r,
-  /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
-  /{run,var}/log/journal/@{hex32}/system.journal* r,
-  /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/* r,

  owner @{tmp}/*.coredump w,
  owner @{tmp}/core.* w,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability kill,

-  unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom,
+  unix bind type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom,

  #aa:dbus own bus=system name=org.freedesktop.oom1

--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{lib}/systemd/systemd-sleep
-profile systemd-sleep @{exec_path} {
+profile systemd-sleep @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@ -21,6 +21,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
  signal receive set=(term cont) peer=deb-systemd-invoke,
  signal receive set=(term cont) peer=default,
  signal receive set=(term cont) peer=logrotate,
+  signal receive set=(term cont) peer=makepkg//sudo,
  signal receive set=(term cont) peer=role_*,
  signal receive set=(term cont) peer=rpm,

--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@ -27,10 +27,11 @@ profile apport @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/gdbus        rix,
  @{bin}/{,e,f}grep   rix,
  @{bin}/dpkg         rPx -> child-dpkg,
  @{bin}/dpkg-divert  rPx -> child-dpkg-divert,
+  @{bin}/gdbus        rix,
+  @{bin}/md5sum       rix,

  /usr/share/apport/{,**} r,

@ -39,6 +40,7 @@ profile apport @{exec_path} flags=(attach_disconnected) {

  /var/lib/dpkg/info/ r,
  /var/lib/dpkg/info/*.list r,
+  /var/lib/dpkg/info/*.md5sums r,

        /var/crash/ rw,
        /var/crash/*.@{uid}.crash rw,
--- a/apparmor.d/groups/utils/dmesg
+++ b/apparmor.d/groups/utils/dmesg
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/dmesg
-profile dmesg @{exec_path} {
+profile dmesg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>

--- a/apparmor.d/groups/utils/fstrim
+++ b/apparmor.d/groups/utils/fstrim
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/fstrim
-profile fstrim @{exec_path} {
+profile fstrim @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/disks-write>

--- a/apparmor.d/profiles-a-f/freetube
+++ b/apparmor.d/profiles-a-f/freetube
@ -39,6 +39,8 @@ profile freetube @{exec_path} flags=(attach_disconnected) {
  #aa:stack X xdg-settings
  @{bin}/xdg-settings  rPx -> freetube//&xdg-settings,

+  deny @{sys}/devices/@{pci}/usb@{int}/** r,
+
  include if exists <local/freetube>
 }

--- a/apparmor.d/profiles-g-l/localsend
+++ b/apparmor.d/profiles-g-l/localsend
@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/localsend
+profile localsend @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/desktop>
+  include <abstractions/graphics>
+  include <abstractions/user-download-strict>
+
+#  --system-talk-name=org.freedesktop.NetworkManager
+#   - --system-talk-name=org.freedesktop.hostname1
+# --talk-name=org.kde.StatusNotifierWatcher
+
+  @{exec_path} mr,
+
+  include if exists <local/localsend>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -80,6 +80,11 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
    capability net_admin,
    capability sys_ptrace,

+    dbus send bus=system path=/org/freedesktop/systemd1
+         interface=org.freedesktop.systemd1.Manager
+         member=KillUnit
+         peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
+
    @{run}/utmp rk,

    include if exists <local/logrotate_systemctl>
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@ -92,7 +92,7 @@ profile mkinitramfs @{exec_path} {
        /var/tmp/modules_@{rand6} rw,
  owner /var/tmp/mkinitramfs_@{rand6} rw,
  owner /var/tmp/mkinitramfs_@{rand6}/ rw,
-  owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**,
+  owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
  owner /var/tmp/mkinitramfs-@{rand6} rw,
  owner /var/tmp/mkinitramfs-*_@{rand6} rw,

--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@ -28,6 +28,7 @@
@{p_snap}=snap
@{p_systemd_logind}=systemd-logind
@{p_xdg_desktop_portal}=xdg-desktop-portal
-
+@{p_gsd_media_keys}=gsd-media-keys
+@{p_rtkit_daemon}=rtkit-daemon

 # vim:syntax=apparmor