diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8a57149d5..90b709a31 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -3,48 +3,61 @@ name: Ubuntu on: [push, pull_request, workflow_dispatch] jobs: - build: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: - # - ubuntu-24.04 - - ubuntu-22.04 - mode: - - default - - full-system-policy + check: + runs-on: ubuntu-24.04 steps: - - name: Check out repository code uses: actions/checkout@v4 - - name: Install Build dependencies + - name: Install linter dependencies + run: | + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Run basic profile linter check + run: | + just check + + build: + runs-on: ${{ matrix.os }} + needs: check + strategy: + matrix: + include: + - os: ubuntu-24.04 + mode: default + - os: ubuntu-24.04 + mode: full-system-policy + steps: + - name: Check out repository code + uses: actions/checkout@v4 + + - name: Install Build dependencies run: | sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ auditd apparmor-profiles apparmor-utils + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + sed -e "s/just complain/just fsp-complain/" -i debian/rules fi - VERSION="0.$(git rev-list --count HEAD)-1" - dch --newversion="$VERSION" --urgency=medium --distribution=stable --controlmaint "Release $VERSION" - dpkg-buildpackage -b -d --no-sign + bash dists/build.sh dpkg - name: Install apparmor.d - run: sudo dpkg --install ../apparmor.d_*_amd64.deb || true + run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true - name: Reload AppArmor - run: | - sudo systemctl restart apparmor.service || true - sudo systemctl status apparmor.service - - - name: Ensure compatibility with some AppArmor userspace tools - run: sudo aa-enforce /etc/apparmor.d/aa-notify + run: | + if ! 
sudo systemctl restart apparmor.service; then + sudo journalctl -xeu apparmor.service + exit 1 + fi - name: Show AppArmor log and rules run: | 
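Review bot: The FSP switch `sed -e "s/just complain/just fsp-complain/" -i debian/rules` exits 0 even when the pattern is absent, so any drift in debian/rules would silently build a default-mode package under the full-system-policy matrix entry; guard it, e.g. `grep -q 'just complain' debian/rules` before the sed and `grep -q 'just fsp-complain' debian/rules` after it. The same unguarded sed is in the .gitlab-ci.yml whonix hunk (`@@ -112,14 +116,14 @@`). Separately, `pipx install rust-just` (in the new check job, in the build dependencies step, and again in the tests job of the next hunk) installs whatever version PyPI serves at run time, so the lint, build and test toolchain is not reproducible; pin it, `pipx install rust-just==<version>`, with the placeholder replaced by the version the project has validated. The new `Reload AppArmor` step correctly fails on a restart error now; keep the `sudo journalctl -xeu apparmor.service` dump before `exit 1` so the failure is diagnosable.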
@@ -54,3 +67,83 @@ jobs: - name: Show Number of loaded profile run: sudo aa-status --profiled + + - name: Cache the build package + if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04' + uses: actions/cache/save@v4 + with: + path: .pkg/apparmor.d_*_amd64.deb + key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} + + tests: + runs-on: ubuntu-24.04 + needs: build + if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' + steps: + - name: Check out repository code + uses: actions/checkout@v4 + + - name: Restore the cached build package + uses: actions/cache/restore@v4 + with: + fail-on-cache-miss: true + path: .pkg/apparmor.d_*_amd64.deb + key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} + restore-keys: | + ubuntu-24.04-default- + + - name: Install Tests dependencies + run: | + sudo apt-get update -q + sudo apt-get install -y \ + apparmor-profiles apparmor-utils \ + bats bats-support + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Install apparmor.d + run: | + sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true + sudo systemctl restart apparmor.service + sudo systemctl daemon-reload + systemctl --user daemon-reload + + - name: Restart some services to ensure they are confined + run: | + services=( + containerd cron + dbus docker + ModemManager multipathd + networkd-dispatcher + packagekit polkit + snapd + systemd-journald systemd-hostnamed systemd-logind systemd-networkd + systemd-resolved systemd-udevd + udisks2 + ) + sudo systemctl daemon-reload + for service in "${services[@]}"; do + sudo systemctl restart "$service" || systemctl status "$service.service" || true + done + systemctl restart --user dbus || systemctl status --user "dbus.service" || true + sudo ps auxZ | grep -v '\[.*\]' + sudo aa-log -s --raw + + - name: Install integration dependencies + run: | + just init + find /usr/sbin/ -type f + + - name: Run the integration tests + run: | + 
just integration + + - name: Show final AppArmor logs + if: always() + run: | + sudo aa-log -s --raw + + - name: Show final processes security context + if: always() + run: | + sudo ps auxZ | grep -v '\[.*\]' diff --git a/.gitignore b/.gitignore index d888d6d5c..077d62cbf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # Build .build .logs +.pkg tests/tldr tests/tldr.tar.gz diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ffc9dded0..80dc69c7b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,7 +4,7 @@ include: - template: Security/SAST.gitlab-ci.yml variables: - PKGDEST: $CI_PROJECT_DIR/packages + PKGDEST: $CI_PROJECT_DIR/.pkg PACKAGER: 'Alexandre Pujol ' stages: @@ -23,14 +23,14 @@ bash: image: koalaman/shellcheck-alpine script: - shellcheck --shell=bash - PKGBUILD dists/build.sh dists/docker.sh - tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh + tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh golangci-lint: stage: lint image: golangci/golangci-lint script: - - golangci-lint run --skip-dirs pkg/paths + - golangci-lint run packer: stage: lint @@ -54,7 +54,6 @@ tests: image: golang coverage: '/Coverage: \d+.\d+/' script: - - apt update && apt install -y rsync - cp tests/journalctl /usr/bin/journalctl - chmod 755 /usr/bin/journalctl - mkdir -p /var/log/audit/ @@ -63,6 +62,11 @@ tests: - go test $(go list ./pkg/... | grep -v /pkg/paths) -v -cover -coverprofile=coverage.out - go tool cover -func=coverage.out +check: + stage: test + image: registry.gitlab.com/roddhjav/builders/archlinux + script: + - just check # Package Build # ------------- 
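Review bot: The package is handed from `build` to `tests` through actions/cache, but at restore time `.pkg/` does not exist yet, so `hashFiles('.pkg/apparmor.d_*_amd64.deb')` is empty, the exact key `ubuntu-24.04-default-` never matches a saved entry, and the `restore-keys` prefix returns the most recently created matching cache on the branch rather than this run's build — a .deb from an earlier run would be installed with `sudo dpkg --install` whenever the save step was skipped or refused (cache key already exists). A run-scoped artifact is the right primitive here: upload in `build`, download in `tests`, which also removes the prefix-matching. `sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true` in the tests job then hides an install failure before `systemctl restart apparmor.service`; if `|| true` is there for a known dpkg dependency warning, a comment saying so would help, otherwise drop it.
```yaml
      - name: Upload the build package
        if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04'
        uses: actions/upload-artifact@v4
        with:
          name: apparmor.d-deb
          path: .pkg/apparmor.d_*_amd64.deb

# … unchanged: tests job header, checkout step …

      - name: Download the build package
        uses: actions/download-artifact@v4
        with:
          name: apparmor.d-deb
          path: .pkg
```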
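Review bot: The new `check` job is a style linter (`just check` is grouped under `linter` in the Justfile) but is placed in `stage: test`, so a failing profile check only surfaces after the lint stage has passed; `stage: lint` next to `golangci-lint` would fail earlier, assuming the stages list (outside this hunk) orders lint before test. It also pulls the untagged `registry.gitlab.com/roddhjav/builders/archlinux` image while the debian and ubuntu jobs in the later hunks are pinned to `:trixie` and `:24.04`; for a rolling distribution that may be deliberate, in which case a short comment on the job would say so.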
@@ -80,13 +84,12 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian + image: registry.gitlab.com/roddhjav/builders/debian:trixie script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync - - sudo apt-get install -y -t bookworm-backports golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -95,12 +98,13 @@ debian: ubuntu: stage: build - image: registry.gitlab.com/roddhjav/builders/ubuntu + image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04 + variables: + GOFLAGS: "-buildvcs=false" script: - - sudo chown -R ubuntu:ubuntu /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -112,14 +116,14 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + - sed -e "s/just complain/just fsp-complain/" -i debian/rules opensuse: stage: build image: registry.gitlab.com/roddhjav/builders/opensuse script: - mkdir -p "$PKGDEST" - - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles + - sudo zypper install -y distribution-release golang-packaging apparmor-profiles - bash dists/build.sh rpm artifacts: expire_in: 1 day @@ -142,7 +146,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian + image: debian:trixie dependencies: - debian script: 
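Review bot: The debian build job now uses `builders/debian:trixie` and drops the bookworm-backports Go install, so nothing visible in this pipeline builds the package against Debian 12 any more, while the README hunk later in this diff still lists Debian 12 as supported; if bookworm remains a target it needs its own job, otherwise the README should name trixie. `sudo chown -R ubuntu:ubuntu /builds/` is removed from the ubuntu job while the debian job keeps `sudo chown -R build:build /builds/`; presumably the ubuntu:24.04 image already runs as the right user, which is worth a comment since the two jobs are otherwise parallel. Only the ubuntu job gets `GOFLAGS: "-buildvcs=false"`; if the reason is the git ownership check on `/builds`, the debian job is likely to need the same variable.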
@@ -162,7 +166,7 @@ preprocess-ubuntu: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -preprocess-whonix: +.preprocess-whonix: extends: preprocess-debian dependencies: - whonix @@ -190,7 +194,7 @@ pages: GIT_DEPTH: 0 script: - pip install -r requirements.txt - - mkdocs build --strict --site-dir public + - mkdocs build --site-dir public artifacts: paths: - public diff --git a/.golangci.yaml b/.golangci.yaml index 7718ccda2..6861d253d 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,5 +1,15 @@ --- -linters-settings: - staticcheck: - checks: ["all", "-SA1019" ] +version: "2" +linters: + settings: + staticcheck: + checks: + - all + - -SA1019 + - -ST1000 + exclusions: + paths: + - pkg/paths + - tests/cmd/ + diff --git a/Justfile b/Justfile new file mode 100644 index 000000000..64e333079 --- /dev/null +++ b/Justfile 
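Review bot: `mkdocs build --site-dir public` drops `--strict`, so broken internal links and pages missing from the nav no longer fail the pages job, whereas the new Justfile `docs` recipe still runs `mkdocs build --strict`; either restore `--strict` here or leave a comment on the job naming the warning it is meant to tolerate. The `.preprocess-whonix` rename disables that job by hiding it; a one-line comment above it saying why (and whether it is temporary) keeps the next reader from re-enabling it blindly.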
@@ -0,0 +1,399 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Usage: `just` +# See https://apparmor.pujol.io/development/ for more information. + +# Build settings +destdir := "/" +build := ".build" +pkgdest := `pwd` / ".pkg" +pkgname := "apparmor.d" + +# Admin username +username := "user" + +# Default admin password +password := "user" + +# Disk size of the VM to build +disk_size := "40G" + +# Virtual machine CPU +vcpus := "6" + +# Virtual machine RAM +ram := "4096" + +# Path to the ssh key +ssh_keyname := "id_ed25519" +ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname +ssh_publickey := ssh_privatekey + ".pub" + +# Where the VM are stored +vm := home_dir() / ".vm" + +# Where the VM images are stored +base_dir := home_dir() / ".libvirt/base" + +# Where the packer temporary output is stored +output_dir := base_dir / "packer" + +# SSH options +sshopt := "-i " + ssh_privatekey + " -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" + +# Libvirt connection address +c := "--connect=qemu:///system" + +# VM prefix +prefix := "aa-" + +# Show this help message +help: + @just --list --unsorted + @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." 
+ +# Build the go programs +[group('build')] +build: + @go build -o {{build}}/ ./cmd/aa-log + @go build -o {{build}}/ ./cmd/prebuild + +# Prebuild the profiles in enforced mode +[group('build')] +enforce: build + @./{{build}}/prebuild --buildir {{build}} + +# Prebuild the profiles in enforce mode (test) +enforce-test: build + @./{{build}}/prebuild --buildir {{build}} --test + +# Prebuild the profiles in complain mode +[group('build')] +complain: build + ./{{build}}/prebuild --buildir {{build}} --complain + +# Prebuild the profiles in complain mode (test) +complain-test: build + @./{{build}}/prebuild --buildir {{build}} --complain --test + +# Prebuild the profiles in FSP mode +[group('build')] +fsp: build + @./{{build}}/prebuild --buildir {{build}} --full + +# Prebuild the profiles in FSP mode (complain) +[group('build')] +fsp-complain: build + @./{{build}}/prebuild --buildir {{build}} --complain --full + +# Prebuild the profiles in FSP mode (debug) +[group('build')] +fsp-debug: build + @./{{build}}/prebuild --buildir {{build}} --complain --full --debug + +# Install prebuild profiles +[group('install')] +install: + #!/usr/bin/env bash + set -eu -o pipefail + install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log + mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") + for file in "${share[@]}"; do + install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" + done + mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") + for file in "${aa[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done + mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") + for file in "${links[@]}"; do + mkdir -p "{{destdir}}/etc/apparmor.d/disable" + cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done + for file in "{{build}}/systemd/system/"*; do + service="$(basename "$file")" + install -Dm0644 "$file" 
"{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf" + done + for file in "{{build}}/systemd/user/"*; do + service="$(basename "$file")" + install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" + done + +# Locally install prebuild profiles +[group('install')] +local +names: + #!/usr/bin/env bash + set -eu -o pipefail + install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log + mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n") + for file in "${abs[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file" + done; + mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n") + for file in "${tunables[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" + done; + echo "Warning: profile dependencies fallback to unconfined." + for file in {{names}}; do + grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true + sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" + install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done; + systemctl restart apparmor || sudo journalctl -xeu apparmor.service + +# Prebuild, install, and load a dev profile +[group('install')] +dev name: + go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` + sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} + sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service + +# Build & install apparmor.d on Arch based systems +[group('packages')] +pkg: + @makepkg --syncdeps --install --cleanbuild --force --noconfirm + +# Build & install apparmor.d on Debian based systems +[group('packages')] +dpkg: + @bash dists/build.sh dpkg + @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb + +# Build & install apparmor.d on OpenSUSE based systems +[group('packages')] +rpm: + @bash dists/build.sh rpm + @sudo rpm -ivh --force 
{{pkgdest}}/{{pkgname}}-*.rpm + +# Run the unit tests +[group('tests')] +tests: + @go test ./cmd/... -v -cover -coverprofile=coverage.out + @go test ./pkg/... -v -cover -coverprofile=coverage.out + @go tool cover -func=coverage.out + +# Run the linters +[group('linter')] +lint: + golangci-lint run + packer fmt tests/packer/ + packer validate --syntax-only tests/packer/ + shellcheck --shell=bash \ + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ + tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ + debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm + +# Run style checks on the profiles +[group('linter')] +check: + @bash tests/check.sh + +# Generate the man pages +[group('docs')] +man: + @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md + +# Build the documentation +[group('docs')] +docs: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict + +# Serve the documentation +[group('docs')] +serve: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve + +# Remove all build artifacts +clean: + @rm -rf \ + debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ + {{pkgdest}}/{{pkgname}}* {{build}} coverage.out + +# Build the package in a clean OCI container +[group('packages')] +package dist: + #!/usr/bin/env bash + set -eu -o pipefail + dist="{{dist}}" + version="" + if [[ $dist =~ ubuntu([0-9]+) ]]; then + version="${BASH_REMATCH[1]}.04" + dist="ubuntu" + elif [[ $dist == debian* ]]; then + version="trixie" + dist="debian" + fi + bash dists/docker.sh $dist $version + +# Build the VM image +[group('vm')] +img dist flavor: (package dist) + @mkdir -p {{base_dir}} + packer build -force \ + -var dist={{dist}} \ + -var flavor={{flavor}} \ + -var prefix={{prefix}} \ + -var username={{username}} \ + -var password={{password}} \ + -var ssh_publickey={{ssh_publickey}} \ + -var disk_size={{disk_size}} \ + -var cpus={{vcpus}} \ + -var ram={{ram}} \ + -var 
base_dir={{base_dir}} \ + -var output_dir={{output_dir}} \ + tests/packer/ + +# Create the machine +[group('vm')] +create dist flavor: + @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + @virt-install {{c}} \ + --import \ + --name {{prefix}}{{dist}}-{{flavor}} \ + --vcpus {{vcpus}} \ + --ram {{ram}} \ + --machine q35 \ + {{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \ + --memorybacking source.type=memfd,access.mode=shared \ + --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ + --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ + --os-variant "`just _get_osinfo {{dist}}`" \ + --graphics spice \ + --audio id=1,type=spice \ + --sound model=ich9 \ + --noautoconsole + +# Start a machine +[group('vm')] +up dist flavor: + @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} + +# Stops the machine +[group('vm')] +halt dist flavor: + @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} + +# Reboot the machine +[group('vm')] +reboot dist flavor: + @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} + +# Destroy the machine +[group('vm')] +destroy dist flavor: + @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true + @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram + @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + +# Connect to the machine +[group('vm')] +ssh dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` + +# Mount the shared directory on the machine +[group('vm')] +mount dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' + +# Unmout the shared directory on the machine +[group('vm')] +umount dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' + +# List the 
machines +[group('vm')] +list: + @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" + @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' + +# List the VM images +[group('vm')] +images: + #!/usr/bin/env bash + set -eu -o pipefail + mkdir -p {{base_dir}} + ls -lh {{base_dir}} | awk ' + BEGIN { + printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") + } + { + if ($9 ~ /^{{prefix}}.*\.qcow2$/) { + split($9, arr, "-|\\.") + printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8) + } + } + ' + +# List the VM images that can be created +[group('vm')] +available: + #!/usr/bin/env bash + set -eu -o pipefail + ls -lh tests/cloud-init | awk ' + BEGIN { + printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") + } + { + if ($9 ~ /^.*\.user-data.yml$/) { + split($9, arr, "-|\\.") + printf("%-18s %s\n", arr[1], arr[2]) + } + } + ' + +# Install dependencies for the integration tests +[group('tests')] +init: + @bash tests/requirements.sh + +# Run the integration tests +[group('tests')] +integration name="": + bats --recursive --timing --print-output-on-failure tests/integration/{{name}} + +# Install dependencies for the integration tests (machine) +[group('tests')] +tests-init dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init + +# Synchronize the integration tests (machine) +[group('tests')] +tests-sync dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ + +# Re-synchronize the integration tests (machine) +[group('tests')] +tests-resync dist flavor: (mount dist flavor) \ + (tests-sync dist flavor) \ + (umount dist flavor) + +# Run the integration tests (machine) +[group('tests')] +tests-run dist flavor name="": (tests-resync dist flavor) + ssh 
{{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + bats --recursive --pretty --timing --print-output-on-failure \ + /home/{{username}}/Projects/tests/integration/{{name}} + +_get_ip dist flavor: + @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ + head -1 | \ + grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' + +_get_osinfo dist: + #!/usr/bin/env python3 + osinfo = { + "archlinux": "archlinux", + "debian12": "debian12", + "debian13": "debian13", + "ubuntu22": "ubuntu22.04", + "ubuntu24": "ubuntu24.04", + "ubuntu25": "ubuntu25.04", + "opensuse": "opensusetumbleweed", + } + print(osinfo.get("{{dist}}", "{{dist}}")) diff --git a/Makefile b/Makefile deleted file mode 100644 index 85a4a7190..000000000 --- a/Makefile +++ /dev/null 
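Review bot: Recipe parameters are spliced into shell unquoted: `` `find apparmor.d -iname {{name}}` `` in `dev`, `tests/integration/{{name}}` in `integration`, `bash dists/docker.sh $dist $version` in `package`, and `"{{dist}}"` is pasted straight into the Python source of `_get_osinfo`; a value containing whitespace, a glob or a quote is re-parsed by the shell, or becomes Python syntax. Quote them (`"{{name}}"`, `"$dist" "$version"`) and for `_get_osinfo` pass the value as an exported parameter (`_get_osinfo $dist:`) read through `os.environ` instead of string-splicing it into code. `sshopt` disables host-key verification (`UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`); a comment such as `# Host keys are not verified: only for throwaway local libvirt VMs` records that this must not be reused for real hosts. In `local`, `grep -Ei 'rPx|rpx'` is redundant with `-i`; `grep -i 'rPx'` reads cleaner.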
@@ -1,106 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -DESTDIR ?= / -BUILD := .build -PKGDEST := /tmp/pkg -PKGNAME := apparmor.d -P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) - -.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean - -all: build - @./${BUILD}/prebuild --complain - -build: - @go build -o ${BUILD}/ ./cmd/aa-log - @go build -o ${BUILD}/ ./cmd/prebuild - -enforce: build - @./${BUILD}/prebuild - -full: build - @./${BUILD}/prebuild --complain --full - -ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n") -PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n") -DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n") -install: - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in ${ROOT}; do \ - install -Dm0644 "${BUILD}/root/$${file}" "${DESTDIR}/$${file}"; \ - done; - @for file in ${PROFILES}; do \ - install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in ${DISABLES}; do \ - mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \ - cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in ${BUILD}/systemd/system/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \ - done; - @for file in ${BUILD}/systemd/user/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ - done - -local: - @make - @sudo make install - @sudo systemctl restart apparmor || sudo systemctl status apparmor - -ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n") -TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n") -$(P): - @[ -f ${BUILD}/aa-log ] || exit 
0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in ${ABSTRACTIONS}; do \ - install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ - done; - @for file in ${TUNABLES}; do \ - install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ - done; - @echo "Warning: profile dependencies fallback to unconfined." - @for file in ${@}; do \ - grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \ - sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ - install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @systemctl restart apparmor || systemctl status apparmor - -dist ?= archlinux -package: - @bash dists/docker.sh ${dist} - -pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm - -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb - -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm - -tests: - @go test ./cmd/... -v -cover -coverprofile=coverage.out - @go test ./pkg/... -v -cover -coverprofile=coverage.out - @go tool cover -func=coverage.out - -lint: - @golangci-lint run - @make --directory=tests lint - @shellcheck --shell=bash \ - PKGBUILD dists/build.sh dists/docker.sh \ - tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ - debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm - -clean: - @rm -rf \ - debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \ - ${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst coverage.out \ - ${PKGNAME}_*.* ${PKGNAME}-*.rpm ${BUILD} diff --git a/PKGBUILD b/PKGBUILD index 5bac14835..a68ba817d 100644 --- a/PKGBUILD +++ b/PKGBUILD 
@@ -3,19 +3,25 @@ # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use. -pkgname=apparmor.d -pkgver=0.001 +pkgbase=apparmor.d +pkgname=( + apparmor.d + # apparmor.d.enforced + # apparmor.d.fsp apparmor.d.fsp.enforced + # apparmor.d.server apparmor.d.server.enforced + # apparmor.d.server.fsp apparmor.d.server.fsp.enforced +) +pkgver=0.0001 pkgrel=1 pkgdesc="Full set of apparmor profiles" -arch=("x86_64") -url="https://github.com/roddhjav/$pkgname" -license=('GPL2') -depends=('apparmor') -makedepends=('go' 'git' 'rsync') -conflicts=("$pkgname-git") +arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') +url="https://github.com/roddhjav/apparmor.d" +license=('GPL-2.0-only') +depends=('apparmor>=4.1.0' 'apparmor<5.0.0') +makedepends=('go' 'git' 'rsync' 'just') pkgver() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" echo "0.$(git rev-list --count HEAD)" } 
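Review bot: `conflicts=("$pkgname-git")` is removed and nothing replaces it: the `_conflicts` helper in the next hunk only emits `$pkgbase` and the sibling split packages, so the AUR `apparmor.d-git` package named in the header comment can now be installed alongside this one. Adding `echo "${pkgbase}-git"` at the top of `_conflicts` restores the guard for every split package. `makedepends` still lists `rsync` while the CI jobs in this diff stop installing it; if `dists/build.sh` (not visible here) no longer needs it, drop it from the array too.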
@@ -24,16 +30,104 @@ prepare() { } build() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CFLAGS="${CFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" + export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" - make DISTRIBUTION=arch + export DISTRIBUTION=arch + local -A modes=( + # Mapping of modes to just build target. + [default]=complain + # [enforced]=enforce + # [fsp]=fsp-complain + # [fsp.enforced]=fsp + # [server]=server-complain + # [server.enforced]=server + # [server.fsp]=server-fsp-complain + # [server.fsp.enforced]=server-fsp + ) + for mode in "${!modes[@]}"; do + just build=".build/$mode" "${modes[$mode]}" + done } -package() { - cd "$srcdir/$pkgname" - make install DESTDIR="$pkgdir" +_conflicts() { + local mode="$1" + local pattern=".$mode" + if [[ "$mode" == "default" ]]; then + pattern="" + else + echo "$pkgbase" + fi + for pkg in "${pkgname[@]}"; do + if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then + continue + fi + echo "$pkg" + done +} + +_install() { + local mode="${1:?}" + cd "$srcdir/$pkgbase" + just build=".build/$mode" destdir="$pkgdir" install +} + +package_apparmor.d() { + mode=default + pkgdesc="$pkgdesc (complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.enforced() { + mode=enforced + pkgdesc="$pkgdesc (enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp() { + mode="fsp" + pkgdesc="$pkgdesc (FSP mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp.enforced() { + mode="fsp.enforced" + pkgdesc="$pkgdesc (FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server() { + mode="server" + pkgdesc="$pkgdesc (server complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + 
+package_apparmor.d.server.enforced() { + mode="server.enforced" + pkgdesc="$pkgdesc (server enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp() { + mode="server.fsp" + pkgdesc="$pkgdesc (server FSP complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp.enforced() { + mode="server.fsp.enforced" + pkgdesc="$pkgdesc (server FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode } diff --git a/README.md b/README.md index ae9899b70..c1c7726c5 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # apparmor.d -[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] +[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link] **Full set of AppArmor profiles** @@ -27,16 +27,19 @@ - Target both desktops and servers - Support all distributions that support AppArmor: - * Arch Linux - * Ubuntu 22.04 - * Debian 12 - * OpenSUSE Tumbleweed + * [Arch Linux](https://apparmor.pujol.io/install#archlinux) + * [Ubuntu 24.04/22.04](https://apparmor.pujol.io/install#ubuntu) + * [Debian 12](https://apparmor.pujol.io/install#debian) + * [OpenSUSE Tumbleweed](https://apparmor.pujol.io/install#opensuse) - Support for all major desktop environments: - * Gnome - * KDE - * XFCE *(work in progress)* -- Fully tested (Work in progress) + * Gnome (GDM) + * KDE (SDDM) + * XFCE (Lightdm) *(work in progress)* +- [Fully tested](https://apparmor.pujol.io/development/tests/) +**Demo** + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. 
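Review bot: `_conflicts` emits `$pkgbase` twice for every non-default mode: the `else` branch prints it, then the loop over `pkgname` prints it again because `apparmor.d` never equals `${pkgbase}.${mode}`. Dropping the `else` branch (`if [[ "$mode" == "default" ]]; then pattern=""; fi`) yields the same set without the duplicate. The `package_*` functions assign `mode` as a global shell variable (`mode=default`); `local mode=default` keeps it from leaking between split-package functions, and `_conflicts "$mode"` / `_install "$mode"` match the quoting the helpers themselves use.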
@@ -59,6 +62,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ## Installation Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) @@ -93,6 +100,8 @@ and thus has the same license (GPL2). [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d [matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix [matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org +[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square +[play-link]: https://play.pujol.io [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 0998bbb44..a92058206 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict 
@@ -2,28 +2,32 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), - unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", - unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), + unix type=stream addr=@/tmp/.ICE-unix/@{int}, + unix type=stream addr=@/tmp/.X11-unix/X@{int}, /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions + /usr/share/xkeyboard-config-2/{,**} r, /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/* rw, + /tmp/.ICE-unix/@{int} rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/* rw, + /tmp/.X11-unix/X@{int} rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/ICEauthority r, owner @{run}/user/@{uid}/X11/Xauthority r, owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility new file mode 100644 index 000000000..894ee467e --- /dev/null +++ b/apparmor.d/abstractions/accessibility 
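Review bot: `owner @{HOME}/.ICEauthority` goes from `rw` to `r`, so any profile that includes X-strict and whose program creates or updates that file (ICE servers rather than clients) is now denied, and the line's comment (`required for X authentication`) gives no hint of that. If the write is deliberately left to the few profiles that need it, say so in the comment, e.g. `# clients only read it; profiles that write it must add w themselves`. The narrowing of `/tmp/.ICE-unix/*` and `/tmp/.X11-unix/*` to `@{int}` / `X@{int}` is a genuine tightening and reads fine.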
@@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) + + abi , + + include + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu new file mode 100644 index 000000000..181d86864 --- /dev/null +++ b/apparmor.d/abstractions/amdgpu @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Kernel Fusion Driver for AMD GPUs + + abi , + + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + + @{sys}/devices/virtual/kfd/kfd/dev r, + @{sys}/devices/virtual/kfd/kfd/topology/ r, + @{sys}/devices/virtual/kfd/kfd/topology/generation_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/system_properties r, + @{sys}/devices/virtual/kfd/kfd/uevent r, + @{sys}/module/amdgpu/initstate r, + + /dev/kfd rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ansible b/apparmor.d/abstractions/ansible new file mode 100644 index 000000000..579783096 --- /dev/null +++ b/apparmor.d/abstractions/ansible 
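Review bot: In the new amdgpu abstraction `@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,` and `@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,` each appear twice, once as the leading pair and again inside the sorted block below. Duplicates are accepted by the parser but make the file look unfinished and may be flagged by a duplicate-rule check; dropping the first two lines and keeping the sorted block is enough. The accessibility hunk sharing this line raises nothing.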
@@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index c31d328fb..7f7e2a673 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -3,13 +3,13 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* PUx, - /usr/local/{s,}bin/* PUx, + abi , - @{bin}/ r, - / r, - /usr/ r, - /usr/local/{s,}bin/ r, + include + + @{bin}/** PUx, + @{sbin}/** PUx, + /usr/local/{s,}bin/** PUx, include if exists diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 5e7c50824..3f35d5882 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -3,10 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* PUx, + abi , + + include + + @{bin}/** PUx, /opt/*/** PUx, - /usr/share/*/* PUx, - /usr/local/bin/* PUx, + /usr/share/** PUx, + /usr/local/bin/** PUx, @{brave_path} Px, @{chrome_path} Px, @@ -16,10 +20,7 @@ @{thunderbird_path} Px, @{offices_path} PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, + @{user_bin_dirs}/** PUx, include if exists diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 513924de6..e0c8d3d59 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open 
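Review bot: Widening `@{bin}/* PUx,` to `@{bin}/** PUx,` in app-launcher-root (and `/usr/share/*/* PUx,` to `/usr/share/** PUx,` in the app-launcher-user hunk on this same line) means any executable at any depth under those trees is launched with an unconfined fallback whenever no profile matches, so a binary placed in a nested directory runs unconfined from the launcher. If the extra depth was needed for specific helper binaries, a comment naming that case would let a reader judge the trade-off, and the narrower `/usr/share/*/* PUx,` form could be kept for the common path. The same `**` + PUx pattern is used for `@{sbin}/**` and `@{user_bin_dirs}/**`, so the decision should be made once for all of them.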
@@ -8,47 +8,58 @@ # Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail # should be present here. Until this day, this profile will be a controlled mess. + abi , + # Sandbox managers - @{bin}/bwrap rPUx, - @{bin}/firejail rPUx, - @{bin}/flatpak rPUx, - @{bin}/snap rPUx, + @{bin}/bwrap PUx, + @{bin}/firejail PUx, + @{bin}/flatpak Px, + @{bin}/snap Px, # Labeled programs - @{archive_viewers_path} rPUx, - @{browsers_path} rPx, - @{document_viewers_path} rPUx, - @{emails_path} rPUx, - @{file_explorers_path} rPx, - @{image_viewers_path} rPUx, - @{offices_path} rPUx, - @{text_editors_path} rPUx, + @{archive_viewers_path} PUx, + @{backup_path} PUx, + @{browsers_path} Px, + @{document_viewers_path} PUx, + @{emails_path} PUx, + @{file_explorers_path} Px, + @{help_path} Px, + @{image_viewers_path} PUx, + @{offices_path} PUx, + @{terminal_path} Px, + @{text_editors_path} PUx, # Others - @{bin}/blueman-tray rPx, - @{bin}/discord{,-ptb} rPx, - @{bin}/draw.io rPUx, - @{bin}/dropbox rPx, - @{bin}/element-desktop rPx, - @{bin}/extension-manager rPx, - @{bin}/filezilla rPx, - @{bin}/flameshot rPx, - @{bin}/gimp* rPUx, - @{bin}/gnome-calculator rPUx, - @{bin}/gnome-disk-image-mounter rPx, - @{bin}/gnome-disks rPx, - @{bin}/gwenview rPUx, - @{bin}/kgx rPx, - @{bin}/qbittorrent rPx, - @{bin}/qpdfview rPx, - @{bin}/smplayer rPx, - @{bin}/steam-runtime rPUx, - @{bin}/telegram-desktop rPx, - @{bin}/transmission-gtk rPx, - @{bin}/viewnior rPUx, - @{bin}/vlc rPUx, - @{bin}/xbrlapi rPx, + @{bin}/amule Px, + @{bin}/blueman-tray Px, + @{bin}/discord{,-ptb} Px, + @{bin}/draw.io PUx, + @{bin}/dropbox Px, + @{bin}/ebook-edit PUx, + @{bin}/element-desktop Px, + @{bin}/extension-manager Px, + @{bin}/filezilla Px, + @{bin}/flameshot Px, + @{bin}/gimp{,-3.0} Px, + @{bin}/gnome-calculator Px, + @{bin}/gnome-disk-image-mounter Px, + @{bin}/gnome-disks Px, + @{bin}/gnome-session-quit Px, + @{bin}/gnome-software Px, + @{bin}/gwenview PUx, + @{bin}/keepassxc Px, + 
@{bin}/qbittorrent Px, + @{bin}/qpdfview Px, + @{bin}/smplayer Px, + @{bin}/steam-runtime PUx, + @{bin}/telegram-desktop Px, + @{bin}/transmission-gtk Px, + @{bin}/viewnior PUx, + @{bin}/vlc Px, + @{bin}/xbrlapi Px, + #aa:only opensuse + @{lib}/YaST2/** PUx, include if exists diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus new file mode 100644 index 000000000..8c7e6e98b --- /dev/null +++ b/apparmor.d/abstractions/app/bus @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for dbus-send/dbus-launch. + + abi , + + include + include + + @{bin}/dbus-launch mix, + @{bin}/dbus-send mrix, + + @{bin}/dbus-daemon Px -> dbus-session, + + owner @{HOME}/.dbus/session-bus/@{hex}-@{int} w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index d7ffd9fa7..dcb29fecb 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -1,6 +1,12 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the 
@@ -16,38 +22,35 @@ # or abstractions/common/electron instead. # + abi , + include + include include include - include - include include - include - include - include - include - include - include + include + include + include + include + include include include - include + include + include include - include + include include + include + include + include + include include include include + include include include - include - - # userns, - - capability setgid, - capability setuid, - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, network inet dgram, network inet6 dgram, @@ -73,7 +76,7 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/xdg-desktop-menu rPx, @{bin}/xdg-email rPx, @{bin}/xdg-icon-resource rPx, @@ -81,16 +84,11 @@ @{bin}/xdg-open rPx -> child-open, @{bin}/xdg-settings rPx, - # Installing/removing extensions & applications - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/touch rix, + # Installing/removing extensions, applications, and stacked xdg menus + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{coreutils_path} ix, # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 
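Review bot: The `@@ -81,16 +84,11 @@` hunk replaces nine named tools with `@{sh_path} rix,` and `@{coreutils_path} ix,`, which lets a shell and every coreutil run inline under the browser's own confinement instead of just `basename`, `cat`, `cut` and the others, a noticeably larger inline-executable surface for a profile that handles untrusted web content. The xdg-* helpers it serves already transition via `rPx`, so a comment naming the script that genuinely needs an inline shell, or keeping the explicit `@{bin}/basename rix,`-style list, would make the widening reviewable. The `@@ -16,38 +22,35 @@` hunk drops the setuid/setgid/sys_admin/sys_chroot/sys_ptrace capabilities; if they moved into an include (the include targets are not legible in this rendering) that is a welcome tightening.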
@@ -110,24 +108,14 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/{,opensc/}opensc.conf r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, / r, owner @{HOME}/ r, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - - owner @{user_config_dirs}/gtk-3.0/servers r, - owner @{user_share_dirs}/.@{domain}.* rw, owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, - owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/gtk-3.0/servers r, + + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -135,6 +123,10 @@ owner @{cache_dirs}/{,**} rw, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/menus/applications-merged/*.menu rw, + # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, # owner @{HOME}/.mozilla/firefox/*/ r, @@ -147,10 +139,8 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.* rw, - owner @{tmp}/.@{domain}*/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/scoped_dir@{rand6}/{,**} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/** rwk, @@ -158,9 +148,6 @@ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, - /dev/shm/ r, - owner /dev/shm/.@{domain}* rw, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, 
@@ -168,39 +155,31 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/**/report_descriptor r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/smaps_rollup r, + owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/uid_map w, - owner @{PROC}/@{pids}/clear_refs w, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index f0972f3e7..b33dbc7f4 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor 
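Review bot: The new `@{PROC}/@{pid}/stat r,`, `@{PROC}/@{pid}/statm r,` and `@{PROC}/@{pid}/task/@{tid}/status r,` lines have no `owner` qualifier while the neighbouring `owner @{PROC}/@{pid}/cmdline r,`, `owner @{PROC}/@{pid}/environ r,` and `owner @{PROC}/@{pid}/task/@{tid}/stat r,` do; `@{pid}` matches any pid and it is `owner` that limits a rule to the profile's own processes, so the unqualified three still expose every process's stat/statm/status. Adding `owner` to them, or a short comment saying why other processes must be readable, would make the block consistent. Narrowing `@{pids}` to `@{pid}` and removing `/dev/hidraw@{int} rw,` are good tightenings.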
@@ -1,29 +1,43 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , include + include - @{bin}/sensible-editor mr, - @{bin}/vim{,.*} mrix, - @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/nvim mrix, + @{bin}/sensible-editor mr, + @{bin}/vim* mrix, + @{bin}/which{,.debianutils} rix, - /usr/share/vim/{,**} r, + /usr/share/doc/{,**} r, + /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, + /usr/share/vim/{,**} r, - /etc/vimrc r, /etc/vim/{,**} r, + /etc/vimrc r, + /etc/xdg/nvim/* r, owner @{HOME}/.selected_editor r, + owner @{HOME}/.vim/{after/,}spell/{,**} rw, + owner @{HOME}/.vim/** r, owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, - # Vim swap file owner @{HOME}/ r, owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/vim/{,**} rw, owner @{user_config_dirs}/vim/{,**} r, + owner @{user_state_dirs}/nvim/{,**} rw, + owner @{user_config_dirs}/nvim/{,**} rw, + + owner @{run}/user/@{uid}/nvim.* rw, include if exists diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index bf86f419c..0648e68d1 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -1,6 +1,11 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the 
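Review bot: `owner @{user_config_dirs}/nvim/{,**} rw,` grants write on the whole nvim configuration tree while the vim equivalent `owner @{user_config_dirs}/vim/{,**} r,` stays read-only and the hunk already adds `owner @{user_state_dirs}/nvim/{,**} rw,` for mutable state; an editor able to rewrite its own startup files is a larger footprint than editing needs, so `r` looks like the consistent choice unless a plugin manager writing under the config dir was the trigger, which a comment could record. `@{bin}/vim* mrix,` also widens `vim{,.*}` to any name beginning with vim; if the aim was names such as `vimdiff`, `@{bin}/vim{,.*,diff} mrix,` documents that without matching unrelated binaries.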
@@ -12,25 +17,31 @@ # @{cache_dirs} = @{user_cache_dirs}/mozilla/ # + abi , + include include include - include include + include + include + include + include include include include + include include include - include + include include include + include include include - include - include + include - # userns, + userns, capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 @@ -46,6 +57,8 @@ signal (send) set=(term, kill) peer=@{profile_name}-*, + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, @@ -54,14 +67,12 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, @{lib_dirs}/crashreporter rPx, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, @{lib_dirs}/plugin-container rPx, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, @@ -71,9 +82,9 @@ /etc/@{name}/{,**} r, /etc/fstab r, + /etc/lsb-release r, /etc/mailcap r, /etc/mime.types r, - /etc/{,opensc/}opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, 
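Review bot: Removing `@{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest,` and `@{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest,` in the `@@ -54,14 +67,12 @@` hunk leaves no visible exec rule for those helpers; the surviving `@{lib_dirs}/{,**} r,` and `@{lib_dirs}/*.so mr,` grant no `x`, so if the browser still spawns them the exec is now denied unless a rule outside the hunk covers it. If the transitions were folded into another abstraction (the include targets are not legible in this rendering) a comment such as `# glxtest/vaapitest: handled by <abstraction name>` next to the remaining helper rules would save the next reader the search. Switching `# userns,` to `userns,` is consistent with the `capability sys_admin` / `sys_chroot` lines kept beneath it.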
@@ -88,18 +99,28 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwk, - /tmp/ r, + /tmp/ rw, /var/tmp/ r, owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/* rwk, + owner @{tmp}/@{rand6}.tmp rw, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, + owner @{tmp}/mozilla* rw, + owner @{tmp}/mozilla*/ rw, + owner @{tmp}/mozilla*/* rwk, + owner @{tmp}/remote-settings-startup-bundle- rw, + owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, - owner @{tmp}/tmp-???.xpi rw, - owner @{tmp}/tmpaddon r, + owner @{tmp}/tmp-*.xpi rw, + owner @{tmp}/tmpaddon rw, owner @{tmp}/tmpaddon-@{int} r, + owner /dev/shm/org.chromium.@{rand6} rw, + owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, + owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + @{run}/mount/utab r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @@ -116,8 +137,10 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, @{PROC}/@{pid}/net/arp r, 
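Review bot: `/tmp/ r,` becomes `/tmp/ rw,` on the directory entry itself, without `owner`, yet every temp file the hunk adds under `@{tmp}/` already carries its own `owner ... rw` rule, so the operation that needed write on the directory is not visible here; a comment stating that operation would justify an unusual grant. `owner @{tmp}/remote-settings-startup-bundle- rw,` and its `.tmp` sibling end in a bare `-`, which looks like a random-suffix pattern was lost when the rule was copied from a log — worth confirming against the original denial. Narrowing `/dev/shm/org.chromium.*` to `org.chromium.@{rand6}` is a good change.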
@@ -141,18 +164,13 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, - owner /dev/shm/org.chromium.* rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, - owner /dev/shm/wayland.mozilla.ipc.@{int} rw, owner /dev/tty@{int} rw, # File Inherit # Silencer deny dbus send bus=system path=/org/freedesktop/hostname1, deny /tmp/MozillaUpdateLock-* w, - deny owner @{HOME}/ r, deny owner @{HOME}/.* r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/abstractions/app/fusermount b/apparmor.d/abstractions/app/fusermount new file mode 100644 index 000000000..a394e2528 --- /dev/null +++ b/apparmor.d/abstractions/app/fusermount @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should +# be defined in the calling profile. + + abi , + + include + include + + capability dac_override, + capability dac_read_search, + capability sys_admin, # To mount anything + + @{bin}/fusermount{,3} mr, + + @{bin}/mount rix, + @{bin}/umount rix, + + @{etc_ro}/fuse{,3}.conf r, + + @{run}/mount/utab r, + @{run}/mount/utab.* rwk, + + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index ae6b1cd78..b6beeb7f6 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -1,10 +1,13 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , include - @{bin}/kmod mr, + @{bin}/kmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, 
diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index f93a1c444..8dffc39b9 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -1,17 +1,46 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no -# Full set of rules for child-open-* profiles. +# Full set of rules for desktop generic open-* used in child-open-* profiles. + abi , + + include + include include - @{open_path} mrix, + # We cannot use `@{open_path} mrix,` here because it includes: + # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop + # And `@{multiarch}` has a wildcard that cannot be merged and that will generate + # "has merged rule with conflicting x modifiers" error when used with other + # wilcard over PUx transition. + @{bin}/exo-open mrix, + @{bin}/xdg-open mrix, + @{bin}/gio mrix, + @{bin}/kde-open mrix, + @{bin}/gio-launch-desktop mrix, + @{lib}/gio-launch-desktop mrix, + @{bin}/env rix, @{sh_path} r, /dev/tty rw, + # if @{DE} == kde + + include + include + include + + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + @{PROC}/sys/kernel/random/boot_id r, + + # fi + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager new file mode 100644 index 000000000..30acc5612 --- /dev/null +++ b/apparmor.d/abstractions/app/pager 
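Review bot: The new exec rules `@{bin}/exo-open`, `@{bin}/xdg-open`, `@{bin}/gio`, `@{bin}/kde-open`, `@{bin}/gio-launch-desktop` are not in the alphabetical order the rest of this commit applies (compare the editor hunk), and the explanatory comment above them misspells `wilcard` for `wildcard`. Sorting them (`exo-open, gio, gio-launch-desktop, kde-open, xdg-open`) and fixing the typo would match the project's style. The `# if @{DE} == kde` … `# fi` markers read like a conditional; if the build does not act on them, a plain `# KDE only, always loaded` avoids a reader assuming the KDE rules are gated.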
@@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for pagers. + + abi , + + include + + capability dac_override, + capability dac_read_search, + + signal receive set=(stop, cont, term, kill), + + @{bin}/ r, + @{pager_path} mrix, + + @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, + /usr/share/nvim/{,**} r, + + @{etc_ro}/lesskey.bin r, + + @{HOME}/.lesshst r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, + + /dev/tty@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 4bab75387..f563712ca 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -1,8 +1,11 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no -# Minimal set of rules for pgrep. +# Minimal set of rules for pgrep/pkill. + + abi , include @@ -16,10 +19,13 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec new file mode 100644 index 000000000..87b3ea842 --- /dev/null +++ b/apparmor.d/abstractions/app/pkexec 
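Review bot: The new pager abstraction grants `capability dac_override,` and `capability dac_read_search,` without a comment, which lets a pager running as root read any file regardless of mode bits — a large grant for what the header calls a minimal set of rules. If a specific case needs it, a one-line comment naming that case would justify the lines; otherwise they should be dropped and left to the including profile. `@{HOME}/.lesshst r,` is also mostly covered by `owner @{HOME}/.lesshs* rw,` below it, so the non-owner variant only matters when the history file belongs to another user, which deserves a note if intended.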
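Review bot: `@{PROC}/@{pids}/environ r,` added in the `@@ -16,10 +19,13 @@` pgrep hunk reads the environment of every process (no `owner`), and environments routinely carry tokens and credentials; since this abstraction is presumably included by every profile that runs pgrep/pkill, the exposure spreads to all of them. If the read is needed only for a particular pgrep option, say so in a comment and check whether `owner @{PROC}/@{pids}/environ r,` suffices. The other added reads (`@{PROC}/@{pid}/status`, `@{PROC}/tty/drivers`) are low risk.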
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for pkexec. + + abi , + + include + include + include + include + include + + capability audit_write, + capability dac_override, + capability dac_read_search, + capability net_admin, + capability setgid, + capability setuid, + capability sys_ptrace, + capability sys_resource, + + network netlink raw, # PAM + + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd + + @{bin}/pkexec mr, + + /etc/shells r, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/loginuid r, + + owner /dev/tty@{int} rw, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 6fba1adfd..1c47490cd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -1,14 +1,18 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. Interactive sudo need more rules. +# Minimal set of rules for sudo. + + abi , include include include include include + include capability audit_write, capability dac_override, @@ -20,10 +24,10 @@ network netlink raw, # PAM - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.logi1.Manager - member=CreateSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + unix type=stream addr=@@{udbus}/bus/sudo/system, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager 
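Review bot: Of the eight capabilities in the new pkexec abstraction only `network netlink raw, # PAM` carries a rationale; `capability net_admin,`, `capability sys_ptrace,` and `capability sys_resource,` in particular are not obviously tied to pkexec and would each benefit from a one-line comment, or from being dropped if they were harvested from a log that mixed in unrelated activity. `sys_ptrace` next to `@{PROC}/@{pid}/stat r,` looks like it may serve the parent-process lookup; if so, `capability sys_ptrace, # read parent process state` records it. The sudo hunks on this line raise nothing new.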
@@ -32,8 +36,6 @@ @{bin}/sudo mr, @{lib}/sudo/** mr, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*} r, @{etc_ro}/sudo.conf r, @{etc_ro}/sudoers r, @{etc_ro}/sudoers.d/{,*} r, @@ -41,12 +43,17 @@ / r, /etc/machine-id r, - owner /var/lib/sudo/ts/ rw, + /var/db/sudo/lectured/ r, + owner /var/lib/sudo/ts/ rw, owner /var/lib/sudo/ts/@{uid} rwk, owner /var/log/sudo.log wk, owner @{HOME}/.sudo_as_admin_successful rw, + # yubikey support + @{HOME}/.yubico/ r, + owner @{HOME}/.yubico/challenge-* rw, + @{run}/faillock/ rw, @{run}/faillock/@{user} rwk, owner @{run}/sudo/ rw, @@ -56,8 +63,6 @@ @{PROC}/@{pid}/limits r, @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/stat r, - @{PROC}/sys/kernel/cap_last_cap r, - @{PROC}/sys/kernel/ngroups_max r, @{PROC}/sys/kernel/seccomp/actions_avail r, /dev/ r, diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 62b4aafdf..b707add4d 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -1,16 +1,22 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , include include - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/system, @{bin}/systemctl mr, + @{att}/@{run}/systemd/private rw, + owner @{run}/systemd/private rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index 72fb4c61b..d659143d6 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -1,6 +1,9 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , ptrace read peer=@{p_systemd}, 
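Review bot: In the systemctl hunk `@{att}/@{run}/systemd/private rw,` has no `owner` qualifier while the sibling `owner @{run}/systemd/private rw,` added in the same hunk does; the attached form is the same socket seen from a disconnected path, so both rules should carry the same qualifier, either `owner @{att}/@{run}/systemd/private rw,` or a comment saying why the attached form must be wider. In the sudo `@@ -41,12 +43,17 @@` hunk `@{HOME}/.yubico/ r,` is likewise unqualified while `owner @{HOME}/.yubico/challenge-* rw,` beneath it is not.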
@@ -8,7 +11,8 @@ /etc/udev/udev.conf r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/apt similarity index 71% rename from apparmor.d/abstractions/common/apt rename to apparmor.d/abstractions/apt index 77c5a0b7e..25106ad6e 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/apt @@ -3,8 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/dpkg/cputable r, + /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, @@ -16,6 +20,9 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*} r, + /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, @@ -23,11 +30,14 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, + /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - include if exists + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base new file mode 100644 index 000000000..8741942ff --- /dev/null +++ b/apparmor.d/abstractions/attached/base 
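Review bot: `@{run}/udev/data/+*:* r,` and `@{run}/udev/data/c@{int}:@{int} r,` narrow the old `@{run}/udev/data/* r,` to subsystem and character-device entries, so block-device entries such as `b@{int}:@{int}` are no longer matched; if any including profile uses udevadm to query disks, those lookups will now be denied. Either add `@{run}/udev/data/b@{int}:@{int} r, # Identifies all block devices` or note in a comment that block-device queries are deliberately left to the caller. The apt hunks on this line are straightforward.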
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, It automatically replaces the base abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. + + abi , + + include + + @{att}/@{run}/systemd/journal/dev-log w, + @{att}/@{run}/systemd/journal/socket w, + @{att}/@{run}/systemd/journal/stdout rw, + + @{att}/dev/null rw, + + /apparmor/.null rw, + @{att}/apparmor/.null rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles new file mode 100644 index 000000000..f306c2273 --- /dev/null +++ b/apparmor.d/abstractions/attached/consoles @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, It automatically replaces the consoles abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. + + abi , + + # There are the common ways to refer to consoles + /dev/console rw, + /dev/tty rw, + /dev/tty@{u8} rw, + @{att}/dev/tty rw, + @{att}/dev/tty@{u8} rw, + + # These entries are a bit unfortunate; /dev/tty will always be + # associated with the controlling terminal by the kernel, but if a + # program uses the /dev/pts/ interface, it actually has access to + # -all- xterm, sshd, etc, terminals on the system. + /dev/pts/ r, + owner /dev/pts/@{u16} rw, + @{att}/pts/ r, + owner @{att}/dev/pts/@{u16} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index ca4a8e16c..1ebdf4c76 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client 
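Review bot: In the new attached/consoles abstraction `@{att}/pts/ r,` is missing the `/dev/` component every other rule in the file has (`@{att}/dev/tty`, `@{att}/dev/pts/@{u16}`), so it almost certainly should read `@{att}/dev/pts/ r,` to mirror `/dev/pts/ r,` two lines above; as written it matches nothing useful. The header comment in both new files reads `Do not use it manually, It automatically replaces …` — a period before `It` or a lowercase `it`.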
@@ -5,10 +5,13 @@ # Most programs do not need access to audio devices, audio-client only includes # configuration files to be used by client applications. - /usr/share/alsa/** r, + abi , + + /usr/share/alsa/{,**} r, /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, /usr/share/pipewire/client.conf r, + /usr/share/pipewire/jack.conf r, /usr/share/sounds/{,**} r, /etc/alsa/conf.d/{,**} r, @@ -17,7 +20,8 @@ /etc/libao.conf r, /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, - /etc/pipewire/client.conf.d/{,**} r, + /etc/pipewire/client{,-rt}.conf.d/{,**} r, + /etc/pipewire/jack.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, @@ -45,6 +49,7 @@ owner @{user_config_dirs}/pipewire/client.conf r, owner @{user_share_dirs}/openal/hrtf/{,**} r, + owner @{user_share_dirs}/sounds/ r, owner @{user_share_dirs}/sounds/__custom/index.theme r, owner @{run}/user/@{uid}/pipewire-@{int} rw, @@ -52,11 +57,19 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/+sound:card@{int} r, # For sound card + + @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, + /dev/snd/controlC@{int} r, + /dev/snd/pcmC@{int}D@{int}[cp] r, + /dev/snd/timer r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 619ba1111..a7f89b91b 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server 
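Review bot: The `@@ -52,11 +57,19 @@` hunk adds device rules (`/dev/snd/controlC@{int} r,`, `/dev/snd/pcmC@{int}D@{int}[cp] r,`, `/dev/snd/timer r,`) plus the udev and sysfs sound-card reads to audio-client, whose header in the first hunk still says it "only includes configuration files" and that most programs do not need access to audio devices; the audio-server hunk that follows removes the same udev/sysfs reads from the server side, so the split no longer matches the comment. Either update the header to say read-only device enumeration is included, or keep the `/dev/snd/*` lines in audio-server. The pipewire and jack config paths added earlier in the hunk are fine.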
@@ -3,19 +3,12 @@ # SPDX-License-Identifier: GPL-2.0-only # Provide access to audio devices. It should only be used by audio servers that -# need direct access to them. +# need direct access to them. + + abi , include - /usr/share/alsa/{,**} r, - - /etc/alsa/conf.d/{,**} r, - - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{PROC}/asound/** rw, /dev/admmidi* rw, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 63819cc1b..a4ed65e8c 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -3,13 +3,14 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/pam-tmpdir-helper rPx, + @{lib}/pam-tmpdir/pam-tmpdir-helper rPx, - #aa:exclude ubuntu opensuse - @{bin}/unix_chkpwd rPx, + #aa:only abi3 + @{sbin}/unix_chkpwd rPx, #aa:only whonix - @{lib}/security-misc/pam_faillock_not_if_x rPx, - @{lib}/security-misc/pam-abort-on-locked-password rPx, - @{lib}/security-misc/pam-info rPx, + @{lib}/security-misc/pam-abort-on-locked-password rPx, + @{lib}/security-misc/pam-info rPx, + @{lib}/security-misc/pam_faillock_not_if_x rPx, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe new file mode 100644 index 000000000..aac14fa7d --- /dev/null +++ b/apparmor.d/abstractions/avahi-observe @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows domain, record, service, and service type browsing as well as address, +# host and service resolving + + abi , + + include + + include + include + include + include + include + include + include + + @{run}/avahi-daemon/socket rw, + + include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict
new file mode 100644
index 000000000..22ca5ec5e
--- /dev/null
+++ b/apparmor.d/abstractions/base-strict
@@ -0,0 +1,132 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+ # Do not use it manually, It automatically replaces the base abstraction in
+ # profiles when the re-attached mode is enabled.
+
+ # For now, it is only a restructuring of the base abstraction with awareness
+ # of the apparmor.d architecture.
+
+ abi ,
+
+ include
+ include
+ include
+ include
+
+ # Allow us to signal ourselves
+ signal peer=@{profile_name},
+
+ # Checking for PID existence is quite common so add it by default for now
+ signal (receive, send) set=exists,
+
+ #aa:exclude RBAC
+ # Allow unconfined processes to send us signals by default
+ signal receive peer=unconfined,
+
+ # Systemd: allow to receive any signal from the systemd profiles stack
+ signal receive peer=@{p_systemd},
+ signal receive peer=@{p_systemd_user},
+
+ # Htop like programs can send any signal to any process
+ signal receive peer=btop,
+ signal receive peer=htop,
+ signal receive peer=top,
+ signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor,
+
+ # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd
+ signal receive peer=su,
+ signal receive peer=sudo,
+ signal receive set=(cont,term,kill,stop) peer=gnome-shell,
+ signal receive set=(cont,term,kill,stop) peer=login,
+ signal receive set=(cont,term,kill,stop) peer=openbox,
+ signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
+ signal receive set=(cont,term,kill,stop) peer=xinit,
+
+ # Allow other processes to read our /proc entries, futexes, perf tracing and
+ # kcmp for now (they will need 'read' in the first place). Administrators can
+ # override with:
+ # deny ptrace readby ...
+ ptrace readby,
+
+ # Allow other processes to trace us by default (they will need 'trace' in
+ # the first place). 
Administrators can override with:
+ # deny ptrace tracedby ...
+ ptrace tracedby,
+
+ # Allow us to ptrace read ourselves
+ ptrace read peer=@{profile_name},
+
+ # Allow us to create and use abstract and anonymous sockets
+ unix peer=(label=@{profile_name}),
+
+ # Allow unconfined processes to us via unix sockets
+ unix receive peer=(label=unconfined),
+
+ # Allow communication to children and stacked profiles
+ signal peer=@{profile_name}//*,
+ signal peer=@{profile_name}//&*,
+ unix type=stream peer=(label=@{profile_name}//*),
+
+ # Allow us to create abstract and anonymous sockets
+ unix create,
+
+ # Allow us to getattr, getopt, setop and shutdown on unix sockets
+ unix (getattr, getopt, setopt, shutdown),
+
+ # Allow all programs to use common libraries
+ @{lib}/** r,
+ @{lib}/**.so* m,
+ @{lib}/@{multiarch}/**.so* m,
+ @{lib}/@{multiarch}/** r,
+
+ # Some applications will display license information
+ /usr/share/common-licenses/** r,
+
+ # Allow access to the uuidd daemon (this daemon is a thin wrapper around
+ # time and getrandom()/{,u}random and, when available, runs under an
+ # unprivilged, dedicated user).
+ @{run}/uuidd/request r,
+
+ # Transparent hugepage support
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ # Systemd's equivalent of /dev/log
+ @{run}/systemd/journal/dev-log w,
+
+ # Systemd native journal API (see sd_journal_print(4))
+ @{run}/systemd/journal/socket w,
+
+ # Nested containers and anything using systemd-cat need this. 'r' shouldn't
+ # be required but applications fail without it. journald doesn't leak
+ # anything when reading so this is ok. 
+ @{run}/systemd/journal/stdout rw,
+
+ # Allow determining the highest valid capability of the running kernel
+ @{PROC}/sys/kernel/cap_last_cap r,
+
+ # Controls how core dump files are named
+ @{PROC}/sys/kernel/core_pattern r,
+
+ # Sometimes used to determine kernel/user interfaces to use
+ @{PROC}/sys/kernel/version r,
+
+ # Harmless and frequently used
+ /dev/null rw,
+ /dev/random r,
+ /dev/urandom r,
+ /dev/zero rw,
+
+ # The __canary_death_handler function writes a time-stamped log
+ # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
+ # and localisations of date should be available EVERYWHERE, so
+ # StackGuard, FormatGuard, etc., alerts can be properly logged.
+ /dev/log w,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index e9761b843..d89688b70 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
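Review bot: The comment `# Allow unconfined processes to us via unix sockets` above `unix receive peer=(label=unconfined),` is missing its verb; make it `# Allow unconfined processes to talk to us via unix sockets`, and `unprivilged` in the uuidd comment should be `unprivileged`. More substantively, for an abstraction named base-strict a reader will expect the broad inherited rules — bare `ptrace readby,`, bare `ptrace tracedby,` and the unconfined unix receive — to have been narrowed, and the header only says the file is a restructuring; I would state the intent next to those rules, e.g. `# Kept as in the base abstraction for now; not yet tightened for the re-attached mode`, so a later tightening has an obvious place to start. This hunk spans the whole new file, so the note applies to the file as a whole.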
@@ -3,23 +3,25 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + # Allow to receive some signals from new well-known profiles - signal (receive) peer=btop, - signal (receive) peer=htop, - signal (receive) peer=sudo, - signal (receive) peer=top, - signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(cont,term) peer=@{p_systemd_user}, - signal (receive) set=(cont,term) peer=@{p_systemd}, - signal (receive) set=(hup) peer=xinit, - signal (receive) set=(term,kill) peer=gnome-shell, - signal (receive) set=(term,kill) peer=gnome-system-monitor, - signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(term,kill) peer=su, + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=pkill, + signal receive peer=sudo, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(hup term) peer=login, + signal receive set=(hup) peer=xinit, + signal receive set=(term,kill) peer=gnome-shell, + signal receive set=(term,kill) peer=gnome-system-monitor, + signal receive set=(term,kill) peer=openbox, + signal receive set=(term,kill) peer=su, - ptrace (readby) peer=systemd-coredump, - - /usr/share/locale/ r, + ptrace readby peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, @@ -28,6 +30,6 @@ @{PROC}/sys/kernel/core_pattern r, - deny /apparmor/.null rw, + /apparmor/.null rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index eb4f65230..cd4a7c8a7 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict 
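Review bot: In the second hunk `deny /apparmor/.null rw,` becomes a plain allow with no comment, which flips the line from "silence the audit noise" to "grant access" and leaves the next reader unable to tell whether the grant is required or cosmetic. Add a why-comment on it, e.g. `# AppArmor null file the kernel substitutes for fds the profile cannot keep; must be allowed, not denied` (my reading of the kernel behaviour — confirm before wording it as fact). In the first hunk `set=(hup term)` uses a space separator while every neighbouring rule uses commas (`set=(term,kill)`); I believe the parser accepts both, but please keep one form, `set=(hup,term)`.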
@@ -2,9 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. + abi , + /usr/share/bash-completion/{,**} r, /usr/share/terminfo/{,**} r, @@ -24,6 +26,7 @@ owner @{HOME}/.alias r, owner @{HOME}/.bash_aliases r, + owner @{HOME}/.bash_complete r, owner @{HOME}/.bash_history rw, owner @{HOME}/.bash_profile r, owner @{HOME}/.bashrc r, diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index f032f842b..70850b2ba 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -2,15 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + abi , dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index d5ca957e8..a1226d8e7 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session 
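Review bot: `owner @{HOME}/.bash_complete r,` in the second bash-strict hunk is suspicious: the per-user bash-completion file is conventionally `~/.bash_completion` (what the bash-completion package sources), and `~/.bash_complete` is not a name I recognise, so unless this came from an actual denial it looks like a typo. If it is genuine, a trailing comment naming the program that reads it (`# read by <program>`) will stop the next person from "fixing" it; otherwise change it to `owner @{HOME}/.bash_completion r,`.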
@@ -2,19 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - unix (bind, listen) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), + abi , - dbus send bus=session path=/org/freedesktop/DBus + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, + + dbus send bus=session path=/org/freedesktop/{dbus,DBus} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 0148d0711..d05c018c7 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -2,17 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-system), - - @{run}/dbus/system_bus_socket rw, + @{run}/dbus/system_bus_socket rw, + @{att}/@{run}/dbus/system_bus_socket rw, include if exists 
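Review bot: `path=/org/freedesktop/{dbus,DBus}` in the bus-session hunk admits a lowercase object path that the message bus does not use for its own interface, and bus-system in the next hunk keeps plain `path=/org/freedesktop/DBus`; if a specific client really sends to `/org/freedesktop/dbus`, name it in a trailing comment, otherwise drop the alternation. bus-session also removes the `unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*"` rules and keeps only `unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session,`; whether the connect/send/receive side is now granted elsewhere is not visible in this diff and deserves a sentence in the commit message. Both new `addr=` values are unquoted where the removed ones were quoted; quoting them keeps the style of the rest of the file.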
diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y
new file mode 100644
index 000000000..0145fc494
--- /dev/null
+++ b/apparmor.d/abstractions/bus/accessibility/org.a11y
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ # Allow the accessibility services in the user session to send us any events
+
+ dbus receive bus=accessibility
+ peer=(label="@{p_at_spi2_registryd}"),
+
+ # Allow querying for capabilities and registering
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Socket
+ member=Embed
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=GetRegisteredEvents
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member={GetKeystrokeListeners,GetDeviceEventListeners}
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member=NotifyListenersSync
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ # org.a11y.atspi is not designed for application isolation and these rules
+ # can be used to send change events for other processes. 
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Event.Object
+ member=ChildrenChanged
+ peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Accessible
+ member=Get*
+ peer=(label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+ interface=org.a11y.atspi.Event.Object
+ member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
+ peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/cache
+ interface=org.a11y.atspi.Cache
+ member={AddAccessible,RemoveAccessible}
+ peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/accessibility/own b/apparmor.d/abstractions/bus/accessibility/own
new file mode 100644
index 000000000..d1eab1ce7
--- /dev/null
+++ b/apparmor.d/abstractions/bus/accessibility/own
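Review bot: The deleted `bus/org.a11y` file carried a `# Session bus` section allowing `org.a11y.Bus` `GetAddress` on the session bus (how a client discovers the accessibility bus address); this replacement holds accessibility-bus rules only, so unless that part was moved to another file in this commit, profiles switched to the new abstraction lose the bootstrap call. The blanket `dbus receive bus=accessibility peer=(label="@{p_at_spi2_registryd}"),` at the top replaces the per-member receive rules of the deleted file; its one-line comment should say that this widening is intended, e.g. `# Deliberately unrestricted: the registry pushes arbitrary event/property signals to clients`. The hunk covers the whole new file.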
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Do not use it manually, It is automatically included in a profile by the
+# `aa:dbus own` directive.
+
+# Allow owning a name on DBus public bus
+
+ abi ,
+
+ dbus send bus=accessibility path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
+
+ dbus send bus=accessibility path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer b/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer
new file mode 100644
index 000000000..9bad3655d
--- /dev/null
+++ b/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/ca/desrt/dconf/Writer/user
+ interface=ca.desrt.dconf.Writer
+ member=Change
+ peer=(name=ca.desrt.dconf), # no peer's labels
+
+ dbus receive bus=session path=/ca/desrt/dconf/Writer/user
+ interface=ca.desrt.dconf.Writer
+ member=Notify
+ peer=(name=@{busname}, label=dconf-service),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
index 3eceb53ab..9363bb757 100644
--- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
+++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
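Review bot: In ca.desrt.dconf.Writer the `Change` call — the one that writes settings — is the rule without a peer label (`peer=(name=ca.desrt.dconf), # no peer's labels`), while the harmless `Notify` receive is pinned to `label=dconf-service`; the inline comment records the fact but not the reason, which is what a later reader needs. If the writer may still be bus-activated when Change is sent, say so: `# no peer label: dconf-service may still be bus-activated at this point` (my guess — confirm). In the `own` abstraction the second rule's `GetConnectionUnixProcessID`/`GetConnectionUnixUser`/`GetConnectionCredentials` members are caller-credential lookups rather than name ownership, so the header `# Allow owning a name on DBus public bus` should add `# and querying the credentials of peers that call the owned name`.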
@@ -4,6 +4,8 @@ # Access required for connecting to/communicating with the Unity Launcher + abi , + dbus send bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.Unity.LauncherEntry member=Update @@ -12,12 +14,12 @@ dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu index 290a86de8..61ce81111 100644 --- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu +++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu @@ -2,6 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + dbus send bus=session path=/com/canonical/unity/launcherentry/** + interface=com.canonical.dbusmenu + member={GetGroupProperties,GetLayout} + peer=(name=@{busname}, label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index a8e3d52a5..7989ea4c5 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 
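Review bot: The rule added to com.canonical.dbusmenu is scoped to `path=/com/canonical/unity/launcherentry/**` and `label=nautilus`, which puts a Unity-launcher/nautilus special case into a generic dbusmenu abstraction; com.canonical.Unity.LauncherEntry in the hunk just above already owns `/com/canonical/unity/launcherentry/@{int}` with the same interface and members on the receive side, so the send rule seems to belong there, or needs a comment saying why it lives here. Independently, `name=@{busname}` should be quoted as the LauncherEntry rules do: `peer=(name="@{busname}", label=nautilus),`.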
@@ -2,50 +2,39 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=system path=/fi/w1/wpa_supplicant1 - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + abi , + + #aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties - member={GetAll,Set} - peer=(name=:*, label=wpa-supplicant), + member=Set + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=fi.w1.wpa_supplicant1.Interface member=CreateInterface - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface.P2PDevice member=Cancel - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), - - dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), - - dbus receive bus=system 
path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index b4032e033..7e7560992 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -2,10 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=system path=/net/hadess/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=power-profiles-daemon), + abi , + + #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index 55e4f414d..df65417da 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -2,10 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=system path=/net/hadess/SwitcherooControl - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=switcheroo-control), + abi , + + #aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 7e7b21565..0241fc889 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint 
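Review bot: After the fi.w1.wpa_supplicant1 hunk the BSS-level Properties traffic (`.../Interfaces/@{int}/BSSs/@{int}` with `GetAll`/`PropertiesChanged`) has no explicit rule left; the removal is only behaviour-preserving if `#aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant` expands to the whole object subtree, which cannot be seen from this diff. A trailing comment on the directive stating what it generates, e.g. `# generates Properties GetAll/PropertiesChanged rules for /fi/w1/wpa_supplicant1{,/**}`, would make this and the same removals in net.hadess.PowerProfiles and net.hadess.SwitcherooControl reviewable. The hunk begins on the previous line of the page.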
@@ -2,10 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" + dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=:*, label=fprintd), + peer=(name="@{busname}", label="@{p_fprintd}"), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager @@ -15,7 +19,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=net.reactivated.Fprint, label=fprintd), + peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y deleted file mode 100644 index 5103361c9..000000000 --- a/apparmor.d/abstractions/bus/org.a11y +++ /dev/null 
@@ -1,46 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- # Accessibility bus
-
- dbus receive bus=accessibility path=/org/a11y/atspi/registry
- interface=org.a11y.atspi.Registry
- member=EventListenerDeregistered
- peer=(name=:*, label=at-spi2-registryd),
-
- dbus send bus=accessibility path=/org/a11y/atspi/registry
- interface=org.a11y.atspi.Registry
- member=GetRegisteredEvents
- peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
-
- dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
- interface=org.a11y.atspi.DeviceEventController
- member={GetKeystrokeListeners,GetDeviceEventListeners}
- peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
-
- dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
- interface=org.freedesktop.DBus.Properties
- member=Set
- peer=(name=:*, label=at-spi2-registryd),
-
- dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
- interface=org.a11y.atspi.Socket
- member=Embed
- peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
-
- # Session bus
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.a11y.Bus
- member=GetAddress
- peer=(name=org.a11y.Bus, label=dbus-accessibility),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.a11y.Bus
- member=GetAddress
- peer=(name=org.a11y.Bus),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
index 10a9e8fc0..e77f17b88 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
@@ -2,30 +2,29 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member={FindUserByName,ListCachedUsers} - peer=(name=:*, label=accounts-daemon), - - dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=accounts-daemon), + member={FindUserByName,ListCachedUsers,FindUserById} + peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name=:*, label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name=:*, label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name=:*, label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 8b24700db..4ddf95af3 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi 
@@ -2,25 +2,44 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" + dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), + member={ItemNew,ItemRemove,AllForNow,CacheExhausted} + peer=(name="@{busname}", label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager deleted file mode 100644 index 3950b77aa..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ /dev/null 
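Review bot: Two of the new receive rules in org.freedesktop.Avahi (`StateChanged` and `Found`) write `peer=(name=@{busname}, …)` while the `ItemNew` rule just above them and the rest of this commit write `peer=(name="@{busname}", …)`; keep the quoted form (ca.desrt.dconf.Writer and com.canonical.dbusmenu have the same slip). Separately, the `org.freedesktop.DBus.Peer` `Ping` rule is the only one whose `label=` is dropped; if that is because the daemon may still be bus-activated when Ping is sent, a trailing comment `# no label: daemon may not be running yet` would keep someone from re-adding it.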
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=GetDevices - peer=(name=:*, label=colord), - - dbus send bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=colord), - - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=CreateDevice - peer=(name=:*, label=colord), - - dbus receive bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={DeviceAdded,DeviceRemoved} - peer=(name=:*, label=colord), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index b4e985b9e..a08c98b26 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -2,15 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session path=/org/freedesktop/FileManager1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=nautilus), + abi , - dbus receive bus=session path=/org/freedesktop/FileManager1 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=nautilus), + #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus + + dbus send bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.FileManager1 + member=ShowItems + peer=(name=org.freedesktop.FileManager1, label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index 836e99d94..9957c7b67 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -2,35 +2,28 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=geoclue), + abi , + #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=geoclue), + peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=geoclue), - + peer=(name="@{busname}", label="@{p_geoclue}"), + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member=AddAgent - peer=(name=:*, label=geoclue), - - dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 217b588a4..4f53ba497 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 
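Review bot: The org.freedesktop.GeoClue2 hunk removes the `Manager` `org.freedesktop.DBus.Properties` `GetAll` send at the top as redundant with the new `#aa:dbus common` directive, yet an identical rule (`path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name="@{busname}", …)`) survives further down; either the directive does not cover it and the first removal is wrong, or the surviving copy is dead and should go too. The new side also appears to replace a blank line with a whitespace-only one after the `Agent` `GetAll` receive rule, and unlike the sibling files there is no blank line between `abi` and the directive.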
@@ -2,20 +2,19 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
-  dbus send bus=system path=/org/freedesktop/ModemManager1
-       interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects
-       peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
+  abi ,
+
+  #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
 
   dbus send bus=system path=/org/freedesktop/ModemManager1
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
-       peer=(name=:*, label=ModemManager),
+       peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"),
 
   dbus send bus=system path=/org/freedesktop/ModemManager1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=ModemManager),
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name="@{busname}", label="@{p_ModemManager}"),
 
   include if exists
 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
index 0fa92d3cc..a22a235fb 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
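Review bot: The two `GetManagedObjects` send rules on the new side differ only in the peer name, and the rest of this commit folds such a pair into one braced peer (see the NetworkManager hunk that follows); the same form here would be `peer=(name="{@{busname},org.freedesktop.ModemManager1}", label="@{p_ModemManager}"),` on the first rule, after which the second rule can go. Style only; the resulting grants are identical.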
@@ -2,75 +2,59 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager + dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + member={GetManagedObjects,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={GetDevices,GetPermissions} - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings interface=org.freedesktop.NetworkManager.Settings member=ListConnections - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus send bus=system 
path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=CheckPermissions - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=Updated - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", 
label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=@{busname}, label=NetworkManager), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications deleted file mode 100644 index 90ee1aefc..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gjs-console), - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetCapabilities,GetServerInformation,Notify} - peer=(name=:*, label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetAll,NotificationClosed,CloseNotification} - peer=(name=:*, label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=Notify - peer=(name=org.freedesktop.DBus, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index 7cdd9a3ce..a4f9ba9b9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit 
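Review bot: The send rule on `path=/org/freedesktop` now lists `member={GetManagedObjects,InterfacesRemoved}`, but InterfacesRemoved is a signal the ObjectManager service emits rather than a method a client calls, and it already appears in the receive rule further down the hunk; this looks like a copy of that receive rule rather than a grant the confined client needs. Unless a client really emits that signal, `member=GetManagedObjects` is the tighter line. The last added rule writes `peer=(name=@{busname}, label=NetworkManager),` unquoted while every other rule in the file uses `"@{busname}"` or the braced form; normalising to `peer=(name="@{busname}", label=NetworkManager),` keeps the file uniform. The hunk begins two lines up.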
@@ -2,15 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=packagekitd), +# Allow communication with PackageKit transactions. Transactions are exported +# with random object paths that currently take the form /@{int}_@{hex8}. + + abi , + + #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.PackageKit, label=packagekitd), dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -19,7 +17,15 @@ dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.PackageKit member=StateHasChanged - peer=(name=org.freedesktop.PackageKit, label=packagekitd), + peer=(name=org.freedesktop.PackageKit), + + dbus send bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + + dbus receive bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 3201e48ce..2a4e8c1e5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 
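Review bot: The two new `path=/@{int}_@{hex8}` rules carry no `member=`, so every profile that includes this abstraction may call any method of `org.freedesktop.PackageKit.Transaction` on packagekitd, not only the query side; the new header comment explains the random object path but not this breadth. If the consumers only need the read-only members, a `member={…}` list would keep the shared abstraction narrow; if the whole interface is intended, the comment should say so, e.g. `# The full Transaction interface is granted; consumers drive installs and removals through it.`. The `StateHasChanged` send in the same hunk also drops `label=packagekitd` from its peer, which every other rule in the file keeps; that loosening looks incidental and is worth a second look.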
@@ -2,34 +2,26 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can talk to polkitd's CheckAuthorization API + + abi , + + #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed - peer=(name=:*, label=polkitd), - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label=polkitd), + member={CheckAuthorization,CancelCheckAuthorization} + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=:*, label=polkitd), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1), - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=polkitd), + member=RegisterAuthenticationAgentWithOptions + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 474c4c625..f66fdb20a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 
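Review bot: The new header comment `# Can talk to polkitd's CheckAuthorization API` no longer describes the file once the last rule grants `member=RegisterAuthenticationAgentWithOptions`: that is the agent-side call, so any profile including this abstraction may register itself as a polkit authentication agent rather than merely request an authorization check. Since this abstraction is widely shared, moving the agent registration into a dedicated abstraction would keep the grant visible to profile authors; at minimum the comment should be widened, e.g. `# Can talk to polkitd's CheckAuthorization API and register as an authentication agent`.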
@@ -2,30 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow setting realtime priorities. + + abi , + + #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.RealtimeKit1), dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=:*, label=rtkit-daemon), + interface=org.freedesktop.RealtimeKit1 + member={MakeThreadHighPriority,MakeThreadRealtime} + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 - member=MakeThread* - peer=(name=:*, label=rtkit-daemon), - - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.RealtimeKit1 - member=MakeThread* - peer=(name=org.freedesktop.RealtimeKit1), - - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.RealtimeKit1 - member=MakeThread* - peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), + member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver deleted file mode 100644 index 842057a1d..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ /dev/null 
@@ -1,12 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files index 567740a35..c55736c1e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files +++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files @@ -2,15 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.Tracker3.Endpoint member=Query - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index 79b882e51..c97e83d71 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 
@@ -2,55 +2,39 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd + dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), - - dbus send bus=system path=/org/freedesktop/UDisks2/** - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Properties member=Get - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), - - dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), - - dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system 
path=/org/freedesktop/UDisks2/jobs/@{int} interface=org.freedesktop.UDisks2.Job member=Completed - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), - - dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower deleted file mode 100644 index d8341d33c..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ /dev/null 
@@ -1,46 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member=EnumerateDevices - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), - - dbus send bus=system path=/org/freedesktop/UPower{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), - dbus send bus=system path=/org/freedesktop/UPower{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=org.freedesktop.UPower, label=upowerd), - - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.DBus.Properties - member=GetDisplayDevice - peer=(name=org.freedesktop.UPower, label=upowerd), - - dbus send bus=system path=/org/freedesktop/UPower/devices/* - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), - - dbus send bus=system path=/org/freedesktop/UPower/devices/* - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), - - dbus receive bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member=DeviceAdded - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), - - dbus receive bus=system path=/org/freedesktop/UPower/devices/* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles new file mode 100644 index 000000000..45e88b103 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles 
@@ -0,0 +1,11 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi ,
+
+  #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
+
+  include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
index 5f951381b..0f371f79b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
+++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
@@ -2,15 +2,9 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
-  dbus send bus=session path=/org/freedesktop/background/monitor
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=xdg-desktop-portal),
+  abi ,
 
-  dbus receive bus=session path=/org/freedesktop/background/monitor
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name=:*, label=xdg-desktop-portal),
+  #aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal
 
   include if exists
 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
index 54196d16b..165e3ae6e 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
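Review bot: The directive in the new file writes `label=@{p_power_profiles_daemon}` without quotes, whereas every other `#aa:dbus common` line in this commit that uses a variable label quotes it (`label="@{p_geoclue}"`, `label="@{p_polkitd}"`, `label="@{p_systemd}"`). Whether the generator accepts both forms is not visible here; if it does, `label="@{p_power_profiles_daemon}"` keeps the new file consistent with the others, and if it does not, the unquoted form would be a silent mismatch that no rule in this file catches.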
@@ -2,14 +2,13 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
-  dbus send bus=system path=/org/freedesktop/hostname1
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="{:*,org.freedesktop.hostname1}", label=systemd-hostnamed),
+  abi ,
+
+  #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
 
   dbus send bus=system path=/org/freedesktop/hostname1
        interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
+       member=Get
        peer=(name=org.freedesktop.hostname1),
 
   include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
index 6b965a2f5..22886c8a5 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
+++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
@@ -2,15 +2,19 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
-  dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=xdg-permission-store),
+  abi ,
+
+  #aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
 
   dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
        interface=org.freedesktop.impl.portal.PermissionStore
        member=Lookup
-       peer=(name=:*, label=xdg-permission-store),
+       peer=(name="@{busname}", label=xdg-permission-store),
+
+  dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
+       interface=org.freedesktop.impl.portal.PermissionStore
+       member=Lookup
+       peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store),
 
   include if exists
 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1
index fdceceea4..ad368ed98 100644
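Review bot: In the PermissionStore hunk the two `Lookup` send rules are identical except for the peer name, which the other hunks in this commit express as one braced peer; `peer=(name="{@{busname},org.freedesktop.impl.portal.PermissionStore}", label=xdg-permission-store),` on the first rule lets the newly added second rule be dropped. Style only; the resulting grants are the same.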
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -2,35 +2,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + abi , - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), include if exists 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 24d5c1452..f60c69301 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session 
@@ -2,40 +2,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=:*, label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=:*, label=systemd-logind), + peer=(name="@{busname}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/login1/seat/* - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), - - dbus receive bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index 268a21dea..7583a3e9d 100644 
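Review bot: This file now carries the same `#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"` directive that the org.freedesktop.login1 abstraction gets in this commit. A profile that includes both abstractions will have the directive expanded twice; whether the generator or the parser tolerates the duplicate rules is not visible here. If that is not intended, the Session abstraction could include the base login1 abstraction instead of repeating the directive, so the common grant lives in one place.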
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.network1
@@ -2,10 +2,9 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
-  dbus send bus=system path=/org/freedesktop/network1
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.freedesktop.network1, label=systemd-networkd),
+  abi ,
+
+  #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
 
   include if exists
 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
index a2a1a94a0..4778dd6dc 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
+++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
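Review bot: The removed rule addressed the daemon by its well-known name (`peer=(name=org.freedesktop.network1, label=systemd-networkd),`) and nothing explicit replaces it; the file now consists only of the `#aa:dbus common` directive, whose expansion is not visible in this diff. Other files in this commit (hostname1, ModemManager1, PermissionStore) keep a well-known-name rule next to the directive, which suggests the directive covers the `@{busname}` form only; if that holds here, callers that address `org.freedesktop.network1` by name lose `Properties.Get` with no replacement. The timedate1 hunk later in this commit drops its well-known-name `Get` rule the same way and deserves the same check against the rendered output of the directive.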
@@ -2,30 +2,59 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties - member={Get,GetAll,Read} - peer=(name="{:*,org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + member=Read + peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name=:*, label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name=:*, label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop + dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*, label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name=:*, label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop/** + interface=org.freedesktop.portal.Request + member=Response + 
peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Inhibit + member={StateChanged,CreateMonitor} + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** + interface=org.freedesktop.impl.portal.Session + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 deleted file mode 100644 index 3057282c9..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ /dev/null @@ -1,12 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={SetLink*,ResolveHostname} - peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index 01ecf0786..e30e7b1c2 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets 
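Review bot: The two consecutive `org.freedesktop.DBus.Properties` send rules differ only in member (`Read` vs `GetAll`) and in peer form (`"{@{busname},org.freedesktop.portal.Desktop}"` vs bare `@{busname}`); unless the well-known name is deliberately reserved for `Read`, they collapse into one rule with `member={GetAll,Read}` and the braced peer. The added rules also write `peer=(name=@{busname}, …)` unquoted throughout, unlike the `"@{busname}"` form used in the other abstractions of this commit; either is presumably accepted, but one form should be used file-wide. The hunk begins on the previous line.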
@@ -2,15 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session path=/org/freedesktop/secrets{,/**} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-keyring-daemon), + abi , + + #aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service - member={OpenSession,GetSecrets,SearchItems,ReadAlias} - peer=(name=:*, label=gnome-keyring-daemon), + member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection @@ -20,12 +19,7 @@ dbus receive bus=session path=/org/freedesktop/secrets/collection/login interface=org.freedesktop.Secret.Collection member=ItemCreated - peer=(name=:*, label=gnome-keyring-daemon), - - dbus receive bus=session path=/org/freedesktop/secrets/collection/login - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gnome-keyring-daemon), + peer=(name="@{busname}", label=gnome-keyring-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 49e4b014d..167e66d65 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 
@@ -2,14 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" + dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} + interface=org.freedesktop.systemd1.Manager + member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=session path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member={GetUnit,StartUnit,StartTransientUnit} + member=ListUnitsByPatterns peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), dbus send bus=session path=/org/freedesktop/systemd1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session deleted file mode 100644 index c0e852662..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=org.freedesktop.systemd1), - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"), - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnit - peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 883c5c165..8f6118355 100644 
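Review bot: `StartUnit` and `StartTransientUnit` against `org.freedesktop.systemd1` on the system bus are privileged operations (starting units as PID 1), and moving them from the mistyped `bus=session` line to `bus=system` makes them effective for every includer of this abstraction for the first time; a header comment stating which profiles need them and that polkit is the remaining gate would be useful, and the same applies to the user-manager `StartTransientUnit` rule in the new `bus/session/org.freedesktop.systemd1` file (L98). The trailing context line `dbus send bus=session path=/org/freedesktop/systemd1` shows a session-bus rule still living in this system-bus abstraction even though the commit creates a dedicated session variant; the rest of the file is outside the hunk, so confirm that leftover is intentional.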
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -2,21 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.timedate1, label=systemd-timedated), + abi , - # FIXME: should be under the systemd-timedated label - dbus send bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.timedate1, label=unconfined), - - dbus send bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=systemd-timedated), + #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager deleted file mode 100644 index 05945a253..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ /dev/null @@ -1,12 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=system path=/org/gnome/DisplayManager/Manager - interface=org.gnome.DisplayManager.Manager - member=RegisterDisplay - peer=(name=:*, label=gdm), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig index d701792a6..f275850cd 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig 
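Review bot: The removed `peer=(name=org.freedesktop.timedate1, label=unconfined)` rule carried a FIXME explaining it was a workaround for systems where `systemd-timedated` is not confined; the replacement `#aa:dbus common … label="@{p_systemd_timedated}"` only preserves that behaviour if the variable expands to include `unconfined`, which this hunk does not show. A short comment such as `# @{p_systemd_timedated} covers the unconfined fallback formerly listed here` would document the assumption and make a regression easy to diagnose.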
@@ -2,30 +2,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member={GetResources,GetCrtcGamma} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState - peer=(name="{:*,org.gnome.Mutter.DisplayConfig}", label=gnome-shell), - - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gnome-shell), + peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=MonitorsChanged - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 7ada64f05..d1ff350fc 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor 
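Review bot: The variable in `peer=(name="@{busname}", label=gnome-shell)` is quoted here, while other new rules in the same commit write it bare (`name=@{busname}` at L88, L89, L93, L94, L95) and others quote it (L80, L84, L87, L98, L100); both spellings are presumably accepted by the parser, but a single convention across the bus abstractions would make the files greppable and diff cleanly. Pick one form, for instance the bare `peer=(name=@{busname}, label=gnome-shell),`, and apply it in the other hunks named above.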
@@ -2,20 +2,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor - member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} - peer=(name=:*, label=gnome-shell), + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} + peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member=WatchFired - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 deleted file mode 100644 index e547ab2c5..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=nautilus), - - dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=nautilus), - - dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=nautilus), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver deleted file mode 100644 index 3e228ad1f..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gjs-console), - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name=:*, label=gjs-console), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name=:*, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager deleted file mode 100644 index 4197fb4cf..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ /dev/null 
@@ -1,64 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# FIXME: Too large, restrict it. - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={RegisterClient,IsSessionRunning} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.gnome.SessionManager.ClientPrivate - member=EndSessionResponse - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.gnome.SessionManager.ClientPrivate - member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Presence - 
interface=org.gnome.SessionManager.Presence - member=StatusChanged - peer=(name=:*, label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index 72e4525bc..b53acf610 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -2,30 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session path=/org/gnome/Shell/Introspect - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), + abi , - dbus send bus=session path=/org/gnome/Shell/Introspect - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.gnome.Shell.Introspect, label=gnome-shell), + #aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member=GetRunningApplications - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member={RunningApplicationsChanged,WindowsChanged} - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/gnome/Shell/Introspect - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 new file mode 100644 index 000000000..ae8b68448 --- /dev/null 
+++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas} + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member=*Cancel + peer=(name=@{busname}, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor + diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter new file mode 100644 index 000000000..0816b046f --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter 
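Review bot: Both rules pin `path=/org/gnome/Characters/SearchProvider`, the object path of one specific provider, although the abstraction is named after the generic `org.gnome.Shell.SearchProvider2` interface; any other profile that includes it gets no effect. Either document that limitation (`# FIXME: object path is specific to gnome-characters; generalize before reuse`) or make the path a variable the including profile sets. `member=*Cancel` is a leading-wildcard match; if a single member is meant, name it. The file also ends with an extra `+` blank line after `# vim:syntax=apparmor`, unlike the other abstractions.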
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow accessing the GNOME crypto services prompt APIs as used by +# applications using libgcr (such as pinentry-gnome3) for secure pin +# entry to unlock GPG keys etc. See: +# https://developer.gnome.org/gcr/unstable/GcrPrompt.html +# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html +# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + + abi , + + unix type=stream peer=(label=gnome-keyring-daemon), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=@{busname}, label=pinentry-*), + + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}, label=pinentry-*), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon deleted file mode 100644 index 35cd640d6..000000000 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ /dev/null @@ -1,12 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name=:*, label=gvfsd), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata deleted file mode 100644 index 33d3c1c36..000000000 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ /dev/null 
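Review bot: The peer label on both dbus rules looks inverted relative to the header comment: the header says the includer is an application using libgcr such as pinentry-gnome3, so the peer that serves `/org/gnome/keyring/Prompter` and emits the `Prompter.Callback` signals is the prompter implementation, not `pinentry-*`. Confirm against audit logs before merging; if the abstraction is instead meant for the prompter's own profile, the send/receive directions also need swapping. The `unix type=stream peer=(label=gnome-keyring-daemon),` rule is not a dbus rule and sits in a `bus/` abstraction without explanation; a comment such as `# NOTE(review): presumably the GcrSecretExchange channel — confirm` would help.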
@@ -1,17 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gvfsd-metadata), - - dbus receive bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=AttributeChanged - peer=(name=:*, label=gvfsd-metadata), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem deleted file mode 100644 index 4fca40e84..000000000 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ /dev/null @@ -1,8 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index 67ac1fb6d..90a78d2ed 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher 
@@ -2,20 +2,52 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), +# Allow to display Status Notifier Items in the KDE Plasma systray - dbus send bus=session path=/StatusNotifierWatcher - interface=org.kde.StatusNotifierWatcher - member=RegisterStatusNotifierItem - peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), + abi , + + #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label="@{pp_app_indicator}"), + + + dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} + interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} + member={Get*,AboutTo*,Event*} + peer=(label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + 
member={ProvideXdgActivationToken,Activate} + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={AboutToShow,GetLayout,Event} + peer=(label="@{pp_app_indicator}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher new file mode 100644 index 000000000..ca2bf92c8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal xdg-open + + abi , + + dbus send bus=session path=/ + interface=com.canonical.SafeLauncher + member=OpenURL + peer=(name=@{busname}, label=snap), + + dbus send bus=session path=/io/snapcraft/Launcher + interface=io.snapcraft.Launcher + member={OpenURL,OpenFile} + peer=(name=@{busname}, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher new file mode 100644 index 000000000..704d9010d --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can identify and launch other snaps. + + abi , + + dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher + interface=io.snapcraft.PrivilegedDesktopLauncher + member=OpenDesktopEntry + peer=(name=io.snapcraft.Launcher, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings new file mode 100644 index 000000000..c50753cd6 --- /dev/null 
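Review bot: `#aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell` uses a hyphen where every other hunk in this commit writes `#aa:dbus common`; if the generator matches that prefix literally, the line is treated as a plain comment and the common rules are silently not produced, so it should read `#aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label="@{pp_app_indicator}"` (the label too, since all the surrounding rules now use `@{pp_app_indicator}`, not `gnome-shell`). `peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}")` on the `LayoutUpdated`/`ItemsPropertiesUpdated` send rule names the bus driver as the peer, which is unusual for dbusmenu signals; confirm against audit logs. There is also a double blank line before that rule.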
+++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal 'xdg-settings' + + abi , + + dbus send bus=session path=/io/snapcraft/Settings + interface=io.snapcraft.Settings + member={Check,CheckSub,Get,GetSub,Set,SetSub} + peer=(name=io.snapcraft.Settings, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y new file mode 100644 index 000000000..8f517fe99 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.a11y @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal new file mode 100644 index 000000000..e7c0f9cef --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal 
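Review bot: The `GetAddress` rule ends with `peer=(name=org.a11y.Bus),` and no label, while the three rules above it pin `label="@{p_dbus_accessibility}"` for the same service; if the omission is deliberate (for example because the address lookup must work before the a11y bus is confined) say so in a comment, otherwise make it `peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),` for consistency.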
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to the IBus portal + + abi , + + dbus send bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.IBus.Portal + member=CreateInputContext + peer=(name=org.freedesktop.portal.IBus), + + dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications new file mode 100644 index 000000000..b51c4bdcb --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}" + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={GetCapabilities,GetServerInformation,Notify,CloseNotification} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={ActionInvoked,NotificationClosed,NotificationReplied} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver new file mode 100644 index 000000000..ee837b886 
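Review bot: The two `InputContext_@{int}` rules carry no `member=`, so the entire `org.freedesktop.IBus.InputContext` interface is open in both directions for every includer; that is plausibly what an input-method client needs, but a comment stating it (`# whole InputContext interface: the client both drives and receives commit/preedit traffic`) would stop a later reviewer from tightening it blindly. The `CreateInputContext` rule has `peer=(name=org.freedesktop.portal.IBus)` with no label, unlike the `label=ibus-daemon` on the other two; add the label if the portal name is owned by the same daemon, or comment why it is left open.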
--- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus send bus=session path=/{,org/freedesktop/}ScreenSaver + interface=org.freedesktop.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + dbus receive bus=session path=/org/freedesktop/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret new file mode 100644 index 000000000..8ded1b6d7 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret 
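Review bot: The `Inhibit`/`UnInhibit` rule uses `peer=(name=org.freedesktop.ScreenSaver),` with no label, whereas the `GetActive`/`Lock` and signal rules in the same file pin `label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"`; since the well-known name is served by the same implementations, either add the same label list here or leave a comment explaining why inhibit calls are allowed toward any owner of that name.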
@@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon + + dbus send bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus receive bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=ReadAlias + peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon), + dbus send 
bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=SearchItems + peer=(name=@{busname}, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings new file mode 100644 index 000000000..01cf21c46 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=ReadAll + peer=(name=@{busname}, label=xdg-desktop-portal), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 new file mode 100644 index 000000000..0c8185be6 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 
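Review bot: The three rules after the blanket `interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}` send rule are mostly redundant: `member=ReadAlias` and `member=SearchItems` on `Secret.Service` with peers `org.freedesktop.secrets` / `@{busname}` are strict subsets of it, and the `Properties GetAll` rule is presumably produced by the `#aa:dbus common` directive, so they can be dropped (they are also not blank-line separated like the rest of the file). The header line `# - https://standards.freedesktop.org/secret-service/)` has a stray `)`. Since this file intentionally grants full secret-service access while the narrower `bus/org.freedesktop.secrets` (L80) still exists, a sentence in the header saying which profiles should include which would guide future contributors toward the least-privilege option.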
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnit + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 similarity index 52% rename from apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 rename to apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index 9953ee8bf..f69667e08 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 @@ -2,16 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session path=/org/gnome/ArchiveManager1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=file-roller), + abi , + + #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name=:*, label=file-roller), + peer=(name="@{busname}", label="@{p_file_roller}"), - include if exists + include if exists # vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 new file mode 100644 index 000000000..8a3e7d74e --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver new file mode 100644 index 000000000..27c456637 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver (GNOME version) + + abi , + + dbus send bus=session path=/{,org/gnome/}ScreenSaver + interface=org.gnome.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label=gjs-console), + + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label=gjs-console), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager new file mode 100644 index 000000000..4c641776b --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager 
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}"
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={RegisterClient,IsSessionRunning}
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={Inhibit,Uninhibit}
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={Setenv,IsSessionRunning}
+ peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus receive bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
+ interface=org.gnome.SessionManager.ClientPrivate
+ member=EndSessionResponse
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
+ interface=org.gnome.SessionManager.ClientPrivate
+ member={CancelEndSession,QueryEndSession,EndSession,Stop}
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus receive bus=session path=/org/gnome/SessionManager/Presence
+ interface=org.gnome.SessionManager.Presence
+ member=StatusChanged
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ include if exists
+
+# vim:syntax=apparmor
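Review bot: The literal label `"{gnome-session-binary,gnome-session-service}"` is repeated on all seven peer clauses and on the `#aa:dbus common` directive of this hunk; the other abstractions in this series keep the peer label in a `@{p_...}` variable (for example `@{p_systemd_user}` earlier on this page), so a single variable would keep the alternation in one place. `IsSessionRunning` also appears in both the first and the third send rule, differing only in the peer name; the `peer=(name="{@{busname},org.gnome.SessionManager}", ...)` form used elsewhere in this changeset would let the two rules be merged.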
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
new file mode 100644
index 000000000..93d830828
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow requesting interest in receiving media key events. This tells Gnome
+# settings that our application should be notified when key events we are
+# interested in are pressed, and allows us to receive those events.
+
+ abi ,
+
+ # DBus.Properties: read all properties from the interface
+ dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
+
+ dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys
+ interface=org.gnome.SettingsDaemon.MediaKeys
+ peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions
new file mode 100644
index 000000000..899f244a8
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=@{busname}, label=gnome-shell),
+
+ dbus receive bus=session
+ interface=org.gtk.Actions
+ member={Activate,DescribeAll,SetState},
+
+ dbus send bus=session
+ interface=org.gtk.Actions
+ member=Changed,
+
+ include if exists
+
+# vim:syntax=apparmor
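Review bot: The `org.gtk.Actions` receive rule in the second hunk on this line accepts `Activate`, `DescribeAll` and `SetState` from any peer on the session bus, since it carries neither `path=` nor `peer=`, so any process on that bus can drive the application's exported actions. If the intent is to accept them only from the shell, `peer=(name=@{busname}, label=gnome-shell)` as on the Properties rule just above it would narrow the rule; if it is deliberately open, a one-line comment saying why would stop the next reader from tightening it. The MediaKeys hunk on this line raises nothing.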
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus
new file mode 100644
index 000000000..b21c08067
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.Menus
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus receive bus=session
+ interface=org.gtk.Menus
+ member={Start,End}
+ peer=(name=@{busname}),
+
+ dbus send bus=session
+ interface=org.gtk.Menus
+ member=Changed,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler
new file mode 100644
index 000000000..3fce0d719
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/MountOperationHandler
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=@{busname}, label=gnome-shell),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications
new file mode 100644
index 000000000..151c642a8
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell
+
+ dbus send bus=session path=/org/gtk/Notifications
+ interface=org.gtk.Notifications
+ member={AddNotification,RemoveNotification}
+ peer=(name=org.gtk.Notifications, label=gnome-shell),
+
+ include if exists
+
+# vim:syntax=apparmor
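Review bot: The `org.gtk.Menus` receive rule in the first hunk pins `peer=(name=@{busname})` with no label, whereas the sibling `org.gtk.MountOperationHandler` and `org.gtk.Notifications` hunks on this line pin their peers to `gnome-shell`. If the menu exporter is only ever driven by the shell, `peer=(name=@{busname}, label=gnome-shell)` would make the three consistent; otherwise a one-line comment on why the label is left open would help a reader judge the rule.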
diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor similarity index 72% rename from apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor rename to apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor index 73d958513..b8160dcb2 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor @@ -2,21 +2,23 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded} - peer=(name=:*, label=gvfs-*-volume-monitor), + peer=(name="@{busname}", label=gvfs-*-volume-monitor), dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={MountAdded,MountChanged,VolumeChanged,VolumeRemoved} - peer=(name=:*, label=gvfs-*-volume-monitor), + peer=(name="@{busname}", label=gvfs-*-volume-monitor), dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} - peer=(name=:*, label=gvfs-*-volume-monitor), + peer=(name="@{busname}", label=gvfs-*-volume-monitor), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings new file mode 100644 index 000000000..9d2dd282a --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings 
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/Settings
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=@{busname}, label=gsd-xsettings),
+ dbus receive bus=session path=/org/gtk/Settings
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=@{busname}, label=gsd-xsettings),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon
new file mode 100644
index 000000000..edf954ac5
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Each daemon (main and for mounts) implement this.
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/vfs/Daemon
+ interface=org.gtk.vfs.Daemon
+ member={GetConnection,ListMonitorImplementations,ListMountableInfo}
+ peer=(name=@{busname}, label=gvfsd),
+
+ dbus receive bus=session path=/org/gtk/vfs/Daemon
+ interface=org.gtk.vfs.Daemon
+ member=GetConnection
+ peer=(name=@{busname}),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata
new file mode 100644
index 000000000..9f1a77daf
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata
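Review bot: In the org.gtk.Settings hunk the `dbus receive` rule directly follows the `dbus send` rule, without the blank line that separates rules everywhere else in these abstractions (`label=gsd-xsettings),` is immediately followed by `dbus receive bus=session`). In the org.gtk.vfs.Daemon hunk on the same line, the header comment `# Each daemon (main and for mounts) implement this.` should read `implements`, and the receive rule there has no `label=` on its peer while the send rule above it pins `gvfsd`; if the receive side is also only gvfsd, the same label would make the pair symmetric.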
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ #aa:dbus common bus=system name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata
+ dbus send bus=session path=/org/gtk/vfs/metadata
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=@{busname}, label=gvfsd-metadata),
+
+ dbus send bus=session path=/org/gtk/vfs/metadata
+ interface=org.gtk.vfs.Metadata
+ member={Set,Move,GetTreeFromDevice,Remove}
+ peer=(name=@{busname}, label=gvfsd-metadata),
+
+ dbus receive bus=session path=/org/gtk/vfs/metadata
+ interface=org.gtk.vfs.Metadata
+ member=AttributeChanged
+ peer=(name=@{busname}, label=gvfsd-metadata),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation
new file mode 100644
index 000000000..54dfc837f
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int}
+ interface=org.gtk.vfs.MountOperation
+ member={AskPassword,AskQuestion}
+ peer=(name=@{busname}, label=gvfsd-*),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker
similarity index 53%
rename from apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker
index 4d59f0afc..107c3dc13 100644
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
+++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker
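Review bot: The `#aa:dbus common` directive in the org.gtk.vfs.Metadata hunk says `bus=system`, but every rule below it and the file's new `bus/session/` location use the session bus, so the generated common rules would target the wrong bus; it should read `#aa:dbus common bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata`. Depending on what the directive expands to, the explicit `DBus.Properties GetAll` rule right after it may become redundant once the bus is corrected, and a blank line after the directive would match the layout of the other files in this changeset.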
@@ -2,21 +2,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# The mount tracking interface. + + abi , + dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name=:*, label=gvfsd), + member=LookupMount + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMounts2 - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=Mounted - peer=(name=:*, label=gvfsd), + member={Mounted,Unmounted} + peer=(name="@{busname}", label=gvfsd), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable new file mode 100644 index 000000000..603ef709b --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner new file mode 100644 index 000000000..7090afe24 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner 
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
+ interface=org.gtk.vfs.Spawner
+ member=Spawned
+ peer=(name=@{busname}, label=gvfsd),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem
new file mode 100644
index 000000000..d017d44e3
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ include
+
+ dbus bind bus=session name=org.kde.StatusNotifierItem-@{int},
+
+ dbus send bus=session path=/StatusNotifierWatcher
+ interface=org.kde.StatusNotifierWatcher
+ member=RegisterStatusNotifierItem
+ peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
+
+ dbus send bus=session path=/StatusNotifierItem
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
+
+ dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
+ interface=org.kde.StatusNotifierItem
+ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip}
+ peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.kde.kwalletd b/apparmor.d/abstractions/bus/session/org.kde.kwalletd
new file mode 100644
index 000000000..0afce1cdf
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.kde.kwalletd
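Review bot: The `dbus bind bus=session name=org.kde.StatusNotifierItem-@{int},` rule in the org.kde.StatusNotifierItem hunk only matches a single numeric suffix, while the StatusNotifierItem specification has items register as `org.kde.StatusNotifierItem-PID-ID`; unless the applications that include this abstraction are known to use the short form, `name=org.kde.StatusNotifierItem-@{int}{,-@{int}}` would cover both. A comment above the bind rule naming which form is expected would also make later denials easier to diagnose. The `include` line above it has lost its target in this rendering, so the source of `@{pp_app_indicator}` cannot be checked here.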
@@ -0,0 +1,9 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player
new file mode 100644
index 000000000..b2b934074
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ # DBus.Properties: read all properties from the interface
+ dbus send bus=system path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=@{busname}),
+
+ # DBus.Properties: receive property changed events
+ dbus receive bus=session path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=@{busname}),
+
+ # DBus.Introspectable: allow clients to introspect the service
+ dbus send bus=system path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}),
+
+ dbus receive bus=session path=/org/mpris/MediaPlayer2
+ interface=org.mpris.MediaPlayer2.Player
+ member={Seeked,Next,PlayPause}
+ peer=(name=@{busname}),
+
+ # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked
+ dbus send bus=session path=/org/mpris/MediaPlayer2
+ interface=org.mpris.MediaPlayer2.Player
+ member=Seeked
+ peer=(name=org.freedesktop.DBus),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/own b/apparmor.d/abstractions/bus/session/own
new file mode 100644
index 000000000..d975ebb48
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/own
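Review bot: Two rules in the org.mpris.MediaPlayer2.Player hunk use `bus=system` (the `DBus.Properties {Get,GetAll}` send and the `Introspect` send) although MPRIS is a session-bus interface, the file lives under `bus/session/`, and the remaining rules say `bus=session`; both should read `dbus send bus=session path=/org/mpris/MediaPlayer2`. The receive rule's member list mixes `Seeked`, which the player emits and which the following rule already allows as a send, with the `Next`/`PlayPause` calls it receives; if `Seeked` is only ever sent it can be dropped from the receive rule. The org.kde.kwalletd hunk on this line declares no rules at all; if it is a placeholder, a `# TODO: rules pending` comment would stop it from reading as a finished abstraction.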
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Do not use it manually, It is automatically included in a profile by the
+# `aa:dbus own` directive.
+
+# Allow owning a name on DBus public bus
+
+ abi ,
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez
similarity index 54%
rename from apparmor.d/abstractions/bus/org.bluez
rename to apparmor.d/abstractions/bus/system/org.bluez
index 7c86817f5..acaa7bb36 100644
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/system/org.bluez
@@ -2,46 +2,40 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" + dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name="{:*,org.bluez}", label=bluetoothd), - - dbus receive bus=system path=/org/bluez/hci@{int}{,/**} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{:*,org.bluez}", label=bluetoothd), + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{:*,org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), - - dbus send bus=system path=/org/bluez/hci@{int} - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name="{:*,org.bluez}", label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.Media@{int} member=RegisterApplication - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), - include if exists + include if exists # vim:syntax=apparmor 
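Review bot: The removed `org.freedesktop.DBus.Properties member=Set` send rule on `/org/bluez/hci@{int}` is not obviously covered by the `#aa:dbus common` directive that replaces the other removed Properties rules, so profiles that change adapter properties (`Powered`, `Discoverable` and the like) may start being denied after this change; confirm what the directive expands to, and if it only covers the read side, keep a `member=Set` rule with the new `label="@{p_bluetoothd}"` peer. The removed `PropertiesChanged` receive on `hci@{int}{,/**}` is presumably what the directive does cover, but that is inferred, not visible here.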
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver
new file mode 100644
index 000000000..f6a1a251c
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Address resolving
+
+ abi ,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=AddressResolverNew
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus send bus=system path=/Client@{int}/AddressResolver@{int}
+ interface=org.freedesktop.Avahi.AddressResolver
+ member=Free
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
+ interface=org.freedesktop.Avahi.AddressResolver
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser
new file mode 100644
index 000000000..39f5e4496
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Domain browsing
+
+ abi ,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=DomainBrowserNew
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus send bus=system path=/Client@{int}/DomainBrowser@{int}
+ interface=org.freedesktop.Avahi.DomainBrowser
+ member=Free
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus receive bus=system path=/Client@{int}/DomainBrowser@{int}
+ interface=org.freedesktop.Avahi.DomainBrowser
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver
new file mode 100644
index 000000000..403a4db0f
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Hostname resolving
+
+ abi ,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=HostNameResolverNew
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus send bus=system path=/Client@{int}/HostNameResolver@{int}
+ interface=org.freedesktop.Avahi.HostNameResolver
+ member=Free
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus receive bus=system path=/Client@{int}/HostNameResolver@{int}
+ interface=org.freedesktop.Avahi.HostNameResolver
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser
new file mode 100644
index 000000000..bff079b13
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Record browsing
+
+ abi ,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=RecordBrowserNew
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus send bus=system path=/Client@{int}/RecordBrowser@{int}
+ interface=org.freedesktop.Avahi.RecordBrowser
+ member=Free
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus receive bus=system path=/Client@{int}/RecordBrowser@{int}
+ interface=org.freedesktop.Avahi.RecordBrowser
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server
new file mode 100644
index 000000000..bfc87b3cc
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.Peer
+ member=Ping
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ # Allow service introspection
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ # Allow accessing DBus properties and resolving
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={Get*,Resolve*,IsNSSSupportAvailable}
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ # Allow receiving anything from the Avahi server
+ dbus receive bus=system
+ interface=org.freedesktop.Avahi.Server
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser
new file mode 100644
index 000000000..6a3b1510d
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=ServiceBrowserNew
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ member=Free
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
+ interface=org.freedesktop.Avahi.ServiceBrowser
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ include if exists
+
+# vim:syntax=apparmor
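Review bot: The `Introspect` rule in the org.freedesktop.Avahi.Server hunk pins `peer=(name=@{busname}, ...)` while the `Ping` and `Avahi.Server` method rules around it use `name=org.freedesktop.Avahi`; a client that introspects the well-known name would not match the rule as written, so `peer=(name="{@{busname},org.freedesktop.Avahi}", label="@{p_avahi_daemon}")` would be the safer form. The `member={Get*,Resolve*,IsNSSSupportAvailable}` glob is broad; a comment listing which `Get*` and `Resolve*` calls it is meant to cover would let the next reviewer tell intended matches from accidental ones.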
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver
new file mode 100644
index 000000000..d90e9ca14
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Service resolving
+
+ abi ,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=ServiceResolverNew
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
+ interface=org.freedesktop.Avahi.ServiceResolver
+ member=Free
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
+ interface=org.freedesktop.Avahi.ServiceResolver
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser
new file mode 100644
index 000000000..93affdc51
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Service type browsing
+
+ abi ,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=ServiceTypeBrowserNew
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
+ interface=org.freedesktop.Avahi.ServiceTypeBrowser
+ member=Free
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
+ interface=org.freedesktop.Avahi.ServiceTypeBrowser
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager
new file mode 100644
index 000000000..4b5dcc746
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow for color managed applications to communicate with colord
+
+ abi ,
+
+ #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
+
+ dbus send bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member=GetDevices
+ peer=(name="@{busname}", label="@{p_colord}"),
+
+ dbus send bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member={CreateProfile,CreateDevice,DeleteDevice}
+ peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
+
+ dbus receive bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member={DeviceAdded,DeviceRemoved}
+ peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
+
+ dbus (receive, send) bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member={FindDeviceByProperty,FindDeviceById}
+ peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower
new file mode 100644
index 000000000..aa6a61371
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower
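Review bot: The last rule of the org.freedesktop.ColorManager hunk grants `dbus (receive, send)` for `FindDeviceByProperty`/`FindDeviceById`, but those are methods a client calls on colord, and method replies do not need a separate receive rule; unless a profile using this abstraction also answers those calls itself, `dbus send` alone is sufficient and the receive half should go or be explained in a comment. The `GetDevices` rule above it pins `name="@{busname}"` only, while the sibling rules accept `"{@{busname},org.freedesktop.ColorManager}"`; a call addressed to the well-known name would miss the first form.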
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Can query UPower for power devices, history and statistics.
+
+ abi ,
+
+ #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
+
+ # Find all devices monitored by UPower
+ dbus send bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.UPower
+ member=EnumerateDevices
+ peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
+
+ dbus send bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.DBus.Properties
+ member={GetDisplayDevice,GetCriticalAction}
+ peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
+
+ dbus send bus=system path=/org/freedesktop/UPower/devices/**
+ interface=org.freedesktop.UPower.Device
+ member={GetHistory,Refresh}
+ peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
+
+ dbus receive bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.UPower
+ member={DeviceAdded,DeviceRemoved}
+ peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1
similarity index 59%
rename from apparmor.d/abstractions/bus/org.freedesktop.locale1
rename to apparmor.d/abstractions/bus/system/org.freedesktop.locale1
index a2865c7c9..e2377a14b 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1
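Review bot: The second rule of the org.freedesktop.UPower hunk lists `GetDisplayDevice` and `GetCriticalAction` under `interface=org.freedesktop.DBus.Properties`, but both are methods of the `org.freedesktop.UPower` interface, so the rule as written never matches and those calls will be denied at runtime; it should read `interface=org.freedesktop.UPower`. The `{GetHistory,Refresh}` rule on `/org/freedesktop/UPower/devices/**` accepts only `name=org.freedesktop.UPower`, whereas the other rules in the hunk accept `"{@{busname},org.freedesktop.UPower}"`; aligning the peer name would avoid a denial when the client talks to the unique name.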
@@ -2,15 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=system path=/org/freedesktop/locale1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=systemd-localed), + abi , + dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager new file mode 100644 index 000000000..4833b1512 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=system name=org.gnome.DisplayManager label=gdm + + dbus send bus=system path=/org/gnome/DisplayManager/Manager + interface=org.gnome.DisplayManager.Manager + member=RegisterDisplay + peer=(name="@{busname}", label=gdm), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/own b/apparmor.d/abstractions/bus/system/own new file mode 100644 index 000000000..2b1130b32 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/own 
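Review bot: The surviving `GetAll` rule in the org.freedesktop.locale1 hunk has no `label=` on its peer, while the duplicate rule the commit removes pinned `label=systemd-localed`; after this change any process that holds the `org.freedesktop.locale1` name is an acceptable peer. If the removal was meant to drop only the `:*` name pattern, `peer=(name="{@{busname},org.freedesktop.locale1}", label=systemd-localed)` keeps the label pin on the remaining rule. The org.gnome.DisplayManager hunk on this line raises nothing.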
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Do not use it manually, It is automatically included in a profile by the
+# `aa:dbus own` directive.
+
+# Allow owning a name on DBus public bus
+
+ abi ,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera
new file mode 100644
index 000000000..0f5cff363
--- /dev/null
+++ b/apparmor.d/abstractions/camera
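Review bot: The description `# Allow owning a name on DBus public bus` does not match the rules, which are all `bus=system`; suggest `# Allow owning a name on the DBus system bus`, and in the sentence above it `It is` should read `it is`. The second rule's `GetConnectionUnixProcessID`/`GetConnectionUnixUser`/`GetConnectionCredentials` members identify the caller of an incoming request rather than own a name, so a comment such as `# Identify the peer of an incoming call (needed by name owners for access checks)` would tell a reader why they live in an "own" abstraction.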
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows access to all cameras
+
+ abi ,
+
+ # Allow detection of cameras. Leaks plugged in USB device info
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/devices/@{pci}/usb@{int}/**/busnum r,
+ @{sys}/devices/@{pci}/usb@{int}/**/devnum r,
+ @{sys}/devices/@{pci}/usb@{int}/**/idProduct r,
+ @{sys}/devices/@{pci}/usb@{int}/**/idVendor r,
+ @{sys}/devices/@{pci}/usb@{int}/**/interface r,
+ @{sys}/devices/@{pci}/usb@{int}/**/modalias r,
+ @{sys}/devices/@{pci}/usb@{int}/**/speed r,
+
+ @{sys}/class/video4linux/ r,
+ @{sys}/devices/**/video4linux/** r,
+ @{sys}/devices/**/video4linux/video@{int}/ r,
+ @{sys}/devices/**/video4linux/video@{int}/uevent r,
+
+ @{run}/udev/data/+usb:* r, # Identifies all USB devices
+ @{run}/udev/data/c81:@{int} r, # For video4linux
+
+ # VideoCore cameras (shared device with VideoCore/EGL)
+ /dev/vchiq rw,
+
+ # Access to video /dev devices
+ /dev/video@{int} rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app
index e44d8509c..28badc6db 100644
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap.
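Review bot: `@{sys}/devices/**/video4linux/** r,` already matches everything the next two rules (`@{sys}/devices/**/video4linux/video@{int}/ r,` and `.../video@{int}/uevent r,`) cover, so those two lines are dead; either drop them or, if the intent was to restrict to `video@{int}` entries only, drop the `**` rule instead. The `# Leaks plugged in USB device info` hint is the right kind of caveat, and it applies equally to `@{run}/udev/data/+usb:* r,`, which enumerates every USB device rather than only cameras, and to `/dev/video@{int} rw,`, which also covers non-camera V4L2 nodes such as capture cards and loopback devices; a similar one-line note on those rules would keep a profile author's expectations accurate.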
@@ -9,41 +10,44 @@ # applications (bwrap) that have no way to restrict access depending on the # application being confined. + abi , + include - include + include include include - include + include include include include + include include include include - include + include include include + include include + include include + include + include + include + include include - include dbus bus=accessibility, dbus bus=session, dbus bus=system, - /usr/cache/** r, - /usr/local/** r, + /usr/** rk, /usr/share/** rk, /etc/{,**} r, - / r, /.* r, - /*/ r, - @{bin}/ r, @{lib}/ r, - /usr/local/bin/ r, owner /_@{int}_/ w, owner /@{uuid}/ w, owner /var/cache/ldconfig/{,**} rw, @@ -54,17 +58,20 @@ @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/** rwl, + owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{user_config_dirs}/** rwkl, - owner @{user_share_dirs}/** rwkl, - owner @{user_games_dirs}/{,**} rm, + owner @{HOME}/** rwmlk -> @{HOME}/**, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide + owner @{user_games_dirs}/** rmix, + #aa:lint ignore=too-wide owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, @@ -73,8 +80,12 @@ @{sys}/block/ r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, + @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, + @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, 
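Review bot: `/usr/** rk,` subsumes `/usr/share/** rk,` on the very next line, so the latter is now redundant and should go, or the first rule should be narrowed back to the paths the sandbox actually needs. Compared with the removed `/usr/cache/** r,` and `/usr/local/** r,`, the new rule grants read and lock on the whole of `/usr` without explanation; if the reason is that bwrap bind-mounts the host `/usr` read-only into the sandbox, a comment such as `# bwrap exposes the whole host /usr read-only inside the sandbox` would record it for the next reviewer.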
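Review bot: `owner @{HOME}/** rwmlk -> @{HOME}/**,` adds `m` to the previous `rwlk`, so any user-writable file under the home directory can now be mapped executable, which weakens the write-xor-execute separation the rest of this abstraction and the `deny-sensitive-home` rules try to preserve. If `m` is only needed for specific locations (the `owner @{HOME}/.var/app/** rmix` line above already covers Flatpak app data), prefer listing them; otherwise mark the rule with `#aa:lint ignore=too-wide` and a comment stating why, as the same hunk does for `@{run}/user/@{uid}/**` and `@{user_games_dirs}/**`.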
@@ -84,16 +95,19 @@ @{PROC}/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/comm rk, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, + @{PROC}/cmdline r, @{PROC}/driver/** r, @{PROC}/locks r, @{PROC}/pressure/cpu r, @@ -104,6 +118,8 @@ @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/sys/net/core/bpf_jit_enable r, + @{PROC}/sys/net/core/somaxconn r, @{PROC}/uptime r, @{PROC}/version r, @{PROC}/zoneinfo r, @@ -114,20 +130,27 @@ owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/io r, + owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/hidraw@{int} rw, - /dev/input/ r, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/dri/renderD128 rw, + @{att}/dev/dri/renderD129 rw, + owner @{att}/dev/shm/@{uuid} r, + /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, + /dev/udmabuf rw, include if exists diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index a73626bb1..2d3ab179f 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap 
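Review bot: `@{att}/dev/dri/renderD128 rw,` and `@{att}/dev/dri/renderD129 rw,` hard-code two render nodes, so a third GPU or a system whose first node is not 128 would be denied; `@{att}/dev/dri/renderD@{int} rw,` would follow the `card@{int}` form on the line above, assuming `@{int}` matches three-digit numbers as its other uses in this diff suggest. `owner @{PROC}/@{pid}/pagemap r,` is unusual in a generic application abstraction since it exposes the process's physical-frame mapping; a one-line why-comment naming the consumer would help readers decide whether their profile needs this include.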
@@ -1,13 +1,16 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: att -# A minimal set of rules for sandboxed programs using bwrap. +# A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: # - the flag: attach_disconnected # - bwrap execution: '@{bin}/bwrap rix,' - # userns, + abi , + + userns, capability net_admin, capability setpcap, @@ -36,21 +39,27 @@ pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, - owner / r, owner /newroot/{,**} w, owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + @{att}/ r, + @{att}/@{run}/.userns r, + @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, - @{PROC}/sys/user/max_user_namespaces rw, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/user/max_user_namespaces r, + @{PROC}/sys/kernel/seccomp/actions_avail r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/setgroups rw, - owner @{PROC}/@{pid}/uid_map rw, + + @{att}/@{PROC}/sys/user/max_user_namespaces rw, + owner @{att}/@{PROC}/@{pid}/cgroup r, + owner @{att}/@{PROC}/@{pid}/fd/ r, + owner @{att}/@{PROC}/@{pid}/gid_map rw, + owner @{att}/@{PROC}/@{pid}/mountinfo r, + owner @{att}/@{PROC}/@{pid}/setgroups rw, + owner @{att}/@{PROC}/@{pid}/uid_map rw, include if exists diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 2e98c515a..23f4544a3 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium 
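Review bot: `@{att}/@{PROC}/sys/user/max_user_namespaces rw,` keeps write access on the attached path while the same hunk downgrades the non-attached `@{PROC}/sys/user/max_user_namespaces` from `rw` to `r`; if read is enough for the plain path, the attached rule should be `@{att}/@{PROC}/sys/user/max_user_namespaces r,` as well. Leaving `w` lets a sandboxed program raise the kernel's user-namespace limit rather than merely query it. The `owner @{att}/@{PROC}/@{pid}/{uid_map,gid_map,setgroups} rw` lines are the expected bwrap writes for setting up the namespace and look consistent with the removed non-attached versions.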
@@ -2,15 +2,29 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers -# need to use abstractions/chromium instead. +# need to use abstractions/app/chromium instead. - # userns, +# It works as a *function* and requires a variable to be provided as *arguments* +# and set in the header of the calling profile. Example: +# +# @{domain} = org.chromium.Chromium +# + abi , + + userns, + + # Required for dropping into PID namespace. Keep in mind that until the + # process drops this capability it can escape confinement, but once it + # drops CAP_SYS_ADMIN we are ok. + capability sys_admin, + + # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, capability sys_chroot, capability sys_ptrace, 
@@ -20,19 +34,26 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, + owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, - owner @{tmp}/scoped_dir*/ rw, - owner @{tmp}/scoped_dir*/SingletonCookie w, - owner @{tmp}/scoped_dir*/SingletonSocket w, - owner @{tmp}/scoped_dir*/SS w, + owner @{tmp}/.@{domain}.@{rand6} rw, + owner @{tmp}/.@{domain}.@{rand6}/ rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, + owner @{tmp}/scoped_dir@{rand6}/ rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, + owner @{tmp}/scoped_dir@{rand6}/SS rw, /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.@{domain}.@{rand6} rw, + + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # Allow getting the manufacturer and model of the computer where chromium is currently running. + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf new file mode 100644 index 000000000..1d9a6d145 --- /dev/null +++ b/apparmor.d/abstractions/common/debconf 
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+ abi ,
+
+ include
+ include
+ include
+
+ @{sh_path} rix,
+ @{bin}/locale ix,
+ @{bin}/whiptail Px,
+
+ /usr/share/debconf/frontend rix,
+ /usr/share/debconf/confmodule r,
+
+ /etc/debconf.conf r,
+
+ /var/ r,
+ /var/cache/ r,
+ /var/cache/debconf/ r,
+ owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron
index 732129c26..dd4976f5e 100644
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
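Review bot: `owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,` includes `passwords.dat`, where debconf keeps secrets entered during package configuration; the frontend needs it, but a comment such as `# passwords.dat stores debconf-entered secrets; required by the frontend` would warn authors against pulling this abstraction into profiles that only read templates. `@{bin}/whiptail Px` transitions to a separate `whiptail` profile; if that profile is not shipped alongside this abstraction the exec will fail at runtime, so the dependency is worth a line in the header comment.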
@@ -1,31 +1,35 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs -# Minimal set of rules for all electron based UI application. It works as a -# *function* and requires some variables to be provided as *arguments* and set +# Minimal set of rules for all electron based UI application. It works as a +# *function* and requires some variables to be provided as *arguments* and set # in the header of the calling profile. Example: # # @{name} = spotify -# @{lib_dirs} = /opt/@{name} +# @{domain} = org.chromium.chromium +# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ # @{config_dirs} = @{user_config_dirs}/@{name} # @{cache_dirs} = @{user_cache_dirs}/@{name} # + abi , + + include + include include include + include include include include - # userns, - - capability setgid, # If kernel.unprivileged_userns_clone = 1 - capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - + @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @{lib}/electron@{int}/electron rix, 
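Review bot: The header example `# @{domain} = org.chromium.chromium` uses a lowercase `chromium`, while the chromium abstraction in this same commit documents `@{domain} = org.chromium.Chromium`; because the variable is expanded into paths such as `.@{domain}.@{rand6}`, the case is significant and one of the two examples is wrong. If electron applications share the Chromium singleton paths, align this example to `# @{domain} = org.chromium.Chromium`. The capability and `.pki` rules removed here presumably moved into one of the newly included abstractions (the include targets are not visible on this page), so the code change itself raises no concern.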
@@ -44,47 +48,31 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{user_config_dirs}/electron-flags.conf r, - owner @{user_share_dirs}/.org.chromium.Chromium.* rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, - - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{PROC}/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner 
@{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/status r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 + + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game new file mode 100644 index 000000000..2198c8537 --- /dev/null +++ b/apparmor.d/abstractions/common/game 
@@ -0,0 +1,113 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Core set of resources for any games on Linux. Runtimes such as sandboxing,
+# wine, proton, game launchers should use this abstraction.
+
+# This abstraction uses the following tunables:
+# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories
+# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
+# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir)
+
+ abi ,
+
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{bin}/uname rix,
+ @{bin}/xdg-settings rPx,
+ @{browsers_path} rPx,
+
+ @{bin}/env r,
+
+ @{lib}/ r,
+ / r,
+ /home/ r,
+ /usr/ r,
+ /usr/local/ r,
+ /usr/local/lib/ r,
+
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ owner @{HOME}/ r,
+
+ owner @{user_games_dirs}/ r,
+ owner @{user_games_dirs}/*/ r,
+ owner @{user_games_dirs}/*/** rwlk,
+
+ owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+
+ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+
+ @{tmp}/ r,
+ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+ owner @{tmp}/#@{int} rw,
+ owner @{tmp}/AsyncGPUReadbackPlugin_*.log w,
+ owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
+ owner @{tmp}/crashes/ rw,
+ owner @{tmp}/crashes/** rwk,
+ owner @{tmp}/miles_image_@{rand6} mrw,
+ owner @{tmp}/runtime-info.txt.@{rand6} rw,
+ owner @{tmp}/tmp@{rand6}.tmp rw,
+ owner @{tmp}/tmp@{rand6}@{h}.tmp rw,
+ owner @{tmp}/tmp@{rand8}.tmp rw,
+ owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
+
+ owner /dev/shm/mono.@{int} rw,
+ owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
+
+ @{sys}/ r,
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/hidraw/ r,
+ @{sys}/class/input/ r,
+ @{sys}/devices/ r,
+ @{sys}/devices/@{pci}/boot_vga r,
+ @{sys}/devices/@{pci}/net/*/carrier r,
+ @{sys}/devices/**/input@{int}/ r,
+ @{sys}/devices/**/input@{int}/**/{vendor,product} r,
+ @{sys}/devices/**/input/input@{int}/ r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/system/ r,
+ @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
+ @{sys}/devices/system/cpu/cpu@{int}/ r,
+ @{sys}/devices/virtual/dmi/id/* r,
+ @{sys}/devices/virtual/net/*/carrier r,
+ @{sys}/kernel/ r,
+
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
+
+ @{PROC}/uptime r,
+ @{PROC}/version r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/pagemap r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
+ /dev/ r,
+ /dev/hidraw@{int} rw,
+ /dev/tty rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome
index c93f9bc05..6dcb26860 100644
--- a/apparmor.d/abstractions/common/gnome
+++ b/apparmor.d/abstractions/common/gnome
@@ -4,25 +4,35 @@ # Minimal set of rules for all gnome based UI application. + abi , + include + include include include include - @{open_path} rPx -> child-open-help, - /usr/share/@{profile_name}/{,**} r, + / r, + owner @{user_cache_dirs}/@{profile_name}/ rw, - owner @{user_cache_dirs}/@{profile_name}/** rwlk, + owner @{user_cache_dirs}/@{profile_name}/** rwlk -> @{user_cache_dirs}/@{profile_name}/**, owner @{user_config_dirs}/@{profile_name}/ rw, - owner @{user_config_dirs}/@{profile_name}/** rwlk, + owner @{user_config_dirs}/@{profile_name}/** rwlk -> @{user_config_dirs}/@{profile_name}/**, owner @{user_share_dirs}/@{profile_name}/ rw, - owner @{user_share_dirs}/@{profile_name}/** rwlk, + owner @{user_share_dirs}/@{profile_name}/** rwlk -> @{user_share_dirs}/@{profile_name}/**, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index 9c1df7d51..851588220 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game 
@@ -1,46 +1,21 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: app_dirs +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: share_dirs - include - include - include - include - include - include - include + abi , - @{bin}/uname rix, - @{bin}/xdg-settings rPx, - @{browsers_path} rPx, + include - @{bin}/env r, - - @{app_dirs}/ r, @{lib_dirs}/ r, - @{lib}/ r, - / r, - /home/ r, - /usr/ r, - /usr/local/ r, - /usr/local/lib/ r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{HOME}/ r, owner @{HOME}/.steam/steam.pid r, owner @{HOME}/.steam/steam.pipe r, - owner @{user_games_dirs}/ r, - owner @{user_games_dirs}/*/ r, - owner @{user_games_dirs}/*/{,**} rwkl, - - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + owner @{app_dirs}/ r, + owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper" owner @{share_dirs}/ r, owner @{share_dirs}/* r, 
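Review bot: `owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper"` excludes every directory whose name starts with a capital `S`, not just the runtime, so a game installed under a name such as `Stardew Valley` or `Subnautica` silently loses write access while the comment suggests only the runtime is affected. AppArmor globbing has no negated full-name pattern, so either state the broad exclusion honestly (`# Excludes every entry starting with 'S', including SteamLinuxRuntime_sniper`) or allow `@{app_dirs}/*/**` and add an explicit `deny owner @{app_dirs}/SteamLinuxRuntime_sniper/** wl,` next to it, since deny rules take precedence. The same `[^S]*` idiom appears on the line removed from `steamapps/common/` in the next hunk.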
@@ -51,23 +26,9 @@ owner @{share_dirs}/logs/* rwk, owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw, owner @{share_dirs}/steamapps/ r, - owner @{share_dirs}/steamapps/common/ r, - owner @{share_dirs}/steamapps/common/[^S]*/** rwlk, + owner @{share_dirs}/steamapps/appmanifest_* rw, owner @{share_dirs}/steamapps/shadercache/{,**} rwk, - @{tmp}/ r, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{tmp}/#@{int} rw, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/crashes/ rw, - owner @{tmp}/crashes/** rwk, - owner @{tmp}/miles_image_@{rand6} mrw, - owner @{tmp}/runtime-info.txt.@{rand6} rw, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - owner /dev/shm/mono.@{int} rw, - owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, 
@@ -75,53 +36,6 @@ owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/devices/ r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/net/*/carrier r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/system/ r, - @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/cpu@{int}/ r, - @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/net/*/carrier r, - @{sys}/kernel/ r, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/uptime r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/tty rw, - /dev/uinput rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index 0ed3a824b..f4a10076e 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd 
@@ -3,9 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - ptrace (read) peer=@{p_systemd}, + abi , + + ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 000000000..b8b7ad90f --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,8 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # There are the common ways to refer to consoles + /dev/tty@{u8} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index a163af66d..8fb84d261 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -4,7 +4,15 @@ include + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + @{lib}/.lib*.so*.hmac r, + @{lib}/@{multiarch}/.lib*.so*.hmac r, + @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, + # Used to determine if Linux is running in FIPS mode + @{PROC}/sys/crypto/fips_enabled r, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-accessibility-strict.d/complete b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete new file mode 100644 index 000000000..f71f7d869 --- /dev/null +++ b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete
new file mode 100644
index 000000000..8d82bd277
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@@ -0,0 +1,7 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ include
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/dbus-strict.d/complete b/apparmor.d/abstractions/dbus-strict.d/complete
new file mode 100644
index 000000000..d35c7822a
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-strict.d/complete
@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+ @{run}/dbus/system_bus_socket rw,
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write
index f25e1c3e6..72a943527 100644
--- a/apparmor.d/abstractions/dconf-write
+++ b/apparmor.d/abstractions/dconf-write
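Review bot: `member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}` places `StartServiceByName` in the baseline every profile using `dbus-strict` inherits, which lets any confined program trigger activation of any bus-activatable system service; the other members are needed for plain bus participation, but activation is a distinct capability better kept in the profiles that actually use it, or at least called out with `# StartServiceByName allows activating any system service`. `@{run}/dbus/system_bus_socket rw,` is the usual socket access and looks fine.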
@@ -5,24 +5,15 @@ # Permissions for querying dconf settings with write access; use the dconf # abstraction first, and dconf-write only for specific application's profile. - dbus send bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Change - peer=(name=ca.desrt.dconf), # no peer's labels + abi , - dbus receive bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Notify - peer=(name=:*, label=dconf-service), + include + include - /usr/share/dconf/profile/gdm r, + owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile - /etc/dconf/** r, - - owner @{user_config_dirs}/dconf/user r, - - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/dconf/ w, + owner @{run}/user/@{uid}/dconf/user w, include if exists diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete new file mode 100644 index 000000000..1796c7ca0 --- /dev/null +++ b/apparmor.d/abstractions/dconf.d/complete @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + /usr/share/dconf/profile/gdm r, + + owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile + + owner @{run}/user/@{uid}/dconf/ r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index d8e1fdfb8..68c013a51 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home 
@@ -11,42 +11,58 @@ # The only legitimate use in this project is for file browser and search engine. - deny @{HOME}/.*.bak mrwkl, - deny @{HOME}/.*.swp mrwkl, - deny @{HOME}/.*~ mrwkl, - deny @{HOME}/.*~1~ mrwkl, + abi , + + # User defined private directories + deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + deny @{user_private_dirs}/{,**} mrxwlk, + + # Files with secret paswords and tokens deny @{HOME}/.*age*{,/{,**}} mrwkl, deny @{HOME}/.*aws*{,/{,**}} mrwkl, deny @{HOME}/.*cert*{,/{,**}} mrwkl, - deny @{HOME}/.*history mrwkl, deny @{HOME}/.*key*{,/{,**}} mrwkl, deny @{HOME}/.*pass*{,/{,**}} mrwkl, deny @{HOME}/.*pki*{,/{,**}} mrwkl, deny @{HOME}/.*private*{,/{,**}} mrwkl, deny @{HOME}/.*secret*{,/{,**}} mrwkl, deny @{HOME}/.*yubi*{,/{,**}} mrwkl, + deny @{HOME}/.aws/{,**} mrwkl, + deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, + deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl, + deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, + deny @{run}/user/@{uid}/keyring** mrwkl, + deny @{user_config_dirs}/*-store/{,**} mrwkl, + deny @{user_passwordstore_dirs}/{,**} mrwkl, + deny @{user_share_dirs}/kwalletd/{,**} mrwkl, + + # Privacy violations + deny @{HOME}/.*.bak mrwkl, + deny @{HOME}/.*.swp mrwkl, + deny @{HOME}/.*~ mrwkl, + deny @{HOME}/.*~1~ mrwkl, + deny @{HOME}/.*history mrwkl, + deny @{HOME}/.evolution/{,**} mrwkl, deny @{HOME}/.fetchmail* mrwkl, + deny @{HOME}/.gnome2_private/{,**} mrwkl, + deny @{HOME}/.gnome2/keyrings/{,**} mrwkl, deny @{HOME}/.lesshst* mrwkl, deny @{HOME}/.mozilla/{,**} mrwkl, - deny @{HOME}/.mutt* mrwkl, + deny @{HOME}/.mutt** mrwkl, deny @{HOME}/.thunderbird/{,**} mrwkl, deny @{HOME}/.viminfo* mrwkl, deny @{HOME}/.wget-hsts mrwkl, - deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl, - deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, - deny @{user_config_dirs}/*-store/{,**} mrwkl, deny @{user_config_dirs}/chromium/{,**} mrwkl, - deny @{user_password_store_dirs}/{,**} mrwkl, - deny 
@{user_share_dirs}/kwalletd/{,**} mrwkl, - - # User defined private directories - deny @{user_private_dirs}/{,**} mrxwlk, - deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, - deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + deny @{user_config_dirs}/evolution/{,**} mrwkl, # Deny executable mapping in writable space as allowed in abstractions/fonts - deny @{HOME}/.{,cache/}fontconfig/ rw, - deny @{HOME}/.{,cache/}fontconfig/** mrwl, + deny @{HOME}/.{,cache/}fontconfig/ rw, + deny @{HOME}/.{,cache/}fontconfig/** mrwl, + + # special attention to (potentially) executable files + deny @{HOME}/bin wl, + deny @{HOME}/bin/{,**} wl, include if exists diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index befea8bcb..c4abbd574 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -7,28 +7,37 @@ # When supported in apparmor, condition will be used in this abstraction to filter # resources specific for supported DE. + abi , + + include + include include - include - include + include + include + include + include include + include + include + include include include + include # if @{DE} == gnome dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, + / r, + + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, # else if @{DE} == kde 
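Review bot: `# Files with secret paswords and tokens` has a typo and should read `passwords`. Under `# special attention to (potentially) executable files`, `deny @{HOME}/bin wl,` and `deny @{HOME}/bin/{,**} wl,` cover `~/bin` but not `~/.local/bin`, which is commonly on PATH on current distributions and is at least as likely a drop location for user scripts; a matching `deny @{HOME}/.local/bin/{,**} wl,` (or the project's variable for it) would make the intent consistent. `deny @{HOME}/.*history mrwkl,` only matches dotfiles in the home root, so shell histories kept under `@{user_share_dirs}` stay readable; that may be out of scope here but is worth a note in the comment.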
@@ -36,32 +45,44 @@ @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, + /usr/share/knotifications{5,6}/*.notifyrc r, + + /etc/xdg/baloofilerc r, + /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, + + owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/dolphinrc r, + owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/kdedefaults/kcminputrc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce - /usr/share/xfce4/ r, + /usr/share/xfce{,4}/ r, owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, # end - /usr/share/hwdata/*.ids r, + /usr/share/desktop-base/{,**} r, + /usr/share/hwdata/*.ids r, # FIXME: a bit too wide /usr/share/icu/@{int}.@{int}/*.dat r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files new file mode 100644 index 000000000..9c0a8b941 --- /dev/null +++ b/apparmor.d/abstractions/desktop-files 
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ @{system_share_dirs}/applications/{,**} r,
+ @{system_share_dirs}/*ubuntu/applications/{,**} r,
+ @{system_share_dirs}/gnome/applications/{,**} r,
+ @{system_share_dirs}/xfce4/applications/{,**} r,
+
+ /etc/gnome/defaults.list r,
+ /etc/xfce4/defaults.list r,
+ /etc/xdg/menus/ r,
+ /etc/xdg/menus/applications-merged/{,**} r,
+
+ /var/lib/snapd/desktop/applications/{,**} r,
+
+ owner @{user_share_dirs}/applications/{,**} r,
+
+ owner @{user_config_dirs}/menus/ r,
+ owner @{user_config_dirs}/menus/applications-merged/{,**} r,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f
new file mode 100644
index 000000000..c707d66e0
--- /dev/null
+++ b/apparmor.d/abstractions/devices-u2f
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows access to Universal 2nd Factor (U2F) devices
+
+ abi ,
+
+ @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
+
+ # Needed for dynamic assignment of U2F devices
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+
+ @{sys}/devices/**/i2c*/**/report_descriptor r,
+ @{sys}/devices/**/usb@{int}/**/report_descriptor r,
+
+ # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed
+ /dev/hidraw@{int} rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb
index 5a2a8b742..3361f10ec 100644
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
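Review bot: `/dev/hidraw@{int} rw` in devices-u2f is not limited to security keys: hidraw nodes exist for every HID device, keyboards and mice included, so a profile that includes this abstraction can read raw input reports from any hidraw node its DAC permissions allow. AppArmor cannot filter on device class, so the header should state the real scope, e.g. `# NOTE: grants raw access to ALL HID devices (keyboards, mice, ...), not only U2F tokens; include only in profiles that genuinely talk to a security key.` The inline comment also has two typos, `HDI` should be `HID` and `wich` should be `which`.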
@@ -3,24 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{int}/@{int} rwk, +# Allow raw access to all connected USB devices - @{sys}/class/ r, - @{sys}/class/usbmisc/ r, + abi , - @{sys}/bus/ r, - @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/{,**} r, + include - @{sys}/devices/**/usb@{int}/{,**} rw, + @{PROC}/tty/drivers r, - # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, + + # Allow access to all ttyUSB devices too + /dev/ttyACM@{int} wk, + /dev/ttyUSB@{int} wk, + + # Allow raw access to USB printers (i.e. for receipt printers in POS systems). + /dev/usb/lp@{int} wk, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read new file mode 100644 index 000000000..ea3131d59 --- /dev/null +++ b/apparmor.d/abstractions/devices-usb-read 
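Review bot: The rewritten devices-usb grants `wk` on every raw USB endpoint, every `ttyACM`/`ttyUSB` serial port and every `/dev/usb/lp@{int}` printer in one abstraction, so a profile that only needs a serial adapter also gets write access to all USB devices. If the three groups are not always needed together, splitting them (or pointing profile authors at the individual rules) preserves least privilege; at minimum the header should state the full scope, e.g. `# Grants write access to ALL raw USB devices, USB serial ports and USB printers; read side comes from the included read abstraction.` Dropping the old `@{sys}/devices/**/usb@{int}/{,**} rw` sysfs write rule is a good tightening.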
@@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow detection of usb devices. Leaks plugged in USB device info + + abi , + + @{sys}/class/ r, + @{sys}/class/usbmisc/ r, + + @{sys}/bus/ r, + @{sys}/bus/usb/ r, + @{sys}/bus/usb/devices/ r, + @{sys}/devices/**/usb@{int}/ r, + @{sys}/devices/**/usb@{int}/** r, + + # Udev data about usb devices (~equal to content of lsusb -v) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/b180:@{int} r, # USB block devices + @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems + @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices + + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 10beb258d..e33ec2c3f 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -5,6 +5,8 @@ # The /sys/ entries probably should be tightened + abi , + /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, @@ -18,6 +20,7 @@ @{sys}/devices/@{pci}/host@{int}/** r, @{sys}/devices/@{pci}/usb@{int}/** r, @{sys}/devices/@{pci}/virtio@{int}/** r, + @{sys}/devices/**/host@{int}/** r, # SSD Nvme devices /dev/nvme[0-9]* rk, @@ -41,6 +44,12 @@ @{sys}/devices/virtual/block/loop@{int}/ r, @{sys}/devices/virtual/block/loop@{int}/** r, + # Xen PVH devices + @{sys}/devices/vbd-@{int}/block/** r, + + # Channel subsystem for IBM Z + @{sys}/devices/css@{int}/** r, + # LUKS/LVM (device-mapper) devices /dev/dm-@{int} rk, /dev/mapper/{,*} r, 
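Review bot: `@{sys}/devices/**/host@{int}/** r` in disks-read matches any `host<N>` directory anywhere under `/sys/devices`, which subsumes the `@{sys}/devices/@{pci}/host@{int}/** r` context rule at the top of the same hunk and makes it redundant. The file's own header says the `/sys/` entries should be tightened, so a new `**/**` rule should either be anchored to the bus it was added for (for instance `@{sys}/devices/platform/**/host@{int}/** r` if this is for non-PCI SCSI hosts) or carry a comment naming the hardware that needs it, e.g. `# SCSI hosts not attached to a PCI device (e.g. platform/virtual controllers)`. The surrounding rule list continues outside this hunk.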
@@ -72,8 +81,13 @@ # CD-ROM /dev/sr@{int} rk, + # MD RAID devices + /dev/md@{int} rk, + @{sys}/devices/virtual/block/md@{int}/ r, + @{sys}/devices/virtual/block/md@{int}/** r, + # Lookup block device by major:minor numbers - # See: https://apparmor.pujol.io/development/structure/#udev-rules + # See: https://apparmor.pujol.io/development/internal/#udev-rules @{sys}/block/ r, @{sys}/class/block/ r, @@ -82,17 +96,18 @@ @{run}/udev/data/b2:@{int} r, # for /dev/fd* @{run}/udev/data/b7:@{int} r, # for /dev/loop* @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b9:@{int} r, # for /dev/md* @{run}/udev/data/b11:@{int} r, # for /dev/sr* @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 - @{run}/udev/data/b25[0-4]:@{int} r, - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 + @{run}/udev/data/b25[0-4]:@{int} r, # to 254 + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # for disk over usb hub + @{run}/udev/data/+usb:* r, # Identifies all USB devices include if exists diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 361b60d82..a52518042 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write 
@@ -3,96 +3,46 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # The /sys/ entries probably should be tightened + abi , - /dev/ r, - /dev/block/ r, - /dev/disk/{,*/} r, + include # Regular disk/partition devices - /dev/{s,v}d[a-z]* rwk, - /dev/{s,v}d[a-z]*@{int} rwk, - @{sys}/devices/@{pci}/ata@{int}/** r, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r, - @{sys}/devices/@{pci}/block/{s,v}d[a-z]/** r, - @{sys}/devices/@{pci}/host@{int}/** r, - @{sys}/devices/@{pci}/usb@{int}/** r, - @{sys}/devices/@{pci}/virtio@{int}/** r, + /dev/{s,v}d[a-z]* w, + /dev/{s,v}d[a-z]*@{int} w, # SSD Nvme devices - /dev/nvme[0-9]* rwk, - @{sys}/devices/@{pci}/nvme/nvme@{int}/{,**} r, + /dev/nvme[0-9]* w, # SD card devices - /dev/mmcblk[0-9]* rwk, - /dev/mmcblk[0-9]*p@{int} rwk, - @{sys}/devices/@{pci}/block/mmcblk@{int}/ r, - @{sys}/devices/@{pci}/block/mmcblk@{int}/** r, - @{sys}/devices/@{pci}/mmc@{int}/mmc*/ r, - @{sys}/devices/@{pci}/mmc@{int}/mmc*/** r, - @{sys}/devices/platform/**/block/mmcblk@{int}/ r, - @{sys}/devices/platform/**/block/mmcblk@{int}/** r, - @{sys}/devices/platform/**/mmc@{int}/ r, - @{sys}/devices/platform/**/mmc@{int}/** r, + /dev/mmcblk[0-9]* w, + /dev/mmcblk[0-9]*p@{int} w, # Loop devices - /dev/loop[0-9]* rwk, - /dev/loop[0-9]*p@{int} rwk, - @{sys}/devices/virtual/block/loop@{int}/ r, - @{sys}/devices/virtual/block/loop@{int}/** r, + /dev/loop[0-9]* w, + /dev/loop[0-9]*p@{int} w, # LUKS/LVM (device-mapper) devices - /dev/dm-@{int} rwk, - /dev/mapper/{,*} rw, - @{sys}/devices/virtual/block/dm-@{int}/ r, - @{sys}/devices/virtual/block/dm-@{int}/** r, + /dev/dm-@{int} w, + /dev/mapper/{,*} w, # ZFS devices - /dev/zd@{int} rwk, - /dev/*pool/ r, - /dev/zvol/{,*/} r, - @{sys}/devices/virtual/block/zd@{int}/ r, - @{sys}/devices/virtual/block/zd@{int}/** r, + /dev/zd@{int} w, # ZRAM devices - /dev/zram@{int} rwk, - @{sys}/devices/virtual/block/zram@{int}/ r, - @{sys}/devices/virtual/block/zram@{int}/** r, + /dev/zram@{int} w, # 
NBD devices - /dev/nbd* rwk, - @{sys}/devices/virtual/block/nbd@{int}/ r, - @{sys}/devices/virtual/block/nbd@{int}/** r, + /dev/nbd* w, # Floppy disks - /dev/fd@{int} rwk, - @{sys}/devices/platform/floppy.@{int}/block/fd@{int}/ r, - @{sys}/devices/platform/floppy.@{int}/block/fd@{int}/** r, + /dev/fd@{int} w, # CD-ROM - /dev/sr@{int} rwk, + /dev/sr@{int} w, - # Lookup block device by major:minor numbers - # See: https://apparmor.pujol.io/development/structure/#udev-rules - - @{sys}/block/ r, - @{sys}/class/block/ r, - @{sys}/dev/block/ r, - - @{run}/udev/data/b2:@{int} r, # for /dev/fd* - @{run}/udev/data/b7:@{int} r, # for /dev/loop* - @{run}/udev/data/b8:@{int} r, # for /dev/sd* - @{run}/udev/data/b11:@{int} r, # for /dev/sr* - @{run}/udev/data/b43:@{int} r, # for /dev/nbd* - @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* - @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 - @{run}/udev/data/b25[0-4]:@{int} r, - @{run}/udev/data/b259:@{int} r, - - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - - @{run}/udev/data/+usb:* r, # for disk over usb hub + # MD RAID devices + /dev/md@{int} w, include if exists diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index a1eb1cd41..128da00d0 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -3,9 +3,11 @@ # SPDX-License-Identifier: GPL-2.0-only # The Direct Rendering Infrastructure (DRI) is the framework comprising the modern -# Linux graphics stack which allows unprivileged user-space programs to issue +# Linux graphics stack which allows unprivileged user-space programs to issue # commands to graphics hardware without conflicting with other programs. + abi , + @{lib}/dri/** mr, @{lib}/@{multiarch}/dri/** mr, @{lib}/fglrx/dri/** mr, 
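Review bot: Every device rule in disks-write drops from `rwk` to `w` and relies on the included read abstraction for `r` and `k`, but that is only equivalent where disks-read actually carries `k`: in this diff disks-read shows `rk` for `nvme`, `dm-`, `sr` and the new `md` nodes, while `/dev/mapper/{,*}` is `r` only there, and the `/dev/*pool/ r` and `/dev/zvol/{,*/} r` directory reads removed here do not appear in the visible disks-read hunks. Tools such as sfdisk/fdisk (`--lock`) and cryptsetup take `flock` on block devices, so a missing `k` surfaces as a denial, not a silent downgrade; please check each path against the full disks-read file. Since this abstraction now hands out raw write access to whole disks, a header comment would help profile authors treat it as a privilege boundary: `# Grants raw WRITE access to all block devices; include only in disk-management tools.`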
@@ -26,8 +28,11 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, + # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, + + # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index fe3cab891..65f97f9f2 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -2,9 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. + abi , + /usr/share/fish/{,**} r, /etc/fish/{,**} r, diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 216075648..306787378 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -9,6 +9,8 @@ # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use # the "fontconfig-cache-write" abstraction. + abi , + owner @{user_cache_dirs}/fontconfig/ r, deny @{user_cache_dirs}/fontconfig/ w, deny @{user_cache_dirs}/fontconfig/** w, diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 19fa7c53a..922a15a6a 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/fontconfig/ rw, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 3e669f4dc..df445cef5 100644 
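Review bot: The rewritten header comment in the fish abstraction now says `only required when zshrc is loaded`, but the rules below it are `/usr/share/fish/` and `/etc/fish/`, so the wording looks copied from the zsh abstraction and will make readers think the file is misfiled. Suggest `# This abstraction is only required when fish's configuration is loaded (e.g. interactive shell).` Nothing else in the hunk changes behaviour.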
--- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -13,14 +13,19 @@ @{system_share_dirs}/ r, @{system_share_dirs}/mime/ r, - /usr/share/mime/ r, + /opt/*/**.{desktop,png} r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/.icons/{,**} r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/glfw similarity index 59% rename from apparmor.d/abstractions/bus/org.kde.kwalletd rename to apparmor.d/abstractions/glfw index c0d2ecba2..5dbda197d 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/glfw @@ -2,6 +2,10 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include if exists + abi , + + owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw, + + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc new file mode 100644 index 000000000..8536470bd --- /dev/null +++ b/apparmor.d/abstractions/glibc 
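Review bot: `owner @{user_share_dirs}/recently-used.xbel rw` (with the `.@{rand6}` and `.lock` variants) gives every profile that pulls in `freedesktop.org.d/complete` read and write access to the user's cross-application recent-documents history, a privacy-sensitive file: a confined app can now enumerate every document the user opened in other apps and rewrite that history. If this is for the GTK file chooser, the four lines arguably belong in the GTK abstraction rather than the generic freedesktop one; otherwise please add a comment making the trade-off explicit, e.g. `# recently-used.xbel is shared across apps; rw exposes the full recent-file history to the confined app.` The `/opt/*/**.{desktop,png} r` line is read-only and fine.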
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ # Used by Glibc when binding to ephemeral ports
+ @{etc_ro}/bindresvport.blacklist r,
+
+ # Depending on which Glibc routine uses this file, base may not be the
+ # best place -- but many profiles require it, and it is quite harmless.
+ @{PROC}/sys/kernel/ngroups_max r,
+
+ # Glibc's sysconf(3) routine to determine free memory, etc
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/online r,
+ @{sys}/devices/system/cpu/possible r,
+ @{PROC}/cpuinfo r,
+ @{PROC}/meminfo r,
+ @{PROC}/stat r,
+
+ # Glibc's *printf protections read the maps file
+ owner @{PROC}/@{pid}/auxv r,
+ owner @{PROC}/@{pid}/maps r,
+ owner @{PROC}/@{pid}/status r,
+
+ # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,
+ # but in a format that is simpler to manage, because it doesn't require to
+ # parse the text data inside a file, but just reading the contents of
+ # a directory.
+ owner @{PROC}/@{pid}/map_files/ r,
+
+ # Glibc statvfs
+ @{PROC}/filesystems r,
+
+ # Glibc malloc (man 5 proc)
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # Recent glibc uses /dev/full in preference to /dev/null for programs
+ # that don't have open fds at exec()
+ /dev/full rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
index 891e5a573..227377f3a 100644
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@@ -2,30 +2,39 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + include + include include - include - include + include + include + include + include + include + include + include + include include include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + /usr/share/desktop-base/{,**} r, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, + / r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 90f705ac7..3d4b47f9f 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 9b7954f0d..c4edd09b4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics 
@@ -2,22 +2,33 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include include - /etc/igfx_user_feature{,_next}.txt w, + /etc/igfx_user_feature{,_next,_report}.txt w, /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, + @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/* r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, + @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node@{int}/cpumap r, include if exists diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index fe2d2001c..de5f865b5 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -2,11 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + include include + include /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/gschemas b/apparmor.d/abstractions/gschemas new file mode 100644 index 000000000..21a4d860c --- /dev/null +++ b/apparmor.d/abstractions/gschemas 
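Review bot: `/etc/igfx_user_feature{,_next,_report}.txt w` grants write access to files directly under `/etc/` to every profile that includes `graphics`, i.e. most GUI applications, and this hunk widens it to a third filename without saying why. If these appear to be Intel media-driver override files that are merely probed at startup, a `deny ... w,` is the least-privilege choice; if the writes must succeed, the rule belongs in the Intel-specific abstraction with a comment such as `# Intel media driver feature-override files, probed at startup`. The sysfs tightening from `cache/index@{int}/*` and `topology/*` to named attributes is a good change.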
@@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/ r, + @{system_share_dirs}/glib-2.0/schemas/ r, + @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 60bac614e..5a14b6f7a 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -3,15 +3,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, - @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, + @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, - # FIXME: not compatible with FSP mode due conflicting x modifiers @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix, @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix, @{lib}/gstreamer-1.0/gst-plugin-scanner rix, + /usr/share/gstreamer-1.0/presets/Gst*Enc.prs r, + /etc/openni2/OpenNI.ini r, /tmp/ r, @@ -29,14 +32,14 @@ # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - #owner /tmp/orcexec.* mrw, + owner @{tmp}/orcexec.@{rand6} mrw, #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c189:@{int} r, # For USB serial converters + @{run}/udev/data/c189:@{int} r, # For USB serial converters @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, 
@@ -45,13 +48,23 @@ @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, - @{sys}/devices/@{pci}/{busnum,config,devnum,descriptors,speed,uevent} r, + @{sys}/devices/@{pci}/busnum r, + @{sys}/devices/@{pci}/config r, + @{sys}/devices/@{pci}/descriptors r, + @{sys}/devices/@{pci}/devnum r, + @{sys}/devices/@{pci}/numa_node r, + @{sys}/devices/@{pci}/speed r, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/devices r, + /dev/ r, /dev/bus/usb/ r, /dev/dri/ r, + /dev/nvidia-uvm rw, include if exists diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict new file mode 100644 index 000000000..0bf0ab41c --- /dev/null +++ b/apparmor.d/abstractions/gtk-strict 
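Review bot: Enabling `owner @{tmp}/orcexec.@{rand6} mrw` permits a file under `/tmp` to be both written and mapped executable (`m` and `w` on the same path), a W^X exception in a world-writable directory, on top of the existing `@{run}/user/@{uid}/orcexec.@{rand6} mrw`. The comment at the top of the hunk describes ORC's fallback chain, but since the `@{run}/user/@{uid}` location is tried first, the new line should say when the `/tmp` fallback is actually reached so it can be re-evaluated instead of kept by default, e.g. `# fallback when $XDG_RUNTIME_DIR is unavailable or noexec; note this is write+exec in /tmp`. The remaining edits in the hunk are comment and whitespace changes.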
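Review bot: `/dev/nvidia-uvm rw` is added to gstreamer unconditionally, while the same commit removes `/dev/nvidia-uvm rw` and `/dev/nvidia-uvm-tools rw` from `graphics-full` in favour of an include; the two should be consistent, and gstreamer ought to pull in that same abstraction rather than carry the raw device rule, otherwise every media-playing application gets access to the CUDA unified-memory device whether or not it uses an NVIDIA GPU. If a direct rule is kept on purpose, a comment such as `# NVDEC/NVENC via CUDA; kept here rather than via the nvidia abstraction because ...` would explain the divergence. The split of `@{sys}/devices/@{pci}/{busnum,config,...}` into one rule per attribute is a good tightening.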
@@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + include + include + + @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, + + /usr/share/gtksourceview-2.0/{,**} r, + /usr/share/gtksourceview-3.0/{,**} r, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/gtksourceview-5/{,**} r, + + /usr/share/gtk-2.0/ r, + /usr/share/gtk-2.0/gtkrc r, + + /usr/share/gtk-3.0/ r, + /usr/share/gtk-3.0/settings.ini r, + + /usr/share/gtk-4.0/ r, + /usr/share/gtk-4.0/settings.ini r, + + /etc/gtk/gtkrc r, + + /etc/gtk-2.0/ r, + /etc/gtk-2.0/gtkrc r, + + /etc/gtk-3.0/ r, + /etc/gtk-3.0/*.conf r, + /etc/gtk-3.0/settings.ini r, + + /etc/gtk-4.0/ r, + /etc/gtk-4.0/*.conf r, + /etc/gtk-4.0/settings.ini r, + + owner @{HOME}/.gtk r, + owner @{HOME}/.gtkrc r, + owner @{HOME}/.gtkrc-2.0 r, + owner @{HOME}/.gtk-bookmarks r, + + owner @{user_cache_dirs}/gtk-4.0/ rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw, + owner @{user_cache_dirs}/gtkrc r, + owner @{user_cache_dirs}/gtkrc-2.0 r, + + owner @{user_config_dirs}/gtk-2.0/ rw, + owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw, + + owner @{user_config_dirs}/gtk-3.0/ rw, + owner @{user_config_dirs}/gtk-3.0/bookmarks r, + owner @{user_config_dirs}/gtk-3.0/colors.css r, + owner @{user_config_dirs}/gtk-3.0/gtk.css r, + owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{user_config_dirs}/gtk-3.0/settings.ini r, + owner @{user_config_dirs}/gtk-3.0/window_decorations.css r, + + owner @{user_config_dirs}/gtk-4.0/ rw, + owner @{user_config_dirs}/gtk-4.0/bookmarks r, + owner @{user_config_dirs}/gtk-4.0/colors.css r, + owner @{user_config_dirs}/gtk-4.0/gtk.css r, + owner @{user_config_dirs}/gtk-4.0/servers r, + owner @{user_config_dirs}/gtk-4.0/settings.ini r, + owner @{user_config_dirs}/gtk-4.0/window_decorations.css r, + 
+ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index ac702a70f..0b69d8ee1 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,32 +2,9 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session - interface=org.gtk.Actions - member=DescribeAll - peer=(name=:*), - dbus send bus=session - interface=org.gtk.Actions - member=DescribeAll - peer=(label=gnome-shell), - - dbus receive bus=session - interface=org.gtk.Actions - member=Changed - peer=(name=:*), - dbus receive bus=session - interface=org.gtk.Actions - member=Changed - peer=(label=gnome-shell), - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + include + include + include @{lib}/{,@{multiarch}/}gtk*/** mr, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 33d034b5a..3ecd8c36d 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -8,6 +8,7 @@ type=stream peer=(addr="@/tmp/ibus/dbus-????????"), + #aa:lint ignore=tunables # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) 
@@ -16,11 +17,15 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????"), - unix (connect, send, receive, accept, bind, listen) type=stream addr="@/home/*/.cache/ibus/dbus-????????", + dbus receive bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=ibus-daemon), + owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons new file mode 100644 index 000000000..6a721b837 --- /dev/null +++ b/apparmor.d/abstractions/icons @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/icons/{,**} r, + @{system_share_dirs}/pixmaps/{,**} r, + + /opt/**/share/icons/{,**} r, + /opt/*/**.desktop r, + /opt/*/**/*.png r, + + /var/lib/snapd/desktop/icons/{,**} r, + + owner @{HOME}/.icons/{,**} r, + + owner @{user_share_dirs}/icons/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input new file mode 100644 index 000000000..57905fd0c --- /dev/null +++ b/apparmor.d/abstractions/input 
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2022-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow reading and writing to raw input devices + + abi , + + # network netlink raw, + + # Allow reading for supported event reports for all input devices. See + # https://www.kernel.org/doc/Documentation/input/event-codes.txt + @{sys}/devices/**/input@{int}/capabilities/* r, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/mice rw, + /dev/input/mouse@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java new file mode 100644 index 000000000..91472d21e --- /dev/null +++ b/apparmor.d/abstractions/java @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/java/{,**} r, + + /etc/java/{,**} r, + /etc/java-*/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete index 37038b129..adeb9a4bb 100644 --- a/apparmor.d/abstractions/kde-open5.d/complete +++ b/apparmor.d/abstractions/kde-open5.d/complete @@ -6,6 +6,6 @@ owner @{user_config_dirs}/menus/{,**} r, - owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index c164bd434..79e97b23f 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict 
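Review bot: `/dev/input/event@{int} rw` together with `mice` and `mouse@{int}` gives a confined process raw evdev access to every input device, which for a keyboard node is a keylogger primitive; the header `# Allow reading and writing to raw input devices` does not convey that consequence. Suggest `# WARNING: grants raw evdev access to ALL input devices, keyboards included; include only where the app genuinely needs evdev (games, libinput users), never for convenience.` The commented-out `# network netlink raw,` line should either be enabled with a reason or removed, since a dead rule in an abstraction is easy to misread as active.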
@@ -2,29 +2,44 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + include + include include - include + include + include + include + include include + include + include + include include include + include @{lib}/kde{,3,4}/*.so mr, @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, - /usr/share/hwdata/pnp.ids r, + /usr/share/desktop-base/{,**} r, + /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/desktop-base/kf{5,6}-settings/kdeglobals r, + /usr/share/knotifications{5,6}/*.notifyrc r, + /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu + /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, + owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, owner @{user_config_dirs}/kdedefaults/kcminputrc r, @@ -32,6 +47,12 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/*_* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/trashrc r, + + owner @{user_share_dirs}/#@{int} rw, include if exists diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld new file mode 100644 index 000000000..21ac745e2 --- /dev/null +++ b/apparmor.d/abstractions/ld 
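Review bot: `owner @{user_config_dirs}/session/*_* rwlk` in kde-strict's second hunk is broader than the equivalent rule this same commit adds to `abstractions/desktop`, `owner @{user_config_dirs}/session/@{profile_name}* rwlk`, so a KDE application confined with kde-strict can read, write and link any other application's session file while a desktop-confined one cannot. Unless kde-strict has a reason to need the wider glob, use the `@{profile_name}*` form here too for consistency and least privilege. The `#aa:only ubuntu` tagged `kubuntu-default-settings` read is fine.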
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # ld.so.cache and ld are used to load shared libraries. + # As such, they can be used everywhere + + abi , + + /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, + + @{etc_ro}/ld.so.cache mr, + @{etc_ro}/ld.so.conf r, + @{etc_ro}/ld.so.conf.d/ r, + @{etc_ro}/ld.so.conf.d/*.conf r, + @{etc_ro}/ld.so.preload r, + @{etc_ro}/ld-musl-*.path r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale new file mode 100644 index 000000000..873c303f5 --- /dev/null +++ b/apparmor.d/abstractions/locale @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{etc_ro}/locale.alias r, + @{etc_ro}/locale.conf r, + @{etc_ro}/locale/** r, + @{etc_ro}/localtime r, + @{etc_rw}/localtime r, + + /usr/share/**/locale/** r, + /usr/share/locale-bundle/** r, + /usr/share/locale-langpack/** r, + /usr/share/locale/ r, + /usr/share/locale/** r, + /usr/share/X11/locale/** r, + /usr/share/zoneinfo{,-icu}/ r, + /usr/share/zoneinfo{,-icu}/** r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt new file mode 100644 index 000000000..913ab3eb3 --- /dev/null +++ b/apparmor.d/abstractions/lxqt 
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ signal (receive) set=(kill, term) peer=lxqt-session,
+
+ /usr/share/hwdata/pnp.ids r,
+ /usr/share/icu/@{int}.@{int}/*.dat r,
+ /usr/share/lxqt/** r,
+
+ owner @{HOME}/.Xdefaults r,
+
+ owner @{user_cache_dirs}/lxqt-notificationd/* r,
+
+ owner @{user_config_dirs}/lxqt/*.conf rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login
new file mode 100644
index 000000000..7ccc2d678
--- /dev/null
+++ b/apparmor.d/abstractions/mapping/login
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for login based hat mapping.
+
+ abi ,
+
+ include
+ include
+ include
+ include
+
+ capability audit_write,
+ capability chown,
+ capability fowner,
+ capability setgid,
+ capability setuid,
+ capability fsetid,
+
+ deny capability net_admin,
+
+ network netlink raw,
+
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member=ReleaseSession
+ peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+
+ @{etc_ro}/security/group.conf r,
+ @{etc_ro}/security/limits.conf r,
+ @{etc_ro}/security/limits.d/{,*} r,
+ @{etc_ro}/security/pam_env.conf r,
+
+ @{etc_ro}/login.defs r,
+ @{etc_ro}/login.defs.d/{,*} r,
+ @{etc_ro}/security/capability.conf r,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/shadow b/apparmor.d/abstractions/mapping/shadow
new file mode 100644
index 000000000..5bf542c17
--- /dev/null
+++ b/apparmor.d/abstractions/mapping/shadow
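Review bot: `deny capability net_admin,` in mapping/login has no explanation, whereas the identical rule in mapping/sshd added by this same commit documents that libpam-systemd probes net_admin to size socket buffers and falls back when it is refused. Copying that three-line comment above the deny here would tell a maintainer that the resulting audit entries are expected rather than a missing grant. The capability block (`chown`, `fowner`, `fsetid`) would also benefit from a one-line why-comment, since a reader cannot tell from the file which login step needs them.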
@@ -0,0 +1,11 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for shadow based hat mapping.
+
+ abi ,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd
new file mode 100644
index 000000000..0f7512710
--- /dev/null
+++ b/apparmor.d/abstractions/mapping/sshd
@@ -0,0 +1,58 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for sshd based hat mapping. Similar to sshd-session
+
+ abi ,
+
+ include
+ include
+ include
+ include
+ include
+
+ capability audit_write,
+ capability chown,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability setgid,
+ capability setuid,
+ capability sys_resource,
+
+ # sshd doesn't require net_admin. libpam-systemd tries to
+ # use it if available to set the send/receive buffers size,
+ # but will fall back to a non-privileged version if it fails.
+ deny capability net_admin,
+
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ signal receive set=exists peer=@{p_systemd_journald},
+ signal receive set=hup peer=@{p_systemd},
+
+ unix bind type=stream addr=@@{udbus}/bus/sshd-session/system,
+ unix bind type=stream addr=@@{udbus}/bus/sshd/system,
+
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
+ peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+
+ /etc/motd r,
+ /etc/locale.conf r,
+
+ @{run}/motd.dynamic rw,
+ @{run}/motd.dynamic.new rw,
+
+ @{PROC}/1/limits r,
+
+ /dev/ptmx rw,
+ /dev/pts/@{int} k,
+
+ include if exists
+
+# vim:syntax=apparmor
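Review bot: mapping/shadow grants nothing: besides the header it holds only the `abi` line and the `include if exists` hook, yet its description reads "Minimal set of rules for shadow based hat mapping", which suggests rules were intended. If the empty body is deliberate because the shadow hat needs no permissions beyond those the including profile already holds, a comment such as `# Intentionally empty: the shadow hat needs no rules beyond the local include hook` would stop the file being read as an unfinished stub.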
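Review bot: `capability dac_read_search,` is the broadest grant in mapping/sshd and, unlike `deny capability net_admin` a few lines below, carries no explanation; every profile that includes this mapping inherits a DAC read/search bypass over the whole filesystem, so a comment naming the sshd operation that needs it would let a reviewer judge whether it still applies. Separately, `/etc/motd r,` and `/etc/locale.conf r,` hard-code `/etc` while the other new mapping files use `@{etc_ro}`, and `@{etc_ro}/locale.conf r,` already appears in the new abstractions/locale file, so the second line may be redundant once that abstraction is included.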
diff --git a/apparmor.d/abstractions/mapping/sudo b/apparmor.d/abstractions/mapping/sudo
new file mode 100644
index 000000000..3347a91af
--- /dev/null
+++ b/apparmor.d/abstractions/mapping/sudo
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for su/sudo based hat mapping.
+
+ abi ,
+
+ capability audit_write,
+ capability setgid,
+ capability setuid,
+
+ network netlink raw,
+
+ @{etc_ro}/login.defs r,
+ /etc/passwd r,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control
new file mode 100644
index 000000000..1cdcf66f2
--- /dev/null
+++ b/apparmor.d/abstractions/media-control
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows access to media controller such as microphones, and video capture hardware.
+# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst
+
+ abi ,
+
+ # Control of media devices
+ /dev/media@{int} rwk,
+
+ # Access to V4L subnodes configuration
+ # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html
+ /dev/v4l-subdev@{int} rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys
new file mode 100644
index 000000000..d9aafa764
--- /dev/null
+++ b/apparmor.d/abstractions/mediakeys
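Review bot: `/etc/passwd r,` in mapping/sudo hard-codes `/etc` directly below `@{etc_ro}/login.defs r,`, so the two neighbouring rules follow different path conventions; `@{etc_ro}/passwd r,` would match the rest of the new mapping files. The file also has no why-comment on `network netlink raw,`, which the login and sshd mappings share; a single comment naming the consumer (presumably the audit socket, given `capability audit_write`) in whichever mapping is included first would cover all three.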
@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow requesting interest in receiving media key events. This tells Gnome
+# settings that our application should be notified when key events we are
+# interested in are pressed, and allows us to receive those events.
+
+ abi ,
+
+ include
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete
index ed3306e42..02a48114c 100644
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@@ -2,8 +2,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Fallback location when @{user_cache_dirs} is not available + /var/cache/mesa_shader_cache_db/ rw, + /var/cache/mesa_shader_cache_db/index rw, + /var/cache/mesa_shader_cache_db/marker rw, + /var/cache/mesa_shader_cache_db/part@{int}/ rw, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + /var/cache/mesa_shader_cache/ rw, + /var/cache/mesa_shader_cache/@{hex2}/ rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + /var/cache/mesa_shader_cache/index rw, + /var/cache/mesa_shader_cache/marker rw, + # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/index rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/marker rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, owner @{desktop_cache_dirs}/mesa_shader_cache/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw, 
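Review bot: The new `/var/cache/mesa_shader_cache_db/...` and `/var/cache/mesa_shader_cache/...` rules carry no `owner` qualifier, unlike the `@{desktop_cache_dirs}` stanza immediately below them, so every profile that includes this drop-in may write to and lock one system-wide shader cache that other confined programs later read. If `owner` cannot apply because the directory is root-owned and shared by design, the comment should say so, e.g. `# Shared system-wide cache (not user-owned), hence no owner qualifier`, so the omission is not later "fixed" or copied. The file continues past the end of this hunk.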
@@ -11,4 +31,17 @@ owner @{desktop_cache_dirs}/mesa_shader_cache/index rw, owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw, + owner @{user_cache_dirs}/mesa_shader_cache/marker rw, + + owner @{user_cache_dirs}/mesa_shader_cache_db/ w, + owner @{user_cache_dirs}/mesa_shader_cache_db/index rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/marker rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + + @{PROC}/sys/dev/xe/observation_paranoid r, + + /dev/udmabuf rw, # In upstream, but not released yet + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime new file mode 100644 index 000000000..9a70edaf8 --- /dev/null +++ b/apparmor.d/abstractions/mime @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/ r, + @{system_share_dirs}/mime/{,**} r, + + /etc/mime.types r, + /etc/xdg/{,*-}mimeapps.list r, + + /var/cache/gio-@{version}/{,*-}-mimeapps.list r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/mime/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris new file mode 100644 index 000000000..f06c8560e --- /dev/null +++ b/apparmor.d/abstractions/mpris 
@@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow operating as an MPRIS player. + + abi , + + include + + # Allow binding to the well-known DBus mpris interface based on the app's name + # See: https://specifications.freedesktop.org/mpris-spec/latest/ + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index b1d474717..5f49a63d9 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -6,6 +6,10 @@ # Many programs wish to perform nameservice-like operations, such as looking up # users by name or id, groups by name or id, hosts by name or IP, etc. + abi , + + include + @{etc_ro}/default/nss r, @{etc_ro}/gai.conf r, @{etc_ro}/group r, @@ -31,23 +35,6 @@ @{run}/systemd/resolve/resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r, - # NSS records from systemd-userdbd.service - # - # Allow User/Group lookups via common VarLink socket APIs. Applications need - # to either consult all of them or the io.systemd.Multiplexer frontend. - # - # https://systemd.io/USER_GROUP_API/ - # https://systemd.io/USER_RECORD/ - # https://www.freedesktop.org/software/systemd/man/nss-systemd.html - # - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users - @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs - @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined - @{run}/systemd/userdb/io.systemd.Multiplexer rw, - @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS - @{PROC}/sys/kernel/random/boot_id r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications new file mode 100644 index 000000000..81d5cc94c 
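Review bot: The nameservice-strict hunk removes `@{PROC}/sys/kernel/random/boot_id r,` together with the systemd-userdb varlink socket rules, and the include added in the first hunk is the only replacement (its target is not visible in this rendering). If that include does not itself grant `boot_id`, nss-systemd lookups will start producing denials in every profile built on nameservice-strict, which is a large share of the set; please confirm the new include covers the whole removed stanza, or keep the `boot_id` line here with a comment saying which consumer needs it.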
--- /dev/null
+++ b/apparmor.d/abstractions/notifications
@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ include
+ include
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict
index 6521c9840..a14691a9c 100644
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
@@ -2,33 +2,56 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, + /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, /etc/vdpau_wrapper.cfg r, - owner @{HOME}/.cache/nvidia/ w, - owner @{HOME}/.cache/nvidia/GLCache/ rw, - owner @{HOME}/.cache/nvidia/GLCache/** rwk, + owner @{HOME}/.nv/ w, owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw, + owner @{user_cache_dirs}/nvidia/ w, + owner @{user_cache_dirs}/nvidia/GLCache/ rw, + owner @{user_cache_dirs}/nvidia/GLCache/** rwk, + + @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, - @{PROC}/driver/nvidia/params r, - @{PROC}/sys/vm/max_map_count r, - @{PROC}/sys/vm/mmap_min_addr r, - @{PROC}/modules r, - owner @{PROC}/@{pid}/comm r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, + @{PROC}/driver/nvidia/params r, + @{PROC}/modules r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/mmap_min_addr r, - /dev/char/195:@{int} w, # Nvidia graphics devices + @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/task/@{tid}/comm r, + + /dev/char/195:@{u8} w, # Nvidia graphics devices + + # Nvidia proprietary modset driver /dev/nvidia-modeset rw, + + # Nvidia graphics devices /dev/nvidia@{int} rw, + + # Nvidia's Unified Memory driver + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, + + # Nvidia's control device /dev/nvidiactl rw, deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index ef9d0c40d..e00385efd 100644 
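Review bot: `@{PROC}/@{pid}/cmdline r,` is added without `owner`, while the neighbouring rules keep it (`owner @{PROC}/@{pid}/comm r,`, `owner @{PROC}/@{pid}/task/@{tid}/comm r,`). Without `owner`, any program that pulls in nvidia-strict may read the command line of every process on the system, and command lines frequently carry tokens or passwords passed as arguments; unless the driver is known to inspect other users' processes, `owner @{PROC}/@{pid}/cmdline r,` is the safer form. The same inconsistency appears in `@{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw,`, whose three sibling GLCache rules all use `owner`. The file continues past the end of this hunk.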
--- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{int} rw, # Nvidia graphics devices + /dev/char/195:@{u8} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/oneapi b/apparmor.d/abstractions/oneapi new file mode 100644 index 000000000..17225ef03 --- /dev/null +++ b/apparmor.d/abstractions/oneapi @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Intel oneAPI compiler libraries + + abi , + + /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, + /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/openssl.d/complete b/apparmor.d/abstractions/openssl.d/complete new file mode 100644 index 000000000..600a030e5 --- /dev/null +++ b/apparmor.d/abstractions/openssl.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + /usr/share/ssl/ r, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path new file mode 100644 index 000000000..dee241b29 --- /dev/null +++ b/apparmor.d/abstractions/path @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Common directories in $PATH, used by launchers and interactive shells. + + abi , + + @{bin}/ r, + @{bin}/*/ r, + @{sbin}/ r, + @{sbin}/*/ r, + + / r, + /usr/ r, + /usr/local/bin/ r, + /usr/local/sbin/ r, + + @{user_bin_dirs}/ r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd new file mode 100644 index 000000000..33a981279 --- /dev/null +++ b/apparmor.d/abstractions/pcscd 
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows interacting with PC/SC Smart Card Daemon + + abi , + + # Configuration file for OPENSC + /etc/opensc.conf r, + /etc/opensc/opensc.conf r, + + # Socket for communication between PCSCD and PS/SC API library + @{run}/pcscd/pcscd.comm rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/perl.d/complete b/apparmor.d/abstractions/perl.d/complete new file mode 100644 index 000000000..0031356a1 --- /dev/null +++ b/apparmor.d/abstractions/perl.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + @{bin}/perl rix, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index e6eea6744..e372c312c 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -4,11 +4,12 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/ r, - @{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r, + @{python_path} rm, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r, + owner @{user_lib_dirs}/@{python_name}/ r, + owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, + owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr, + owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r, + owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r, # vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index 4ac0f7f1d..d40aa3766 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -3,13 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl, include if exists diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used new file mode 100644 index 000000000..66a80867b --- /dev/null +++ b/apparmor.d/abstractions/recently-used @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.recently-used.xbel rw, + owner @{HOME}/.recently-used.xbel.@{rand6} rwl, + owner @{HOME}/.recently-used.xbel.lock rwk, + + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver new file mode 100644 index 000000000..1a9369091 --- /dev/null +++ b/apparmor.d/abstractions/screensaver 
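Review bot: Dropping the explicit link target (`rwl -> @{user_cache_dirs}/qtshadercache/#@{int}`) to a bare `rwl` widens what the shader-cache entries may be hard-linked from: the target was pinned to the `#@{int}` temporary names in the same directory, and now any path the profile otherwise has matching permissions on is accepted under the subset rule. If the explicit form was removed because it never matched (or because `#@{int}` is already covered), a comment such as `# no link target: Qt renames its #@{int} temp files in place` would preserve the reasoning. The same loosening appears in thumbnails-cache-write (`*.png wl`, `*.png.@{rand6} wl`), which previously also named the `#@{int}` target.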
@@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + include if exists + include if exists + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service new file mode 100644 index 000000000..083672cc9 --- /dev/null +++ b/apparmor.d/abstractions/secrets-service @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + include + include + + dbus send bus=session path=/org/gnome/keyring/daemon + interface=org.gnome.keyring.Daemon + member=GetEnvironment + peer=(name=org.gnome.keyring, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index b269f2335..35d3a580a 100644 --- a/apparmor.d/abstractions/shells 
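Review bot: The secrets-service header comment is lifted from snapd: "While it would be possible for an application developer to use a snap-specific collection" has no meaning in apparmor.d, and `- https://standards.freedesktop.org/secret-service/)` carries a stray closing parenthesis. Rewording to "an application-specific collection" and dropping the `)` keeps the useful point — attribute-based use of the API defeats per-application isolation because AppArmor does not mediate member data — without the snap framing. The single `dbus send` rule to `org.gnome.keyring.Daemon` is far narrower than the "full access" the comment promises, so the first line should say what the two includes above it are expected to provide.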
+++ b/apparmor.d/abstractions/shells @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + include include include diff --git a/apparmor.d/abstractions/sqlite b/apparmor.d/abstractions/sqlite new file mode 100644 index 000000000..690417f87 --- /dev/null +++ b/apparmor.d/abstractions/sqlite @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# SQlite temporary files (hexadecimal from 12 to 16 characters) + + abi , + + owner /var/tmp/etilqs_@{hex12} rw, + owner /var/tmp/etilqs_@{hex12}@{h} rw, + owner /var/tmp/etilqs_@{hex12}@{hex2} rw, + owner /var/tmp/etilqs_@{hex15} rw, + owner /var/tmp/etilqs_@{hex16} rw, + + owner @{tmp}/etilqs_@{hex12} rw, + owner @{tmp}/etilqs_@{hex12}@{h} rw, + owner @{tmp}/etilqs_@{hex12}@{hex2} rw, + owner @{tmp}/etilqs_@{hex15} rw, + owner @{tmp}/etilqs_@{hex16} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes new file mode 100644 index 000000000..13fe70bc6 --- /dev/null +++ b/apparmor.d/abstractions/themes @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/themes/{,**} r, + + owner @{HOME}/.themes/{,**} r, + owner @{user_share_dirs}/themes/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index dc164c6ba..22982e1f4 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read 
@@ -3,13 +3,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/thumbnails/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ r, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ r, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} r, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ r, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png r, include if exists diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index 01de0407e..e3b559418 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write 
@@ -3,13 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - owner @{user_cache_dirs}/thumbnails/ rw, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ rw, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ rw, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png rw, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png rwl -> @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int}, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} rw, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} rw, + abi , + + include + + owner @{user_cache_dirs}/thumbnails/ w, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ w, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png wl, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} wl, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} w, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ w, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png w, include if exists diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm new file mode 100644 index 000000000..ef7b30a2b --- /dev/null +++ b/apparmor.d/abstractions/tpm @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016-2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM +# resource manager /dev/tpmrm@{int} + + abi , + + /dev/tpm@{int} rw, + /dev/tpmrm@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index 1f4202818..a2b024d3e 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict 
@@ -9,6 +9,8 @@ # There is no 'owner' rule on expunged folders because some internally sandboxed # app (using bwrap) run on a different private user. + abi , + owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/trashrc rw, owner @{user_config_dirs}/trashrc.* rwl, diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim index 03ae9e3e8..4a40e965e 100644 --- a/apparmor.d/abstractions/uim +++ b/apparmor.d/abstractions/uim @@ -3,13 +3,15 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/uim/* r, - + /var/lib/uim/* r, - + owner @{HOME}/.uim.d/customs/* r, owner @{HOME}/.XCompose r, - + owner @{run}/user/@{uid}/uim/socket/uim-helper rw, include if exists diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput new file mode 100644 index 000000000..b97d1eb8a --- /dev/null +++ b/apparmor.d/abstractions/uinput @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2020 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow write access to the uinput device for emulating input devices from +# userspace for sending input events. + + abi , + + /dev/uinput rw, + /dev/input/uinput rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe new file mode 100644 index 000000000..67478bb6d --- /dev/null +++ b/apparmor.d/abstractions/upower-observe @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can query UPower for power devices, history and statistics. + + abi , + + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-data b/apparmor.d/abstractions/user-data new file mode 100644 index 000000000..6406b3e84 --- /dev/null +++ b/apparmor.d/abstractions/user-data 
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Gives access to non-hidden files in user's $HOME.
+# Warning: experiemental, only for abi 4+, requires a prompting client.
+
+ abi ,
+
+ # Allow accessing the GNOME crypto services prompt APIs as used by
+ # applications using libgcr (such as pinentry-gnome3) for secure pin
+ # entry to unlock GPG keys etc. See:
+ # https://developer.gnome.org/gcr/unstable/GcrPrompt.html
+ # https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
+ # https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
+ dbus send bus=session path=/org/gnome/keyring/Prompter
+ interface=org.gnome.keyring.internal.Prompter
+ member={BeginPrompting,PerformPrompt,StopPrompting}
+ peer=(name="{@{busname}", label=pinentry-*),
+ dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
+ interface=org.gnome.keyring.internal.Prompter.Callback
+ member={PromptReady,PromptDone}
+ peer=(name="{@{busname}", label=pinentry-*),
+
+ # Allow read access to toplevel $HOME & mounts for the user.
+ prompt owner @{HOME}/ r,
+ prompt owner @{MOUNTS}/ r,
+
+ # Allow read/write access to all files in @{HOME}, except snap application
+ # data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
+ prompt owner @{HOME}/[^s.]** rwlk,
+ prompt owner @{HOME}/s[^n]** rwlk,
+ prompt owner @{HOME}/sn[^a]** rwlk,
+ prompt owner @{HOME}/sna[^p]** rwlk,
+ prompt owner @{HOME}/snap[^/]** rwlk,
+ prompt owner @{HOME}/{s,sn,sna}{,/} rwlk,
+
+ # Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs)
+ # for non-hidden files owned by the user.
+ prompt owner @{MOUNTS}/[^.]** rwlk,
+
+ # Disallow writes to the well-known directory included in
+ # the user's PATH on several distributions
+ audit deny @{HOME}/bin/{,**} wl,
+ audit deny @{HOME}/bin wl,
+
+ include if exists
+
+# vim:syntax=apparmor
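Review bot: `peer=(name="{@{busname}", label=pinentry-*)` on both dbus rules in user-data has an unbalanced brace: the quoted name opens a `{` alternation that is never closed, so it reads as either a typo for `"@{busname}"` or a truncated `{@{busname},...}` list, and is worth checking against the parser before the abstraction is used. The header typo `experiemental` should be `experimental`. The two `audit deny @{HOME}/bin` rules are a good guard for a PATH directory; the gcr prompt block and the `[^s.]**` exclusion chain are copied from the snapd home interface, so a comment stating whether the `@{HOME}/snap` carve-out is meant to be kept here, or only mirrors snapd, would help the next maintainer.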
diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs new file mode 100644 index 000000000..189f8eb38 --- /dev/null +++ b/apparmor.d/abstractions/user-dirs @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + + owner @{user_config_dirs}/user-dirs.dirs r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index 3feed5cd8..ab0e05f0a 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{HOME}/@{XDG_DESKTOP_DIR}/ w, owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w, diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index 4187ab9e2..bd350186b 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -4,6 +4,8 @@ # Warning: This abstraction gives unrestricted read access on all non hidden user directories. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index 5211b0345..9626bb0bc 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -5,7 +5,10 @@ # This abstraction gives read access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, + owner @{HOME}/[^.]* rk, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 223fc660a..88d52203e 100644 --- a/apparmor.d/abstractions/user-write-strict 
+++ b/apparmor.d/abstractions/user-write-strict @@ -5,7 +5,10 @@ # This abstraction gives write only access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, + owner @{HOME}/[^.]* wl, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index fd86f1e81..d4dd2fae6 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/egl/egl_external_platform.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/libdrm/*.ids r, @@ -14,7 +16,10 @@ /etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/implicit_layer.d/{,*.json} r, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw, owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache + owner @{user_cache_dirs}/radv_builtin_shaders{32,64}@{rand6} w, owner @{user_share_dirs}/vulkan/ rw, owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw, @@ -29,5 +34,4 @@ include if exists - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 8e5b68c08..67f83516e 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/glvnd/egl_vendor.d/{,*.json} r, diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index 245b9238d..f0c712634 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete 
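Review bot: `owner @{HOME}/[^.]* wl` in user-write-strict grants write and link on every non-hidden top-level entry of `$HOME`, which includes `@{HOME}/bin` — the directory that abstractions/user-data, added in this same commit, explicitly protects with `audit deny @{HOME}/bin/{,**} wl,` and `audit deny @{HOME}/bin wl,` because it sits on the user's PATH on several distributions. A confined program carrying this abstraction could therefore place a file in `~/bin` that a later, unconfined shell runs; since deny rules take precedence in AppArmor, adding the same two `audit deny` lines here (or narrowing the glob) would close the gap without touching the rest of the file. The parallel `owner @{HOME}/[^.]* rk` added to user-read-strict is harmless but deserves the same comment explaining that it only covers top-level entries. Both files continue outside their hunks.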
@@ -9,7 +9,10 @@ owner @{run}/user/@{uid}/wayland-@{int}.lock rwk, owner @{run}/user/@{uid}/wayland-proxy-@{int} rw, - owner /dev/shm/sway* rw, + owner /dev/shm/@{uuid} rw, owner /dev/shm/dunst-@{rand6} rw, + owner /dev/shm/grim-@{rand6} rw, + owner /dev/shm/sway* rw, + owner /dev/shm/wlroots-@{rand6} rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit new file mode 100644 index 000000000..c9a275250 --- /dev/null +++ b/apparmor.d/abstractions/webkit @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for webkit GTK UI. + + abi , + + mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, + + @{bin}/xdg-dbus-proxy rix, # TODO: stack me + + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, + + owner /bindfile@{rand6} rw, + owner @{att}/.flatpak-info r, + + owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, + + owner @{run}/user/@{uid}/.flatpak/ w, + owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + + owner @{run}/user/@{uid}/webkitgtk/ w, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + + @{sys}/firmware/acpi/pm_profile r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine new file mode 100644 index 000000000..145cd763a --- /dev/null +++ b/apparmor.d/abstractions/wine 
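Review bot: `@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,` runs the renderer, the process that parses untrusted web content, inside the including application's profile, so every rule of that profile is available to it; the `# TODO: stack me` on `xdg-dbus-proxy` acknowledges this for the proxy, and the same caveat belongs on the two WebKit process lines, e.g. `# TODO: confine WebKitWebProcess/WebKitNetworkProcess separately instead of inheriting the app profile`. The `mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,` rule can only be exercised from including profiles that also grant `capability sys_admin`, since mount(2) requires it regardless of the AppArmor rule; a comment naming the kind of including profile expected to provide that (the bwrap-style sandbox suggested by the `/newroot` path) would avoid a silent no-op elsewhere.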
@@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Basic set of resources for wine regardless of the installation method (system or through a game launcher). + + abi , + + owner @{user_share_dirs}/applications/wine/ rw, + owner @{user_share_dirs}/applications/wine/**/ rw, + + owner @{att}/@{tmp}/.wine-@{uid}/ rw, + owner @{att}/@{tmp}/.wine-@{uid}/** rwk, + owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + + owner /dev/shm/wine-@{hex6}-fsync rw, + owner /dev/shm/wine-@{hex6}@{h}-fsync rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 067de9148..df13363fc 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -2,22 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + include include include - include + include + include include include + include - /usr/share/xfce4/ r, + /usr/share/xfce{,4}/ r, owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 15711713c..7c734a45b 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh 
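Review bot: `owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m,` grants an executable memory mapping of a file under the temporary directory, on top of the `rwk` that `owner @{att}/@{tmp}/.wine-@{uid}/** rwk,` already gives it; if wineserver only needs a shared read/write mapping the extra rule can go, and if `m` really is required a comment explaining why would stop the next reviewer from removing it. The two `/dev/shm/wine-...-fsync` rules differ only by an optional `@{h}` and can be written once as `owner /dev/shm/wine-@{hex6}{,@{h}}-fsync rw,`.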
@@ -3,29 +3,48 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. + abi , + @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, - /usr/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r, + /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh-theme-*/{,**} r, + /usr/share/zsh/{,**} r, /etc/zsh/* r, - owner @{HOME}/.zshrc r, - owner @{HOME}/.zshenv r, + owner @{HOME}/.zcompdump-* rw, owner @{HOME}/.zsh_history rw, owner @{HOME}/.zsh_history.LOCK rwk, + owner @{HOME}/.zsh_history.new rw, + owner @{HOME}/.zshenv r, + owner @{HOME}/.zshrc r, owner @{HOME}/.oh-my-zsh/{,**} r, owner @{HOME}/.oh-my-zsh/log/update.lock/ w, - owner @{HOME}/.zcompdump-* rw, + owner @{user_cache_dirs}/oh-my-zsh/{,**} r, + owner @{user_cache_dirs}/p10k-@{user}/{,**} rw, + owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, + owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, + owner @{user_share_dirs}/zsh/history rw, + owner @{user_share_dirs}/zsh/history.LOCK rwk, + owner @{user_share_dirs}/zsh/history.new rw, + + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, + + @{PROC}/version r, + owner @{PROC}/@{pid}/loginuid r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap deleted file mode 100644 index e9ad60683..000000000 --- a/apparmor.d/groups/_full/bwrap +++ /dev/null 
@@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for bwrap. - -abi , - -include - -@{exec_path} = @{bin}/bwrap -profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - capability sys_resource, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - signal (receive) set=(kill), - - @{bin}/** rm, - @{lib}/** rm, - /opt/*/** rm, - /usr/share/*/* rm, - - @{bin}/** Px -> bwrap//&bwrap-app, - @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, - # @{lib}/** Px -> bwrap//&bwrap-app, - /opt/*/** Px -> bwrap//&bwrap-app, - /usr/share/*/* Px -> bwrap//&bwrap-app, - - /usr/.ref rk, - - /bindfile@{rand6} rw, - - owner /var/cache/ w, - - owner @{run}/ld-so-cache-dir/* rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app deleted file mode 100644 index bfe12e560..000000000 --- a/apparmor.d/groups/_full/bwrap-app +++ /dev/null @@ -1,37 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for user sandboxed application - -abi , - -include - -profile bwrap-app flags=(attach_disconnected,mediate_deleted) { - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - - @{bin}/** rmix, - @{lib}/** rmix, - /opt/*/** rmix, - /usr/share/*/* rmix, - - owner /var/cache/ w, - - include if exists - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
deleted file mode 100644
index 8e0a3a535..000000000
--- a/apparmor.d/groups/_full/default
+++ /dev/null
@@ -1,127 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for unconfined programs - -abi , - -include - -@{exec_path} = /** -profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - signal (receive) set=(hup), - - @{bin}/bwrap rPx -> bwrap, - @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd//&pulseaudio, - @{bin}/su rPx -> default-sudo, - @{bin}/sudo rPx -> default-sudo, - @{bin}/systemctl rix, - @{coreutils_path} rix, - @{shells_path} rix, - - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, - -# @{open_path} rPx -> child-open, - - audit @{bin}/** Pix, - audit @{lib}/** Pix, - audit /opt/*/** Pix, - audit /usr/share/*/* Pix, - - @{bin}/{,**} r, - @{lib}/{,**} r, - /usr/share/** r, - - /etc/xdg/** r, - - # Full access to user's data - / r, - /*/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/** rwl, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{user_config_dirs}/** rwkl, - owner @{user_share_dirs}/** rwkl, - owner @{tmp}/{,**} rwk, - - owner @{run}/user/@{uid}/{,**} rw, - - @{run}/motd.dynamic.new rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/drm/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/**/input@{int}/ r, - 
@{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, - - /dev/ r, - /dev/ptmx rwk, - /dev/tty rwk, - owner /dev/tty@{int} rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo deleted file mode 100644 index 36cebc626..000000000 --- a/apparmor.d/groups/_full/default-sudo +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile default-sudo { - include - include - - capability chown, - capability mknod, - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, - - ptrace (read), - - @{bin}/su mr, - - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - - /var/db/sudo/lectured/ r, - /var/lib/extrausers/shadow r, - /var/lib/sudo/lectured/ r, - owner /var/db/sudo/lectured/@{uid} rw, - owner /var/lib/sudo/lectured/* rw, - - owner @{HOME}/.sudo_as_admin_successful rw, - - @{run}/ r, - @{run}/systemd/sessions/* r, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd
new file mode 100644
index 000000000..ccdbf338b
--- /dev/null
+++ b/apparmor.d/groups/_full/sd
@@ -0,0 +1,256 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd is a profile for SystemD-executor run as root, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sd flags=(attach_disconnected,mediate_deleted,complain) { + include + include + include + include + include + include + include + include + + userns, + + capability audit_control, + capability audit_write, + capability bpf, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability linux_immutable, + capability mknod, + capability net_admin, + capability net_bind_service, + capability net_raw, + capability perfmon, + capability setfcap, + capability setgid, + capability setpcap, + capability setuid, + capability sys_admin, + capability sys_nice, + capability sys_ptrace, + capability sys_rawio, + capability sys_resource, + capability sys_time, + capability sys_tty_config, + capability syslog, + + network alg seqpacket, + network bluetooth, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network netlink raw, + network packet dgram, + network packet raw, + network qipcrtr dgram, + + mount -> @{run}/systemd/mount-rootfs/{,**}, + mount -> @{run}/systemd/namespace-@{rand6}/{,**}, + mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/, + mount options=(rw rshared) -> /, + mount options=(rw rslave) -> /, + mount 
options=(rw rslave) -> /dev/, + mount options=(rw slave) -> @{run}/systemd/incoming/, + mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/, + + remount /dev/shm/, + remount @{run}/systemd/mount-rootfs/{,**}, + + umount /, + umount /dev/shm/, + umount @{run}/systemd/mount-rootfs/{,**}, + umount @{run}/systemd/namespace-@{rand6}/{,**}, + + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, + + change_profile, + + mqueue (read getattr) type=posix /, + + signal peer=sd//&*, + signal receive peer=@{p_systemd}, + signal send, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd}), + unix type=dgram peer=(label=systemd-timesyncd), + unix type=stream, + + dbus bus=system, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /etc/update-motd.d/* Px, + /usr/share/*/** Px, + + # Systemd user: systemd --user + @{lib}/systemd/systemd px -> systemd-user, + + # Mount operations from services and systemd + @{bin}/mount Px -> sd-mount, + @{bin}/umount Px -> sd-umount, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Unit services + @{bin}/kill Cx -> kill, + + # Used by very basic services, ideally should be replaced by a unit profiles + @{sh_path} ix, + @{bin}/false ix, + @{bin}/true ix, + + # Required due to stacked profiles + @{bin}/find ix, + @{bin}/gzip ix, + @{bin}/install ix, + @{bin}/readlink ix, + @{lib}/colord-sane ix, + @{lib}/systemd/systemd-nsresourcework ix, + @{lib}/systemd/systemd-userwork ix, + @{sbin}/grpck ix, + @{sbin}/pwck ix, + + / r, + @{att}/ r, + @{bin}/{,**} r, + @{lib}/{,**} r, + @{sbin}/{,*} r, + /usr/local/{,**} r, + /usr/share/** r, + /etc/*/ w, + /etc/** rk, + /home/ r, + + @{efi}/ r, + @{efi}/** rw, + + @{att}/var/lib/systemd/*/ r, + + /var/cache/*/ rw, + /var/cache/*/** rwk, + /var/lib/*/ rw, + 
/var/lib/*/** rwk, + /var/lib/systemd/*/ r, + /var/log/ r, + /var/log/** rw, + /var/log/journal/** rwl -> /var/log/journal/**, + + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, + + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + @{att}/@{run}/systemd/notify rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + + @{run}/ rw, + @{run}/* rw, + @{run}/*/ rw, + @{run}/*/* rw, + @{run}/systemd/{,**} rw, + owner @{run}/*/** rw, + + @{run}/udev/**/ r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + + @{sys}/** r, + @{sys}/fs/bpf/systemd/{,**} w, + @{sys}/firmware/efi/efivars/** w, + @{sys}/fs/cgroup/{,**} w, + + @{PROC}/@{pids}/attr/apparmor/exec w, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/gid_map w, + @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/loginuid rw, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/oom_score_adj rw, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/setgroups r, + @{PROC}/@{pids}/setgroups w, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/uid_map r, + @{PROC}/@{pids}/uid_map w, + @{PROC}/cmdline r, + @{PROC}/interrupts r, + @{PROC}/irq/@{int}/node r, + @{PROC}/irq/@{int}/smp_affinity r, + @{PROC}/kmsg r, + @{PROC}/modules r, + @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/** r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sysvipc/* r, + @{PROC}/version_signature r, + + /dev/** rwk, + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + include if exists + include if exists + } + + 
profile kill flags=(attach_disconnected,mediate_deleted,complain) { + include + + signal send, + + @{bin}/kill mr, + + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount new file mode 100644 index 000000000..1572a8f6d --- /dev/null +++ b/apparmor.d/groups/_full/sd-mount 
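Review bot: The `pivot_root` rule mixes a literal `/run/` in `oldroot=` with `@{run}` for the new root, while every other rule in this profile, and the rule it replaces in the systemd profile, uses the variable on both sides; write it as `pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,`. `/dev/** rwk,` together with `capability sys_rawio` gives every service started through this executor unrestricted access to all device nodes, which deserves at least a comment stating that it is intentional for the stacked-profile case, and ideally a narrower set once the stacked profiles carry their own device rules. The paired `@{PROC}/@{pids}/setgroups r,`/`w,` and `@{PROC}/@{pids}/uid_map r,`/`w,` lines can each be collapsed into a single `rw` rule. The `complain` flag on `sd` and on both of its subprofiles is not mentioned in the header comment; one line saying whether it is a temporary development setting would help whoever deploys this on a "fully configured system".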
@@ -0,0 +1,71 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-mount is a subprofile of sd responsible to handle mounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-mount.d directory + +abi , + +include + +@{exec_path} = @{bin}/mount +profile sd-mount flags=(complain) { + include + include + + capability dac_read_search, + capability sys_admin, + + mount -> @{efi}/, + mount -> @{HOME}/{,**}, + mount -> @{HOMEDIRS}/, + mount -> @{MOUNTDIRS}/, + mount -> @{MOUNTS}/{,**}, + mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, + mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, + mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, + mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, + mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, + mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, + + mount options=(rw move) -> @{efi}, + mount options=(rw move) -> @{HOME}/{,**}, + mount options=(rw move) -> @{HOMEDIRS}/, + mount options=(rw move) -> @{MOUNTDIRS}/, + mount options=(rw move) -> @{MOUNTS}/{,**}, + mount options=(rw move) -> @{sys}/fs/fuse/connections/, + mount options=(rw move) -> @{sys}/kernel/config/, + mount options=(rw 
move) -> @{sys}/kernel/debug/, + mount options=(rw move) -> @{sys}/kernel/tracing/, + mount options=(rw move) -> /dev/hugepages/, + mount options=(rw move) -> /dev/mqueue/, + mount options=(rw move) -> /tmp/, + + @{exec_path} mr, + + /var/lib/snapd/snaps/*.snap r, + + @{run}/ r, + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rwk, + + @{PROC}/@{pid}/mountinfo r, + + /dev/loop-control rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount new file mode 100644 index 000000000..e5d67f0a9 --- /dev/null +++ b/apparmor.d/groups/_full/sd-umount @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-umount is a subprofile of sd responsible to handle unmounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-umount.d directory + +abi , + +include + +@{exec_path} = @{bin}/umount +profile sd-umount flags=(complain) { + include + + capability sys_admin, + + umount @{efi}, + + @{exec_path} mr, + + @{PROC}/@{pid}/mountinfo r, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu new file mode 100644 index 000000000..f9c50b65f --- /dev/null +++ b/apparmor.d/groups/_full/sdu 
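Review bot: `mount options=(rw move) -> @{efi},` in sd-mount and `umount @{efi},` in sd-umount omit the trailing slash that the other mount-point rules in these files carry (`mount -> @{efi}/,`, `mount options=(rw move) -> /tmp/,`); since the EFI system partition is mounted on a directory these should presumably read `mount options=(rw move) -> @{efi}/,` and `umount @{efi}/,`, unless the missing slash is deliberate, in which case a comment should say why. `mount -> @{HOME}/{,**},` and `mount -> @{MOUNTS}/{,**},` allow any filesystem type with any options anywhere under the user homes and mount points; naming the services that need this, or adding an `fstype=` restriction, would make the intent reviewable. sd-umount allows only `umount @{efi},` while sd-mount can move mounts onto `/tmp/`, `/dev/mqueue/` and the user directories; if those are released by `sd` itself rather than through `@{bin}/umount`, a comment in sd-umount saying so would pre-empt the question.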
@@ -0,0 +1,141 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd-user profile. + +# sdu is a profile for SystemD-executor run as User, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd-user profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sdu.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sdu flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + + network netlink raw, + + change_profile, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd_user}), + + dbus bus=session, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Shell based user unit services + @{sh_path} Cx -> shell, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + / r, + @{bin}/* r, + @{sbin}/* r, + /usr/share/** r, + + owner @{desktop_local_dirs}/ w, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + + owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, + owner @{run}/user/@{uid}/pulse/pid rw, + + owner @{user_state_dirs}/wireplumber/ rw, + owner 
@{user_state_dirs}/wireplumber/stream-properties rw, + owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, + + @{run}/systemd/users/@{uid} r, + @{run}/systemd/users/@{int} r, + + @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/bus/ r, + @{sys}/bus/media/devices/ r, + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, + @{sys}/devices/**/device:*/{,**/}path r, + @{sys}/devices/**/sound/**/pcm_class r, + @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/sound/seq/uevent r, + @{sys}/devices/virtual/sound/timer/uevent r, + + @{sys}/module/apparmor/parameters/enabled r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, + + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/attr/apparmor/exec w, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/kmsg w, + + deny capability net_admin, + + profile shell flags=(attach_disconnected,mediate_deleted,complain) { + include + + @{sh_path} mr, + @{bin}/systemctl Px -> sdu//systemctl, + + include if exists + } + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + owner @{run}/user/@{uid}/systemd/private rw, + + deny capability net_admin, + + include if exists + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index aa1f1729d..d1ee8fd1f 100644 --- a/apparmor.d/groups/_full/systemd 
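Review bot: `@{run}/systemd/users/@{int} r,` presumably already covers `@{run}/systemd/users/@{uid} r,` on the line above it, so one of the two is redundant; keep only the `@{uid}` form if the intent is to read the current user's session file, or drop it if any user's file must be readable. `change_profile,` without a target lets a user-level executor transition to any loaded profile; if this exists only to honour a unit's AppArmorProfile= setting, say so in a comment and consider restricting it with a `change_profile -> ...` target list. `sdu` itself is not in `complain` mode while its `shell` and `systemctl` subprofiles are, and the sibling `sd` profile is; a short comment on why the user executor is enforced while the rest of this work is still in complain mode would make the split look intentional rather than accidental.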
+++ b/apparmor.d/groups/_full/systemd 
@@ -11,13 +11,47 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -abi , +# Overall architecture of the systemd profiles: +# systemd # PID 1, entrypoint, requires "Early policy" +# ├── systemd # To restart itself +# ├── systemd-generators-* # Systemd system and environment generators +# └── sd # Internal service starter and config handler, handles all services +# ├── Px or px, # Any service with profile +# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) +# ├── sd-mount # Handles all mounts from services +# ├── sd//systemctl # Internal system systemctl +# └── systemd-user # Profile for 'systemd --user' +# ├── systemd-user # To restart itself +# ├── systemd-user-generators-* # Systemd user and environment generators +# └── sdu # Handles all user services +# ├── Px or px, # Any user service with profile +# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) +# └── sdu//systemctl # Internal user systemctl + +# Advantages: +# - Differentiate systemd (PID 1) and `system --user` +# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. +# - Allow the executor profiles to handled stacked profiles. +# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. +# - Dedicated `sd-mount` profile for most mount from the unit services. + + +# TODO: rework this to get a controlled environment: +# - No global allow anymore: in high security environments, we must manage the list +# of program/service that can be started by systemd and ensure that they are all +# listed and confined. Programs not listed will not be able to start. 
+# - Outside common systemd service, the list may have to be automatically +# generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` + +abi , include -profile systemd flags=(attach_disconnected,mediate_deleted) { +@{exec_path} = @{lib}/systemd/systemd +profile systemd flags=(attach_disconnected,mediate_deleted,complain) { include - include include include include @@ -32,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { capability dac_read_search, capability fowner, capability fsetid, - capability mknod, + capability kill, capability net_admin, + capability net_bind_service, capability perfmon, - capability setfcap, - capability setgid, capability setpcap, - capability setuid, capability sys_admin, - capability sys_chroot, - capability sys_nice, + capability sys_boot, capability sys_ptrace, capability sys_resource, capability sys_tty_config, 
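Review bot: The new architecture comment has several wording errors that will be read by everyone touching these profiles: `system --user` should be `systemd --user`, `mininal` should be `minimal`, `Allow the executor profiles to handled stacked profiles` should be `to handle stacked profiles`, and `most mount from the unit services` should be `most mounts from the unit services`. The profile flags now include `complain`, but neither the header nor the TODO block says whether that is a temporary state for the full-system-policy rework or expected in releases; one sentence next to the flags line would settle it.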
@@ -51,190 +82,124 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { network inet6 dgram, network inet6 stream, network netlink raw, + network vsock stream, mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=autofs systemd-1 -> /efi/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=tmpfs tmpfs -> /dev/shm/, + mount fstype=autofs systemd-1 -> @{efi}/, mount fstype=tmpfs tmpfs -> /tmp/, - mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, - mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, - mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, - mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, - mount options=(rw move) -> @{sys}/fs/fuse/connections/, - mount options=(rw move) -> @{sys}/kernel/config/, - mount options=(rw move) -> @{sys}/kernel/debug/, - mount options=(rw move) -> @{sys}/kernel/tracing/, - mount options=(rw move) -> /dev/hugepages/, - mount options=(rw move) -> /dev/mqueue/, - mount options=(rw move) -> /efi/, - mount options=(rw move) -> /tmp/, - mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, - mount options=(rw rslave) -> /dev/, - mount options=(rw slave) -> 
@{run}/systemd/incoming/, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, remount @{MOUNTDIRS}/, remount @{MOUNTS}/{,**}, - remount @{run}/systemd/mount-rootfs/{,**}, - remount @{run}/systemd/unit-root/{,**}, - remount /, remount /snap/{,**}, - remount options=(ro noexec noatime bind) /var/snap/{,**}, - remount options=(ro nosuid bind) /dev/, - remount options=(ro nosuid nodev bind) /dev/hugepages/, - remount options=(ro nosuid nodev bind) /var/, - remount options=(ro nosuid nodev noexec bind) /boot/, - remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, - remount options=(ro nosuid nodev noexec bind) /efi/, - remount options=(ro nosuid noexec bind) /dev/pts/, + remount options=(ro bind nodev noexec nosuid) /dev/mqueue/, + remount options=(ro bind nodev nosuid) /dev/hugepages/, + remount options=(ro bind noexec nosuid) /dev/pts/, + remount options=(ro bind nosuid) /dev/, + remount options=(ro bind) @{efi}/, + remount options=(ro bind) /, - umount /, - umount /dev/shm/, umount @{PROC}/sys/fs/binfmt_misc/, - umount @{run}/systemd/mount-rootfs/{,**}, - umount @{run}/systemd/namespace-@{rand6}/{,**}, - umount @{run}/systemd/unit-root/{,**}, + umount @{run}/credentials/*/, - pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + mqueue (read getattr) type=posix /, - change_profile, - - signal (receive) set=(rtmin+23) peer=plymouthd, - signal (receive) set=(term, hup, cont), - signal (send), + signal send, ptrace (read, readby), - unix (send) type=dgram, - - unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none), - unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), + unix type=dgram, + unix type=stream, #aa:dbus own bus=system name=org.freedesktop.systemd1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetConnectionUnixUser - 
peer=(name=org.freedesktop.DBus, label=dbus-system), + @{exec_path} mrix, + @{sh_path} mr, - @{bin}/systemctl rix, - @{bin}/mount rix, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sd, - @{lib}/systemd/systemd-executor rix, - @{lib}/systemd/systemd rpx -> systemd-user, - - @{bin}/ldconfig rPx -> systemd-service, - @{bin}/mandb rPx -> systemd-service, - @{bin}/savelog rPx -> systemd-service, - @{coreutils_path} rPx -> systemd-service, - @{sh_path} rPx -> systemd-service, - - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /usr/share/*/** Px, - - #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd - @{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd, - @{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd, - @{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved, - @{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd, - - @{lib}/ r, - / r, - /boot/ r, - /boot/efi/ r, - /efi/ r, - /snap/ r, - /snap/*/@{int}/ r, - /tmp/ r, - /usr/ r, - /var/cache/*/ r, - /var/lib/*/ r, - /var/tmp/ r, + # Systemd system generators. 
Profiles must exist + @{lib}/netplan/generate mPx, + @{lib}/systemd/system-environment-generators/* mPx, + @{lib}/systemd/system-generators/* mPx, + @{etc_ro}/environment r, + @{etc_ro}/environment.d/{,**} r, + /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, - /etc/credstore.encrypted/{,**} r, - /etc/credstore/{,**} r, - /etc/environment r, - /etc/environment.d/{,**} r, + /etc/default/{,**} r, /etc/machine-id r, /etc/modules-load.d/{,**} r, + /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, + /etc/systemd/system/** w, /etc/udev/hwdb.d/{,**} r, - /var/lib/systemd/{,**} rw, + #aa:only pacman + # It is unclear why this is needed here and not in sd + /etc/pacman.d/gnupg/S.dirmngr w, + /etc/pacman.d/gnupg/S.gpg-agent w, + /etc/pacman.d/gnupg/S.gpg-agent.browser w, + /etc/pacman.d/gnupg/S.gpg-agent.extra w, + /etc/pacman.d/gnupg/S.gpg-agent.ssh w, + /etc/pacman.d/gnupg/S.keyboxd w, + + @{efi}/ r, + /snap/*/@{int}/ r, + + /tmp/ r, + /var/tmp/ r, + owner /tmp/systemd-private-*/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, - /tmp/namespace-dev-@{rand6}/{,**} rw, - /tmp/systemd-private-*/{,**} rw, + @{att}/@{run}/systemd/journal/dev-log r, + @{att}/@{run}/systemd/journal/socket r, + @{att}/@{run}/systemd/notify r, @{run}/ rw, + @{run}/* rw, @{run}/*/ rw, @{run}/*/* rw, - @{run}/auditd.pid r, @{run}/credentials/{,**} rw, - @{run}/initctl rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, - - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 
- @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, + @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/class/sound/ r, - @{sys}/devices/@{pci}/** r, - @{sys}/devices/**/net/** r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, @{sys}/kernel/**/ r, - @{sys}/module/**/uevent r, @{sys}/module/apparmor/parameters/enabled r, + @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/coredump_filter r, - @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map rw, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/setgroups rw, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map rw, @{PROC}/cmdline r, @{PROC}/devices r, @{PROC}/pressure/* r, 
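Review bot: `unix type=dgram,` and `unix type=stream,` replace the peer-scoped rules (`peer=(label=systemd-timesyncd, addr=none)`, `peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd)`) with unrestricted unix socket access, and `signal send,` carries neither a `set=` nor a `peer=`; for PID 1 these are the widest forms of those rules, so a one-line comment stating why the peer labels could not be kept would let a later reviewer judge the widening. The hunk also leaves an open question in the tree, `# It is unclear why this is needed here and not in sd` above the six `/etc/pacman.d/gnupg/S.* w` socket rules; that should be resolved, or at least marked `# TODO(review): confirm whether PID 1 or the sd profile needs these`, before the profile leaves complain mode. `/etc/systemd/system/** w` deserves a comment naming the operation that makes PID 1 write unit files (unit enable/disable over D-Bus is the likely case, but that is inferred, not visible here). The profile block starts and ends outside this hunk.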
@@ -242,20 +207,31 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/fs/binfmt_misc/ r, @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/* r, - @{PROC}/sysvipc/{shm,sem,msg} r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/1/coredump_filter r, + owner @{PROC}/1/fdinfo/@{int} r, + owner @{PROC}/1/gid_map r, + owner @{PROC}/1/oom_score_adj rw, + owner @{PROC}/1/setgroups r, + owner @{PROC}/1/uid_map r, /dev/autofs r, + /dev/dri/card@{int} rw, + /dev/initctl w, + /dev/input/ r, /dev/kmsg w, + /dev/tty rw, + /dev/tty@{int} rw, owner /dev/console rwk, - owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, - owner /dev/initctl rw, owner /dev/input/event@{int} rw, owner /dev/mqueue/ rw, owner /dev/rfkill rw, - owner /dev/shm/ rw, + owner /dev/shm/ r, owner /dev/ttyS@{int} rwk, include if exists diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service deleted file mode 100644 index 3a72cfe7e..000000000 --- a/apparmor.d/groups/_full/systemd-service +++ /dev/null 
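Review bot: The new self-access rules mix `owner @{PROC}/@{pid}/mountinfo r,` with `owner @{PROC}/1/coredump_filter r,` and the rest of the `@{PROC}/1/...` block; pinning the pid to `1` is accurate for the system manager, but two forms in adjacent lines read as if they addressed different subjects. Pick one form for the whole group (e.g. `owner @{PROC}/1/mountinfo r,`) or add `# PID 1 reading its own /proc entries` above the block. Likewise `/dev/dri/card@{int} rw,` and `/dev/initctl w,` lose their `owner` qualifier while `owner /dev/console rwk,` keeps it; a short comment on why these device nodes no longer need it would avoid the question on the next read. The profile's closing brace is outside the hunk.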
@@ -1,72 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-service" exec transitions from the systemd profile. - -abi , - -include - -profile systemd-service flags=(attach_disconnected) { - include - include - include - - capability chown, - capability fsetid, - - @{bin}/ldconfig rix, - @{bin}/savelog rix, - @{bin}/systemctl rix, - @{bin}/gzip rix, - @{coreutils_path} rix, - @{sh_path} rmix, - - # ifup@.service - @{bin}/ifup rPx, - - # shadow.service - @{bin}/pwck rPx, - @{bin}/grpck rPx, - - @{bin}/grub-editenv rPx, - @{bin}/ibus-daemon rPx, - - @{bin}/* r, - @{lib}/ r, - - /var/cache/ldconfig/{,**} rw, - - /boot/grub/grubenv rw, - /boot/grub/ w, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - # man-db.service - /usr/{,local/}share/man/{,**} r, - /etc/manpath.config r, - /var/cache/man/{,**} rwk, - - # snapd.system-shutdown.service - @{run}/initramfs/shutdown rw, - @{run}/initramfs/ rw, - - # cockpit.socket - @{run}/cockpit/@{rand8} rw, - @{run}/cockpit/motd w, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index f88604124..b3d751be1 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user 
@@ -11,12 +11,12 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd-user flags=(attach_disconnected,mediate_deleted) { +profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { include include include 
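Review bot: Adding `complain` to the `systemd-user` profile flags turns every denial in this profile into a log entry instead of an enforcement, and nothing in the file records whether this is a temporary soak for the new executor-based flow or a permanent choice. A comment above the header, `# complain: executor-based service start under evaluation, drop once the policy is validated`, or a tracking reference, would make the intent explicit and give the flag an exit condition. The `systemd` profile header earlier in this diff receives the same flag. The `abi` line change shows no target in this view, so I cannot check it.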
@@ -25,84 +25,61 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { network netlink raw, - signal (send) set=(term, cont, kill), - signal (receive) set=(hup) peer=@{p_systemd}, + signal send, - ptrace (read) peer=@{p_systemd}, + ptrace read, - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-system, - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix type=dgram peer=(label=@{p_sdu}), + + unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, + unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 - @{exec_path} mr, + @{exec_path} mrix, - @{bin}/dbus-broker rpx -> dbus-session, - @{bin}/dbus-broker-launch rpx -> dbus-session, - @{bin}/dbus-daemon rpx -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper rpx -> dbus-session, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sdu, - @{bin}/systemctl rCx -> systemctl, - @{lib}/systemd/systemd-executor rix, - @{sh_path} rix, # Should be handled by default profile? - @{bin}/grep rix, - @{bin}/sleep rix, - - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - /usr/share/*/** Px, - - #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber - @{bin}/pipewire rPx -> systemd-user//&pipewire, - @{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session, - @{bin}/pipewire-pulse rPx -> systemd-user//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd-user//&pulseaudio, - @{bin}/wireplumber rPx -> systemd-user//&wireplumber, - - /usr/ r, - /usr/share/defaults/**.conf r, + # Systemd user generators. 
Profiles must exist + @{lib}/systemd/user-environment-generators/* Px, + @{lib}/systemd/user-generators/* Px, + @{etc_ro}/environment r, /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, - / r, - - owner @{HOME}/.local/ w, - owner @{user_config_dirs}/systemd/user/{,**} rw, - @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, @{run}/systemd/notify w, + @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, - @{run}/udev/data/b254:@{int} r, # for /dev/zram* + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, - @{sys}/module/apparmor/parameters/enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, 
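Review bot: `ptrace read,` drops the `peer=@{p_systemd}` restriction the old rule carried, and `signal send,` drops `set=(term, cont, kill)`; for a per-user manager that only needs to inspect and signal its own units, the narrower forms (or a `peer=` scoped to the units it starts) seem preferable, and if a denial motivated the widening a comment naming it would help. The generator rules use `Px` here (`@{lib}/systemd/user-generators/* Px,`) while the system profile in the same commit uses `mPx` for the equivalent rules; pick one form for both. The profile block starts and ends outside the hunk.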
@@ -111,27 +88,25 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pid}/coredump_filter r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/oom_score_adj rw, - /dev/tty rw, - - profile systemctl { - include - include - - include if exists - include if exists - } + deny capability bpf, + deny capability dac_override, + deny capability dac_read_search, + deny capability mknod, + deny capability net_admin, + deny capability perfmon, + deny capability sys_admin, + deny capability sys_boot, + deny capability sys_resource, include if exists include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource index 8b9e434a5..0471cd8f4 100644 --- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource +++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource 
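Review bot: The appended `deny capability ...` block has no comment, and `deny` rules are quiet by default (no audit entry unless prefixed with `audit`), so if one of these capabilities is actually needed it will not show up during the complain-mode evaluation this commit sets up. Consider `audit deny capability sys_admin,` (and likewise for the others) while the profile is being validated, or a comment such as `# Denied: the user manager never needs system-manager capabilities` so the choice reads as intentional. The profile's closing brace is outside the hunk.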
@@ -2,40 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_akonotes_resource profile akonadi_akonotes_resource @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, - /usr/share/hwdata/*.ids r, - - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/akonadi_akonotes_resource_[0-9]rc r, + owner @{user_config_dirs}/akonadi_akonotes_resource_@{int}rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, owner @{user_share_dirs}/notes/**/ r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index 5d305062d..ed72aa21b 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent @@ -2,30 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_archivemail_agent profile akonadi_archivemail_agent @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - /usr/share/hwdata/*.ids r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_archivemail_agentrc r, 
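Review bot: The per-profile `/etc/xdg/kdeglobals r,`, `/etc/xdg/kwinrc r,`, `owner @{user_config_dirs}/kdeglobals r,`, `owner @{user_config_dirs}/kwinrc r,`, `owner @{user_cache_dirs}/icon-cache.kcache rw,` and `/usr/share/hwdata/*.ids r,` rules are removed in favour of an added `include` whose target is not visible in this view; please confirm the new abstraction carries the same reads (in particular the `owner @{user_config_dirs}/kdedefaults/*` paths), otherwise the KDE settings reads these agents perform start being denied. The `[0-9]` to `@{int}` change in `akonadi_akonotes_resource_@{int}rc` widens the match to multi-digit instance numbers, which reads as intended. The same removals appear in the following akonadi hunks (archivemail, birthdays, contacts, control, followupreminder, ical, indexing, maildir, maildispatcher, mailfilter, mailmerge, migration, newmailnotifier, notes, sendlater); one check of the abstraction covers them all.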
@@ -34,12 +26,8 @@ profile akonadi_archivemail_agent @{exec_path} { owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities.lock rwk, owner @{user_config_dirs}/emailidentities{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kmail2rc r, - owner @{user_config_dirs}/kwinrc r, - + owner @{user_share_dirs}/akonadi/file_db_data/{,**} r, /dev/tty r, diff --git a/apparmor.d/groups/akonadi/akonadi_birthdays_resource b/apparmor.d/groups/akonadi/akonadi_birthdays_resource index a4adaf453..d3bf2074c 100644 --- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource +++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource @@ -2,39 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_birthdays_resource profile akonadi_birthdays_resource @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, /usr/share/akonadi/plugins/{,**} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi_birthdays_resourcerc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource index 9646d1ca4..58c7443fc 100644 --- a/apparmor.d/groups/akonadi/akonadi_contacts_resource +++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource 
@@ -2,40 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_contacts_resource profile akonadi_contacts_resource @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/akonadi_contacts_resource_[0-9]rc r, + owner @{user_config_dirs}/akonadi_contacts_resource_@{int}rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - owner @{user_share_dirs}/contacts/ r, owner @{user_share_dirs}/contacts/*.vcf w, diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control index 444fb5199..945cc82b9 100644 --- a/apparmor.d/groups/akonadi/akonadi_control +++ b/apparmor.d/groups/akonadi/akonadi_control @@ -2,19 +2,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_control profile akonadi_control @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, 
@@ -22,24 +19,17 @@ profile akonadi_control @{exec_path} { @{bin}/akonadiserver rPx, /usr/share/akonadi/{,**} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/akonadi/{,**} rwl, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, owner @{user_share_dirs}/akonadi/{,**} rwl, - + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent index 4c13bcbe0..be897ee9e 100644 --- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent +++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent @@ -2,19 +2,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_followupreminder_agent profile akonadi_followupreminder_agent @{exec_path} { include - include - include include + include include - include - include network inet dgram, network inet6 dgram, @@ -22,22 +19,10 @@ profile akonadi_followupreminder_agent @{exec_path} { @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_followupreminder_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - + /dev/tty r, include if exists 
diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource index fea2fb594..2a5c95729 100644 --- a/apparmor.d/groups/akonadi/akonadi_ical_resource +++ b/apparmor.d/groups/akonadi/akonadi_ical_resource @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,27 +10,19 @@ include profile akonadi_ical_resource @{exec_path} { include include + include include - include - include @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icons/{,**} r, - /usr/share/mime/{,**} r, + owner @{user_cache_dirs}/akonadi_ical_resource_@{int}/{,*} rwl, - owner @{user_cache_dirs}/akonadi_ical_resource_[0-9]/{,*} rwl, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_ical_resource_[0-9]rc rwl, + owner @{user_config_dirs}/akonadi_ical_resource_@{int}rc rwl, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, + owner @{user_share_dirs}/apps/korganizer/{,**} rw, - + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent index 9a5cc32f2..32a332793 100644 --- a/apparmor.d/groups/akonadi/akonadi_indexing_agent +++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent @@ -2,19 +2,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_indexing_agent profile akonadi_indexing_agent @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, 
@@ -22,14 +19,8 @@ profile akonadi_indexing_agent @{exec_path} { /usr/share/akonadi/plugins/serializer/ r, /usr/share/akonadi/plugins/serializer/*.desktop r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_indexing_agentrc rw, @@ -37,10 +28,6 @@ profile akonadi_indexing_agent @{exec_path} { owner @{user_config_dirs}/akonadi_indexing_agentrc.lock rwk, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, owner @{user_share_dirs}/akonadi/ rw, owner @{user_share_dirs}/akonadi/** rwlk -> @{user_share_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource index a04ee16bf..be9621437 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildir_resource +++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource 
@@ -2,40 +2,28 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_maildir_resource profile akonadi_maildir_resource @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, + owner @{user_mail_dirs}/{,**} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r, + owner @{user_config_dirs}/akonadi_maildir_resource_@{int}rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - owner @{user_share_dirs}/akonadi_maildir_resource_[0-9]/{,**} rw, + owner @{user_share_dirs}/akonadi_maildir_resource_@{int}/{,**} rw, owner @{user_share_dirs}/akonadi/{,**} rwk, owner @{user_share_dirs}/local-mail*/{,**} rw, diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent index cc19a136f..c353ea819 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent +++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent @@ -2,20 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_maildispatcher_agent profile akonadi_maildispatcher_agent @{exec_path} { include - include - include include + include include - include include - include network inet dgram, network inet6 dgram, 
@@ -27,24 +24,13 @@ profile akonadi_maildispatcher_agent @{exec_path} { @{exec_path} mr, /usr/share/akonadi/plugins/{,**} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/knotifications{5,6}/akonadi_maildispatcher_agent.notifyrc r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_maildispatcher_agent.notifyrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/ksslcertificatemanager r, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/mailtransports r, owner @{user_config_dirs}/specialmailcollectionsrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index 8d8c30343..d1a2f008f 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent @@ -2,19 +2,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_mailfilter_agent profile akonadi_mailfilter_agent @{exec_path} { include - include - include include + include include - include - include ptrace (read) peer=akonadi_archivemail_agent, @@ -23,14 +20,7 @@ profile akonadi_mailfilter_agent @{exec_path} { /usr/share/akonadi/plugins/serializer/ r, /usr/share/akonadi/plugins/serializer/*.desktop r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r, 
@@ -43,12 +33,8 @@ profile akonadi_mailfilter_agent @{exec_path} { owner @{user_config_dirs}/emailidentities.lock rwk, owner @{user_config_dirs}/emailidentities* rwl, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kmail2rc r, - owner @{user_config_dirs}/kwinrc r, - + owner @{tmp}/#@{int} rw, owner @{tmp}/akonadi_mailfilter_agent.* rwl, diff --git a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent index fd9012142..2083318e7 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent @@ -2,19 +2,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_mailmerge_agent profile akonadi_mailmerge_agent @{exec_path} { include - include - include include + include include - include - include network inet dgram, network inet6 dgram, @@ -23,22 +20,9 @@ profile akonadi_mailmerge_agent @{exec_path} { @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent index 832e5760b..55fedf4ea 100644 --- a/apparmor.d/groups/akonadi/akonadi_migration_agent +++ b/apparmor.d/groups/akonadi/akonadi_migration_agent 
@@ -2,40 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_migration_agent profile akonadi_migration_agent @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi-migrationrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, owner @{user_share_dirs}/akonadi_migration_agent/{,**} rw, - + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent index b5a0d7577..28ce1123c 100644 --- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent +++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,12 +16,9 @@ profile akonadi_newmailnotifier_agent @{exec_path} { @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - /usr/share/knotifications{5,6}/akonadi_newmailnotifier_agent.notifyrc r, /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r, owner @{user_config_dirs}/akonadi/ rw, 
@@ -29,7 +26,6 @@ profile akonadi_newmailnotifier_agent @{exec_path} { owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities.lock rwk, owner @{user_config_dirs}/emailidentities* rwl, - owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kmail2rc r, owner @{user_config_dirs}/specialmailcollectionsrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_notes_agent b/apparmor.d/groups/akonadi/akonadi_notes_agent index d2c1fe059..8e8665e40 100644 --- a/apparmor.d/groups/akonadi/akonadi_notes_agent +++ b/apparmor.d/groups/akonadi/akonadi_notes_agent @@ -2,19 +2,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_notes_agent profile akonadi_notes_agent @{exec_path} { include - include - include include + include include - include - include network inet dgram, network inet6 dgram, @@ -23,21 +20,9 @@ profile akonadi_notes_agent @{exec_path} { @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_*_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, /dev/tty r, diff --git a/apparmor.d/groups/akonadi/akonadi_sendlater_agent b/apparmor.d/groups/akonadi/akonadi_sendlater_agent index f640ca86f..2053bf298 100644 --- a/apparmor.d/groups/akonadi/akonadi_sendlater_agent +++ b/apparmor.d/groups/akonadi/akonadi_sendlater_agent 
@@ -2,19 +2,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_sendlater_agent profile akonadi_sendlater_agent @{exec_path} { include - include - include include + include include - include - include network inet dgram, network inet6 dgram, @@ -23,23 +20,10 @@ profile akonadi_sendlater_agent @{exec_path} { @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_sendlater_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent index cc0807a6b..4e0e5820a 100644 --- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent +++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent 
@@ -2,37 +2,23 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_unifiedmailbox_agent profile akonadi_unifiedmailbox_agent @{exec_path} { include - include - include include + include include - include - include @{exec_path} mr, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - + owner "@{user_config_dirs}/Unknown Organization/akonadi_unifiedmailbox_agent.conf_changes.dat" r, # see https://bugs.kde.org/show_bug.cgi?id=452565 owner @{user_config_dirs}/akonadi_unifiedmailbox_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, /dev/tty r, diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/groups/apparmor/aa-enabled similarity index 96% rename from apparmor.d/profiles-a-f/aa-enabled rename to apparmor.d/groups/apparmor/aa-enabled index d5ebe0c10..fe350b2f6 100644 --- a/apparmor.d/profiles-a-f/aa-enabled +++ b/apparmor.d/groups/apparmor/aa-enabled @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce similarity index 69% rename from apparmor.d/profiles-a-f/aa-enforce rename to apparmor.d/groups/apparmor/aa-enforce index a6f3d2b9e..1f8368045 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce 
@@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain +@{exec_path} = @{sbin}/aa-enforce @{sbin}/aa-complain @{sbin}/aa-audit @{sbin}/aa-disable profile aa-enforce @{exec_path} { include include @@ -16,8 +16,8 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, - @{bin}/ r, - @{bin}/apparmor_parser rPx, + @{sbin}/ r, + @{sbin}/apparmor_parser rPx, /usr/share/terminfo/** r, @@ -25,11 +25,15 @@ profile aa-enforce @{exec_path} { /etc/apparmor.d/{,**} rw, @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw, owner /var/lib/snapd/apparmor/{,**} rw, - owner @{PROC}/@{pid}/fd r, + owner @{tmp}/@{rand8} rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, + + @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/groups/apparmor/aa-log similarity index 55% rename from apparmor.d/profiles-a-f/aa-log rename to apparmor.d/groups/apparmor/aa-log index 6d1f690f6..1a3e0aeff 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
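Review bot: The `owner` qualifier is dropped when `owner @{PROC}/@{pid}/fd r,` becomes `@{PROC}/@{pid}/fd/ r,` in the last aa-enforce hunk, so if `@{pid}` expands to the general pid glob (as it does in the upstream tunables) the rule now covers the fd directory of any process, not only the tool's own. The trailing slash looks like the real fix, since fd is a directory, and the owner restriction can be kept with it: `owner @{PROC}/@{pid}/fd/ r,`. If inspecting other processes' descriptors is intended, a comment saying so would help, because nothing else in this profile reads foreign /proc entries. The aa-enforce profile body starts outside the hunk.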
@@ -16,23 +16,32 @@ profile aa-log @{exec_path} { @{exec_path} mr, - @{bin}/journalctl rix, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, + @{bin}/journalctl rCx -> journalctl, /var/log/audit/* r, /var/log/syslog* r, - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/{,*} r, - - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - @{PROC}/sys/kernel/cap_last_cap r, - /dev/tty@{int} rw, + profile journalctl { + include + include + + capability sys_resource, + + @{bin}/journalctl mr, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + @{PROC}/sys/kernel/random/boot_id r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify new file mode 100644 index 000000000..07706d052 --- /dev/null +++ b/apparmor.d/groups/apparmor/aa-notify 
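Review bot: The new `journalctl` child profile in aa-log grants `capability sys_resource,` with no comment recording which operation needed it, and it is the only capability the child holds. If it was added for journalctl raising its own file-descriptor limit (presumably seen as a setrlimit denial), say so inline: `capability sys_resource, # journalctl raises RLIMIT_NOFILE at start — confirm from the audit log`. Moving journalctl out of the parent into `rCx -> journalctl` is otherwise a good narrowing, since the machine-id and journal reads no longer apply to aa-log itself.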
@@ -0,0 +1,112 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{sbin}/aa-notify
+profile aa-notify @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ @{bin}/gtk-launch ix,
+ @{bin}/pkexec Cx -> pkexec,
+ @{bin}/xdg-mime Px,
+ @{open_path} Cx -> open,
+
+ @{bin}/ r,
+
+ /usr/share/apparmor/** r,
+ /usr/share/terminfo/** r,
+
+ @{etc_ro}/inputrc r,
+ @{etc_ro}/inputrc.keys r,
+ /etc/apparmor.d/{,**} r,
+ /etc/apparmor/*.conf r,
+
+ /var/log/audit/audit.log r,
+
+ owner @{HOME}/.inputrc r,
+ owner @{HOME}/.terminfo/@{int}/dumb r,
+
+ owner @{tmp}/@{word8} rw,
+ owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/cmdline r,
+
+ profile open {
+ include
+ include
+
+ @{editor_ui_path} rPx -> aa-notify//editor,
+
+ include if exists
+ }
+
+ profile editor {
+ include
+ include
+ include
+ include
+ include
+
+ @{editor_ui_path} rix,
+ @{open_path} rPx -> child-open-help,
+
+ /etc/apparmor.d/{,**} r,
+
+ owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ include if exists
+ }
+
+ profile pkexec {
+ include
+ include
+ include
+
+ ptrace read peer=aa-notify,
+
+ @{sbin}/apparmor_parser Px,
+ @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix,
+
+ /usr/share/apparmor/** r,
+ /usr/share/terminfo/** r,
+
+ @{etc_ro}/inputrc r,
+ @{etc_ro}/inputrc.keys r,
+
+ /etc/apparmor.d/ r,
+ /etc/apparmor.d/** rw,
+ /etc/apparmor/* r,
+
+ @{PROC}/@{pid}/mounts r,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
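Review bot: In the new aa-notify profile the parent holds `capability sys_ptrace,` together with an unscoped `ptrace read,`, while the `pkexec` child scopes the same permission to `peer=aa-notify`; the parent rule should either be scoped or carry a comment saying why it cannot be. Reading `@{PROC}/@{pid}/stat` and `cmdline` of the processes named in audit events is presumably the reason, in which case `ptrace read, # read /proc/<pid>/{stat,cmdline} of the processes reported in audit events — confirm` documents the grant. The `pkexec` child also deserves a one-line purpose comment, since it combines `/etc/apparmor.d/** rw` with `@{sbin}/apparmor_parser Px` and an `ix` of update_profile.py, i.e. it is the path by which a notification action can modify and reload system policy. Finally `owner @{tmp}/@{word8} rw,` matches any eight-character name under the user's tmp; naming the producer in a comment would let a later reviewer tighten it.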
diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/groups/apparmor/aa-status similarity index 79% rename from apparmor.d/profiles-a-f/aa-status rename to apparmor.d/groups/apparmor/aa-status index 5d5840f6f..9badb78c1 100644 --- a/apparmor.d/profiles-a-f/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status +@{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status profile aa-status @{exec_path} { include include @@ -22,8 +22,8 @@ profile aa-status @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/ r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/groups/apparmor/aa-teardown similarity index 90% rename from apparmor.d/profiles-a-f/aa-teardown rename to apparmor.d/groups/apparmor/aa-teardown index 263c7b9af..059766181 100644 --- a/apparmor.d/profiles-a-f/aa-teardown +++ b/apparmor.d/groups/apparmor/aa-teardown @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/aa-teardown +@{exec_path} = @{sbin}/aa-teardown profile aa-teardown @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined new file mode 100644 index 000000000..7308a5ef0 --- /dev/null +++ b/apparmor.d/groups/apparmor/aa-unconfined 
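Review bot: The aa-status hunk rewrites `@{PROC}/@{pids}/attr/apparmor/current r,` and `@{PROC}/@{pids}/attr/current r,` with `@{pid}`, which by this project's convention reads as the process's own pid, yet aa-status exists to report the confinement of every process; in the same commit the new aa-unconfined profile keeps `@{pids}` for the identical two rules. If `@{pids}` is only an alias of `@{pid}` in the tunables the change is cosmetic, but it then inverts the convention on a rule that clearly targets foreign processes, and the two profiles should at least agree. Either revert the two lines to `@{pids}` or annotate them with `# any pid: aa-status enumerates all confined processes`. The aa-status profile starts outside the hunk.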
@@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/aa-unconfined +profile aa-unconfined @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{bin}/ r, + @{bin}/netstat Px, + @{sbin}/ss Px, + + /usr/share/terminfo/** r, + + /etc/apparmor/logprof.conf r, + @{etc_ro}/inputrc r, + + owner @{tmp}/@{rand8} rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, + owner /var/tmp/@{rand8} rw, + + @{PROC}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/attr/current r, + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd similarity index 75% rename from apparmor.d/profiles-a-f/apparmor.systemd rename to apparmor.d/groups/apparmor/apparmor.systemd index a6d517b2a..f58512a02 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/apparmor/apparmor.systemd -profile apparmor.systemd @{exec_path} flags=(complain) { +profile apparmor.systemd @{exec_path} { include include include @@ -19,14 +19,14 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/aa-status rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/aa-status rPx, + @{sbin}/apparmor_parser rPx, @{bin}/getconf rix, @{bin}/ls rix, @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, 
@@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/mounts r, - @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, /dev/tty rw, + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser similarity index 80% rename from apparmor.d/profiles-a-f/apparmor_parser rename to apparmor.d/groups/apparmor/apparmor_parser index 82acd0d0f..a5769931c 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -2,13 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} -@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser +@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include include @@ -17,6 +17,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{lib_dirs}/@{multiarch}/** mr, @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, @@ -44,6 +45,9 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/mounts r, + deny network netlink raw, # file_inherit + /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? + include if exists } diff --git a/apparmor.d/groups/apps/freetube-chrome-sandbox b/apparmor.d/groups/apps/freetube-chrome-sandbox deleted file mode 100644 index 5dc20400e..000000000 --- a/apparmor.d/groups/apps/freetube-chrome-sandbox +++ /dev/null 
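Review bot: `@{lib_dirs}/@{multiarch}/** mr,` in the first apparmor_parser hunk grants map-executable on every file under the multiarch library directories of the host and of the snapd/core snaps, not only on shared objects. If the rule exists so the snap-shipped parser can load its own libraries, `@{lib_dirs}/@{multiarch}/**.so* mr,` keeps that working while excluding data files and helpers living under the same tree; a comment naming the snap case would also explain why the abstractions' normal library rules are not enough here. The profile body continues outside the hunk.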
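Review bot: The comment on `/opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad?` in the second apparmor_parser hunk neither states the observed behaviour nor what is wrong with it, and has a typo (`thing` for `think`). Replace it with something a maintainer can act on, keeping the rule unchanged, e.g. `# FIXME: the parser is invoked on Mullvad's bundled profile under /opt; document who loads it and whether this rule should stay`. The `# file_inherit` tag on `deny network netlink raw,` is fine: it records the denial reason that motivated the rule.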
@@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = {F,f}reetube{,-vue} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} - -@{exec_path} = @{lib_dirs}/chrome-sandbox -profile freetube-chrome-sandbox @{exec_path} { - include - include - - capability sys_admin, - capability setgid, - capability setuid, - capability sys_chroot, - - @{exec_path} mr, - - # Has to be lower "P" - @{lib_dirs}/@{name} rpx, - - @{PROC}/@{pids}/ r, - owner @{PROC}/@{pid}/oom_{,score_}adj r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index dcc6303c8..8581fe724 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -3,17 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd +@{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include - include include include include 
@@ -34,16 +33,24 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix (bind) type=stream addr=@@{hex16}/bus/apt/system, + unix bind type=stream addr=@@{udbus}/bus/apt-get/system, + unix bind type=stream addr=@@{udbus}/bus/apt/system, + + unix type=stream peer=(label=@{p_snap}), unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), #aa:dbus own bus=system name=org.debian.apt - dbus send bus=system path=/org/freedesktop/DBus/Bus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.PackageKit + member=StateHasChanged + peer=(name=org.freedesktop.PackageKit), dbus send bus=system interface=org.freedesktop.DBus.Introspectable @@ -51,15 +58,16 @@ profile apt @{exec_path} flags=(attach_disconnected) { peer=(name="{:*,org.freedesktop.DBus}"), @{exec_path} mr, + @{python_path} mr, @{bin}/ r, @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/cat rix, @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, - @{bin}/ischroot rix, @{bin}/test rix, @{bin}/touch rix, 
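Review bot: `unix type=stream peer=(label=@{p_snap}),` in the first apt hunk carries no access list, and an AppArmor unix rule without one grants every unix-socket permission (create, bind, listen, connect, send, receive, …) toward that peer, whereas the two existing rules directly below it are limited to `(send, receive)`. Unless apt really binds or accepts sockets for the snap peer, write it as `unix (send, receive) type=stream peer=(label=@{p_snap}),` to match its neighbours. The two new `unix bind` rules for `@@{udbus}/bus/apt-get/system` and `@@{udbus}/bus/apt/system` are correctly scoped. The apt profile starts outside the hunk.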
@@ -72,14 +80,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, + @{bin}/ischroot rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, + @{sbin}/dpkg-preconfigure rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/zsys-system-autosnapshot rPx, @@ -99,11 +108,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language-options rPx, # For editing the sources.list file - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, + @{editor_path} rCx -> editor, # For changelogs - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, #aa:only whonix @{lib}/uwt/uwtwrapper rix, @@ -129,6 +137,9 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/update-notifier/dpkg-run-stamp rw, /var/log/apt/{,**} rw, + /var/log/ubuntu-advantage-apt-hook.log w, + + @{efi}/ r, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, @@ -136,12 +147,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, + /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, owner @{tmp}/apt.conf.* rw, owner @{tmp}/apt.data.* rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, @@ -149,8 +163,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, - profile editor flags=(complain) { include include 
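Review bot: `@{editor_path} rCx -> editor,` in the `@@ -99,11 +108,10 @@` hunk now routes every program in `@{editor_path}` into the `editor` child, and the last hunk on this line shows that child is still declared `profile editor flags=(complain) {`; complain mode only logs, so `apt edit-sources` launches the editor with no enforced confinement even though the parent profile enforces. That was already true for `sensible-editor` and `vim.*`, but widening the set of programs that enter a complain-mode child is worth a comment on the declaration, e.g. `# still complain: editor set widened to @{editor_path}; enforce once its entries are validated`, or a tracking reference. Replacing `rPUx` with `rPx` for snap is a welcome tightening. The apt profile starts and ends outside these hunks.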
@@ -162,19 +174,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile pager { include - include - - capability dac_read_search, - - @{bin}/ r, - @{sh_path} rix, - @{bin}/less rix, - @{bin}/sensible-pager mr, - @{bin}/which{,.debianutils} rix, - - /root/ r, # For shell pwd - - owner @{HOME}/.less* rw, + include owner @{tmp}/apt-changelog-*/ r, owner @{tmp}/apt-changelog-*/*.changelog r, @@ -188,10 +188,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { include @{bin}/dpkg-source mr, - @{bin}/perl r, @{bin}/bunzip2 rix, @{bin}/chmod rix, + @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, @@ -199,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/debian r, + /etc/dpkg/origins/* r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 0c11fbfb2..afd34f7e5 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index a2268648b..0ce146261 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, 
@@ -18,26 +18,25 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/mount rCx -> mount, @{bin}/umount rCx -> umount, /etc/fstab r, - # Are all of these needed? (#FIXME#) - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, - # @{run}/udev/data/* r, + /etc/apt/sources.list{,.new} rw, + /etc/apt/sources.list~ w, + + /var/lib/apt/lists/** rw, + + /var/lib/apt/cdroms.list{,.new} rw, + /var/lib/apt/cdroms.list~ w, # For cd-roms - /media/cdrom[0-9]/ r, - /media/cdrom[0-9]/**/ r, - /media/cdrom[0-9]/.disk/info r, - /media/cdrom[0-9]/dists/**/binary-*/Packages{,.gz} r, - /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r, + /media/cdrom@{int}/ r, + /media/cdrom@{int}/**/ r, + /media/cdrom@{int}/.disk/info r, + /media/cdrom@{int}/dists/**/binary-*/Packages{,.gz} r, + /media/cdrom@{int}/dists/**/i18n/Translation-en{,.gz} r, # For pendrives @{MOUNTS}/ r, @@ -46,16 +45,15 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r, @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r, - /var/lib/apt/lists/** rw, + # Are all of these needed? (#FIXME#) + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/fd/ r, - /var/lib/apt/cdroms.list{,.new} rw, - /var/lib/apt/cdroms.list~ w, - - /etc/apt/sources.list{,.new} rw, - /etc/apt/sources.list~ w, - profile mount flags=(complain) { include @@ -63,7 +61,7 @@ profile apt-cdrom @{exec_path} flags=(complain) { /etc/fstab r, - /media/cdrom[0-9]/ r, + /media/cdrom@{int}/ r, include if exists } diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 48a540043..834bcbd8c 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config 
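Review bot: The first apt-cdrom hunk removes `@{bin}/mount rCx -> mount,` while the `profile mount flags=(complain) {` child is kept (the last hunk still edits its `/media/cdrom@{int}/ r,` rule), so unless a replacement transition such as `@{sbin}/mount rCx -> mount,` exists outside the visible hunks the child profile is now unreachable dead policy. Either restore the exec rule with the path the rest of this commit uses for sbin tools, or delete the child. Moving the sources.list, cdroms.list and sysfs rules is otherwise a pure reorder.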
@@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index f958d2575..6fbfad65b 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -3,15 +3,15 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/apt-extracttemplates +@{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index bc6e523b4..6551f21a7 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -3,18 +3,17 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, - @{bin}/perl r, @{bin}/fgrep rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index ea687173f..3eec09d60 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-ftparchive b/apparmor.d/groups/apt/apt-ftparchive index 4b8e45799..f7e9b4651 100644 --- a/apparmor.d/groups/apt/apt-ftparchive +++ b/apparmor.d/groups/apt/apt-ftparchive 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index d6d4b5d7b..18b6d7241 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, @@ -22,9 +22,11 @@ profile apt-helper @{exec_path} { profile systemctl { include include - + capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 2d0f6a664..12a7b3a67 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -78,7 +78,7 @@ profile apt-key @{exec_path} { @{bin}/gpg-connect-agent rix, /usr/share/gnupg/sks-keyservers.netCA.pem r, - + /etc/hosts r, /etc/inputrc r, @@ -96,13 +96,13 @@ profile apt-key @{exec_path} { owner @{tmp}/apt-key-gpghome.*/ rw, owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w, - + owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index a04bd459a..a60457ec8 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
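Review bot: The `systemctl` child profile in apt-helper gains `capability net_admin,` and `ptrace read peer=@{p_systemd},` with no comment saying which systemctl operation needs a network-administration capability; net_admin is broad and its presence in a package helper will surprise the next reader. If it was observed as a setsockopt denial on the bus socket (presumably SO_SNDBUFFORCE, which systemd's bus code uses), record that: `capability net_admin, # setsockopt(SO_SNDBUFFORCE) on the bus socket — confirm from the audit log`. The ptrace rule is sensibly scoped to the systemd peer.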
@@ -23,7 +23,7 @@ profile apt-listbugs @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/ruby[0-9].@{int} rix, + @{bin}/ruby@{int}.@{int} rix, @{sh_path} rix, @{bin}/logname rix, @@ -34,7 +34,7 @@ profile apt-listbugs @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, + /usr/local/lib/site_ruby/@{d}.@{d}.@{d}/**.rb r, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, @@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/apt/apt-listbugs-aptcleanup b/apparmor.d/groups/apt/apt-listbugs-aptcleanup index 3500ead6c..ccf56a603 100644 --- a/apparmor.d/groups/apt/apt-listbugs-aptcleanup +++ b/apparmor.d/groups/apt/apt-listbugs-aptcleanup @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index f8eca9dfb..d7089b76a 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile apt-listbugs-migratepins @{exec_path} { include @{exec_path} r, - @{bin}/ruby[0-9].@{int} rix, + @{bin}/ruby@{int}.@{int} rix, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, diff --git a/apparmor.d/groups/apt/apt-listbugs-prefclean b/apparmor.d/groups/apt/apt-listbugs-prefclean index 461edace9..7dc4ea09e 100644 --- a/apparmor.d/groups/apt/apt-listbugs-prefclean 
+++ b/apparmor.d/groups/apt/apt-listbugs-prefclean @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile apt-listbugs-prefclean @{exec_path} { include @{exec_path} r, - @{bin}/ruby[0-9].@{int} rix, + @{bin}/ruby@{int}.@{int} rix, @{bin}/date rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 8613f2280..0ee42f5a4 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,10 +14,10 @@ profile apt-listchanges @{exec_path} { include include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @@ -26,11 +26,11 @@ profile apt-listchanges @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-deb rpx, - # - @{bin}/sensible-pager rCx -> pager, - # Send results using email - @{bin}/exim4 rPx, + @{bin}/dpkg-deb px, + + @{pager_path} Cx -> pager, + @{bin}/dpkg Px -> child-dpkg, + @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, 
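Review bot: `capability dac_read_search,` replaces the commented-out `#capability sys_tty_config,` in the first apt-listchanges hunk without a note on which access required it; this capability bypasses directory read and search permission checks for the whole profile, so the reason should be recorded inline, e.g. `capability dac_read_search, # needed for: <observed denial> — confirm`. The exec rewrite in the third hunk is an improvement, since `@{sbin}/exim4 Px` and `@{bin}/dpkg Px -> child-dpkg` are named transitions rather than inherited execution. The apt-listchanges profile starts and ends outside these hunks.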
@@ -50,54 +50,20 @@ profile apt-listchanges @{exec_path} { /var/cache/apt/archives/ r, - owner @{PROC}/@{pid}/fd/ r, - /tmp/ r, - owner @{tmp}/* rw, - owner @{tmp}/apt-listchanges*/ rw, - owner @{tmp}/apt-listchanges*/**/ rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, - - # The following is needed when apt-listchanges uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, + owner @{tmp}/@{word8} rw, + owner @{tmp}/apt-listchanges@{word8}/ rw, + owner @{tmp}/apt-listchanges@{word8}/** rw, + owner @{PROC}/@{pid}/fd/ r, profile pager { include - include + include - capability dac_read_search, - #capability sys_tty_config, - - @{bin}/sensible-pager mr, - - @{bin}/ r, - @{sh_path} rix, - @{bin}/which{,.debianutils} rix, - @{bin}/less rix, - - owner @{HOME}/.less* rw, - - # For shell pwd - /root/ r, - - /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index f76159e78..c174267f5 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, 
diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 222f7540c..96ce36a72 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 2cd44be7b..e2878e108 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index ef49d144f..781f9714e 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,18 +20,19 @@ profile apt-methods-file @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, @{lib}/apt/apt-helper rix, - /etc/apt/apt.conf.d/{,*} r, + /etc/apt/apt-mirrors.txt r, /etc/apt/apt.conf r, + /etc/apt/apt.conf.d/{,*} r, /etc/apt/mirrors/* r, /usr/share/dpkg/cputable r, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index d57cc71f2..e753b4cf8 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index e2a7ed2b7..5f3654f6e 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,11 +20,12 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, @@ -84,6 +85,7 @@ profile apt-methods-gpgv @{exec_path} { owner @{tmp}/apt-key-gpghome.*/ rw, owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner @{tmp}/apt.{conf,sig,data}.* rw, + owner @{tmp}/apt.@{rand6}.gpg rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 72b39e719..77a418b07 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} { +profile apt-methods-http @{exec_path} flags=(attach_disconnected) { include include include 
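Review bot: `signal receive peer=role_*` accepts signals from every profile whose name starts with `role_`, a glob over peers rather than a named peer, and nothing on the page says which role profiles drive the apt methods; the same rule is added to apt-methods-http and apt-methods-store in this commit. A comment above the rule such as `# role_* wrapper profiles may interrupt apt methods — TODO name the roles that need it` (or listing the specific roles if known) would document the intended peers in all three profiles.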
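Review bot: `flags=(attach_disconnected)` is added to the apt-methods-http profile line without a comment naming the disconnected path that needs it; the flag makes paths detached from the namespace appear rooted at `/`, so it widens what the file rules match and is worth justifying. Suggested comment above the profile line: `# attach_disconnected: <TODO name the disconnected path seen in the denial>`.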
@@ -23,14 +23,16 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, - signal (receive) peer=ubuntu-advantage, - signal (receive) peer=unattended-upgrade, - signal (receive) peer=update-manager, + signal receive peer=@{p_apt_news}, + signal receive peer=@{p_packagekitd}, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=role_*, + signal receive peer=synaptic, + signal receive peer=ubuntu-advantage, + signal receive peer=unattended-upgrade, + signal receive peer=update-manager, ptrace (read), @@ -69,7 +71,10 @@ profile apt-methods-http @{exec_path} { owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, - @{run}/ubuntu-advantage/aptnews.json rw, + @{run}/ubuntu-advantage/aptnews.json rw, + owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, + + @{run}/systemd/resolve/io.systemd.Resolve rw, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 31656857f..025a1c01b 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,14 +20,15 @@ profile apt-methods-mirror @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, + /etc/apt/apt-mirrors.txt r, /etc/apt/mirrors/* r, # For shell pwd diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index e5dc4d609..1aadac2ec 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, - signal (receive) set=(int) peer=packagekitd, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, + signal receive set=(int) peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index bf51e32f7..1b76551b9 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv new file mode 100644 index 000000000..0dcd7da0d --- /dev/null +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/apt/methods/sqv +profile apt-methods-sqv @{exec_path} { + include + include + include + + # To handle the _apt user + capability setgid, + capability setuid, + + signal receive set=int peer=apt, + signal receive set=int peer=packagekitd, + + @{exec_path} mr, + + @{bin}/sqv ix, + + /usr/share/apt/default-sequoia.config r, + /usr/share/keyrings/debian-archive-keyring.gpg r, + /usr/share/keyrings/debian-archive-keyring.pgp r, + + owner /var/lib/apt/lists/{,**} r, + + owner /tmp/apt.data.@{rand6} rw, + owner /tmp/apt.sig.@{rand6} rw, + owner /tmp/apt.sqverr.@{rand6} rw, + owner /tmp/apt.sqvout.@{rand6} rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index a3d2ce33a..a6875a432 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
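Review bot: The new apt-methods-sqv profile uses literal `/tmp/apt.data.@{rand6} rw` (and three sibling rules) where apt-methods-gpgv in this same commit uses `owner @{tmp}/apt.@{rand6}.gpg rw`, and `signal receive set=int peer=packagekitd` where the other apt methods were just switched to `peer=@{p_packagekitd}`. Collapsing the four tmp rules to `owner @{tmp}/apt.{data,sig,sqverr,sqvout}.@{rand6} rw,` and writing the signal rule as `signal receive set=int peer=@{p_packagekitd},` keeps the new profile consistent with its siblings. The header also carries a 2019-2021 Mikhail Morfikov copyright on a file created in this commit, which looks copied from a template.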
@@ -20,11 +20,12 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index fb567a5ef..7f59635eb 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,6 @@ profile apt-overlay @{exec_path} { owner @{bin}/env r, @{lib}/ruby/{,**} r, - @{lib}/locale/locale-archive r, @{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk, /usr/share/rubygems-integration/{,**} r, @@ -31,7 +30,6 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, - owner @{PROC}/@{pids}/maps r, include if exists } diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index b060e0a12..514b952ff 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -3,19 +3,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include + include include include - include @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/apt-sortpkgs b/apparmor.d/groups/apt/apt-sortpkgs index 56162c9d2..af5ec2ef0 100644 --- a/apparmor.d/groups/apt/apt-sortpkgs +++ b/apparmor.d/groups/apt/apt-sortpkgs 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 7ebb4da0b..4f0d4e36b 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/ls rix, @{bin}/mv rix, @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/xargs rix, @{bin}/apt-config rPx, @@ -59,7 +59,7 @@ profile apt-systemd-daily @{exec_path} { /var/backups/ r, /var/backups/apt.extended_states rw, /var/backups/apt.extended_states.@{int} rw, - /var/backups/apt.extended_states.@{int}.gz w, + /var/backups/apt.extended_states.@{int}.gz rw, /var/cache/apt/ r, /var/cache/apt/archives/ r, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 12bd0efb1..b3f411c84 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -3,16 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory 
@@ -75,7 +75,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/debtags rPx, @{bin}/localepurge rPx, @{bin}/appstreamcli rPx, @@ -105,15 +105,15 @@ profile aptitude @{exec_path} flags=(complain) { owner @{user_cache_dirs}/aptitude/ rw, owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw, owner @{user_cache_dirs}/aptitude/metadata-download rwk, - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, # For aptitude-run-state-bundle owner @{tmp}/aptitudebug.*/ r, owner @{tmp}/aptitudebug.*/** rwk, /var/lib/apt-xapian-index/index r, - /var/cache/apt-xapian-index/index.[0-9]/*.glass r, - /var/cache/apt-xapian-index/index.[0-9]/iamglass r, + /var/cache/apt-xapian-index/index.@{int}/*.glass r, + /var/cache/apt-xapian-index/index.@{int}/iamglass r, /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, @@ -169,22 +169,11 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include - - @{bin}/ r, - @{bin}/sensible-pager mr, - @{sh_path} rix, - - @{bin}/which{,.debianutils} rix, - @{bin}/less rix, - - owner @{HOME}/.less* rw, + include owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, - # For shell pwd - /root/ r, - + include if exists } include if exists diff --git a/apparmor.d/groups/apt/aptitude-changelog-parser b/apparmor.d/groups/apt/aptitude-changelog-parser index 039de3095..cde501bd5 100644 --- a/apparmor.d/groups/apt/aptitude-changelog-parser +++ b/apparmor.d/groups/apt/aptitude-changelog-parser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile aptitude-changelog-parser @{exec_path} { include @{exec_path} r, - @{bin}/perl r, /etc/dpkg/origins/debian r, 
diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index a81c3dafb..a2f5e2050 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/apt/aptitude-run-state-bundle b/apparmor.d/groups/apt/aptitude-run-state-bundle index 9119e243c..fa3a45315 100644 --- a/apparmor.d/groups/apt/aptitude-run-state-bundle +++ b/apparmor.d/groups/apt/aptitude-run-state-bundle @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 6650ccedf..6d09e34c0 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,18 +12,21 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include + capability dac_read_search, + @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/snap rPUx, + @{bin}/lsb_release rPx, + @{bin}/snap rPx, - @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/ r, + @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int}@{int} w, /usr/share/command-not-found/{,**} r, 
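Review bot: In command-not-found, `@{bin}/snap rPx` replaces `rPUx`, so on a host where no `snap` profile is loaded the exec is now denied instead of falling back to unconfined; that is the stricter direction, but the dependency on the snap profile being shipped deserves a line in the commit message. `capability dac_read_search` is also added without the why-comment the other profiles use, and the trailing `@{int}@{int}` on the `__pycache__` rule reads like a typo; if it is deliberately matching a numeric suffix longer than one `@{int}` covers, a comment such as `# pyc temp suffix is longer than one @{int}` will stop it being "fixed" later.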
diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper new file mode 100644 index 000000000..d6e89f9a0 --- /dev/null +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/deb-systemd-helper +profile deb-systemd-helper @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/systemctl rCx -> systemctl, + + /etc/systemd/system/{,**} rw, + /etc/systemd/user/{,**} rw, + + /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, + /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, + /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw, + + profile systemctl { + include + include + + capability net_admin, + + /etc/ r, + /etc/systemd/ r, + /etc/systemd/system/ r, + /etc/systemd/system/* rw, + /etc/systemd/system/*.wants/ rw, + /etc/systemd/system/*.wants/* rw, + /etc/systemd/user/ r, + /etc/systemd/user/*.wants/ rw, + /etc/systemd/user/*.wants/* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke new file mode 100644 index 000000000..824d3b4dd --- /dev/null +++ b/apparmor.d/groups/apt/deb-systemd-invoke 
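Review bot: The main deb-systemd-helper profile grants `/etc/systemd/system/{,**} rw` and `/etc/systemd/user/{,**} rw`, which is wider than the per-`*.wants/` rules its own systemctl child is limited to; if the helper only manages unit symlinks and `*.wants/` entries, narrowing to `/etc/systemd/{system,user}/{*,*.wants/,*.wants/*} rw` brings it in line with the child. `capability net_admin` in the child has no comment saying which systemctl operation needs it; a one-line note naming the denied operation (`# net_admin: <TODO name the syscall from the denial>`) would document it.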
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/deb-systemd-invoke +profile deb-systemd-invoke @{exec_path} { + include + include + include + + capability net_admin, + capability sys_resource, + + ptrace read peer=@{p_systemd}, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/systemctl rix, #aa:lint ignore=transition + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index 31b55a24e..1d88c829b 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -3,51 +3,19 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, - @{bin}/perl r, @{bin}/apt-get rPx, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/debconf-apt-progress rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - } - include if exists } diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape new file mode 100644 index 000000000..c64401bb0 --- /dev/null 
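Review bot: `@{bin}/systemctl rix, #aa:lint ignore=transition` runs systemctl inside deb-systemd-invoke, so it inherits `capability net_admin`, `capability sys_resource` and `ptrace read peer=@{p_systemd}`, whereas the sibling deb-systemd-helper added in this commit confines the same binary in a `rCx -> systemctl` child. Either reusing that child-profile pattern here, or a comment above the rule explaining why inheritance is required, would make the difference between the two new profiles deliberate rather than accidental.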
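Review bot: After the debconf-apt-progress hunk the profile has no visible exec rule for `/usr/share/debconf/frontend`, which the removed `frontend` child and the `rPx` rule used to cover, while `@{bin}/apt-get rPx` stays explicit. If the transition to the new debconf-frontend profile is now supplied by the include swapped in at the top of the profile, a comment such as `# /usr/share/debconf/frontend transition comes from <include name>` would save the next reader from re-adding the rule.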
+++ b/apparmor.d/groups/apt/debconf-escape @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/debconf-escape +profile debconf-escape @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend new file mode 100644 index 000000000..0a7706fe1 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-frontend 
@@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/debconf/frontend +profile debconf-frontend @{exec_path} flags=(complain) { + include + include + include + include + include + include + + capability dac_read_search, + + @{exec_path} r, + + @{bin}/hostname ix, + @{bin}/lsb_release Px, + @{bin}/stty ix, + @{sbin}/update-secureboot-policy Px, + + # Debconf apps + @{bin}/adequate Px, + @{bin}/debconf-apt-progress Px, + @{bin}/linux-check-removal Px, + @{bin}/ucf Px, + @{sbin}/aspell-autobuildhash Px, + @{sbin}/pam-auth-update Px, + @{lib}/tasksel/tasksel-debconf Px -> tasksel, + /usr/share/debian-security-support/check-support-status.hook Px, + + # Grub + @{lib}/grub/grub-multi-install Px, + /usr/share/grub/grub-check-signatures Px, + + # Package maintainer's scripts + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts, + + # DKMS scipts + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, + + /etc/libpaper.d/texlive-base rPUx, + + /usr/share/debconf/{,**} r, + + /etc/inputrc r, + /etc/shadow r, + + owner /var/cache/debconf/* rwk, + + owner @{tmp}/file* w, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/updateppds.@{rand6} rw, + + @{HOME}/.Xauthority r, + + @{run}/user/@{uid}/pk-debconf-socket rw, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-show b/apparmor.d/groups/apt/debconf-show index 709e76f1f..ed9cf9094 100644 --- a/apparmor.d/groups/apt/debconf-show +++ b/apparmor.d/groups/apt/debconf-show @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
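Review bot: `/var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts` forces a named target while the neighbouring `/var/lib/dpkg/info/*.@{dpkg_script_ext} Px` and the dpkg profile in this commit rely on the scripts' own attachment; unless tmp.ci scripts are meant to differ, `Px` alone (or `-> dpkg-scripts` on both) keeps the two consistent. `/etc/shadow r` is carried over from the removed child in debconf-apt-progress without a comment; a debconf frontend reading the shadow file is worth a one-line justification (`# /etc/shadow: <TODO name the template or hook that needs it>`), especially while the profile is in complain mode and the denial would not be visible.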
@@ -14,7 +14,6 @@ profile debconf-show @{exec_path} { include @{exec_path} r, - @{bin}/perl r, @{bin}/locale rix, diff --git a/apparmor.d/groups/apt/deborphan b/apparmor.d/groups/apt/deborphan index 76068b32d..236069e99 100644 --- a/apparmor.d/groups/apt/deborphan +++ b/apparmor.d/groups/apt/deborphan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index ab391f72e..c67b1dfb5 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,13 +21,13 @@ profile debsecan @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, # Send results using email - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 7ed318aa7..635076069 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/debsign profile debsign @{exec_path} { include + include @{exec_path} r, @@ -27,14 +28,13 @@ profile debsign @{exec_path} { @{bin}/md5sum rix, @{bin}/mktemp rix, @{bin}/mv rix, - @{bin}/perl rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/sha{1,256,512}sum rix, @{bin}/stty rix, @{bin}/gpg{,2} rCx -> gpg, - + /etc/devscripts.conf r, owner @{HOME}/.devscripts r, diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index ee371bee8..8c0087770 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,28 +12,20 @@ profile debsums @{exec_path} { include include - # Needed to read files owned by other users than root. capability dac_read_search, @{exec_path} r, @{sh_path} rix, - @{bin}/{m,g,}awk rix, + @{bin}/{m,g,}awk ix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, - - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - /etc/locale.nopurge r, - - /var/lib/dpkg/info/* r, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/dpkg-divert Px -> child-dpkg-divert, # For shell pwd / r, @@ -45,7 +37,7 @@ profile debsums @{exec_path} { /etc/{,**} r, /var/lib/{,**} r, /opt/{,**} r, - /boot/{,**} r, + @{efi}/{,**} r, /lib*/{,**} r, include if exists diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index dff64bed3..53e5964bd 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -3,21 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include + include include - include include #capability sys_tty_config, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index b8e577833..986c6f188 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
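Review bot: `@{efi}/{,**} r` replaces `/boot/{,**} r` in debsums; if `@{efi}` expands only to the EFI system partition and not to `/boot` itself, debsums can no longer verify kernel and initrd files shipped under `/boot`, so please confirm the variable's definition covers both (the dpkg profile later in this commit makes the same `/boot` to `@{efi}` substitution). The first hunk also drops the `# Needed to read files owned by other users than root.` comment above `capability dac_read_search` while keeping the capability; restoring the why-comment costs nothing.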
@@ -18,49 +18,39 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, + capability sys_ptrace, + + ptrace read peer=apt, @{exec_path} mr, - @{sh_path} rix, - @{bin}/cat rix, - @{bin}/rm rix, + @{sh_path} rix, + @{bin}/cat ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/rm ix, - @{bin}/deb-systemd-helper rix, - @{bin}/deb-systemd-invoke rix, - @{bin}/dpkg-deb rpx, - @{bin}/dpkg-query rpx, - @{bin}/dpkg-split rPx, - @{bin}/systemctl rCx -> systemctl, - @{lib}/needrestart/dpkg-status rPx, - /usr/share/debian-security-support/check-support-status.hook rPx, - - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/diff rPx -> child-pager, + @{bin}/dpkg-deb px, + @{bin}/dpkg-query px, + @{bin}/dpkg-split px, + @{bin}/systemctl Cx -> systemctl, + @{lib}/needrestart/dpkg-status Px, + @{pager_path} Px -> child-pager, + /usr/share/debian-security-support/check-support-status.hook Px, # Package maintainer's scripts - # Move it to a child profile once more transitions will be available - /var/lib/dpkg/info/*.{config,templates} rPUx, - /var/lib/dpkg/info/*.{preinst,postinst} rPUx, - /var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/{config,templates} rPUx, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - #/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - #/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # For shell pwd /root/ r, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl 
-> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index ce6dfe8d5..b1a23f222 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,10 +16,9 @@ profile dpkg-architecture @{exec_path} { capability dac_read_search, @{exec_path} r, - /usr/bin/perl r, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* ix, + @{lib}/llvm-[0-9]*/bin/clang ix, @{bin}/ccache rCx -> ccache, @{bin}/dpkg rPx -> child-dpkg, @@ -28,9 +27,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - # file_inherit - owner @{tmp}/* rw, - + audit owner @{tmp}/* rw, profile ccache { include @@ -45,6 +42,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 39271db07..1a4055f77 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,12 +13,14 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/perl r, - /etc/dpkg/origins/debian r, + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/abitable r, + + /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 8c2ff03cf..297a45f84 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps 
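Review bot: `capability sys_ptrace` and `ptrace read peer=apt` are added to dpkg with no comment saying what dpkg reads from the apt process; a line such as `# Read apt's process state when run as its child — TODO name the denied path` above them would document it. The maintainer-script rules are changed to plain `Px` with no target, which relies on every `/var/lib/dpkg/info/*.@{dpkg_script_ext}` path having an attached profile, while debconf-frontend in this commit uses `Px -> dpkg-scripts` for the tmp.ci case; the intended target should be stated the same way in both. The dpkg profile header is above this hunk.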
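Review bot: `audit owner @{tmp}/* rw` in dpkg-architecture logs every temp-file access the tool makes; if the qualifier is a debugging aid to discover the exact name behind the removed `# file_inherit` comment, a comment marking it as temporary (`# audit: temporary, to pin down the inherited temp file name`) or dropping `audit` once the pattern is known avoids permanent log noise on every build.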
@@ -3,25 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include + include include @{exec_path} r, - @{bin}/perl r, - /etc/dpkg/origins/debian r, - - /var/lib/dpkg/status r, + @{bin}/dpkg rPx, + @{bin}/@{multiarch}gcc-@{int} mrix, + /usr/share/dpkg/ostable r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /etc/dpkg/origins/* r, + + /var/lib/dpkg/status r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup new file mode 100644 index 000000000..8e99e70c5 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dpkg/dpkg-db-backup +profile dpkg-db-backup @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/gzip rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/savelog rix, + @{bin}/tar rix, + @{bin}/touch rix, + + /usr/share/dpkg/{,**} r, + + /var/lib/dpkg/ r, + /var/lib/dpkg/alternatives/{,*} r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/statoverride r, + + /var/backups/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 6f9c2600b..4fedbcd5f 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index a770662a7..e2d386804 100644 
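Review bot: `/var/backups/{,**} rw` gives the new dpkg-db-backup profile write access to every file under /var/backups, including archives owned by other tools (apt-systemd-daily in this commit names its `/var/backups/apt.extended_states*` files explicitly); if the script only rotates its own archives, presumably the `dpkg.*` and `alternatives.*` names, narrowing the rule to those keeps a buggy run from touching unrelated backups. If the wide rule is needed, a comment above it saying why would help.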
--- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,6 +22,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + #aa:lint ignore=too-wide /etc/** rw, include if exists diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index 47d7f6ece..b9853ca32 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,6 @@ profile dpkg-genbuildinfo @{exec_path} { @{exec_path} r, - @{bin}/perl r, /usr/local/bin/ r, /usr/local/etc/ r, /usr/local/include/ r, diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 27991261c..7c7ad1681 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,6 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper new file mode 100644 index 000000000..aa9232c73 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper 
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-maintscript-helper +profile dpkg-maintscript-helper @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dpkg rCx -> dpkg, + + /usr/share/dpkg/sh/* r, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + @{bin}/dpkg-query rpx, + + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index d57d3d42d..2e32af979 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure 
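Review bot: the new dpkg-maintscript-helper profile has no rule for `dpkg-divert`, yet as far as I recall the upstream helper's `mv_conffile` and `symlink_to_dir` commands shell out to `dpkg-divert --package … --rename --add/--remove`; with only `@{sh_path}`, `basename` and `dpkg` allowed, those commands would be denied at exec. If that is the case, `@{bin}/dpkg-divert rPx,` belongs next to the other exec rules. Separately, `@{bin}/dpkg-query rpx,` in the `dpkg` child uses the non-scrubbing `p` while the rest of this commit standardises on `Px`; `@{bin}/dpkg-query rPx,` would be consistent unless the environment is needed.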
@@ -3,46 +3,64 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/dpkg-preconfigure +@{exec_path} = @{sbin}/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { include include - include include + include + include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, - @{bin}/perl r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/cat rix, - @{bin}/dialog rix, - @{bin}/locale rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/stty rix, - @{bin}/tr rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{,g,m}awk ix, + @{bin}/cat ix, + @{bin}/debconf-escape Px, + @{bin}/dialog ix, + @{bin}/expr ix, + @{bin}/find ix, + @{bin}/head ix, + @{bin}/locale ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/stty ix, + @{bin}/tr ix, + @{bin}/uniq ix, + @{bin}/which{,.debianutils} rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/apt-extracttemplates rPx, - @{bin}/whiptail rPx, + @{bin}/apt-extracttemplates Px, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/findmnt Px, + @{bin}/whiptail Px, + @{lib}/apt/apt-extracttemplates Px, /usr/share/debconf/confmodule r, + /usr/share/dictionaries-common/{,*} r, + /etc/cloud/cloud.cfg.d/90_dpkg.cfg r, /etc/debconf.conf r, /etc/default/grub r, + /etc/default/mdadm r, /etc/inputrc r, + /etc/locale.gen r, + /etc/mdadm/mdadm.conf r, /etc/shadow r, + /etc/ssh/sshd_config r, + /etc/X11/Xwrapper.config r, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, + /var/lib/locales/supported.d/{,*} r, + + /var/cache/debconf/tmp.ci/ w, /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, 
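Review bot: `/var/cache/debconf/tmp.ci/ w,` is the only rule under `/var/cache/debconf/` without `owner`; the neighbouring rules (`owner /var/cache/debconf/ rw,` here and the `owner /var/cache/debconf/tmp.ci/*.… w,` lines in the next hunk) all carry it, so `owner /var/cache/debconf/tmp.ci/ w,` looks like the intended form. The second hunk of this file (`@@ -52,24 +70,17 @@`) also deletes the whole "debconf GUI frontends" block, including `@{HOME}/.Xauthority r,`, `@{bin}/lsb_release rPx -> lsb_release,` and `@{bin}/hostname rix,`; the two includes added at the top of this hunk presumably cover those now, but their targets are not visible in this rendering, so the GTK/KDE frontend path is worth a quick confirmation.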
@@ -52,24 +70,17 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w, + owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, owner @{PROC}/@{pid}/fd/ r, - # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, - include if exists } diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index f8150cc37..e0f4dbcdf 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,9 +16,7 @@ profile dpkg-query @{exec_path} { @{sh_path} rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dpkg/** r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts new file mode 100644 index 000000000..2434c9db9 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-scripts 
@@ -0,0 +1,188 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/** +profile dpkg-scripts @{exec_path} { + include + include + include + include + + capability chown, + capability dac_read_search, + capability fowner, + capability fsetid, + capability setgid, + capability setuid, + + @{exec_path} mrix, + + # Common program found in maintainer scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{python_path} rix, + @{bin}/run-parts rix, + + @{bin}/envsubst ix, + @{bin}/file ix, + @{bin}/getent ix, + @{bin}/gzip ix, + @{bin}/helpztags ix, + @{bin}/setpriv ix, + @{bin}/tput ix, + @{bin}/zcat ix, + @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, + @{lib}/ubuntu-advantage/postinst-migrations.sh ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/kmod Cx -> kmod, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/invoke-rc.d Cx -> rc, + @{sbin}/ldconfig Cx -> ldconfig, + @{sbin}/ldconfig.real Cx -> ldconfig, + @{sbin}/update-rc.d Cx -> rc, + + #aa:lint ignore=too-wide + # Maintainer scripts can legitimately start/restart anything + # PU is only used as a safety fallback. 
+ @{bin}/** PUx, + @{sbin}/** PUx, + @{lib}/** PUx, + /etc/** PUx, + /usr/share/** PUx, + + #aa:lint ignore=too-wide + # Maintainer's scripts can update a lot of files + / r, + /*/ r, + @{bin}/ r, + @{bin}/* w, + @{sbin}/ r, + @{sbin}/* w, + @{lib}/ r, + @{lib}/** wl -> @{lib}/**, + /opt/*/** rw, + + #aa:lint ignore=too-wide + /etc/ r, + /etc/** rw, + /usr/share/*/{,**} rw, + /usr/local/share/*/{,**} rw, + /var/** rw, + @{run}/** rw, + @{efi}/grub/* rw, + + /tmp/fmtutil.@{rand8} rw, + /tmp/grub.@{rand10} rw, + /tmp/sed@{rand6} rw, + /tmp/tmp.@{rand10} rw, + /tmp/updateppds.@{rand6} rw, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, + + profile bus { + include + include + include + + capability dac_read_search, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + include if exists + } + + profile kmod { + include + include + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + ptrace read peer=@{p_systemd}, + + @{bin}/systemd-tty-ask-password-agent Px, + @{pager_path} Px -> child-pager, + + /etc/machine-id r, + + /var/lib/systemd/catalog/database r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + + @{run}/utmp rk, + + include if exists + } + + profile rc { + include + include + include + + @{sbin}/update-rc.d mr, + @{sbin}/invoke-rc.d mr, + + @{coreutils_path} rix, + 
@{sh_path} rix, + @{bin}/systemctl rPx -> dpkg-scripts//systemctl, + + /etc/ r, + /etc/init.d/* r, + /etc/rc@{c}.d/ r, + /etc/rc@{c}.d/* rw, + /etc/rc@{int}.d/ r, + /etc/rc@{int}.d/* rw, + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + @{sbin}/ldconfig.real rix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /var/cache/ldconfig/ rw, + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index 551b84c03..e307e9867 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride new file mode 100644 index 000000000..804e1675b --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-statoverride +profile dpkg-statoverride @{exec_path} flags=(complain) { + include + include + include + + @{exec_path} mr, + + /var/lib/dpkg/statoverride r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-trigger b/apparmor.d/groups/apt/dpkg-trigger index 3aa674d0b..547123cf2 100644 --- a/apparmor.d/groups/apt/dpkg-trigger +++ b/apparmor.d/groups/apt/dpkg-trigger @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index 5a786e815..70d2199f2 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor 
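Review bot: the `/tmp/fmtutil.@{rand8} rw,` … `/tmp/updateppds.@{rand6} rw,` group hard-codes `/tmp/` and omits `owner`, while the rest of the tree writes such rules as `owner @{tmp}/… rw,` (see synaptic's `owner @{tmp}/apt-dpkg-install-*/ rw,` later in this diff); `owner @{tmp}/fmtutil.@{rand8} rw,` and friends would match project style. The header comment should also say plainly what this profile is: with `/etc/** rw,`, `/var/** rw,`, `@{bin}/* w,`, `@{lib}/** wl -> @{lib}/**,` and `PUx` over every exec tree, a root maintainer script under `dpkg-scripts` is effectively unconfined, and the profile's value is the named transitions (`child-dpkg`, `bus`, `kmod`, `systemctl`, `rc`, `ldconfig`) and quieter logs, not a hardening boundary — something like `# This profile is deliberately permissive: maintainer scripts run as root and can touch most of the system. Its purpose is to route common helpers into dedicated profiles, not to confine the scripts themselves.` would stop readers from mistaking it for one. The lint markers `#aa:lint ignore=too-wide` are placed before comment lines in two places; if the linter attaches the marker to the next rule rather than the next line, that still works, otherwise move them directly above `@{bin}/** PUx,` and `/ r,`.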
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile dpkg-vendor @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /etc/dpkg/origins/* r, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index ba91e898a..87967d164 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -3,21 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include + include include + include include + include include include include - include network inet dgram, network inet6 dgram, @@ -26,14 +26,14 @@ profile querybts @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @{bin}/stty rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open-browsers, @{bin}/dpkg rPx -> child-dpkg, @@ -46,41 +46,14 @@ profile querybts @{exec_path} { /etc/dpkg/origins/ r, /etc/dpkg/origins/debian r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - /etc/fstab r, /var/lib/dbus/machine-id r, /etc/machine-id r, - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index e7b8e1d29..a6584a23d 100644 
--- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include @@ -28,9 +28,9 @@ profile reportbug @{exec_path} { @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/selinuxenabled rix, @{sh_path} rix, @{bin}/aa-enabled rix, @@ -40,17 +40,15 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/less rPx -> child-pager, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{bin}/lsb_release rPx, + @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open /usr/share/bug/* rPUx, @@ -59,12 +57,12 @@ profile reportbug @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{open_path} rPx -> child-open, - @{lib}/python3/dist-packages/pylocales/locales.db rk, + @{lib}/@{python_name}/dist-packages/pylocales/locales.db rk, /usr/share/bug/*/{control,presubj} r, + #aa:lint ignore=too-wide /etc/** r, - /etc/reportbug.conf r, owner @{HOME}/ r, # For shell pwd owner @{HOME}/.reportbugrc{,~} rw, @@ -110,7 +108,7 @@ profile reportbug @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index fcfa2ef7c..c48286299 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
@@ -3,181 +3,118 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include + include include - include - include - include - include - include + include include - # To remove the following errors: - # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory - # (1: Operation not permitted) - # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory - # (1: Operation not permitted) - # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed - - # Item::QueueURI (1: Operation not permitted) - capability fowner, - - # To remove the following errors: - # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory - # (1: Operation not permitted) - # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory - # (1: Operation not permitted) capability chown, - - # To remove the following errors: - # E: setgroups 65534 failed - setgroups (1: Operation not permitted) - # E: setegid 65534 failed - setegid (1: Operation not permitted) - # E: seteuid 100 failed - seteuid (1: Operation not permitted) - # E: setgroups 0 failed - setgroups (1: Operation not permitted) - capability setuid, - capability setgid, - - # To remove the following errors: - # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease - - # PrepareFiles (13: Permission denied) - # E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied) - capability dac_read_search, - - # To remove the following errors: - # E: Failed to fetch https://**.deb rename failed, Permission denied - # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb). - # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing? 
capability dac_override, - - # Needed? (##FIXME##) - capability kill, + capability dac_read_search, + capability fowner, capability fsetid, - deny capability net_admin, - deny capability sys_nice, + capability kill, + capability net_admin, + capability setgid, + capability setuid, + capability sys_nice, - signal (send) peer=apt-methods-*, + signal send peer=apt-methods-*, @{exec_path} mr, @{sh_path} rix, @{bin}/{,e,f}grep rix, - @{bin}/test rix, @{bin}/echo rix, - - # For update-apt-xapian-index - @{bin}/nice rix, @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/test rix, - # When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Synaptic works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, - deny @{bin}/gdbus rx, - - @{bin}/ps rPx, - @{bin}/dpkg rPx, + @{bin}/adequate rPx, + @{bin}/appstreamcli rPx, @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/dpkg-preconfigure rPx, + @{bin}/deborphan rPx, @{bin}/debtags rPx, + @{bin}/dpkg rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/appstreamcli rPx, - @{bin}/adequate rPx, + @{bin}/lsb_release rPx, + @{bin}/pkexec rCx -> pkexec, + @{bin}/ps rPx, + @{bin}/software-properties-gtk rPx, + @{bin}/tasksel rPx, + @{bin}/update-apt-xapian-index rPx, @{bin}/update-command-not-found rPx, /usr/share/command-not-found/cnf-update-db rPx, - @{bin}/update-apt-xapian-index rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/deborphan rPx, - @{bin}/tasksel rPx, - @{bin}/pkexec rPx, - @{bin}/software-properties-gtk rPx, # Methods to use to download packages from the net @{lib}/apt/methods/* rPx, - 
/var/lib/apt/lists/** rw, - /var/lib/apt/lists/lock rwk, - /var/lib/apt/extended_states{,.*} rw, + /usr/share/synaptic/{,**} r, /etc/apt/apt.conf.d/99synaptic rw, + # For editing the sources.list file + /etc/apt/sources.list rwk, + /etc/apt/sources.list.d/ r, + /etc/apt/sources.list.d/*.list rw, + + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + /var/log/apt/eipp.log.xz w, /var/log/apt/{term,history}.log w, - # For editing the sources.list file - /etc/apt/sources.list.d/ r, - /etc/apt/sources.list.d/*.list rw, - /etc/apt/sources.list rwk, + /var/cache/apt/ r, + /var/cache/apt/** rwk, + /var/cache/apt-xapian-index/index.@{int}/*.glass r, + /var/cache/apt-xapian-index/index.@{int}/iamglass r, /var/lib/apt-xapian-index/index r, - /var/cache/apt-xapian-index/index.[0-9]/*.glass r, - /var/cache/apt-xapian-index/index.[0-9]/iamglass r, - /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, + /var/lib/apt/lists/** rw, + /var/lib/apt/lists/lock rwk, + /var/lib/apt/extended_states{,.*} rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + # For package building + @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + + owner @{HOME}/.synaptic/ rw, + owner @{HOME}/.synaptic/** rwk, /tmp/ r, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, - /var/cache/apt/ r, - /var/cache/apt/** rwk, - - /usr/share/synaptic/{,**} r, - owner @{HOME}/.synaptic/ rw, - owner @{HOME}/.synaptic/** rwk, @{run}/synaptic.socket w, - @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - # To remove the following error: - # Internal Error: impossible to fork children. Synaptics is going to stop. Please report. 
- # errorcode: 2 - /dev/ptmx rw, - - /etc/fstab r, - - # Synaptic is a GUI app started by root, so without "owner" - @{HOME}/.Xauthority r, - - # For package building - @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - - # file_inherit + /dev/ptmx rw, owner /dev/tty@{int} rw, + deny @{bin}/dbus-launch x, + deny @{bin}/dbus-send x, + deny @{bin}/gdbus x, deny @{user_share_dirs}/gvfs-metadata/{*,} r, - profile dbus { + profile pkexec { include - include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index f5caa7b65..d2da77bc3 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -3,20 +3,21 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include include + include include capability chown, 
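Review bot: `capability net_admin,` and `capability sys_nice,` replace what used to be explicit `deny capability net_admin,` / `deny capability sys_nice,` rules, and the same hunk strips every comment that documented why each capability was granted (the `fowner`/`chown`/`setuid` apt-lists errors, the "Needed? (##FIXME##)" on `kill`), so a reader can no longer tell whether the two former denies were real requirements or just log-noise suppression that should have stayed `deny`. Please keep at least a one-line reason per non-obvious capability, e.g. `capability net_admin,  # <reason, was explicitly denied before this change>`, or restore the denies if no denial was actually observed. The new `@{bin}/pkexec rCx -> pkexec,` child profile contains only two includes whose targets are not visible in this rendering; a setuid pkexec normally needs `@{bin}/pkexec mr,` plus its PAM/polkit reads, so confirm the includes provide them or the transition will fail on first use.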
@@ -29,43 +30,57 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, + network inet dgram, + network inet6 dgram, network netlink raw, - signal (send) peer=apt-methods-http, + signal send peer=apt-methods-http, - unix type=stream addr=@@{hex16}/bus/unattended-upgr/system, + unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, + + #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade @{exec_path} mr, @{bin}/ r, @{sh_path} rix, - @{bin}/echo rix, - @{bin}/gdbus rix, - @{bin}/ischroot rix, - @{bin}/python3.@{int} rix, - @{bin}/test rix, - @{bin}/touch rix, - @{bin}/uname rix, + @{python_path} rix, + @{bin}/echo ix, + @{bin}/gdbus ix, + @{bin}/md5sum ix, + @{bin}/tar ix, + @{bin}/test ix, + @{bin}/touch ix, + @{bin}/uname ix, - @{bin}/apt-listchanges rPx, - @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, - @{bin}/etckeeper rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/on_ac_power rPx, - @{bin}/sendmail rPUx, - @{lib}/apt/methods/http{,s} rPx, - @{lib}/needrestart/apt-pinvoke rPx, - @{lib}/update-notifier/update-motd-updates-available rPx, - @{lib}/zsys-system-autosnapshot rPx, + @{bin}/apt-listchanges Px, + @{bin}/df Px, + @{bin}/dmesg Px, + @{bin}/dpkg Px, + @{bin}/dpkg-deb px, + @{bin}/dpkg-divert Px, + @{bin}/etckeeper Px, + @{bin}/ischroot Px, + @{bin}/lsb_release Px, + @{sbin}/dpkg-preconfigure Px, + @{sbin}/on_ac_power Px, + @{sbin}/sendmail Px, + @{lib}/apt/methods/http{,s} Px, + @{lib}/needrestart/apt-pinvoke Px, + @{lib}/update-notifier/update-motd-updates-available Px, + @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, + /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, + @{etc_ro}/login.defs r, + @{etc_ro}/security/capability.conf r, + /etc/apport/report-ignore/{,**} r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, - /etc/default/grub.d/* r, + /etc/default/{,**} r, /etc/dpkg/origins/{,debian,ubuntu} r, /etc/fwupd/{,**} r, 
/etc/grub.d/* r, @@ -79,14 +94,20 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, - /etc/security/capability.conf r, + /etc/ssh/moduli r, + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, + /etc/ufw/{,**} r, /etc/update-manager/{,**} r, - /etc/update-motd.d/* r, - /etc/vmware-tools/* r, + /etc/update-motd.d/{,**} r, + /etc/vim/{,**} r, + /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, + /var/crash/*.crash rw, /var/lib/apt/periodic/unattended-upgrades-stamp w, + /var/lib/dpkg/info/{,*} r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, @@ -97,16 +118,19 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/lib/apt/lists/ rw, /var/lib/apt/lists/partial/ rw, /var/lib/apt/periodic/ w, - /var/log/apt/{term,history}.log w, - /var/log/apt/eipp.log.xz w, + /var/log/apt/*.log* rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, owner @{tmp}/apt-dpkg-install-*/{,*} rw, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 65f8a30d2..f7b94d68d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown 
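Review bot: `@{bin}/dpkg-deb px,` is the only lowercase-`p` transition in a block where every sibling was rewritten to `Px`; unless dpkg-deb genuinely needs the caller's environment, `@{bin}/dpkg-deb Px,` keeps the scrubbing consistent. `@{sbin}/sendmail Px,` replaces the old `@{bin}/sendmail rPUx,`: `sendmail` here is an MTA-provided alternative (postfix, exim, msmtp, nullmailer…), and with `Px` the exec is denied whenever the installed wrapper has no profile, which will silently break the mail reports on hosts whose MTA is not covered — `PUx` was the fallback that handled that case. `/etc/default/{,**} r,` also widens the previous `/etc/default/grub.d/* r,`; fine for a root service, but it is the kind of rule the commit marks with `#aa:lint ignore=too-wide` elsewhere.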
@@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -17,15 +18,18 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ischroot rix, + @{bin}/ischroot Px, + + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /usr/share/unattended-upgrades/{,*} r, - /etc/apt/apt.conf.d/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, + owner @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, - owner @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 80b5d0fab..6ea4f19fb 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -3,24 +3,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include - include + include + include include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg Px -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/** rwk, 
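Review bot: the three new `@{lib}/@{python_name}/**/__pycache__/… w,` rules let this root service write compiled bytecode into the system-wide Python tree, i.e. files that every later unconfined Python process will import; writes there at runtime normally mean a package shipped modules without running `py3compile`, and the cleaner fix is to compile at install time rather than grant the confined service write access. If the rule is kept as a pragmatic workaround, add a comment saying so (`# Bytecode regeneration; should be handled by py3compile at package install`) so it is revisited rather than copied into other profiles. `@{bin}/ischroot Px,` now requires an ischroot profile, which is not visible in this diff.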
@@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/lib/debtags/package-tags r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit - owner /dev/tty@{int} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index 8d18f1a75..a6e724214 100644 --- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 3c7bfdf05..805d54b2b 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,14 +11,10 @@ include profile avahi-browse @{exec_path} { include include - include + include + include include - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), - @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish index 92f02d6d5..490303443 100644 --- a/apparmor.d/groups/avahi/avahi-publish +++ b/apparmor.d/groups/avahi/avahi-publish @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index 459bc57da..d45cffca3 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve 
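Review bot: this hunk drops `/var/lib/debtags/package-tags r,` but the first hunk of the file only adds the two machine-id reads, so nothing on the new side replaces it; if the debtags indexer plugin is present it presumably still reads that file, and the profile is in enforce mode. Unless the added include at the top of the file (target not visible here) covers `/var/lib/debtags/`, the line should come back. The removed `owner /dev/tty@{int} rw,` "file_inherit" rule will now surface as a tty denial whenever the indexer is launched from a terminal (synaptic runs it via `nice`/`ionice`); a `deny owner /dev/tty@{int} rw,` is the usual way to keep that quiet without granting it.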
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,19 +11,11 @@ include profile avahi-resolve @{exec_path} { include include - include + include + include + include include - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Free,HostNameResolverNew} - peer=(name=:*, label=avahi-daemon), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Failure,Found} - peer=(name=:*, label=avahi-daemon), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index de986c7bc..45df7ce93 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -1,14 +1,17 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include + include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/groups/bluetooth/blueman similarity index 99% rename from apparmor.d/profiles-a-f/blueman rename to apparmor.d/groups/bluetooth/blueman index 9ac1c2c2b..08a553c1d 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism similarity index 86% rename from apparmor.d/profiles-a-f/blueman-mechanism rename to apparmor.d/groups/bluetooth/blueman-mechanism index 152520fad..9b4800210 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism 
+++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -3,13 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include + include + include include include @@ -35,9 +37,9 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { /dev/rfkill rw, # For network AP - #@{bin}/ip rix, - #@{bin}/xtables-nft-multi rix, - #@{bin}/dnsmasq rPx, + #@{sbin}/ip rix, + #@{sbin}/xtables-nft-multi rix, + #@{sbin}/dnsmasq rPx, #@{bin}/dhclient rPx, # @{PROC}/sys/net/ipv4/ip_forward w, # @{PROC}/sys/net/ipv4/conf/ r, diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher similarity index 83% rename from apparmor.d/profiles-a-f/blueman-rfcomm-watcher rename to apparmor.d/groups/bluetooth/blueman-rfcomm-watcher index a8753ac8f..2d52a6e01 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-rfcomm-watcher @{lib}/blueman/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/groups/bluetooth/bluemoon similarity index 96% rename from apparmor.d/profiles-a-f/bluemoon rename to apparmor.d/groups/bluetooth/bluemoon index 06f4040f8..88cb70621 100644 --- a/apparmor.d/profiles-a-f/bluemoon +++ b/apparmor.d/groups/bluetooth/bluemoon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl similarity index 73% rename from apparmor.d/profiles-a-f/bluetoothctl rename to apparmor.d/groups/bluetooth/bluetoothctl index 603998f2c..0b075581b 100644 --- a/apparmor.d/profiles-a-f/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -3,16 +3,24 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/bluetoothctl profile bluetoothctl @{exec_path} { include + include + include + + network bluetooth raw, + + #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, + /usr/share/terminfo/** r, + /etc/inputrc r, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd similarity index 63% rename from apparmor.d/profiles-a-f/bluetoothd rename to apparmor.d/groups/bluetooth/bluetoothd index 75934102b..12c8e2e80 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include + include # Needed for configuring HCI interfaces capability net_admin, 
@@ -25,30 +26,15 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.bluez - dbus receive bus=system path=/ + dbus send bus=system path=/{,MediaEndpoint} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label="{brave,NetworkManager,pulseaudio,upowerd}"), - - dbus send bus=system path=/MediaEndpoint - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=pulseaudio), - - dbus send bus=system path=/MediaEndpoint/{A2DPSink,A2DPSource}/* - interface=org.bluez.MediaEndpoint1 - member=Release - peer=(name=:*, label=pulseaudio), - - dbus send bus=system path=/Profile/{HFPAGProfile,HSPHSProfile} - interface=org.bluez.MediaEndpoint1 - member=Release - peer=(name=:*, label=pulseaudio), + peer=(name=@{busname}), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=org.freedesktop.DBus, label="{jwupd,NetworkManager,pulseaudio,upowerd}"), + member={InterfacesRemoved,InterfacesAdded} + peer=(name=org.freedesktop.DBus), @{exec_path} mr, @@ -60,7 +46,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, @@ -71,7 +58,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, - /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/groups/bluetooth/obex-folder-listing similarity index 97% rename from apparmor.d/profiles-m-r/obex-folder-listing rename to apparmor.d/groups/bluetooth/obex-folder-listing index 7aa4070c5..ebbd8ae50 100644 
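Review bot: The rewritten `dbus send … member=GetManagedObjects` rule drops the `label=` constraint that the removed rules carried and accepts any unique-named peer (`peer=(name=@{busname})`), and the `member={InterfacesRemoved,InterfacesAdded}` rule likewise loses its `label="{jwupd,NetworkManager,pulseaudio,upowerd}"` list, so bluetoothd may now exchange these calls with any system-bus client. If the client set is open-ended and this is deliberate, a comment above the rule such as `# Any bus client may register a MediaEndpoint, so the peer label is left open` would stop a later reader from re-tightening it. The removed `org.bluez.MediaEndpoint1 member=Release` sends to pulseaudio have no replacement in this hunk; presumably they are now covered by rules generated from the `#aa:dbus own bus=system name=org.bluez` directive, which is worth confirming before merge.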
--- a/apparmor.d/profiles-m-r/obex-folder-listing +++ b/apparmor.d/groups/bluetooth/obex-folder-listing @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/groups/bluetooth/obexautofs similarity index 86% rename from apparmor.d/profiles-m-r/obexautofs rename to apparmor.d/groups/bluetooth/obexautofs index 972829890..980349086 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/groups/bluetooth/obexautofs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -36,20 +36,13 @@ profile obexautofs @{exec_path} { profile fusermount { include - include - - capability sys_admin, + include mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, + umount @{HOME}/*/, + umount @{HOME}/*/*/, include if exists } diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/groups/bluetooth/obexctl similarity index 97% rename from apparmor.d/profiles-m-r/obexctl rename to apparmor.d/groups/bluetooth/obexctl index d87243b75..5cd5853d5 100644 --- a/apparmor.d/profiles-m-r/obexctl +++ b/apparmor.d/groups/bluetooth/obexctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/groups/bluetooth/obexd similarity index 73% rename from apparmor.d/profiles-m-r/obexd rename to apparmor.d/groups/bluetooth/obexd index 9043489eb..3ea17a4e5 100644 --- a/apparmor.d/profiles-m-r/obexd +++ b/apparmor.d/groups/bluetooth/obexd 
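Review bot: In the `fusermount` child profile of obexautofs, `capability sys_admin,` is removed while the `mount fstype={fuse,fuse.obexautofs}` rules stay; presumably the replacement `include` (its target is not visible in this rendering) supplies that capability, which is worth confirming, and the same swap is made in the obexfs `fusermount` child in this commit. The new `umount @{HOME}/*/,` and `umount @{HOME}/*/*/,` rules carry no filesystem-type condition although the matching mount rules do; if umount rules accept the same `fstype=` condition, mirror it, otherwise a comment such as `# umount is path-only: any mount under @{HOME}/*/ may be detached` would make the asymmetry explicit.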
@@ -3,15 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include - include include + include + include include network bluetooth stream, @@ -22,7 +23,12 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @@ -31,6 +37,8 @@ profile obexd @{exec_path} { owner @{HOME}/bluetooth/* rw, + @{run}/systemd/users/@{uid} r, + include if exists } diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/groups/bluetooth/obexfs similarity index 79% rename from apparmor.d/profiles-m-r/obexfs rename to apparmor.d/groups/bluetooth/obexfs index 4a746ecf1..e486349d3 100644 --- a/apparmor.d/profiles-m-r/obexfs +++ b/apparmor.d/groups/bluetooth/obexfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,27 +27,19 @@ profile obexfs @{exec_path} { /dev/fuse rw, - profile fusermount { include - include - - # To mount anything: - capability sys_admin, + include network bluetooth stream, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - /dev/fuse rw, - mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/*/, - @{PROC}/@{pid}/mounts r, + umount @{HOME}/*/, + umount @{HOME}/*/*/, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/groups/bluetooth/obexpush-atd similarity index 96% rename from apparmor.d/profiles-m-r/obexpush-atd rename to apparmor.d/groups/bluetooth/obexpush-atd index 17b0a2d37..2645ec678 100644 --- a/apparmor.d/profiles-m-r/obexpush-atd 
+++ b/apparmor.d/groups/bluetooth/obexpush-atd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/groups/bluetooth/obexpushd similarity index 97% rename from apparmor.d/profiles-m-r/obexpushd rename to apparmor.d/groups/bluetooth/obexpushd index 33a922f41..44b938401 100644 --- a/apparmor.d/profiles-m-r/obexpushd +++ b/apparmor.d/groups/bluetooth/obexpushd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index a47652600..4c38e0ce5 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -3,22 +3,24 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = brave{,-beta,-dev,-bin} -@{domain} = com.brave.Brave +@{domain} = com.brave.Brave org.chromium.Chromium @{lib_dirs} = /opt/brave{-bin,.com}{,/@{name}} @{config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{exec_path} = @{lib_dirs}/@{name} -profile brave @{exec_path} { +profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave-crashpad-handler), + # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + + signal receive peer=brave//&brave-crashpad-handler, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 
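Review bot: `flags=(attach_disconnected)` is added to the `brave` profile header with no comment naming the disconnected path that required it; the same flag is added in this commit to the chrome, chromium, chromium-sandbox, chromium-wrapper and torbrowser-glxtest profiles. Since the flag makes paths detached from the namespace root mediated as if attached at `/`, a one-line comment above the header, e.g. `# attach_disconnected: TODO name the disconnected path observed in the logs`, would document the widening once and the other profiles could reference it. The `unix (send, receive) … peer=(label=brave//&brave-crashpad-handler)` rule is commented out rather than removed with no reason given; either drop it or note why it is disabled, e.g. `# unix rule disabled: crashpad handshake now covered by the signal rule below — confirm`. The profile body continues outside this hunk.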
@@ -34,21 +36,14 @@ profile brave @{exec_path} { /etc/opt/chrome/native-messaging-hosts/* r, owner @{user_config_dirs}/BraveSoftware/ rw, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw, owner @{cache_dirs}/BraveSoftware/ rw, owner @{tmp}/net-export/ rw, # For brave://net-export/ - owner @{tmp}/.org.chromium.Chromium.* rwk, - owner @{tmp}/.org.chromium.Chromium*/{,**} rw, - - owner /dev/shm/.org.chromium.Chromium.* rw, - # Silencer + deny /etc/opt/ w, deny /etc/opt/chrome/ w, deny /dev/disk/by-uuid/ r, diff --git a/apparmor.d/groups/browsers/brave-crashpad-handler b/apparmor.d/groups/browsers/brave-crashpad-handler index 2bfe2ff94..ae90c734e 100644 --- a/apparmor.d/groups/browsers/brave-crashpad-handler +++ b/apparmor.d/groups/browsers/brave-crashpad-handler @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave-sandbox b/apparmor.d/groups/browsers/brave-sandbox index 7928b1385..8ab3dd522 100644 --- a/apparmor.d/groups/browsers/brave-sandbox +++ b/apparmor.d/groups/browsers/brave-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index f1127d860..b4f70689c 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 93413c25c..9c11f0a4a 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome 
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/google-@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chrome @{exec_path} { +profile chrome @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/browsers/chrome-crashpad-handler b/apparmor.d/groups/browsers/chrome-crashpad-handler index 67c0d0e8d..ea3d7d64a 100644 --- a/apparmor.d/groups/browsers/chrome-crashpad-handler +++ b/apparmor.d/groups/browsers/chrome-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome-sandbox b/apparmor.d/groups/browsers/chrome-sandbox index 709f57bc8..eceec9f89 100644 --- a/apparmor.d/groups/browsers/chrome-sandbox +++ b/apparmor.d/groups/browsers/chrome-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 8e9e1ba5d..709eb79a1 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index eb0d87f4f..658dee398 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chromium @{exec_path} { +profile chromium @{exec_path} flags=(attach_disconnected) { include include 
diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler index 2bac71620..8d6ab2461 100644 --- a/apparmor.d/groups/browsers/chromium-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium-sandbox b/apparmor.d/groups/browsers/chromium-sandbox index b07828e3b..f32af44ca 100644 --- a/apparmor.d/groups/browsers/chromium-sandbox +++ b/apparmor.d/groups/browsers/chromium-sandbox @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/chromium/chrome-sandbox -profile chromium-sandbox @{exec_path} { +profile chromium-sandbox @{exec_path} flags=(attach_disconnected) { include capability dac_override, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index 0a5017727..d29dcc630 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -3,14 +3,15 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/chromium -profile chromium-wrapper @{exec_path} { +profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { include include + include @{exec_path} r, @@ -39,14 +40,12 @@ profile chromium-wrapper @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{tmp}/chromiumargs.@{rand6} rw, - owner @{tmp}/tmp.*/ rw, - owner @{tmp}/tmp.*/** rwk, owner /dev/tty@{int} rw, - /dev/dri/card[0-9] rw, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/ephy-profile-migrator b/apparmor.d/groups/browsers/ephy-profile-migrator index ec343816d..e6f8902dd 100644 
--- a/apparmor.d/groups/browsers/ephy-profile-migrator +++ b/apparmor.d/groups/browsers/ephy-profile-migrator @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index be42cb9a0..45a32868e 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,9 +10,9 @@ include profile epiphany @{exec_path} flags=(attach_disconnected) { include include - include include include + include include include include @@ -20,6 +20,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, 
@@ -29,34 +30,28 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - @{exec_path} mr, - @{bin}/bwrap rix, - @{bin}/xdg-dbus-proxy rix, - @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, + @{open_path} rPx -> child-open, - owner /bindfile@{rand6} rw, - owner /.flatpak-info r, + @{bin}/bwrap rix, + + /usr/share/enchant*/{,**} r, + + owner @{HOME}/.ephy-download-@{rand6} rw, + owner @{HOME}/.ephy-web-app-icon-@{rand6} rw, owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, + owner @{user_share_dirs}/org.gnome.Epiphany.WebApp_@{hex}/{,**} rw, + + owner @{tmp}/ContentRuleList@{rand6} rw, owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, - owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, @{PROC}/@{pid}/cgroup r, @@ -64,12 +59,9 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 41ce67746..f9ba190a3 100644 --- a/apparmor.d/groups/browsers/firefox 
+++ b/apparmor.d/groups/browsers/firefox @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = firefox{,.sh,-esr,-bin} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{name} = firefox{,-esr,-bin} +@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ 
@@ -16,32 +16,43 @@ include profile firefox @{exec_path} flags=(attach_disconnected) { include include + include + include - signal (send) set=(term, kill) peer=keepassxc-proxy, + signal send set=(term, kill) peer=firefox//&keepassxc-proxy, + + unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int}, + unix type=seqpacket peer=(label=firefox-crashhelper), #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @{exec_path} mrix, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @{lib}/mozilla/plugins/ r, - @{lib}/mozilla/plugins/libvlcplugin.so mr, + @{lib}/mozilla/plugins/*.so mr, # Desktop integration @{bin}/gnome-software rPx, - @{bin}/kreadconfig5 rix, + @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, + @{bin}/speech-dispatcher rPx, @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, # Common extensions + @{bin}/browserpass rPx, + @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, + @{lib}/browserpass/browserpass-native rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, - @{bin}/browserpass rPx, - # As a temporary solution - see issue #128 - @{bin}/keepassxc-proxy rix, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, 
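Review bot: The new `unix type=seqpacket peer=(label=firefox-crashhelper),` rule names the bare profile, while the transition in the same hunk stacks it (`@{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper`) and the signal rule just above uses the stacked form `peer=firefox//&keepassxc-proxy`; if the helper's confinement label is the stack, this peer label may not match and the seqpacket traffic would be denied at runtime. Consider `unix type=seqpacket peer=(label=firefox//&firefox-crashhelper),` or document why the bare name is intended. The `unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int},` rule also lacks a comment; `# abstract socket shared with the crash helper` would tie it to the rule below it. The profile body continues outside this hunk.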
@@ -54,17 +65,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{tmp}/.xfsm-ICE-@{rand6} rw, - owner @{tmp}/@{rand6}.tmp r, - owner @{tmp}/@{rand8}.txt w, - owner @{tmp}/* w, # file downloads (to anywhere) - owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, - owner @{tmp}/mozilla* rw, - owner @{tmp}/mozilla*/ rw, - owner @{tmp}/mozilla*/* rwk, - owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, - owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, - owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, - owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? rwk, + owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) + owner @{tmp}/@{uuid}.zip{,.tmp} rw, + owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, + owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, + owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, + owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, + owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk, + + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w, # Silencer deny @{lib_dirs}/** w, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper new file mode 100644 index 000000000..8ffdccb67 --- /dev/null +++ b/apparmor.d/groups/browsers/firefox-crashhelper 
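Review bot: `owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w,` looks like a typo — KeePassXC's native-messaging socket is named `org.keepassxc.KeePassXC.BrowserServer` — so as written the rule never matches and the real socket write stays denied; change it to `owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,`. The inline comment `# file downloads (to anywhere)` now sits on `owner @{tmp}/@{rand8}.* rw,`, which is far narrower than the removed `owner @{tmp}/* w,` it was written for; rewording it to `# temporary download files` would match what the pattern allows. The profile body continues outside this hunk.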
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = firefox{,.sh,-esr,-bin}
+@{lib_dirs} = @{lib}/@{name} /opt/@{name}
+@{config_dirs} = @{HOME}/.mozilla/
+@{cache_dirs} = @{user_cache_dirs}/mozilla/
+
+@{exec_path} = @{lib_dirs}/crashhelper
+profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) {
+ include
+
+ unix type=seqpacket peer=(label=firefox),
+
+ @{exec_path} mr,
+
+ owner "@{config_dirs}/firefox/Crash Reports/" rw,
+ owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw,
+
+ # file_inherit
+ deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter
index c1afb00e4..8feccaa93 100644
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
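Review bot: The new `firefox-crashhelper` profile defines `@{name} = firefox{,.sh,-esr,-bin}` and `@{lib_dirs} = @{lib}/@{name} /opt/@{name}`, i.e. the values this same commit removes from the `firefox` profile, which now uses `@{lib}/firefox{,-esr,-beta,-devedition,-nightly}`. Because `firefox` transitions with `@{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper` using the wider list, a beta, devedition or nightly install would enter this profile whose `@{exec_path} mr,` does not cover the helper's path, so the exec is likely denied; the `firefox-glxtest` profile in this commit keeps the same stale `@{lib_dirs}` while updating only `@{name}`. Align both with the `firefox` profile: `@{name} = firefox{,-esr,-bin}` and `@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name}`. A short comment on the `# file_inherit` deny naming the inherited descriptor (presumably gnome-shell's session database opened by the parent) would also help.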
@@ -28,19 +28,23 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, + + @{bin}/curl rix, + @{bin}/mv rix, @{lib_dirs}/minidump-analyzer rPx, - @{bin}/mv rix, - owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw, owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r, + owner @{config_dirs}/firefox/*.*/prefs.js r, + owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, + owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -51,8 +55,14 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, + /dev/nvidia@{int} r, + /dev/nvidiactl r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index f2526292b..f9470a59b 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest 
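Review bot: `@{bin}/curl rix,` runs curl inside the crashreporter profile, so it inherits every rule here, including `network inet stream` and the Firefox profile reads this hunk also adds (`prefs.js`, `storage-sync-v2.sqlite-shm`, `Profile*/*.sqlite-shm`), and nothing documents why the reporter needs curl. If curl only uploads the report, say so on the rule, `@{bin}/curl rix, # Upload the crash report`, and keep the new profile-file reads to what the upload actually needs. The change of `@{exec_path} mr,` to `mrix` also lets the reporter re-exec itself without a comment; a why-comment would help. The profile body continues outside this hunk.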
@@ -2,29 +2,38 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = firefox{,.sh,-esr,-bin} +@{name} = firefox{,-esr,-bin} @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/glxtest profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include + include include @{exec_path} mr, + / r, + + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, + owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, + owner @{config_dirs}/firefox/*/.parentlock rw, owner @{tmp}/@{name}/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists } diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index d23d94bb8..ade169f25 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,8 +10,9 @@ include profile firefox-kmozillahelper @{exec_path} { include include - include include + include + include include include include 
@@ -24,34 +25,21 @@ profile firefox-kmozillahelper @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kdeglobals.@{rand6} rwl, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, - owner @{user_config_dirs}/kwinrc r, + + owner @{user_share_dirs}/kservices5/ r, + owner @{user_share_dirs}/kservices5/searchproviders/ r, owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index 08cfc081a..6e13ee872 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 94dacaf2c..4c86af87a 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender 
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-plugin-container b/apparmor.d/groups/browsers/firefox-plugin-container index c7a11b75b..b326d14b4 100644 --- a/apparmor.d/groups/browsers/firefox-plugin-container +++ b/apparmor.d/groups/browsers/firefox-plugin-container @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 785a7f547..36069d36f 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,6 +25,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { deny @{config_dirs}/firefox/*/.parentlock rw, deny @{config_dirs}/firefox/*/startupCache/** r, deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge index 41f8bb3cc..f616df6c6 100644 --- a/apparmor.d/groups/browsers/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,7 @@ profile msedge @{exec_path} { @{lib_dirs}/xdg-mime rix, #-> xdg-mime, @{lib_dirs}/xdg-settings rix, #-> xdg-settings, - + @{lib_dirs}/microsoft-edge{,beta,-dev} rPx, @{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler, diff --git a/apparmor.d/groups/browsers/msedge-crashpad-handler b/apparmor.d/groups/browsers/msedge-crashpad-handler index 9ac6cec22..67e8212ff 100644 --- a/apparmor.d/groups/browsers/msedge-crashpad-handler 
+++ b/apparmor.d/groups/browsers/msedge-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/msedge-sandbox b/apparmor.d/groups/browsers/msedge-sandbox index 6424e7bd0..2d4dcdd3e 100644 --- a/apparmor.d/groups/browsers/msedge-sandbox +++ b/apparmor.d/groups/browsers/msedge-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 5fbb9b8f2..8268db2e1 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 33ce558d3..54cc05481 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 7b7d6b8d5..eb67ede59 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} { include include include - include + include include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/browsers/opera-sandbox b/apparmor.d/groups/browsers/opera-sandbox index 4dc591aa3..bebe0a902 100644 --- a/apparmor.d/groups/browsers/opera-sandbox +++ b/apparmor.d/groups/browsers/opera-sandbox 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/browsers/torbrowser similarity index 69% rename from apparmor.d/groups/whonix/torbrowser rename to apparmor.d/groups/browsers/torbrowser index 0ec13ed51..5068886c3 100644 --- a/apparmor.d/groups/whonix/torbrowser +++ b/apparmor.d/groups/browsers/torbrowser @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/firefox{,.real} @@ -17,10 +17,19 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { include include + # Uncomment if you want to give the Tor Browser access to the common download directory. + # include + @{exec_path} mrix, - @{lib_dirs}/abicheck rix, - @{lib_dirs}/updater rPx, + @{lib_dirs}/abicheck ix, + @{lib_dirs}/glxtest Px -> torbrowser//&torbrowser-glxtest, + @{lib_dirs}/updater Px, + @{lib_dirs}/vaapitest Px -> torbrowser//&torbrowser-vaapitest, + + #aa:exclude whonix + @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** Px -> torbrowser-tor, + @{lib_dirs}/TorBrowser/Tor/tor Px -> torbrowser-tor, /usr/share/homepage/{,**} r, 
@@ -33,14 +42,18 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { owner "@{tmp}/Tor Project*" rwk, owner "@{tmp}/Tor Project*/" rw, owner "@{tmp}/Tor Project*/**" rwk, + owner @{tmp}/@{rand8}.* rw, + owner @{tmp}/mozilla_pc@{int}/ rw, + owner @{tmp}/mozilla_pc@{int}/* rwk, # Due to the nature of the browser, we silence much more than for Firefox. + deny capability sys_ptrace, deny network inet dgram, # TOR does not work over UDP deny network inet6 dgram, + deny network inet6 stream, # TOR does not work over IPv6 deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user, deny @{bin}/lsb_release x, deny @{lib_dirs}/crashreporter x, - deny @{lib_dirs}/glxtest x, deny @{lib_dirs}/minidump-analyzer x, deny @{lib_dirs}/pingsender x, deny /usr/share/dconf/** r, @@ -56,6 +69,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { deny /etc/passwd r, deny /etc/resolv.conf r, deny /var/lib/dbus/machine-id r, + deny owner @{HOME}/ r, deny owner @{user_config_dirs}/dconf/user r, deny owner @{user_config_dirs}/gtk-*/{,**} rw, deny owner @{run}/user/@{uid}/dconf/ rw, diff --git a/apparmor.d/groups/whonix/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest similarity index 64% rename from apparmor.d/groups/whonix/torbrowser-glxtest rename to apparmor.d/groups/browsers/torbrowser-glxtest index cbc009db1..2d8697259 100644 --- a/apparmor.d/groups/whonix/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest 
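Review bot: The inline comment on the new `deny network inet6 stream, # TOR does not work over IPv6` line gives an inaccurate reason: the tor daemon can reach IPv6 relays and bridges, and the deny is safe here because this profile confines the browser, which should only reach tor's local SOCKS port (tor itself runs under `torbrowser-tor`). Reword it, e.g. `deny network inet6 stream, # Browser must only reach tor's local SOCKS port`. The added `deny capability sys_ptrace,` has no comment naming what it silences; one would help a later reader. The profile body continues outside this hunk.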
@@ -2,31 +2,32 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/glxtest -profile torbrowser-glxtest @{exec_path} { +profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include + include include @{exec_path} mr, - owner @{config_dirs}/.parentlock rw, - - owner @{tmp}/@{name}/.parentlock rw, + / r, owner @{PROC}/@{pid}/cmdline r, + deny @{config_dirs}/.parentlock rw, + include if exists } diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher new file mode 100644 index 000000000..4969a14c3 --- /dev/null +++ b/apparmor.d/groups/browsers/torbrowser-launcher 
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ + +@{exec_path} = @{bin}/torbrowser-launcher +profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + + network netlink raw, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/file ix, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + @{bin}/{,e}grep ix, + @{bin}/sed ix, + @{bin}/tail ix, + + @{lib_dirs}/execdesktop ix, + @{lib_dirs}/start-tor-browser Px, # torbrowser-start + @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix, + + /usr/share/file/** r, + /usr/share/torbrowser-launcher/{,**} r, + + owner @{user_cache_dirs}/torbrowser/{,**/} rw, + owner @{user_cache_dirs}/torbrowser/download/** rw, + owner @{user_cache_dirs}/torbrowser/torbrowser.gpg rw, + + owner @{user_config_dirs}/torbrowser/{,**/} rw, + owner @{user_config_dirs}/torbrowser/settings.json rw, + + owner @{user_share_dirs}/torbrowser/{,**} rw, + + owner @{PROC}/@{pid}/cmdline r, + + /dev/tty rw, + + profile gpg { + include + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + + @{bin}/gpg-agent ix, + @{lib}/{,gnupg/}scdaemon ix, + + owner @{HOME}/ r, + owner @{HOME}/@{XDG_GPG_DIR}/ r, + owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + + owner @{user_share_dirs}/torbrowser/ r, + owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, + owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ r, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + 
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/torbrowser-plugin-container b/apparmor.d/groups/browsers/torbrowser-plugin-container similarity index 77% rename from apparmor.d/groups/whonix/torbrowser-plugin-container rename to apparmor.d/groups/browsers/torbrowser-plugin-container index 9fcb1bd3d..88abc411c 100644 --- a/apparmor.d/groups/whonix/torbrowser-plugin-container +++ b/apparmor.d/groups/browsers/torbrowser-plugin-container @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/plugin-container diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start new file mode 100644 index 000000000..ce6a3678c --- /dev/null +++ b/apparmor.d/groups/browsers/torbrowser-start 
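Review bot: In the `gpg` child profile the rule `owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,` uses the launcher's isolated keyring directory and the user's real GnuPG home as the two endpoints of a hard-link rule. Whichever end is the link name, that permits hard links between the two trees, and since `gnupg_homedir/**` is `rw` while the real home is limited to reading `gpg.conf`/`gpgsm.conf`, a link could make the user's private keyring readable and writable to a profile meant only to verify the Tor Browser signing key (same-filesystem and DAC permitting, which is the normal case for a user's own files). GnuPG's lock files only need links inside the same homedir, so the target should stay local: `owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**,`. This looks like a carry-over of the pattern from the shared gnupg abstraction, where source and target are the same directory.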
@@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ + +@{exec_path} = @{lib_dirs}/start-tor-browser +profile torbrowser-start @{exec_path} { + include + include + + @{exec_path} rm, + + @{sh_path} rix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/env r, + @{bin}/expr ix, + @{bin}/file ix, + @{bin}/getconf ix, + @{bin}/{,e}grep ix, + @{bin}/id ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/srm ix, + + @{lib_dirs}/abicheck ix, + @{lib_dirs}/firefox{,.real} Px -> torbrowser, + + /usr/share/file/** r, + + /etc/magic r, + + owner @{lib_dirs}/.config/ibus/{,**} rw, + owner @{lib_dirs}/.local/* rw, + owner @{lib_dirs}/sed@{rand6} rw, + owner @{lib_dirs}/TorBrowser/Tor/tor r, + + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/sed@{rand6} rw, + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/start-tor-browser.desktop rw, + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw, + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw, + + owner @{HOME}/.xsession-errors rw, + owner @{HOME}/.tb/tor-browser/* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/torbrowser-tor b/apparmor.d/groups/browsers/torbrowser-tor new file mode 100644 index 000000000..57a49add7 --- /dev/null +++ b/apparmor.d/groups/browsers/torbrowser-tor 
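Review bot: `owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/sed@{rand6} rw,` repeats a path that `@{lib_dirs}` already expands to, so it is fully covered by the earlier `owner @{lib_dirs}/sed@{rand6} rw,` and can go; the neighbouring `.../Browser/start-tor-browser.desktop rw,` line has the same duplication and is better written as `owner @{lib_dirs}/start-tor-browser.desktop rw,`, which also covers the legacy `@{HOME}/.tb/` install that the explicit path leaves out. The two `tor-browser/` parent-directory lines are not reachable through `@{lib_dirs}` and should stay. `@{bin}/env r,` is read-only while `@{sh_path}` is `rix`; if the script is started through an `env` shebang and `r` was confirmed sufficient from the audit log, a short comment saying so would save the next reader the same check.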
@@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ +@{data_dirs} = @{lib_dirs}/TorBrowser/Data/ + +@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor +profile torbrowser-tor @{exec_path} { + include + include + include + + network inet stream, + network netlink raw, + + @{exec_path} mr, + + @{lib_dirs}/{,**} r, + @{lib_dirs}/TorBrowser/Tor/*.so* m, + @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** mix, + + owner @{data_dirs}/Tor/ rw, + owner @{data_dirs}/Tor/** rw, + owner @{data_dirs}/Tor/lock rwk, + + /tmp/onionshare/** rw, # OnionShare compatibility + + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/net/core/somaxconn r, + + deny /etc/group r, + deny /etc/host.conf r, + deny /etc/hosts r, + deny /etc/machine-id r, + deny /etc/mailcap r, + deny /etc/nsswitch.conf r, + deny /etc/os-release r, + deny /etc/passwd r, + deny /etc/resolv.conf r, + deny /etc/services r, + deny /var/lib/dbus/machine-id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/torbrowser-updater b/apparmor.d/groups/browsers/torbrowser-updater similarity index 74% rename from apparmor.d/groups/whonix/torbrowser-updater rename to apparmor.d/groups/browsers/torbrowser-updater index 4f0e16823..a5c1e7cc3 100644 --- a/apparmor.d/groups/whonix/torbrowser-updater +++ b/apparmor.d/groups/browsers/torbrowser-updater @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{exec_path} = @{lib_dirs}/updater profile torbrowser-updater @{exec_path} { 
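Review bot: `@{lib_dirs}/{,**} r,` lets the tor daemon read the whole browser tree, which includes `@{data_dirs}/Browser/profile.default/` (cookies, history, session store) that tor has no business seeing; tor only needs its own directory, so `@{lib_dirs}/TorBrowser/Tor/{,**} r,` is the tighter form (the `*.so* m` line and `owner @{data_dirs}/Tor/**` already cover its libraries, geoip files and state). Pluggable transports are executed in-profile via `mix`, yet only `network inet stream` is granted, so snowflake (UDP/STUN) and IPv6 bridges would be blocked unless `network inet dgram,` and `network inet6 stream,` are added deliberately; if that is the intended restriction, a comment should say so. `/tmp/onionshare/** rw,` also departs from the rest of the file by using a literal world-writable `/tmp` without `owner`; `owner @{tmp}/onionshare/** rw,` keeps the same compatibility with far less exposure.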
@@ -16,14 +16,12 @@ profile torbrowser-updater @{exec_path} { @{exec_path} mr, @{lib_dirs}/*.so mr, - @{lib_dirs}/firefox{,.real} rPx, + @{lib_dirs}/firefox{,.real} Px -> torbrowser, owner @{lib_dirs}/{,**} rw, owner @{tmp}/#@{int} rw, - deny owner @{lib_dirs}/Downloads/** rw, - include if exists } diff --git a/apparmor.d/groups/whonix/torbrowser-vaapitest b/apparmor.d/groups/browsers/torbrowser-vaapitest similarity index 58% rename from apparmor.d/groups/whonix/torbrowser-vaapitest rename to apparmor.d/groups/browsers/torbrowser-vaapitest index d29d1265a..37ea80f91 100644 --- a/apparmor.d/groups/whonix/torbrowser-vaapitest +++ b/apparmor.d/groups/browsers/torbrowser-vaapitest @@ -2,18 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/vaapitest -profile torbrowser-vaapitest @{exec_path} { +profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) { include include @@ -21,11 +21,10 @@ profile torbrowser-vaapitest @{exec_path} { @{exec_path} mr, - owner @{tmp}/@{name}/.parentlock rw, - + deny @{lib_dirs}/{,browser/}omni.ja r, + deny @{cache_dirs}/profile.default/startupCache/* r, deny @{config_dirs}/.parentlock rw, - deny @{config_dirs}/startupCache/** r, - deny @{user_cache_dirs}/startupCache/* r, + deny @{config_dirs}/extensions/*.xpi r, include if exists } diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 2b0ac0475..fec6d7897 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd 
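Review bot: Dropping `deny owner @{lib_dirs}/Downloads/** rw,` makes the user's Tor Browser download folder writable by the updater through the remaining `owner @{lib_dirs}/{,**} rw,`, which appears to be exactly what the deny existed to prevent (the updater fetches MAR files over the network and should not be able to touch downloaded documents). If the deny had to go because it broke staged updates, record that with a comment next to the `{,**} rw` rule; otherwise keep it. The hunk ends at the profile's closing brace, so nothing later in the file restores the restriction.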
@@ -3,38 +3,24 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include + include include include - include + include include - signal (receive) set=(term) peer=gdm, + signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, - #aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=:*), - dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=:*), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=dbus-accessibility), + #aa:dbus own bus=accessibility name=org.a11y.atspi + #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}" dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -43,8 +29,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index dc4ded9cd..c9b9a1538 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
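Review bot: `#aa:dbus own bus=accessibility name=org.a11y.atspi` drops the `.{R,r}egistry` suffix that the replaced hand-written rules were scoped to; if the `own` directive expands into a prefix match (bind plus send/receive for the name and everything below it), the registry daemon now claims every `org.a11y.atspi.*` name rather than the registry only. If only the registry is intended, `#aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry` keeps the previous scope while still replacing the verbose rules. The profile's closing brace is in the next hunk.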
@@ -11,22 +11,36 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include + include include + include include - signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, - dbus bus=accessibility, + signal receive set=(term hup kill) peer=dbus-session, + signal receive set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=gnome-session-binary, + unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), + + #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us + dbus receive bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=@{busname}), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, @@ -40,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -50,6 +63,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, + owner @{tmp}/xauth_@{rand6} r, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gdm/Xauthority r, 
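Review bot: The new `network inet dgram`, `network inet stream` and the two `inet6` grants give the accessibility bus daemon IP sockets that a purely local bus does not need, and the sibling `dbus-session` profile in this same change gets only `network unix stream`; unless the audit log showed dbus-daemon opening inet sockets here (an NSS lookup via getaddrinfo would be the usual culprit), keep it to `network unix stream,` plus `network netlink raw,`. The unix rule also hard-codes `addr=@/tmp/.X11-unix/X0` and `label=xorg`, whereas `ibus-x11` in this change uses `X@{int}` and `label=gnome-shell` (Xwayland); `addr=@/tmp/.X11-unix/X@{int}` avoids breaking on a second display. The profile body continues in the next hunk.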
@@ -57,14 +72,14 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/attr/apparmor/current r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, - - owner /dev/tty@{int} rw, + owner @{PROC}/@{pid}/oom_score_adj r, include if exists } diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 38259afc2..27e228e2c 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session 
@@ -4,32 +4,37 @@ # Profile for session dbus, regardless of the dbus implementation used. # It does not specify an attachment path as it would be the same than -# "dbus-system". It is intended to be used only via "Px ->" or via +# "dbus-system". It is intended to be used only via "Px ->" or via # systemd drop-in AppArmorProfile= setting. -abi , +abi , include -@{exec_path} = @{bin}/dbus-run-session +@{exec_path} = @{bin}/dbus-run-session @{bin}/dbus-update-activation-environment @{exec_path} += @{bin}/dbus-broker @{bin}/dbus-broker-launch @{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper profile dbus-session flags=(attach_disconnected) { include include include + include include + network unix stream, + unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), - signal (receive) set=(term hup) peer=gdm-session-worker, - signal (receive) set=(term hup) peer=gdm-session, - signal (receive) set=(term hup) peer=gdm, + signal (receive) set=(term hup) peer=gdm{,-*}, signal (send) set=(term hup kill) peer=dbus-accessibility, signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - dbus bus=session, + #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} + dbus receive bus=session + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), @{exec_path} mrix, @@ -38,6 +43,7 @@ profile dbus-session flags=(attach_disconnected) { @{bin}/** PUx, @{lib}/** PUx, + @{user_share_dirs}/*/** PUx, /usr/share/*/** PUx, /etc/dbus-1/{,**} r, 
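Review bot: `@{user_share_dirs}/*/** PUx,` in the second hunk extends the bus's activation exec rule to a user-writable tree with fall-back to unconfined, so any service file dropped into `~/.local/share/dbus-1/services/` whose `Exec=` points under `~/.local/share/` is started with no confinement at all, unlike the root-owned paths the `/usr/share/*/** PUx` rule covers. That may be an accepted trade-off for user-installed (e.g. flatpak-exported) services, but it should be stated where the next reviewer will see it: `@{user_share_dirs}/*/** PUx, # user-installed activatable services run unconfined when unprofiled`. The profile body continues in the following hunks.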
@@ -48,9 +54,14 @@ profile dbus-session flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + # Dbus can receive any user files + owner @{HOME}/** r, + owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{user_share_dirs}/dbus-1/services/{,**} r, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, @@ -59,12 +70,13 @@ profile dbus-session flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_score_adj r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_score_adj r, /dev/ptmx rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index f001c27b7..1b62a1086 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -4,10 +4,10 @@ # Profile for system dbus, regardless of the dbus implementation used. # It does not specify an attachment path as it would be the same than -# "dbus-session". It is intended to be used only via "Px ->" or via +# "dbus-session". It is intended to be used only via "Px ->" or via # systemd drop-in AppArmorProfile= setting. -abi , +abi , include @@ -15,8 +15,9 @@ include @{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper profile dbus-system flags=(attach_disconnected) { include - include include + include + include include capability audit_write, 
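Review bot: `owner @{HOME}/** r,` under the comment `# Dbus can receive any user files` lets the session bus daemon itself open anything in the user's home, and the comment does not name the mechanism that requires it. If the rule exists only because clients pass file descriptors over the bus and AppArmor re-validates them against this profile on receipt, say so explicitly so it is not later taken as licence for broader reads: `# file_receive: clients pass fds to arbitrary user files over the bus; the daemon never opens them itself`. The profile body continues in the next hunk.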
@@ -30,13 +31,23 @@ profile dbus-system flags=(attach_disconnected) { network bluetooth stream, network bluetooth seqpacket, - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, - dbus bus=system, + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} + dbus receive bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), + + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Activator + member=ActivationFailure + peer=(name=@{busname}, label="@{p_systemd}"), @{exec_path} mrix, @{bin}/** PUx, + @{sbin}/** PUx, @{lib}/** PUx, /usr/share/*/** PUx, 
@@ -48,32 +59,40 @@ profile dbus-system flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - @{desktop_share_dirs}/icc/ r, - @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{user_share_dirs}/icc/ r, - @{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{desktop_share_dirs}/icc/ r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/ r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, + + # Dbus can receive any user files + @{HOME}/** r, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, - @{run}/systemd/inhibit/*.ref rw, @{run}/systemd/notify w, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{int} r, @{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/oom_score_adj r, + @{PROC}/@{pids}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, - /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, + @{att}/dev/pts/ptmx rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index b072bcae9..b326138d6 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
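Review bot: `@{PROC}/@{pids}/environ r,` lets the system bus read the environment of any process DAC and ptrace scope allow, which routinely contains tokens and passwords; if the daemon only needs its own environment this should be `owner @{PROC}/@{pid}/environ r,`, and if it is for credential lookups on peers a comment naming the operation is needed (the old `@{pid}` form had the same width, so this is pre-existing but the rewrite was the moment to scope it). `@{HOME}/** r,` deliberately lacks `owner` because the system bus runs as a service user, so `owner` could never match; the `# Dbus can receive any user files` comment should say that and name fd passing as the reason, e.g. `# file_receive: fds passed by clients; no owner match possible as messagebus`. The profile's opening lines are outside this hunk.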
@@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include @@ -42,6 +42,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{lib}/{,ibus/}ibus-* rPUx, + @{lib}/ibus-*/ibus-* rPUx, /usr/share/ibus/{,**} r, /usr/share/ibus-table/{,**} r, @@ -54,6 +55,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/fd/ r, + owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index f45474e45..bac225ebc 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,13 +11,12 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include + include include include - signal (receive) set=term peer=ibus-daemon, - - unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), + signal receive set=kill peer=@{p_systemd_user}, + signal receive set=term peer=ibus-daemon, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 250ffafbd..8bdc3c79c 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -2,15 +2,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include + include include - include + include include signal (receive) set=term peer=ibus-daemon, 
@@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index ea39af4be..abe0d22c0 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile ibus-engine-table @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, /usr/share/ibus-table/engine/{,**} r, /usr/share/ibus-table/tables/ r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 27b7613d5..2fa49e50f 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -2,17 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include - include - include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 66fef2950..b1f1445b3 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,16 +10,17 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include + include + include include include signal (receive) set=(term) peer=ibus-daemon, - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @@ -27,8 +28,6 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 9c779eb72..6ea4891a7 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,23 +14,21 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus bind bus=session name=org.freedesktop.portal.IBus, + #aa:dbus own bus=session name=org.freedesktop.portal.IBus + #aa:dbus own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/freedesktop/IBus - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=:*, label=ibus-daemon), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, + owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists 
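Review bot: In the ibus-portal hunk, `#aa:dbus own bus=session name=org.freedesktop.IBus` is broader than the `org.freedesktop.portal.IBus` name the portal is documented to own; if the directive also emits a `bind` for `org.freedesktop.IBus`, the portal is granted a name that ibus-daemon serves on its private bus. If the intent is only to let the portal receive calls on its `/org/freedesktop/IBus/**` object paths, an explicit `dbus receive bus=session path=/org/freedesktop/IBus/** interface=org.freedesktop.IBus.* peer=(name=@{busname}),` rule is the tighter form; if the bind really is observed, a comment saying so would settle it. The dropped `Ping` receive rule from `ibus-daemon` looks safe only if that traffic now falls under the new `own` expansion, which is worth confirming.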
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 44bb611fe..ce1c2b108 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -2,29 +2,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include - include + include include - include - include include include include - unix (connect, receive, send) type=stream peer=(label=ibus-daemon), - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + # unix (connect, receive, send) type=stream peer=(label=ibus-daemon), + unix (send receive connect) type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -32,6 +31,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, @@ -40,8 +40,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/groups/cap/filecap similarity index 98% rename from apparmor.d/profiles-a-f/filecap rename to apparmor.d/groups/cap/filecap index afad4070c..6729ebb91 100644 --- a/apparmor.d/profiles-a-f/filecap +++ b/apparmor.d/groups/cap/filecap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
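Review bot: The new line `# unix (connect, receive, send) type=stream peer=(label=ibus-daemon),` leaves a dead rule in the profile with no explanation, right before the live rule that now grants the X socket instead; either delete it or state why it stays, e.g. `# not needed: ibus-x11 reaches ibus-daemon over its abstract dbus socket (dbus-@{rand8})` if that is the reason. The replacement rule pins the X peer to `label=gnome-shell` (Xwayland spawned by gnome-shell), while `dbus-accessibility` in this same change assumes `label=xorg`; on a plain Xorg session this profile would then fail, so `peer=(label={gnome-shell,xorg}, addr=@/tmp/.X11-unix/X@{int})` may be needed to cover both. The profile body continues in the next hunk.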
diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/groups/cap/netcap similarity index 98% rename from apparmor.d/profiles-m-r/netcap rename to apparmor.d/groups/cap/netcap index d1e5a2852..a73dbffe4 100644 --- a/apparmor.d/profiles-m-r/netcap +++ b/apparmor.d/groups/cap/netcap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/groups/cap/pscap similarity index 97% rename from apparmor.d/profiles-m-r/pscap rename to apparmor.d/groups/cap/pscap index 8a88b26a4..f4bc2b76e 100644 --- a/apparmor.d/profiles-m-r/pscap +++ b/apparmor.d/groups/cap/pscap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index 4f65ab28b..0a97bacd2 100644 --- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -9,12 +9,12 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include @{exec_path} = @{bin}/dpkg -profile child-dpkg { +profile child-dpkg flags=(attach_disconnected) { include include include @@ -43,7 +43,7 @@ profile child-dpkg { /var/lib/dpkg/tmp.ci/md5sums rw, /var/lib/dpkg/triggers/Lock rw, /var/lib/dpkg/updates/* rw, - /var/log/dpkg.log ra, + /var/log/dpkg.log rw, # file_inherit /tmp/#@{int} rw, diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index 227b92249..ddfff5fc2 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -9,7 +9,7 @@ # it is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include 
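Review bot: In the child-dpkg hunk, widening `/var/log/dpkg.log` from `ra` to `rw` gives up append-only on the package audit trail: with `a` a confined caller could only add entries, with `w` it can truncate or rewrite history. As far as I recall dpkg opens its log in append mode, so `ra` should suffice; if the audit log showed a plain write request from some caller, record it next to the rule, `/var/log/dpkg.log rw, # opened without O_APPEND by <caller>`, so nobody tightens it back blindly. The enclosing child-dpkg profile starts outside the hunk.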
@@ -22,6 +22,7 @@ profile child-dpkg-divert { /var/lib/dpkg/arch r, /var/lib/dpkg/status r, /var/lib/dpkg/updates/ r, + /var/lib/dpkg/updates/@{int} r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, /var/lib/dpkg/diversions r, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 1812463fc..8e991cee7 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -9,10 +9,10 @@ # and load the the nvidia kernel module. # Note: This profile does not specify an attachment path because it is -# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions +# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions # from other profiles. -abi , +abi , include @@ -34,8 +34,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - @{PROC}/sys/kernel/modprobe r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, @@ -43,7 +41,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{int} w, # Nvidia graphics devices + owner /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, 
@@ -53,22 +51,20 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { owner /dev/nvidia-caps/ w, owner /dev/nvidia-caps/nvidia-cap@{int} w, - /dev/tty@{int} rw, + deny @{HOME}/.steam/** r, profile kmod { include include capability mknod, - # capability sys_module, /etc/nvidia/{current,legacy*,tesla*}/*.conf r, - # @{sys}/module/ipmi_devintf/initstate r, - # @{sys}/module/ipmi_msghandler/initstate r, - # @{sys}/module/{drm,nvidia}/initstate r, @{sys}/module/compression r, + deny @{HOME}/.steam/** r, + include if exists } diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 3a10d9273..84b1d1ea1 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -15,11 +15,11 @@ # intended to be used only via "Px -> child-open" exec transitions # from other profiles. -abi , +abi , include -profile child-open { +profile child-open flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any new file mode 100644 index 000000000..446627e85 --- /dev/null +++ b/apparmor.d/groups/children/child-open-any @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is designed to be used in a child profile to limit what +# confined application can invoke via open helper. + +# This version of child-open allows to open any programs. + +abi , + +include + +profile child-open-any flags=(attach_disconnected,mediate_deleted) { + include + include + include + + @{bin}/** PUx, + @{lib}/** PUx, + @{user_bin_dirs}/** PUx, + /opt/*/** PUx, + /usr/local/bin/** PUx, + /usr/share/** PUx, + + include if exists + include if exists +} + +# vim:syntax=apparmor + diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index 639c32a9b..473276bff 100644 
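Review bot: The `deny @{HOME}/.steam/** r,` rule added to child-modprobe-nvidia, and again to its kmod child profile in the same hunk, carries no comment saying why a kernel-module helper is expected to reach into the Steam directory at all. Because an explicit `deny` is also quiet (it suppresses the audit entry), the reason is otherwise lost to anyone debugging this profile later. Suggest a comment above each of the two rules such as `# Quiet deny: reads under ~/.steam reach this helper but are not needed — silence them`, hedged to the actual trigger if it is known.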
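Review bot: The new child-open-any profile does not state the consequence of its `PUx` grants: anything under `@{user_bin_dirs}/**`, `/opt/*/**` or `/usr/share/**` that has no profile of its own runs unconfined, so a confined application that transitions here can launch user-writable code outside confinement. That is presumably the point of the "any" variant, but a comment above the rule block, e.g. `# PUx: targets without a profile run unconfined; this is the deliberately permissive variant of child-open`, would make it explicit. The header also lacks the "Note: This profile does not specify an attachment path …" paragraph its siblings carry, and the file ends with an extra blank line after `# vim:syntax=apparmor` that child-open-editor does not have.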
--- a/apparmor.d/groups/children/child-open-browsers +++ b/apparmor.d/groups/children/child-open-browsers @@ -11,11 +11,11 @@ # intended to be used only via "Px -> child-open-browsers" exec transitions # from other profiles. -abi , +abi , include -profile child-open-browsers { +profile child-open-browsers flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/children/child-open-editor b/apparmor.d/groups/children/child-open-editor new file mode 100644 index 000000000..16d3dc868 --- /dev/null +++ b/apparmor.d/groups/children/child-open-editor @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is designed to be used in a child profile to limit what +# confined application can invoke via open helper. + +# This version of child-open only allow to open text editor. + +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> child-open-browsers" exec transitions +# from other profiles. + +abi , + +include + +profile child-open-editor flags=(attach_disconnected,mediate_deleted) { + include + include + + @{editor_ui_path} PUx, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help index c9c49e142..1150d16d3 100644 --- a/apparmor.d/groups/children/child-open-help +++ b/apparmor.d/groups/children/child-open-help @@ -2,16 +2,16 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -profile child-open-help { +profile child-open-help flags=(attach_disconnected,mediate_deleted) { include include @{browsers_path} rPx, - @{bin}/yelp rPUx, + @{help_path} rPx, include if exists include if exists 
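Review bot: The header comment of the new child-open-editor file says it is used via `"Px -> child-open-browsers"` exec transitions, which is a copy-paste remnant from the browsers profile; it should read `# intended to be used only via "Px -> child-open-editor" exec transitions`. Everything else in the note is consistent with the profile name on the `profile child-open-editor` line below it.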
diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index cea3dc5e0..4296f03af 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -7,16 +7,18 @@ # This version of child-open only allow to open browsers & folders. -abi , +abi , include -profile child-open-strict { +profile child-open-strict flags=(attach_disconnected,mediate_deleted) { include include - @{browsers_path} rPx, - @{file_explorers_path} rPx, + @{browsers_path} Px, + @{file_explorers_path} Px, + + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, include if exists include if exists diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index cfcc832be..8e60bce47 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -9,31 +9,13 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include -@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more -profile child-pager { +profile child-pager flags=(attach_disconnected) { include - include - - capability dac_override, - capability dac_read_search, - - signal (receive) set=(stop, cont, term, kill), - - @{bin}/ r, - @{exec_path} mr, - - @{system_share_dirs}/terminfo/{,**} r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, + include include if exists } diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl index d9657a627..6dd9afd4a 100644 --- a/apparmor.d/groups/children/child-systemctl +++ b/apparmor.d/groups/children/child-systemctl 
@@ -9,7 +9,7 @@ # it is invoked from other confined applications, but not when it is # used in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined deleted file mode 100644 index 1d07d7c16..000000000 --- a/apparmor.d/groups/children/user_confined +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow confined users to read, write, lock and link to their own files -# anywhere, and execute from some places. - -abi , - -include - -profile user_confined flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rwkl, - owner @{HOMEDIRS}/bin/** ixmr, - owner @{user_bin_dirs}/** ixmr, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default deleted file mode 100644 index 4b010d22c..000000000 --- a/apparmor.d/groups/children/user_default +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# By default, allow users to read, lock and link to their own files anywhere, -# but only write to files in their home directory. Only allow limited execution -# of files. - -abi , - -include - -profile user_default flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rkl, - owner @{HOMEDIRS}/ w, - owner @{HOMEDIRS}/** w, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined deleted file mode 100644 index ea40d67bf..000000000 
--- a/apparmor.d/groups/children/user_unconfined +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile user_unconfined flags=(attach_disconnected,mediate_deleted) { - - capability, - network, - mount, - remount, - umount, - pivot_root, - ptrace, - signal, - dbus, - unix, - file, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/groups/cron/anacron similarity index 73% rename from apparmor.d/profiles-a-f/anacron rename to apparmor.d/groups/cron/anacron index 8893f1d70..3acfc14fd 100644 --- a/apparmor.d/profiles-a-f/anacron +++ b/apparmor.d/groups/cron/anacron @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/anacron +@{exec_path} = @{sbin}/anacron profile anacron @{exec_path} { include include @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, / r, /etc/anacrontab r, @@ -26,7 +26,9 @@ profile anacron @{exec_path} { @{HOME}/ r, - /tmp/file* rw, + @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -39,7 +41,10 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, - include if exists + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, + + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index a1a04dfa3..e91f9b419 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron 
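Review bot: The new `/tmp/anacron-@{rand6} rw,` and `/tmp/anacron-@{rand6}@{c} rw,` rules in the third anacron hunk use a literal `/tmp` while the rule directly above them was just switched to `@{tmp}`, and the same pair is repeated in the run-parts child profile in the following hunk. If `@{tmp}` resolves to more than `/tmp` (private tmp layouts), the literal form will not match there. Writing them as `@{tmp}/anacron-@{rand6} rw,` and `@{tmp}/anacron-@{rand6}@{c} rw,` in both places keeps the four rules consistent.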
@@ -3,15 +3,16 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/cron +@{exec_path} = @{sbin}/cron profile cron @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -24,20 +25,14 @@ profile cron @{exec_path} flags=(attach_disconnected) { network netlink raw, - ptrace (read) peer=unconfined, - @{exec_path} mr, - @{sh_path} rix, - @{bin}/nice rix, - @{bin}/ionice rix, - @{bin}/exim4 rPx, - @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not - # using the run-parts profile we are good - - @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - @{lib}/sysstat/debian-sa1 rPUx, - /usr/share/rsync/scripts/rrsync rPUx, + @{sh_path} rix, + @{sbin}/exim4 rPx, + @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/run-parts rCx -> run-parts, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, @@ -57,9 +52,10 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - owner @{PROC}/@{pid}/uid_map r, - owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/fd/ r, @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, /dev/tty rw, @@ -73,7 +69,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index ccce517a9..91c531618 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} { @{exec_path} r, - @{bin}/anacron rPx, + @{sbin}/anacron rPx, @{sh_path} rix, @{bin}/cat rix, @{bin}/date rix, 
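Review bot: `@{PROC}/@{pid}/fd/ r,` in the third cron hunk is the only proc rule in that stanza without the `owner` qualifier, so it lets cron enumerate the open-descriptor directories of any process rather than only its own. The two rules it sits next to (`loginuid`, `uid_map`) keep `owner`, so `owner @{PROC}/@{pid}/fd/ r,` looks like the intended form unless a denial for another process's fd listing was actually observed. The rest of the hunk (dropping `ptrace (read) peer=unconfined` and moving `debian-sa1` from `rPUx` to `rPx`) only tightens the profile.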
diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index e521016cb..1579115a7 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile cron-apport @{exec_path} { / r, /var/crash/ r, - /var/crash/*.crash w, + /var/crash/* w, include if exists } diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 51057f47f..0d5d5a081 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /usr/share/cron-apt/{,*} r, @@ -70,9 +70,6 @@ profile cron-apt @{exec_path} { /var/log/cron-apt/mail rw, /var/log/cron-apt/lastfullmessage rw, - # For the "ls" command - @{lib}/locale/locale-archive r, - # TMP /tmp/ r, owner @{tmp}/cron-apt.*/ rw, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 5c0c8054a..fcf5e4430 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{bin}/apt-config rPx, @{lib}/apt/apt.systemd.daily rPx, diff --git a/apparmor.d/groups/cron/cron-apt-listbugs b/apparmor.d/groups/cron/cron-apt-listbugs index 6415e66b1..1b3f40d87 100644 --- a/apparmor.d/groups/cron/cron-apt-listbugs +++ b/apparmor.d/groups/cron/cron-apt-listbugs 
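Review bot: `/var/crash/* w,` in the second cron-apport hunk widens the write grant from `*.crash` to every file in the crash spool without saying why. If this serves a daily cleanup that removes any stale file there, a comment on the rule such as `# cleanup removes any stale file in the spool, not only *.crash` documents that the wider glob is deliberate; if only one further file extension was missing, listing it next to `*.crash` keeps the grant narrow.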
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,6 +33,7 @@ profile cron-apt-listbugs @{exec_path} { /var/spool/apt-listbugs/lastprefclean rw, + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-apt-show-versions b/apparmor.d/groups/cron/cron-apt-show-versions index 460a98d7e..213ed194f 100644 --- a/apparmor.d/groups/cron/cron-apt-show-versions +++ b/apparmor.d/groups/cron/cron-apt-show-versions @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 335576536..15f93efec 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,15 +14,14 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/{,e}grep rix, - @{bin}/nice rix, @{bin}/ionice rix, @{bin}/ r, @{bin}/update-apt-xapian-index rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index 5769edadf..82b33e8ab 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, 
diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index 5bc3aed32..9399b6ed4 100644 --- a/apparmor.d/groups/cron/cron-cracklib +++ b/apparmor.d/groups/cron/cron-cracklib @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,10 +12,10 @@ profile cron-cracklib @{exec_path} { include @{exec_path} r, - + @{sh_path} rix, @{bin}/logger rix, - @{bin}/update-cracklib rPx, + @{sbin}/update-cracklib rPx, /etc/cracklib/cracklib.conf r, diff --git a/apparmor.d/groups/cron/cron-debsums b/apparmor.d/groups/cron/cron-debsums index 6ca80c582..46a3bbe07 100644 --- a/apparmor.d/groups/cron/cron-debsums +++ b/apparmor.d/groups/cron/cron-debsums @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,15 +14,13 @@ profile cron-debsums @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/true rix, + @{bin}/{,e}grep rix, + @{bin}/debsums rPx, + @{bin}/ionice rix, @{bin}/logger rix, @{bin}/sed rix, - @{bin}/{,e}grep rix, - - @{bin}/ionice rix, - - @{bin}/debsums rPx, @{bin}/tee rCx -> tee, + @{bin}/true rix, /etc/ r, /etc/default/debsums r, @@ -31,18 +29,17 @@ profile cron-debsums @{exec_path} { # For shell pwd / r, - profile tee { include include - # Needed to write to /proc/self/fd/3 capability dac_override, @{bin}/tee mr, - owner @{PROC}/@{pid}/fd/3 rw, + owner @{PROC}/@{pid}/fd/@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index ce32b715e..ea9086948 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
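Review bot: The second cron-debsums hunk removes the `# Needed to write to /proc/self/fd/3` comment while keeping `capability dac_override,` in the tee child profile, so the only justification for that capability is gone. Suggest restoring it against the capability line in its generalized form: `# dac_override: tee writes to the inherited @{PROC}/@{pid}/fd/@{int}`. The widening from `fd/3` to `fd/@{int}` is otherwise fine since the rule stays `owner`-qualified.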
@@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} { include @{exec_path} r, - @{sh_path} rix, - /usr/bin/debtags rPx, + @{sh_path} rix, + @{bin}/debtags rPx, include if exists } diff --git a/apparmor.d/groups/cron/cron-dlocate b/apparmor.d/groups/cron/cron-dlocate index fa4b03f8d..9599b6b4d 100644 --- a/apparmor.d/groups/cron/cron-dlocate +++ b/apparmor.d/groups/cron/cron-dlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-etckeeper b/apparmor.d/groups/cron/cron-etckeeper index 36e105eb6..2029f8842 100644 --- a/apparmor.d/groups/cron/cron-etckeeper +++ b/apparmor.d/groups/cron/cron-etckeeper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile cron-etckeeper @{exec_path} { include @{exec_path} r, - + @{sh_path} rix, @{bin}/rm rix, @{bin}/find rix, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 8fdfb9126..784dfae19 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,13 +34,13 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{bin}/eximstats rix, + @{sbin}/eximstats rix, - @{bin}/exim4 rPx, - @{bin}/exim_tidydb rix, + @{sbin}/exim4 rPx, + @{sbin}/exim_tidydb rix, - @{bin}/start-stop-daemon rix, - @{bin}/runuser rix, + @{sbin}/start-stop-daemon rix, + @{sbin}/runuser rix, /etc/default/exim4 r, diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 6f569d364..8b5891eed 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/ipset rix, + @{sbin}/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index 723ffe0d8..36044b2f3 100644 --- a/apparmor.d/groups/cron/cron-logrotate +++ b/apparmor.d/groups/cron/cron-logrotate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/logrotate rPx, + @{sbin}/logrotate rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 941f2ef11..709f843e8 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/start-stop-daemon rix, + @{sbin}/start-stop-daemon rix, @{bin}/xargs rix, @{bin}/find rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index 9ee08974a..f91956bcd 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, 
@@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.mlocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/mlocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index ebc53dcf2..7221cc6e1 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -2,7 +2,7 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile cron-ntp @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/sed rix, include if exists diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index bae69e971..7f52d1a14 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, @@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.plocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/plocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 3d25fecff..44d3a546f 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/cat rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, 
@@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} { # To send reports via TOR @{bin}/torify rix, @{bin}/torsocks rix, - @{bin}/getcap rix, + @{sbin}/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, @{bin}/savelog rCx -> savelog, /usr/share/popularity-contest/ r, @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, @@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} { include include - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, @{bin}/popularity-contest rPx, @@ -141,7 +141,6 @@ profile cron-popularity-contest @{exec_path} { network inet6 stream, network netlink raw, - @{bin}/perl r, @{bin}/gzip rix, /usr/share/popularity-contest/popcon-upload r, @@ -152,7 +151,7 @@ profile cron-popularity-contest @{exec_path} { owner @{tmp}/#@{int} rw, # file_inherit - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-sysstat b/apparmor.d/groups/cron/cron-sysstat index 064ebc792..20aaee7e5 100644 --- a/apparmor.d/groups/cron/cron-sysstat +++ b/apparmor.d/groups/cron/cron-sysstat @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile cron-sysstat @{exec_path} { include @{exec_path} r, - + @{sh_path} rix, @{lib}/sysstat/sa2 rPx, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index c1fae96e4..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab 
@@ -3,35 +3,44 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include + include include include + capability audit_write, + capability chown, + capability dac_read_search, + capability net_admin, capability setgid, capability setuid, + network netlink raw, + @{exec_path} mr, @{sh_path} rix, + @{editor_path} rCx -> editor, - # When editing the crontab file - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, - + @{etc_ro}/environment r, + @{etc_ro}/security/*.conf r, /etc/cron.{allow,deny} r, + /etc/pam.d/* r, - /var/spool/cron/ r, - /var/spool/cron/crontabs/ rw, - owner /var/spool/cron/crontabs/* rw, + /var/spool/cron/ r, + /var/spool/cron/** rw, - owner @{tmp}/crontab.*/{,crontab} rw, + owner @{user_cache_dirs}/crontab/crontab.bak rw, + @{tmp}/crontab.@{rand6} rw, + @{tmp}/crontab.@{rand6}/ rw, + @{tmp}/crontab.@{rand6}/crontab rwl, profile editor { include @@ -39,12 +48,13 @@ profile crontab @{exec_path} { capability fsetid, - /tmp/ r, - owner @{tmp}/crontab.*/crontab rw, - - # file_inherit /etc/cron.{allow,deny} r, + /tmp/ r, + owner @{tmp}/crontab.@{rand6}/crontab rw, + owner @{tmp}/crontab.@{rand6} rw, + + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh similarity index 91% rename from apparmor.d/profiles-a-f/cups-backend-beh rename to apparmor.d/groups/cups/cups-backend-beh index 5945ac6ea..1e9fe5b78 100644 --- a/apparmor.d/profiles-a-f/cups-backend-beh +++ b/apparmor.d/groups/cups/cups-backend-beh @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } 
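Review bot: `/var/spool/cron/** rw,` in the first crontab hunk drops both the `owner` qualifier and the `crontabs/` scoping of the rules it replaces, so crontab may now write every file under the cron spool, including other users' crontabs and any sibling spool directories kept there (on Debian-derived systems at's job spool typically lives under /var/spool/cron as well). Unless the denial that prompted this was outside `crontabs/`, `/var/spool/cron/crontabs/ rw,` plus `owner /var/spool/cron/crontabs/* rw,` keeps the previous scope. The new `@{tmp}/crontab.@{rand6}` rules in the parent profile also lack `owner`, while the same paths in the editor child (second hunk) keep it. The added `capability net_admin`, `capability audit_write` and `network netlink raw` look like the PAM/audit-session pattern; a comment naming that would stop a later reviewer from trimming `net_admin` as over-broad.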
diff --git a/apparmor.d/profiles-a-f/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth similarity index 92% rename from apparmor.d/profiles-a-f/cups-backend-bluetooth rename to apparmor.d/groups/cups/cups-backend-bluetooth index ba606c7ef..78ffbac77 100644 --- a/apparmor.d/profiles-a-f/cups-backend-bluetooth +++ b/apparmor.d/groups/cups/cups-backend-bluetooth @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf similarity index 92% rename from apparmor.d/profiles-a-f/cups-backend-brf rename to apparmor.d/groups/cups/cups-backend-brf index 2ea66ba05..6d50b284f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-brf +++ b/apparmor.d/groups/cups/cups-backend-brf @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd similarity index 80% rename from apparmor.d/profiles-a-f/cups-backend-dnssd rename to apparmor.d/groups/cups/cups-backend-dnssd index 0bb1a34d1..877200660 100644 --- a/apparmor.d/profiles-a-f/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -2,18 +2,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/profiles-a-f/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp similarity index 91% rename from apparmor.d/profiles-a-f/cups-backend-hp rename to apparmor.d/groups/cups/cups-backend-hp index f82ce7e0a..cd9af3d7f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-hp +++ b/apparmor.d/groups/cups/cups-backend-hp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass similarity index 92% rename from apparmor.d/profiles-a-f/cups-backend-implicitclass rename to apparmor.d/groups/cups/cups-backend-implicitclass index 6a50ec237..c71295f83 100644 --- a/apparmor.d/profiles-a-f/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp similarity index 91% rename from apparmor.d/profiles-a-f/cups-backend-ipp rename to apparmor.d/groups/cups/cups-backend-ipp index 706e1a5ae..8d61f4072 100644 --- a/apparmor.d/profiles-a-f/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd similarity index 91% rename from apparmor.d/profiles-a-f/cups-backend-lpd rename to apparmor.d/groups/cups/cups-backend-lpd index 077a913a0..89b62b569 100644 --- a/apparmor.d/profiles-a-f/cups-backend-lpd +++ b/apparmor.d/groups/cups/cups-backend-lpd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns similarity index 91% rename from apparmor.d/profiles-a-f/cups-backend-mdns rename to apparmor.d/groups/cups/cups-backend-mdns index a520e9a19..9e5dfbe0f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-mdns +++ b/apparmor.d/groups/cups/cups-backend-mdns @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-mdns @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel similarity index 91% rename from apparmor.d/profiles-a-f/cups-backend-parallel rename to apparmor.d/groups/cups/cups-backend-parallel index fe2e752ef..b4340b2ed 100644 --- a/apparmor.d/profiles-a-f/cups-backend-parallel +++ b/apparmor.d/groups/cups/cups-backend-parallel @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-parallel @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf similarity index 91% rename from apparmor.d/profiles-a-f/cups-backend-pdf rename to apparmor.d/groups/cups/cups-backend-pdf index efbb2a85d..21da6bf93 100644 --- a/apparmor.d/profiles-a-f/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,26 +14,28 @@ profile cups-backend-pdf @{exec_path} { include capability chown, + capability dac_override, + capability dac_read_search, capability setgid, capability setuid, - capability dac_override, unix peer=(label=cupsd), @{exec_path} mr, - + @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, /usr/share/ghostscript/{,**} r, - /etc/papersize r, /etc/cups/ r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, + /etc/papersize r, + /etc/paperspecs r, /var/log/cups/cups-pdf*_log w, /var/spool/cups-pdf/{,**} rw, diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial similarity index 92% rename from apparmor.d/profiles-a-f/cups-backend-serial rename to apparmor.d/groups/cups/cups-backend-serial index e2ec19bce..26811ab59 100644 --- a/apparmor.d/profiles-a-f/cups-backend-serial +++ b/apparmor.d/groups/cups/cups-backend-serial @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp similarity index 93% rename from apparmor.d/profiles-a-f/cups-backend-snmp rename to apparmor.d/groups/cups/cups-backend-snmp index 1532db04b..816f6c25b 100644 --- a/apparmor.d/profiles-a-f/cups-backend-snmp 
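Review bot: `@{bin}/gs{,.bin} rix,` in the second cups-backend-pdf hunk runs Ghostscript inheriting this profile, which after the hunk carries `chown`, `setuid`, `setgid`, `dac_override` and `dac_read_search`; a PostScript interpreter processing user-submitted print jobs is the component most worth isolating here, and with `ix` it gets that whole capability set. If the project ships a ghostscript profile, `rPx` (or a dedicated child profile with no capabilities) would keep those capabilities out of the interpreter. The same applies to the unchanged `@{bin}/gsc rix,` on the next line.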
+++ b/apparmor.d/groups/cups/cups-backend-snmp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,9 +16,10 @@ profile cups-backend-snmp @{exec_path} { network netlink raw, @{exec_path} mr, - + /etc/cups/snmp.conf r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket similarity index 91% rename from apparmor.d/profiles-a-f/cups-backend-socket rename to apparmor.d/groups/cups/cups-backend-socket index 338d2e2e6..f8f36a056 100644 --- a/apparmor.d/profiles-a-f/cups-backend-socket +++ b/apparmor.d/groups/cups/cups-backend-socket @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb similarity index 93% rename from apparmor.d/profiles-a-f/cups-backend-usb rename to apparmor.d/groups/cups/cups-backend-usb index e647939f4..7d9dbd237 100644 --- a/apparmor.d/profiles-a-f/cups-backend-usb +++ b/apparmor.d/groups/cups/cups-backend-usb @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,6 +21,7 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/groups/cups/cups-browsed similarity index 61% rename from apparmor.d/profiles-a-f/cups-browsed rename to apparmor.d/groups/cups/cups-browsed index 2abffbe16..ca1dc9630 100644 --- a/apparmor.d/profiles-a-f/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed 
@@ -2,23 +2,24 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/cups-browsed -profile cups-browsed @{exec_path} { +@{exec_path} = @{sbin}/cups-browsed +profile cups-browsed @{exec_path} flags=(attach_disconnected) { include include - include include + include + include + include include include include capability net_admin, capability net_bind_service, - capability sys_nice, network inet dgram, network inet6 dgram, @@ -26,27 +27,30 @@ profile cups-browsed @{exec_path} { network inet6 stream, network netlink raw, - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=:*, label=avahi-daemon), + #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, + @{bin}/ippfind rPx, + /usr/share/cups/locale/{,**} r, - /usr/share/locale/{,**} r, /etc/cups/{,**} r, - /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + /var/cache/cups/{,**} rw, + owner /var/cache/cups-browsed/{,**} rw, + + owner @{tmp}/@{hex} rw, + @{run}/cups/certs/* r, + @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus similarity index 90% rename from apparmor.d/profiles-a-f/cups-notifier-dbus rename to apparmor.d/groups/cups/cups-notifier-dbus index 9632ca91d..fa31b726d 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-dbus +++ b/apparmor.d/groups/cups/cups-notifier-dbus @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
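Review bot: `flags=(attach_disconnected)` is added to the cups-browsed profile header in the first hunk with no comment on which disconnected path triggered it; a one-line `# attach_disconnected: <reason>` above the profile line would document the widening, in the same spirit as the `#aa:` and `# TODO:` markers used elsewhere in this repository. In the second hunk the Avahi `org.freedesktop.Avahi.Server` / `StateChanged` receive rule is removed while `@{run}/avahi-daemon/socket rw,` is added; if none of the three newly included abstractions (their names are not legible in this copy) grants that signal, cups-browsed will lose it, so that is worth confirming in the rendered profile. Dropping `capability sys_nice` and replacing `name=:*` with `name=@{busname}` both tighten the profile.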
@@ -16,12 +16,14 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, + #aa:dbus own bus=system name=org.cups.cupsd.Notifier + @{exec_path} mr, - + owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner @{tmp}/cups-dbus-notifier-lockfile rwk, - + include if exists } diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/groups/cups/cups-notifier-mailto similarity index 95% rename from apparmor.d/profiles-a-f/cups-notifier-mailto rename to apparmor.d/groups/cups/cups-notifier-mailto index aad9f73c3..e69afb072 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-mailto +++ b/apparmor.d/groups/cups/cups-notifier-mailto @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,7 @@ profile cups-notifier-mailto @{exec_path} { include @{exec_path} mr, - + include if exists } diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/groups/cups/cups-notifier-rss similarity index 95% rename from apparmor.d/profiles-a-f/cups-notifier-rss rename to apparmor.d/groups/cups/cups-notifier-rss index 86dfecc9e..993392912 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-rss +++ b/apparmor.d/groups/cups/cups-notifier-rss @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,7 @@ profile cups-notifier-rss @{exec_path} { include @{exec_path} mr, - + include if exists } diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism similarity index 95% rename from apparmor.d/profiles-a-f/cups-pk-helper-mechanism rename to apparmor.d/groups/cups/cups-pk-helper-mechanism index 7c67e3e6a..89d517631 100644 --- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism +++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} { /etc/cups/ppd/*.ppd r, - owner @{tmp}/[a-z0-9]* rw, + owner @{tmp}/@{int} rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/groups/cups/cupsd similarity index 86% rename from apparmor.d/profiles-a-f/cupsd rename to apparmor.d/groups/cups/cupsd index 9511c7495..ec0bbfd67 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -2,15 +2,17 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include -@{exec_path} = @{bin}/cupsd +@{exec_path} = @{sbin}/cupsd profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include @@ -27,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { capability setuid, capability wake_alarm, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network appletalk dgram, @@ -48,14 +52,14 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/grep rix, - @{bin}/gs rix, + @{bin}/{,e}grep rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/smbspool rPx, @@ -88,12 +92,13 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{run}/cups/{,**} rw, @{run}/systemd/notify w, + @{run}/avahi-daemon/socket rw, @{sys}/module/apparmor/parameters/enabled r, @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pid}/mounts r, - + owner @{tmp}/*_latest_print_info w, /dev/tty rw, diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind new file mode 100644 index 000000000..fe4347237 --- /dev/null 
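Review bot: cupsd keeps `@{bin}/ippfind rix,` (context line in the `@@ -48,14 +52,14 @@` hunk) even though this commit adds a dedicated `ippfind` profile and cups-browsed transitions to it with `rPx`; when cupsd spawns ippfind it will therefore run inside cupsd's profile with all of cupsd's capabilities instead of the new, much smaller profile. Changing the line to `@{bin}/ippfind rPx,` would make the two callers consistent. The same hunk also widens `@{bin}/python3.@{int} rix` to `@{python_path} rix`, which still runs the interpreter with cupsd's full rule set; a comment naming the filter or backend that needs it would help future tightening.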
+++ b/apparmor.d/groups/cups/ippfind @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ippfind +profile ippfind @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/echo rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups new file mode 100644 index 000000000..6ab6007cb --- /dev/null +++ b/apparmor.d/groups/cups/print-backends-cups @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/@{multiarch}/print-backends/cups +profile print-backends-cups @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index 3c66936d0..e0e0bd794 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/lightdm profile lightdm @{exec_path} flags=(attach_disconnected) { include + include include include include 
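Review bot: The new `ippfind` profile contains no `network` rule, yet ippfind exists to discover IPP printers over the network; unless one of its three includes (not legible in this copy) supplies the socket permissions, every lookup will be denied and the profile will only appear to work in complain mode. Worth confirming by running ippfind under the enforced profile and, if denials appear, adding the needed `network inet dgram,` / `network inet6 dgram,` (and stream, if required) lines explicitly with a comment. ippfind can also run an external utility per discovered printer, so if further helpers show up later, prefer `rPx`/`rPUx` over `rix` to keep this profile small.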
@@ -36,15 +37,21 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=xfce-session, signal (send) set=(term) peer=xorg, + #aa:dbus own bus=system name=org.freedesktop.DisplayManager + @{exec_path} mrix, - @{bin}/rm rix, + @{sh_path} rix, + @{bin}/{,e,f}grep rix, + @{bin}/df rix, + @{bin}/rm rix, @{bin}/lightdm-*-greeter rPUx, @{bin}/startx rPx, @{bin}/Xorg rPx, @{bin}/plymouth rPx, @{bin}/gnome-keyring-daemon rPx, + @{bin}/lightdm-session rPx, @{lib}/security-misc/* rPx, #aa:only whonix @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, @@ -56,11 +63,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, - /etc/environment r, /etc/lightdm/{,**} r, /etc/machine-id r, - /etc/security/limits.d/{,*} r, /etc/shells r, /var/cache/lightdm/dmrc/*.dmrc* rw, @@ -81,6 +88,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty@{int} r, diff --git a/apparmor.d/groups/display-manager/lightdm-gtk-greeter b/apparmor.d/groups/display-manager/lightdm-gtk-greeter index 60fab17a2..e0f5f02f2 100644 --- a/apparmor.d/groups/display-manager/lightdm-gtk-greeter +++ b/apparmor.d/groups/display-manager/lightdm-gtk-greeter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,6 @@ profile lightdm-gtk-greeter @{exec_path} { @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, /usr/share/backgrounds/xfce/{,**} r, - /usr/share/desktop-base/{,**} r, /usr/share/lightdm/{,**} r, /usr/share/wayland-sessions/{,*.desktop} r, 
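Review bot: `@{sh_path} rix,` together with `@{bin}/{,e,f}grep`, `@{bin}/df` and `@{bin}/rm` in this hunk runs a shell inside the lightdm profile, which carries the root display manager's full rule set (signals to sessions, `rPx` to Xorg, the greeters and `gnome-keyring-daemon`); a comment naming the script that needs the shell (the hunk does not show it) would record why `ix` was chosen over a child profile. `@{bin}/lightdm-session rPx,` correctly hands the session wrapper to the profile added in this same commit.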
diff --git a/apparmor.d/groups/display-manager/lightdm-session b/apparmor.d/groups/display-manager/lightdm-session new file mode 100644 index 000000000..ea7d62be2 --- /dev/null +++ b/apparmor.d/groups/display-manager/lightdm-session @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lightdm-session +profile lightdm-session @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/im-launch rPx, + + @{sh_path} rix, + @{bin}/mktemp rix, + @{bin}/expr rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/display-manager/lightdm-xsession b/apparmor.d/groups/display-manager/lightdm-xsession index 14df741df..5653b42ef 100644 --- a/apparmor.d/groups/display-manager/lightdm-xsession +++ b/apparmor.d/groups/display-manager/lightdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -32,7 +32,7 @@ profile lightdm-xsession @{exec_path} { profile systemctl { include include - + owner @{HOME}/.xsession-errors w, include if exists diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 6d95290c8..361a30b26 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @@ -68,7 +68,7 @@ profile x11-xsession @{exec_path} { profile ssh-agent { include - + @{bin}/ssh-agent mr, @{sh_path} rix, 
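Review bot: The new lightdm-session profile allows only `@{bin}/im-launch rPx,` as an external transition, but lightdm-session is a wrapper that ultimately has to start the session command it is given; if that happens by executing the session binary directly rather than through im-launch, there is no rule for it here and the exec will be denied. Confirm with a session that does not use im-launch and, if needed, add an explicit transition for the session command with a comment, keeping it `rPx`/`rPUx` rather than `rix`. A one-line header comment describing what lightdm-session does would also help, since the profile has a single include and no explanatory text.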
diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 6278d2ac7..df17e0d9f 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include profile xdm-xsession @{exec_path} { include include + include include include include @@ -18,22 +19,26 @@ profile xdm-xsession @{exec_path} { @{shells_path} rix, - @{bin}/checkproc rix, @{bin}/basename rix, @{bin}/cat rix, + @{sbin}/checkproc rix, @{bin}/dirname rix, + @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/sed rix, @{bin}/ssh-agent rix, + @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @{bin}/whoami rix, + @{bin}/xmodmap rPUx, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @@ -51,11 +56,11 @@ profile xdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/sys.xsession rix, @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh rix, @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh rix, - @{HOME}/.xinitrc rPix, + @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, + /usr/share/terminfo/{,**} r, @{etc_ro}/X11/xdm/scripts/{,*} r, @{etc_ro}/X11/xim r, @@ -70,6 +75,7 @@ profile xdm-xsession @{exec_path} { /etc/sysconfig/* r, owner @{HOME}/ r, + owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{user_share_dirs}/sddm/xorg-session.log rw, @@ -100,7 +106,7 @@ profile xdm-xsession @{exec_path} { profile systemctl { include include - + include if exists } 
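Review bot: `@{bin}/fortune rPUx,` and `@{bin}/xmodmap rPUx,` in this hunk fall back to unconfined execution when no profile is present, and xmodmap is typically invoked on a user-controlled keymap file; if the intent is that these stay unconfined until profiles exist, a comment saying so would make that explicit, in the way the same hunk annotates `.xinitrc` with `# TODO: rCx`. `@{sbin}/checkproc rix,` is a pure path relocation, and the `owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,` read is correctly scoped with `owner`.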
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/groups/filesystem/btrfs similarity index 87% rename from apparmor.d/profiles-a-f/btrfs rename to apparmor.d/groups/filesystem/btrfs index f056d12ca..40149588d 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,8 +24,15 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk, / r, - /boot/ r, /.snapshots/ r, + @{efi}/ r, + @{efi}/**/ r, + /home/ r, + /opt/ r, + /root/ r, + /srv/ r, + /usr/local/ r, + /var/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, @{MOUNTS}/ext2_saved/image rw, @@ -43,10 +50,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/snapper-tools-*/ r, @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r, - - @{sys}/fs/btrfs/@{uuid}/exclusive_operation r, - @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/fsid r, - @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/scrub_speed_max r, + + @{sys}/fs/btrfs/@{uuid}/** r, @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, @@ -54,7 +59,6 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /dev/btrfs-control rw, /dev/pts/@{int} rw, /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/groups/filesystem/btrfs-convert similarity index 89% rename from apparmor.d/profiles-a-f/btrfs-convert rename to apparmor.d/groups/filesystem/btrfs-convert index 8b443cf6e..22715c857 100644 --- a/apparmor.d/profiles-a-f/btrfs-convert +++ b/apparmor.d/groups/filesystem/btrfs-convert @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/btrfs-convert +@{exec_path} = @{sbin}/btrfs-convert profile btrfs-convert @{exec_path} { include include 
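Review bot: The `@@ -43,10 +50,8 @@` hunk collapses three specific sysfs reads into `@{sys}/fs/btrfs/@{uuid}/** r,`; it is read-only sysfs, so the risk is low, but a comment stating that the per-attribute list was abandoned on purpose, e.g. `# btrfs reads many per-filesystem sysfs attributes; an explicit list does not stay current`, would stop the next reviewer from re-narrowing it. The earlier hunk adds directory listings on `/home/`, `/root/`, `/opt/`, `/srv/`, `/var/`, `/usr/local/` and `@{efi}/**/`; these are directory reads only, but a comment on which subcommand needs them (not visible here) would help.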
diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root similarity index 89% rename from apparmor.d/profiles-a-f/btrfs-find-root rename to apparmor.d/groups/filesystem/btrfs-find-root index 03c2d47bd..cec2bbb61 100644 --- a/apparmor.d/profiles-a-f/btrfs-find-root +++ b/apparmor.d/groups/filesystem/btrfs-find-root @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/btrfs-find-root +@{exec_path} = @{sbin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/groups/filesystem/btrfs-image similarity index 90% rename from apparmor.d/profiles-a-f/btrfs-image rename to apparmor.d/groups/filesystem/btrfs-image index c1508bb09..48be7c381 100644 --- a/apparmor.d/profiles-a-f/btrfs-image +++ b/apparmor.d/groups/filesystem/btrfs-image @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/btrfs-image +@{exec_path} = @{sbin}/btrfs-image profile btrfs-image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/groups/filesystem/btrfs-map-logical similarity index 97% rename from apparmor.d/profiles-a-f/btrfs-map-logical rename to apparmor.d/groups/filesystem/btrfs-map-logical index 12d2b09d6..f871bc946 100644 --- a/apparmor.d/profiles-a-f/btrfs-map-logical +++ b/apparmor.d/groups/filesystem/btrfs-map-logical @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/groups/filesystem/btrfs-select-super similarity index 97% rename from apparmor.d/profiles-a-f/btrfs-select-super rename to apparmor.d/groups/filesystem/btrfs-select-super index f083363cf..0019aa906 100644 
--- a/apparmor.d/profiles-a-f/btrfs-select-super +++ b/apparmor.d/groups/filesystem/btrfs-select-super @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/groups/filesystem/btrfstune similarity index 92% rename from apparmor.d/profiles-a-f/btrfstune rename to apparmor.d/groups/filesystem/btrfstune index cd8f7adfe..24a8ef46e 100644 --- a/apparmor.d/profiles-a-f/btrfstune +++ b/apparmor.d/groups/filesystem/btrfstune @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/btrfstune +@{exec_path} = @{sbin}/btrfstune profile btrfstune @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fsck.btrfs b/apparmor.d/groups/filesystem/fsck.btrfs similarity index 89% rename from apparmor.d/profiles-a-f/fsck.btrfs rename to apparmor.d/groups/filesystem/fsck.btrfs index 470b5a3d3..512265788 100644 --- a/apparmor.d/profiles-a-f/fsck.btrfs +++ b/apparmor.d/groups/filesystem/fsck.btrfs @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/fsck.btrfs +@{exec_path} = @{sbin}/fsck.btrfs profile fsck.btrfs @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/fsck.fat b/apparmor.d/groups/filesystem/fsck.fat similarity index 84% rename from apparmor.d/profiles-a-f/fsck.fat rename to apparmor.d/groups/filesystem/fsck.fat index c188574ee..0e7df947d 100644 --- a/apparmor.d/profiles-a-f/fsck.fat +++ b/apparmor.d/groups/filesystem/fsck.fat 
@@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck +@{exec_path} = @{sbin}/fsck.fat @{sbin}/fsck.msdos @{sbin}/fsck.vfat @{sbin}/dosfsck profile fsck.fat @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/groups/filesystem/lvm similarity index 88% rename from apparmor.d/profiles-g-l/lvm rename to apparmor.d/groups/filesystem/lvm index 0bd6ef2e8..ad4645bff 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/groups/filesystem/lvm @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/lvm +@{exec_path} = @{sbin}/lvm profile lvm @{exec_path} flags=(attach_disconnected) { include include @@ -23,12 +23,14 @@ profile lvm @{exec_path} flags=(attach_disconnected) { ptrace (read), - # mqueue r type=posix /, + mqueue getattr type=posix /, + mqueue r type=posix /, @{exec_path} rm, @{etc_rw}/lvm/** rwkl, /etc/multipath.conf r, + /etc/multipath/* r, @{run}/lock/ rw, @{run}/lock/lvm/ rw, @@ -47,6 +49,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { /dev/**/ r, /dev/mapper/control rw, + /dev/root r, include if exists } diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/groups/filesystem/lvmconfig similarity index 88% rename from apparmor.d/profiles-g-l/lvmconfig rename to apparmor.d/groups/filesystem/lvmconfig index f38bd6780..39224c22f 100644 --- a/apparmor.d/profiles-g-l/lvmconfig +++ b/apparmor.d/groups/filesystem/lvmconfig @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/lvmconfig +@{exec_path} = @{sbin}/lvmconfig profile lvmconfig @{exec_path} { include include 
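Review bot: `mqueue getattr type=posix /,` and `mqueue r type=posix /,` in the lvm hunk enable the rule that was previously commented out; mqueue rules need the 4.0 policy ABI, so they depend on the `abi` line changed at the top of the same file (its value is not legible in this copy), and the parser in use must accept that ABI or the whole profile will fail to load. A short comment above the two lines naming which lvm component opens the POSIX message-queue root would also help, since the old commented rule carried no explanation. `/dev/root r,` and `/etc/multipath/* r,` are plain read additions.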
diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/groups/filesystem/lvmdump similarity index 88% rename from apparmor.d/profiles-g-l/lvmdump rename to apparmor.d/groups/filesystem/lvmdump index 9dbe000f7..5e90ffeee 100644 --- a/apparmor.d/profiles-g-l/lvmdump +++ b/apparmor.d/groups/filesystem/lvmdump @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/lvmdump +@{exec_path} = @{sbin}/lvmdump profile lvmdump @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld similarity index 85% rename from apparmor.d/profiles-g-l/lvmpolld rename to apparmor.d/groups/filesystem/lvmpolld index 7a4bc90b3..cce01b0d0 100644 --- a/apparmor.d/profiles-g-l/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -2,18 +2,18 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/lvmpolld +@{exec_path} = @{sbin}/lvmpolld profile lvmpolld @{exec_path} { include include include @{exec_path} rm, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/umount rPx, @{run}/lvmpolld.pid rwk, diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/groups/filesystem/mke2fs similarity index 79% rename from apparmor.d/profiles-m-r/mke2fs rename to apparmor.d/groups/filesystem/mke2fs index 038de3c73..90df8ecb1 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/mke2fs @{bin}/mkfs.ext2 @{bin}/mkfs.ext3 @{bin}/mkfs.ext4 +@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include + include include include 
@@ -19,7 +20,7 @@ profile mke2fs @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, @@ -34,6 +35,8 @@ profile mke2fs @{exec_path} { owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs similarity index 92% rename from apparmor.d/profiles-m-r/mkfs-btrfs rename to apparmor.d/groups/filesystem/mkfs-btrfs index 237fc8006..54c83e559 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/groups/filesystem/mkfs-btrfs @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/mkfs.btrfs +@{exec_path} = @{sbin}/mkfs.btrfs profile mkfs-btrfs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/groups/filesystem/mkfs-fat similarity index 97% rename from apparmor.d/profiles-m-r/mkfs-fat rename to apparmor.d/groups/filesystem/mkfs-fat index d7f7a1cc9..1aba124ae 100644 --- a/apparmor.d/profiles-m-r/mkfs-fat +++ b/apparmor.d/groups/filesystem/mkfs-fat @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/groups/filesystem/mkntfs similarity index 97% rename from apparmor.d/profiles-m-r/mkntfs rename to apparmor.d/groups/filesystem/mkntfs index ccfa5f4ed..5141c5385 100644 --- a/apparmor.d/profiles-m-r/mkntfs +++ b/apparmor.d/groups/filesystem/mkntfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
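Review bot: `owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw,` in the `@@ -34,6 +35,8 @@` hunk grants write access to what looks like a libguestfs appliance path without saying so; mke2fs is not obviously related to guestfs, so a comment such as `# presumably the libguestfs appliance image, when guestfs tools run mke2fs` would explain the rule — the hunk does not show the caller, so confirm before wording it as fact. The `@{sbin}/badblocks rPx,` change in the first hunk is a path relocation only.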
diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/groups/filesystem/mkswap similarity index 92% rename from apparmor.d/profiles-m-r/mkswap rename to apparmor.d/groups/filesystem/mkswap index 4c732c2c6..fa30030f3 100644 --- a/apparmor.d/profiles-m-r/mkswap +++ b/apparmor.d/groups/filesystem/mkswap @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/mkswap +@{exec_path} = @{sbin}/mkswap profile mkswap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/groups/filesystem/mount similarity index 97% rename from apparmor.d/profiles-m-r/mount rename to apparmor.d/groups/filesystem/mount index f122b8f27..f8616cd88 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/groups/filesystem/mount @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile mount @{exec_path} flags=(attach_disconnected) { include include include - + capability chown, capability dac_read_search, capability setgid, @@ -49,7 +49,6 @@ profile mount @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, @{MOUNTS}/*/*/ rw, - /media/cdrom[0-9]/ r, # Mount iso/img files owner @{user_img_dirs}/{,**} rwk, diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/groups/filesystem/mount-cifs similarity index 67% rename from apparmor.d/profiles-m-r/mount-cifs rename to apparmor.d/groups/filesystem/mount-cifs index bbadcc7e0..a6c8d01e3 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/groups/filesystem/mount-cifs 
@@ -3,46 +3,56 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/mount.cifs +@{exec_path} = @{sbin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include + include include - # To mount anything. capability sys_admin, - - # (#FIXME#) capability setpcap, + capability dac_read_search, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, + mount fstype=cifs -> @{HOME}/*/, + mount fstype=cifs -> @{HOME}/*/*/, + mount fstype=cifs -> @{MOUNTDIRS}/, + mount fstype=cifs -> @{MOUNTS}/, + mount fstype=cifs -> @{MOUNTS}/*/, + mount fstype=cifs -> @{MOUNTS}/*/*/, + + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount @{MOUNTS}/*/*/, + @{exec_path} mr, @{bin}/systemd-ask-password rPUx, /etc/fstab r, + /etc/sync-credentials r, owner @{HOME}/.smbcredentials r, # Mount points + @{HOME}/*/ r, + @{HOME}/*/*/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, - - # Allow to mount smb/cifs disks only under the /media/ dirs - mount fstype=cifs -> @{MOUNTDIRS}/, - mount fstype=cifs -> @{MOUNTS}/, - mount fstype=cifs -> @{MOUNTS}/*/, - - umount @{MOUNTDIRS}/, - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, + @{MOUNTS}/*/*/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/groups/filesystem/mount-nfs similarity index 94% rename from apparmor.d/profiles-m-r/mount-nfs rename to apparmor.d/groups/filesystem/mount-nfs index 698f350ce..f670b62d7 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/groups/filesystem/mount-nfs @@ -3,11 +3,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/mount.nfs +@{exec_path} = @{sbin}/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include 
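Review bot: The mount and umount targets for this setuid helper are widened from the media directories to `@{HOME}/*/` and `@{HOME}/*/*/`, and the comment that documented the previous restriction (`# Allow to mount smb/cifs disks only under the /media/ dirs`) is deleted rather than updated, so the new scope is undocumented; the profile is also `flags=(complain)`, so the widening will not surface as denials. Please restate the intended scope above the mount block, e.g. `# CIFS shares may be mounted under /media, /mnt and one or two levels below a home directory`, and note whether the `@{HOME}` targets are meant for fstab `user` mounts. `/etc/sync-credentials r,` is not a standard smb/cifs path; if it is site-specific it belongs in the `include if exists` local override at the end of the profile rather than in the shipped rules. The added `capability dac_read_search,` also deserves a comment naming the credential file it is needed for.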
@@ -42,7 +42,7 @@ profile mount-nfs @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/flock rix, - @{bin}/start-statd rix, + @{sbin}/start-statd rix, @{bin}/systemctl rCx -> systemctl, /etc/fstab r, @@ -64,7 +64,7 @@ profile mount-nfs @{exec_path} flags=(complain) { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/groups/filesystem/mount-zfs similarity index 98% rename from apparmor.d/profiles-m-r/mount-zfs rename to apparmor.d/groups/filesystem/mount-zfs index bc47f0a30..552f96b05 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/groups/filesystem/mount-zfs @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/groups/filesystem/mtools similarity index 98% rename from apparmor.d/profiles-m-r/mtools rename to apparmor.d/groups/filesystem/mtools index 75c95fffd..5fea49231 100644 --- a/apparmor.d/profiles-m-r/mtools +++ b/apparmor.d/groups/filesystem/mtools @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/groups/filesystem/nfsdcld similarity index 91% rename from apparmor.d/profiles-m-r/nfsdcld rename to apparmor.d/groups/filesystem/nfsdcld index a02e226c6..23ecc576e 100644 --- a/apparmor.d/profiles-m-r/nfsdcld +++ b/apparmor.d/groups/filesystem/nfsdcld @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/nfsdcld +@{exec_path} = @{sbin}/nfsdcld profile nfsdcld @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g similarity index 88% rename from apparmor.d/profiles-m-r/ntfs-3g rename to apparmor.d/groups/filesystem/ntfs-3g index e5ae871b6..e4749177c 100644 
--- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/groups/filesystem/ntfs-3g @@ -3,14 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/{low,}ntfs{,-3g} @{exec_path} += @{bin}/mount.{low,}ntfs{,-3g} -profile ntfs-3g @{exec_path} { +profile ntfs-3g @{exec_path} flags=(attach_disconnected) { include + include include include @@ -21,15 +22,6 @@ profile ntfs-3g @{exec_path} { capability setuid, capability sys_admin, - @{exec_path} mr, - - @{bin}/kmod rPx, # To load the fuse kernel module - - # Mount points - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/*/ r, - # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}, mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, @@ -42,16 +34,28 @@ profile ntfs-3g @{exec_path} { mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver + umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, + @{exec_path} mr, + + @{bin}/kmod rPx, # To load the fuse kernel module + + # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/groups/filesystem/ntfs-3g-probe similarity index 96% rename from apparmor.d/profiles-m-r/ntfs-3g-probe rename to apparmor.d/groups/filesystem/ntfs-3g-probe index ef870e0f0..73ba17229 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g-probe +++ b/apparmor.d/groups/filesystem/ntfs-3g-probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
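Review bot: In the third hunk the added `mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver` has no matching `umount /tmp/fsa/*/,`, so the mount can be created under this profile but not removed, unlike every other mount target in the block which is paired with an `umount` rule. The target is also a literal `/tmp` while the rest of this commit uses `@{tmp}` (see the flatpak and ufw profiles), and it is a world-writable location where any local user can pre-create `fsa/<name>/`, which is worth a why-comment beyond `# fsarchiver`. Suggested: `mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{tmp}/fsa/*/, # fsarchiver working dir` plus `umount @{tmp}/fsa/*/,`.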
diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/groups/filesystem/ntfscat similarity index 97% rename from apparmor.d/profiles-m-r/ntfscat rename to apparmor.d/groups/filesystem/ntfscat index 069a597e9..c1d14927b 100644 --- a/apparmor.d/profiles-m-r/ntfscat +++ b/apparmor.d/groups/filesystem/ntfscat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/groups/filesystem/ntfsclone similarity index 92% rename from apparmor.d/profiles-m-r/ntfsclone rename to apparmor.d/groups/filesystem/ntfsclone index 06fe65684..c6443bf7a 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/groups/filesystem/ntfsclone @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/ntfsclone +@{exec_path} = @{sbin}/ntfsclone profile ntfsclone @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/groups/filesystem/ntfscluster similarity index 97% rename from apparmor.d/profiles-m-r/ntfscluster rename to apparmor.d/groups/filesystem/ntfscluster index 62aff85c8..80fdf01ce 100644 --- a/apparmor.d/profiles-m-r/ntfscluster +++ b/apparmor.d/groups/filesystem/ntfscluster @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/groups/filesystem/ntfscmp similarity index 97% rename from apparmor.d/profiles-m-r/ntfscmp rename to apparmor.d/groups/filesystem/ntfscmp index c5ecddc5f..db9a723d4 100644 --- a/apparmor.d/profiles-m-r/ntfscmp +++ b/apparmor.d/groups/filesystem/ntfscmp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/groups/filesystem/ntfscp similarity index 94% rename from apparmor.d/profiles-m-r/ntfscp rename to apparmor.d/groups/filesystem/ntfscp index 3beeb2b7a..f3bc38b6a 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/groups/filesystem/ntfscp @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/ntfscp +@{exec_path} = @{sbin}/ntfscp profile ntfscp @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/groups/filesystem/ntfsdecrypt similarity index 97% rename from apparmor.d/profiles-m-r/ntfsdecrypt rename to apparmor.d/groups/filesystem/ntfsdecrypt index e7ffe3188..63f771ed3 100644 --- a/apparmor.d/profiles-m-r/ntfsdecrypt +++ b/apparmor.d/groups/filesystem/ntfsdecrypt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/groups/filesystem/ntfsfallocate similarity index 97% rename from apparmor.d/profiles-m-r/ntfsfallocate rename to apparmor.d/groups/filesystem/ntfsfallocate index 670092820..80654cb7a 100644 --- a/apparmor.d/profiles-m-r/ntfsfallocate +++ b/apparmor.d/groups/filesystem/ntfsfallocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/groups/filesystem/ntfsfix similarity index 97% rename from apparmor.d/profiles-m-r/ntfsfix rename to apparmor.d/groups/filesystem/ntfsfix index 179b3b7a9..e840ed6c5 100644 --- a/apparmor.d/profiles-m-r/ntfsfix +++ b/apparmor.d/groups/filesystem/ntfsfix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/groups/filesystem/ntfsinfo similarity index 97% rename from apparmor.d/profiles-m-r/ntfsinfo rename to apparmor.d/groups/filesystem/ntfsinfo index 3156e7004..08b5bea43 100644 --- a/apparmor.d/profiles-m-r/ntfsinfo +++ b/apparmor.d/groups/filesystem/ntfsinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/groups/filesystem/ntfslabel similarity index 90% rename from apparmor.d/profiles-m-r/ntfslabel rename to apparmor.d/groups/filesystem/ntfslabel index 6eee15ef8..5d4089a44 100644 --- a/apparmor.d/profiles-m-r/ntfslabel +++ b/apparmor.d/groups/filesystem/ntfslabel @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/ntfslabel +@{exec_path} = @{sbin}/ntfslabel profile ntfslabel @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/groups/filesystem/ntfsls similarity index 97% rename from apparmor.d/profiles-m-r/ntfsls rename to apparmor.d/groups/filesystem/ntfsls index 56c2c28de..3badd08b2 100644 --- a/apparmor.d/profiles-m-r/ntfsls +++ b/apparmor.d/groups/filesystem/ntfsls @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/groups/filesystem/ntfsmove similarity index 97% rename from apparmor.d/profiles-m-r/ntfsmove rename to apparmor.d/groups/filesystem/ntfsmove index 876113c98..4c7ade080 100644 --- a/apparmor.d/profiles-m-r/ntfsmove +++ b/apparmor.d/groups/filesystem/ntfsmove @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/groups/filesystem/ntfsrecover similarity index 97% rename from apparmor.d/profiles-m-r/ntfsrecover rename to apparmor.d/groups/filesystem/ntfsrecover index 43de112c1..fff3e1b52 100644 --- a/apparmor.d/profiles-m-r/ntfsrecover +++ b/apparmor.d/groups/filesystem/ntfsrecover @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/groups/filesystem/ntfsresize similarity index 90% rename from apparmor.d/profiles-m-r/ntfsresize rename to apparmor.d/groups/filesystem/ntfsresize index e0e8f58d2..3eac37d70 100644 --- a/apparmor.d/profiles-m-r/ntfsresize +++ b/apparmor.d/groups/filesystem/ntfsresize @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/ntfsresize +@{exec_path} = @{sbin}/ntfsresize profile ntfsresize @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/groups/filesystem/ntfssecaudit similarity index 97% rename from apparmor.d/profiles-m-r/ntfssecaudit rename to apparmor.d/groups/filesystem/ntfssecaudit index ee38f60a0..a323a898d 100644 --- a/apparmor.d/profiles-m-r/ntfssecaudit +++ b/apparmor.d/groups/filesystem/ntfssecaudit @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/groups/filesystem/ntfstruncate similarity index 97% rename from apparmor.d/profiles-m-r/ntfstruncate rename to apparmor.d/groups/filesystem/ntfstruncate index c9dec413a..7f245ee07 100644 --- a/apparmor.d/profiles-m-r/ntfstruncate +++ b/apparmor.d/groups/filesystem/ntfstruncate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/groups/filesystem/ntfsundelete similarity index 91% rename from apparmor.d/profiles-m-r/ntfsundelete rename to apparmor.d/groups/filesystem/ntfsundelete index a01876961..9f68cba7a 100644 --- a/apparmor.d/profiles-m-r/ntfsundelete +++ b/apparmor.d/groups/filesystem/ntfsundelete @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/ntfsundelete +@{exec_path} = @{sbin}/ntfsundelete profile ntfsundelete @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/groups/filesystem/ntfsusermap similarity index 97% rename from apparmor.d/profiles-m-r/ntfsusermap rename to apparmor.d/groups/filesystem/ntfsusermap index acc6e8bbc..0cdfb9f71 100644 --- a/apparmor.d/profiles-m-r/ntfsusermap +++ b/apparmor.d/groups/filesystem/ntfsusermap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/groups/filesystem/ntfswipe similarity index 97% rename from apparmor.d/profiles-m-r/ntfswipe rename to apparmor.d/groups/filesystem/ntfswipe index 1471e1d27..9b64136bd 100644 --- a/apparmor.d/profiles-m-r/ntfswipe +++ b/apparmor.d/groups/filesystem/ntfswipe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/groups/filesystem/udiskie similarity index 54% rename from apparmor.d/profiles-s-z/udiskie rename to apparmor.d/groups/filesystem/udiskie index 505017bcd..53b726c23 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/groups/filesystem/udiskie @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,22 +11,20 @@ include profile udiskie @{exec_path} { include include - include - include + include include - include - include + include include - include include - include - include + include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, @@ -35,37 +33,9 @@ profile udiskie @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, - /etc/fstab r, - - # Allowed apps to open - @{bin}/spacefm rPx, - # Silencer deny @{lib}/** w, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/spacefm rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info similarity index 90% rename from apparmor.d/profiles-s-z/udiskie-info rename to apparmor.d/groups/filesystem/udiskie-info index aa359ef56..b59b91472 100644 --- a/apparmor.d/profiles-s-z/udiskie-info +++ b/apparmor.d/groups/filesystem/udiskie-info @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,9 +13,10 @@ profile udiskie-info @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount similarity index 90% rename from apparmor.d/profiles-s-z/udiskie-mount rename to apparmor.d/groups/filesystem/udiskie-mount index 7e72e9713..3ec9e422a 100644 
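Review bot: Replacing `@{bin}/xdg-open rCx -> open` with `@{open_path} rPx -> child-open` and deleting the local `open` child (second hunk) also drops the explicit `@{bin}/spacefm rPx` opener in both places, so what udiskie may launch is now entirely decided by the shared child-open profile, which is outside this diff. If spacefm was a deliberately allowed opener, confirm child-open covers it; otherwise this is a silent functional change that a one-line comment above the exec rule should record, e.g. `# Apps udiskie may open are governed by child-open`. The `deny @{lib}/** w` silencer is kept, which is fine.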
--- a/apparmor.d/profiles-s-z/udiskie-mount +++ b/apparmor.d/groups/filesystem/udiskie-mount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,9 +13,10 @@ profile udiskie-mount @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount similarity index 90% rename from apparmor.d/profiles-s-z/udiskie-umount rename to apparmor.d/groups/filesystem/udiskie-umount index 8dc30eb9a..01271bdc6 100644 --- a/apparmor.d/profiles-s-z/udiskie-umount +++ b/apparmor.d/groups/filesystem/udiskie-umount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,9 +13,10 @@ profile udiskie-umount @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/groups/filesystem/udisksctl similarity index 69% rename from apparmor.d/profiles-s-z/udisksctl rename to apparmor.d/groups/filesystem/udisksctl index a05cede9c..6ae685723 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/groups/filesystem/udisksctl @@ -3,21 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/udisksctl profile udisksctl @{exec_path} { include + include + include + + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd @{exec_path} mr, @{sh_path} rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /dev/tty rw, 
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/groups/filesystem/udisksd similarity index 72% rename from apparmor.d/profiles-s-z/udisksd rename to apparmor.d/groups/filesystem/udisksd index 365044702..91d4a8569 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,8 +11,6 @@ include profile udisksd @{exec_path} flags=(attach_disconnected) { include include - include - include include include @@ -21,6 +19,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability fowner, capability fsetid, + capability ipc_lock, capability net_admin, capability setgid, capability setuid, @@ -50,6 +49,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, + mount fstype=vfat -> @{efi}/, + # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, 
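Review bot: `capability ipc_lock,` is added to udisksd without any indication of which operation needs it, and it is the only capability in that list without an obvious disk-management reason. A why-comment keeps the next reviewer from removing or cargo-culting it, e.g. `capability ipc_lock,  # TODO(review): note which operation (mlock?) requires this`; if the need cannot be traced, the rule should stay out. The `mount fstype=vfat -> @{efi}/` rule in the third hunk is correctly paired with `umount @{efi}/` in the next hunk.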
@@ -58,36 +59,35 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, + umount @{efi}/, umount /media/cdrom@{int}/, - signal (receive) set=(int) peer=@{p_systemd}, + signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @{exec_path} mr, @{sh_path} rix, @{bin}/umount rix, - @{bin}/dmidecode rPx, - @{bin}/dumpe2fs rPx, + @{sbin}/dmidecode rPx, + @{sbin}/dumpe2fs rPx, @{bin}/eject rPx, - @{bin}/fsck.fat rPx, - @{bin}/lvm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPx, + @{sbin}/fsck.fat rPx, + @{sbin}/lvm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPx, @{bin}/mount.exfat-fuse rPUx, @{bin}/ntfs-3g rPx, @{bin}/ntfsfix rPx, - @{bin}/sfdisk rPx, - @{bin}/sgdisk rPx, + @{sbin}/sfdisk rPx, + @{sbin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, + @{bin}/xfs_* rPUx, /etc/crypttab r, /etc/fstab r, 
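Review bot: `@{bin}/xfs_* rPUx,` combines a wildcard with the unconfined fallback, so any binary matching `xfs_*` for which no profile exists runs unconfined from a root daemon; the neighbouring `@{sbin}/mkfs.* rPx` uses the fail-closed form. If profiles for the xfs tools exist in the tree, `@{bin}/xfs_* rPx,` is the safer form; if not, enumerating the tools udisksd actually calls (or adding a comment naming why the fallback is needed, as `@{sbin}/lvm rPUx` would also deserve) documents the exception. The `dbus send ... GetConnectionUnixUser` rule removed here is presumably covered by the new `#aa:dbus talk` directives, but that is generated outside this hunk and should be checked in the rendered profile.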
@@ -103,27 +103,35 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/ r, @{run}/mount/utab{,.*} rwk, @{run}/udisks2/{,**} rw, @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, + @{sys}/bus/pci/slots/@{int}/address r, + @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, @{sys}/class/nvme-subsystem/ r, @{sys}/class/nvme/ r, - @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, - @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw, + @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}@{int}/{,**/}uevent w, + @{sys}/devices/@{pci}/{ata,usb,mmc}@{int}/{,**/}remove rw, + @{sys}/devices/@{pci}/uevent rw, + @{sys}/devices/**/net/*/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop@{int}/uevent rw, 
diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/groups/filesystem/umount.udisks2 similarity index 88% rename from apparmor.d/profiles-s-z/umount.udisks2 rename to apparmor.d/groups/filesystem/umount.udisks2 index 2a6f7747d..752a1d5d3 100644 --- a/apparmor.d/profiles-s-z/umount.udisks2 +++ b/apparmor.d/groups/filesystem/umount.udisks2 @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/umount.udisks2 +@{exec_path} = @{sbin}/umount.udisks2 profile umount.udisks2 @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet new file mode 100644 index 000000000..bd144b7e2 --- /dev/null +++ b/apparmor.d/groups/firewall/firewall-applet @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/firewall-applet +profile firewall-applet @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/ r, + @{python_path} r, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cgroup r, + + owner @{user_config_dirs}/firewall/applet.conf rwkl, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/firewall/firewall-config b/apparmor.d/groups/firewall/firewall-config new file mode 100644 index 000000000..760a75200 --- /dev/null +++ b/apparmor.d/groups/firewall/firewall-config 
@@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/firewall-config +profile firewall-config @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + + /usr/share/firewalld/__pycache__/ rw, + + /usr/share/firewalld/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld new file mode 100644 index 000000000..57a0baa20 --- /dev/null +++ b/apparmor.d/groups/firewall/firewalld 
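Review bot: `/usr/share/firewalld/__pycache__/ rw,` ends with `/`, so it grants write only on the directory entry itself, not on the `.pyc` files Python would create inside it; as written it either does nothing useful or only allows creating and removing the directory. Either it should be `/usr/share/firewalld/__pycache__/{,*} rw,` if bytecode caching by the GUI is really intended, or it should be dropped, since a user-facing tool writing compiled code under `/usr/share` is not something the profile should encourage. A comment such as `# firewall-config runs as root and compiles its own modules` would record whichever is chosen.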
@@ -0,0 +1,80 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/firewalld +profile firewalld @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + capability dac_read_search, + capability mknod, + capability net_admin, + capability net_raw, + capability setpcap, + + network inet raw, + network inet6 raw, + network netlink raw, + + #aa:dbus own bus=system name=org.fedoraproject.FirewallD1 + + @{exec_path} mr, + @{python_path} r, + + @{bin}/ r, + @{sbin}/ r, + @{bin}/alts ix, + @{bin}/false ix, + @{bin}/kmod Cx -> kmod, + @{bin}/ebtables-legacy ix, + @{bin}/ebtables-legacy-restore ix, + @{sbin}/ipset ix, + @{sbin}/xtables-legacy-multi ix, + @{sbin}/xtables-nft-multi mix, + + /usr/local/lib/@{python_name}/dist-packages/ r, + + /usr/share/iproute2/{,**} r, + /usr/share/libalternatives/{,**} r, + + /etc/firewalld/{,**} rw, + /etc/iproute2/group r, + /etc/iproute2/rt_realms r, + + /var/lib/ebtables/lock rwk, + + /var/log/firewalld rw, + + @{run}/firewalld/{,*} rw, + @{run}/xtables.lock rwk, + + @{PROC}/sys/net/ipv{4,6}/ip_forward rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pids}/net/ip_tables_names r, + + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/nf_*/initstate r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/groups/firewall/nft similarity index 79% rename from apparmor.d/profiles-m-r/nft rename to apparmor.d/groups/firewall/nft index 50ee826cf..2392829c8 100644 --- a/apparmor.d/profiles-m-r/nft +++ b/apparmor.d/groups/firewall/nft 
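Review bot: The exec modes in firewalld are inconsistent with the ufw and ufw-init profiles added in the same commit: `@{bin}/kmod Cx -> kmod,`, `@{bin}/alts ix,` and `@{bin}/false ix,` omit the `r` that `@{bin}/kmod rCx -> kmod,` and the `rix` rules in ufw carry, and `@{sbin}/xtables-nft-multi mix,` is the only one with `m`. Normalizing to `rCx`/`rix` (and `rix` for xtables-nft-multi unless mmap-exec is actually needed) makes the three firewall profiles read the same way. The `kmod` child grants `capability sys_module` but shows no `@{bin}/kmod mr` rule; the include names were stripped in this view, so confirm the included abstraction provides the exec rule.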
@@ -3,11 +3,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/nft +@{exec_path} = @{sbin}/nft profile nft @{exec_path} { include include @@ -20,9 +20,11 @@ profile nft @{exec_path} { @{exec_path} mr, - owner /etc/iproute2/** r, + /usr/share/iproute2/{,**} r, - owner /etc/nftables/**.nft r, + /etc/iproute2/** r, + /etc/nftables.conf r, + /etc/nftables/{,**} r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw new file mode 100644 index 000000000..39517ee6c --- /dev/null +++ b/apparmor.d/groups/firewall/ufw 
@@ -0,0 +1,90 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 EricLin +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/ufw +profile ufw @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability dac_read_search, + capability net_admin, + capability net_raw, + capability sys_ptrace, + + network inet dgram, + network inet raw, + network inet6 dgram, + network inet6 raw, + network netlink raw, + + ptrace read, + + @{exec_path} mr, + + @{python_path} rix, + @{sbin}/ r, + @{bin}/cat rix, + @{bin}/env r, + @{bin}/kmod rCx -> kmod, + @{lib}/ufw/ufw-init rPx, + @{sbin}/sysctl rCx -> sysctl, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rix, + + /etc/default/ufw rw, + /etc/ufw/ rw, + /etc/ufw/** rwk, + + @{run}/xtables.lock rwk, + owner @{run}/ufw.lock rwk, + + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8} rw, + owner /var/tmp/@{word8} rw, + owner /var/tmp/tmp@{word8} rw, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, + + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init new file mode 100644 index 000000000..fcb9d8b6c --- /dev/null +++ b/apparmor.d/groups/firewall/ufw-init 
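Review bot: `ptrace read,` has no `peer=`, so combined with `capability sys_ptrace` the ufw profile may read the state of every process on the host, which is much broader than a firewall front-end needs. If the intent is only to read its own or its parent's `/proc` entries, scope it, e.g. `ptrace read peer=@{profile_name},` or a named peer; otherwise a comment stating which ufw operation needs unscoped ptrace should accompany the rule. Separately, `@{PROC}/sys/net/ipv{4,6}/** rw,` appears both in the main profile and in the `sysctl` child, so the child confinement does not actually limit sysctl writes; if ufw writes these directly from Python the duplication is needed and should say so, otherwise drop the main-profile copy.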
@@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ufw/ufw-init +profile ufw-init @{exec_path} { + include + include + + capability dac_override, + capability dac_read_search, + capability net_admin, + capability net_raw, + + network inet dgram, + network inet raw, + network inet6 dgram, + network inet6 raw, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/echo rix, + @{sbin}/sysctl rCx -> sysctl, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rix, + @{bin}/kmod rCx -> kmod, + + /etc/default/ufw r, + /etc/ufw/* r, + + @{run}/xtables.lock rwk, + + @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/sys/kernel/modprobe r, + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/x_tables/initstate r, + + include if exists + } + + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/groups/flatpak/flatpak similarity index 52% rename from apparmor.d/profiles-a-f/flatpak rename to apparmor.d/groups/flatpak/flatpak index 4d3220a08..341db555e 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,14 +11,14 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include + include include include include include include - # userns, + userns, capability dac_override, capability dac_read_search, 
@@ -35,6 +35,28 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain ptrace (read) peer=flatpak-app, + signal send peer=flatpak-app, + + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak//fusermount), + + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + + #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper + #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + + dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper + interface=org.freedesktop.Flatpak.SystemHelper + member=GetRevokefsFd + peer=(name=org.freedesktop.Flatpak.SystemHelper), + @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, 
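Review bot: The `dbus send ... member=GetRevokefsFd peer=(name=org.freedesktop.Flatpak.SystemHelper)` rule pins the peer by bus name only, while every other peer in this hunk is also pinned by `label=` and the same hunk already uses `label=flatpak-system-helper` in the `unix type=seqpacket` rule and the `#aa:dbus talk` directive. Adding `label=flatpak-system-helper` to the peer keeps the rule from being satisfied by any process that manages to hold that bus name: `peer=(name=org.freedesktop.Flatpak.SystemHelper, label=flatpak-system-helper),`. The `ReloadConfig` call to `dbus-session//&unconfined` is a stacked-label peer, which is worth a one-line comment since it differs from the plain labels used elsewhere.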
@@ -44,35 +66,54 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgsm rCx -> gpg, @{lib}/revokefs-fuse rix, + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + @{lib}/polkit-agent-helper-[0-9] rPx, + /usr/share/flatpak/{,**} r, /etc/flatpak/{,**} r, /etc/pulse/client.conf r, - / r, + @{att}/ r, /var/lib/flatpak/{,**} rwlk, /var/tmp/#@{int} rw, /var/tmp/flatpak-cache-@{rand6}/{,**/} r, - owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk, + owner /var/tmp/flatpak-cache-@{rand6}/ rw, + owner /var/tmp/flatpak-cache-@{rand6}/** rwlk -> /var/tmp/flatpak-cache-@{rand6}/**, owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + # Can create dotfile directories for any app + owner @{user_cache_dirs}/*/ w, + owner @{user_config_dirs}/*/ w, + owner @{user_share_dirs}/*/ w, + owner @{user_games_dirs}/{,**/} w, + owner @{user_documents_dirs}/ w, + + @{user_config_dirs}/dconf/user r, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, @{user_share_dirs}/flatpak/{,**} r, owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/flatpak/{,**} rwl, + owner @{user_share_dirs}/flatpak/ rw, + owner @{user_share_dirs}/flatpak/** rwlk, - /tmp/#@{int} rw, + owner @{tmp}/#@{int} rw, + owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, + owner @{tmp}/remote-summary-sig.@{rand6} rw, + owner @{tmp}/remote-summary.@{rand6} rw, owner /dev/shm/flatpak*/{,**} rw, - owner @{tmp}/ostree-gpg-*/{,**} rw, - @{run}/.userns r, + @{run}/.userns r, + @{att}/@{run}/.userns r, + @{run}/user/@{uid}/.dbus-proxy/ w, @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/.dbus-proxy/* rw, 
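Review bot: `@{user_config_dirs}/dconf/user r,` and `@{run}/user/@{uid}/dconf/user rw,` are not `owner`-qualified, unlike the surrounding `owner @{user_cache_dirs}/...`, `owner @{user_config_dirs}/pulse/client.conf r` and `owner @{tmp}/...` rules in the same hunk; `owner @{user_config_dirs}/dconf/user r,` and `owner @{run}/user/@{uid}/dconf/user rw,` would match the hunk's own convention. The two polkit helper rules use `[0-9]` where the rest of this commit uses `@{int}` (`@{lib}/polkit-@{int}/polkit-agent-helper-@{int} rPx,`). The "Can create dotfile directories for any app" block is correctly commented, which is the right pattern for the widening it introduces.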
@@ -93,7 +134,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /dev/tty rw, /dev/tty@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, profile gpg { include @@ -101,36 +142,34 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability dac_read_search, - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpgsm mr, + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + @{bin}/gpg-agent rix, + @{lib}/gnupg/scdaemon rix, @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner @{tmp}/ostree-gpg-*/ rw, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-@{rand6}/ rw, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, + + owner @{PROC}/@{pid}/fd/ r, include if exists } profile fusermount { include - include - include + include - capability sys_admin, + capability setuid, + + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak), mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app similarity index 83% rename from apparmor.d/profiles-a-f/flatpak-app rename to apparmor.d/groups/flatpak/flatpak-app index 41d72d143..e6be7ef4f 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app 
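Review bot: In the `profile fusermount` hunk `capability sys_admin,` is replaced by `capability setuid,` while the `mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,` and `umount` rules stay; mount(2) still requires CAP_SYS_ADMIN, so unless one of the newly included abstractions (their targets are not legible in this rendering) grants it, the revokefs mount will fail at the capability check rather than at the mount rule. The removed `@{bin}/fusermount{,3} mr,`, `/etc/fuse.conf r,` and `/dev/fuse rw,` lines have the same dependency on that include. Worth confirming against the abstraction, and a comment such as `# capabilities, fusermount binary and /dev/fuse come from the included abstraction` would record the intent.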
@@ -3,11 +3,11 @@ # SPDX-License-Identifier: GPL-2.0-only # Default profile for all flatpak applications. Ideally, this profile should be -# generated by flatpak itself with settings from the flatpak manifest and +# generated by flatpak itself with settings from the flatpak manifest and # fully separated from bwrap. # Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order -# to separate bwrap from the sandboxed app itself. It was generating issue with +# to separate bwrap from the sandboxed app itself. It was generating issue with # zypak-sandbox, therefore the profiles have been merged. Meanwhile, to install # some applications, flatpak needs write access to the sandbox content. This is # done through bwrap and therefore in this profile. @@ -15,10 +15,10 @@ # 1. All of this will have to be improved. However, as of today, it is the only # way to not break some (major) flatpak app. # 2. It is not a big deal as flatpak is responsible for the sandbox anyway. -# This this only defence in depth. +# This this only defence in depth. # 3. The main purpose of this profile is to ensure all processes are confined. -abi , +abi , include @@ -39,12 +39,18 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { network inet6 stream, network netlink dgram, network netlink raw, + network unix stream, - ptrace (read), + ptrace read, ptrace trace peer=flatpak-app, - signal (receive) set=(int) peer=flatpak-portal, - signal (receive) set=(int) peer=flatpak-session-helper, + signal receive peer=flatpak, + signal receive set=(int term) peer=flatpak-portal, + signal receive set=(int term) peer=flatpak-session-helper, + + unix type=seqpacket peer=(label=dbus-session), + # unix type=seqpacket peer=(label=unconfined), + unix type=seqpacket peer=(label=xdg-dbus-proxy), @{bin}/** rmix, @{lib}/** rmix, 
@@ -55,6 +61,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/*/**/@{bin}/** rmix, /var/lib/flatpak/app/*/**/@{lib}/** rmix, + @{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm, + @{run}/flatpak/app/*/**so* rm, @{run}/parent/@{bin}/** rmix, @{run}/parent/@{lib}/** rmix, @{run}/parent/app/** rmix, @@ -78,9 +86,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - /var/tmp/etilqs_@{hex16} rw, - @{run}/.userns r, + owner @{att}/@{HOME}/.var/app/** rwlkmix, + @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, @@ -88,8 +96,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/flatpak/app/** rw, owner @{run}/flatpak/doc/** rw, owner @{run}/ld-so-cache-dir/* rw, - owner @{run}/user/@{uid}/*.kioworker.socket r, - owner @{run}/user/@{uid}/#@{int} rwl, + owner @{run}/user/ r, + + /dev/ntsync r, include if exists include if exists diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/groups/flatpak/flatpak-oci-authenticator similarity index 97% rename from apparmor.d/profiles-a-f/flatpak-oci-authenticator rename to apparmor.d/groups/flatpak/flatpak-oci-authenticator index 9b379b55d..be6c7b320 100644 --- a/apparmor.d/profiles-a-f/flatpak-oci-authenticator +++ b/apparmor.d/groups/flatpak/flatpak-oci-authenticator @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal similarity index 63% rename from apparmor.d/profiles-a-f/flatpak-portal rename to apparmor.d/groups/flatpak/flatpak-portal index 570a3ea8c..97f9f4911 100644 --- a/apparmor.d/profiles-a-f/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal 
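Review bot: `@{run}/flatpak/app/*/**so* rm,` matches any path under the app runtime directory whose last component contains the letters `so` anywhere (`**` spans directories and `so*` is not anchored to an extension), and `m` grants executable mapping on it. If the intent is shared objects the app drops there (the neighbouring Chromium rule suggests memfd-style names), `@{run}/flatpak/app/*/**.so* rm,` pins it to the extension while keeping the directory wildcard.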
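Review bot: `owner @{att}/@{HOME}/.var/app/** rwlkmix,` combines write with `m` and `ix` on the app's own data directory, so anything the app writes there it can also map and execute under the same profile. The file header already states this profile is defence in depth and that flatpak owns the sandbox, so the rule fits the stated design, but it deserves a comment naming which applications require it — e.g. `# Needed by <app>: runs code from its own data dir` — so it is neither broadened further nor narrowed by mistake later.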
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,9 @@ include profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include + include + include + include include capability sys_ptrace, @@ -22,23 +25,24 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/flatpak rPx, - /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, + owner /att/**/ r, + owner @{att}/.flatpak-info r, - / r, - /.flatpak-info r, - - owner @{HOME}/.var/app/*/**/.ref rw, - owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper similarity index 68% rename from apparmor.d/profiles-a-f/flatpak-session-helper rename to apparmor.d/groups/flatpak/flatpak-session-helper index d27d0c24a..8a8f5afb7 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
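Review bot: `owner /att/**/ r,` hard-codes the disconnected-path prefix while the very next line and the rest of the commit use the variable (`owner @{att}/.flatpak-info r,`, `@{att}/ r,` in flatpak). If `@{att}` expands to `/att/` when the disconnected path is set, `owner @{att}/**/ r,` is equivalent and survives a future change of the variable; if the literal is deliberate because `@{att}` is defined more narrowly, a comment should say so. The pipewire hunk later in this diff (`/att/**/ r,`) has the same literal.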
@@ -10,40 +10,56 @@ include profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { include include + include include include include - include - signal (send) set=(hup int) peer=user_unconfined, - signal (send) set=(int) peer=@{p_systemd}, - signal (send) set=(int) peer=flatpak-app, + signal send set=(hup int) peer=user_unconfined, + signal send set=(int) peer=@{p_systemd}, + signal send set=(int) peer=flatpak-app, #aa:dbus own bus=session name=org.freedesktop.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{shells_path} rUx -> user_unconfined, @{bin}/dbus-monitor rPUx, @{bin}/env rix, @{bin}/flatpak rPx, - @{bin}/test rix, @{bin}/getent rix, @{bin}/p11-kit rix, - @{bin}/pkexec rPx, # TODO: too wide, rCx. + @{bin}/pkexec rCx -> pkexec, + @{bin}/printenv rix, @{bin}/ps rPx, + @{bin}/test rix, + @{bin}/touch rix, @{lib}/p11-kit/p11-kit-remote rix, @{lib}/p11-kit/p11-kit-server rix, /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app, /var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app, + owner @{user_config_dirs}/mimeapps.list w, + owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, - + owner @{PROC}/@{pids}/fd/ r, /dev/ptmx rw, + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper similarity index 63% rename from apparmor.d/profiles-a-f/flatpak-system-helper rename to apparmor.d/groups/flatpak/flatpak-system-helper index 81a1231cb..0bd74bdcb 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper 
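Review bot: `owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,` already matches everything the following line grants, so `owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw,` is now dead and can be dropped (or the wide rule reduced to `{,**/}` if only directory creation was needed). `owner @{user_config_dirs}/mimeapps.list w,` grants write without read; if the helper rewrites that file in place it will normally read it first, so `rw` may be needed — check an audit log rather than guess. The new `profile pkexec {` child contains only include lines whose targets are not legible here, so its rule set cannot be reviewed; a comment on what the helper invokes pkexec for would help the next reader.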
@@ -2,19 +2,23 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/flatpak-system-helper profile flatpak-system-helper @{exec_path} { include + include + include + include include include include capability chown, capability dac_override, + capability dac_read_search, capability fowner, capability net_admin, capability setgid, @@ -22,9 +26,15 @@ profile flatpak-system-helper @{exec_path} { capability sys_nice, capability sys_ptrace, - ptrace (read), + ptrace read, + + unix type=seqpacket peer=(label=dbus-system), + unix type=seqpacket peer=(label=flatpak), + unix type=seqpacket peer=(label=flatpak//fusermount), + unix type=seqpacket peer=(label=unconfined), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, @@ -37,17 +47,21 @@ profile flatpak-system-helper @{exec_path} { /etc/flatpak/{,**} r, /etc/machine-id r, - /usr/share/mime/mime.cache r, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, owner /{var/,}tmp/#@{int} rw, - owner /{var/,}tmp/ostree-gpg-*/ rw, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - @{PROC}/@{pid}/stat r, + @{tmp}/remote-summary-sig.@{rand6} r, + @{tmp}/remote-summary.@{rand6} r, + + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, 
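Review bot: `#aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon` spells the peer label as a literal, whereas the same directive in the flatpak hunk uses the variable form `label="@{p_accounts_daemon}"`; the polkit-kde hunk later in this diff (`label=polkitd` versus flatpak's `label="@{p_polkitd}"`) has the same split. If the `@{p_*}` variables exist to follow profile renames, the literal forms will silently stop matching when that happens, so `label="@{p_accounts_daemon}"` here and `label="@{p_polkitd}"` there keep the three files consistent. Separately, `unix type=seqpacket peer=(label=unconfined),` is the broadest of the four new unix rules; a comment naming the unconfined client that needs it would make the exception reviewable.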
@@ -62,8 +76,8 @@ profile flatpak-system-helper @{exec_path} { @{lib}/{,gnupg/}scdaemon rix, @{bin}/gpg-agent rix, - owner @{tmp}/ostree-gpg-*/ r, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-@{rand6}/ r, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/groups/flatpak/flatpak-validate-icon similarity index 96% rename from apparmor.d/profiles-a-f/flatpak-validate-icon rename to apparmor.d/groups/flatpak/flatpak-validate-icon index 7669bb1e6..41701a5ff 100644 --- a/apparmor.d/profiles-a-f/flatpak-validate-icon +++ b/apparmor.d/groups/flatpak/flatpak-validate-icon @@ -2,7 +2,7 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 4f2e8b64c..85e277198 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -21,24 +21,19 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability sys_ptrace, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, #aa:dbus own bus=system name=org.freedesktop.Accounts - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/cat rix, @{bin}/chage rPx, @{bin}/passwd rPx, - @{bin}/chpasswd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/chpasswd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, @{bin}/locale rPUx, /usr/share/language-tools/language-validate rPx, @@ -58,24 +53,23 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { /etc/shells r, /etc/sysconfig/displaymanager r, + /var/log/wtmp r, + owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, @{HOME}/ r, owner @{HOME}/.pam_environment r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pids}/loginuid r, - @{PROC}/@{pids}/cmdline r, + owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/loginuid r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - - # wtmp.d ? - /var/log/wtmp r, - - owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/loginuid rw, include if exists } diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/groups/freedesktop/boltd similarity index 90% rename from apparmor.d/profiles-a-f/boltd rename to apparmor.d/groups/freedesktop/boltd index 47c16d1cd..5b72f8427 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -25,9 +25,9 @@ profile boltd @{exec_path} flags=(attach_disconnected) { owner @{run}/boltd/{,**} rw, - @{run}/systemd/notify rw, - @{run}/systemd/journal/socket w, - @{run}/udev/data/+thunderbolt:* r, + @{att}/@{run}/systemd/notify w, + + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{sys}/bus/ r, @{sys}/bus/thunderbolt/devices/ r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index f20cebeb7..c069b7afd 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,11 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include - include include + include + include include + include include network inet dgram, @@ -22,12 +24,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.ColorManager - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mrix, + @{lib}/colord-sane ix, /etc/machine-id r, /etc/sane.d/{,**} r, @@ -35,11 +33,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, - @{system_share_dirs}/mime/mime.cache r, - owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, 
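Review bot: `@{lib}/colord-sane ix,` is the only exec rule in the colord hunk written without `r`; the line above it is `@{exec_path} mrix,` and every other exec rule in this commit uses `rix`/`rPx`. `ix` alone should permit the execve, but any later open of the binary for reading by the confined process is denied, so `@{lib}/colord-sane rix,` matches the file's convention. Because `ix` keeps colord-sane inside the colord profile, the scanner helper inherits every colord rule; a child profile would be the least-privilege option, though that is a larger change than this commit.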
@@ -49,10 +44,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{desktop_share_dirs}/icc/edid-*.icc r, - @{user_share_dirs}/icc/edid-*.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, - @{run}/systemd/journal/socket rw, @{run}/systemd/sessions/* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @@ -62,9 +56,11 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, @{sys}/devices/@{pci}/{vendor,model,type} r, - @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/parport@{int}/base-addr r, diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session index e61063bda..16c109970 100644 --- a/apparmor.d/groups/freedesktop/colord-session +++ b/apparmor.d/groups/freedesktop/colord-session @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index 0b1d0ead3..2d58faffe 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -28,19 +28,13 @@ profile cpupower @{exec_path} { @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r, @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/ r, @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/** r, - - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{min,max}_freq rw, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_setspeed rw, - @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state[0-9]/disable rw, - - @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r, - + @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw, @{sys}/devices/system/cpu/cpu@{int}/online r, + @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, /dev/cpu/@{int}/msr r, - profile kmod { include include diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 6abd28da3..20b453df4 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include + include include capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor index 00d6553ec..3fdbb8b65 100644 --- a/apparmor.d/groups/freedesktop/dconf-editor +++ b/apparmor.d/groups/freedesktop/dconf-editor @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index 120ff3920..da950506a 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service 
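Review bot: `@{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,` replaces four rules that named exactly the writable knobs (`scaling_{min,max}_freq`, `scaling_governor`, `scaling_setspeed`) with write access to every attribute of each policy directory. Read access to the whole tree is already granted two lines up (`@{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,`), so the only thing the new rule adds is `w` on attributes cpupower has no reason to write (`cpuinfo_*`, `affected_cpus`, `related_cpus`). `@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_* rw,` keeps the simplification without the extra write scope.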
@@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,dconf/}dconf-service profile dconf-service @{exec_path} flags=(attach_disconnected) { include + include include include @@ -38,8 +39,6 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/desktop-file-install b/apparmor.d/groups/freedesktop/desktop-file-install index 269a6b39a..aa9ccae1b 100644 --- a/apparmor.d/groups/freedesktop/desktop-file-install +++ b/apparmor.d/groups/freedesktop/desktop-file-install @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index 3fbd77be0..128a4708b 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,6 +26,8 @@ profile fc-cache @{exec_path} { /var/tmp/mkinitramfs_*/{**,} rwl, + owner @{user_cache_dirs}/ w, + # Silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list index cd31a79de..6254b2456 100644 --- a/apparmor.d/groups/freedesktop/fc-list +++ b/apparmor.d/groups/freedesktop/fc-list @@ -3,13 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/fc-list +@{exec_path} = @{bin}/fc-list @{bin}/fc-match @{bin}/fc-pattern profile fc-list @{exec_path} { include + include include include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index e5d86092a..04eeba521 100644 --- a/apparmor.d/groups/freedesktop/geoclue 
+++ b/apparmor.d/groups/freedesktop/geoclue @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,12 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { include include include - include include include + include + include + include + include include include include @@ -26,23 +29,14 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.GeoClue2 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, /var/lib/nscd/services r, /var/lib/dbus/machine-id r, - @{run}/systemd/journal/socket rw, - @{PROC}/@{pids}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index c8ab6b2b8..1201e1277 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/pacat b/apparmor.d/groups/freedesktop/pacat new file mode 100644 index 000000000..8329b7924 --- /dev/null +++ b/apparmor.d/groups/freedesktop/pacat 
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pacat +profile pacat @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_music_dirs}/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index f8385a89b..04b08ecc4 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,8 +14,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include + include include - include capability sys_ptrace, @@ -25,11 +26,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.pulseaudio.Server - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -44,19 +40,20 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, - / r, - /.flatpak-info r, + / r, + /att/**/ r, + owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, owner @{tmp}/librnnoise-@{int}.so rm, + @{run}/snapd.socket rw, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, - @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, 
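Review bot: `@{run}/snapd.socket rw,` in the pipewire hunk is a new connection to the snapd REST API socket and the only rule there that reaches outside the audio stack, yet nothing in the hunk says why pipewire needs it. A comment such as `# Asks snapd about the confinement of snap clients` (presumably — confirm against the pipewire source or an audit log) would make the exception reviewable. If only connecting is required, `w` on the socket path is enough, as the boltd hunk in this same diff does with `@{att}/@{run}/systemd/notify w,`.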
@@ -65,13 +62,11 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,removable,uevent} r, @{sys}/devices/**/device:*/**/path r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, - @{sys}/module/apparmor/parameters/enabled r, # deny ? + @{sys}/module/apparmor/parameters/enabled r, + owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index f316df3b0..83ee32baa 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,20 +14,15 @@ profile pipewire-media-session @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, network bluetooth stream, network netlink raw, - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetConnectionUnixProcessID - peer=(name=org.freedesktop.DBus, label=dbus-session), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index a0026b4e1..e6e6e59c5 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,15 +11,21 @@ include profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include + include + include + include include capability sys_ptrace, - ptrace (read), + ptrace read, + + #aa:dbus own bus=session name=org.pulseaudio.Server @{exec_path} mr, @{bin}/pactl rix, + @{bin}/pipewire mr, /usr/share/pipewire/{,**} r, @@ -28,8 +34,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - / r, - /.flatpak-info r, + @{att}/ r, + owner @{att}/.flatpak-info r, owner @{run}/user/@{uid}/pulse/pid w, owner @{tmp}/librnnoise-@{int}.so rm, @@ -38,6 +44,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/module/apparmor/parameters/enabled r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities new file mode 100644 index 000000000..778dd131c --- /dev/null +++ b/apparmor.d/groups/freedesktop/pkla-admin-identities @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pkla-admin-identities +profile pkla-admin-identities @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/polkit-1/localauthority.conf.d/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pkla-check-authorization b/apparmor.d/groups/freedesktop/pkla-check-authorization new file mode 100644 index 000000000..ff5b72f71 --- /dev/null +++ b/apparmor.d/groups/freedesktop/pkla-check-authorization 
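Review bot: `#aa:dbus own bus=session name=org.pulseaudio.Server` now appears in both pipewire-pulse (this hunk) and pipewire (unchanged context in the pipewire hunk above), so two profiles are declared owner of the same session name. Only one process owns it at runtime; if pipewire-pulse is the real owner the pipewire copy can go, otherwise a comment should record which binary owns the name in which setup. `@{bin}/pipewire mr,` grants map-only access to the pipewire binary; if pipewire-pulse is ever a wrapper that execs pipewire (distribution-dependent — confirm), an `ix`/`Px` rule will be needed instead of `mr`.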
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pkla-check-authorization +profile pkla-check-authorization @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth index 278c09aea..327eca3e5 100644 --- a/apparmor.d/groups/freedesktop/plymouth +++ b/apparmor.d/groups/freedesktop/plymouth @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index e5440d614..da13572e5 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/plymouth-set-default-theme +@{exec_path} = @{sbin}/plymouth-set-default-theme profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { include include @@ -15,7 +15,7 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/plymouth rPx, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 16e87a50d..0a2390661 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd 
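Review bot: The new `profile pkla-check-authorization` grants only `@{exec_path} mr,` plus one include whose target is not legible here, so the `.pkla` files the tool evaluates are not covered. Those live under the local-authority directories (presumably `/etc/polkit-1/localauthority/` and `/var/lib/polkit-1/localauthority/` — confirm with an audit log), so rules like `/etc/polkit-1/localauthority/{,**} r,` and `/var/lib/polkit-1/localauthority/{,**} r,` are likely needed. The sibling `pkla-admin-identities` profile in the previous hunk already carries `/etc/polkit-1/localauthority.conf.d/{,**} r,`, which suggests the same pattern was intended here.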
@@ -2,16 +2,17 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/plymouthd +@{exec_path} = @{sbin}/plymouthd profile plymouthd @{exec_path} { include include include include + include capability checkpoint_restore, capability dac_override, @@ -42,6 +43,7 @@ profile plymouthd @{exec_path} { /etc/vconsole.conf r, /var/lib/plymouth/{,**} rw, + /var/log/plymouth-*.log w, @{run}/plymouth/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index 71709ed4f..bb48d0c5b 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,11 +12,19 @@ include @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1 profile polkit-gnome-authentication-agent @{exec_path} { include + include + include + include include include + signal (send) set=(term) peer=polkit-agent-helper, + @{exec_path} mr, + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + @{lib}/polkit-agent-helper-[0-9] rPx, + @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 7754ee09f..8a08f02d0 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include include include include 
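Review bot: `signal (send) set=(term) peer=polkit-agent-helper,` in the polkit-gnome-authentication-agent hunk uses the parenthesised access form that this same commit normalises away elsewhere (`signal send set=(hup int) peer=user_unconfined,` in flatpak-session-helper, `ptrace read,` in several files); write it as `signal send set=(term) peer=polkit-agent-helper,` for consistency. The two `rPx` rules for `polkit-agent-helper-[0-9]` mirror the ones added to flatpak, so that profile is now reached from three callers; a short comment on why the agent signals the helper (presumably to cancel an in-progress authentication — confirm) would help.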
@@ -26,22 +28,25 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, signal (send) set=(term, kill) peer=polkit-agent-helper, + #aa:dbus own bus=session name=org.kde.polkit-kde-authentication-agent-@{int} + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /etc/machine-id r, + /etc/xdg/plasmarc r, /var/lib/dbus/machine-id r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/ rw, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk, owner link @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** -> @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/**, owner @{user_cache_dirs}/qtshadercache-*/* r, - + owner @{tmp}/#@{int} rw, owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, # owner /tmp/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent index 762882b74..0dfea7525 100644 --- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,13 +11,9 @@ include profile polkit-mate-authentication-agent @{exec_path} { include include - include - include + include include - include - include - include - include + include include signal (send) set=(term, kill) peer=polkit-agent-helper, 
@@ -26,19 +22,15 @@ profile polkit-mate-authentication-agent @{exec_path} { @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /usr/share/X11/xkb/** r, - /var/lib/dbus/machine-id r, /etc/machine-id r, - owner @{HOME}/.Xauthority r, - - owner /dev/tty@{int} rw, - @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 0bb878ab6..206958062 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,17 +14,21 @@ profile pulseaudio @{exec_path} { include include include - include - include include include + include + include + include + include + include include include + include include include - include include include + include include ptrace (trace) peer=@{profile_name}, @@ -47,26 +51,11 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=:*, label=avahi-daemon), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=ItemRemove - peer=(name=:*, label=avahi-daemon), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member={Found,Free} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, 
@@ -78,12 +67,15 @@ profile pulseaudio @{exec_path} { /etc/pulse/{,**} r, + / r, + owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/pulse/{,**} rw, - owner @{desktop_config_dirs}/pulse/cookie k, + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/pulse/{,**} rw, + owner @{desktop_config_dirs}/pulse/cookie k, + owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, owner @{user_config_dirs}/pulse/{,**} rw, @@ -102,7 +94,6 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, - @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, @@ -110,9 +101,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/cmdline r, - /dev/media@{int} r, - /dev/video@{int} rw, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index e070bff2f..90be74ecf 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ include profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include include + include include capability dac_override, @@ -24,6 +25,8 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { @{system_share_dirs}/applications/.mimeinfo.cache.* rw, @{system_share_dirs}/applications/mimeinfo.cache w, + /usr/share/byobu/desktop/* r, + /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, /var/lib/snapd/desktop/applications/mimeinfo.cache w, 
diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 778af218c..9efd9cccc 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 0428aebfc..83652914f 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -3,16 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/upower profile upower @{exec_path} { include + include + include - # Needed? - audit capability sys_nice, + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index d57efafc4..201e49f3c 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,8 +11,9 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include - include + include include + include include network netlink raw, 
@@ -27,20 +28,21 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/ r, # Lists all udev data files + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+serio:* r, # for serial mice + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c116:@{int} r, # for ALSA - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/hid/devices/ r, @{sys}/class/input/ r, 
@@ -49,12 +51,13 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{sys}/class/sound/ r, @{sys}/devices/ r, @{sys}/devices/**/capabilities/* r, + @{sys}/devices/**/leds/**/brightness rw, + @{sys}/devices/**/leds/**/brightness_hw_changed r, + @{sys}/devices/**/leds/**/max_brightness r, @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, - @{sys}/devices/platform/**/leds/**/brightness rw, - @{sys}/devices/platform/**/leds/**/brightness_hw_changed r, - @{sys}/devices/platform/**/leds/**/max_brightness r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r, /dev/input/event* r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/groups/freedesktop/wireplumber similarity index 64% rename from apparmor.d/profiles-s-z/wireplumber rename to apparmor.d/groups/freedesktop/wireplumber index 146408bc7..90eb46dc4 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -2,35 +2,43 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wireplumber profile wireplumber @{exec_path} { include - include include include include + include include - include + include + include include + include include - include + include network bluetooth raw, network bluetooth seqpacket, network bluetooth stream, network netlink raw, - dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0, + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} + #aa:dbus own bus=session name=org.pipewire.Telephony dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/midi{,server@{int}} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label="@{p_bluetoothd}"), + @{exec_path} mr, /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, 
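Review bot: `@{sys}/devices/**/leds/**/brightness rw,` widens the former `@{sys}/devices/platform/**/leds/**/brightness rw,` from platform LEDs to every LED under sysfs, so upowerd may now write the brightness of LEDs attached on any bus (USB/HID peripherals included), and nothing in the hunk records why. If the motivation is keyboard-backlight LEDs that are registered under a non-platform parent, a comment above the three `leds` rules, such as `# Keyboard backlights are not always under devices/platform (e.g. HID devices) — confirm`, would document the broader write. The two read-only companions (`brightness_hw_changed`, `max_brightness`) are harmless at the wider scope; it is the `rw` rule that merits the note. profile upowerd begins before this hunk and continues after it.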
@@ -41,8 +49,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + owner @{desktop_state_dirs}/ w, + owner @{desktop_state_dirs}/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, @@ -50,29 +58,37 @@ profile wireplumber @{exec_path} { owner @{user_config_dirs}/wireplumber/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + + /dev/shm/lttng-ust-wait-@{int} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) - @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/media/devices/ r, - @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, - @{sys}/devices/**/device:*/**/path r, + @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/1/cgroup r, + @{PROC}/1/status r, + @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, + /dev/udmabuf rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/wmname b/apparmor.d/groups/freedesktop/wmname new file mode 100644 index 000000000..1d2c7aa23 --- /dev/null +++ b/apparmor.d/groups/freedesktop/wmname 
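Review bot: `@{PROC}/@{pid}/cmdline r,` in the second wireplumber hunk has no `owner` prefix, so it allows reading the command line of every process, unlike the `owner @{PROC}/@{pid}/cgroup r,` added right after it. If wireplumber only inspects itself, `owner @{PROC}/@{pid}/cmdline r,` is the narrower rule; if it really reads other processes' cmdline (which ones is not visible here), a short comment naming them would stop the rule being tightened by mistake later. The same owner question applies to the non-owner `/dev/shm/lttng-ust-wait-@{int} rw,` that sits beside two owner-qualified variants of the same path. profile wireplumber begins before this hunk.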
@@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wmname +profile wmname @{exec_path} { + include + include + + @{exec_path} mr, + owner @{HOME}/.Xauthority r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 6a4da425e..031f03ac4 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy 
@@ -2,33 +2,41 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include - include + include + include include include - include - include + include include include - include + include + + network unix stream, + + #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal + #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime - member=MakeThreadRealtimeWithPID + member=MakeThread* peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), @{exec_path} mr, - owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{att}/@{HOME}/.var/app/** r, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, + owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index 7379369e1..a6200a2b2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon 
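Review bot: `owner @{att}/@{HOME}/.var/app/** r,` gives xdg-dbus-proxy read access to the private data of every Flatpak application, and it subsumes the read half of the two narrower rules kept below it (`.../logs/* rw,` and `.../usr/.ref rw,` now only add write). If the proxy reads a few known files inside the app directory, listing them is preferable; if the broad read is needed because the proxy runs inside the app sandbox and sees the app data as its own (not visible from the profile), a comment above the rule such as `# Runs inside the app sandbox; reads the app's own data dir — confirm` would explain it. The change from `member=MakeThreadRealtimeWithPID` to `member=MakeThread*` matches every MakeThread* method of the Realtime portal, and a reader of the profile alone cannot tell which is exercised, so the same one-line why-comment applies there. profile xdg-dbus-proxy continues beyond the end of the hunk.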
@@ -2,15 +2,46 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-desktop-icon profile xdg-desktop-icon @{exec_path} { include + include - @{exec_path} mr, + @{exec_path} r, + + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/mkdir ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, + + # To get DE information + @{bin}/kde{,4}-config ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/xprop Px, + + profile bus flags=(complain) { + include + include + include + + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index 4204c51d1..f86fbedc8 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu 
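Review bot: The child `profile bus flags=(complain)` reached through `@{bin}/dbus-send Cx -> bus` contains only includes and no rules of its own, so it is a stub that logs rather than confines, while the parent xdg-desktop-icon profile carries no complain flag; the asymmetry is easy to misread later as a finished confinement. A comment above the child, `# Placeholder child profile: kept in complain until dbus-send's needs are known`, would state the intent. The same include-only `bus` stub appears in the xdg-desktop-menu and xdg-email hunks later in this diff and deserves the same comment.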
@@ -3,44 +3,54 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-desktop-menu profile xdg-desktop-menu @{exec_path} flags=(complain) { include - include include + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/mkdir rix, - @{bin}/sed rix, - @{bin}/cut rix, - @{bin}/basename rix, - @{bin}/rm rix, - @{bin}/cp rix, - @{bin}/cat rix, - @{bin}/touch rix, - @{bin}/{m,g,}awk rix, - @{bin}/whoami rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/readlink rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, - @{bin}/update-desktop-database rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw, - owner @{user_share_dirs}/applications/chrome-*.desktop rw, - owner @{HOME}/.gnome/apps/chrome-*.desktop rw, + @{bin}/dbus-send Cx -> bus, + @{bin}/update-desktop-database Px, + @{bin}/xprop Px, - /usr/share/applications/*.desktop rw, - /usr/share/*/*.desktop r, - - /usr/share/applications/defaults.list r, - /usr/share/applications/defaults.list.new w, + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 65420a2ee..ec2cc86be 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
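Review bot: After this hunk the xdg-desktop-menu profile has no file rule left for the applications directories: `/usr/share/applications/*.desktop rw,`, `owner @{user_share_dirs}/applications/chrome-*.desktop rw,` and the `defaults.list` rules are removed and nothing in the hunk replaces them, although installing desktop entries there is what the tool does. Because the profile stays in `flags=(complain)` this only produces audit noise today, but it will break installs the day the flag is dropped unless one of the includes (whose names are not visible here) now supplies that access. If the removal is deliberate, a comment on the `flags=(complain)` line saying the file rules are still to be collected, e.g. `# complain: file rules for the installed .desktop entries not yet collected`, would make that clear.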
@@ -17,41 +17,45 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include + include include + include include include + include + include include capability sys_ptrace, network netlink raw, - ptrace (read), + ptrace read, + + signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* - peer=(name=:*), - - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=CheckPermissions - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.NetworkMonitor + member=GetStatus + peer=(name=@{busname}, label=snap.*), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=xdg-document-portal), - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - peer=(name=:*, label=xdg-document-portal), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk + #aa:dbus talk bus=session name=org.freedesktop.FileManager1 
label=nautilus + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -62,29 +66,43 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/nautilus rPx, - @{bin}/snap rPUx, - @{bin}/kreadconfig5 rPx, - @{lib}/xdg-desktop-portal-validate-icon rPUx, - @{open_path} rPx -> child-open, + @{bin}/kreadconfig{,5} rPx, + @{lib}/xdg-desktop-portal-validate-icon rPx, + @{open_path} mrPx -> child-open, - / r, - /.flatpak-info r, + / r, + @{att}/.flatpak-info r, + owner /att/**/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, + /usr/share/gdm/greeter-dconf-defaults r, /etc/sysconfig/proxy r, - /var/lib/gdm{,3}/greeter-dconf-defaults r, + @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_config_dirs}/dconf/user r, + owner @{gdm_config_dirs}/user-dirs.dirs r, - @{user_config_dirs}/kioslaverc r, + # The portal can receive any user file as it is a file chooser for UI app. + owner @{HOME}/** r, - owner @{tmp}/icon* rw, + @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/xdg-desktop-portal/* r, + owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw, + + owner @{tmp}/icon@{rand6} rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/ r, + @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index fecaa51b7..30b415204 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome 
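Review bot: `@{PROC}/@{pids}/status r,` and `@{PROC}/ r,` in the second xdg-desktop-portal hunk have no `owner` prefix, so the portal can read the status of every process on the system; the previous hunk's `capability sys_ptrace,` and `ptrace read,` suggest it does identify peer processes, but the reason is not written anywhere in the profile. The neighbouring `owner @{HOME}/** r,` shows the right pattern, since it carries a one-line justification; the same treatment here, e.g. `# Reads the status of portal clients, not only its own — confirm`, would mark the broad read as deliberate rather than accidental. If only a few fields of its own process are needed, `owner @{PROC}/@{pid}/status r,` is the narrower rule. profile xdg-desktop-portal begins before this hunk and continues after it.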
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -13,79 +13,85 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include include - include + include + include include include include include include include + include include network unix stream, - signal (receive) set=term peer=gdm, - signal (receive) set=(hup term) peer=gdm-session-worker, + signal receive set=term peer=gdm, + signal receive set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome - - dbus send bus=session path=/org/gnome/Shell/Screenshot - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), + #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider + #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Background - member=GetAppState - peer=(name=:*, label=xdg-desktop-portal), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus (send, receive) bus=session path=/org/gnome/Mutter/* - interface=org.gnome.Mutter.* - peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), - dbus send bus=session path=/org/gnome/Mutter/* + dbus send bus=session path=/org/gnome/Shell 
interface=org.freedesktop.DBus.Properties - peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, / r, @{bin}/ r, @{bin}/* r, + /opt/** r, /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_share_dirs}/applications/{,**} r, + owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, + owner @{HOME}/* r, owner @{HOME}/*/{,**} rw, + owner @{MOUNTS}/ r, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, + + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index a06b898d3..b7906c5e2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -2,65 +2,65 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/xdg-desktop-portal-gtk -profile xdg-desktop-portal-gtk @{exec_path} { +profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include - include - include + include include - include + include include include include include include + include + include include include - include - unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), + signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), @{exec_path} mr, - / r, + /usr/share/gdm/greeter-dconf-defaults r, + + / r, + owner /att/**/ r, owner /var/lib/xkb/server-@{int}.xkm rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + owner @{gdm_config_dirs}/dconf/user r, + owner /var/lib/gdm3/greeter-dconf-defaults r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, @{run}/mount/utab r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + 
@{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + owner @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland new file mode 100644 index 000000000..876825ee4 --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/xdg-desktop-portal-hyprland +profile xdg-desktop-portal-hyprland @{exec_path} { + include + include + include + include + include + include + + @{exec_path} mr, + + @{sh_path} ix, + @{bin}/hyprland-share-picker rix, + @{bin}/sleep rix, + @{bin}/slurp rix, + + owner /tmp/hypr/ rw, + owner /tmp/hypr/\#@{int} rwkl, + owner /tmp/hypr/hyprland-share-picker.conf* rwkl, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index a5329097b..bd5981dcf 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,9 +10,13 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include + include + include include + include include include + include network inet dgram, network inet6 dgram, 
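Review bot: `owner /var/lib/gdm3/greeter-dconf-defaults r,` in the xdg-desktop-portal-gtk hunk hard-codes the gdm home directory, while the sibling xdg-desktop-portal profile in this same change switched that path to `@{GDM_HOME}/greeter-dconf-defaults r,`. Using `owner @{GDM_HOME}/greeter-dconf-defaults r,` here too keeps the two portals consistent and covers the `/var/lib/gdm{,3}` spelling the old rule in the other profile used. The two profiles also differ on the `owner` qualifier for this file, which may be intentional but is worth a word in the rule's comment. profile xdg-desktop-portal-gtk continues past the end of the hunk.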
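Review bot: `owner /tmp/hypr/ rw,`, `owner /tmp/hypr/\#@{int} rwkl,` and `owner /tmp/hypr/hyprland-share-picker.conf* rwkl,` in the new xdg-desktop-portal-hyprland profile use a literal `/tmp/` where the other profiles in this change write `@{tmp}` (for example `owner @{tmp}/icon@{rand6} rw,`). If Hyprland creates this directory under the real /tmp regardless of any per-user tmp, keep the literal but say so above the rules, e.g. `# Hyprland's runtime dir is a fixed /tmp/hypr/, not @{tmp}`; otherwise `@{tmp}/hypr/` is the consistent form. The r/x split is also the reverse of the xdg-desktop-icon hunk (`@{sh_path} ix,` with `rix` helpers here, `@{sh_path} rix,` with `ix` helpers there); one convention across the group would be easier to lint.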
@@ -20,24 +24,43 @@ profile xdg-desktop-portal-kde @{exec_path} { network inet6 stream, network netlink raw, + signal send set=term peer=kioworker, + @{exec_path} mr, #aa:exec kioworker + /usr/share/plasma/look-and-feel/** r, + /usr/share/thumbnailers/{,**} r, + + /etc/fstab r, + /etc/xdg/dolphinrc r, + + / r, + + owner @{HOME}/ r, + owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_cache_dirs}/*.kcache r, + owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/kdeglobals{,.*} rwlk, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, + + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, + owner @{PROC}/@{pid}/mountinfo r, + + /dev/shm/ r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index a76f73b36..2fa8cc01f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, 
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon new file mode 100644 index 000000000..2c6c37538 --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/xdg-desktop-portal-validate-icon +profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability dac_override, + + @{exec_path} mrix, + + @{bin}/bwrap ix, + + owner @{tmp}/icon@{rand6} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 86633e72f..84c0fce42 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include include include + include include + include include capability sys_admin, 
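Review bot: `capability dac_override,` in the new xdg-desktop-portal-validate-icon profile has no comment saying what needs it, and a capability that bypasses file permission checks deserves one. From the profile it is not visible whether the need comes from the validator itself or from `@{bin}/bwrap ix,`; a line above the capability such as `# Needed by bwrap when setting up the sandbox — TODO confirm` would record the assumption. Because bwrap is executed with `ix`, it and whatever it launches stay under this profile, which is consistent with `@{exec_path} mrix,` covering the validator re-executed inside the sandbox; a comment on the `ix` line (`# bwrap and the sandboxed validator inherit this profile`) would make that design obvious to the next reader.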
@@ -21,13 +23,15 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/, - signal (receive) set=(term) peer=gdm, + signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, ptrace (read), unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - #aa:dbus own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents + #aa:dbus own bus=session name=org.freedesktop.portal.{Documents,FileTransfer} path=/org/freedesktop/portal/documents + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -36,13 +40,17 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/flatpak rPUx, + @{bin}/flatpak rPx, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/snap rPx, - / r, - owner /.flatpak-info r, + / r, + owner /att/**/ r, + owner @{att}/.flatpak-info r, - owner @{HOME}/** r, + owner @{HOME}/ r, + owner @{HOME}/*/{,**} rw, + owner @{MOUNTS}/ r, owner @{user_share_dirs}/flatpak/db/documents r, owner @{user_share_dirs}/Trash/files/** r, @@ -54,15 +62,16 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - /dev/fuse rw, - owner /dev/tty@{int} rw, + /dev/fuse rw, - profile fusermount { + profile fusermount flags=(attach_disconnected) { include - include + include + include - capability sys_admin, capability dac_read_search, + capability dac_override, + capability setuid, mount options=(rw, rprivate) -> /, mount options=(rw, rbind) @{run}/user/@{uid}/ -> /, 
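Review bot: `owner /att/**/ r,` spells the attachment root literally while the next line uses the variable (`owner @{att}/.flatpak-info r,`); unless the literal form is deliberate, `owner @{att}/**/ r,` keeps the two consistent. In the same hunk `owner @{HOME}/*/{,**} rw,` turns the previous read-only `owner @{HOME}/** r,` into recursive write access under every top-level home directory, which for a document portal deserves a comment naming the operation that writes there. The fusermount child profile later in this file loses `capability sys_admin,` while its `mount` rules stay; if the capability now arrives through the include added there, that is fine, but it is not visible in this rendering.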
@@ -72,17 +81,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal), - @{bin}/fusermount{,3} mr, - - /etc/fuse{,3}.conf r, - owner @{run}/user/@{uid}/doc/ rw, - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index da457a0fe..cf580ceac 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -3,32 +3,51 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-email profile xdg-email @{exec_path} flags=(complain) { include + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cut rix, - @{bin}/echo rix, - @{bin}/gio rPx, - @{bin}/kreadconfig5 rPx, - @{bin}/readlink rix, - @{bin}/sed rix, - @{bin}/tail rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xdg-mime rPx, - @{thunderbird_path} rPx, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/tail ix, + @{bin}/tr ix, + @{bin}/uname ix, - owner /dev/tty@{int} rw, + # To get DE information + @{bin}/kde{,4}-config ix, + @{bin}/gconftool{,-2} ix, + @{bin}/qtxdg-mat ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/kreadconfig{,5} Px, + @{bin}/xdg-mime Px, + @{bin}/xprop Px, + @{open_path} Px -> child-open-email, + @{thunderbird_path} Px, + + profile bus flags=(complain) { + include + include + include + + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 9ece71574..4f29d38a0 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource 
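Review bot: The `profile bus flags=(complain) { … }` child added here is repeated with the same shape in xdg-icon-resource, xdg-mime, xdg-open, xdg-screensaver and xdg-settings in this commit, but xdg-open's copy is `flags=(attach_disconnected)` (enforcing) while the other five are `flags=(complain)` (log-only); the flag choice should be consistent or the difference commented. If the project has a shared abstraction for the `dbus-send Cx -> bus` pattern, pointing the six children at it would remove the duplication. A `# TODO: switch to enforce once the dbus rules are validated` above each complain-mode child would record that the mode is transitional, if that is the intent.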
+++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,35 +11,43 @@ include profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include - include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/whoami rix, - @{bin}/sed rix, - @{bin}/basename rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/rm rix, - @{bin}/readlink rix, - @{bin}/touch rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, + @{bin}/whoami ix, - @{bin}/gtk{,4}-update-icon-cache rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - /usr/share/**/icons/**.png r, - /usr/share/icons/**.png rw, - /usr/share/icons/*/.xdg-icon-resource-dummy rw, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/gtk{,4}-update-icon-cache Px, + @{bin}/xprop Px, - owner @{tmp}/.com.google.Chrome.*/chrome-*.png r, - - owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw, - owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw, - /opt/**/*.png r, - - deny @{user_share_dirs}/gvfs-metadata/* r, + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index badefb819..9e6dbc2e0 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime 
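Review bot: The hunk removes `/usr/share/icons/**.png rw,`, `/usr/share/icons/*/.xdg-icon-resource-dummy rw,` and the `owner @{user_share_dirs}/icons/**` rules that cover the script's actual work, while `cp`, `ln`, `rm` and `touch` now run `ix` with no visible file rule for any icon directory. If those paths moved into the include added at the top of the profile, a comment like `# Icon theme paths are provided by the [abstraction name] include` would make the dependency explicit; if they did not, the profile will deny the very writes it exists to perform. The `deny @{user_share_dirs}/gvfs-metadata/* r,` silencer is also dropped with no replacement, so expect new audit noise if that access still happens.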
@@ -3,76 +3,75 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-mime profile xdg-mime @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/file rix, - @{bin}/head rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/sed rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, - @{bin}/gio rPx, - @{bin}/kbuildsycoca5 rPx, - @{bin}/ktraderclient5 rPUx, - @{bin}/mimetype rPx, - @{bin}/xprop rPx, + # To query DE information + @{bin}/gio ix, + @{bin}/gnomevfs-info ix, + @{bin}/gvfs-info ix, + @{bin}/kde{,4}-config ix, + @{bin}/kfile ix, + @{bin}/kmimetypefinder{,5} ix, + @{bin}/ktraderclient{,5} ix, + @{bin}/qtpaths ix, + @{bin}/qtxdg-mat ix, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/kbuildsycoca{,5} Px, + @{bin}/mimetype Px, + @{bin}/vendor_perl/mimetype Px, + @{bin}/xprop Px, - owner @{HOME}/.Xauthority r, owner @{user_config_dirs}/mimeapps.list{,.new} rw, - owner @{run}/user/@{uid}/ r, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, - @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r, - @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r, + @{PROC}/version r, - /dev/dri/card@{int} rw, /dev/tty rw, - # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # 
/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Xdg-mime works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** rw, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - profile dbus { + profile bus flags=(complain) { include - include - - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - @{HOME}/.Xauthority r, - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, + include + include + include + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index e7ee7dc8c..7893800d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open 
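Review bot: `@{bin}/gio ix,` replaces the former `@{bin}/gio rPx,`, so gio now runs under xdg-mime's rules instead of its own profile; the comment says it is only used to query DE information, but on desktops where `gio` also launches a handler that launch is now confined by this profile, which is worth a sentence in the comment. The removed block explaining why `dbus-launch`/`dbus-send` were denied is replaced by an unexplained `bus` child in complain mode; keeping one line such as `# dbus-send is confined to the bus child; complain until its rules are validated` preserves the rationale. The `# file_inherit` deny block is a sensible silencer, but `deny owner @{user_config_dirs}/*/** rw,` is broad enough that a note on which inherited descriptors it is meant to hide would help later maintainers.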
@@ -3,58 +3,48 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-open profile xdg-open @{exec_path} flags=(attach_disconnected) { include - include + include include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/cut rix, - @{bin}/which{,.debianutils} rix, - @{bin}/cat rix, - @{bin}/uname rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/env ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/tr ix, + @{bin}/uname ix, - @{bin}/xprop rPx, - @{bin}/xdg-mime rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - @{bin}/exo-open rPx, - @{bin}/gio rPx, - #@{bin}/kde-open5 rPUx, - @{bin}/ktraderclient5 rPUx, + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/xprop Px, + @{bin}/xdg-mime Px, + @{open_path} Px -> child-open-any, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/dbus-send rCx -> dbus, + @{PROC}/version r, - /** r, - owner /** rw, - - # freedesktop.org-strict - owner @{user_share_dirs}/applications/ r, - /usr/share/applications/*.desktop r, - - /dev/tty rw, - - profile dbus { + profile bus flags=(attach_disconnected) { include - include + include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index f698111d4..3b15d9688 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -2,20 +2,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include + include include include capability sys_nice, - signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm, + signal receive set=(term hup kill) peer=dbus-session, + signal receive set=(term hup kill) peer=gdm, + signal receive set=(term hup kill) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.PermissionStore @@ -41,11 +43,11 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, - owner @{user_share_dirs}/flatpak/db/devices r, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw, + owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, - - /dev/tty@{int} rw, + owner @{user_share_dirs}/flatpak/db/screencast r, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index cee9898b5..dd7d17118 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver 
@@ -3,42 +3,54 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-screensaver -profile xdg-screensaver @{exec_path} { +profile xdg-screensaver @{exec_path} flags=(complain) { include include + include + include @{exec_path} r, - @{bin}/ r, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/kill ix, + @{bin}/ln ix, + @{bin}/lockfile ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/uname ix, + @{bin}/xautolock ix, - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/cat rix, - @{bin}/uname rix, + @{bin}/dbus-send Cx -> bus, + @{bin}/xprop Px, + @{bin}/xset Px, + @{bin}/ps Px, + @{bin}/hostname Px, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, + profile bus flags=(complain) { + include + include + include - @{bin}/xprop rPx, - @{bin}/xdg-mime rPx, - @{bin}/xset rPx, - @{bin}/hostname rix, + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console - /dev/dri/card@{int} rw, - - owner @{HOME}/ r, - owner @{HOME}/.Xauthority r, - owner @{tmp}/xauth-@{int}-_[0-9] r, - - owner @{run}/user/@{uid}/ r, + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index a4d611712..fd05bcee9 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings 
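Review bot: `profile xdg-screensaver @{exec_path} flags=(complain) {` downgrades a profile that was previously enforcing to log-only, with no comment giving the reason; at minimum add `# TODO: return to enforce once the new helper list below is confirmed` so the regression is tracked. The new `ix` entries for `kill`, `lockfile` and `xautolock` mean those helpers inherit this profile, which is tolerable in complain mode but should be re-checked before enforcing. `@{bin}/hostname Px,` replaces the former `rix`, so a hostname profile must exist for that transition to succeed.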
@@ -3,65 +3,62 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} { +profile xdg-settings @{exec_path} flags=(attach_disconnected) { include include include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/uname rix, - @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{sh_path} mr, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat ix, + @{bin}/cut rix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath rix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/sleep ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/uname ix, + @{bin}/wc ix, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/dbus-send rCx -> dbus, - @{bin}/kreadconfig5 rPx, - @{bin}/xdg-mime rPx, - @{bin}/xprop rPx, + # To set/get DE information + @{bin}/gconftool{,-2} ix, + @{bin}/kde{,4}-config ix, + @{bin}/kwriteconfig{,5,6} ix, + @{bin}/qtxdg-mat ix, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/kreadconfig{,5} Px, + @{bin}/xdg-mime Px, + @{bin}/xprop Px, - /etc/xdg/xfce4/helpers.rc r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw, + owner @{user_share_dirs}/applications/{,**} rw, - owner @{HOME}/ r, - owner @{HOME}/.Xauthority r, + @{PROC}/version r, - owner @{user_config_dirs}/xfce4/helpers.rc{,.*} rw, + owner /dev/pts/@{int} rw, - owner @{run}/user/@{uid}/ r, - - owner @{PROC}/@{pid}/fd/ r, - - profile dbus { + profile bus flags=(complain) { include - include + include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - include if 
exists + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir index fa52d6f52..f963a21b9 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dir +++ b/apparmor.d/groups/freedesktop/xdg-user-dir @@ -2,23 +2,23 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-user-dir profile xdg-user-dir @{exec_path} flags=(attach_disconnected) { include + include + include @{exec_path} mr, - @{sh_path} rix, - @{bin}/env rix, + @{sh_path} rix, + @{bin}/env rix, owner @{user_config_dirs}/user-dirs.dirs r, - /dev/tty rw, - # Silencer deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 01a289533..feb1b9bd6 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -2,21 +2,27 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include + include + include + include + include @{exec_path} mr, + @{bin}/xdg-user-dirs-update Px, + owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, + owner @{tmp}/dirs-@{rand6} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 4730ca091..09c66d6ac 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update 
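Review bot: `@{sh_path} mr,` differs from the sibling script profiles changed in this commit (xdg-email, xdg-mime, xdg-open and xdg-screensaver all use `@{sh_path} rix,`), and the helper list below mixes `rix` (`{,e}grep`, `basename`, `cut`, `realpath`) with `ix` (everything else) for no visible reason. If `mr` is sufficient for the shebang interpreter here, a comment saying so would stop the next reviewer from "fixing" it; otherwise `@{sh_path} rix,` and one consistent mode for the helpers keeps the file in line with the rest. `owner /dev/pts/@{int} rw,` is also newly added without a comment.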
@@ -2,20 +2,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include + include include @{exec_path} mr, - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index 467a92e03..6032179e4 100644 --- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xhost -profile xhost @{exec_path} { +profile xhost @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index ef719d673..a99e12b7a 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -3,17 +3,21 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include + include + include + include include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send,receive) type=stream addr=none peer=(label=kwin_wayland), @{exec_path} mr, @@ -27,6 +31,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/xorg/Xorg.@{int}.log w, /var/lib/{gdm{3,},sddm}/.local/share/xorg/Xorg.@{int}.log w, + /var/log/Xorg.@{int}.log w, owner /var/log/lightdm/x-@{int}.log w, owner @{run}/user/@{uid}/server-@{int}.xkm rwk, 
@@ -36,10 +41,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/fb@{int} rw, /dev/tty rw, - /dev/tty@{int} rw, - - deny /dev/input/event@{int} rw, - deny /var/log/Xorg.@{int}.log w, + /dev/input/event@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 9e1625e8e..bfec4405c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -45,11 +45,16 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login1/session/* + interface=org.freedesktop.login1.Session + member=ReleaseControl + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + @{exec_path} mrix, @{sh_path} rix, @{bin}/xkbcomp rPx, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, @{lib}/xorg/ r, @{lib}/xorg/modules/ r, 
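Review bot: `/dev/input/event@{int} rw,` replaces what was an explicit `deny /dev/input/event@{int} rw,`, so a keymap compiler is now allowed read/write on raw input event devices, keystroke-level access it does not need for its job. If the access is only an inherited descriptor from the X server (the usual reason this shows up), the deny silencer was the right rule and should be restored, or the allow should carry a comment such as `# file_inherit from Xorg — TODO confirm and revert to deny`. The preceding hunk likewise adds `/var/log/Xorg.@{int}.log w,` while this one drops its deny; the same inherited-descriptor question applies there.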
@@ -87,31 +92,18 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/{tty,input,drm}/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/**/{uevent,name,id,config} r, - @{sys}/devices/**/hid r, - @{sys}/devices/**/power_supply/**/{type,online} r, - @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/backlight/*/{,max_}brightness r, - @{sys}/devices/@{pci}/backlight/*/brightness rw, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/platform/ r, - @{sys}/module/i915/{,**} r, - - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features 
@@ -119,19 +111,46 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{sys}/bus/ r, + @{sys}/bus/pci/devices/ r, + @{sys}/class/ r, + @{sys}/class/{tty,input,drm}/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness r, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/resource@{int} rw, + @{sys}/devices/**/{uevent,name,id,config} r, + @{sys}/devices/**/hid r, + @{sys}/devices/**/power_supply/**/{type,online} r, + @{sys}/devices/platform/ r, + @{sys}/module/i915/{,**} r, + @{PROC}/@{pids}/cmdline r, @{PROC}/cmdline r, @{PROC}/ioports r, @{PROC}/mtrr rw, - /dev/fb[0-9] rw, - /dev/input/event@{int} rw, + /dev/ r, + /dev/fb@{int} rw, + @{att}/dev/input/event@{int} rw, + /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, /dev/tty rw, /dev/tty@{int} rw, + /dev/udmabuf rw, /dev/vga_arbiter rw, # Graphic card modules + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index aaa19b998..f83afae61 100644 --- a/apparmor.d/groups/freedesktop/xprop +++ b/apparmor.d/groups/freedesktop/xprop @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xprop profile xprop @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index 99e07a121..ed9e7a030 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr 
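Review bot: `@{sys}/devices/@{pci}/resource@{int} rw,` grants write access to PCI BAR resource files, which is direct device-register access from userspace, and it is added with no comment; a note such as `# [reason the X server writes PCI BAR resources] — TODO confirm` would document why it is needed rather than leaving it to look like a stray permission. `/dev/udmabuf rw,` and `/dev/ r,` are likewise new and uncommented. The `profile pkexec { … }` child that receives the `rCx -> pkexec` transition from the earlier hunk contains only includes whose names are not rendered here, so whether it meaningfully constrains the setuid helper cannot be judged from this view.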
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,12 @@ profile xrandr @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, + @{run}/sddm/xauth_@{rand6} r, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 9bd897bee..55d069815 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,7 @@ profile xrdb @{exec_path} { @{bin}/{,*-}cpp-[0-9]* rix, @{sh_path} rix, @{bin}/cpp rix, - @{lib}/gcc/@{multiarch}/@{int}*/cc1 rix, + @{lib}/gcc/@{multiarch}/@{version}/cc1 rix, @{lib}/llvm-[0-9]*/bin/clang rix, /usr/include/stdc-predef.h r, diff --git a/apparmor.d/groups/freedesktop/xset b/apparmor.d/groups/freedesktop/xset index ff09d2b1a..20dc2b1fb 100644 --- a/apparmor.d/groups/freedesktop/xset +++ b/apparmor.d/groups/freedesktop/xset @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index db5d0a7aa..c0ddcb359 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include + include include capability dac_read_search, @@ -18,10 +19,6 @@ profile xsetroot @{exec_path} { @{exec_path} mr, - /usr/share/icons/{,**} r, - - owner @{HOME}/.icons/** r, - owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, 
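Review bot: `capability dac_read_search,` is added to xrandr with no comment, and the only new file rule in the hunk is `@{run}/sddm/xauth_@{rand6} r,`; if the capability exists to read that root-owned cookie when xrandr runs from the display manager, say so: `# Read the SDDM xauth cookie when run from the greeter — TODO confirm`. Because the capability bypasses DAC read checks on every path the profile's file rules already allow, tying it to a stated reason keeps it reviewable later.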
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 93a652573..a8950dbc6 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -2,15 +2,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/Xwayland +@{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include + include include include + include include signal (receive) set=(term hup) peer=gdm*, @@ -18,6 +20,9 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, + unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=kwin_wayland), + @{exec_path} mrix, @{sh_path} rix, @@ -26,6 +31,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, + / r, + + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, @@ -33,9 +43,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, - /dev/tty@{int} rw, - /dev/tty rw, - include if exists } diff --git a/apparmor.d/groups/gnome-extension/batteryhealthchargingctl b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl new file mode 100644 index 000000000..4b1f7a138 --- /dev/null +++ b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl 
@@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/batteryhealthchargingctl{,-@{user}} +@{exec_path} += /usr/local/bin/batteryhealthchargingctl{,-@{user}} +profile batteryhealthchargingctl @{exec_path} { + include + include + + capability dac_read_search, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/env rix, + @{bin}/cmp rix, + @{bin}/cut rix, + @{bin}/pkaction rix, + @{bin}/sed rix, + @{bin}/sort rix, + + /etc/polkit-1/rules.d/*.batteryhealthcharging.setthreshold-@{user}.rules r, + + @{user_share_dirs}/gnome-shell/extensions/Battery-Health-Charging@maniacx.github.com/resources/** r, + + @{sys}/class/power_supply/ r, + @{sys}/devices/**/power_supply/BAT@{int}/charge_control_end_threshold w, + @{sys}/devices/**/power_supply/BAT@{int}/charge_control_start_threshold w, + @{sys}/devices/**/power_supply/BAT@{int}/charge_types rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 9063afc57..944d5e1d5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include profile chrome-gnome-shell @{exec_path} { include include + include include include include @@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels new file mode 100644 index 000000000..2bb38dfd5 --- /dev/null +++ b/apparmor.d/groups/gnome/decibels 
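Review bot: `capability dac_read_search,` in the new batteryhealthchargingctl profile is uncommented; since this is a root helper invoked through polkit that reads `@{user_share_dirs}/gnome-shell/extensions/.../resources/**` from a user's home, a comment such as `# [why root must bypass DAC here] — TODO confirm` would explain it. The script convention elsewhere in this commit is `@{exec_path} r,` with `@{sh_path} rix,`; here `@{exec_path} mr,` is used, which is harmless but inconsistent. The `/etc/polkit-1/rules.d/*.batteryhealthcharging.setthreshold-@{user}.rules r,` rule and the two `charge_control_*_threshold w` sysfs rules are the privileged surface of this helper and merit a one-line header comment stating that intent.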
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels +profile decibels @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/gjs-console rix, + + @{open_path} rPx -> child-open-help, + + /usr/share/org.gnome.Decibels/{,**} r, + + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 444fc581f..59b3c5d40 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor 
@@ -2,38 +2,65 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/deja-dup/deja-dup-monitor +@{exec_path} = @{lib}/deja-dup/deja-dup-monitor profile deja-dup-monitor @{exec_path} { include include include include include - include - include + include + include + include include + include + include + include network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup + #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup + + dbus send bus=session path=/org/gnome/DejaDup + interface=org.gtk.Actions + member=Activate + peer=(name=org.gnome.DejaDup), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=power-profiles-daemon), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{bin}/chrt rix, + @{bin}/ionice rix, + @{bin}/deja-dup Px, + + /usr/share/gvfs/remote-volume-monitors/{,**} r, /var/tmp/ r, /tmp/ r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index ca1213df9..2168382e0 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
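Review bot: The NetworkManager rule still uses `peer=(name=:*, label=NetworkManager)` while the two rules added next to it use `peer=(name=@{busname}, ...)`, and the evolution-addressbook-factory hunks in this commit convert `:*` to `@{busname}` everywhere; change it to `peer=(name=@{busname}, label=NetworkManager),` for consistency. The explicit `dbus send bus=session path=/org/gnome/DejaDup interface=org.gtk.Actions member=Activate peer=(name=org.gnome.DejaDup),` looks redundant with the `#aa:dbus talk ... interface+=org.gtk.Actions label=deja-dup` directive just above it and, unlike the directive, carries no `label=`; if the generated rules cover it, drop it, otherwise add the label.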
@@ -29,10 +29,12 @@ profile epiphany-search-provider @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner @{user_cache_dirs}/epiphany/{,**} rwk, + owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/{,**} rwk, + owner @{tmp}/ContentRuleList-@{rand6} rw, owner @{tmp}/ContentRuleList@{rand6} rw, - owner @{tmp}/Serialized* rw, + owner @{tmp}/SerializedNFA-@{rand6} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, diff --git a/apparmor.d/groups/gnome/epiphany-webapp-provider b/apparmor.d/groups/gnome/epiphany-webapp-provider index 7dda86245..c161a5a0c 100644 --- a/apparmor.d/groups/gnome/epiphany-webapp-provider +++ b/apparmor.d/groups/gnome/epiphany-webapp-provider @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index de7c3c299..1b9051a4a 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,10 +11,11 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include - include + include include + include include include include 
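Review bot: `owner @{user_config_dirs}/epiphany/{,**} rw` hands the search provider write access to the whole Epiphany configuration tree, which is broader than a search backend should need and is not explained by anything else in the hunk. If the denial that motivated it was a single file, list that path instead, or start with `r` and widen only on a logged write denial; at minimum a comment such as `# writes <file> on behalf of WebKit — see denial` would tell the next reviewer what needs the `w`. The profile body continues outside this hunk.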
@@ -26,10 +27,13 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* @@ -37,12 +41,12 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + peer=(name=@{busname}, label=evolution-source-registry), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -51,13 +55,17 @@ profile evolution-addressbook-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/evolution/dataserver/** + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=obexd), @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, 
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index a4c2c4a92..501685b22 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -2,17 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include - include include - include - include include include include @@ -34,10 +31,11 @@ profile evolution-alarm-notify @{exec_path} { @{exec_path} mr, /usr/share/evolution-data-server/{,**} r, - /usr/share/{,zoneinfo-}icu/{,**} r, /etc/timezone r, + owner @{user_share_dirs}/evolution/datetime-formats.ini r, + include if exists } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index d1ec45ac4..87cce8fbc 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,10 @@ profile evolution-calendar-factory @{exec_path} { include include include - include + include + include include + include include include include @@ -57,11 +59,6 @@ profile evolution-calendar-factory @{exec_path} { member=Complete peer=(name=org.freedesktop.DBus, label=gnome-calendar), - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=Move - peer=(name=:*, label=gvfsd-metadata), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect 
@@ -70,14 +67,12 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, - owner @{user_share_dirs}/evolution/tasks/system/ w, - owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw, + owner @{user_share_dirs}/evolution/memos/system/{,**} rw, + owner @{user_share_dirs}/evolution/tasks/system/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 7c97acc2e..0732646b5 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,10 +10,12 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include + include include include + include include network inet stream, @@ -46,8 +48,6 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/evolution-user-prompter b/apparmor.d/groups/gnome/evolution-user-prompter index 560f2bdb0..d1c095abf 100644 --- a/apparmor.d/groups/gnome/evolution-user-prompter +++ b/apparmor.d/groups/gnome/evolution-user-prompter @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,6 +10,8 @@ include profile evolution-user-prompter @{exec_path} { include include + include + include #aa:dbus own bus=session name=org.gnome.evolution.dataserver.UserPrompter0 diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index 7ecb4fb84..6bcbd1cc0 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -2,13 +2,14 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gcr-prompter profile gcr-prompter @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gcr-ssh-agent b/apparmor.d/groups/gnome/gcr-ssh-agent index a6f0f22fd..24e94d9cb 100644 --- a/apparmor.d/groups/gnome/gcr-ssh-agent +++ b/apparmor.d/groups/gnome/gcr-ssh-agent @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 2817f668e..3f958cb7e 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/gdm{3,} +@{exec_path} = @{sbin}/gdm @{sbin}/gdm3 profile gdm @{exec_path} flags=(attach_disconnected) { include include @@ -17,9 +17,11 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, + capability fowner, capability fsetid, capability kill, capability net_admin, + capability sys_admin, capability sys_nice, capability sys_tty_config, 
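Review bot: `capability sys_admin` is added to the gdm profile with no comment naming the operation that needs it; sys_admin is close to unrestricted root (mounts, namespaces, setns, and more), so from the hunk alone a reviewer cannot tell whether a narrower rule — a `mount` rule, a userns rule, or a specific `@{PROC}` path — would have sufficed. Please record the motivating denial inline, e.g. `capability sys_admin, # needed for: <operation from the audit log>`, and do the same for the new `capability fowner`. The capability list continues outside the hunk, so I cannot see whether an existing comment already covers this.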
@@ -34,13 +36,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" @{exec_path} mr, @@ -50,7 +47,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{bin}/plymouth rPx, @{bin}/prime-switch rPUx, @{bin}/sleep rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{lib}/{,gdm/}gdm-session-worker rPx, /etc/gdm{3,}/PrimeOff/Default rix, @@ -58,6 +55,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, 
@@ -70,18 +68,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - owner @{GDM_HOME}/block-initial-setup rw, + @{GDM_HOME}/ rw, + @{GDM_HOME}/** rw, - @{run}/gdm{3,}/greeter/ rw, - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, - owner @{run}/gdm{3,}.pid rw, - owner @{run}/gdm{3,}/ rw, - owner @{run}/gdm{3,}/custom.conf r, - owner @{run}/gdm{3,}/dbus/ w, - owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, - owner @{run}/gdm{3,}/gdm.pid rw, + @{run}/gdm{,3}/ rw, + owner @{run}/gdm{,3}.pid rw, + owner @{run}/gdm{,3}/dbus/ rw, + owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, + + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @@ -92,7 +89,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/virtual/tty/tty@{int}/active r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cgroup.events r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index db1c43d84..c5e6d4cd5 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
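Review bot: `@{GDM_HOME}/** rw` replaces the single `owner @{GDM_HOME}/block-initial-setup rw` with recursive, non-owner read/write over the entire gdm home, and `@{run}/gdm{,3}/ rw` likewise drops `owner`. Because gdm runs as root, dropping `owner` may genuinely be needed for files created by the greeter user, but `**` also covers anything a greeter session later writes there (dconf databases, caches), which the display manager can then modify. If the set of files is known, list them the way the old rule did; otherwise a comment such as `# greeter state is created by the gdm user, so owner cannot be used` would justify the widening to the next reader.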
@@ -18,13 +18,15 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, + # ptrace read, + @{exec_path} mr, @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> pgrep, - @{bin}/pkill rix, + @{bin}/pgrep rCx -> &pgrep, + @{bin}/pkill rCx -> &pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -32,8 +34,7 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm{3,}/{,**} r, /var/lib/ r, - @{GDM_HOME}/ r, - owner @{GDM_HOME}/ rw, + @{GDM_HOME}/ rw, owner @{GDM_HOME}/greeter-dconf-defaults rw, owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw, @@ -41,15 +42,19 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { include include + @{bin}/pkill mr, + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut new file mode 100644 index 000000000..eea0ee3b3 --- /dev/null +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default +profile gdm-prime-defaut @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/prime-offload ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config index 26ce14234..558f3677c 100644 --- a/apparmor.d/groups/gnome/gdm-runtime-config +++ b/apparmor.d/groups/gnome/gdm-runtime-config @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
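Review bot: `@{bin}/pkill rCx -> &pgrep` moves pkill into the `pgrep` child profile, but that child (as visible: two includes plus `@{bin}/pkill mr`) carries no `signal send` rule, so under enforcement pkill would locate its target through the widened `@{PROC}/@{pids}/*` reads and then be denied when delivering the signal, unless one of the stripped includes supplies it. Add a rule for the peer it actually terminates, e.g. `signal send set=(term kill) peer=<target label>,`, and either remove or explain the commented-out `# ptrace read,` in the parent, since a dangling commented rule usually marks an unresolved denial. The parent profile continues outside this hunk.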
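Review bot: the new profile is named `gdm-prime-defaut` (the `l` of `Default` is missing) while the path it attaches to is `/etc/gdm{3,}/{Init,Prime}/Default`; `rPx` from gdm-session resolves by path so this works, but the label is what shows up in audit logs and in any future `peer=` rule, so renaming to `gdm-prime-default` now is cheaper than after other profiles reference it. It is also inconsistent with the gdm profile, which still runs `/etc/gdm{3,}/PrimeOff/Default rix` inherited while `Prime/Default` now gets its own complain-mode profile; if both scripts ship together, attaching `PrimeOff/Default` here as well would keep the treatment uniform.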
diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index d889a708a..5d2e3e21e 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,14 +11,15 @@ profile gdm-session @{exec_path} { include include include - include - include + include + include - signal (receive) set=(hup term) peer=gdm-session-worker, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=xorg, + signal receive set=(hup term) peer=gdm-session-worker, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=dbus-session, + signal send set=(term) peer=gnome-session-binary, + signal send set=(term) peer=xorg, + signal send set=term peer=gnome-session, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -34,21 +35,14 @@ profile gdm-session @{exec_path} { # only: xorg @{bin}/Xorg rPx, - /etc/gdm{3,}/Prime/Default rix, + /etc/gdm{3,}/Prime/Default rPx, /etc/gdm{3,}/Xsession rPx, /usr/share/gdm{3,}/gdm.schemas r, - /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, - /etc/locale.conf r, - /etc/sysconfig/console r, /etc/sysconfig/displaymanager r, - /etc/sysconfig/language r, - /etc/sysconfig/mail r, - /etc/sysconfig/proxy r, - /etc/sysconfig/windowmanager r, owner @{gdm_cache_dirs}/gdm/ rw, owner @{gdm_cache_dirs}/gdm/Xauthority rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 48ac848c1..3bab1b134 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -29,31 +29,33 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { capability sys_tty_config, network netlink raw, + network unix stream, - signal (receive) set=term peer=gdm, - signal (send) set=(hup term) peer=gdm-session, - signal (send) set=hup peer=at-spi*, - signal (send) set=hup peer=dbus-accessibility, - signal (send) set=hup peer=dbus-session, - signal (send) set=hup peer=dconf-service, - signal (send) set=hup peer=gjs-console, - signal (send) set=hup peer=gnome-*, - signal (send) set=hup peer=gsd-*, - signal (send) set=hup peer=ibus-*, - signal (send) set=hup peer=mutter-x11-frames, - signal (send) set=hup peer=tracker-miner, - signal (send) set=hup peer=xdg-*, - signal (send) set=hup peer=xorg, - signal (send) set=hup peer=xwayland, + signal receive set=term peer=gdm, + signal send set=(hup term) peer=gdm-session, + signal send set=hup peer=at-spi*, + signal send set=hup peer=dbus-accessibility, + signal send set=hup peer=dbus-session, + signal send set=hup peer=dconf-service, + signal send set=hup peer=gjs-console, + signal send set=hup peer=gnome-*, + signal send set=hup peer=gsd-*, + signal send set=hup peer=ibus-*, + signal send set=hup peer=mutter-x11-frames, + signal send set=hup peer=tracker-miner, + signal send set=hup peer=xdg-*, + signal send set=hup peer=xorg, + signal send set=hup peer=xwayland, - unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system, + unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + 
peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, @@ -76,6 +78,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, /etc/default/locale r, + /etc/fscrypt.conf r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, @@ -92,8 +95,21 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /var/lib/wtmpdb/ r, /var/lib/wtmpdb/* rwk, + /.fscrypt/policies/ r, + /.fscrypt/protectors/ r, + owner /.fscrypt/protectors/@{hex16} r, + + #aa:lint ignore=tunables + /home/ r, + /home/.fscrypt/policies/ r, + owner /home/.fscrypt/policies/@{hex32} r, + owner /home/.fscrypt/protectors/@{hex16}.link r, + owner @{HOME}/.pam_environment r, + owner @{user_cache_dirs}/ w, + + @{run}/cockpit/active.issue r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, @@ -103,14 +119,17 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{run}/gdm{3,}/dbus/ w, owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/cockpit/active.motd r, @{run}/faillock/@{user} rwk, + @{run}/fscrypt/ rw, + @{run}/fscrypt/@{uid}.count rwk, @{run}/motd.d/{,*} r, @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, @{PROC}/keys r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index a48958b40..2882c3d9e 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} { include include include + include include include 
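Review bot: the fscrypt rules hard-code `/home/` (`/home/ r`, `/home/.fscrypt/policies/ r`, `owner /home/.fscrypt/policies/@{hex32} r`, `owner /home/.fscrypt/protectors/@{hex16}.link r`) under an `#aa:lint ignore=tunables`, while the rest of this profile reaches user data through tunables; on a system whose home directories live elsewhere, the fscrypt step at login (presumably pam_fscrypt, given `/etc/fscrypt.conf` and `@{run}/fscrypt/@{uid}.count`) would be silently denied once the profile is enforced. If the literal is intentional because fscrypt keeps its metadata at the mount-point root, say so next to the lint ignore; otherwise switch these lines to `@{HOMEDIRS}/.fscrypt/...`. `owner @{user_cache_dirs}/ w` is also new and unexplained — a one-line why-comment would help. The profile body starts and ends outside this hunk.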
@@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, @@ -73,7 +73,7 @@ profile gdm-xsession @{exec_path} { peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr, - + owner @{HOME}/.xsession-errors w, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 19b33d743..3652dd6e9 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -3,29 +3,42 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +# TODO: Rethink this profile: +# - Access to gio from a profile is handled by child-open-* +# - Direct access should only be needed is some special context and it should not +# require access to that much resources. + +abi , include @{exec_path} = @{bin}/gio @{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop -@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop +@{exec_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include + include include include include include include + include + include @{exec_path} mr, @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, + @{lib}/*/** rPx, + @{lib}/* rPx, owner @{HOME}/{,**} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, @{run}/mount/utab r, @@ -36,7 +49,6 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs new file mode 100644 index 000000000..de9d25a14 --- /dev/null 
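Review bot: `@{lib}/* rPx` and `@{lib}/*/** rPx` turn gio-launch-desktop into a generic launcher for every executable under `@{lib}`, in a profile that also keeps `owner @{HOME}/{,**} rw` and `attach_disconnected`; the new TODO header says direct access should be rare and should not need this many resources, so these rules go the opposite way. `Px` at least refuses anything without a profile, but a glob-wide Px hides which helper actually needed it — please list the observed helper path(s) one per line, or route them through the `child-open-*` profiles the comment refers to. `owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r` likewise looks specific to one caller (wl-copy); a comment naming it would help.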
+++ b/apparmor.d/groups/gnome/gjs 
@@ -0,0 +1,133 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# GNOME JavaScript interpreter. It is used to run some gnome internal app +# as well as third party extensions. +# +# Therefore, by default, some extension are confined under this profile. To fix +# this, the various programs using gjs must never run gjs as module, they need +# to run it as executable with a specific script. +# +# This currently concerns: +# - gnome-extension-ding (used to not be started as a module) +# - org.gnome.ScreenSaver (simple dbus service) +# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...) +# - org.gnome.Shell.Notifications (simple dbus service) +# - org.gnome.Shell.Screencast (simple dbus service) + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gjs @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + # Only needed by org.gnome.Shell.Extensions + include + include + + # Only needed by gnome-extension-ding + include + include + include + include + include + include + include + include + + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm, + + #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + #aa:dbus own bus=session name=org.gnome.Shell.Screencast + 
#aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell + + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.gnome.ScreenSaver + #aa:dbus own bus=session name=org.gnome.Shell.Extensions + #aa:dbus own bus=session name=org.gnome.Shell.Notifications + + @{exec_path} mrix, + + # gnome-extension-ding + @{sh_path} rix, + @{bin}/env rix, + @{bin}/gnome-control-center rPx, + @{bin}/nautilus rPx, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + + /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gnome-shell/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /usr/share/thumbnailers/{,**} r, + + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/dri/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + profile gstreamer { + include + include + include + include + include + + network (bind create getattr setopt getopt) netlink raw, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, + 
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/gstreamer-1.0/gst-plugin-scanner mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console deleted file mode 100644 index 0fc2add0e..000000000 --- a/apparmor.d/groups/gnome/gjs-console +++ /dev/null 
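Review bot: the profile owns `org.freedesktop.Notifications`, `org.gnome.ScreenSaver` and `org.gnome.Shell.Extensions` on the session bus while its own header states that third-party extensions executed through gjs-console end up confined here, so any such extension script can claim the notification or screensaver service name and impersonate it toward other confined clients. Until the per-script split the header describes exists, make the trade-off explicit on the `own` block, e.g. `# NOTE: any script run as gjs-console can claim these names; see header`. Likewise `unix type=stream peer=(label=gnome-shell),` carries no access-mode list and therefore grants every socket operation toward gnome-shell; restricting it to what was observed, e.g. `unix (send, receive) type=stream peer=(label=gnome-shell),`, would be tighter.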
@@ -1,94 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. Therefore, by default, some extension are -# confined under this profile. The resulting profile is quite broad. -# This architecture needs to be rethinked. - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs-console @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - signal (receive) set=(term hup) peer=gdm*, - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - - dbus send bus=session path=/org/gnome/Mutter/ScreenCast - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell.Extensions - member=ListExtensions - peer=(name=:*, label=gnome-shell), - - @{exec_path} mr, - - @{bin}/ r, - @{bin}/* PUx, - @{lib}/** PUx, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /etc/openni2/OpenNI.ini r, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - owner 
@{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, - owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - - /tmp/ r, - /var/tmp/ r, - - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/tty rw, - /dev/tty@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gkbd-keyboard-display b/apparmor.d/groups/gnome/gkbd-keyboard-display index 7b9fc07cd..18b11e9be 100644 --- a/apparmor.d/groups/gnome/gkbd-keyboard-display +++ b/apparmor.d/groups/gnome/gkbd-keyboard-display @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes new file mode 100644 index 000000000..cd46dd069 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-boxes 
@@ -0,0 +1,105 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-boxes +profile gnome-boxes @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{open_path} rPx -> child-open, + + @{bin}/qemu-img rix, + @{bin}/virsh rCx -> virsh, + @{bin}/virtqemud rPUx, + + /usr/share/ladspa/rdf/{,*} r, + /usr/share/osinfo/{,**} r, + /usr/share/gnome-boxes/{,**} r, + + /etc/qemu/bridge.conf r, + + @{MOUNTS}/ r, + owner @{HOME}/ r, + + # For disk images + owner @{user_img_dirs}/{,**} rw, + owner @{user_vm_dirs}/{,**} rw, + + owner @{user_cache_dirs}/gnome-boxes/ rw, + owner @{user_cache_dirs}/gnome-boxes/** rwk, + owner @{user_cache_dirs}/libvirt/qemu/log/*.log r, + + owner @{user_config_dirs}/gnome-boxes/ rw, + owner @{user_config_dirs}/gnome-boxes/** rwk, + + owner @{user_share_dirs}/gnome-boxes/ rw, + owner @{user_share_dirs}/gnome-boxes/** rwk, + + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/*.iso-@{rand6} rw, + owner @{tmp}/*.svg-@{rand6} rw, + + owner @{run}/user/@{uid}/libvirt/ rw, + owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + + @{run}/mount/utab r, + + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/@{pci}/usb@{int}/** r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + 
profile virsh { + include + include + + @{bin}/virsh mr, + @{bin}/pkttyagent r, + + owner @{run}/user/@{uid}/libvirt/ r, + owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + + @{sys}/devices/system/node/ r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index 09ac8dbad..e95762b6a 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,15 +11,14 @@ profile gnome-browser-connector-host @{exec_path} { include include include + include @{exec_path} mr, @{bin}/env rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2ac0e4ca7..4ab9b165f 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -2,14 +2,15 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} { +profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include include + include include # Needed to get currency exchange rates @@ -19,8 +20,12 @@ profile gnome-calculator @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Calculator + @{exec_path} mr, + @{open_path} rPx -> child-open-help, + include if exists } 
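Review bot: `@{bin}/virtqemud rPUx` falls back to running the libvirt QEMU driver unconfined whenever no `virtqemud` profile is loaded, and that daemon is presumably what ends up spawning QEMU with the disk images granted under `@{user_img_dirs}` and `@{user_vm_dirs}`; if this profile set ships a virtqemud profile, `rPx` would make the dependency explicit, otherwise a comment stating that the unconfined fallback is intended is warranted. The `inet`/`inet6` stream and dgram rules are also broad for a GUI front end — if they exist only for SPICE/VNC to localhost, a comment saying so would let a later reviewer consider tightening them. In the `virsh` child, `@{bin}/pkttyagent r` without any `x` reads like a probe rather than an exec; worth confirming against the denial that produced it.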
diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index a0a5f7e6f..8400f03c1 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,12 +17,14 @@ profile gnome-calculator-search-provider @{exec_path} { signal (send) set=kill peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mrix, @{bin}/* rPUx, + owner @{user_cache_dirs}/gnome-calculator/* r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index c74292f4b..2173e3d62 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -2,16 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-calendar profile gnome-calendar @{exec_path} { include - include include - include include include include 
@@ -25,25 +23,28 @@ profile gnome-calendar @{exec_path} { #aa:dbus own bus=session name=org.gnome.Calendar - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 
path=/org/gnome/Calendar/SearchProvider label=gnome-shell @{exec_path} mr, + @{open_path} rPx -> child-open-help, /usr/share/evolution-data-server/{,**} r, /usr/share/libgweather/Locations.xml r, + owner @{tmp}/pid-@{pid}/*.ics r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 1d3285292..b5ae5672a 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,11 +11,12 @@ profile gnome-characters @{exec_path} { include include include + include include include include - #aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Characters @{exec_path} mr, @@ -23,12 +24,10 @@ profile gnome-characters @{exec_path} { @{open_path} rPx -> child-open-help, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/org.gnome.Characters/{,**} r, + /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 6e975a7dd..4b70cdfa6 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fbb3942f7..92886c887 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,15 +10,19 @@ include profile gnome-clocks @{exec_path} { include include - include - include - include + include + include include + include include - #aa:dbus own bus=session name=org.gnome.clocks + network netlink raw, + + #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.clocks.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index fc96424a9..b6474cf55 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -2,15 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-contacts profile gnome-contacts @{exec_path} { include - include - include include include include @@ -26,6 +24,7 @@ profile gnome-contacts @{exec_path} { #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon @{exec_path} mr, + @{open_path} rPx -> child-open-help, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_share_dirs}/folks/relationships.ini r, diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index a0a74f62e..0abc39acd 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 08ae20d49..9f78fb4fd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,17 +10,17 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include - include + include include include - include include - include + include include include include include include + include include include include 
@@ -32,56 +32,71 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (send) set=(kill) peer=unconfined, - signal (send) set=(kill) peer=passwd, - - unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - - dbus bus=session, - dbus bus=system, + signal send set=kill peer=unconfined, + signal send set=kill peer=passwd, #aa:dbus own bus=session name=org.gnome.Settings + #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd + #aa:dbus talk bus=session name=org.bluez.obex label=obexd + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences + #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 
label="@{p_ModemManager}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @{bin}/@{shells} rUx, @{bin}/gcm-viewer rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/sed rix, - @{bin}/tecla rix, + @{bin}/tecla rPx, @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{bin}/passwd rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, - @{bin}/usermod rPx, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rPx, + @{sbin}/usermod rPx, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, @{lib}/gnome-control-center-print-renderer rPx, /usr/share/language-tools/language2locale rix, /usr/share/language-tools/language-options rPUx, - @{open_path} rPx -> child-open-browsers, + @{open_path} rPx -> child-open-any, - /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, - /usr/share/desktop-base/**.{xml,png,svg} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/gnome-background-properties/{,**} r, /usr/share/gnome-bluetooth{-*,}/{,**} r, 
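Review bot: `@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,` in this hunk now runs the WebKit network process inside gnome-control-center's own profile instead of the separate transition the replaced `rPx` line gave it, so every rule of this wide profile (samba, AccountsService, cgroup, tmp, the new `/ r,`) is also granted to the process that talks to the network. If that is deliberate because no dedicated profile is expected to apply to this instance, record it, e.g. `# WebKitNetworkProcess stays in this profile on purpose: no dedicated profile applies here — TODO confirm`; otherwise keep `rPx`. The same hunk widens `@{open_path}` from `child-open-browsers` to `child-open-any`, which deserves a one-line reason of its own.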
@@ -94,10 +109,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/wallpapers/{,**} r, /usr/share/xml/iso-codes/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/machine-info r, /etc/rygel.conf r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, /etc/fstab r, /etc/machine-id r, @@ -107,18 +122,22 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /var/cache/samba/ rw, /var/lib/AccountsService/icons/* r, + / r, + owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/.cert/nm-openvpn/*.pem r, owner @{HOME}/.face r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-control-center/{,**} rw, + owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/@{hex32}.png.@{rand6} rw, owner @{user_config_dirs}/background rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, @@ -128,6 +147,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/icc/{,edid-*} r, + owner @{tmp}/@{hex12}@{h} rw, + owner @{tmp}/@{rand8} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/samba/ rw, 
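Review bot: `owner @{tmp}/@{hex12}@{h} rw,` and `owner @{tmp}/@{rand8} rw,` in the last hunk match practically any short random filename under the user's tmp directory and carry no comment saying which component creates them. The neighbouring `gdkpixbuf-xpm-tmp.@{rand6}` rule shows the preferred shape: a recognisable prefix plus the random part. Narrow them to the real prefix if one exists, or state why the names are opaque, e.g. `# Anonymous temp files created by <component> — TODO confirm`.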
@@ -143,7 +164,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/ r, @{sys}/class/ r, @@ -153,45 +174,45 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, @{sys}/firmware/acpi/pm_profile r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, @{PROC}/cmdline r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/zoneinfo r, + @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/*/comm rw, /dev/ r, - /dev/media@{int} r, - /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - profile bwrap { + profile bwrap flags=(attach_disconnected) { include include @{bin}/bwrap mr, - + include if exists } profile pkexec { include - - @{bin}/pkexec mr, - + include + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 72f5867a4..8b813d260 100644 
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -2,19 +2,16 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include - include + include include include - include - include - include include include include @@ -39,7 +36,7 @@ profile gnome-control-center-goa-helper @{exec_path} { @{exec_path} mr, - @{bin}/bwrap rPUx, + @{bin}/bwrap rCx -> bwrap, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @@ -48,9 +45,11 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{user_config_dirs}/goa-1.0/accounts.conf r, - owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/ rw, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/** rwl, - owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk, + owner @{user_share_dirs}/gnome-control-center-goa-helper/ rw, + owner @{user_share_dirs}/gnome-control-center-goa-helper/** rwk, owner @{user_share_dirs}/webkitgtk/{,**} rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, @@ -63,6 +62,15 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + profile bwrap flags=(attach_disconnected,complain) { + include + include + + @{bin}/bwrap mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 22784f1d5..cbd1f1a75 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer 
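Review bot: the new `profile bwrap flags=(attach_disconnected,complain) {` in the last hunk ships a child profile that only logs violations, so the tightening from `rPUx` to `rCx -> bwrap` in the earlier hunk does not yet enforce anything for bwrap. That is a reasonable staging step, but the flag should be marked as temporary so it is not forgotten, e.g. `# complain: bwrap rules still being collected, drop the flag once they are stable`. The enclosing gnome-control-center-goa-helper profile starts outside the hunk.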
@@ -2,16 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include - include include include include @@ -24,6 +22,7 @@ profile gnome-control-center-print-renderer @{exec_path} { / r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index b584a8c1a..6d24e72c1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,14 +10,12 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include include include include - dbus bind bus=session name=org.gnome.Settings.SearchProvider, - dbus receive bus=session path=/org/gnome/Settings/SearchProvider - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*, label=gnome-shell), + #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index bb1f5012a..8c637920b 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -27,6 +27,9 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + owner /dev/shm/lttng-ust-wait-@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index fe743f186..d9959691b 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -2,17 +2,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include + include + include + include include include include + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + @{exec_path} mr, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index 575668029..4d5301262 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension new file mode 100644 index 000000000..e13eca832 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-extension 
@@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# gjs started from gnome-shell should (in theory) only run gnome extensions. + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gnome-extension { + include + include + include + include + include + include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index d8c5a9cfe..9f848be8e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding 
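Review bot: `profile gnome-extension {` declares no attachment path even though `@{exec_path} = @{bin}/gjs-console` is defined just above it, so the profile can only be entered through an explicit transition from another profile and never attaches by itself. That looks intentional given the comment about gjs started from gnome-shell, but it should be said in the file, e.g. `# No attachment on purpose: entered only via an rPx -> gnome-extension transition from gnome-shell`. The transition rule itself is not in this diff, so confirm that it exists and that `@{bin}/gjs-console` is not also attached by another profile.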
@@ -2,52 +2,47 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}ding.js +@{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com +@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com + +@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js profile gnome-extension-ding @{exec_path} { include include - include include include include - include include - include - include - include - include - include - include - include + include + include + include + include + include include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), - #aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions - #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions + #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + member=Introspect + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-system), - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=Set - peer=(name=:*, label=gvfsd-metadata), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, 
@@ -57,11 +52,11 @@ profile gnome-extension-ding @{exec_path} { @{bin}/gnome-control-center rPx, @{bin}/nautilus rPx, - /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}* r, + @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 5808aecad..2592eb77e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -2,27 +2,34 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/ -@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/ +@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io +@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io -@{exec_path} = @{share_dirs}/service/daemon.js +@{exec_path} = @{share_dirs}/service/daemon.js @{share_dirs}/gsconnect-preferences profile gnome-extension-gsconnect @{exec_path} { include include - include include include + include + include + include + include + include + include + include + include include - include - include - include + include include + include include include + include network inet dgram, network inet6 dgram, 
@@ -30,16 +37,21 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus} + + dbus eavesdrop bus=session, + @{exec_path} mr, + @{sh_path} rix, @{bin}/env rix, @{bin}/gjs-console rix, @{bin}/openssl rix, - @{sh_path} rix, @{bin}/ssh-add rix, - @{bin}/ssh-keygen rPx, - @{bin}/xdg-screensaver rPx, + @{bin}/dconf rPx, + @{bin}/ssh-keygen rPx, + @{bin}/xdg-screensaver rPx, @{lib}/gio/modules/*.so* rm, @{lib}/girepository-1.0/* r, @@ -49,28 +61,27 @@ profile gnome-extension-gsconnect @{exec_path} { @{share_dirs}/{,**} r, @{share_dirs}/gsconnect-preferences rix, - /etc/machine-id r, - owner @{user_cache_dirs}/gsconnect/{,**} rw, - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/gsconnect/{,**} rw, owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{user_share_dirs}/ r, + owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r, - owner @{run}/user/@{uid}/gsconnect/ w, + owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + + owner @{run}/user/@{uid}/gsconnect/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/virtual/dmi/id/chassis_type r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/shm/ r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index d3ed3794b..3b23d4ffc 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
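Review bot: `dbus eavesdrop bus=session,` lets the gsconnect daemon observe every message on the user's session bus, not only traffic addressed to it, and the hunk gives no reason for it. Together with `owner @{run}/user/@{uid}/keyring/ssh rw,` in the following hunk this makes the profile one of the more privileged desktop ones, so both lines should name the feature that requires them, e.g. `# Eavesdrop: needed by <feature> — TODO confirm` and `# SSH agent socket: needed by <feature> — TODO confirm`. If a `dbus receive` rule on the specific interfaces covers the real need, prefer that over eavesdrop.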
@@ -32,6 +32,7 @@ profile gnome-extension-manager @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index ffa771be4..0a65c95f2 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,13 +16,12 @@ profile gnome-extensions-app @{exec_path} { @{sh_path} rix, @{bin}/gjs-console rix, + @{open_path} rPx -> child-open-help, /usr/share/gnome-shell/org.gnome.Extensions* r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/terminfo/** r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index 307fc06e3..706c16e87 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,10 +20,11 @@ profile gnome-firmware @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-font-viewer b/apparmor.d/groups/gnome/gnome-font-viewer new file mode 100644 index 000000000..0895bd7f0 --- /dev/null 
+++ b/apparmor.d/groups/gnome/gnome-font-viewer @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-font-viewer +profile gnome-font-viewer @{exec_path} { + include + include + + @{exec_path} mr, + @{open_path} rPx -> child-open-help, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index c3904d836..7439e0fb6 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -2,20 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include - include include include - include include include - include include include include @@ -29,7 +26,12 @@ profile gnome-initial-setup @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.InitialSetup interface=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions + + dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=com.canonical.UbuntuAdvantage), @{exec_path} mr, @@ -41,13 +43,14 @@ profile gnome-initial-setup @{exec_path} { @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, + @{lib}/@{multiarch}/ld-linux-*.so* rix, /usr/share/dconf/profile/gdm r, /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/timezone r, /etc/gdm{,3}/custom.conf r, 
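Review bot: the new `dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager` rule in the gnome-initial-setup hunk `@@ -29,7 +26,12 @@` identifies its peer only by bus name, `peer=(name=com.canonical.UbuntuAdvantage)`, with no `label=`, while every `#aa:dbus talk` line around it pins the peer's profile label. Without a label, any process that comes to own that name is an acceptable peer. Add the owning daemon's label or note why it is left out, e.g. `peer=(name=com.canonical.UbuntuAdvantage, label="<ubuntu-advantage-daemon-profile>")`.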
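Review bot: `@{lib}/@{multiarch}/ld-linux-*.so* rix,` in the gnome-initial-setup hunk `@@ -41,13 +43,14 @@` runs the dynamic loader inside this profile, and the loader executes whatever program it is given, so a file readable by gnome-initial-setup can end up running under these rules without going through the `rPx` transitions listed above it. If direct loader invocation is really required, document which code path triggers it, e.g. `# ld.so invoked directly by <helper> — TODO confirm`, so the rule is not widened further by accident. The profile body continues outside the hunk.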
@@ -73,6 +76,10 @@ profile gnome-initial-setup @{exec_path} { @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 722a69fe7..e39ef0dc0 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -3,26 +3,31 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include include include include include - include + include capability ipc_lock, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=ssh-agent, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=ssh-agent, + + unix type=stream peer=(label=snap.*), #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal dbus receive bus=session interface=org.freedesktop.DBus.Introspectable 
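Review bot: `unix type=stream peer=(label=snap.*),` in the gnome-keyring-daemon hunk carries no access qualifier, which in AppArmor means every unix-socket operation is allowed with any snap-confined peer, in the profile that guards the user's secrets. List the operations the keyring actually performs with snaps and say why, e.g. `unix (send, receive, accept) type=stream peer=(label=snap.*), # snaps reaching the secret-service socket — TODO confirm`. The other new line, `#aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop`, also changes what the daemon exposes and would benefit from a one-line comment.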
@@ -32,12 +37,13 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mr, @{bin}/ssh-add rix, @{bin}/ssh-agent rPx, + @{lib}/gcr-ssh-askpass rPUx, /etc/gcrypt/hwf.deny r, diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index ab0a6144f..5e3ab03bd 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile gnome-logs @{exec_path} { include @{exec_path} mr, + @{open_path} rPx -> child-open-help, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 36f93215f..705857391 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,6 +22,8 @@ profile gnome-maps @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + audit @{bin}/gjs-console rix, owner @{user_pictures_dirs}/** rw, @@ -43,7 +45,6 @@ profile gnome-maps @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index be07256ae..2f9795ceb 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -17,6 +17,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, @@ -28,10 +29,13 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.Tracker3.Writeback label=tracker-writeback @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + @{bin}/ r, @{bin}/env r, - @{bin}/python3.@{int} rix, - @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/gnomemusic/__pycache__/{,**} rw, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, @@ -45,10 +49,9 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 410953e49..31d9b7987 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -2,19 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include + include include @{exec_path} mr, - /usr/share/mime/mime.cache r, - owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes index c2e11a805..900259447 100644 --- a/apparmor.d/groups/gnome/gnome-recipes +++ b/apparmor.d/groups/gnome/gnome-recipes 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,6 +24,7 @@ profile gnome-recipes @{exec_path} { @{exec_path} mr, @{bin}/tar rix, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index dab1f58a9..c3631ddb7 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,11 +15,15 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, + network netlink raw, - #aa:dbus own bus=session name=org.gnome.RemoteDesktop.User + #aa:dbus own bus=system name=org.gnome.RemoteDesktop #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index e349d85c1..257e91c0a 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -2,24 +2,36 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include + include include + include + include include include + signal receive set=term peer=gdm, + signal receive set=term peer=gdm-session, + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, @{shells_path} rix, @{bin}/cat rix, - @{bin}/gettext.sh r, + @{bin}/find rix, @{bin}/gettext rix, - @{bin}/grep rix, + @{bin}/gettext.sh r, + @{bin}/{,e}grep rix, @{bin}/head rix, @{bin}/id rix, @{bin}/locale rix, 
@@ -27,10 +39,13 @@ profile gnome-session @{exec_path} { @{bin}/manpath rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/run-parts rix, @{bin}/sed rix, + @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, - @{bin}/uname rPx, + @{bin}/uname rix, + @{bin}/xargs rix, @{bin}/dpkg-query rpx, @{bin}/flatpak rCx -> flatpak, @@ -55,7 +70,12 @@ profile gnome-session @{exec_path} { /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, /dev/tty@{int} rw, @@ -65,7 +85,7 @@ profile gnome-session @{exec_path} { include @{bin}/flatpak mr, - + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 49ed8285a..5359a70df 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -2,26 +2,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include - include include - include - include include - include + include include include include include + include network inet stream, network inet6 stream, 
@@ -29,20 +26,16 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term) peer=gsd-*, + signal receive set=(term, hup) peer=gdm*, + signal send set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} - peer=(name=org.freedesktop.DBus label=dbus-session), - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={CanPowerOff,PowerOff,Reboot} - peer=(name=:*, label=systemd-logind), + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager @@ -51,19 +44,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/dbus-daemon rPx -> dbus-session, - @{bin}/env rix, - @{bin}/gnome-session rPx, - @{bin}/gnome-shell rPx, + @{bin}/tput rix, @{bin}/session-migration rPx, + @{lib}/gnome-session-check-* rPx, + @{lib}/gnome-session-failed rix, - @{lib}/gnome-session-check-accelerated rix, - @{lib}/gnome-session-check-accelerated-gl-helper rix, - @{lib}/gnome-session-check-accelerated-gles-helper rix, - @{lib}/gnome-session-failed rix, - - @{lib}/gio-launch-desktop rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, 
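Review bot: `#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"` widens the login1 access from the removed send rule limited to `member={CanPowerOff,PowerOff,Reboot}` to whatever the `talk` directive generates for the whole name, presumably send and receive on every interface and member. If the wider set is needed for other login1 calls made by gnome-session-binary, a one-line comment naming them next to the directive would justify the change; otherwise the member allowlist was the tighter rule and could be kept alongside it. The session-bus `dbus send` to `org.freedesktop.DBus` also drops `GetConnectionUnixUser` and `GetConnectionUnixProcessID`, which is a reduction that will surface as denials if anything still uses them. The enclosing profile continues outside the hunk.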
@@ -71,15 +58,18 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, @@ -87,9 +77,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority rw, @@ -99,9 +90,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/{vendor,device} r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, 
@@ -111,49 +103,22 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include - include + include + include + @{bin}/env rix, + @{sh_path} r, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - @{sh_path} rix, - @{bin}/aa-notify rPx, - @{bin}/blueman-applet rPx, - @{bin}/firewall-applet rPx, - @{bin}/gnome-keyring-daemon rPx, - @{bin}/gnome-shell rPx, - @{bin}/gnome-software rPx, - @{bin}/im-launch rPx, - @{bin}/keepassxc rPx, - @{bin}/opensuse-welcome rPx, - @{bin}/parcellite rPUx, - @{bin}/pkcs11-register rPx, - @{bin}/snap rPUx, - @{bin}/snapshot-detect rPUx, - @{bin}/spice-vdagent rPx, - @{bin}/start-pulseaudio-x11 rPx, - @{bin}/ubuntu-report rPx, - @{bin}/update-notifier rPx, - @{bin}/xbrlapi rPx, - @{bin}/xdg-user-dirs-gtk-update rPx, - @{bin}/xdg-user-dirs-update rPx, - @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, - @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rPx, - @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx, - @{lib}/caribou/caribou rPUx, - @{lib}/deja-dup/deja-dup-monitor rPx, - @{lib}/gsd-* rPx, - @{lib}/update-notifier/ubuntu-advantage-notification rPx, - @{lib}/xapps/sn-watcher/* rPUx, - @{thunderbird_path} rPx, - /usr/share/libpam-kwallet-common/pam_kwallet_init rPUx, + @{lib}/** PUx, + @{bin}/** PUx, + /opt/*/** PUx, + /usr/share/*/** PUx, + /usr/local/bin/** PUx, + /usr/games/** PUx, - #aa:exec baloo - #aa:exec evolution-alarm-notify - @{lib}/kdeconnectd rPUx, - @{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx, - - /dev/tty@{int} rw, + /dev/tty rw, include if exists include if exists diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check new file mode 100644 index 000000000..44755aef2 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-check 
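Review bot: The `open` child profile replaces a per-binary allowlist, almost entirely `rPx`, with `@{lib}/** PUx`, `@{bin}/** PUx`, `/opt/*/** PUx`, `/usr/share/*/** PUx`, `/usr/local/bin/** PUx` and `/usr/games/** PUx`, so any executable under those trees that has no dedicated profile now runs unconfined when launched through gio-launch-desktop. The same globs appear in gnome-shell's `open` child later in this diff, where the profile is additionally marked `complain`; this one is enforced, so the policy intent deserves a comment, e.g. `# Launcher for arbitrary .desktop entries: unconfined fallback accepted when no profile exists.` `/usr/share/*/**` is a data tree rather than a binary directory, so if only a few launchers under it are needed, naming them would keep the exec surface smaller. The closing braces of `open` and of the enclosing profile are outside the hunk.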
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-check-* +profile gnome-session-check @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{lib}/gnome-session-check-accelerated-gl-helper ix, + @{lib}/gnome-session-check-accelerated-gles-helper ix, + + /usr/share/gnome-session/hardware-compatibility r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index 220a9cac3..04c4ce628 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl +++ b/apparmor.d/groups/gnome/gnome-session-ctl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f1b3ad7a0..24c069e72 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,44 +10,39 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include + include include include include - include - include include include include include - include - include - include - include + include include - include include include - include include - include - include - include - include - include + include + include + include + include include include include include include include + include include + include include + include include include - include + include capability sys_nice, capability sys_ptrace, 
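Review bot: The attachment glob `@{exec_path} = @{lib}/gnome-session-check-*` also matches the two helpers that are given `ix`, so executing `gnome-session-check-accelerated-gl-helper` from this profile stays in the current profile instead of re-attaching; that is a valid choice, but a comment such as `# Helpers share this profile's attachment glob; ix keeps them in the same profile` would explain why they are listed separately. The helper lines carry no `r`, which only works here because `@{exec_path} mr` already matches them.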
@@ -59,16 +54,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), - ptrace (readby) peer=pipewire, + ptrace read, - signal (receive) set=(term, hup) peer=gdm*, - signal (send), + signal receive set=(term, hup) peer=gdm*, + signal send, unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), - unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), # Owned by gnome-shell 
@@ -76,74 +69,65 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Mutter #aa:dbus own bus=session name=org.gnome.Shell - #aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity + #aa:dbus own bus=session name=com.canonical.{U,u}nity + #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension + #aa:dbus own bus=session name=org.ayatana.NotificationItem + #aa:dbus own bus=session name=org.freedesktop.a11y.Manager + #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications + #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + # Talk with gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + # The strategy with dbus rules in this profile is first to declare all communications + # needed on buses and to limit them only to their profiles in apparmor.d. As such, + # only dbus directive is used for this. Later, some communications could be + # restricted. 
+ + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy + #aa:dbus talk bus=session name=org.gnome.* label=gnome-* + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* + #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console - #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* - - # System bus - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=RegisterAuthenticationAgent - peer=(name=:*, label=polkitd), - dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication - peer=(name=:*, label=polkitd), - - dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager - interface=org.freedesktop.NetworkManager.AgentManager - member={RegisterWithCapabilities,Unregister} - peer=(name=:*, label=NetworkManager), - - dbus send bus=system 
path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-system), + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" # Session bus - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + dbus send bus=session path=/org/gnome/** + peer=(name=org.gnome.*), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/ interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + member={GetNameOwner,ListNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed peer=(name=org.a11y.atspi.Registry), - dbus send bus=session path=/org/gtk/vfs/** - interface=org.gtk.vfs.* - peer=(name=:*, label=gvfsd*), - - dbus send bus=session path=/org/ayatana/NotificationItem/* - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=:*, label=update-notifier), - dbus receive bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved 
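Review bot: Two of the new session-bus rules drop the peer label that the rest of the block relies on: `#aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=*` and `dbus send bus=session path=/org/gnome/** peer=(name=org.gnome.*)` match any process holding an `org.gnome.*` name, confined or not. The strategy paragraph added above says such communications may be restricted later, so a marker on those two lines would keep that intent actionable, e.g. `# TODO: restrict label= once the set of search providers is known`. `#aa:dbus talk bus=session name=org.gnome.* label=gnome-*` likewise covers every profile named `gnome-*`, which is broader than the per-daemon entries it sits next to. The enclosing profile continues beyond the hunk.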
@@ -167,57 +151,60 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, @{bin}/unzip rix, - @{bin}/gjs-console rPx, + @{bin}/flatpak rPx, + @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, + @{bin}/sensors rPx, + @{bin}/tecla rPx, @{bin}/Xwayland rPx, + @{bin}/nvidia-smi rPx, # FIXME; for extension only + @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, + @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper - @{sh_path} rCx -> shell, - @{lib}/gio-launch-desktop rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{sh_path} rCx -> shell, + @{bin}/pkexec rCx -> pkexec, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{python_path} rCx -> python, - /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, + @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, + /usr/share/gnome-shell/extensions/*/** rPUx, - /opt/**/share/icons/{,**} r, - /opt/*/**/*.png r, - /snap/*/@{uid}/**.png r, - /usr/share/{,zoneinfo-}icu/{,**} r, - /usr/share/**.{png,jpg,svg} r, + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, /usr/share/dconf/profile/gdm r, - /usr/share/desktop-base/** r, /usr/share/desktop-directories/{,*.directory} r, /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, 
/usr/share/libgweather/Locations.xml r, - /usr/share/libinput*/ r, - /usr/share/libinput*/{,**/}@{int2}-*.quirks r, - /usr/share/libinput*/libinput/ r, + /usr/share/libinput*/{,**} r, /usr/share/libwacom/{,*.stylus,*.tablet} r, + /usr/share/poppler/{,**} r, /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, @{system_share_dirs}/gnome-shell/{,**} r, - / r, - /.flatpak-info r, /etc/fstab r, /etc/timezone r, + /etc/tpm2-tss/*.json r, /etc/udev/hwdb.bin r, /etc/xdg/menus/gnome-applications.menu r, @@ -226,6 +213,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, + owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ w, owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk, @@ -234,6 +224,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{gdm_cache_dirs}/libgweather/ r, + owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, + owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, 
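Review bot: `@{user_share_dirs}/gnome-shell/extensions/*/** rPUx` and `/usr/share/gnome-shell/extensions/*/** rPUx` let any file under an extension directory be executed with an unconfined fallback, where the removed rule named one script (`ding.js`) with `rPx`; the first path is user-writable, so anything placed there by a process running as the user gains an unconfined exec from gnome-shell. Since `@{bin}/gjs-console` is now sent to `gnome-extension` via `rPx -> gnome-extension`, routing extension helpers to the same profile (`... rPx -> gnome-extension`) would keep them confined if that profile fits them, and if some helpers genuinely need the unconfined fallback a comment saying which would help. `@{bin}/nvidia-smi rPx, # FIXME; for extension only` reads as belonging to that extension profile rather than the main one. The enclosing profile continues past the hunk.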
@@ -241,29 +233,38 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_config_dirs}/pulse/ rw, owner @{gdm_config_dirs}/pulse/client.conf r, owner @{gdm_config_dirs}/pulse/cookie rwk, + owner @{gdm_local_dirs}/ w, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/applications/{,**} r, owner @{gdm_share_dirs}/gnome-shell/{,**} rw, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, + owner @{HOME}/.mozilla/native-messaging-hosts/ rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, + owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, + owner @{HOME}/.var/app/**.@{image_ext} r, owner @{HOME}/.var/app/**/ r, - owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_games_dirs}/**.{png,jpg,svg} r, - owner @{user_music_dirs}/**.{png,jpg,svg} r, + owner @{user_games_dirs}/**.@{image_ext} r, + owner @{user_music_dirs}/**.@{image_ext} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, + owner @{user_share_dirs}/dbus-1/services/ r, + owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner 
@{user_share_dirs}/gnome-shell/extensions/{,**} r, 
@@ -271,53 +272,60 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, - owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, + owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, + owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, + owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner /dev/shm/.org.chromium.Chromium.* rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, - @{run}/systemd/inhibit/[0-9]*.ref rw, 
@{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, @{sys}/bus/ r, @@ -326,7 +334,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, + @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, 
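Review bot: The rewritten inline comments on the `@{run}/udev/data/+*` lines mix capitalised and lower-case openings (`# For Inter-Integrated Circuit …`, `# For Human Interface Device …`, `# For network interfaces` next to `# for mouse, keyboard, touchpad` and `# for sound card`); pick one form for the block. `owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw` broadens the directory part from `snap.snap*` to any `snap.*` while tightening the file suffix, which is fine but worth a word since it is easy to read as a pure tightening. The enclosing profile continues past the hunk.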
@@ -339,6 +349,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -351,10 +364,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{PROC}/ r, @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/@{tid}/stat r, - @{PROC}/@{pids}/cmdline r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @@ -364,24 +375,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/input/event@{int} rw, - /dev/media@{int} rw, - /dev/tty@{int} rw, + /dev/tty@{int} rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, profile shell flags=(attach_disconnected,mediate_deleted) { include - + capability sys_ptrace, - ptrace (read), + ptrace read, @{sh_path} mr, - - @{bin}/pmap rix, - @{bin}/grep rix, + + @{bin}/cat rix, + @{bin}/{,e}grep rix, + @{bin}/kmod rPx -> gnome-shell//lsmod, + @{bin}/pmap rix, @{sys}/devices/system/node/ r, 
@@ -394,20 +409,58 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } - profile open flags=(attach_disconnected,mediate_deleted) { + profile lsmod flags=(attach_disconnected,mediate_deleted) { include - include + include - unix receive type=stream, + @{sys}/module/{,**} r, + include if exists + } + + profile pkexec { + include + include + + ptrace read peer=gnome-shell, + + @{bin}/pkexec mr, + + /usr/local/bin/batteryhealthchargingctl{,-@{user}} rPx, + @{bin}/batteryhealthchargingctl{,-@{user}} rPx, + + include if exists + } + + profile python { + include + include + + # /usr/share/gnome-shell/extensions/{,**} + + include if exists + } + + profile open flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + network inet stream, + network unix stream, + + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - @{lib}/* PUx, - /usr/games/* PUx, - /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, + @{lib}/** PUx, + @{bin}/** PUx, + /opt/*/** PUx, + /usr/share/*/** PUx, + /usr/local/bin/** PUx, + /usr/games/** PUx, - owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index cc56eff59..37bb7b374 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer 
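Review bot: The new `python` child profile has no rule for the interpreter it is entered with: `@{python_path} rCx -> python` in the earlier hunk transitions here, but the body holds only two includes and a commented path (`# /usr/share/gnome-shell/extensions/{,**}`), so the transition will presumably fail on a missing `@{python_path} mr,` unless an include supplies it (include targets are stripped from this rendering, so that cannot be confirmed here). The `open` child is declared `flags=(attach_disconnected,mediate_deleted,complain)`; a comment beside it stating that complain mode is intentional and what would end it would keep it from shipping silently, especially since the sibling `open` child in gnome-session-binary uses the same `PUx` globs in enforce mode. The closing brace of `open` is outside the hunk.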
@@ -30,14 +31,11 @@ profile gnome-shell-calendar-server @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=:*, label=gnome-shell), @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/{,zoneinfo-}icu/{,**} r, - /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index f0e9bf398..56e448fd8 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,11 +10,10 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, - @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gnome/gnome-shell-overrides-migration b/apparmor.d/groups/gnome/gnome-shell-overrides-migration index d041df4de..8d5cc4d1d 100644 --- a/apparmor.d/groups/gnome/gnome-shell-overrides-migration +++ b/apparmor.d/groups/gnome/gnome-shell-overrides-migration @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 9bdb0cfc0..0b1602fbb 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -2,18 +2,21 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include - include + include + include + include + include + include include - include - include include + include include include 
@@ -26,11 +29,22 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + #aa:dbus own bus=session name=org.freedesktop.PackageKit + #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=@{busname}, label=polkitd), + @{exec_path} mr, @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @@ -39,6 +53,8 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/byobu/desktop/{,**} r, + /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/xml/iso-codes/{,**} r, 
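Review bot: The new PolicyKit `dbus receive` rule pins `label=polkitd`, while the directives added in this same change use profile-name variables for system daemons (`label="@{p_packagekitd}"` two lines above it, `label="@{p_colord}"`, `label="@{p_upowerd}"` and `label="@{p_systemd_logind}"` in the gsd profiles); if an equivalent variable exists for polkitd it should be used here so the rule presumably also matches on builds where that daemon is not confined. The same literal-label form appears in `label=udisksd` in the gsd-disk-utility-notify hunk and `label=NetworkManager` in the gsd-sharing hunk further down. The enclosing gnome-software profile starts and ends outside the hunk.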
@@ -64,30 +80,34 @@ profile gnome-software @{exec_path} { /var/lib/PackageKit/offline-update-competed r, /var/lib/PackageKit/prepared-update r, - /var/lib/swcatalog/icons/**.png r, - /var/lib/swcatalog/yaml/ r, + /var/lib/swcatalog/** r, /var/tmp/flatpak-cache-*/ rw, /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, - / r, - owner @{HOME}/.var/app/{,**} rw, - owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/{,**} rw, + owner @{user_download_dirs}/*.flatpakref r, + owner @{user_cache_dirs}/flatpak/{,**} rwl, + + owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, owner @{user_share_dirs}/ r, owner @{user_share_dirs}/flatpak/.changed w, + owner @{user_share_dirs}/flatpak/{app,runtime}/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, + owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, - owner @{user_share_dirs}/gnome-software/{,**} rw, - owner @{tmp}/ostree-gpg-*/ rw, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-@{rand6}/ rw, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, owner @{tmp}/#@{int} rw, owner @{run}/user/@{uid}/.dbus-proxy/ rw, 
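Review bot: The link rule `owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**` mixes `@{tmp}` on the source with a literal `/tmp/` on the target; if `@{tmp}` ever expands to something other than `/tmp` (a private per-user tmp, for instance) the link target stops matching and the rule silently fails. Writing the target as `-> @{tmp}/ostree-gpg-@{rand6}/**` keeps both sides in step. The same mixed form is rewritten in the `gpg` subprofile hunk that follows. The enclosing gnome-software profile starts and ends outside the hunk.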
@@ -102,19 +122,23 @@ profile gnome-software @{exec_path} { owner /dev/shm/flatpak-com.*/ rw, owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/sessions/@{int} r, + @{run}/systemd/users/@{uid} r, @{sys}/module/nvidia/version r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, - owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/stat r, /dev/fuse rw, - + + deny owner @{user_share_dirs}/gvfs-metadata/* r, + profile gpg { include @@ -122,34 +146,38 @@ profile gnome-software @{exec_path} { @{bin}/gpgconf mr, @{bin}/gpgsm mr, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, + @{lib}/{,gnupg/}scdaemon rix, + @{HOME}/@{XDG_GPG_DIR}/*.conf r, @{tmp}/ r, - owner @{tmp}/ostree-gpg-*/ r, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-@{rand6}/ r, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - owner @{run}/user/@{uid}/gnupg/ w, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } profile fusermount { include - include + include - capability sys_admin, + capability setuid, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - include if exists } 
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 126140401..152b28ff7 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -2,17 +2,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include - include - include - include + include + include + include + include include capability sys_ptrace, @@ -21,9 +21,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=(kill term cont stop), + signal send set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -35,8 +35,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, - /usr/share/gnome-system-monitor/{,**} r, - /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + /usr/share/byobu/desktop/{,**} r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, + + / r, + + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, owner @{run}/user/@{uid}/doc/ rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @@ -70,6 +74,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, @@ -80,8 +85,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { profile pkexec { include - - @{bin}/pkexec mr, + include include if exists } diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index db128da15..fe380dadd 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server 
+++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,22 +10,19 @@ include profile gnome-terminal-server @{exec_path} { include include - include include - include include - include include include include - signal (send) set=(hup) peer=htop, - signal (send) set=(term hup kill) peer=unconfined, + signal send set=(hup) peer=htop, + signal send set=(term hup kill) peer=unconfined, - ptrace (read) peer=htop, - ptrace (read) peer=unconfined, + ptrace read peer=htop, + ptrace read peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 @@ -38,17 +35,17 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, + @{lib}/gnome-terminal-preferences ix, + # The shell is not confined on purpose. - @{bin}/@{shells} rUx, + @{bin}/@{shells} Ux, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, - @{open_path} rPx -> child-open, - - /usr/share/icu/@{int}.@{int}/*.dat r, + @{open_path} Px -> child-open, /etc/shells r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 80ff8310d..8aa950e2c 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,13 +10,20 @@ include profile gnome-text-editor @{exec_path} { include include + include include include + include include include + #aa:dbus own bus=session name=org.gnome.TextEditor + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{exec_path} mr, + @{open_path} rPx -> child-open-help, + owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-tour b/apparmor.d/groups/gnome/gnome-tour index fc6605232..8ae95f4a0 100644 --- a/apparmor.d/groups/gnome/gnome-tour +++ b/apparmor.d/groups/gnome/gnome-tour @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile gnome-tour @{exec_path} { include @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index a04234cce..7f93b7864 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks 
@@ -2,43 +2,50 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-tweaks -profile gnome-tweaks @{exec_path} { +profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { include include - include - include + include include include + network netlink raw, + @{exec_path} mr, @{bin}/ r, + @{bin}/env r, @{bin}/ps rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{open_path} rPx -> child-open-help, - @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, - - /usr/share/gnome-tweaks/{,**} r, + @{lib}/@{python_name}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, /etc/xdg/autostart/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, - owner @{user_share_dirs}/recently-used.xbel* rw, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/bus/ r, + @{sys}/class/input/ r, + @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-user-share-webdav b/apparmor.d/groups/gnome/gnome-user-share-webdav new file mode 100644 index 000000000..d54d7476a --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-user-share-webdav 
@@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-user-share-webdav +profile gnome-user-share-webdav @{exec_path} { + include + include + + #aa:dbus own bus=session name=org.gnome.user-share.webdav + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index b2851601c..fe2bf69b2 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,6 +23,7 @@ profile gnome-weather @{exec_path} { @{exec_path} mr, @{bin}/gjs-console rix, + @{open_path} rPx -> child-open-help, /usr/share/org.gnome.Weather/{,**} r, @@ -30,9 +31,10 @@ profile gnome-weather @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 968bf154a..b7c138285 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,6 @@ profile goa-daemon @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index cf62b5f50..4509a6159 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
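Review bot: The new gnome-user-share-webdav profile contains only two includes, the bus-name ownership directive and `@{exec_path} mr`, with no `network` rule and no exec transition; if this daemon serves files or spawns a web server, as its name suggests, those accesses will surface as denials once the profile is enforced. A header comment recording how the rule set was derived, e.g. `# Minimal profile: only the D-Bus ownership and the binary itself have been exercised so far`, would tell the next maintainer what is still unverified. This hunk is the whole file.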
@@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index f9d3804c7..22aaba164 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,8 +10,10 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include + include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -26,13 +28,10 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 5c43cddf4..1a52321b1 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -2,30 +2,30 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include + include include include - include include - include - include + include include include include include + network inet stream, + signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties 
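Review bot: `network inet stream,` is added to gsd-color without a comment explaining which consumer needs a TCP socket; a colour-management helper is not an obvious network client, and an unexplained socket grant is hard to audit later. A trailing comment such as `network inet stream, # for <REASON — fill in>` would keep the justification with the rule. The same unexplained grant is added in the gsd-keyboard, gsd-media-keys and gsd-power hunks below (gsd-datetime adds the full inet/inet6 dgram and stream set, which is at least plausible for time and location lookups). The enclosing gsd-color profile ends outside the hunk.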
@@ -42,12 +42,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-*.icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-*.icc rw, - - owner /dev/tty@{int} rw, + owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index d25b4cdcc..0364f3f2b 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,10 +10,19 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include + include + include include + include + include - signal (receive) set=(term, hup) peer=gdm*, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + signal receive set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Datetime @@ -26,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, @@ -34,9 +42,13 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/geocode-glib/* r, - owner @{PROC}/@{pid}/stat r, + @{run}/systemd/sessions/@{int} r, + @{run}/systemd/users/@{uid} r, - owner /dev/tty@{int} rw, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/stat r, include if exists } 
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index d1e65865f..00ca93f19 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,10 +14,11 @@ profile gsd-disk-utility-notify @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 7194b7a2b..497462a03 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,10 +11,12 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include + include include include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -22,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Subscribe + peer=(name=org.freedesktop.systemd1), @{exec_path} mr, @@ -46,8 +48,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, - owner /dev/tty@{int} rw, - include if exists } 
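Review bot: In the gsd-housekeeping hunk, the new `dbus send` rule for `org.freedesktop.systemd1.Manager` `Subscribe` constrains the peer only by `name=org.freedesktop.systemd1` and carries no `label=`, unlike the other session-bus rules in this change, which pin the peer label (for example `peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}")` in gsd-media-keys). If a profile-name variable for the user systemd instance exists in this tree, adding `label=` with it would make the rule consistent; otherwise a comment stating that the user manager is intentionally left unpinned would record the decision. The enclosing gsd-housekeeping profile starts and ends outside the hunk.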
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index c87d6c9be..be27a873e 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -2,25 +2,25 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include + include include include - include - include - include - include + include + include include include include include + network inet stream, + signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Keyboard @@ -37,8 +37,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 1dee19713..b299ab7ff 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,77 +10,48 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include - include include - include - include + include + include + include include include include include + include signal (receive) set=(term, hup) peer=gdm*, + network inet stream, network netlink raw, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill + #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label=systemd-logind), - - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell - member={GrabAccelerators,UngrabAccelerators} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.gnome.Shell - member=AcceleratorActivated - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gsd-rfkill), - dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gsd-rfkill), + peer=(name=@{busname}, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/SettingsDaemon/Power 
interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gsd-power), + peer=(name=@{busname}, label=gsd-power), dbus receive bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-power), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), + peer=(name=@{busname}, label=gsd-power), @{exec_path} mr, @@ -93,15 +64,13 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/** - @{sys}/devices/**/usb[0-9]/{,**} r, + @{sys}/devices/**/usb@{int}/{,**} r, @{sys}/devices/@{pci}/sound/**/uevent r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, @@ -109,8 +78,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 03c23744f..d3ac6b456 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,46 +10,49 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include - include include include include - include include include include include - include - include + include include - include - include - include + include + include include include include include + include + include + include + network inet stream, network netlink raw, signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*, label=gnome-shell), + #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label=upowerd), + peer=(name=@{busname}, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Suspend + peer=(name=@{busname}, label="@{p_systemd_logind}"), @{exec_path} mr, 
@@ -59,34 +62,33 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/backlight/ r, - @{sys}/devices/@{pci}/class r, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, - @{sys}/devices/@{pci}/backlight/**/{uevent,type} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, - - @{sys}/devices/platform/**/leds/*backlight*/uevent r, - @{sys}/devices/platform/**/leds/*backlight*/max_brightness r, - @{sys}/devices/platform/**/leds/*backlight*/brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/**/leds/**/{,max_,actual_}brightness rw, + @{sys}/devices/**/leds/**/{uevent,type,enabled} r, + @{sys}/devices/**/leds/**/brightness_hw_changed r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } 
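Review bot: The brace expansion `{,max_,actual_}brightness rw` grants write access to `max_brightness` and `actual_brightness`, which the kernel exposes read-only and which the removed lines granted as `r` only; the same widening is applied to the `*_backlight`, `backlight/**`, `drm/card@{int}/**` and `leds/**` paths. Splitting each into `brightness rw` and `{max_,actual_}brightness r` restores the previous least-privilege grant, and also makes the separate `.../backlight/**/brightness rw` and `.../drm/card@{int}/**/brightness rw` lines redundant (they are subsumed by the split rules and can be dropped). The enclosing gsd-power profile starts outside the hunk.
```apparmor
  @{sys}/devices/@{pci}/*_backlight/brightness rw,
  @{sys}/devices/@{pci}/*_backlight/{max_,actual_}brightness r,
  @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r,
  @{sys}/devices/@{pci}/backlight/**/brightness rw,
  @{sys}/devices/@{pci}/backlight/**/{max_,actual_}brightness r,
  @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r,
  @{sys}/devices/@{pci}/class r,
  @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw,
  @{sys}/devices/@{pci}/drm/card@{int}/**/{max_,actual_}brightness r,
  @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r,
  @{sys}/devices/**/leds/**/brightness rw,
  @{sys}/devices/**/leds/**/{max_,actual_}brightness r,
  @{sys}/devices/**/leds/**/{uevent,type,enabled} r,
  @{sys}/devices/**/leds/**/brightness_hw_changed r,
  # … unchanged: @{PROC} rules and include if exists …
```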
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index b684c0c7c..22ec520cb 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,26 +11,34 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include + include + include + include include include network inet stream, network inet6 stream, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(hup) peer=gsd-printer, + signal receive set=(term, hup) peer=gdm*, + signal send set=(hup) peer=gsd-printer, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications # dbus receive bus=system path=/org/cups/cupsd/Notifier # interface=org.cups.cupsd.Notifier, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} + peer=(name=@{busname}, label=cups-notifier-dbus), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{lib}/gsd-printer rPx, @@ -38,8 +46,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 9db9abb09..a768c8d1e 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,7 +11,9 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { include include include - include + include + include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -29,8 +31,6 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 456361e88..7283c5c00 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -2,19 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include + include include include include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -33,8 +34,6 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - owner /dev/tty@{int} rw, - /dev/rfkill rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index e0d3dc1b0..ac2f9229d 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -2,15 +2,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include + include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -24,8 +25,6 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 4ba613fb7..9d432ae13 100644 
--- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include + include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,11 +31,15 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 + interface=org.freedesktop.NetworkManager.VPN.Connection + member=VpnStateChanged + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, @@ -41,9 +47,8 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - @{PROC}/@{pid}/cgroup r, - - owner /dev/tty@{int} rw, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index c72c9a8eb..5143b9984 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,10 +10,13 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include + include + include include + include include include + include signal (receive) set=(term, hup) peer=gdm*, 
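Review bot: In the gsd-sharing hunk, the new `dbus receive` rule hard-codes `path=/org/freedesktop/NetworkManager/ActiveConnection/3`; the object index is assigned by NetworkManager per connection and changes across sessions, so this rule only matches the machine it was recorded on. Replacing it with `path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}` covers the general case, as the other rules in this change already do for numeric path components (`/@{int}_@{hex8}`, `@{int}.ref`). The enclosing gsd-sharing profile starts and ends outside the hunk.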
@@ -28,17 +31,17 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/{,opensc/}opensc.conf r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, + /etc/tpm2-tss/* rk, /var/tmp/ r, /tmp/ r, - owner /dev/tty@{int} rw, + owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, + owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_config_dirs}/dconf/user r, + + owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index ea063aeda..ff2d30766 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -2,20 +2,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include + include include include - include - include + include + include include + include - signal (receive) set=(term, hup) peer=gdm*, + signal receive set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound @@ -28,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, @@ -36,8 +37,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/sounds/ rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 4db37cb0a..bcdb353a8 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection 
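Review bot: The tpm2_pkcs11 rules added to gsd-smartcard grant `rwk` on the user's and the GDM user's PKCS#11 token database with no comment on what exercises them; a line such as `# tpm2-pkcs11 token store used by the PKCS#11 smartcard module` above the two `.tpm2_pkcs11/` rules would make the intent clear. `/etc/tpm2-tss/* rk` also carries lock permission on a system configuration directory, which is unusual; if the audit log only shows reads, `r` is enough. The removal of `/etc/{,opensc/}opensc.conf r` presumably moved into an included abstraction, which cannot be verified from this rendering.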
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,13 +10,21 @@ include profile gsd-usb-protection @{exec_path} { include include + include + include + include include + include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection - @{exec_path} mr, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 9b6e13fdb..3d4f2cb05 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -2,18 +2,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include + include include - include - include - include + include include include include @@ -32,8 +30,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index 9c8852055..3a5ee53df 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,10 +10,17 @@ include profile gsd-wwan @{exec_path} { include include + include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists 
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 4b489c259..20151eec0 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -2,22 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include include - include include include - include + include include - include + include include include include @@ -33,17 +31,25 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings - dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.Accounts.User - member=SetInputSources - peer=(name=:*, label=accounts-daemon), + #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member={UserAdded,UserDeleted} + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} + interface=org.freedesktop.Accounts.User + member=SetInputSources + peer=(name=@{busname}, label="@{p_accounts_daemon}"), @{exec_path} mr, + @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index e756831f2..f843d6c14 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -17,7 +17,7 @@ profile kgx @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -25,20 +25,24 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, - @{bin}/vim rUx, + @{bin}/btop PUx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + @{bin}/nvtop Px, + @{bin}/vim Ux, - @{open_path} rPx -> child-open-help, + @{open_path} Px -> child-open-help, owner @{tmp}/#@{int} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch new file mode 100644 index 000000000..ea1566757 --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch 
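Review bot: `@{bin}/nvtop Px,` appears twice on the new side of the kgx hunk; the parser accepts the duplicate but it is noise that will confuse later diffs, so drop one. Separately, `btop` and `micro` get `PUx`, which falls back to unconfined execution when no profile for the target is loaded; where a profile exists in this set, `Px` keeps the launched program confined (which ones exist cannot be verified from this diff). The profile body continues outside the hunk.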
@@ -0,0 +1,80 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/localsearch @{lib}/localsearch-3 +profile localsearch @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network netlink raw, + + #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files + #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 + + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=nautilus), + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=Query + peer=(name=@{busname}, label=nautilus), + + @{exec_path} mr, + + @{lib}/localsearch-extractor-3 ix, # nnp + + /usr/share/localsearch3/{,**} r, + /usr/share/osinfo/{,**} r, + /usr/share/poppler/{,**} r, + + /etc/fstab r, + + # Allow to search user files + owner @{HOME}/ r, + owner @{HOME}/{,**} r, + owner @{MOUNTS}/{,**} r, + owner @{tmp}/*/{,**} r, + + owner @{user_cache_dirs}/tracker3/ rw, + owner @{user_cache_dirs}/tracker3/files/ rw, + owner @{user_cache_dirs}/tracker3/files/** rwk, + + owner @{GDM_HOME}/ r, + owner @{GDM_HOME}/*/ r, + owner @{gdm_cache_dirs}/tracker3/{,**} rwk, + owner @{gdm_config_dirs}/user-dirs.dirs r, + + @{run}/mount/utab r, + + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{PROC}/sys/fs/fanotify/max_user_marks r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists +} + +# vim:syntax=apparmor 
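Review bot: `@{lib}/localsearch-extractor-3 ix, # nnp` runs the extractor — the component that parses untrusted file content — inside the indexer's own profile, so a parser fault inherits read access to all of `@{HOME}` and `@{MOUNTS}` plus write access to the tracker3 cache. The `# nnp` tag presumably records that NoNewPrivileges prevents a `Px` transition; that trade-off deserves a full sentence, e.g. `# nnp: NoNewPrivileges blocks a profile transition, so the extractor shares this profile`. Also `owner @{HOME}/ r,` is already covered by `owner @{HOME}/{,**} r,` on the following line and can be dropped.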
diff --git a/apparmor.d/groups/gnome/localsearch-control b/apparmor.d/groups/gnome/localsearch-control new file mode 100644 index 000000000..354f85009 --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch-control @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/localsearch-control-3 +profile localsearch-control @{exec_path} { + include + include + + #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/localsearch-writeback b/apparmor.d/groups/gnome/localsearch-writeback new file mode 100644 index 000000000..7d50726c0 --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch-writeback @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/localsearch-writeback-3 +profile localsearch-writeback @{exec_path} { + include + include + + #aa:dbus own bus=session name=org.freedesktop.LocalSearch3.Writeback + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6d53ebf44..ea55ee902 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe 
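Review bot: The new localsearch-control and localsearch-writeback profiles grant nothing beyond their abstractions and `@{exec_path} mr` yet ship in enforce mode, whereas the equally minimal new tracker-xdg-portal profile in this commit uses `flags=(complain)`. If these two have not been exercised on a live session (the writeback service, judging by its name, presumably needs to modify user files), either add the observed accesses or mark them `flags=(complain)` so the three minimal profiles are handled consistently.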
@@ -2,22 +2,37 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include include + include include include include - signal (send) set=(kill) peer=loupe//bwrap, + unix type=stream peer=(label=loupe//bwrap), + + signal send set=kill peer=loupe//bwrap, + + #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=@{p_systemd_hostnamed}), @{exec_path} mr, @@ -28,7 +43,10 @@ profile loupe @{exec_path} flags=(attach_disconnected) { / r, - @{run}/mount/utab r, + owner @{user_cache_dirs}/glycin/{,**} rw, + + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -38,6 +56,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, @@ -45,10 +65,14 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=loupe, + unix type=stream peer=(label=loupe), + + signal receive set=kill peer=loupe, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-image-rs rix, + @{lib}/glycin-loaders/*/glycin-* rix, + + owner @{PROC}/@{pid}/fd/ r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 0a208c6ad..d5c83a31b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames 
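Review bot: In the new hostname1 rule in loupe the peer label is written `label=@{p_systemd_hostnamed}` while the other rules in this commit quote variable labels (`label="@{p_dbus_session}"`, `label="@{p_accounts_daemon}"`); write `peer=(name=@{busname}, label="@{p_systemd_hostnamed}")` for consistency. Widening `glycin-image-rs` to `glycin-*` in the bwrap child is reasonable as long as every loader under that directory is meant to run there; a short comment stating that intent would help the next reader.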
+++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -2,18 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include - include + include include - include - include + include include + include include include include @@ -26,15 +26,14 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, + owner @{gdm_cache_dirs}//fontconfig/ rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, owner @{PROC}/@{pid}/cmdline r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 66f9af691..c405a3bf8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -2,23 +2,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include - include include include include - include - include + include + include include include include 
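Review bot: `owner @{gdm_cache_dirs}//fontconfig/ rw,` in mutter-x11-frames has a doubled slash; the sibling rule on the next line uses `@{gdm_cache_dirs}/fontconfig/`. Kernel-side paths are canonical, so the rule as written most likely never matches and the directory create/open it was meant to allow would still be denied; change it to `owner @{gdm_cache_dirs}/fontconfig/ rw,`.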
@@ -26,38 +24,54 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include - # mqueue r type=posix /, + mqueue r type=posix /, + + unix type=stream peer=(label=gnome-shell), - #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.freedesktop.FileManager1 + #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} + #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Properties - member={GetAll,ListActivatableNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), - - dbus send bus=session path=/org/gtk/Notifications - interface=org.gtk.Notifications - member=AddNotification - peer=(name=org.gtk.Notifications, label=gnome-shell), + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine member=Print - peer=(name=:*, label=nautilus), + peer=(name=@{busname}, label=nautilus), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus 
interface=org.freedesktop.DBus member=ListActivatableNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/dbus interface=org.freedesktop.DBus member=NameHasOwner - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus send bus=session + interface=org.freedesktop.Application + member=Open, + + dbus send bus=session path=/org/gnome/Nautilus + interface=org.gtk.Application + member={CommandLine,DescribeAll} + peer=(name=org.gnome.Nautilus, label=nautilus), @{exec_path} mr, @@ -66,11 +80,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/file-roller rPx, @{bin}/firejail rPUx, @{bin}/net rPUx, - @{bin}/tracker3 rPUx, + + @{bin}/* r, + @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, @{open_path} rPx -> child-open, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/nautilus/{,**} r, /usr/share/poppler/{,**} r, /usr/share/sounds/freedesktop/stereo/*.oga r, @@ -82,6 +97,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /var/cache/fontconfig/ rw, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, @@ -90,12 +106,15 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/** rw, - owner @{HOME}/{,**} rw, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/** rw, + owner @{tmp}/ r, + owner @{tmp}/** rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, 
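Review bot: The new `dbus send bus=session interface=org.freedesktop.Application member=Open,` in nautilus has neither `path=` nor `peer=`, so it permits the Open call to any session-bus peer regardless of label; the `#aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*"` directive a few lines above presumably already expands to that access. Keep one of the two, and if the bare rule is intentionally broader than the directive, add a comment saying why. The profile body continues outside the hunk.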
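Review bot: Replacing `deny /boot/{,**} r,` with `deny @{efi}/{,**} r,` changes what is silenced: unless `@{efi}` expands to `/boot` on every supported layout, reads under `/boot/` that used to be quietly denied will now be logged and, given the `/ r` and `/*/ r` rules under the too-wide lint exemption, partly allowed. Confirm the variable's definition covers `/boot/`, or keep both deny lines. The profile body continues outside the hunk.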
@@ -115,6 +134,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index ee2de80ce..e1bde2238 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -2,22 +2,23 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/org.gnome.NautilusPreviewer -profile org.gnome.NautilusPreviewer @{exec_path} { +profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include + include include include include include include + include include include - include network netlink raw, @@ -39,18 +40,19 @@ profile org.gnome.NautilusPreviewer @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} r, - include if exists } diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers new file mode 100644 index 000000000..6c4fe6f12 --- /dev/null +++ b/apparmor.d/groups/gnome/papers 
@@ -0,0 +1,67 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/papers +profile papers @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 + interface=org.freedesktop.portal.Session + member=Close + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + @{exec_path} mr, + + @{open_path} Cx -> open, + + /usr/share/poppler/{,**} r, + + /etc/passwd r, + + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + + /tmp/ r, + /var/tmp/ r, + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/papers-@{int}/{,**} rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + + profile open { + include + include + + @{browsers_path} Px, + @{help_path} Px, + @{bin}/papers Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis new file mode 100644 index 000000000..3195d7f03 --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis 
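Review bot: The portal `Close` rule in the new papers profile hard-codes `path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026`, a per-connection unique name and per-request token taken from one trace, so it will not match any other session. Use a pattern such as `path=/org/freedesktop/portal/desktop/session/@{int}_@{int}/gtk@{int}`, adjusted to the project's variables. A document viewer is also granted `rwk` on the Firefox `cert9.db`/`key4.db` NSS databases; if poppler only needs them for signature verification, `rk` keeps a malformed document from being able to alter the browser's trust store, and if write access is genuinely required a comment explaining why would help.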
@@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ptyxis +profile ptyxis @{exec_path} { + include + include + include + include + + unix type=stream peer=(label=ptyxis-agent), + + #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application + + @{exec_path} mr, + + @{lib}/ptyxis-agent Px, + @{open_path} Px -> child-open-help, + + /etc/shells r, + + owner @{user_cache_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_cache_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_cache_dirs}/org.gnome.Ptyxis/**, + + owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + owner @{user_config_dirs}/ubuntu-xdg-terminals.list r, + + owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + + owner /tmp/#@{int} rw, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent new file mode 100644 index 000000000..6418193a6 --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis-agent 
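Review bot: `owner /tmp/#@{int} rw,` in the new ptyxis profile uses a literal `/tmp` while the same anonymous temp-file rule elsewhere in this commit is written `owner @{tmp}/#@{int} rw,` (kgx); using the variable keeps the rule correct when a private tmp directory is in use. The three `rwlk -> ...` rules would also benefit from a one-line comment naming what Ptyxis stores there, since read/write/lock/link on an entire tree is the broadest file grant in the profile.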
@@ -0,0 +1,64 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ptyxis-agent +profile ptyxis-agent @{exec_path} { + include + include + include + include + include + include + include + + signal send set=hup peer=@{p_systemd}, + + ptrace read, + + unix type=stream peer=(label=ptyxis), + + @{exec_path} mr, + + @{bin}/podman Px, + @{bin}/systemd-run Cx -> shell, + + owner @{user_share_dirs}/containers/ w, + owner @{user_share_dirs}/containers/storage/ w, + owner @{user_share_dirs}/containers/storage/overlay-containers/ w, + + @{PROC}/@{pid}/cmdline r, + + /dev/ptmx rw, + + profile shell { + include + include + + signal send, + + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + + @{bin}/systemd-run mr, + + # The shell is not confined on purpose. + @{bin}/@{shells} Ux, + + # Some CLI program can be launched directly from Gnome Shell + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index ba23af8a4..c34526ee1 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -2,29 +2,25 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include - include + include include include - include - include include - include include include include + include + include include - dbus bind bus=session name=org.gnome.seahorse.Application, - dbus receive bus=session path=/org/gnome/seahorse/Application - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*), + #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, 
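Review bot: In the `shell` child profile of ptyxis-agent, `signal send,` has neither `set=` nor `peer=`, so the child may deliver any signal to any process of the same user, whereas the parent scopes its own rule as `signal send set=hup peer=@{p_systemd},`. Narrow it once the target is known from the audit log, e.g. `signal send peer=@{p_systemd},` if the transient unit is the recipient. The parent's `ptrace read,` likewise has no `peer=`; a peer constraint limits which processes' protected /proc entries the agent can read.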
@@ -36,7 +32,6 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, - /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index 570515cd7..b31532cae 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -2,24 +2,34 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include + include + include + include + include @{exec_path} mr, - @{sh_path} rix, - /usr/share/session-migration/scripts/*.sh rix, + @{sh_path} rix, + @{python_path} rix, + @{bin}/dconf rPx, + @{bin}/gsettings rPx, + /usr/share/session-migration/scripts/* rix, /usr/share/session-migration/{,**} r, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/session_migration-* rw, owner @{user_share_dirs}/session_migration-* rw, + /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/tecla b/apparmor.d/groups/gnome/tecla new file mode 100644 index 000000000..082c6c925 --- /dev/null +++ b/apparmor.d/groups/gnome/tecla @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tecla +profile tecla @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 858d216ac..e200ecb42 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
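Review bot: `/dev/tty@{int} rw,` added to session-migration lacks the `owner` qualifier that every other tty rule in this commit carries (`owner /dev/tty@{int} rw,` in tracker-extract and tracker-miner, while the same rule is being removed from the gsd-* profiles); without it the profile may write to any virtual console rather than only the one it inherited. Write `owner /dev/tty@{int} rw,`, and if it is only inherited, add the `# file_inherit` comment used elsewhere. `/usr/share/session-migration/scripts/* rix` also widens from `*.sh` to every file in the directory, which is acceptable for a root-owned path but worth a comment that python scripts are now expected, given the new `@{python_path} rix`.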
@@ -10,9 +10,9 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include + include include include include @@ -20,6 +20,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -28,18 +29,12 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Extract - #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface=org.freedesktop.DBus.Peer - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member={GetTreeFromDevice,Remove} - peer=(name=:*, label=gvfsd-metadata), + #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface+=org.freedesktop.DBus.Peer @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/*.desktop r, - /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, @@ -76,11 +71,9 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} r, - /dev/video@{int} rw, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index b037db499..85b7b0d53 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,17 +11,18 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include - include + include + include + include include include include include include + include include - include + include + include network netlink raw, @@ -47,7 +48,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, - /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, @@ -65,9 +65,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex16} rw, - # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, @@ -85,11 +82,11 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, @{PROC}/sys/fs/fanotify/max_user_marks r, @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/vm/mmap_min_addr r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/gnome/tracker-writeback b/apparmor.d/groups/gnome/tracker-writeback index 426b1be60..a5346b463 100644 --- a/apparmor.d/groups/gnome/tracker-writeback +++ b/apparmor.d/groups/gnome/tracker-writeback @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/tracker-xdg-portal b/apparmor.d/groups/gnome/tracker-xdg-portal new file mode 100644 index 000000000..20ed6bdce --- /dev/null +++ b/apparmor.d/groups/gnome/tracker-xdg-portal 
@@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/tracker-xdg-portal-3 +profile tracker-xdg-portal @{exec_path} flags=(complain) { + include + include + include + + #aa:dbus own bus=session name=org.freedesktop.portal.Tracker + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 4da1fe736..1f2fc39d3 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -2,18 +2,24 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/yelp @{bin}/gnome-help -profile yelp @{exec_path} { +profile yelp @{exec_path} flags=(attach_disconnected) { include + include + include include network netlink raw, + #aa:dbus own bus=accessibility name=org.gnome.Yelp + #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions + @{exec_path} mr, + @{open_path} rPx -> child-open-help, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, 
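Review bot: The new tracker-xdg-portal profile ships with `flags=(complain)` but no comment saying why it is not enforced or what is outstanding; a note such as `# TODO: complain mode until the portal's file and D-Bus accesses are collected` makes the intent clear to whoever revisits it. Every other new profile in this commit is in enforce mode, so the exception should be explicit.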
@@ -24,10 +30,14 @@ profile yelp @{exec_path} { /etc/xml/{,**} r, + @{sys}/firmware/acpi/pm_profile r, @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, - owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index d2afa3462..2fbdfb086 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dirmngr profile dirmngr @{exec_path} { include + include include include include @@ -39,6 +40,13 @@ profile dirmngr @{exec_path} { owner @{run}/user/@{uid}/gnupg/S.dirmngr rw, owner @{run}/user/@{uid}/gnupg/d.*/S.dirmngr rw, + # FIXME: Needed by dirmngr@.service + owner /etc/pacman.d/gnupg/ rw, + owner /etc/pacman.d/gnupg/S.dirmngr rw, + owner /etc/pacman.d/gnupg/d.*/S.dirmngr rw, + owner /etc/pacman.d/gnupg/crls.d/ rw, + owner /etc/pacman.d/gnupg/crls.d/DIR.txt rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 4fcc8946d..40c23b660 100644 
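Review bot: The new `/etc/pacman.d/gnupg/` rules in dirmngr carry no `#aa:only pacman` marker, unlike the equivalent pacman rules this commit adds to gpg, gpg-agent and scdaemon, so they are built into every distribution's profile. Marking them the same way and replacing the bare `# FIXME: Needed by dirmngr@.service` with a sentence on why the service needs write access there would keep the gpg group consistent and make the FIXME actionable. `d.*/S.dirmngr` also keeps the `d.*` wildcard where gpg-agent and scdaemon in the same commit switch to `d.@{rand}` for what looks like the same directory.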
--- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,8 +28,29 @@ profile gpg @{exec_path} { @{bin}/gpgsm rPx, @{lib}/{,gnupg/}scdaemon rPx, + /usr/share/terminfo/** r, + /usr/share/keyrings/** rw, #aa:only apt + /usr/share/pacman/keyrings/** r, #aa:only pacman + /etc/inputrc r, + #aa:only pacman + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + + #aa:only apt + /etc/apt/trusted.gpg.d/{,*} r, + owner /etc/apt/keyrings/ rw, + owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, + + owner /var/lib/*/{,.}gnupg/ rw, + owner /var/lib/*/{,.}gnupg/** rwkl -> /var/lib/*/{,.}gnupg/**, + + # TODO: Remove after zypper profile is created + #aa:only zypper + owner /var/tmp/zypp.@{rand6}/ rw, + owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, + owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, 
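Review bot: `/usr/share/keyrings/** rw, #aa:only apt` grants write access to the distribution's shipped keyring directory without `owner`, and the pacman block grows from `owner ... r` on three named files to `rwkl` over the whole `/etc/pacman.d/gnupg/` tree, also without `owner`. If the observed writes are gpg's lock files, `r` plus `k` with write limited to the lock-file names would be the narrower rule; in any case a comment stating which operation needs to write under `/usr/share/keyrings` would let the next reviewer judge it. The `owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,` line just below shows the form the other two could follow.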
@@ -39,31 +60,18 @@ profile gpg @{exec_path} { owner @{user_projects_dirs}/**/gnupg/ rw, owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**, - #aa:only apt - owner /etc/apt/keyrings/ rw, - owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, - - #aa:only pacman - owner /etc/pacman.d/gnupg/gpg.conf r, - owner /etc/pacman.d/gnupg/pubring.gpg r, - owner /etc/pacman.d/gnupg/trustdb.gpg r, - - owner /var/lib/*/gnupg/ rw, - owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, - - owner /var/lib/*/.gnupg/ rw, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, - - # TODO: Remove after zypper profile is created - #aa:only zypper - owner /var/tmp/zypp.@{rand6}/ rw, - owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, + # TODO: For compatibility with torbrowser profile from upstream. + owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, + owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, #aa:exclude ubuntu - owner @{tmp}/ostree-gpg-*/ r, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-@{rand6}/ r, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - owner @{tmp}/tmp.[a-zA-Z0-9]* rw, + owner /tmp/@{int}@{int} rw, + + owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 336d491b1..708ccc5f3 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gpg-agent profile gpg-agent @{exec_path} { include + include include signal (receive) peer=pinentry-*, 
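Review bot: `owner /tmp/@{int}@{int} rw,` uses a literal `/tmp` where the neighbouring rules use `@{tmp}`, and nothing says which temporary file the `@{int}@{int}` pattern stands for; a comment such as `# <PLACEHOLDER: program> temp file` and `@{tmp}` in the path would make it reviewable. The same literal `/tmp` survives in the `ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**` link target while the source side uses `@{tmp}`. The torbrowser TODO should name the upstream profile it mirrors so the block can be dropped once that profile is adopted.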
@@ -24,63 +25,68 @@ profile gpg-agent @{exec_path} { /usr/share/gnupg/* r, owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, - owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw, + owner @{HOME}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/*.conf r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{user_projects_dirs}/**/{.,}gnupg/ rw, - owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r, + owner @{user_projects_dirs}/**/{.,}gnupg/*.conf r, owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, - owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, + owner @{user_projects_dirs}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r, owner @{run}/user/@{uid}/gnupg/ rw, - owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, + owner @{run}/user/@{uid}/gnupg/*.conf r, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner 
@{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, - owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw, - owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/sshcontrol r, - owner @{user_tmp_dirs}/**/{.,}gnupg/ rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r, - owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, + owner @{tmp}/**/{.,}gnupg/ rw, + owner @{tmp}/**/{.,}gnupg/*.conf r, + owner @{tmp}/**/{.,}gnupg/private-keys-v1.d/ rw, + owner @{tmp}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, + owner @{tmp}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{tmp}/**/{.,}gnupg/sshcontrol r, + + #aa:only pacman + owner /etc/pacman.d/gnupg/ rw, + owner /etc/pacman.d/gnupg/*.conf r, + owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw, + owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw, + owner /etc/pacman.d/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /etc/pacman.d/gnupg/sshcontrol r, owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw, - owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /var/lib/*/.gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/.gnupg/sshcontrol r, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw, - owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner 
/var/lib/*/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/gnupg/sshcontrol r, + #aa:only zypper owner /var/tmp/zypp.*/ rw, owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/ rw, owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/@{hex}.key rw, owner /var/tmp/zypp.*/{,*/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{tmp}/tmp.*/gnupg/ rw, - owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/ rw, - owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, - owner @{tmp}/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, - owner @{tmp}/tmp.*/gnupg/sshcontrol r, - @{PROC}/@{pid}/fd/ r, # Silencer diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index ae8f90ed5..ebea13b56 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,14 +18,17 @@ profile gpg-connect-agent @{exec_path} { /etc/inputrc r, - owner @{PROC}/@{pid}/fd/ r, - + owner @{run}/user/@{uid}/gnupg/ w, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/S.dirmngr rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw, owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, owner @{tmp}/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index 9537c60c6..d7f8cb353 100644 --- a/apparmor.d/groups/gpg/gpgconf +++ b/apparmor.d/groups/gpg/gpgconf @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
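Review bot: The zypper block in gpg-agent (`owner /var/tmp/zypp.*/ rw,` and the three lines under it) keeps the `zypp.*` wildcard while the gpg profile in this same commit narrows the same directory to `/var/tmp/zypp.@{rand6}/`; the two profiles should agree on the pattern. Replacing `@{user_tmp_dirs}/**/{.,}gnupg/` with `@{tmp}/**/{.,}gnupg/` and `gpg-agent.conf` with `*.conf` widens what the agent may read and write under any user-owned gnupg home below `@{tmp}`, so a one-line comment above that block stating which tools create such homes would record why the wider form is needed. The hunk ends inside the profile; its remaining rules are outside the view.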
@@ -22,10 +22,11 @@ profile gpgconf @{exec_path} {
 @{bin}/gpg-connect-agent rPx,
 @{bin}/gpg{,2} rPx,
 @{bin}/gpgsm rPx,
- @{bin}/pinentry-* rPx,
+ @{bin}/pinentry{,-*} rPx,
 @{bin}/scdaemon rPx,
+ @{lib}/{,gnupg/}keyboxd rPUx,
 @{lib}/{,gnupg/}scdaemon rPx,
- @{lib}/keyboxd rPUx,
+ @{lib}/{,gnupg/}tpm2daemon rPUx,
 /etc/gcrypt/hwf.deny r,
 /etc/gnupg/gpgconf.conf r,
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 5bfa3fdf4..2ef1a9d4a 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -3,13 +3,14 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{bin}/gpgsm
 profile gpgsm @{exec_path} {
 include
+ include
 include
 capability dac_read_search,
@@ -22,11 +23,11 @@ profile gpgsm @{exec_path} {
 /etc/gcrypt/hwf.deny r,
- deny /usr/bin/.gnupg/ w,
+ owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
- owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
+ deny @{bin}/.gnupg/ w,
 include if exists
 }
diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd
index bf77509fd..51ec8b134 100644
--- a/apparmor.d/groups/gpg/keyboxd
+++ b/apparmor.d/groups/gpg/keyboxd
@@ -2,16 +2,18 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{lib}/gnupg/keyboxd
 profile keyboxd @{exec_path} {
 include
+ include
 @{exec_path} mr,
+ owner @{HOME}/@{XDG_GPG_DIR}/ w,
 owner @{HOME}/@{XDG_GPG_DIR}/common.conf r,
 owner @{HOME}/@{XDG_GPG_DIR}/public-keys.d/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/public-keys.d/* rwlk,
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index eeb1a618e..729455f7f 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
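Review bot: `@{lib}/{,gnupg/}keyboxd rPUx` keeps the unconfined fallback although a keyboxd profile exists in this diff; that profile attaches only to `@{lib}/gnupg/keyboxd`, so either the keyboxd `@{exec_path}` should cover both locations and this rule become `rPx`, or the fallback should be limited to the `@{lib}/keyboxd` path. `@{lib}/{,gnupg/}tpm2daemon rPUx` has no profile in this diff, so a `# TODO: confine once a tpm2daemon profile exists` comment would mark that fallback as temporary rather than chosen. In gpgsm the move of `deny @{bin}/.gnupg/ w,` below the allow rules does not change behaviour, since AppArmor deny rules win regardless of position, but a comment on why gpgsm tries to create that directory would explain the silencer.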
@@ -16,14 +16,20 @@ profile scdaemon @{exec_path} { network netlink raw, signal (send) peer=gpg-agent, + signal send set=usr2 peer=unconfined, @{exec_path} mr, + #aa:only pacman + owner /etc/pacman.d/gnupg/scdaemon.conf r, + owner /etc/pacman.d/gnupg/S.scdaemon rw, + owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner /var/tmp/zypp.*/PublicKey/S.scdaemon w, owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index 44602a4ee..b0d606701 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index 1ab754daf..f09ba540d 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -2,27 +2,24 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}//mktemp rix, - @{bin}//od rix, + @{bin}/{m,g,}awk ix, + @{bin}/mktemp ix, + @{bin}/od ix, - /usr/share/debconf/frontend rPx, + owner @{tmp}/tmp.@{rand10}/ rw, - /usr/share/debconf/confmodule r, - - owner @{tmp}/tmp.*/ rw, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, include if exists } diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 414f12909..29f9bf8f7 100644 
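Review bot: `signal send set=usr2 peer=unconfined,` lets scdaemon signal any unconfined process and carries no comment naming the intended receiver; if it came from an audit log, recording the receiving program (and switching to its label once it is confined) would narrow the rule. In grub-check-signatures the new `@{bin}/{m,g,}awk ix,` style drops the `r` that every other grub profile in this commit still writes as `rix`; if `ix` alone is the new convention it should be applied across the group in one change, otherwise these three lines should stay `rix`. That hunk also removes `@{sh_path} rix,`, which is worth confirming on a Debian host if grub-check-signatures is still a shell script.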
--- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, - /boot/grub/grubenv rw, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-file b/apparmor.d/groups/grub/grub-file index 0c43d739d..6551bd553 100644 --- a/apparmor.d/groups/grub/grub-file +++ b/apparmor.d/groups/grub/grub-file @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-fstest b/apparmor.d/groups/grub/grub-fstest index c8f4d48a8..3819fe890 100644 --- a/apparmor.d/groups/grub/grub-fstest +++ b/apparmor.d/groups/grub/grub-fstest @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-glue-efi b/apparmor.d/groups/grub/grub-glue-efi index 0c2d91173..f72664388 100644 --- a/apparmor.d/groups/grub/grub-glue-efi +++ b/apparmor.d/groups/grub/grub-glue-efi @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 7902bf02d..e3ed75334 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -3,11 +3,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/grub-install +@{exec_path} = @{sbin}/grub-install profile grub-install @{exec_path} flags=(complain) { include include 
@@ -19,26 +19,34 @@ profile grub-install @{exec_path} flags=(complain) {
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/efibootmgr rix,
+ @{sbin}/efibootmgr rix,
 @{bin}/kmod rPx,
- @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/lsb_release rPx,
 @{bin}/udevadm rPx,
 /usr/share/grub/{,**} r,
+ /usr/share/locale-langpack/{,**} r,
 /etc/default/grub.d/{,**} r,
 /etc/default/grub r,
- /boot/efi/EFI/ubuntu/* w,
- /boot/efi/EFI/BOOT/{,**} rw,
- /boot/EFI/*/grubx*.efi rw,
- /boot/grub/{,**} rw,
+ @{efi}/ r,
+ @{efi}/EFI/ r,
+ @{efi}/EFI/*/grubx*.efi rw,
+ @{efi}/EFI/BOOT/{,**} rw,
+ @{efi}/EFI/ubuntu/* w,
+ @{efi}/grub/{,**} rw,
+ @{sys}/devices/**/hid r,
+ @{sys}/devices/**/path r,
+ @{sys}/devices/**/uid r,
+ @{sys}/firmware/efi/ r,
 @{sys}/firmware/efi/efivars/ r,
 @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
 @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r,
- @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
+ @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw,
 @{sys}/firmware/efi/efivars/Timeout-@{uuid} r,
+ @{sys}/firmware/efi/fw_platform_size r,
 @{sys}/firmware/efi/w_platform_size r,
 @{PROC}/devices r,
diff --git a/apparmor.d/groups/grub/grub-kbdcomp b/apparmor.d/groups/grub/grub-kbdcomp
index 7c49e93ec..0334bf2f5 100644
--- a/apparmor.d/groups/grub/grub-kbdcomp
+++ b/apparmor.d/groups/grub/grub-kbdcomp
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless
index 8f73e3807..17e71a25c 100644
--- a/apparmor.d/groups/grub/grub-macbless
+++ b/apparmor.d/groups/grub/grub-macbless
@@ -2,11 +2,11 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/grub-macbless
+@{exec_path} = @{sbin}/grub-macbless
 profile grub-macbless @{exec_path} {
 include
 include
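Review bot: `@{sys}/firmware/efi/w_platform_size r,` is kept next to the newly added `fw_platform_size r,`; the old spelling looks like a truncated copy of the same sysfs file, so it should probably be removed rather than left as a second rule. `BootOrder-@{uuid} rw` and `@{efi}/EFI/*/grubx*.efi rw` now let the installer rewrite the firmware boot order and any vendor directory's GRUB EFI binary, which is what grub-install does, but since the profile is still `flags=(complain)` a short comment above the `@{efi}` block saying these writes are expected would stop them being trimmed when it moves to enforce. The profile body continues outside the hunk.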
diff --git a/apparmor.d/groups/grub/grub-menulst2cfg b/apparmor.d/groups/grub/grub-menulst2cfg index 826de1e1d..cd2d0121d 100644 --- a/apparmor.d/groups/grub/grub-menulst2cfg +++ b/apparmor.d/groups/grub/grub-menulst2cfg @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index d44ffcf3d..5b62fa30c 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -3,11 +3,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include @@ -21,24 +21,25 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/{e,f,}grep rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{bin}/dmsetup rPUx, + @{sbin}/dmsetup rPx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, + @{bin}/grub-editenv rPx, @{bin}/grub-mkrelpath rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/grub-script-check rPx, @{bin}/head rix, @{bin}/id rPx, @{bin}/ls rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mount rPx, @{bin}/mountpoint rix, 
@@ -55,14 +56,16 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which{.debianutils,} rix, + @{bin}/which{,.debianutils} rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, + @{lib}/grub-customizer/* rix, @{lib}/grub/grub-sort-version rPx, @{lib}/libostree/grub[0-9]-@{int}_ostree rix, + /usr/share/desktop-base/*/grub/* r, /usr/share/grub/{,**} r, /usr/share/terminfo/** r, @@ -78,10 +81,10 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /.zfs/snapshot/*/etc/fstab r, /.zfs/snapshot/*/etc/machine-id r, - /boot/{,**} r, - /boot/grub/{,**} rw, + @{efi}/{,**} r, + @{efi}/grub/{,**} rw, - # owner /tmp/** rw, + /tmp/grub-*.@{rand10}/{,**} rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 0af9aab2d..ca9f3ad3c 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -2,17 +2,24 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/grub-mkdevicemap +@{exec_path} = @{sbin}/grub-mkdevicemap profile grub-mkdevicemap @{exec_path} { include include + include + + capability sys_admin, @{exec_path} mr, + @{PROC}/devices r, + + /dev/mapper/control rw, + include if exists } diff --git a/apparmor.d/groups/grub/grub-mkfont b/apparmor.d/groups/grub/grub-mkfont index 52d719b38..a1e4b1eff 100644 --- a/apparmor.d/groups/grub/grub-mkfont +++ b/apparmor.d/groups/grub/grub-mkfont @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkimage b/apparmor.d/groups/grub/grub-mkimage index ac5fef3b4..54f8dcc80 100644 --- a/apparmor.d/groups/grub/grub-mkimage +++ b/apparmor.d/groups/grub/grub-mkimage 
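Review bot: `/tmp/grub-*.@{rand10}/{,**} rw,` drops the `owner` qualifier that the commented-out rule it replaces had and uses a literal `/tmp` instead of the `@{tmp}` variable used elsewhere in this commit; because grub-mkconfig runs as root, `owner` is the main guard against writing into a same-named directory pre-created by another user, so `owner @{tmp}/grub-*.@{rand10}/{,**} rw,` is the safer form. `@{lib}/grub-customizer/* rix,` runs third-party helper scripts inside this profile, so a comment naming the package that ships them would make the inherited permissions easier to audit. In grub-mkdevicemap, `capability sys_admin,` next to `/dev/mapper/control rw,` is presumably for device-mapper ioctls; a one-line why-comment above the capability would document that.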
@@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mklayout b/apparmor.d/groups/grub/grub-mklayout index 616627f35..11263914b 100644 --- a/apparmor.d/groups/grub/grub-mklayout +++ b/apparmor.d/groups/grub/grub-mklayout @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mknetdir b/apparmor.d/groups/grub/grub-mknetdir index 9bb011422..10aaa77d4 100644 --- a/apparmor.d/groups/grub/grub-mknetdir +++ b/apparmor.d/groups/grub/grub-mknetdir @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 index 58b7da49b..45cefcedf 100644 --- a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 +++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 22e0b754a..d4508b4c5 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,12 +21,12 @@ profile grub-mkrelpath @{exec_path} { / r, /usr/share/grub/* r, - /boot/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/themes/{,**} r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_@{int}/boot/ r, + /tmp/grub-btrfs.*/@_backup_*/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/grub/grub-mkrescue b/apparmor.d/groups/grub/grub-mkrescue index 4eee01abf..dfd9ce031 100644 
--- a/apparmor.d/groups/grub/grub-mkrescue +++ b/apparmor.d/groups/grub/grub-mkrescue @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkstandalone b/apparmor.d/groups/grub/grub-mkstandalone index c891fd4bf..8cce05fb9 100644 --- a/apparmor.d/groups/grub/grub-mkstandalone +++ b/apparmor.d/groups/grub/grub-mkstandalone @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount index a21f427e8..e660069bd 100644 --- a/apparmor.d/groups/grub/grub-mount +++ b/apparmor.d/groups/grub/grub-mount @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index 9cc94f9c1..d900ec2f6 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile grub-multi-install @{exec_path} { @{exec_path} mr, - @{bin}/grub-install rPx, + @{sbin}/grub-install rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, @@ -24,14 +24,13 @@ profile grub-multi-install @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, - /usr/share/debconf/frontend rPx, + /usr/share/debconf/frontend rix, - /usr/lib/terminfo/x/xterm-256color r, + @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, - /boot/grub/grub.cfg rw, + @{efi}/grub/grub.cfg rw, - owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mounts r, /dev/disk/by-id/ r, diff --git a/apparmor.d/groups/grub/grub-ntldr-img b/apparmor.d/groups/grub/grub-ntldr-img index 885384b6d..676b16f1b 100644 --- a/apparmor.d/groups/grub/grub-ntldr-img 
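Review bot: `/usr/share/debconf/frontend rix,` (previously `rPx`) runs the debconf frontend inside the grub-multi-install profile instead of transitioning to its own profile, so the perl interpreter and everything the frontend touches must now be permitted here. If inheriting is preferred because the dedicated profile does not attach cleanly from this caller, a comment above the line stating that would record the reason; otherwise `rPx` is the tighter choice. The profile body continues outside the hunk.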
+++ b/apparmor.d/groups/grub/grub-ntldr-img
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index f0bbf8e41..c767d2f02 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -3,53 +3,40 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/grub-probe
+@{exec_path} = @{sbin}/grub-probe
 profile grub-probe @{exec_path} {
 include
 include
 include
+ capability dac_read_search,
 capability sys_admin,
 @{exec_path} mr,
 /{usr/,}{local/,}{s,}bin/zpool rPx,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/lvm rPx,
+ @{bin}/lsb_release rPx,
+ @{sbin}/lvm rPx,
 @{bin}/udevadm rPx,
 /usr/share/grub/* r,
 / r,
- /boot/ r,
- /boot/grub/themes/{,**} r,
+ @{efi}/ r,
+ @{efi}/grub/ r,
+ @{efi}/grub/themes/{,**} r,
 @{PROC}/@{pids}/mountinfo r,
 @{PROC}/devices r,
- /dev/*vg*/ r,
- /dev/bsg/ r,
- /dev/bus/ r,
- /dev/bus/usb/ r,
- /dev/bus/usb/@{int}/ r,
- /dev/cpu/ r,
- /dev/cpu/@{int}/ r,
- /dev/dma_heap/ r,
- /dev/dri/ r,
- /dev/dri/by-path/ r,
- /dev/hugepages/ r,
- /dev/input/ r,
- /dev/input/by-id/ r,
- /dev/input/by-path/ r,
- /dev/mapper/control rw,
- /dev/mqueue/ r,
- /dev/shm/ r,
- /dev/snd/ r,
- /dev/snd/by-path/ r,
+ /dev/**/ r,
+ /dev/mapper/control w,
+
+ deny mqueue (read, getattr) type=posix /,
 include if exists
 }
diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot
index 236a46241..310b416bf 100644
--- a/apparmor.d/groups/grub/grub-reboot
+++ b/apparmor.d/groups/grub/grub-reboot
@@ -2,11 +2,11 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/grub-reboot
+@{exec_path} = @{sbin}/grub-reboot
 profile grub-reboot @{exec_path} {
 include
 include
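Review bot: `deny mqueue (read, getattr) type=posix /,` is an mqueue rule, which needs the 4.0 abi and a parser that understands it; the `abi` line this hunk changes is stripped in this view, so it is worth confirming the profile now declares an abi that supports mqueue, or older parsers will reject the whole file. `/dev/**/ r,` collapses the explicit directory list into a read-only listing of every directory under `/dev`, which is acceptable for device probing, and `/dev/mapper/control` narrows from `rw` to `w`; a comment above those two rules saying they were derived from observed accesses would help the next person who sees a denial there. The added `capability dac_read_search,` also deserves a one-line why-comment, since it bypasses DAC read and search checks on every path the profile allows.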
diff --git a/apparmor.d/groups/grub/grub-render-label b/apparmor.d/groups/grub/grub-render-label index 005823ffa..5d7c4cfe0 100644 --- a/apparmor.d/groups/grub/grub-render-label +++ b/apparmor.d/groups/grub/grub-render-label @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index 9cb595834..9961a778e 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} { @{exec_path} mr, - /boot/grub/grub* rw, + @{efi}/grub/grub* rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default index 729ff11d9..9e3c96464 100644 --- a/apparmor.d/groups/grub/grub-set-default +++ b/apparmor.d/groups/grub/grub-set-default @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/grub-set-default +@{exec_path} = @{sbin}/grub-set-default profile grub-set-default @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 7f830dc33..6ece8a60b 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -2,14 +2,16 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include - include + include + include + include include capability dac_read_search, diff --git a/apparmor.d/groups/grub/grub-syslinux2cfg b/apparmor.d/groups/grub/grub-syslinux2cfg index 581ab262b..584e33268 100644 --- a/apparmor.d/groups/grub/grub-syslinux2cfg 
+++ b/apparmor.d/groups/grub/grub-syslinux2cfg @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index e74f72349..d4460a3cf 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub profile update-grub @{exec_path} { include include @@ -14,8 +14,9 @@ profile update-grub @{exec_path} { capability dac_read_search, @{exec_path} mr, - @{sh_path} rix, - @{bin}/grub-mkconfig rPx, + + @{sh_path} rix, + @{sbin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 0b35916b0..32136d710 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,12 +12,12 @@ profile gvfs-afc-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 66681c8af..017a66e84 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor 
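Review bot: `@{exec_path} = @{sbin}/update-grub` drops the `{2,}` alternation of the old value, so a binary invoked as `update-grub2` is no longer covered by this profile and will run under whatever attaches to that path, most likely nothing; if the only intent was the move to `@{sbin}`, the value should read `@{sbin}/update-grub{2,}`. The blank line and the `@{sbin}/grub-mkconfig rPx,` rename below are fine.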
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,17 +12,17 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index 5b21c3a6b..ece97e688 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,12 +16,12 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index dfdf41113..fd3b38012 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,12 +15,12 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 57e6cf476..80f7f86a9 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include 
@@ -30,13 +29,13 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @@ -53,6 +52,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/**/ r, @{HOME}/**/ r, + owner @{MOUNTS}/autorun.inf r, + owner @{desktop_config_dirs}/dconf/user r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 710abbba1..e3e3edfae 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -13,28 +13,33 @@ profile gvfsd @{exec_path} { include include + signal receive set=usr1 peer=pacman, + #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker + # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), + # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{sh_path} rix, @{lib}/{,gvfs/}gvfsd-* rpx, + @{bin}/pkexec rCx -> pkexec, /usr/share/gvfs/{,**} r, @@ -43,6 +48,17 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + ptrace read peer=gvfsd, + + @{lib}/{,gvfs/}gvfsd-admin rPx, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 34e4cdfd6..5a1fd1c82 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin 
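Review bot: The new `pkexec` child profile in the second hunk (`@@ -43,6 +48,17 @@`) is the one place in this profile where a setuid-root binary is launched from an unprivileged daemon, and it carries no comment saying so or why a local `rCx` child is used instead of a transition to a standalone pkexec profile. The rule set itself is tight — the only exec permitted is `@{lib}/{,gvfs/}gvfsd-admin rPx`, and `ptrace read peer=gvfsd` is plausibly what pkexec needs to inspect its caller — but the include targets are not visible in the hunk, so the capabilities the child actually receives cannot be checked here. I would add above the child: `# pkexec is setuid-root; this child profile limits it to launching gvfsd-admin (presumably after polkit authorisation) on behalf of gvfsd`. The enclosing profile's start is outside the second hunk.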
@@ -3,16 +3,45 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + include + include + include + include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setuid, + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, + #aa:lint ignore=too-wide + # Full access to system's data, but no write access to sensitive system directories + / r, + /*/ r, + /*/** rw, + deny @{sys}/** w, + deny @{PROC}/** w, + deny @{efi}/** w, + deny /dev/** w, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index 6054f50b8..da231f469 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -3,13 +3,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc profile gvfsd-afc @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index 1ea7c14b8..db6fe5a48 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp 
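Review bot: `deny /dev/** w` also matches `/dev/null`, `/dev/log` and the pty devices that the base abstraction normally grants, and because an explicit `deny` beats any allow rule and is quiet by default, the daemon's writes to `/dev/null` or its terminal will fail without an audit entry; consider narrowing the deny to the device classes you mean (block device nodes and the like) or prefixing it with `audit` so the effect is at least visible while the profile is being tested. The comment above `/*/** rw` also overstates the restriction: `/etc/**`, `/usr/**`, `/var/**` and every home directory stay writable, which is the point of the admin:// backend but is not "no write access to sensitive system directories". Suggested wording: `# Root-level read/write to the whole filesystem (admin:// backend); only @{sys}, @{PROC}, @{efi} and /dev are denied`. The four deny rules are exactly what the `#aa:lint ignore=too-wide` marker is asking reviewers to accept, so the comment should describe them accurately.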
@@ -3,13 +3,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index 8baf49101..a39e25785 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -3,13 +3,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 4c860fe45..68b1e7765 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive 
@@ -3,16 +3,27 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include + include + include + include + include include include + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index 4063141d4..09062241a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -3,13 +3,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index dc69cea53..356f8dcd3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -3,13 +3,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index b1479d780..667b448c4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -3,13 +3,26 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer profile gvfsd-computer @{exec_path} { include + include + include + include + include + + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index bb86dd7db..b335724cb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -3,13 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include + include + include + include + include include include include @@ -24,6 +28,13 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index b07cd070b..aad9de3a0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,25 +12,19 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include + include + include + include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-network), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 47b58d639..3b36fc4f1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -3,13 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include + include + include + include + include include include include @@ -20,6 +24,13 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 9cd6b77ca..f67068f49 100644 
--- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,52 +11,46 @@ include profile gvfsd-fuse @{exec_path} { include include - include + include + include + include include + capability sys_admin, + mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterFuse - peer=(name=:*, label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, + owner @{run}/user/@{uid}/gvfsd-fuse/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, profile fusermount { include - include + include - capability dac_read_search, - capability sys_admin, # To mount anything + capability setuid, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, umount @{run}/user/@{uid}/**/, unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), - @{bin}/fusermount{,3} mr, - - /etc/fuse{,3}.conf r, - /etc/machine-id r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index b6aa722e7..819e84c39 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google 
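Review bot: `capability sys_admin` moves from the setuid `fusermount` child into the unprivileged parent profile together with a `mount` rule, and nothing in the hunk explains which code path needs it; if this is libfuse attempting a direct mount before falling back to fusermount, a one-line comment on the capability would save the next reader from re-deriving it, e.g. `# libfuse tries a direct mount before falling back to fusermount`. Conversely the `fusermount` child keeps its `mount`/`umount` rules but loses `capability sys_admin` (only `setuid` remains) plus its own `@{bin}/fusermount{,3} mr` and `/dev/fuse rw` lines, so those rules now depend entirely on the swapped-in include, whose name is not visible in this diff; please confirm that include carries `capability sys_admin`, otherwise the child can no longer mount and its remaining mount rule is dead. The exposure of the parent is bounded by `fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/`, which is the right shape for the rule.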
@@ -3,13 +3,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 731bdd204..0544000c0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -3,13 +3,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index a2d02063c..2678bde40 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,8 +11,11 @@ include profile gvfsd-http @{exec_path} { include include + include + include + include include - include + # include include include include 
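Review bot: The `@@ -11,8 +11,11 @@` hunk of gvfsd-http replaces an include with a commented-out copy (`+ # include`) and gives no reason; a disabled rule with no rationale tends to be re-enabled or deleted at random later. Either drop the line or annotate it, e.g. `# include ...  # disabled because REASON` (REASON being a placeholder for whether the abstraction is now covered elsewhere or over-granted). The hunk cuts into the middle of the profile's include list, so the rest of the profile is not visible here.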
@@ -23,20 +26,16 @@ profile gvfsd-http @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=gnome-extension-gsconnect), - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index da0a21386..d1af3c60c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -3,13 +3,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include + include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 6237715a8..8565856d9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,9 @@ include profile gvfsd-metadata @{exec_path} { include include + include + include + include include network netlink raw, 
@@ -18,11 +21,12 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index d8ea92d1f..8d5ad78c5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -3,13 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include + include + include + include + include include include include @@ -19,10 +23,18 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - owner @{HOME}/{,**} rw, - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 8fc843290..7874686bc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
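Review bot: In the `@@ -19,10 +23,18 @@` hunk of gvfsd-mtp the split into `owner @{HOME}/ r` and `owner @{HOME}/** rw` correctly stops the daemon from replacing the home directory itself, but the write scope is still the entire home tree — dotfiles, shell rc files and key material included — and nothing says why the MTP backend needs more than the transfer destinations the user picks. If that breadth is required because files land wherever the file manager drops them, state it in a comment, e.g. `# Transfers go to user-chosen paths, so the whole home tree must be writable`; if not, consider narrowing as gvfsd-recent is narrowed in this same commit. The enclosing profile starts outside the hunk.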
@@ -11,39 +11,22 @@ include profile gvfsd-network @{exec_path} { include include + include + include + include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-dnssd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gnome-control-center), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index 0a2ab4d1c..aae859d73 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs 
@@ -3,19 +3,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include + include + include + include + include include network inet stream, network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index ab2ea4677..ca59d75cd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,33 +11,27 @@ include profile gvfsd-recent @{exec_path} { include include - include - include + include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, # Full access to user's data - owner @{HOME}/{,**} rw, - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/{,**} r, + owner @{MOUNTS}/{,**} r, owner @{HOME}/.zshenv r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @@ -46,7 +40,7 @@ profile gvfsd-recent @{exec_path} { owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/mount/utab r, - + owner @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 05c8a2bbf..862ef88aa 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp 
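Review bot: `owner @{HOME}/{,**} rw` and `owner @{MOUNTS}/{,**} rw` become read-only, but the context comment right above them, `# Full access to user's data`, still says the opposite and will mislead the next person who touches this block. Change it to `# Read-only access to user's data`; the tightening itself is a good change. The added `owner @{PROC}/@{pid}/mountinfo r` in the second hunk is consistent with the `@{run}/mount/utab r` rule already present.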
@@ -3,22 +3,36 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp profile gvfsd-sftp @{exec_path} { include + include + include + include + include include include include + include + + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{bin}/ssh rPx, owner @{run}/user/@{uid}/gvfsd-sftp/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 4eb770986..9d99a43af 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -3,13 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 3882e6f1c..66099563e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,8 +11,11 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include + include + include + include include + include include network netlink raw, @@ -22,21 +25,15 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index d65edb691..070c41a84 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,9 @@ include profile gvfsd-trash @{exec_path} { include include + include + include + include include include include 
@@ -20,31 +23,12 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label="{gnome-shell,nautilus}"), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index b2ff47c91..4ea39c7d0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd 
@@ -2,23 +2,40 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd profile gvfsd-wsdd @{exec_path} { include + include + include + include + include + include + include + network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - @{bin}/env r, + @{bin}/env mr, @{bin}/wsdd rPx, + @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/gvfsd/wsdd rw, include if exists } diff --git a/apparmor.d/groups/hyprland/hyprctl b/apparmor.d/groups/hyprland/hyprctl new file mode 100644 index 000000000..96440098e --- /dev/null +++ b/apparmor.d/groups/hyprland/hyprctl @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/hyprctl +profile hyprctl @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor + diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland new file mode 100644 index 000000000..cd3270e49 --- /dev/null +++ b/apparmor.d/groups/hyprland/hyprland 
@@ -0,0 +1,76 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/Hyprland +profile hyprland @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + capability sys_ptrace, + + network netlink raw, + + signal send, + + ptrace read, + + @{exec_path} mr, + + /usr/share/hypr{,land}/{,*} r, + /usr/share/libinput/{,*} r, + + owner @{user_cache_dirs}/hyprland/{,**} rw, + owner @{user_config_dirs}/hypr/** r, + owner @{user_share_dirs}/hyprpm/** mr, + owner @{user_share_dirs}/hyprland/** rw, + + owner @{run}/user/@{uid}/gamescope-* rw, + owner @{run}/user/@{uid}/.hyprpaper_* rw, + owner @{run}/user/@{uid}/.hyprpicker_* rw, + owner @{run}/user/@{uid}/hypr/{,**} rw, + owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, + + @{run}/systemd/sessions/@{int} r, + + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+dmi:id r, # for motherboard info + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) 
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + + @{sys}/bus/ r, + @{sys}/class/input/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/**/uevent r, + + owner @{PROC}/@{pid}/environ r, + + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, + + /dev/input/event@{int} rw, + /dev/tty r, + owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor + diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock new file mode 100644 index 000000000..fab1c2a2e --- /dev/null +++ b/apparmor.d/groups/hyprland/hyprlock @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/hyprlock +profile hyprlock @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{etc_ro}/security/faillock.conf r, + /etc/shells r, + + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, + owner @{user_pictures_dirs}/** r, + + owner @{user_config_dirs}/hypr/hyprlock.conf r, + + owner @{run}/faillock/@{user} rwk, + + owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper new file mode 100644 index 000000000..6d0674d9f --- /dev/null +++ b/apparmor.d/groups/hyprland/hyprpaper 
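Review bot: The new hyprland profile grants `capability sys_ptrace`, an unscoped `ptrace read,` and an unscoped `signal send,`, which together let the compositor read any process's `/proc` data and send any signal to any process the user can reach, and none of the three carries a comment. The `owner @{PROC}/@{pid}/environ r` rule suggests the ptrace permission exists to read client processes' `/proc` entries, and `capability sys_ptrace` is only needed for targets that are not dumpable, so I would document that with `# ptrace read + sys_ptrace: reading /proc/<pid>/ of client windows` (confirm against the compositor's actual use) and restrict the signal rule to the set really sent, e.g. `signal send set=(term kill),` if those are what the kill-window action uses. The pypr profile added later in this commit has the same unscoped `ptrace read,` and the same note applies there.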
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/hyprpaper
+profile hyprpaper @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,
+
+ owner @{user_config_dirs}/hypr/hyprpaper.conf r,
+
+ owner @{run}/user/@{uid}/ r,
+ owner @{run}/user/@{uid}/.hyprpaper* rw,
+ owner @{run}/user/@{uid}/hypr/*/.hyprpaper.sock w,
+ owner @{run}/user/@{uid}/hyprpaper.lock rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker
new file mode 100644
index 000000000..7becc5fb6
--- /dev/null
+++ b/apparmor.d/groups/hyprland/hyprpicker
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/hyprpicker
+profile hyprpicker @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+ @{bin}/wl-copy Px,
+
+ owner @{run}/user/@{uid}/.hyprpicker* rw,
+ owner /dev/shm/wlroots-@{rand6} r,
+ owner /dev/shm/@{uuid} r,
+
+ owner /dev/tty@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
+
diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm
new file mode 100644
index 000000000..149128b1e
--- /dev/null
+++ b/apparmor.d/groups/hyprland/hyprpm
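Review bot: `owner @{run}/user/@{uid}/.hyprpaper* rw,` in hyprpaper is wider than the `.hyprpaper_*` that the hyprland profile grants for the same socket, and hyprpicker's `.hyprpicker* rw,` differs from hyprland's `.hyprpicker_*` in the same way. The two peers should use one pattern, `.hyprpaper_*` and `.hyprpicker_*` if hyprland's is the observed name, so that the socket is not silently denied on one side; which side is accurate is not visible from the diff.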
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/hyprpm
+profile hyprpm @{exec_path} {
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ @{bin}/** rix,
+ @{lib}/gcc/** rix,
+ @{lib}/git-core/** rix,
+
+ /usr/include/** r,
+ /usr/share/git-core/** r,
+ /usr/share/pkgconfig/** r,
+
+ owner @{HOME}/.gitconfig r,
+
+ owner @{user_share_dirs}/hyprpm/{,**} rw,
+
+ /tmp/hyprpm/** rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/hyprland/pypr b/apparmor.d/groups/hyprland/pypr
new file mode 100644
index 000000000..2f489e055
--- /dev/null
+++ b/apparmor.d/groups/hyprland/pypr
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pypr
+profile pypr @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ signal send set=(term kill),
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ owner @{user_config_dirs}/hypr/pyprland.toml r,
+
+ owner @{run}/user/@{uid}/hypr/*/.pyprland.sock rw,
+
+ owner /dev/tty@{int} rw, # file_inherit
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index 972173e61..b5e1b4ae8 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -10,6 +10,9 @@ include
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier
 profile DiscoverNotifier @{exec_path} {
 include
+ include
+ include
+ include
 include
 include
 include
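Review bot: `/tmp/hyprpm/** rw,` in the hyprpm profile covers the files under the build directory but not `/tmp/hyprpm/` itself, so creating that directory is not permitted, and the rule lacks the `owner` qualifier the other hyprpm rules carry even though it sits in a world-writable location; `owner /tmp/hyprpm/{,**} rw,` matches how `@{user_share_dirs}/hyprpm/{,**}` is written two lines above. Separately, `@{bin}/** rix` together with the four `network inet*` rules lets every program hyprpm launches (git, the compiler, any shell) run inside this profile with network access, which is close to unconfined. hyprpm does build plugins from source, so much of that is inherent, but `@{sh_path} rix` plus `Px` transitions to the tools the project already ships profiles for would keep the blast radius smaller, and a comment explaining why the blanket `@{bin}/**` is needed belongs on the rule either way.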
@@ -22,15 +25,20 @@ profile DiscoverNotifier @{exec_path} { network netlink dgram, network netlink raw, + #aa:dbus own bus=session name=org.kde.discover.notifier + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + @{exec_path} mr, @{bin}/apt-config rPx, + @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, - /usr/share/knotifications{5,6}/{,**} r, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/metainfo/{,**} r, /etc/machine-id r, @@ -39,11 +47,11 @@ profile DiscoverNotifier @{exec_path} { /var/lib/flatpak/{,**} r, /var/cache/swcatalog/cache/ w, + /var/cache/swcatalog/xml/{,**} r, - owner @{user_cache_dirs}/appstream/ r, - owner @{user_cache_dirs}/appstream/** r, + owner @{user_cache_dirs}/appstream/ rw, + owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/flatpak/{,**} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/@{int} rw, owner @{user_config_dirs}/breezerc r, @@ -53,7 +61,9 @@ profile DiscoverNotifier @{exec_path} { owner @{user_share_dirs}/flatpak/{,**} rw, - owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-@{rand6}/ rw, + owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw, + owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw, /dev/tty r, @@ -67,8 +77,8 @@ profile DiscoverNotifier @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, @{tmp}/ r, - owner @{tmp}/ostree-gpg-*/ r, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-@{rand6}/ r, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, owner @{run}/user/@{uid}/gnupg/ w, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 0fdfa3919..29447e22a 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
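Review bot: In the link rule `owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,` the source side uses `@{tmp}` while the target is the literal `/tmp/`; if `@{tmp}` expands to anything other than `/tmp/` (a per-user tmp, for instance) a link created inside that directory is denied even though the rule reads as symmetric. `-> @{tmp}/ostree-gpg-@{rand6}/**` keeps the two sides in step, and since the commit already touches this line to tighten `*` to `@{rand6}` it is the right moment to fix it.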
@@ -12,7 +12,7 @@ profile baloo @{exec_path} { include include include - include + include include include include @@ -25,23 +25,33 @@ profile baloo @{exec_path} { @{lib}/{,kf6/}baloo_file_extractor rix, /usr/share/poppler/{,**} r, - /usr/share/desktop-base/kf5-settings/baloofilerc r, /etc/fstab r, /etc/machine-id r, - /etc/xdg/baloofilerc r, # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, owner @{tmp}/*/{,**} r, + owner @{user_cache_dirs}/kcrash-metadata/ w, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/baloofilerc rwl, owner @{user_config_dirs}/baloofilerc.lock rwkl, owner @{user_share_dirs}/baloo/{,**} rwk, + @{run}/mount/utab r, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 1b5d79492..33660a776 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include + include + include include include include 
@@ -18,43 +20,17 @@ profile baloorunner @{exec_path} { @{bin}/* rPx, - /etc/xdg/baloofilerc r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/baloofilerc r, + # Allow to search user files + owner @{HOME}/{,**} r, + owner @{MOUNTS}/{,**} r, + owner @{tmp}/*/{,**} r, owner @{user_share_dirs}/baloo/{,**} rwk, /tmp/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, 
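Review bot: `owner @{HOME}/{,**} r,`, `owner @{MOUNTS}/{,**} r,` and `owner @{tmp}/*/{,**} r,` move baloorunner from reading the baloo index to reading every user file, which is the indexer's grant rather than an obvious need of the search runner; if the motivating denials were for `stat` on result paths a narrower rule would do, so the copied comment `# Allow to search user files` should say why content reads are needed here. The blanket `@{run}/udev/data/+*:* r,` and `@{run}/udev/data/c@{int}:@{int} r,` replace a per-class list whose inline comments recorded what each entry served; baloo and dolphin gain the same pair in this commit, and one comment on why these programs consult the udev database at all would keep that knowledge from being lost.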
diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index bb5ab9fe5..022c0beec 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,32 +16,45 @@ profile dolphin @{exec_path} { include include include + include include include include include + include network netlink raw, - signal (send) set=(term) peer=kioworker, + signal send set=hup peer=@{p_systemd}, + signal send set=term peer=kioworker, + + ptrace read peer=@{p_systemd}, + ptrace read peer=okular, @{exec_path} mr, + @{lib}/libheif/ r, + @{lib}/libheif/*.so* mr, + @{bin}/ldd rix, + @{bin}/lsb_release rPx, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, + #aa:exec kioworker /usr/share/kf5/kmoretools/{,**} r, /usr/share/kio/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/misc/termcap r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, + /etc/exports r, /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, /etc/xdg/ui/ui_standards.rc r, # Full access to user's data @@ -57,7 +70,7 @@ profile dolphin @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, 
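Review bot: `@{bin}/ldd rix,` runs ldd inside the dolphin profile; ldd resolves libraries by driving the dynamic loader and its manual warns that on some systems it can end up executing the inspected file, so a file manager invoking it on arbitrary user files is a poor fit for `ix`. If the call is genuinely needed (the denial behind it is not visible here), a child profile in the style DiscoverNotifier uses for gpg (`rCx -> ldd`) limited to the loader and library reads would contain it; otherwise dropping the rule and accepting the denial is the safer choice. `ptrace read peer=@{p_systemd},` and `signal send set=hup peer=@{p_systemd},` would also benefit from a one-line comment on what dolphin does with the user service manager.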
@@ -65,33 +78,46 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, - owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, + owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, - - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/dolphin_* rwlk -> @{user_config_dirs}/session/#@{int}, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, + owner @{user_config_dirs}/knfsshare.lock rwk, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, - @{run}/mount/utab r, - owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - owner @{run}/user/@{uid}/#@{int} rw, + owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, + owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk, + + @{run}/issue r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + + @{sys}/bus/ 
r, + @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index 602b087bb..e04180ff4 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi profile drkonqi @{exec_path} { include + include include network inet stream, @@ -22,13 +23,36 @@ profile drkonqi @{exec_path} { @{exec_path} mr, - /usr/share/drkonqi/{,**} r, - /usr/share/knotifications{5,6}/*.notifyrc r, + @{bin}/plasmashell r, + @{bin}/lsb_release rPx, + /usr/share/drkonqi/{,**} r, + + /etc/machine-id r, + + / r, + + owner @{user_cache_dirs}/drkonqi/ rw, + owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**, owner @{user_cache_dirs}/kcrash-metadata/* w, + owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/drkonqirc r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/remote/ r, + /dev/tty r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index fe2fd0566..199dd9c8f 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup 
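Review bot: `owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk,` expands to `knfsshare.` and `knfsshare..@{rand6}`, which does not match the `name{,.@{rand6}}` shape every other KConfig rule on this page uses (`dolphinrc{,.@{rand6}}`, `kcminputrc{,.@{rand6}}`); `owner @{user_config_dirs}/knfsshare{,.@{rand6}} rwk,` is presumably what was meant. The lock rule next to it, `knfsshare.lock rwk`, is already in the usual form.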
+++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,8 @@ profile drkonqi-coredump-cleanup @{exec_path} { @{exec_path} mr, @{user_cache_dirs}/kcrash-metadata/ r, - owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w, + owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini rw, + owner @{user_cache_dirs}/kcrash-metadata/@{int}.ini rw, include if exists } diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index bfe6ec108..359352383 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi-coredump-processor profile drkonqi-coredump-processor @{exec_path} { include + include include capability dac_override, @@ -24,9 +25,9 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal r, + /{run,var}/log/journal/@{hex32}/system@*.journal* r, /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@*.journal* r, /{run,var}/log/journal/remote/ r, include if exists diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index c1a63931e..dbca9fcf5 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy 
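Review bot: `/{run,var}/log/journal/@{hex32}/system@*.journal* r,` and the `user-@{uid}@*.journal*` line beneath it loosen the archived-journal pattern to a bare `*`, while the drkonqi profile changed by this same commit keeps the `@{hex32}-@{hex16}-@{hex16}` form for the identical paths; the two should agree, and the structured form is the tighter one and presumably mirrors the archive names journald produces. The new `.journal*` suffix also admits `.journal~` files, which is likely wanted for a crash processor but deserves a short comment so it is not read as an accidental widening.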
@@ -2,14 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include - include + include + include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index fb6a01c8a..1fdb4b920 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -2,30 +2,31 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kaccess profile kaccess @{exec_path} { include + include + include include include include + #aa:dbus own bus=session name=org.kde.kaccess + #aa:dbus talk bus=session name=org.kde.kglobalaccel path=/kglobalaccel label=kglobalacceld + @{exec_path} mr, @{bin}/gsettings rPx, - /usr/share/icons/{,**} r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, + /etc/machine-id r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_share_dirs}/mime/generic-icons r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index b51d72a91..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd profile kactivitymanagerd @{exec_path} { include + include include include include @@ -18,6 +19,9 @@ profile kactivitymanagerd @{exec_path} { include include + #aa:dbus own bus=session name=org.kde.ActivityManager path=/ActivityManager + #aa:dbus own bus=session name=org.kde.runners.activities + @{exec_path} mr, /etc/xdg/menus/{,*/} r, 
@@ -29,21 +33,15 @@ profile kactivitymanagerd @{exec_path} { owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk, owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/libreoffice/**.xcu r, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_config_dirs}/trashrc r, owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices{5,6}/{,**} r, - owner @{user_share_dirs}/recently-used.xbel r, owner @{user_share_dirs}/user-places.xbel r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index daf880cf9..e9ae78457 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kalendarac profile kalendarac @{exec_path} { include - include + include include include include @@ -20,14 +20,12 @@ profile kalendarac @{exec_path} { /usr/share/akonadi/firstrun/{,*} r, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - /usr/share/knotifications{5,6}/{,**} r, /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, + owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities r, 
@@ -36,6 +34,11 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/kalendaracstaterc rw, + owner @{user_state_dirs}/kalendaracstaterc.@{rand6} rwl, + owner @{user_state_dirs}/kalendaracstaterc.lock rwk, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 0098d81c0..cc844ce17 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,20 +16,22 @@ profile kauth-backlighthelper @{exec_path} { capability net_admin, + #aa:dbus own bus=system name=org.kde.powerdevil.backlighthelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, @{sys}/class/backlight/ r, @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, - @{sys}/devices/@{pci}/backlight/**/{uevent,type} r, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw, - @{sys}/devices/@{pci}/intel_backlight/type r, /dev/tty r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 29dfe216b..119b5508d 100644 
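Review bot: `@{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw,` and the two `backlight/**` and `drm/card@{int}/**` lines of the same shape grant write on `max_brightness` and `actual_brightness`, which are reported values, whereas the lines they replace kept those at `r` and gave `rw` only to `brightness`; for a privileged helper (it owns a system-bus name and holds `net_admin`) the write bit should stay as narrow as it was. The context lines `…/backlight/**/brightness rw,` and `…/drm/card@{int}/**/brightness rw,` survive, so those brace groups only need `{max_,actual_}brightness r`, and `*_backlight/` can be split the same way: `@{sys}/devices/@{pci}/*_backlight/brightness rw,` plus `@{sys}/devices/@{pci}/*_backlight/{max_,actual_}brightness r,`. kde-powerdevil later in this commit uses the identical brace group with `r` only, which is the reading side to mirror.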
--- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -2,21 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include + include include + include + + #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/power_supply/** r, @{sys}/devices/**/power_supply/** r, include if exists diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index 98e6614b8..8fcec5a2c 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -2,15 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include + include + include include + #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-fontinst b/apparmor.d/groups/kde/kauth-fontinst index 3a9c21b7b..d05975eac 100644 --- a/apparmor.d/groups/kde/kauth-fontinst +++ b/apparmor.d/groups/kde/kauth-fontinst @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index fa1345d74..2e60e6a0a 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,14 +15,18 @@ profile kauth-kded-smart-helper @{exec_path} { #aa:dbus own bus=system name=org.kde.kded.smart + dbus receive bus=system path=/ + interface=org.kde.kf5auth + member=performAction + peer=(name=@{busname}, label=kded), dbus send bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded5), + peer=(name=org.freedesktop.DBus, label=kded), @{exec_path} mr, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index a172c3404..afecd8d53 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile kauth-kinfocenter-dmidecode-helper @{exec_path} { @{exec_path} mr, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, include if exists } diff --git a/apparmor.d/groups/kde/kbuildsycoca5 b/apparmor.d/groups/kde/kbuildsycoca similarity index 58% rename from apparmor.d/groups/kde/kbuildsycoca5 rename to apparmor.d/groups/kde/kbuildsycoca index 5bd97e1ac..db3aed9dc 100644 --- a/apparmor.d/groups/kde/kbuildsycoca5 +++ b/apparmor.d/groups/kde/kbuildsycoca 
@@ -3,24 +3,21 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/kbuildsycoca5 -profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/kbuildsycoca{,5} +profile kbuildsycoca @{exec_path} flags=(attach_disconnected) { include include include @{exec_path} mr, - owner @{user_cache_dirs}/ksycoca5_* rw, - owner link @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int}, - /dev/tty r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 95fdd6e63..59f60c285 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,9 +10,11 @@ include profile kcminit @{exec_path} { include include - include + include include + #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit + @{exec_path} mr, @{bin}/xrdb rPx, @@ -26,6 +28,8 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc.lock rwk, owner @{user_config_dirs}/kgammarc r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/touchpadxlibinputrc r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index bcab6d31b..6a01748fd 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile kconf_update @{exec_path} { include include include - include + include include include include 
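Review bot: The profile now attaches to `@{bin}/kbuildsycoca{,5}` but this hunk removes the only rules that let it write its output (`owner @{user_cache_dirs}/ksycoca5_* rw,` and the matching `link` rule) without adding a `ksycoca{5,6}_*` equivalent. If those rules moved into one of the includes (their targets are not visible in this diff) that is fine; otherwise the renamed profile will be denied on `ksycoca6_*`, which for a cache builder is its whole job. A comment naming where the cache rules now live, or keeping `owner @{user_cache_dirs}/ksycoca{5,6}_* rw,` here, would settle it.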
@@ -24,68 +24,35 @@ profile kconf_update @{exec_path} { @{sh_path} rix, @{bin}/{,p}grep rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/qtpaths rix, @{bin}/sed rix, @{bin}/qtchooser rPx, @{lib}/kconf_update_bin/* rix, @{lib}/@{multiarch}/kconf_update_bin/* rix, + @{lib}/qt6/bin/qtpaths rix, /usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.sh rix, /usr/share/kconf_update/{,**} r, /usr/share/kglobalaccel/org.kde.krunner.desktop r, - /etc/xdg/konsolerc r, - /etc/xdg/ui/ui_standards.rc r, + /etc/xdg/*rc r, + /etc/xdg/ui/*rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{HOME}/.gtkrc-@{version} w, - owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/akregatorrc.lock rwk, - owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/dolphinrc.lock rwk, - owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.lock rwk, owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**, - owner @{user_config_dirs}/kactivitymanagerd-statsrc rw, - owner @{user_config_dirs}/kateschemarc.lock rwk, - owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kcminputrc.lock rwk, - owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kconf_updaterc.lock rwk, - owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, - owner 
@{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/khotkeysrc.lock rwk, - owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kmixrc.lock rwk, - owner @{user_config_dirs}/kmixrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/konsolerc.lock rwk, - owner @{user_config_dirs}/konsolerc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/krunnerrc.lock rwk, - owner @{user_config_dirs}/krunnerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/krunnerstaterc.lock rwk, - owner @{user_config_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kscreenlockerrc.lock rwk, - owner @{user_config_dirs}/kscreenlockerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kwinrulesrc.lock rwk, - owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kxkbrc.lock rwk, - owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw, - owner @{user_config_dirs}/plasmashellrc r, owner @{user_config_dirs}/sed@{rand6} rw, owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw, + owner @{user_config_dirs}/kcmfonts.lock rwk, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/krunnerstaterc.lock rwk, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 960747c21..7d6daeda6 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil 
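Review bot: The widened `owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},` and its `*rc.@{rand6}` / `*rc.lock` companions replace some thirty per-file entries without saying why a wildcard is the right scope; a comment such as `# kconf_update migrates every KDE rc file, hence the wildcard` above them would stop the next reviewer from re-narrowing it. `@{python_path} rix` makes the `/usr/share/kconf_update/*.py` update scripts run inside this profile; that is reasonable because the scripts are read only from the system-installed `/usr/share/kconf_update/` tree, and the same comment could say so. The enclosing profile starts in the previous hunk and continues past this one.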
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,32 +10,47 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}org_kde_powerdevil profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include + include + include + include + include + include include include include include + include capability wake_alarm, network netlink raw, + #aa:dbus own bus=system name=org.freedesktop.Policy.Power + #aa:dbus own bus=system name=org.kde.kf5auth path=/ + + #aa:dbus own bus=session name=local.org_kde_powerdevil + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + #aa:dbus own bus=session name=org.kde.Solid.PowerManagement + + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + @{exec_path} mrix, @{sh_path} rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, + @{bin}/uname rPx, @{bin}/xargs rix, @{lib}/drkonqi rPx, - /usr/share/knotifications{5,6}/*.notifyrc r, - /etc/fstab r, /etc/machine-id r, owner @{HOME}/ r, + owner @{user_cache_dirs}/ddcutil/* r, owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, owner @{user_config_dirs}/#@{int} rw, @@ -45,10 +60,13 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{run}/systemd/inhibit/*.ref rw, - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + @{run}/mount/utab r, owner @{run}/user/@{uid}kcrash_@{int} rw, + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{sys}/bus/ r, @{sys}/bus/i2c/devices/ r, @{sys}/class/ r, 
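Review bot: `owner @{run}/user/@{uid}kcrash_@{int} rw,`, the context line between the two added `@{run}` rules, looks like it is missing the `/` after `@{uid}`, so it expands to a path such as `/run/user/<uid>kcrash_<n>` that never exists and the rule never matches; `owner @{run}/user/@{uid}/kcrash_@{int} rw,` is presumably intended. Since the commit reorders the lines around it, this is a cheap moment to correct it. The enclosing profile continues past this hunk.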
@@ -56,20 +74,25 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/class/i2c-dev/ r, @{sys}/class/usbmisc/ r, @{sys}/devices/ r, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/card@{int}/*/dpms r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r, + @{sys}/devices/@{pci}/drm/card@{int}/**/*_id r, @{sys}/devices/@{pci}/drm/card@{int}/**/dev r, + @{sys}/devices/@{pci}/drm/card@{int}/**/name r, @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/**/dev r, @{sys}/devices/**/ r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/**/i2c-@{int}/**/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/**/i2c-*/**/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, /dev/i2c-@{int} rwk, diff --git a/apparmor.d/groups/kde/kde-systemd-start-condition b/apparmor.d/groups/kde/kde-systemd-start-condition index 8f368ef73..efec3a8a6 100644 --- a/apparmor.d/groups/kde/kde-systemd-start-condition +++ b/apparmor.d/groups/kde/kde-systemd-start-condition 
@@ -2,20 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kde-systemd-start-condition profile kde-systemd-start-condition @{exec_path} { include + include @{exec_path} mr, - /etc/xdg/baloofilerc r, - /usr/share/desktop-base/kf{5,6}-settings/baloofilerc r, - - owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/kalendaracrc r, + owner @{user_config_dirs}/kgpgrc r, + owner @{user_config_dirs}/kmixrc r, owner @{user_config_dirs}/konquerorrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 6fc974030..678c64e71 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
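Review bot: The `@@ -2,20 +2,20 @@` hunk of kde-systemd-start-condition drops all three `baloofilerc` read rules (`/etc/xdg/baloofilerc`, the `desktop-base` default and the user copy under `@{user_config_dirs}`) while adding reads for `kalendaracrc`, `kgpgrc` and `kmixrc`. The tool's name suggests it evaluates start conditions for services such as baloo; if the `include` line added in the same hunk does not provide the `baloofilerc` reads, that check may now be denied, and the diff does not show what the include pulls in, so this is worth confirming on a session with baloo enabled. A short comment next to the include naming the abstraction that now supplies the baloo rules would make the move visible to the next reader.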
@@ -2,144 +2,171 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include + include #aa:only apt include + include include - include + include + include + include + include include include - include - include + include include - include + include include include + include include capability sys_ptrace, network inet dgram, + network inet stream, network inet6 dgram, - network netlink raw, + network inet6 stream, network netlink dgram, + network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=hup peer=xsettingsd, + signal send set=hup peer=xsettingsd, + signal send set=term peer=kioworker, + + # Owned by KDE #aa:dbus own bus=system name=com.redhat.NewPrinterNotification + + #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus own bus=session name=org.kde.DistroReleaseNotifier + #aa:dbus own bus=session name=org.kde.GtkConfig + #aa:dbus own bus=session name=org.kde.kappmenu + #aa:dbus own bus=session name=org.kde.kcookiejar5 + #aa:dbus own bus=session name=org.kde.kded5 + #aa:dbus own bus=session name=org.kde.keyboard + #aa:dbus own bus=session name=org.kde.KeyboardLayouts + #aa:dbus own bus=session name=org.kde.plasmanetworkmanagement + #aa:dbus own bus=session name=org.kde.plasmashell.accentColor + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + #aa:dbus own bus=session name=org.kde.Wacom + #aa:dbus own bus=session name=org.kubuntu.NotificationHelper + #aa:dbus own bus=session name=org.kubuntu.restrictedInstall + + # Talk with KDE + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}" + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" + dbus receive bus=system path=/ 
interface=org.kde.kf5auth member=remoteSignal - peer=(name=:*, label=kauth-kded-smart-helper), + peer=(name=@{busname}, label=kauth-kded-smart-helper), dbus send bus=system path=/ interface=org.kde.kf5auth member=performAction - peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), + peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), @{exec_path} mrix, + @{python_path} rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/flatpak rPx, @{bin}/kcminit rPx, + @{bin}/lsb_release rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, - @{bin}/python3.@{int} rix, @{bin}/setxkbmap rix, + @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @{bin}/xsetroot rPx, @{bin}/xsettingsd rPx, @{lib}/drkonqi rPx, - #aa:exec utempter + @{lib}/{,@{multiarch}/}utempter/utempter rPx, #aa:exec kconf_update /usr/share/color-schemes/{,**} r, + /usr/share/distro-info/{,**} r, + /usr/share/distro-release-notifier/{,**} r, /usr/share/kconf_update/ r, /usr/share/kded{5,6}/{,**} r, /usr/share/kf{5,6}/kcookiejar/* r, /usr/share/khotkeys/{,**} r, - /usr/share/knotifications{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/ubuntu-release-upgrader/{,*} r, /etc/fstab r, /etc/xdg/accept-languages.codes r, - /etc/xdg/kcminputrc r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, + /etc/update-manager/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, / r, + @{efi}/ r, + owner /var/lib/update-manager/meta-release-lts rw, + + owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, + owner @{HOME}/.var/ w, + owner @{HOME}/.var/app/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/**/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w, + owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w, + @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, - owner @{user_cache_dirs}/#@{int} rw, - owner 
@{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, + owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw, @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/bluedevilglobalrc.lock rwk, - owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.lock rwk, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk, - owner @{user_config_dirs}/gtkrc{,*} rwlk, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kconf_updaterc rw, - owner @{user_config_dirs}/kconf_updaterc.lock rwk, - owner @{user_config_dirs}/kdebugrc r, - owner @{user_config_dirs}/kded{5,6}rc.lock rwk, - owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl, owner @{user_config_dirs}/kdedefaults/{,**} r, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl, - owner @{user_config_dirs}/khotkeysrc.lock rwk, - owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/ksmserverrc r, - owner @{user_config_dirs}/ktimezonedrc.lock rwk, - owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kxkbrc r, owner 
@{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_config_dirs}/networkmanagement.notifyrc r, - owner @{user_config_dirs}/plasma-nm r, - owner @{user_config_dirs}/plasma-welcomerc r, - owner @{user_config_dirs}/touchpadrc r, + owner @{user_config_dirs}/plasma* r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, - owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, owner @{user_share_dirs}/kcookiejar/cookies.lock rwk, + owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/kded{5,6}/{,**} rw, owner @{user_share_dirs}/kscreen/{,**} rwl, owner @{user_share_dirs}/kservices{5,6}/{,**} r, owner @{user_share_dirs}/ktp/cache.db rwk, owner @{user_share_dirs}/remoteview/ r, owner @{user_share_dirs}/services5/{,**} r, + owner @{user_share_dirs}/user-places.xbel r, + + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @@ -151,12 +178,18 @@ profile kded @{exec_path} { owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, + @{sys}/class/leds/ r, + + @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b259:@{int} r, # Block Extended Major + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/fd/info/@{int} r, @{PROC}/sys/fs/inotify/max_user_{instances,watches} r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, 
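Review bot: The rewrite to `owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},` (with the `*rc.@{rand6}` and `*rc.lock` globs) in the `@@ -2,144 +2,171 @@` hunk of kded turns files that were read-only before the commit into read-write: `kwalletrc`, `ksmserverrc`, `kxkbrc`, `breezerc`, `kcminputrc` and `kdebugrc` all had plain `r` rules and are now writable by kded. AppArmor rules only add permissions, so a more specific `r` rule cannot take the write back; if kded does not actually write the wallet and session-manager configs, a quiet `deny owner @{user_config_dirs}/{kwalletrc,ksmserverrc} w,` next to the glob keeps those two at their previous level, otherwise a comment such as `# kded rewrites most *rc files through KConfig` documents that the widening is deliberate. The removed `kdeglobals{,.@{rand6}} rwl` and `kdeglobals.lock rwk` rules are not matched by `*rc`, so they are presumably supplied by one of the new includes — worth a quick check since kded writes that file.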
@@ -168,8 +201,6 @@ profile kded @{exec_path} { include include - @{PROC}/tty/drivers r, - include if exists } diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 85ff38d65..156bdf928 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -2,15 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel + @{exec_path} mr, @{bin}/kstart rPx, @@ -20,8 +23,11 @@ profile kglobalacceld @{exec_path} { /etc/machine-id r, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, + owner @{user_config_dirs}/kglobalshortcutsrc* rwl, + owner @{user_config_dirs}/khotkeysrc r, + + @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, diff --git a/apparmor.d/groups/kde/kio_http_cache_cleaner b/apparmor.d/groups/kde/kio_http_cache_cleaner index fa3f494c7..dc1b28dcc 100644 --- a/apparmor.d/groups/kde/kio_http_cache_cleaner +++ b/apparmor.d/groups/kde/kio_http_cache_cleaner @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 7462d6c5b..571581059 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,19 +10,16 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6} profile kiod @{exec_path} { include + include include include include + include network netlink raw, @{exec_path} mr, - /usr/share/icons/breeze/index.theme r, - /usr/share/mime/{,**} r, - - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 6dd771859..0fc81a764 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/kf5/kioslave5 @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5 profile kioworker @{exec_path} { include + include include include include @@ -26,10 +27,13 @@ profile kioworker @{exec_path} { network netlink raw, network netlink dgram, - signal (receive) set=term peer=dolphin, - signal (receive) set=term peer=firefox-kmozillahelper, - signal (receive) set=term peer=plasma-discover, - signal (receive) set=term peer=plasmashell, + signal receive set=term peer=dolphin, + signal receive set=term peer=firefox-kmozillahelper, + signal receive set=term peer=plasma-discover, + signal receive set=term peer=plasmashell, + signal receive set=term peer=xdg-desktop-portal-kde, + + #aa:dbus talk bus=session name=org.kde.kded5 path=/kded label=kded @{exec_path} mr, 
@@ -37,13 +41,15 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, + @{bin}/gs{,.bin} rix, #aa:exec kio_http_cache_cleaner - /usr/share/kio_desktop/directory.desktop r, + /usr/share/kio_desktop/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, @@ -54,6 +60,8 @@ profile kioworker @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* r, + @{sbin}/ r, + @{sbin}/* r, @{lib}/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @@ -63,7 +71,7 @@ profile kioworker @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, @@ -72,9 +80,7 @@ profile kioworker @{exec_path} { owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory l -> @{HOME}/@{XDG_DESKTOP_DIR}/#@{int}, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kio_http/* rwl, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_config_dirs}/kio_httprc r, owner @{user_config_dirs}/menus/{,**} r, @@ -91,7 +97,9 @@ profile kioworker @{exec_path} { @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 054731148..446d8a08d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include 
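Review bot: `@{bin}/gs{,.bin} rix,` in the `@@ -37,13 +41,15 @@` hunk of kioworker runs Ghostscript inside kioworker's own profile, which is a fairly wide file-browsing policy (the `@{bin}/*`, `@{sbin}/*` and mount-point reads in the next hunk, plus the user's temp and cache directories). Together with the `/usr/share/thumbnailers/{,**} r` added in the same hunk, gs is presumably invoked to render untrusted PostScript/PDF files for previews, and Ghostscript's interpreter has a long history of parser bugs, so inheriting the full kioworker policy gives a compromised gs more than it needs. A transition to a dedicated profile (`@{bin}/gs{,.bin} rPx,` if the project ships one) or a child profile (`rCx -> gs`) limited to reading the input file and writing the thumbnail would contain it; if `ix` is kept on purpose, a comment saying why would help the next reviewer.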
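Review bot: In the `@@ -63,7 +71,7 @@` hunk of kioworker, `deny /boot/{,**} r` becomes `deny @{efi}/{,**} r`; unless `@{efi}` also expands to `/boot/` itself, the kernel images, initrd and bootloader configuration directly under `/boot` are no longer matched by the silencing deny. Nothing in the visible hunks grants `/boot`, so the practical effect is audit noise rather than new access, but the `# Silence non user's data` comment above the rule then no longer describes what it covers. Keeping both `deny /boot/{,**} r,` and `deny @{efi}/{,**} r,` preserves the previous behaviour if the tunable turns out to be narrower than `/boot/`.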
@@ -22,16 +21,25 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(hup), + #aa:dbus own bus=session name=org.kde.konsole-@{int} + @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, - #aa:exec utempter + @{lib}/libheif/ r, + @{lib}/libheif/** mr, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, + + # Some CLI program can be launched directly from KDE + @{bin}/btop rPUx, + @{bin}/htop rPx, + @{bin}/micro rPUx, + @{bin}/nvtop rPx, + @{bin}/vim rUx, /usr/share/color-schemes/{,**} r, /usr/share/kf6/{,**} r, - /usr/share/knotifications{5,6}/konsole.notifyrc r, - /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/konsole/{,**} r, /usr/share/sounds/** r, 
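Review bot: `@{bin}/vim rUx,` in the `@@ -22,16 +21,25 @@` hunk of konsole runs vim unconfined unconditionally, while the neighbouring additions use `rPUx` (`btop`, `micro`: confined when a profile is installed, unconfined otherwise) or `rPx` (`htop`, `nvtop`). If vim is intentionally treated like the `@{bin}/@{shells} rUx` rule above it because it can spawn arbitrary commands, the `# Some CLI program can be launched directly from KDE` comment should say so, e.g. `# vim is treated like a shell: it can run arbitrary programs`; otherwise `@{bin}/vim rPUx,` keeps the five lines consistent. Keep in mind that `rPUx` falls back to unconfined on systems without the corresponding profile, so the `P` only helps where that profile is shipped.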
@@ -42,28 +50,38 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/konsolerc{,*} rwlk, + owner @{user_config_dirs}/kbookmarkrc r, + owner @{user_config_dirs}/konsole.notifyrc r, + owner @{user_config_dirs}/konsolerc rwl, + owner @{user_config_dirs}/konsolerc.@{rand6} rwl, + owner @{user_config_dirs}/konsolerc.lock rwk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/session/** rwlk, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, owner @{user_share_dirs}/konsole/** rwlk, owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/konsolestaterc rw, + owner @{user_state_dirs}/konsolestaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/konsolestaterc.lock rwk, + owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, /dev/ptmx rw, diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig index fc14b9536..8ad9c4b5b 100644 --- a/apparmor.d/groups/kde/kreadconfig +++ b/apparmor.d/groups/kde/kreadconfig 
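Review bot: In the `@@ -42,28 +50,38 @@` hunk of konsole, `@{PROC}/@{pid}/cmdline r,` and `@{PROC}/@{pid}/stat r,` are removed and re-added without `owner`, while the new `owner @{PROC}/@{pid}/cgroup r,` directly below them is limited to the user's own processes; `@{pid}` matches any pid number, not just the caller's, so the two unowned rules allow reading the command line and state of every process on the system. If konsole only inspects the child processes of its own tabs (same uid), `owner @{PROC}/@{pid}/{cmdline,stat} r,` is sufficient and matches the cgroup rule. The new `owner @{sys}/fs/cgroup/.../app-org.kde.konsole-@{int}.scope/** rw,` grants write to every control file in that scope; if only `cgroup.procs` is written, naming it narrows the rule.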
@@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/kreadconfig5 +@{exec_path} = @{bin}/kreadconfig{,5} profile kreadconfig @{exec_path} { include + include capability dac_read_search, @@ -16,14 +17,8 @@ profile kreadconfig @{exec_path} { @{exec_path} mr, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, /etc/xdg/kioslaverc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, - include if exists } diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 94890bacc..e44ee1f83 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,8 +10,13 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include + include + include include + #aa:dbus own bus=session name=org.kde.KScreen + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil + @{exec_path} mr, /dev/tty r, diff --git a/apparmor.d/groups/kde/kscreen_osd_service b/apparmor.d/groups/kde/kscreen_osd_service index cafd59a67..8bff3306f 100644 --- a/apparmor.d/groups/kde/kscreen_osd_service +++ b/apparmor.d/groups/kde/kscreen_osd_service @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 1884414a9..192d3f957 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
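Review bot: `@{exec_path} = @{bin}/kreadconfig{,5}` in the `@@ -2,13 +2,14 @@` hunk of kreadconfig attaches the unversioned and KF5 binaries but not the KF6 one; if `kreadconfig6` is meant to use this profile as well — the sibling profiles in this commit use `{5,6}` patterns such as `kded{5,6}` and `kf{5,6}` — `@{exec_path} = @{bin}/kreadconfig{,5,6}` would cover it too. The hunk also carries `capability dac_read_search,` as context for a config-reading CLI; a one-line comment naming the path that requires it would let the next reviewer judge whether it is still needed after the file reads moved into the new include.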
@@ -13,24 +13,24 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include - include + include include include include include include include + include network netlink raw, + ptrace read peer=ksmserver, + signal (receive) set=(term) peer=kwin_wayland, signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, - unix (send,receive) type=stream peer=(label="ksmserver",addr=none), - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -41,7 +41,7 @@ profile kscreenlocker_greet @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, @{lib}/@{multiarch}/libexec/kcheckpass rPx, /usr/share/plasma/** r, @@ -51,12 +51,13 @@ profile kscreenlocker_greet @{exec_path} { /usr/share/xsessions/{,*.desktop} r, /usr/share/hunspell/* r, - /{usr/,}etc/environment r, - /{usr/,}etc/login.defs r, - /{usr/,}etc/login.defs.d/ r, - /{usr/,}etc/security/*.conf r, + @{etc_ro}/environment r, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, + @{etc_ro}/security/*.conf r, /etc/fstab r, /etc/machine-id r, + /etc/os-release r, /etc/pam.d/* r, /etc/shells r, /etc/xdg/kscreenlockerrc r, @@ -70,10 +71,11 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kscreenlocker_greet/ w, owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk, - owner @{user_cache_dirs}/ksvg-elements r, + owner @{user_cache_dirs}/ksvg-elements rw, + owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements-default_v* r, 
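Review bot: The new `signal (receive) set=(term) peer=kwin_wayland,` in the `@@ -13,24 +13,24 @@` hunk of kscreenlocker_greet uses the parenthesised form, whereas the `ptrace read peer=ksmserver,` added two lines above and the kded, kioworker, ksmserver and kwin_wayland hunks in this same commit are converted to the bare form; `signal receive set=term peer=kwin_wayland,` would match the style the commit introduces. The removal of the `unix (send,receive) type=stream peer=(label="ksmserver",addr=none),` rule is mirrored on the ksmserver side later in the diff, so that pair stays consistent.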
@@ -83,8 +85,10 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/kscreenlockerrc.lock rwk, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/plasmarc r, + owner @{user_config_dirs}/plasmashellrc r, # If one is blocked, the others are probed. deny owner @{HOME}/#@{int} mrw, @@ -97,9 +101,11 @@ profile kscreenlocker_greet @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 08db56872..09a228e29 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,16 +11,24 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include + include include include include include - signal (send) set=(usr1,term) peer=kscreenlocker-greet, + signal send set=(usr1,term) peer=kscreenlocker_greet, ptrace (read) peer=kbuildsycoca5, - unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none), + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.ksmserver path=/KSMServer + #aa:dbus own bus=session name=org.kde.KSMServerInterface path=/KSMServer + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld + #aa:dbus talk bus=session name=org.kde.KWin.Session path=/Session label=kwin_wayland @{exec_path} mr, 
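Review bot: `@{PROC}/@{pid}/cgroup r,` and `@{PROC}/@{pid}/mountinfo r,` are added in the `@@ -97,9 +101,11 @@` hunk of kscreenlocker_greet without `owner`, although the greeter — the process on screen while the session is locked — should only need its own entries; `owner @{PROC}/@{pid}/{cgroup,mountinfo} r,` keeps cross-process /proc reads out of the lock screen. The same hunk shows both `@{PROC}/@{pid}/loginuid r,` and `owner @{PROC}/@{pid}/loginuid r,`; the unowned rule already covers the owned one, so one is redundant and the `owner` form is the one worth keeping.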
@@ -31,10 +39,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:exec drkonqi #aa:exec kscreenlocker_greet - @{user_bin_dirs}/** rPUx, - /usr/share/color-schemes/{,**} r, - /usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/{,**} r, @@ -46,25 +51,27 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/@{rand6} rw, owner @{HOME}/.Xauthority rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/menus/ r, - # owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/iceauth_@{rand6}-c w, + owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c, + owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw, + owner @{tmp}/@{rand6} rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, /dev/tty r, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 44d7f6e2a..711da6e9d 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter 
@@ -3,22 +3,28 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ksmserver-logout-greeter @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter -profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { +profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include include include - include include include include include + #aa:dbus own bus=session name=org.kde.LogoutPrompt path=/LogoutPrompt + + #aa:dbus talk bus=session name=org.kde.LogoutPrompt path=/Shutdown label=plasma-shutdown + #aa:dbus talk bus=session name=org.kde.KWin label=kwin_wayland + @{exec_path} mr, @{lib}/os-release r, @@ -54,7 +60,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/exe r, - owner @{PROC}/@{pid}/status r, include if exists } diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 463aec245..770625988 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -2,28 +2,34 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include + include include include include include + ptrace read peer=startplasma, + + #aa:dbus own bus=session name=org.kde.KSplash path=/KSplash + @{exec_path} mr, @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, + /usr/share/color-schemes/* r, /usr/share/plasma/** r, /etc/machine-id r, + /etc/xdg/plasmarc r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksplash/ rw, owner @{user_cache_dirs}/ksplash/** rwlk -> @{user_cache_dirs}/ksplash/**, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 6aefc1d43..04d084d0c 100644 --- a/apparmor.d/groups/kde/kstart 
+++ b/apparmor.d/groups/kde/kstart @@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 5005dde31..0a685d8e5 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,14 +11,17 @@ include profile kwalletd @{exec_path} { include include + include include include include - include include include include + #aa:dbus own bus=session name=org.freedesktop.secrets + #aa:dbus own bus=session name=org.kde.kwalletd5 + @{exec_path} mr, @{bin}/gpgconf rCx -> gpg, @@ -30,8 +33,6 @@ profile kwalletd @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kwalletrc r, @@ -41,6 +42,8 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, + owner @{run}/user/@{uid}/kwallet{5,6}.socket rw, + owner @{tmp}/kwalletd5.* rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index b1ca562cc..5ffcafd4f 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
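Review bot: The `@@ -41,6 +42,8 @@` hunk of kwalletd adds `owner @{run}/user/@{uid}/kwallet{5,6}.socket rw,` for both generations of the daemon, but the `#aa:dbus own` directives added in the `@@ -11,14 +11,17 @@` hunk only name `org.kde.kwalletd5` next to `org.freedesktop.secrets`. If the KF6 daemon is meant to be covered by this profile, as the socket rule suggests, it also needs `#aa:dbus own bus=session name=org.kde.kwalletd6`; otherwise the `{5,6}` in the socket rule is wider than necessary. `owner @{tmp}/kwalletd5.* rw,` in the same hunk has the 5-only shape, so whichever way this goes, the three rules should agree.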
@@ -29,7 +29,6 @@ profile kwalletmanager @{exec_path} { /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kwalletmanager5rc rw, owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{int}, @@ -37,15 +36,11 @@ profile kwalletmanager @{exec_path} { owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, - owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/cmdline r, - /dev/shm/ r, /dev/shm/#@{int} rw, include if exists diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 7bed8beca..224835ac2 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -2,14 +2,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kwin_wayland -profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { +profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include + include include include include 
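Review bot: The `@@ -2,14 +2,16 @@` hunk of kwin_wayland normalises the profile flags to `flags=(attach_disconnected,mediate_deleted)`, but kde-powerdevil, touched earlier in this same commit, keeps `flags=(attach_disconnected mediate_deleted)` on its profile line. Both spellings are accepted by the parser, so this is consistency only; changing it to `profile kde-powerdevil @{exec_path} flags=(attach_disconnected,mediate_deleted) {` in the same commit avoids a second normalisation pass later.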
@@ -19,25 +21,38 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { capability sys_nice, capability sys_ptrace, - ptrace (read), - - signal (receive) set=term peer=sddm, - signal (receive) set=(kill, term) peer=kwin_wayland_wrapper, - signal (send) set=(kill, term) peer=xwayland, - network netlink raw, + ptrace read, + + signal receive set=term peer=sddm, + signal receive set=(kill, term) peer=kwin_wayland_wrapper, + signal send set=(kill, term) peer=xwayland, + + unix type=stream peer=(label=xkbcomp), + unix type=stream peer=(label=xwayland), + + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.kglobalaccel path=/kglobalaccel + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd + @{exec_path} mr, + /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, + /etc/xdg/Xwayland-session.d/10-ibus-x11 Cx -> ibus, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, - /usr/share/desktop-base/kf5-settings/{,**} r, /usr/share/desktop-directories/*.directory r, /usr/share/kglobalaccel/{,**} r, - /usr/share/knotifications{5,6}/ksmserver.notifyrc r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, + /usr/share/kwin-wayland/{,**} r, /usr/share/kwin/{,**} r, /usr/share/libinput-*/{,**} r, /usr/share/libinput/{,**} r, @@ -45,10 +60,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/plasma/desktoptheme/** r, /etc/pipewire/client.conf.d/ r, - /etc/xdg/kscreenlockerrc r, - /etc/xdg/menus/{,applications.menu} r, - /etc/xdg/menus/applications-merged/ r, - /etc/xdg/plasmarc r, + /etc/xdg/** r, /etc/machine-id r, /var/lib/dbus/machine-id r, 
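Review bot: The three `/etc/xdg/Xwayland-session.d/... Cx -> at-spi|pulseaudio|ibus` rules in the `@@ -19,25 +21,38 @@` hunk of kwin_wayland transition to child profiles that must be defined inside this profile; none is in the hunk, so if the file does not define `profile at-spi`, `profile pulseaudio` and `profile ibus` further down, the policy fails to load — presumably it does, but it is worth checking before merging. The `unix type=stream peer=(label=xkbcomp),` and `peer=(label=xwayland)` rules carry no access list, so they allow every unix-socket operation towards those peers; if only data exchange is needed, `unix (send, receive) type=stream peer=(label=xkbcomp),` is tighter. In the `@@ -45,10 +60,7 @@` hunk, `/etc/xdg/** r` replaces four named files with a blanket read of the whole `/etc/xdg` tree; read-only system configuration is low risk, but a comment on why the compositor needs all of it, e.g. `# KConfig cascades through /etc/xdg`, would document the widening.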
@@ -71,11 +83,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{sddm_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int},
 owner @{user_cache_dirs}/ r,
- owner @{user_cache_dirs}/#@{int} rw,
 owner @{user_cache_dirs}/ksvg-elements r,
- owner @{user_cache_dirs}/icon-cache.kcache rw,
- owner @{user_cache_dirs}/ksycoca{5,6}_* r,
- owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/kwin/ rw,
 owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
@@ -85,10 +93,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_config_dirs}/#@{int} rwl,
 owner @{user_config_dirs}/breezerc r,
- owner @{user_config_dirs}/kcminputrc r,
 owner @{user_config_dirs}/kdedefaults/* r,
 owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
 owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/khotkeysrc r,
 owner @{user_config_dirs}/klaunchrc r,
 owner @{user_config_dirs}/kscreenlockerrc r,
 owner @{user_config_dirs}/kwinoutputconfig.json rw,
@@ -96,29 +104,36 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/kwinrulesrc r,
 owner @{user_config_dirs}/kxkbrc r,
- owner @{user_config_dirs}/menus/{,applications-merged/} r,
+ owner @{user_config_dirs}/menus/** r,
 owner @{user_config_dirs}/plasmarc r,
- owner @{user_config_dirs}/session/* r,
+ owner @{user_config_dirs}/session/* r,
 owner @{user_share_dirs}/kscreen/* r,
 owner @{user_share_dirs}/kwin/scripts/{,**} r,
- @{run}/systemd/inhibit/*.ref rw,
+ owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+
+ @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
 @{sys}/bus/ r,
 @{sys}/class/ r,
 @{sys}/class/drm/ r,
 @{sys}/class/input/ r,
 @{sys}/devices/**/uevent r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
- @{run}/udev/data/+acpi:* r, # for ACPI
+ @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal)
 @{run}/udev/data/+dmi:* r, # for motherboard info
- @{run}/udev/data/+hid:* r, # for HID subsystem
+ @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners)
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+platform:* r, # for ?
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
+ @{run}/udev/data/+serio:* r, # for touchpad
 @{run}/udev/data/+sound:card@{int} r, # for sound card
- @{run}/udev/data/+usb:* r,
+ @{run}/udev/data/+usb:* r, # Identifies all USB devices
 @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
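Review bot: `owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,` is added between the `session/*` and `kscreen/*` config rules with no comment, so a reader cannot tell why a compositor needs write access to a browser's shared-memory file. Presumably this is the wl_shm buffer a Chromium-based client hands over by file descriptor (AppArmor re-validates the path when the receiving profile uses the fd); if so, say it inline, e.g. `owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, # wl_shm buffers passed by Chromium/Electron clients`, and group it with any other `/dev/shm` rules the profile has. The rewritten udev comments also mix styles: `+acpi:`, `+hid:`, `+platform:` and `+usb:` now carry full sentences while `+dmi:`, `+serio:` and `+sound:` keep the `# for …` form — pick one. The enclosing profile continues past this hunk.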
@@ -127,10 +142,58 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, + @{att}/dev/dri/card@{int} rw, + /dev/tty r, /dev/tty@{int} rw, + profile at-spi { + include + include + + @{sh_path} r, + @{bin}/busctl rix, + @{bin}/sed rix, + @{bin}/xprop rPx, + + /etc/xdg/Xwayland-session.d/00-at-spi r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + + profile pulseaudio { + include + include + + @{sh_path} rix, + @{bin}/pactl Px, + + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 r, + + owner @{HOME}/ r, + + include if exists + } + + profile ibus { + include + include + + @{sh_path} r, + @{lib}/{,ibus/}ibus-x11 rPx, + + /etc/xdg/Xwayland-session.d/10-ibus-x11 r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index f28106373..a7ce4c2fe 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -2,18 +2,21 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kwin_wayland_wrapper profile kwin_wayland_wrapper @{exec_path} { include + include include include signal (send) set=(term, kill) peer=kwin_wayland, + #aa:dbus own bus=session name=org.kde.KWinWrapper + @{exec_path} mr, @{bin}/kwin_wayland rPx, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index f53e9803b..8cc233ff2 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -2,18 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include include include include include include + include network inet dgram, network inet6 dgram, 
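Review bot: The three new child profiles disagree about the interpreter: `at-spi` and `ibus` grant `@{sh_path} r,` while `pulseaudio` grants `@{sh_path} rix,`, yet all three are entered through `Cx` from shell scripts under `/etc/xdg/Xwayland-session.d/`. If `r` alone is enough for the script interpreter in this profile set, `pulseaudio` is over-permissive; if it is not, `at-spi` and `ibus` will be denied at the first `sh` exec — either way the three should match. Separately, `at-spi` and `ibus` carry `/home/ r,` (listing every home directory) where `pulseaudio` only needs `owner @{HOME}/ r,`; a note on why the two scripts need `/home/` would help, e.g. `/home/ r, # TODO(review): why is listing /home needed here?`.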
@@ -21,41 +23,51 @@ profile kwin_x11 @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + + #aa:dbus talk bus=session name=org.kde.ActivityManager label=kactivitymanagerd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label=kglobalacceld + @{exec_path} mrix, @{sh_path} rix, + @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, #aa:exec drkonqi + /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, + /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, - /etc/xdg/kcminputrc r, /etc/xdg/plasmarc r, owner @{user_cache_dirs}/ r, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, + owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/kwin/{,**} rwl, - owner @{user_cache_dirs}/plasmarc r, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, + owner @{user_cache_dirs}/plasmarc r, owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kcminputrc r, + owner @{user_config_dirs}/kaccessrc r, + owner @{user_config_dirs}/kdedefaults/plasmarc r, + owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, - owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/session/#@{int} rw, + + owner @{user_share_dirs}/kwin/scripts/ r, + owner @{tmp}/#@{int} rw, owner @{tmp}/kwin.@{rand6} rwl, 
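Review bot: `@{bin}/kdialog rix,` runs kdialog inside kwin_x11's own profile, so any dialog it opens (file pickers included) inherits every rule here, unlike `@{lib}/kwin_killer_helper rix` right below it, which is a small fixed-purpose helper. If a `kdialog` profile exists in this set the usual form is `@{bin}/kdialog rPx,`; if not, `rPUx` matches how this commit handles `@{bin}/ksysguardd` in plasmashell. A short comment on what kwin_x11 invokes kdialog for would make the choice reviewable. The enclosing profile continues past this hunk.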
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index d732ee0f7..a2ffad26f 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,28 +11,51 @@ include profile okular @{exec_path} { include include + include include + include include include + include include include include + network netlink raw, + + ptrace read peer=@{p_systemd}, + + signal send set=term peer=kioworker, + @{exec_path} mr, @{bin}/ps2pdf rPUx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgcon rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{open_path} rPx -> child-open, + #aa:exec kioworker /usr/share/color-schemes/{,**} r, /usr/share/okular/{,**} r, /usr/share/poppler/{,**} r, + /etc/fstab r, + /etc/xdg/dolphinrc r, + + / r, + @{MOUNTS}/ r, + + owner @{user_cache_dirs}/okular/{,**} rw, + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/KDE/*.conf r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc.lock rwk, 
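Review bot: `ptrace read peer=@{p_systemd},` gives okular ptrace-read on the init process with no comment explaining the need; in this profile set that rule usually exists only so that some `/proc/1/…` file can be read, and naming the file makes the grant auditable, e.g. `ptrace read peer=@{p_systemd}, # TODO(review): which /proc/1 file does okular read?`. The same applies to `/ r,` and `@{MOUNTS}/ r,`, presumably the places panel of the file dialog. The enclosing profile continues past this hunk.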
@@ -40,21 +63,39 @@ profile okular @{exec_path} { owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, + owner @{user_share_dirs}/user-places.xbel r, - owner @{user_cache_dirs}/okular/{,**} rw, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/okularstaterc rw, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int}, + owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment, + + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, profile gpg { include + include @{bin}/gpg{,2} mr, - @{bin}/gpgcon mr, + @{bin}/gpgconf mr, @{bin}/gpgsm mr, + owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, + owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/gnupg/ r, diff --git a/apparmor.d/groups/kde/pam_kwallet_init b/apparmor.d/groups/kde/pam_kwallet_init index b84407863..764917a1f 100644 --- a/apparmor.d/groups/kde/pam_kwallet_init +++ b/apparmor.d/groups/kde/pam_kwallet_init @@ -2,7 +2,7 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index 6270df2f7..e17d4c5f1 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host 
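Review bot: `owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int},` uses the `@{tmp}` variable on the source side but the literal `/tmp/` on the link target, while the `okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}` line a few lines up keeps both sides on the variable. It follows the pre-existing `okular_@{rand6}.ps` line, but if `@{tmp}` can expand to a per-user private tmp the link target will not match and the rename is denied; `-> @{tmp}/#@{int}` keeps the two sides in step. The new `ostree-gpg-@{rand6}` rules in plasma-discover further down this page have the same `@{tmp}` / `/tmp/` split. The enclosing profile continues past this hunk.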
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,19 +21,10 @@ profile plasma-browser-integration-host @{exec_path} { @{exec_path} mr, - /etc/xdg/menus/applications-merged/ r, - /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index 5d0884026..1247d0fdf 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,7 +29,7 @@ profile plasma-discover @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/kreadconfig5 rPx, + @{bin}/kreadconfig{,5} rPx, @{bin}/gpg rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @@ -38,7 +38,6 @@ profile plasma-discover @{exec_path} { #aa:exec kio_http_cache_cleaner #aa:exec kioworker - /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/knsrcfiles/{,*} r, /usr/share/kservices{5,6}/{,*} r, /usr/share/kservicetypes5/{,*} r, @@ -65,7 +64,6 @@ profile plasma-discover @{exec_path} { owner @{user_cache_dirs}/appstream/*.xb rw, owner @{user_cache_dirs}/discover/{,**} rwlk, owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kio_http/ w, owner @{user_config_dirs}/ r, 
@@ -86,8 +84,8 @@ profile plasma-discover @{exec_path} { owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int}, owner @{tmp}/#@{int} rw, owner @{tmp}/discover-@{rand6}/{,**} rw, - owner @{tmp}/ostree-gpg-*/ rw, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-@{rand6}/ rw, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, owner @{run}/user/@{uid}/.flatpak-cache rw, owner @{run}/user/@{uid}/.flatpak/{,**} rw, @@ -108,8 +106,8 @@ profile plasma-discover @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner @{tmp}/ostree-gpg-*/ r, - owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, + owner @{tmp}/ostree-gpg-@{rand6}/ r, + owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, include if exists } diff --git a/apparmor.d/groups/kde/plasma-emojier b/apparmor.d/groups/kde/plasma-emojier index 3862706a9..ba00660fc 100644 --- a/apparmor.d/groups/kde/plasma-emojier +++ b/apparmor.d/groups/kde/plasma-emojier @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 6082b579e..5d3812594 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,15 +33,10 @@ profile plasma_session @{exec_path} { #aa:exec polkit-kde-authentication-agent /usr/share/kservices{5,6}/{,**} r, - /usr/share/knotifications{5,6}/{,**} r, /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, - /etc/xdg/menus/ r, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - - owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, 
diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index c987a4759..d32122a8a 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -2,14 +2,16 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include + include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e4cde431b..600d1be48 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,8 +13,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include - include + include include include include @@ -27,8 +28,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include - # userns, + userns, capability sys_ptrace, 
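Review bot: `userns,` is now enabled for the whole plasmashell profile and the hunk carries no comment saying which component needs user namespaces. Unprivileged user namespaces widen the kernel attack surface considerably (presumably why the rule was commented out before), so the grant deserves a why-line, e.g. `userns, # TODO(review): document which plugin/helper creates namespaces`. If the need is confined to a helper that plasmashell execs, giving that helper its own profile with `userns` keeps the shell itself without it. The enclosing profile continues past this hunk.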
@@ -39,9 +41,26 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { network netlink dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send), + signal send, + + #aa:dbus own bus=session name=com.canonical.Unity + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.kde.JobViewServer + #aa:dbus own bus=session name=org.kde.klipper + #aa:dbus own bus=session name=org.kde.kuiserver + #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell + #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int} + + #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd + #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.Solid.PowerManagement label=kde-powerdevil + #aa:dbus talk bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher label=kded @{exec_path} mr, @@ -49,19 +68,19 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/libheif/{,**} mr, @{bin}/dolphin rPx, - @{bin}/ksysguardd rix, + @{bin}/ksysguardd rPUx, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, @{lib}/kf{5,6}/kdesu{,d} rix, #aa:exec kioworker + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, - /usr/share/desktop-base/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, /usr/share/kf{5,6}/{,**} r, /usr/share/kio/servicemenus/{,*.desktop} r, - /usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/konsole/ r, /usr/share/krunner/{,**} r, /usr/share/kservices{5,6}/{,**} r, 
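Review bot: `/snap/*/@{uid}/**.@{image_ext} r,` uses `@{uid}` for the second path component, but that component of a snap mount path is the package revision, not a user id; `@{int}` expresses the intent and stops a reader assuming a per-user path. Also `@{bin}/ksysguardd` moves from `rix` to `rPUx`, which falls back to unconfined whenever no `ksysguardd` profile is loaded — if such a profile exists in this set, `rPx` is the strict form, otherwise a comment on the deliberate fallback helps. The enclosing profile continues past this hunk.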
@@ -70,15 +89,16 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /usr/share/metainfo/{,**} r,
 /usr/share/plasma/{,**} r,
 /usr/share/plasma5support/** r,
+ /usr/share/qalculate/{,**} r,
 /usr/share/rider/{,**} r,
 /usr/share/solid/actions/{,**} r,
 /usr/share/swcatalog/{,**} r,
 /usr/share/templates/{,*.desktop} r,
+ /usr/share/thumbnailers/{,*} r,
 /usr/share/wallpapers/{,**} r,
 /etc/appstream.conf r,
 /etc/fstab r,
- /etc/ksysguarddrc r,
 /etc/machine-id r,
 /etc/os-release r,
 /etc/sensors.d/ r,
@@ -87,9 +107,15 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /var/lib/AccountsService/icons/* r,
+ @{MOUNTS}/ r,
+ @{HOME}/ r,
+ owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
+ owner @{HOME}/.var/app/**.{png,jpg,svg} r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{user_games_dirs}/**.{png,jpg,svg} r,
+ owner @{user_music_dirs}/**.{png,jpg,svg} r,
 owner @{user_pictures_dirs}/{,**} r,
 owner @{user_templates_dirs}/ r,
@@ -100,12 +126,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_cache_dirs}/appstream/*.xb rw,
 owner @{user_cache_dirs}/bookmarksrunner/ rw,
 owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int},
- owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w,
 owner @{user_cache_dirs}/ksvg-elements rw,
 owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
- owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
 owner @{user_cache_dirs}/plasma_engine_potd/{,**} rw,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
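Review bot: `@{HOME}/ r,` is the only unowned home-directory rule in this block; the lines right after it (`.mozilla/…`, `.var/app/…`, `@{XDG_DESKTOP_DIR}/…`) are all `owner`-scoped. Listing another user's home directory is unlikely to be something the shell needs, so `owner @{HOME}/ r,` matches the block — unless a widget is meant to browse other homes, in which case say so in a comment. The enclosing profile continues past this hunk.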
@@ -125,18 +149,18 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_config_dirs}/akonadi/akonadi*rc r,
 owner @{user_config_dirs}/arkrc r,
 owner @{user_config_dirs}/baloofileinformationrc r,
- owner @{user_config_dirs}/baloofilerc r,
 owner @{user_config_dirs}/breezerc r,
- owner @{user_config_dirs}/dolphinrc r,
 owner @{user_config_dirs}/eventviewsrc r,
 owner @{user_config_dirs}/kactivitymanagerd* rwkl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/kcookiejarrc r,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
 owner @{user_config_dirs}/kdiff3fileitemactionrc r,
+ owner @{user_config_dirs}/kiorc r,
 owner @{user_config_dirs}/kioslaverc r,
 owner @{user_config_dirs}/klaunchrc r,
 owner @{user_config_dirs}/klipperrc r,
 owner @{user_config_dirs}/kmail2.notifyrc r,
+ owner @{user_config_dirs}/knfsshare r,
 owner @{user_config_dirs}/korganizerrc r,
 owner @{user_config_dirs}/krunnerrc r,
 owner @{user_config_dirs}/ksmserverrc r,
@@ -144,15 +168,15 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_config_dirs}/menus/{,**} r,
 owner @{user_config_dirs}/networkmanagement.notifyrc r,
 owner @{user_config_dirs}/plasma* rwlk,
- owner @{user_config_dirs}/trashrc r,
+ owner @{user_share_dirs}/*/sessions/ r,
 owner @{user_share_dirs}/#@{int} rw,
 owner @{user_share_dirs}/akonadi/search_db/{,**} r,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
 owner @{user_share_dirs}/kio/servicemenus/{,**} r,
- owner @{user_share_dirs}/klipper/{,*} rwl,
+ owner @{user_share_dirs}/klipper/{,**} rwlk,
 owner @{user_share_dirs}/konsole/ r,
 owner @{user_share_dirs}/kpeople/persondb rwk,
 owner @{user_share_dirs}/kpeoplevcard/ r,
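Review bot: `owner @{user_share_dirs}/*/sessions/ r,` reads the `sessions/` directory of every application under the user's data dir, and the hunk gives no hint which application's sessions plasmashell lists. Naming the consumer in a comment, or putting the application name in place of `*`, keeps the rule reviewable, e.g. `owner @{user_share_dirs}/*/sessions/ r, # TODO(review): which app's sessions are listed?`. The enclosing profile continues past this hunk.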
@@ -166,15 +190,23 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/plasma_icons/*.desktop r, owner @{user_share_dirs}/plasma/{,**} r, owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**, + owner @{user_share_dirs}/qalculate/{,**} r, owner @{user_share_dirs}/user-places.xbel{,*} rwl, owner @{user_share_dirs}/wallpapers/{,**} rw, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasma/* r, + owner @{user_state_dirs}/plasmashellstaterc rw, + owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, + owner @{user_state_dirs}/plasmashellstaterc.lock rwk, + /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/kdesud_:@{int} w, owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @@ -184,11 +216,17 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{sys}/devices/platform/** r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/thermal/**/{name,type} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{PROC}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/diskstats r, @{PROC}/loadavg r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 8aea34ad4..1b8930f06 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
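Review bot: `@{PROC}/@{pid}/cmdline r,` and `@{PROC}/@{pid}/stat r,` are not `owner`-scoped, so plasmashell may read the command line and state of every process on the system, not only the user's own. That is consistent with the `capability sys_ptrace` and `ptrace read` the profile already holds in earlier hunks of this file, but a one-line reason (e.g. `# task manager / system monitor widgets`, or whatever the real consumer is) would stop a later reader from narrowing it to `owner` by mistake — or, if the user's own processes suffice, `owner` is the safer default. The enclosing profile continues past this hunk.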
@@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include + include include capability audit_write, 
@@ -40,65 +40,73 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (trace) peer=@{profile_name}, signal (receive) set=(hup) peer=@{p_systemd}, + signal (send) set=(kill, term) peer=labwc, + signal (send) set=(kill, term) peer=lxqt-session, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, signal (send) set=(kill, term) peer=xsetroot, signal (send) set=(term) peer=kwin_wayland, signal (send) set=(term) peer=sddm-greeter, signal (send) set=(term) peer=startplasma-wayland, + signal (send) set=(term) peer=startlxqtwayland, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=kscreenlocker-greet), + unix type=stream addr=@@{udbus}/bus/sddm-helper/system, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + #aa:dbus own bus=system name=org.freedesktop.DisplayManager - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet), + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 interface=org.freedesktop.login1.Manager label="@{p_systemd_logind}" @{exec_path} mr, @{lib}/@{multiarch}/sddm/sddm-helper rix, @{lib}/plasma-dbus-run-session-if-needed rix, @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{lib}/sddm/sddm-helper rix, - @{lib}/sddm/sddm-helper-start-wayland rix, - @{lib}/sddm/sddm-helper-start-x11user rix, + @{lib}/{,sddm/}sddm-helper rix, + @{lib}/{,sddm/}sddm-helper-start-wayland rix, + @{lib}/{,sddm/}sddm-helper-start-x11user rix, @{shells_path} rix, + @{bin}/{,e}grep 
rix, + @{bin}/basename rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{bin}/date rix, + @{bin}/dirname rix, @{bin}/disable-paste rix, + @{bin}/id rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/sed rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @{bin}/xdm r, @{bin}/xmodmap rix, + @{sbin}/checkproc rix, @{bin}/dbus-run-session rPx -> dbus-session, + @{bin}/dbus-update-activation-environment rPx -> dbus-session, @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, + @{bin}/Hyprland rPx, + @{bin}/ksecretd rPUx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, + @{bin}/labwc rPx, @{bin}/sddm-greeter{,-qt6} rPx, + @{bin}/startlxqt rPx, + @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, @{bin}/startplasma-x11 rPx, @{bin}/sway rPUx, @{bin}/systemctl rCx -> systemctl, @{bin}/xauth rCx -> xauth, @{bin}/Xorg rPx, + @{bin}/xrandr rPx, @{bin}/xrdb rPx, @{bin}/xset rPx, @{bin}/xsetroot rPx, @@ -106,13 +114,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/sddm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx, - /usr/etc/X11/xdm/Xsetup rix, + @{etc_ro}/X11/xdm/Xsetup rix, /usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/Xsession rix, /usr/share/sddm/scripts/Xsetup rix, /usr/share/sddm/scripts/Xstop rix, - /usr/share/desktop-base/softwaves-theme/login/*.svg r, /usr/share/plasma/desktoptheme/** r, /usr/share/sddm/faces/.*.icon r, /usr/share/sddm/themes/** r, @@ -122,9 +129,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/X11/xinit/xinitrc.d/{,*} r, - /{usr/,}etc/environment r, - /{usr/,}etc/security/limits.d/{,*.conf} r, - /{usr/,}etc/X11/Xmodmap r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*.conf} r, + @{etc_ro}/X11/Xmodmap r, /etc/debuginfod/{,*} r, /etc/manpath.config r, /etc/default/locale r, 
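Review bot: `@{bin}/ksecretd rPUx,` lets a secret-service daemon started by the root display manager run unconfined whenever no `ksecretd` profile is loaded, while the neighbouring new entries (`Hyprland`, `labwc`, `startlxqt`, `startlxqtwayland`, `xrandr`) use the strict `rPx`. If a `ksecretd` profile ships with this set, `rPx` keeps parity; if it does not yet, a comment explaining the deliberate fallback is better than a silent unconfined path for a process that holds user secrets. The `#aa:dbus talk … org.freedesktop.home1 …` and `… login1 …` lines are scoped to one interface each, which is the right shape for the directive. This is one of several hunks in the sddm profile, which continues past it.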
@@ -172,12 +179,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/sddm-auth* rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{run}/faillock/@{user} rwk, @{run}/sddm.pid rw, @{run}/sddm/\{@{uuid}\} rw, @{run}/sddm/#@{int} rw, @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int}, - @{run}/systemd/sessions/*.ref rw, @{run}/user/@{uid}/xauth_@{rand6} rwl, owner @{run}/sddm/ rw, owner @{run}/user/@{uid}/ r, @@ -199,7 +207,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f249d911e..47383bb75 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,28 +13,33 @@ profile sddm-greeter @{exec_path} { include include include - include - include + include include include include include include + include network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListActivatableNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - /usr/share/desktop-base/*-theme/login/*.svg r, + /usr/share/endeavouros/backgrounds/** r, + /usr/share/hunspell/** r, /usr/share/plasma/desktoptheme/** r, /usr/share/sddm/{,**} r, + /usr/share/wallpapers/{,**} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xsessions/{,*.desktop} r, - /usr/share/wallpapers/{,**} r, - /usr/share/hunspell/** r, /etc/fstab r, /etc/os-release r, 
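Review bot: `@{run}/faillock/@{user} rwk,` grants write and lock access to the per-user pam_faillock tally files, i.e. the records that implement login lockout, with no comment saying the access comes from PAM running inside sddm. That is expected for a display manager, but because writing these files can reset a lockout counter the reason should be stated: `@{run}/faillock/@{user} rwk, # pam_faillock tally records`. The enclosing profile continues past this hunk.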
@@ -49,8 +54,9 @@ profile sddm-greeter @{exec_path} { owner @{SDDM_HOME}/#@{int} mrw, owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**, + @{HOME}/.face.icon r, + owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rw, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 3e566b458..0e9290d53 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,9 +25,11 @@ profile sddm-xsession @{exec_path} { @{bin}/chmod rix, @{bin}/csh rix, @{bin}/date rix, + @{bin}/dpkg-query rpx, @{bin}/fish rix, + @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/id rix, @{bin}/locale rix, @{bin}/locale-check rix, @@ -40,12 +42,13 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.*} rix, - @{bin}/zsh rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @{bin}/numlockx rPx, + @{bin}/xbrlapi rPx, @{bin}/xhost rPx, @{bin}/xrdb rPx, /etc/X11/Xsession rPx, @@ -60,7 +63,9 @@ profile sddm-xsession @{exec_path} { @{system_share_dirs}/im-config/data/{,*} r, @{system_share_dirs}/im-config/xinputrc.common r, + @{system_share_dirs}/libdebuginfod-common/debuginfod.sh r, + /etc/debuginfod/{,**} r, /etc/default/{,*} r, /etc/X11/{,**} r, @@ -71,7 +76,7 @@ profile sddm-xsession @{exec_path} { owner @{tmp}/xsess-env-* rw, owner @{tmp}/file* rw, - audit owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/loginuid r, 
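Review bot: `@{bin}/dpkg-query rpx,` uses the lowercase `p` transition, which enters the target profile without the environment scrubbing that `Px` performs; every other transition on this page (`@{bin}/flatpak rPx`, `@{bin}/xbrlapi rPx`, `@{bin}/numlockx rPx`) uses the uppercase form. For a session script that inherits the user's login environment this looks like a typo rather than a deliberate choice, so `@{bin}/dpkg-query rPx,`. The enclosing profile continues past this hunk.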
@@ -90,6 +95,16 @@ profile sddm-xsession @{exec_path} { profile dbus { include + include + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), @{bin}/dbus-update-activation-environment mr, @@ -123,6 +138,8 @@ profile sddm-xsession @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{HOME}/.xsession-errors w, + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e575f3bb2..64e332dc5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,18 +10,25 @@ include profile startplasma @{exec_path} { include include - include include + include + include + include + include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + @{exec_path} mr, @{sh_path} rix, @{bin}/env rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kapplymousetheme rPUx, + @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, @{bin}/plasma_session rPx, @{bin}/xrdb rPx, 
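Review bot: `#aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"` carries no `interface=` or `path=`, so it allows every method on the user's systemd manager, whereas the sddm-xsession `dbus` child profile earlier on this line is scoped to the single `SetEnvironment` member of `org.freedesktop.systemd1.Manager`, and the sddm profile scopes its `login1`/`home1` talk lines to one interface each. If startplasma only pushes environment variables, narrowing to `interface=org.freedesktop.systemd1.Manager` keeps the grant proportionate and consistent with the rest of the page. The enclosing profile continues past this hunk.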
@@ -29,33 +36,26 @@ profile startplasma @{exec_path} { @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, + /usr/share/byobu/desktop/{,**} r, /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, - /usr/share/knotifications{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/plasma/{,**} r, - /etc/locale.alias r, /etc/machine-id r, - /etc/xdg/kcminputrc r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, - - /var/lib/flatpak/exports/share/mime/ r, + /etc/xdg/plasmarc r, @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, owner @{user_cache_dirs}/plasma-svgelements rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc{,*} rwlk, - owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ rw, owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksplashrc r, owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk, owner @{user_config_dirs}/menus/{,**} r, @@ -66,6 +66,7 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/startkderc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, + owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int}, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/kservices{5,6}/{,**} r, @@ -77,8 +78,7 @@ profile startplasma @{exec_path} { owner @{run}/user/@{uid}/ r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/maps r, + @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 8de52a49c..9558a6528 100644 
--- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings 
@@ -2,80 +2,141 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemsettings profile systemsettings @{exec_path} { include + include include + include + include include include include include + include network netlink raw, + signal send set=term peer=kioworker, + + #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement + #aa:dbus own bus=session name=org.kde.systemsettings + @{exec_path} mr, + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, + @{bin}/lspci rPx, + @{bin}/openssl rix, + @{bin}/pactl rPx, + @{bin}/plasma-discover rPx, + @{bin}/plasmashell rPx, + @{bin}/xdpyinfo rPUx, + @{lib}/qt{5,6}/bin/qdbus rPx, + #aa:exec kioworker /usr/share/kcm_networkmanagement/{,**} r, + /usr/share/kcm_recentFiles/{,**} r, /usr/share/kcmkeys/{,*.kksrc} r, /usr/share/kglobalaccel/* r, /usr/share/kinfocenter/{,**} r, - /usr/share/kinfocenter/{,**} r, + /usr/share/solid/{,**} r, /usr/share/kpackage/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/kwin/{,**} r, /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r, /usr/share/plasma/{,**} r, /usr/share/sddm/themes/{,**} r, - /usr/share/sddm/themes/{,**} r, /usr/share/systemsettings/{,**} r, + /usr/share/wallpapers/{,**} r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/machine-id r, - /etc/xdg/menus/{,applications-merged/} r, + /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, + /etc/xdg/* r, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/kinfocenter/{,**} rwl, + /var/cache/cracklib/cracklib_dict.* r, + /var/cache/samba/ rw, + /var/lib/AccountsService/icons/* r, + /var/lib/flatpak/repo/{,**} r, + + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + + owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, + owner 
@{user_cache_dirs}/kinfocenter/{,**} rwlk, owner @{user_cache_dirs}/ksvg-elements rw, owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements r, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, + owner @{user_config_dirs}/{P,p}lasma* r, + owner @{user_config_dirs}/*rc r, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/khotkeysrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/plasmarc r, + owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, + owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/kde.org/{,**} rwlk, + owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kinfocenterrc* rwlk, + owner @{user_config_dirs}/libaccounts-glib/ rw, + owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_share_dirs}/baloo/index r, - owner @{user_share_dirs}/kservices5/{,ServiceMenus/} r, - owner @{user_share_dirs}/kactivitymanagerd/resources/database rk, + owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, - + owner @{user_share_dirs}/kinfocenter/ rw, + owner @{user_share_dirs}/kinfocenter/** rwlk, + owner @{user_share_dirs}/knotifications{5,6}/{,**} r, + owner @{user_share_dirs}/krdpserver/ rw, + owner 
@{user_share_dirs}/kservices{5,6}/{,ServiceMenus/} r, owner @{user_share_dirs}/systemsettings/ rw, owner @{user_share_dirs}/systemsettings/** rwlk, + owner @{user_share_dirs}/wallpapers/{,**} r, + + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/systemsettingsstaterc rw, + owner @{user_state_dirs}/systemsettingsstaterc.@{rand6} rwlk, + owner @{user_state_dirs}/systemsettingsstaterc.lock rwlk, + + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/systemsettings@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{sys}/bus/ r, + @{sys}/bus/acpi/devices/ r, @{sys}/bus/cpu/devices/ r, @{sys}/class/ r, + @{sys}/firmware/acpi/pm_profile r, + @{PROC}/interrupts r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + /dev/ r, + /dev/bus/usb/ r, + /dev/input/ r, + /dev/rfkill r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter index 1ff12062f..309b9c444 100644 --- a/apparmor.d/groups/kde/utempter +++ b/apparmor.d/groups/kde/utempter @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index b9e7cf4fc..c07b06815 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session 
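Review bot: `+ /etc/xdg/* r,` grants every file directly under /etc/xdg, so the `+ /etc/xdg/plasmanotifyrc r,` line added a few lines above it in the systemsettings hunk can never be the matching rule; keep one or the other. `+ /var/cache/samba/ rw,` is the only non-`owner` write to a system directory in this profile and carries no comment; if it came from a denial while opening a samba-related module, presumably `r` on the directory is all that is exercised, so either narrow the mode or add a comment naming the module that needs the write. `+ @{sh_path} rix,`, `+ @{bin}/cat rix,` and `+ @{bin}/openssl rix,` run under the full systemsettings profile, which matches the repository's convention, but a one-line comment on the openssl rule saying which module invokes it would make that grant reviewable later.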
@@ -2,30 +2,44 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{etc_ro}/sddm/wayland-session profile wayland-session @{exec_path} { include + include include @{exec_path} mr, - @{shells_path} rix, - @{bin}/id rix, + @{shells_path} rix, + @{bin}/cat ix, + @{bin}/dpkg-query px, + @{bin}/gettext ix, + @{bin}/gettext.sh r, + @{bin}/id ix, + @{bin}/locale ix, + @{bin}/locale-check ix, + @{bin}/sed ix, + @{bin}/tr ix, - @{lib}/plasma-dbus-run-session-if-needed rix, - @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{bin}/startplasma-wayland rPx, + @{bin}/startplasma-wayland Px, + @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed ix, + @{lib}/plasma-dbus-run-session-if-needed ix, + /usr/share/im-config/{,**} r, + /usr/share/libdebuginfod-common/debuginfod.sh r, + + /etc/debuginfod/{,**} r, + /etc/default/im-config r, /etc/machine-id r, + /etc/X11/xinit/xinputrc r, + /etc/X11/Xsession.d/*im-config_launch r, owner @{user_share_dirs}/sddm/wayland-session.log rw, - /dev/tty rw, - include if exists } diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index a4474a64a..5c36f579e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -2,16 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include + include include + include include include + include @{exec_path} mr, @@ -20,6 +23,8 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 7e422a3d0..1adbf1d9f 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd 
@@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xsettingsd profile xsettingsd @{exec_path} { include + include signal (receive) set=hup peer=kded, diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge index 0f6aeb48a..889018a13 100644 --- a/apparmor.d/groups/kde/xwaylandvideobridge +++ b/apparmor.d/groups/kde/xwaylandvideobridge @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about new file mode 100644 index 000000000..8f5830453 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-about @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-about +profile lxqt-about @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/desktop-directories/{,**} r, + + /etc/xdg/menus/lxqt-applications.menu r, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-file-associations b/apparmor.d/groups/lxqt/lxqt-config-file-associations new file mode 100644 index 000000000..4232f1c70 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-file-associations 
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-file-associations
+profile lxqt-config-file-associations @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ owner @{user_config_dirs}/ r,
+ owner @{user_config_dirs}/mimeapps* rwk,
+ owner @{user_config_dirs}/lxqt-* rwk,
+ owner @{user_config_dirs}/lxqt/ r,
+ owner @{user_config_dirs}/lxqt/#@{int} rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf kl -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/#@{int} rwk,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-locale b/apparmor.d/groups/lxqt/lxqt-config-locale
new file mode 100644
index 000000000..c7c868c18
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-locale
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-locale
+profile lxqt-config-locale @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ owner @{user_config_dirs}/lxqt/* r,
+ owner @{user_config_dirs}/lxqt/#@{int} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+ owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd
new file mode 100644
index 000000000..63b2eb673
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lxqt-config-notificationd
+profile lxqt-config-notificationd @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ /var/lib/dbus/machine-id r,
+
+ owner @{user_config_dirs}/lxqt/#@{int} rw,
+ owner @{user_config_dirs}/lxqt/notifications.conf.lock rwk,
+ owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} rw,
+ owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
+
+ owner /tmp/#@{int} r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement
new file mode 100644
index 000000000..4b96ccb36
--- /dev/null
+++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-powermanagement +profile lxqt-config-powermanagement @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + @{sys}/class/leds/ r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-printer b/apparmor.d/groups/lxqt/lxqt-config-printer new file mode 100644 index 000000000..f4c38e94d --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-printer @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-printer +profile lxqt-config-printer @{exec_path} { + include + include + + @{exec_path} mr, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor 
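Review bot: `+ @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,` in the new lxqt-config-powermanagement profile grants write on `max_brightness` and `actual_brightness`, which the backlight class exposes read-only, and it already covers the `+ @{sys}/devices/@{pci}/backlight/**/brightness rw,` rule two lines below it. The same pattern is repeated for the `drm/card@{int}/**` and `*_backlight/` stanzas. Splitting each into `{max_,actual_}brightness r` and `brightness rw` keeps the write grant on the one attribute the tool actually sets and removes the duplicate line.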
diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd new file mode 100644 index 000000000..a9a75aa90 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-globalkeysd +profile lxqt-globalkeysd @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + @{bin}/screengrab rPx, + @{bin}/lxqt-config-brightness rPx, + + /usr/share/lxqt/globalkeyshortcuts.conf rw, + + /var/lib/dbus/machine-id r, + + owner @{user_config_dirs}/lxqt/ r, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk, + owner @{user_config_dirs}/lxqt/#@{int} wr, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave new file mode 100644 index 000000000..e76d81f54 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-leave @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-leave +profile lxqt-leave @{exec_path} { + include + include + + @{exec_path} mr, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel new file mode 100644 index 000000000..f817be69d --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-panel 
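Review bot: `+ /usr/share/lxqt/globalkeyshortcuts.conf rw,` in the new lxqt-globalkeysd profile lets a per-user daemon write the distribution's default shortcut file under /usr/share; the user copy in `@{user_config_dirs}/lxqt/` already has the write and lock rules it needs, so `r` looks like the intended mode unless a denial showed otherwise, in which case the rule deserves a comment saying so. Style: `+ owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk,` and `+ owner @{user_config_dirs}/lxqt/#@{int} wr,` spell the modes as `wr` while every other profile in this series writes `rw`/`rwk`.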
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-panel +profile lxqt-panel @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + network packet dgram, + + @{exec_path} mr, + + @{bin}/exo-open rix, + @{lib}/gio-launch-desktop rix, + @{bin}/nm-applet rPx, + @{bin}/nm-connection-editor rPx, + @{bin}/ControlPanel rPx, + + @{bin}/sudo rCx -> root, + + @{lib}/lxqt-panel/*.so mr, # LXQT-Plugins + @{lib}/lxqt-config/*.so mr, # LXQT-Plugins + + /usr/share/desktop-directories/{,**} r, + /usr/share/lxqt/{,**} r, + + /etc/fstab r, + /etc/udev/udev.conf r, + /etc/machine-id r, + /etc/xdg/lxqt-qtxdg.conf r, + /etc/xdg/menus/**.menu r, + /etc/xdg/menus/applications-merged/ r, + /etc/xdg/ui/uistandards.rc r, + + /var/lib/dbus/machine-id r, + + owner @{HOME}/Desktop/*.desktop rw, + owner @{HOME}/Desktop/#@{int} rw, + owner @{HOME}/Desktop/*.desktop l -> @{HOME}/Desktop/#@{int}, + + owner @{user_config_dirs}/menus/*.menu rw, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/share/desktop-directories/*.directory r, + owner @{user_config_dirs}/share/gvfs-metadata/{,*} r, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/panel.conf rw, + owner @{user_config_dirs}/lxqt/panel.conf.lock rwk, + owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/pulse/{,**} rwk, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, + + 
@{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/dev r, + owner @{PROC}/@{pid}/mounts r, + + /dev/tty rw, + /dev/tty@{int} rw, + /dev/pts/@{int} rw, + /dev/snd/controlC@{int} rw, + + profile root { + include + include + + @{bin}/lsblk rPx, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner new file mode 100644 index 000000000..5783c1fa0 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-runner +profile lxqt-runner @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/desktop-directories/ r, + /usr/share/desktop-directories/{,**} r, + + /etc/xdg/menus/lxqt-applications.menu r, + + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.lock rwk, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session new file mode 100644 index 000000000..910ea7c5f --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-session 
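Review bot: `+ owner @{user_config_dirs}/share/desktop-directories/*.directory r,` and `+ owner @{user_config_dirs}/share/gvfs-metadata/{,*} r,` in the new lxqt-panel profile resolve to a `share/` directory under the user's config directory, a path no XDG component creates; presumably these were meant to be `@{user_share_dirs}/desktop-directories/*.directory` and `@{user_share_dirs}/gvfs-metadata/{,*}`, so the rules as written most likely never match and the denial they were written for will come back. `+ /etc/xdg/ui/uistandards.rc r,` also differs from the `/etc/xdg/ui/ui_standards.rc` spelling used in the systemsettings profile of this same series; worth checking against the log line it came from. The `root` child profile reached through `+ @{bin}/sudo rCx -> root,` is restricted to `@{bin}/lsblk rPx`, which is a good narrow shape, and a comment naming the panel plugin that needs it would make that grant easy to revisit.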
@@ -0,0 +1,96 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-session +profile lxqt-session @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + network netlink raw, + + signal (send), + signal (receive) set=(kill, term) peer=startlxqt, + signal (receive) set=(kill, term) peer=sddm, + + ptrace (read), + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/sed rix, + @{bin}/readlink rix, + @{bin}/dirname rix, + @{bin}/system-config-printer-applet rPx, + @{bin}/dbus-update-activation-environment rCx -> dbus, + @{bin}/systemctl rCx -> systemctl, + + @{bin}/pavucontrol rPx, + @{lib}/geoclue-2.0/demos/agent rPx, + @{bin}/nm-connection-editor rPx, + @{bin}/nm-applet rPx, + @{bin}/openbox rix, + @{bin}/dconf-editor rPx, + @{bin}/setxkbmap rix, + @{bin}/start-pulseaudio-x11 rPx, + @{bin}/xrdb rPx, + @{bin}/xdg-user-dirs-update rPx, + + /usr/share/ r, + /usr/share/cursors/ r, + /usr/share/backintime/common/* r, + /usr/share/desktop-directories/* r, + /usr/share/system-config-printer/* r, + + /etc/xdg/ r, + /etc/xdg/autostart/ r, + /etc/xdg/autostart/*.desktop r, + /etc/xdg/menus/lxqt-* r, + /etc/xdg/openbox/* r, + /etc/udev/udev.conf r, + + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_cache_dirs}/openbox/ rw, + owner @{user_cache_dirs}/openbox/sessions/ rw, + owner @{user_cache_dirs}/openbox/openbox.log rwk, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/openbox/rc.xml r, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + @{PROC}/ r, + @{PROC}/uptime r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/stat r, + + /dev/tty rw, + + profile systemctl { + include + include + + include if exists + } + profile dbus { + include + include + + 
@{bin}/dbus-update-activation-environment mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt new file mode 100644 index 000000000..3ae907116 --- /dev/null +++ b/apparmor.d/groups/lxqt/startlxqt @@ -0,0 +1,79 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/startlxqt +profile startlxqt @{exec_path} { + include + include + include + include + + signal (receive) set=(term) peer=sddm, + + @{exec_path} mr, + + @{bin}/xrdb rPx, + @{bin}/xsetroot rPx, + @{bin}/xprop rpx, + @{bin}/mkdir rix, + @{sh_path} rix, + @{bin}/lxqt-session rPx, + + @{bin}/systemctl rCx -> systemctl, + @{bin}/dbus-update-activation-environment rCx -> dbus, + + /usr/share/color-schemes/{,**} r, + /usr/share/desktop-directories/{,**} r, + /usr/share/kservices5/{,**} r, + + /etc/machine-id r, + /etc/xdg/menus/{,**} r, + + @{HOME}/ r, + + owner @{user_cache_dirs}/#@{int} rw, + @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, + + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/lxqt/ rw, + owner @{user_config_dirs}/menus/{,**} r, + + owner @{user_share_dirs}/kservices5/{,**} r, + owner @{user_share_dirs}/sddm/wayland-session.log rw, + owner @{user_share_dirs}/sddm/xorg-session.log rw, + + owner /tmp/#@{int} rw, + owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int}, + + owner @{run}/user/@{uid}/ r, + + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists + + profile systemctl flags=(attach_disconnected) { + include + include + + include if exists + } + + profile dbus { + include + + @{bin}/dbus-update-activation-environment mr, + + owner @{HOME}/.xsession-errors w, + + include if exists + } +} + +# vim:syntax=apparmor 
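Review bot: `+ signal (send),` and `+ ptrace (read),` in the new lxqt-session profile are unqualified, so the session manager may signal, or read the memory of, any process DAC lets it reach, while the receive rules just above them are scoped to named peers (`peer=startlxqt`, `peer=sddm`). If the send is only for the autostart children it spawns, listing those peers (or at least a `set=`) narrows it; `ptrace (read)` should carry a comment naming what needs it or be scoped to a peer the same way. Also, the `systemctl` child profile here has no `flags=(attach_disconnected)` while the one in the sibling startlxqt profile does; if both transitions serve the same purpose the flag should agree.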
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index fad5908b4..22b94effd 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/ModemManager +@{exec_path} = @{sbin}/ModemManager profile ModemManager @{exec_path} flags=(attach_disconnected) { include include @@ -14,9 +14,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include capability net_admin, + capability sys_admin, network qipcrtr dgram, network netlink raw, @@ -25,16 +26,20 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+usb:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) + @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/bus/usb/devices/ r, 
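Review bot: `+ capability sys_admin,` in the ModemManager `@@ -14,9 +14,10 @@` hunk is added without a comment saying which operation it resolves; sys_admin is the widest capability a profile can grant, and a reader cannot tell from the hunk whether a narrower rule would have covered the denial. A trailing comment such as `capability sys_admin, # TODO: name the operation that needs it` keeps the grant reviewable, and if the need is tied to a single helper a child profile would confine it further. The profile body continues outside this hunk.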
@@ -43,9 +48,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, + @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/revision r, - @{sys}/devices/virtual/net/*/ r, @{sys}/devices/virtual/tty/*/ r, include if exists diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index e5e9b0785..fca80465d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -2,16 +2,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/NetworkManager +@{exec_path} = @{sbin}/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include 
@@ -43,48 +43,58 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager + #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant + #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*), + peer=(name=@{busname}), - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), - - dbus send bus=system path=/ + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name=@{busname}, label=gnome-control-center), - dbus send bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.zone - member={changeZoneOfInterface,removeInterface} - peer=(name=org.freedesktop.DBus, label=firewalld), + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=nm-online), + + dbus send bus=system path=/org/freedesktop/nm_dispatcher + interface=org.freedesktop.nm_dispatcher + member=Action2 + peer=(name=org.freedesktop.nm_dispatcher), + + dbus send bus=system path=/uk/org/thekelleys/dnsmasq + interface=org.freedesktop.NetworkManager.dnsmasq + member=SetServersEx + peer=(name=@{busname}, label=dnsmasq), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=org.freedesktop.DBus, label=nm-online), + 
member={InterfacesAdded,InterfacesRemoved} + peer=(name=org.freedesktop.DBus), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=cockpit-bridge), @{exec_path} mr, @{sh_path} rix, - @{bin}/nft rix, + @{sbin}/nft rix, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, @{bin}/kmod rPx, @{bin}/netconfig rPUx, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, + @{bin}/resolvectl rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, @@ -94,11 +104,18 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, + /usr/share/netplan/netplan.script rPx, + + @{lib}/netplan/@{int2}-network-manager-all.yaml w, - /usr/share/netplan/netplan.script rPx, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, + /usr/share/iproute2/{,**} r, + + /etc/netplan/ r, + /etc/netplan/90-NM-@{uuid}.yaml r, + + @{att}/ r, - / r, /etc/ r, /etc/iproute2/* r, /etc/machine-id r, @@ -106,6 +123,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, + @{etc_rw}/netplan/90-NM-@{uuid}.yaml w, @{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf.[0-9A-Z]* rw, 
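Review bot: `+ peer=(name=@{busname}),` on the first `dbus receive ... member=GetManagedObjects` rule in the NetworkManager `@@ -43,48 +43,58 @@` hunk accepts the call from any bus client, so the two labeled receive rules added right after it (`label=gnome-control-center`, `label=nm-online`) are subsumed and can never be the matching rule; either the unlabeled rule is intended and the two should go, or it should carry a label too. The hunk also removes the `dbus send ... member={GetConnectionUnixUser,GetConnectionUnixProcessID}` rule toward the bus daemon; if NetworkManager still resolves caller identity that way for its authorization checks, confirm the rule now arrives through an abstraction rather than being dropped.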
@@ -118,30 +136,35 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/rfkill/ r, @{sys}/class/rfkill/ r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + + @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @{run}/nscd/db* rwl, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/n@{int} r, # For network interfaces - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, + @{sys}/devices/**/@{uuid}/net/*/{,**} r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/net/{,**} r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/** rw, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index e1b039ad8..7bcd9efba 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/dhcpcd +@{exec_path} = @{sbin}/dhcpcd profile dhcpcd @{exec_path} flags=(attach_disconnected) { include include 
@@ -27,7 +27,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, network packet raw, - + @{exec_path} mr, @{sh_path} rix, @@ -35,26 +35,21 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, - /var/lib/dhcpcd/*.lease{,6} rw, - /var/lib/dhcpcd/secret rw, + /usr/share/dhcpcd/{,**} r, /etc/dhcpcd.conf r, /etc/resolv.conf rw, - @{run}/dhcpcd/{.pid,pid} rwk, - @{run}/dhcpcd/{.sock,sock} w, - @{run}/dhcpcd/*.pid wk, - @{run}/dhcpcd/*.sock w, - @{run}/dhcpcd/hook-state/ rw, - @{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw, - @{run}/dhcpcd/hook-state/resolv.conf/ rw, - @{run}/dhcpcd/unpriv.sock w, + /var/lib/dhcpcd/** rw, - @{run}/udev/data/n@{int} r, + @{run}/dhcpcd/** rwk, + + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index 3ccafc80a..0b5bd090e 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index a80a4c37a..13edaaf16 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -21,21 +21,27 @@ profile iwd @{exec_path} { network netlink raw, network netlink dgram, network alg seqpacket, + network packet dgram, - @{exec_path} mr, + @{exec_path} mr, + @{sbin}/resolvconf rPx, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, - @{sys}/devices/@{pci}/ieee80211/phy[0-9]/* r, + @{sys}/devices/@{pci}/ieee80211/phy@{int}/* r, @{sys}/devices/@{pci}/modalias r, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/ndisc_* rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/accept_ra rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/optimistic_dad rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/ndisc_* rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlp*/accept_ra rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlp*/optimistic_dad rw, /dev/rfkill rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index dcdb1738a..d5c93fc5c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,10 +10,11 @@ include @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability dac_override, - + capability net_admin, capability fowner, capability fsetid, @@ -29,7 +30,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, network netlink dgram, - mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, + mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, @{exec_path} mr, 
@@ -39,7 +40,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { "/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*" r, - /etc/mullvad-vpn/{,*} r, + /etc/mullvad-vpn/ rw, + /etc/mullvad-vpn/* r, /etc/mullvad-vpn/@{uuid} rw, /etc/mullvad-vpn/*.json rw, @{etc_rw}/resolv.conf rw, @@ -48,21 +50,25 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/cache/mullvad-vpn/{,*} rw, owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, - - owner @{run}/mullvad-vpn rw, - @{run}/NetworkManager/resolv.conf r, - - @{sys}/fs/cgroup/net_cls/ w, - @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, - @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, owner @{tmp}/@{uuid} rw, owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{run}/NetworkManager/resolv.conf r, + owner @{run}/mullvad-vpn rw, + + @{sys}/fs/cgroup/net_cls/ w, + @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, + @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, + @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, - @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, /dev/net/tun rw, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 7533b107c..133e4bc00 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui 
@@ -2,12 +2,13 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = Mullvad*VPN -@{lib_dirs} = /opt/@{name} +@{name} = Mullvad?VPN +@{domain} = org.chromium.Chromium +@{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -23,16 +24,14 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/gsettings rix, + @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, - owner @{user_cache_dirs}/dconf/user rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - - @{run}/systemd/inhibit/*.ref rw, + @{run}/mullvad-vpn rw, /dev/tty rw, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan similarity index 53% rename from apparmor.d/groups/network/netplan.script rename to apparmor.d/groups/network/netplan index c9cc3fff7..a0fad0a93 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan @@ -2,19 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/netplan/netplan.script -profile netplan.script @{exec_path} flags=(attach_disconnected) { +profile netplan @{exec_path} flags=(attach_disconnected) { include + include include include + #aa;dbus owb bus=system name=io.netplan.Netplan + @{exec_path} mr, - @{lib}/netplan/generate rix, + @{lib}/netplan/generate rPx, @{bin}/udevadm rCx -> udevadm, @{bin}/systemctl rCx -> systemctl, 
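Review bot: `@{domain} = org.chromium.Chromium` is introduced in the mullvad-gui header, but nothing in the hunk references it, and the only line that used that string (`owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw,`) is removed in the next hunk. Presumably an included abstraction expands `@{domain}`; a short comment next to the definition naming that consumer, e.g. `# @{domain} is read by <included abstraction — fill in>`, would make the dependency visible so the variable is not removed as dead. The profile body continues outside this hunk.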
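Review bot: The directive `#aa;dbus owb bus=system name=io.netplan.Netplan` in the renamed netplan profile does not match the directive syntax used elsewhere in this diff (`#aa:dbus own bus=system name=org.freedesktop.NetworkManager` in the NetworkManager profile), so the prebuild step will most likely treat it as an ordinary comment and generate no D-Bus rules for that name. It should read `#aa:dbus own bus=system name=io.netplan.Netplan`. It is also worth confirming that netplan.script, rather than a separate daemon, is the process that actually owns io.netplan.Netplan, since `own` generates rules for the name owner.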
@@ -22,25 +25,20 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, - @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw, - @{run}/NetworkManager/system-connections/ rw, - @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, - @{run}/systemd/system/ r, - @{run}/systemd/system/netplan-* rw, - @{run}/systemd/system/systemd-networkd.service.wants/ rw, - @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, - @{run}/udev/rules.d/ r, - @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw, + @{run}/netplan/ r, profile udevadm { include include - @{run}/udev/control rw, + capability net_admin, + + @{att}/@{run}/udev/control rw, + @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - include if exists + include if exists } profile systemctl { @@ -49,10 +47,14 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { capability net_admin, - include if exists + ptrace read peer=@{p_systemd}, + + @{run}/udev/control rw, + + include if exists } - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate new file mode 100644 index 000000000..cea17b81c --- /dev/null +++ b/apparmor.d/groups/network/netplan-generate 
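Review bot: In the netplan systemctl child the new rule `@{run}/udev/control rw,` uses a plain path, while the udevadm child in the same hunk is changed to `@{att}/@{run}/udev/control rw,`; the two children should use the same form, otherwise whichever one does not match the path form reported by the audit log will keep producing denials. Write access to the udev control socket from a child meant to run systemctl is also surprising; if a denial showed it was needed, a comment above the rule saying what triggered it would keep a later cleanup from removing it. The systemctl child's header and the end of the udevadm child are outside this hunk.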
@@ -0,0 +1,72 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/netplan/generate +profile netplan-generate @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability chown, + + network netlink raw, + + @{exec_path} mr, + + @{bin}/systemctl rCx -> systemctl, + + /etc/netplan/{,*} r, + + @{run}/NetworkManager/ rw, + @{run}/NetworkManager/conf.d/ rw, + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, + @{run}/NetworkManager/conf.d/netplan.conf rw, + @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, + @{run}/NetworkManager/system-connections/ rw, + @{run}/NetworkManager/system-connections/* rw, + + @{run}/systemd/generator/multi-user.target.wants/ w, + @{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w, + @{run}/systemd/generator/netplan.stamp w, + @{run}/systemd/generator/network-online.target.wants/ w, + @{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w, + @{run}/systemd/network/ rw, + @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, + @{run}/systemd/system/ r, + @{run}/systemd/system/netplan-* rw, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/ rw, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, + @{run}/systemd/system/systemd-networkd.service.wants/ rw, + @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, + + @{run}/udev/rules.d/ rw, + @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + + @{run}/netplan/ r, + + @{run}/udev/rules.d/ r, + @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + + @{sys}/devices/**/net/*/address r, + + profile systemctl { + include + include + + capability net_admin, + + 
@{att}/@{run}/systemd/private rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 361cf8d3b..8b4d53b1c 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,16 +16,18 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-networkd), + peer=(name=:*, label="@{p_systemd_networkd}"), @{exec_path} mr, @{bin}/ r, - @{bin}/networkctl rPx, + @{bin}/chronyc rPUx, @{bin}/ls rix, + @{bin}/networkctl rPx, @{bin}/sed rix, @{lib}/networkd-dispatcher/routable.d/postfix rix, + @{lib}/NetworkManager/dispatcher.d/@{int}-chrony-onoffline rix, /etc/networkd-dispatcher/{,**} r, diff --git a/apparmor.d/groups/network/nm-daemon-helper b/apparmor.d/groups/network/nm-daemon-helper index f8d262a44..7d16292f2 100644 --- a/apparmor.d/groups/network/nm-daemon-helper +++ b/apparmor.d/groups/network/nm-daemon-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 434dce19f..3e232154e 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -2,14 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper profile nm-dhcp-helper @{exec_path} { include - include + include network inet dgram, network inet6 dgram, 
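Review bot: The new netplan-generate profile repeats two rules: `@{run}/udev/rules.d/ rw,` and `@{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,` appear once, and then after `@{run}/netplan/ r,` the pair `@{run}/udev/rules.d/ r,` plus the identical rules line appear again. The second pair is fully covered by the first (`rw` already includes `r`), so it should be deleted. Keeping `@{run}/netplan/ r,` grouped with the other `@{run}` rules would also match the ordering used in the rest of the file.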
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 9e2904a54..029a5e39a 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -4,7 +4,7 @@ # TODO: rethink how the scripts should be managed -abi , +abi , include @@ -26,31 +26,37 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @{sh_path} rix, - @{bin}/python3.@{int} rix, @{bin}/basename rix, @{bin}/cat rix, - @{bin}/chronyc rPUx, @{bin}/chown rix, + @{bin}/chronyc rPUx, @{bin}/date rix, - @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/{,e}grep rix, @{bin}/id rix, - @{bin}/invoke-rc.d rCx -> invoke-rc, + @{sbin}/invoke-rc.d rCx -> invoke-rc, + @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, + @{python_path} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tr rix, /usr/share/tlp/tlp-readconfs rPUx, @@ -100,7 +106,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include - @{bin}/invoke-rc.d rm, + @{sbin}/invoke-rc.d rm, @{sh_path} rix, @{bin}/basename rix, @{bin}/ls rix, diff --git a/apparmor.d/groups/network/nm-iface-helper b/apparmor.d/groups/network/nm-iface-helper index 36fa1ca30..c74379698 100644 --- a/apparmor.d/groups/network/nm-iface-helper +++ b/apparmor.d/groups/network/nm-iface-helper 
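Review bot: `@{bin}/systemd-cat rix,` in the nm-dispatcher hunk lets systemd-cat inherit the whole nm-dispatcher profile, whereas the other programs launched from this profile keep a separate profile or transition (`@{bin}/chronyc rPUx,`, `@{bin}/netconfig rPUx,`, `@{bin}/run-parts rCx -> run-parts,`). If the dedicated systemd-cat profile was dropped or does not fit this caller, a comment such as `# systemd-cat only forwards the script's output to the journal` next to the rule would explain the inherited transition and keep it from being switched back. The nm-dispatcher profile body continues outside this hunk.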
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-initrd-generator b/apparmor.d/groups/network/nm-initrd-generator index 095347370..611587547 100644 --- a/apparmor.d/groups/network/nm-initrd-generator +++ b/apparmor.d/groups/network/nm-initrd-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 159b890d1..710d3115b 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,16 +11,17 @@ profile nm-online @{exec_path} { include include include + include dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged - peer=(name=:*, label=NetworkManager), - + peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, diff --git a/apparmor.d/groups/network/nm-openvpn-auth-dialog b/apparmor.d/groups/network/nm-openvpn-auth-dialog index 854614345..87e3e4f40 100644 --- a/apparmor.d/groups/network/nm-openvpn-auth-dialog +++ b/apparmor.d/groups/network/nm-openvpn-auth-dialog @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index d65aa8f1a..943386f61 100644 --- a/apparmor.d/groups/network/nm-openvpn-service 
+++ b/apparmor.d/groups/network/nm-openvpn-service @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile nm-openvpn-service @{exec_path} { @{sh_path} rix, @{bin}/kmod rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, diff --git a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper index 130067a76..b2f4ca0e3 100644 --- a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper +++ b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-priv-helper b/apparmor.d/groups/network/nm-priv-helper index e07c9f685..13a283c52 100644 --- a/apparmor.d/groups/network/nm-priv-helper +++ b/apparmor.d/groups/network/nm-priv-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 2345d9d2c..b4da14960 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli 
@@ -2,28 +2,44 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/nmcli profile nmcli @{exec_path} { include + include + include capability dac_read_search, capability sys_nice, + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, + + /etc/netplan/* r, owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 6bf8c168b..2a513b84e 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn 
@@ -18,26 +18,21 @@ # If a user wants to type user/pass interactively, systemd-ask-password is # invoked for that. -abi , +abi , include -@{exec_path} = @{bin}/openvpn +@{exec_path} = @{sbin}/openvpn profile openvpn @{exec_path} flags=(attach_disconnected) { include include - # Needed to remove the following errors: - # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) - # Exiting due to fatal error - capability net_admin, - - # These are needed when user/group are set in a OpenVPN config file - capability setuid, - capability setgid, - - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability net_admin, # create tun + capability setgid, # when user/group are set in a OpenVPN config file + capability setuid, + capability sys_module, network inet dgram, network inet6 dgram, @@ -59,7 +54,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/nm-openvpn-@{uuid} rw, @{run}/openvpn/*.{pid,status} rw, - @{run}/systemd/journal/dev-log rw, + @{run}/systemd/journal/dev-log r, @{bin}/ip rix, @{bin}/systemd-ask-password rPx, @@ -71,6 +66,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/route r, + /dev/net/tun rw, + profile update-resolv { include include @@ -85,11 +82,12 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/ip rix, @{bin}/which{,.debianutils} rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, - /etc/iproute2/rt_tables.d/ r, + /etc/iproute2/rt_tables.d/{,*} r, + include if exists } profile force-user-traffic-via-vpn { @@ -110,7 +108,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/env rix, @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/nft rix, @{bin}/sed rix, /etc/iproute2/rt_realms r, 
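Review bot: `capability sys_module,` is added to the openvpn profile without a comment, while the neighbouring `capability net_admin, # create tun` and `capability setgid, # when user/group are set in a OpenVPN config file` lines in the same hunk explain their purpose. sys_module allows loading kernel modules, which is far broader than what a VPN client normally needs, so the reason should be recorded, e.g. `capability sys_module, # <why — fill in from the denial that prompted it>`, or the rule reconsidered if the tun module is already loaded by another path (`@{bin}/kmod rPx` exists in nm-openvpn-service). The openvpn profile body continues outside this hunk.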
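Review bot: `@{run}/systemd/journal/dev-log r,` replaces the former `rw` in the openvpn profile, but that path is a unix socket and connecting to a path-based socket is mediated as a write, so `r` alone grants nothing useful for syslog logging. Either the `w` should be restored or, if an included abstraction already grants write on that socket, the line can be removed entirely; which one applies depends on the profile's includes, whose contents are not visible in this diff.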
@@ -121,6 +119,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/sys/net/ipv{4,}/route/flush w, + include if exists } include if exists diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 049605f97..0650470ac 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -1,17 +1,27 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken +# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/rpcbind +@{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include + include + + capability setgid, + capability setuid, @{exec_path} rm, + /etc/netconfig r, + + @{run}/rpcbind.lock rwkl, + @{run}/rpcbind/*.xdr rwkl, + include if exists } diff --git a/apparmor.d/groups/network/socat b/apparmor.d/groups/network/socat new file mode 100644 index 000000000..25f975d25 --- /dev/null +++ b/apparmor.d/groups/network/socat @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Nishit Majithia (nishitm) +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/socat +profile socat @{exec_path} { + include + include + include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fsetid, + capability net_admin, + capability net_bind_service, + capability net_raw, + capability sys_admin, + capability sys_module, + capability sys_resource, + + # Allow creation of network sockets and `socat` uses dccp for some + # fuctionalities that is why it is necessary to allow whole `network` + network, + + @{exec_path} mr, + + @{PROC}/@{pid}/fdinfo/@{int} rw, + @{PROC}/@{pid}/stat r, + + /dev/net/tun rw, + /dev/vsock r, # For bi-directional communication between vms and host/hypervisor + + include if exists +} + +# vim:syntax=apparmor 
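Review bot: The new socat profile grants `capability sys_admin,`, `capability sys_module,`, `capability net_admin,`, `capability net_raw,` and an unrestricted `network,` rule, yet only the network rule carries a justification; with this set the profile confines very little, so each remaining capability should have a comment naming the socat address type that needs it (e.g. `capability net_admin, # <address type — fill in>`) or be left out until a denial is observed. The existing comment also has a typo: `fuctionalities` should be `functionalities`, and `uses dccp for some functionalities, which is why it is necessary to allow the whole \`network\` rule` reads better.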
diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 5c3b62211..4e5bba684 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,8 +27,6 @@ profile tailscale @{exec_path} { owner @{run}/tailscale/tailscaled.sock rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 121697da6..8162dff1e 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -21,35 +21,23 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { capability syslog, network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, network inet raw, + network inet stream, + network inet6 dgram, network inet6 raw, + network inet6 stream, network netlink raw, + network packet dgram, ptrace (read), - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=org.freedesktop.resolve1, label=systemd-resolved), - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.resolve1, label=systemd-resolved), - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={FlushCaches,SetLink*} - peer=(name=org.freedesktop.resolve1, label=systemd-resolved), + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, @{bin}/ip rix, @{bin}/resolvectl rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/systemctl rCx -> systemctl, @@ -69,7 +57,6 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { owner @{run}/tailscale/{,**} rw, @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/ r, @{PROC}/@{pid}/mounts r, @@ -92,7 +79,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { capability mknod, capability net_admin, - + network netlink raw, /dev/net/tun rw, diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg index 783fa41fe..0b0315e33 100644 --- a/apparmor.d/groups/network/wg +++ b/apparmor.d/groups/network/wg 
@@ -2,20 +2,28 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wg -profile wg @{exec_path} { +profile wg @{exec_path} flags=(attach_disconnected) { include + include capability net_admin, + capability net_bind_service, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, @{exec_path} mr, + /etc/wireguard/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index 1183a4a5b..33de68147 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -2,14 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wg-quick -profile wg-quick @{exec_path} { +profile wg-quick @{exec_path} flags=(attach_disconnected) { include + include + include + include + capability dac_read_search, capability net_admin, network netlink raw, @@ -19,30 +23,39 @@ profile wg-quick @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/ip rPx, - @{bin}/nft rix, + @{bin}/mv rix, + @{sbin}/nft rix, @{bin}/readlink rix, + @{sbin}/resolvconf rPx, @{bin}/resolvectl rPx, + @{bin}/rm rix, @{bin}/sort rix, @{bin}/stat rix, - @{bin}/sysctl rix, + @{bin}/sync rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/wg rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /usr/share/terminfo/** r, /etc/iproute2/group r, /etc/iproute2/rt_realms r, /etc/resolvconf/interface-order r, - /etc/wireguard/*.conf r, + /etc/wireguard/{,**} rw, @{sys}/module/wireguard r, - @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, + @{PROC}/@{pid}/net/ip_tables_names r, - /dev/tty rw, + profile sysctl flags=(attach_disconnected) { + include - # Force the use as root - deny @{bin}/sudo x, + @{sbin}/sysctl mr, + + @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, + + include if exists + } include if exists } 
diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index 7ef09601c..7539c1c7f 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,19 +21,19 @@ profile arch-audit @{exec_path} { network netlink raw, @{exec_path} mr, - + /etc/arch-audit/settings.toml r, /usr/share/terminfo/** r, /var/lib/pacman/local/{,**} r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + /dev/pts/@{int} rw, include if exists diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 5a78db048..38cd95d0a 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,12 +14,14 @@ profile archlinux-java @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/dirname rix, + @{bin}/find rix, @{bin}/id rix, @{bin}/ln rix, @{bin}/readlink rix, + @{bin}/sort rix, @{bin}/unlink rix, @{lib}/jvm/default w, diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index 708d2b585..014073443 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -30,7 +30,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} { /etc/pacman.conf r, /etc/pacman.d/*-mirrorlist r, /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /etc/pacman.d/mirrorlist r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 8aba909e4..df9af9fef 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,8 +29,8 @@ profile aurpublish @{exec_path} { @{bin}/date rix, @{bin}/gettext rix, @{bin}/git rPx, - @{bin}/gpg{,2} rPx, - @{bin}/grep rix, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/{,e}grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, 
@@ -47,21 +47,47 @@ profile aurpublish @{exec_path} { /etc/makepkg.conf r, /etc/makepkg.conf.d/{,**} r, - owner @{user_build_dirs}/**/ w, - owner @{user_projects_dirs}/**/ r, + owner @{user_build_dirs}/{,**/} w, + owner @{user_projects_dirs}/** r, owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, owner @{user_projects_dirs}/**/.SRCINFO rw, - owner @{user_projects_dirs}/**/PKGBUILD r, - owner @{user_cache_dirs}/makepkg/src/* rw, + owner @{user_cache_dirs}/makepkg/src/** rw, owner @{user_config_dirs}/pacman/makepkg.conf r, + owner /tmp/*/src/ w, owner @{tmp}/tmp.@{rand10} rw, - owner @{PROC}/@{pid}/maps r, - /dev/tty rw, + profile gpg { + include + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpg-agent rix, + @{lib}/{,gnupg/}scdaemon rix, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{user_cache_dirs}/makepkg/src/*.asc r, + + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ r, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.browser w, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.extra w, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.ssh w, + + owner @{tmp}/tmp.@{rand10} rw, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg new file mode 100644 index 000000000..84136638c --- /dev/null +++ b/apparmor.d/groups/pacman/makepkg 
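Review bot: `owner /tmp/*/src/ w` hard-codes `/tmp` and matches a `src/` directory under any `/tmp/*` entry, while the line right after it uses `@{tmp}` with a `tmp.@{rand10}` name; if this is a build directory, `owner @{tmp}/*/src/ w,` keeps the rule consistent with the variable used everywhere else in this change. The widening of `owner @{user_projects_dirs}/**/ r` to `owner @{user_projects_dirs}/** r` subsumes the dropped `PKGBUILD r` rule, so that part is coherent. In the new `gpg` child, `@{bin}/gpg-agent rix` runs the agent inside this child rather than under its own profile; a one-line comment saying that is intentional would help the next reader.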
@@ -0,0 +1,104 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/makepkg +profile makepkg @{exec_path} { + include + include + include + include + include + include + include + include + include + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + signal send set=winch peer=pacman, + signal send set=winch peer=pacman//systemctl, + + file, + + @{pager_path} Px -> child-pager, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + @{bin}/lsb_release Px, + @{bin}/sudo Cx -> sudo, + + deny capability sys_ptrace, + deny ptrace read, + + profile gpg { + include + include + include + + network netlink raw, + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + + @{bin}/dirmngr rix, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, + @{lib}/{,gnupg/}scdaemon rix, + + /etc/pacman.d/gnupg/ r, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + + owner @{user_pkg_dirs}/{,**} rw, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{user_cache_dirs}/makepkg/src/*.asc r, + + owner @{tmp}/.git_vtag_tmp@{rand6} rw, + owner @{tmp}/tmp.@{rand10} rw, + + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ r, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists + } + + profile sudo { + include + include + + capability sys_ptrace, + + ptrace read, + + signal send set=(term winch) peer=pacman, + signal send set=(term winch) peer=pacman//systemctl, + signal send set=(term winch) 
peer=systemd-tty-ask-password-agent, + + @{bin}/pacman Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index b83ea2d3c..165b42c02 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,29 +24,32 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/{m,g,}awk rix, @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, - @{bin}/fsck rix, + @{sbin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, + @{bin}/objcopy rix, + @{bin}/objdump rix, @{bin}/tput rix, @{bin}/xz rix, @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/{depmod,insmod} rPx, - @{bin}/{kmod,lsmod} rPx, - @{bin}/{modinfo,rmmod} rPx, - @{bin}/modprobe rPx, + @{bin}/kmod rPx, @{bin}/plymouth rPx, - @{bin}/plymouth-set-default-theme rPx, + @{sbin}/plymouth-set-default-theme rPx, + @{bin}/sbctl rPx, + @{bin}/sync rPx, @{lib}/initcpio/busybox rix, + @{lib}/initcpio/post/** rix, @{lib}/ld-*.so* rix, /etc/fstab r, @@ -56,7 +59,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.conf r, /etc/mkinitcpio.conf.d/{,**} r, /etc/mkinitcpio.d/{,**} r, - /etc/modprobe.d/{,*} r, + /etc/modprobe.d/{,**} r, /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, 
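Review bot: `file,` in the main `makepkg` profile grants access to the whole filesystem with no comment and no `#aa:lint ignore=too-wide` marker, whereas the equally wide rules in the `pacman` profile of this same change carry the marker and a sentence explaining why; a comment such as `# PKGBUILDs run arbitrary build steps, so file access cannot be narrowed here` above `file,` would record the intent. The `deny capability sys_ptrace` / `deny ptrace read` pair is re-granted in the `sudo` child, which is consistent, but that child's `ptrace read,` has no `peer=` restriction while the `yay//sudo` child in this change limits it to `peer=unconfined`. In the `gpg` child, `@{PROC}/@{pid}/fd/ r` lacks the `owner` qualifier that the otherwise identical rule in the `aurpublish//gpg` child uses.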
@@ -78,19 +81,28 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, - /boot/ r, - /boot/initramfs-*.img* rw, - /boot/vmlinuz-* r, + @{efi}/ r, + @{efi}/@{hex32}/{,**} rw, + @{efi}/EFI/{,**} rw, + @{efi}/initramfs-*.img* rw, + @{efi}/vmlinuz-* r, - # Temp files - owner @{run}/initramfs/{,**} rw, - owner @{run}/mkinitcpio.@{rand6}/{,**} rwl, + /usr/share/systemd/bootctl/** r, + + /etc/kernel/** r, + + /tmp/mkinitcpio.@{rand6} rw, + /tmp/mkinitcpio.@{rand6}.tmp rw, owner @{tmp}/mkinitcpio.@{rand6} rw, owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl, + owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl, + owner @{run}/initramfs/{,**} rw, + owner @{run}/mkinitcpio.@{rand6}/{,**} rwl, @{sys}/class/block/ r, @{sys}/devices/{,**} r, + @{sys}/firmware/efi/fw_platform_size r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 3089b2f3e..d68c0b832 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, @@ -36,10 +36,14 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/{,**} r, + /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 417e48504..eef992666 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff 
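Review bot: `/tmp/mkinitcpio.@{rand6} rw` and `/tmp/mkinitcpio.@{rand6}.tmp rw` are added without `owner` and with a literal `/tmp`, directly above `owner @{tmp}/mkinitcpio.@{rand6} rw`, so wherever `@{tmp}` resolves to `/tmp` the owner-qualified rule is subsumed and its `owner` no longer has any effect. If the non-owner variant is needed (for example for files created by a helper running as another user), a comment saying so would prevent the next cleanup from merging them; otherwise `owner @{tmp}/mkinitcpio.@{rand6}{,.tmp} rw,` expresses both in one owner-restricted rule. The same mixing of `@{tmp}` and literal `/tmp` appears in the `aurpublish` hunk of this change.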
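Review bot: `/etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**` is granted to the whole `paccache` profile because the profile runs `@{bin}/gpg{,2} rix` inline, so the cache-cleaning script itself, and every other inherited helper (`awk`, `cat`, …), gets write and lock access to the pacman keyring. The other profiles touched by this change (`aurpublish`, `makepkg`, `pacman-key`) confine gpg in a `gpg` child via `Cx -> gpg` and keep keyring write access inside that child; doing the same here, `@{bin}/gpg{,2} rCx -> gpg,`, would keep the rule where it is actually needed. If the inline exec is deliberate, a comment next to the keyring rule should say why.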
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,23 +19,23 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/cat rix, - @{bin}/cmp rix, - @{bin}/find rix, - @{bin}/locate rix, - @{bin}/pacman rix, - @{bin}/pacman-conf rPx, - @{bin}/pacsort rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/tput rix, - @{bin}/vim rix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/find ix, + @{bin}/locate ix, + @{bin}/pacman ix, + @{bin}/pacman-conf Px, + @{bin}/pacsort ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tput ix, + @{editor_path} Cx -> editor, # packages files / r, - /boot/{,**} r, - /etc/{,**} r, + @{efi}/{,**} r, + /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, /usr/{,**} r, @@ -44,6 +44,15 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, + profile editor { + include + include + + /etc/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 1f3d9ad8b..41b45c9d0 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include include + include include capability audit_write, @@ -26,6 +27,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability setfcap, capability setgid, capability setuid, + capability sys_admin, capability sys_chroot, capability sys_ptrace, capability sys_resource, 
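Review bot: `capability sys_admin` is added to the main `pacman` profile with no comment naming the operation that requires it. It is the broadest capability AppArmor can grant, so a why-comment such as `# Needed for <operation> — TODO confirm` above the line, or an `audit capability sys_admin,` entry until the triggering hook is identified, would make the grant reviewable later. The enclosing capability list starts and ends outside this hunk.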
@@ -37,80 +39,65 @@ profile pacman @{exec_path} flags=(attach_disconnected) { network netlink raw, network unix stream, - ptrace (read), + ptrace read, - signal (send) set=(usr1) peer=gvfsd, + signal send, + signal receive set=(term winch) peer=makepkg//sudo, @{exec_path} mrix, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, - - # Pacman hooks & install scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/appstreamcli rPx, - @{bin}/arch-audit rPx, - @{bin}/archlinux-java rPx, - @{bin}/bootctl rPx, - @{bin}/cert-sync rPx, - @{bin}/checkrebuild rPUx, - @{bin}/dconf rPx, - @{bin}/dot rix, - @{bin}/fc-cache{,-32} rPx, - @{bin}/filecap rix, - @{bin}/gdbus rix, - @{bin}/gdk-pixbuf-query-loaders rPx, - @{bin}/getent rix, - @{bin}/gettext rix, - @{bin}/ghc-pkg{,-*} rPx, - @{bin}/gio-querymodules rPx, - @{bin}/glib-compile-schemas rPx, - @{bin}/groupadd rPx, - @{bin}/gtk-query-immodules-{2,3}.0 rPx, - @{bin}/gtk{,4}-update-icon-cache rPx, - @{bin}/iconvconfig rix, - @{bin}/install-catalog rPx, - @{bin}/install-info rPx, - @{bin}/iscsi-iname rix, - @{bin}/journalctl rPx, - @{bin}/killall rix, - @{bin}/ldconfig rix, - @{bin}/locale-gen rPx, - @{bin}/mkinitcpio rPx, - @{bin}/needrestart rPx, - @{bin}/pacdiff rPx, - @{bin}/pacman-key rPx, - @{bin}/perl rix, - @{bin}/pkgfile rPUx, - @{bin}/pkill rix, - @{bin}/rsync rix, - @{bin}/sbctl rPx, - @{bin}/setcap rix, - @{bin}/setfacl rix, - @{bin}/sysctl rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-* rPx, - @{bin}/tput rix, - @{bin}/update-ca-trust rPx, - @{bin}/update-desktop-database rPx, - @{bin}/update-grub rPx, - @{bin}/update-mime-database rPx, - @{bin}/vercmp rix, - @{bin}/xmlcatalog rix, - @{lib}/systemd/systemd-* rPx, - @{lib}/vlc/vlc-cache-gen rPx, - /opt/Mullvad*/resources/mullvad-setup rPx, - /usr/share/code-features/patch.py rPx, - /usr/share/code-marketplace/patch.py rPx, - /usr/share/libalpm/scripts/* rPUx, - /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, + 
# Pacman's keyring + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + + # Common program found in hooks & install scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/dot ix, + @{bin}/filecap ix, + @{bin}/getent ix, + @{bin}/gettext ix, + @{bin}/gzip ix, + @{bin}/rsync ix, + @{bin}/setfacl ix, + @{bin}/tput ix, + @{bin}/vercmp ix, + @{bin}/which{,.debianutils} ix, + @{bin}/xmlcatalog ix, + @{sbin}/iconvconfig ix, + @{sbin}/iscsi-iname ix, + @{sbin}/setcap ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/killall Cx -> pkill, + @{bin}/kmod Cx -> kmod, + @{bin}/pkill Cx -> pkill, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/ldconfig Cx -> ldconfig, + + #aa:lint ignore=too-wide + # Hooks & install scripts can legitimately start/restart anything + # PU is only used as a safety fallback. + @{bin}/** PUx, + @{sbin}/** PUx, + /opt/*/** PUx, + /etc/** PUx, + /usr/share/** PUx, + + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, + @{lib}/systemd/systemd-* Px, + @{lib}/vlc/vlc-cache-gen Px, + + # For shell pwd, keept as it can annoy users to see error in pacman output + /**/ r, # Install/update packages + #aa:lint ignore=too-wide / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, @@ -118,11 +105,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/** rwlk -> /var/**, # Read packages files - @{user_pkg_dirs}/**/ r, - @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, + @{user_pkg_dirs}/{,**} r, owner /var/lib/pacman/{,**} rwl, - owner @{tmp}/alpm_*/{,**} rw, + owner @{tmp}/alpm_@{rand6}/{,**} rw, owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, owner @{tmp}/checkup-db-@{int}/db.lck rw, 
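Review bot: `signal send,` replaces the removed `signal (send) set=(usr1) peer=gvfsd` with a rule that allows any signal to any peer, and unlike the `PUx` block right below it, which carries `#aa:lint ignore=too-wide` and a justification, it has no comment. If hooks need to signal arbitrary services, a comment stating that (or a `peer=` restriction where one is known) keeps the widening reviewable; the later `signal receive set=(term winch) peer=makepkg//sudo` shows signals are scoped elsewhere in this profile. The `PUx` fallback on `@{bin}/**`, `@{sbin}/**`, `/etc/**`, `/opt/*/**` and `/usr/share/**` means any unprofiled hook runs unconfined with pacman's privileges; that is acknowledged in the comment, though `keept` on the `/**/ r` comment should read `kept`. The profile body continues outside the hunk.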
@@ -133,8 +119,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, - @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, @{PROC}/tty/drivers r, @{PROC}/uptime r, @@ -144,11 +130,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, owner /dev/pts/@{int} rw, - # Silencer, - deny @{HOME}/ r, - deny @{HOME}/**/ r, - deny /tmp/ r, - profile gpg { include include @@ -170,7 +151,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gpg-connect-agent rix, /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, @{HOME}/@{XDG_GPG_DIR}/*.conf r, @@ -185,7 +166,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include if exists } - profile systemctl { + profile systemctl flags=(attach_disconnected) { include include 
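Review bot: `@{PROC}/@{pids}/environ r` replaces `@{PROC}/1/environ r`, widening read access from PID 1's environment to that of every process on the system; environments commonly carry credentials, so this is a real widening rather than a variable cleanup. A comment naming the hook or helper that needs environments other than PID 1's (`# <hook> reads @{PROC}/@{pids}/environ — TODO confirm`) would let a reviewer judge it, and if only the hook's own children are involved `@{PROC}/1/environ r,` plus `owner @{PROC}/@{pids}/environ r,` would cover them. The surrounding `@{PROC}` rules start before this hunk.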
@@ -193,20 +174,79 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/diff rPx -> child-pager, + ptrace read peer=@{p_systemd}, + + signal send set=cont peer=child-pager, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + signal receive set=(term winch) peer=makepkg//sudo, + + @{pager_path} rPx -> child-pager, + @{bin}/systemd-tty-ask-password-agent rPx, /etc/machine-id r, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/*.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, include if exists } + profile bus { + include + include + include + + @{bin}/gdbus rix, + + include if exists + } + + profile pkill { + include + include + + @{bin}/killall mr, + @{bin}/pkill mr, + + include if exists + } + + profile kmod { + include + include + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /opt/cuda/**/@{lib}/ r, + /opt/cuda/**/@{lib}/@{multiarch}/ r, + + /etc/ld.so.cache rw, + /etc/ld.so.cache~ rw, + + /var/cache/ldconfig/ rw, + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + include if exists include if exists } diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index ebf99cbff..4884d248c 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf 
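Review bot: the new `kmod` child profile contains only include lines, while its siblings `pkill` (`@{bin}/killall mr`, `@{bin}/pkill mr`) and `ldconfig` (`@{sbin}/ldconfig mrix`) carry an `mr` rule for the binary they are entered from; unless one of the includes (whose targets are not visible here) grants it, `@{bin}/kmod mr,` is missing from `kmod`. The same applies to the `bus` child, which is reached from both `@{bin}/dbus-send Cx -> bus` and `@{bin}/gdbus Cx -> bus` but only lists `@{bin}/gdbus rix`. A one-line comment on each child naming what it is expected to run would make such gaps obvious.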
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/mirrorlist r, /etc/pacman.d/*-mirrorlist r, - + /dev/tty@{int} rw, # Inherit Silencer diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 39389f42f..3e916efe3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /usr/share/code-{features,marketplace}/patch.py +@{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py profile pacman-hook-code @{exec_path} { include include @@ -16,12 +16,13 @@ profile pacman-hook-code @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{lib}/code/product.json rw, + @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, - /usr/share/code-{features,marketplace}/{,*} r, - /usr/share/code-{features,marketplace}/cache.json rw, + /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, + /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index 91e3b367d..c49eb08e9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/dconf rPx, 
diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index c54523d86..0dae14351 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,14 +14,13 @@ profile pacman-hook-depmod @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, - @{bin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, - /usr/lib/modules/*/{,**} rw, + @{lib}/modules/*/{,**} rw, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index 8d0fb58ca..a8a54c151 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,10 +14,12 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability mknod, + network unix stream, + @{exec_path} mr, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/kmod rPx, @{bin}/nproc rix, @@ -31,7 +33,6 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { # Inherit Silencer deny network inet stream, deny network inet6 stream, - deny unix (receive) type=stream, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 8068d83dc..3b29e01ea 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/ln rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index dcbfe6e28..17218158e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rmdir rix, @{bin}/gio-querymodules rPx, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, @{lib}/gtk-{3,4}.0/**/*/ rw, - /usr/lib/gio/modules/ rw, + @{lib}/gio/modules/ rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index d75527d79..e6aa28627 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index aae81662b..a0be0e39b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules profile pacman-hook-gtk4-querymodules @{exec_path} { include + include capability dac_read_search, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index a182b23ca..48ce25ab2 100644 
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/compgen rix, @{bin}/env rix, @@ -36,10 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.d/*.preset{,.pacsave} rw, / r, - /boot/ r, - /boot/vmlinuz-* rw, - /boot/initramfs-*.img rw, - /boot/initramfs-*-fallback.img rw, + @{efi}/ r, + @{efi}/EFI/boot/boot*.efi rw, + @{efi}/initramfs-*-fallback.img rw, + @{efi}/initramfs-*.img rw, + @{efi}/vmlinuz-* rw, /dev/tty rw, owner /dev/pts/@{int} rw, @@ -54,11 +55,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { capability dac_read_search, @{bin}/pacman mr, - + @{bin}/gpg rix, @{bin}/gpgconf rix, @{bin}/gpgsm rix, - + /etc/pacman.conf r, /etc/pacman.d/{,**} r, /etc/pacman.d/gnupg/** rwkl, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 8d26de0b4..6378ca991 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/mv rix, @{bin}/rm rix, 
@@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /usr/share/mkinitcpio/*.preset r, /etc/mkinitcpio.d/*.preset rw, - /boot/vmlinuz-* rw, - /boot/initramfs-*.img rw, - /boot/initramfs-*-fallback.img rw, + @{efi}/vmlinuz-* rw, + @{efi}/initramfs-*.img rw, + @{efi}/initramfs-*-fallback.img rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 894ba266c..aa2be8b09 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -2,26 +2,25 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh profile pacman-hook-perl @{exec_path} { include + include capability dac_read_search, capability mknod, @{exec_path} mr, - @{bin}/perl rix, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/find rix, @{bin}/pacman rPx, @{bin}/sed rix, - - @{lib}/perl@{int}/{,**} r, + @{bin}/wc rix, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index f704f5ddb..860fb34ea 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,13 +15,14 @@ profile pacman-hook-systemd @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/touch rix, @{bin}/journalctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/systemd-hwdb rPx, + @{bin}/systemd-notify rPx, @{bin}/systemd-sysusers rPx, @{bin}/systemd-tmpfiles rPx, @{bin}/udevadm rPx, 
@@ -43,6 +44,13 @@ profile pacman-hook-systemd @{exec_path} { include capability net_admin, + capability sys_resource, + + ptrace read peer=@{p_systemd}, + + signal send set=(cont, term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 0375c7863..1e1204c27 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,15 +16,15 @@ profile pacman-key @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/gpg{,2} rCx -> &gpg, + @{bin}/{,e}grep rix, @{bin}/ngettext rix, - @{bin}/pacman-conf rPx, + @{bin}/pacman-conf rPx -> &pacman-conf, @{bin}/touch rix, @{bin}/tput rix, @{bin}/vercmp rix, @@ -34,8 +34,9 @@ profile pacman-key @{exec_path} { /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/** r, - /etc/pacman.d/gnupg/* rw, - + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /dev/tty rw, profile gpg { @@ -59,15 +60,16 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl, - @{HOME}/.gnupg/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, - /dev/pts/@{int} rw, - /dev/tty@{int} rw, + /dev/pts/@{int} rw, + /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector index 7b277fb3e..119f0d2a1 100644 --- a/apparmor.d/groups/pacman/reflector +++ b/apparmor.d/groups/pacman/reflector 
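Review bot: `@{bin}/gpg{,2} rCx -> &gpg` and `@{bin}/pacman-conf rPx -> &pacman-conf` prefix their exec targets with `&`, a form no other transition in this change uses (`rCx -> gpg`, `Cx -> sudo`, `rPx -> child-pager`). If `&` is a deliberate marker for a parser or tooling feature, a comment above the two rules naming it would spare the next reader the question; if it is a typo, the two rules should presumably read `@{bin}/gpg{,2} rCx -> gpg,` and `@{bin}/pacman-conf rPx,`. The enclosing `pacman-key` rule list continues outside this hunk.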
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,13 +25,18 @@ profile reflector @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, + @{bin}/rsync ix, /etc/xdg/reflector/reflector.conf r, /etc/pacman.d/mirrorlist rw, - owner @{user_cache_dirs}/mirrorstatus.json rw, /var/cache/reflector/mirrorstatus.json rw, + owner @{user_cache_dirs}/mirrorstatus.json rw, + + @{tmp}/@{rand8} rw, + @{tmp}/tmp@{rand8}/{,**} rw, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay new file mode 100644 index 000000000..42932cc2e --- /dev/null +++ b/apparmor.d/groups/pacman/yay 
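Review bot: `@{tmp}/@{rand8} rw` and `@{tmp}/tmp@{rand8}/{,**} rw` are added without the `owner` qualifier that the neighbouring `owner @{user_cache_dirs}/mirrorstatus.json rw` carries, so the profile may read and write any matching entry in the shared temp directory regardless of who created it. `reflector` writes `/etc/pacman.d/mirrorlist` and reads `@{PROC}/1/environ`, so it presumably runs with elevated privileges, which is exactly where `owner` on temp files matters; `owner @{tmp}/@{rand8} rw,` and `owner @{tmp}/tmp@{rand8}/{,**} rw,` are the safer form unless a comment explains why foreign-owned files must be accepted.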
@@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/yay +profile yay @{exec_path} { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{editor_path} Cx -> editor, + @{bin}/git Cx -> git, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/makepkg Px, + @{bin}/pacman Px, + @{bin}/pacman-conf Px, + @{bin}/sudo Cx -> sudo, + + /var/lib/pacman/** r, + + owner @{user_cache_dirs}/yay/ rw, + owner @{user_cache_dirs}/yay/** rwkl -> @{user_cache_dirs}/yay/**, + + owner @{user_config_dirs}/yay/{,**} rw, + + profile git { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{bin}/git* mrix, + @{lib}/git{,-core}/git* mrix, + + @{pager_path} rPx -> child-pager, + @{bin}/gpg{2,} rPx -> yay//gpg, + + /usr/share/git{,-core}/{,**} r, + + owner @{user_build_dirs}/**/.git/** r, + owner @{user_pkg_dirs}/**/.git/** r, + owner @{user_projects_dirs}/**/.git/** r, + + owner @{HOME}/.gitconfig r, + owner @{user_cache_dirs}/yay/ rw, + owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**, + owner @{user_config_dirs}/git/{,*} r, + + include if exists + } + + profile editor { + include + include + + owner @{HOME}/**/ r, # For pwd + + owner @{user_cache_dirs}/yay/*/** rw, + + include if exists + } + + profile gpg { + include + include + + @{bin}/gpg{,2} mr, + @{bin}/gpg-agent rPx, + @{bin}/dirmngr rPx, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + include if exists + } + + profile sudo { + include + include + + capability sys_ptrace, + + ptrace read peer=unconfined, + + @{bin}/pacman Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
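Review bot: the `sudo` child grants `capability sys_ptrace` and `ptrace read peer=unconfined` with no comment on what sudo inspects, and the `makepkg//sudo` child in this same change grants `ptrace read,` with no peer restriction for the same purpose, so the two sudo children disagree on scope. A comment above the rule (`# sudo reads the calling process state — TODO confirm which peer`) and one agreed form in both profiles would make the pair reviewable. In the `gpg` child, `@{bin}/gpg-agent rPx` and `@{bin}/dirmngr rPx` run the agents under their own profiles, whereas `makepkg//gpg` and `aurpublish//gpg` use `rix` for the same binaries; a comment saying which is intended avoids the two drifting further. The `editor` child's `owner @{HOME}/**/ r` is annotated `# For pwd`, which is the style the other wide rules here should follow.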
diff --git a/apparmor.d/groups/polkit/pkexec b/apparmor.d/groups/polkit/pkexec new file mode 100644 index 000000000..8c6d868da --- /dev/null +++ b/apparmor.d/groups/polkit/pkexec @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pkexec +profile pkexec @{exec_path} { + include + include + + capability sys_nice, + + signal send set=(term, kill) peer=polkit-agent-helper, + + ptrace read, + + @{exec_path} mr, + + @{bin}/* PUx, + @{sbin}/* PUx, + @{lib}/** PUx, + /opt/*/** PUx, + /usr/share/** PUx, + + /etc/default/locale r, + + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/groups/polkit/pkttyagent similarity index 93% rename from apparmor.d/profiles-m-r/pkttyagent rename to apparmor.d/groups/polkit/pkttyagent index 68c85487b..436447aef 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} { capability sys_nice, capability audit_write, - ptrace (read), - signal (send,receive), + ptrace read, + signal (send, receive), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper similarity index 72% rename from apparmor.d/groups/freedesktop/polkit-agent-helper rename to apparmor.d/groups/polkit/polkit-agent-helper index d6265589f..f761ecf29 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper 
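Review bot: `@{bin}/* PUx`, `@{sbin}/* PUx`, `@{lib}/** PUx`, `/opt/*/** PUx` and `/usr/share/** PUx` let pkexec launch any unprofiled target unconfined, yet unlike the equivalent block in the `pacman` profile of this change they carry neither `#aa:lint ignore=too-wide` nor a comment explaining that the fallback is deliberate. Since pkexec's purpose is to start programs with elevated privileges after polkit authorisation, a short comment such as `# pkexec starts arbitrary authorised programs; PU is the fallback for unprofiled ones` above the block records the trade-off. The `ptrace read,` without `peer=` would also benefit from a one-line reason.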
@@ -3,13 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] @{exec_path} += @{lib}/polkit-agent-helper-[0-9] -profile polkit-agent-helper @{exec_path} { +profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { include include include @@ -25,20 +25,22 @@ profile polkit-agent-helper @{exec_path} { network netlink raw, - signal (receive) set=(term, kill) peer=gnome-shell, - signal (receive) set=(term, kill) peer=pkexec, - signal (receive) set=(term, kill) peer=pkttyagent, - signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, + signal receive set=(term kill) peer=gnome-shell, + signal receive set=(term kill) peer=pkexec, + signal receive set=(term kill) peer=pkttyagent, + signal receive set=(term kill) peer=polkit-*-authentication-agent, + + unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system, dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=polkitd), + peer=(name=@{busname}, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label=polkitd), + peer=(name=@{busname}, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/polkit/polkitd similarity index 68% rename from apparmor.d/groups/freedesktop/polkitd rename to apparmor.d/groups/polkit/polkitd index 2533b1982..fa00311cd 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/polkit/polkitd 
@@ -3,14 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/{,polkit-1/}polkitd +@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd profile polkitd @{exec_path} flags=(attach_disconnected) { include include + include include capability setgid, @@ -19,18 +20,19 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, audit capability net_admin, - ptrace (read), + ptrace read, #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + dbus send bus=system path=/org/kde/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=@{busname}, label=polkit-kde-authentication-agent), @{exec_path} mr, - @{bin}/pkla-check-authorization rPUx, + @{bin}/pkla-check-authorization rPx, + @{bin}/pkla-admin-identities rPx, /etc/machine-id r, @@ -53,13 +55,19 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @@ -67,9 +75,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, - # Silencer - deny /.cache/ rw, - include if exists } 
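Review bot: The second hunk removes the `dbus send` rule to `org.freedesktop.DBus` for `GetConnectionUnixProcessID`, `GetConnectionUnixUser` and `GetConnectionCredentials`; those calls are how polkitd maps a bus name to the caller's pid and uid before it decides an authorization, so if they are not carried by the include added in the first hunk (its name is not visible in this diff) every check would fail closed. Please confirm the include covers them, or keep the rule. The replacement rule is KDE-specific (`label=polkit-kde-authentication-agent`); if the other agents are handled by an abstraction, a one-line comment pointing there would help the next reader.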
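Review bot: `@{PROC}/@{pid}/fdinfo/@{int} r` is widened to `@{pids}` in the third hunk, which makes the `owner @{PROC}/@{pid}/fdinfo/@{int} r` line still present in the last hunk's context redundant; either drop that line or, if only the caller's fd table is needed, keep the `@{pid}` form and add a comment. polkitd holds `capability sys_ptrace` (visible in the second hunk), so the wide form really does grant reading the fdinfo of every process.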
diff --git a/apparmor.d/groups/procps/free b/apparmor.d/groups/procps/free new file mode 100644 index 000000000..56075ae1c --- /dev/null +++ b/apparmor.d/groups/procps/free @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/free +profile free @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/groups/procps/htop similarity index 93% rename from apparmor.d/profiles-g-l/htop rename to apparmor.d/groups/procps/htop index d06991025..ef14d9ca9 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/groups/procps/htop @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,14 +20,15 @@ profile htop @{exec_path} { network netlink raw, - signal (send), - signal (receive) set=(hup) peer=gnome-terminal-server, + signal send, + signal receive set=hup peer=gnome-terminal-server, - ptrace (read), + ptrace read, @{exec_path} mr, @{bin}/lsof rix, + @{bin}/strace rix, /usr/share/terminfo/** r, 
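Review bot: `@{bin}/strace rix` runs strace inside htop's own confinement, and the only ptrace rule visible in this hunk is `ptrace read`, which covers read-mode access but not attaching; unless a `ptrace trace` rule exists elsewhere in the profile, strace will start from the process menu but fail to attach. If an strace profile exists in the set, `@{bin}/strace rPx` keeps the tracer's permissions out of htop; otherwise add the needed ptrace rule and a comment such as `# strace launched from the process menu`. The htop body continues outside the hunk.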
@@ -38,58 +39,13 @@ profile htop @{exec_path} { owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/* rw, - owner @{PROC}/@{pid}/smaps_rollup r, - - @{PROC}/ r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/sched_autogroup_enabled r, - @{PROC}/tty/drivers r, - @{PROC}/uptime r, - - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/autogroup rw, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/net/dev r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/wchan r, - - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/ r, - @{PROC}/@{pids}/task/@{tid}/attr/current r, - @{PROC}/@{pids}/task/@{tid}/cgroup r, - @{PROC}/@{pids}/task/@{tid}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/comm r, - @{PROC}/@{pids}/task/@{tid}/environ r, - @{PROC}/@{pids}/task/@{tid}/io r, - @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, - @{PROC}/@{pids}/task/@{tid}/oom_score r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/statm r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/task/@{tid}/wchan r, - @{sys}/bus/dax/devices/ r, @{sys}/bus/i2c/devices/ r, @{sys}/bus/soc/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, 
@@ -100,8 +56,8 @@ profile htop @{exec_path} {
 @{sys}/devices/**/hwmon/**/{name,temp*} r,
 @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
 @{sys}/devices/*/name r,
- @{sys}/devices/i2c-@{int}/name r,
- @{sys}/devices/platform/*/i2c-@{int}/name r,
+ @{sys}/devices/i2c-*/name r,
+ @{sys}/devices/platform/*/i2c-*/name r,
 @{sys}/devices/system/cpu/cpu@{int}/** r,
 @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r,
 @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
@@ -129,8 +85,54 @@ profile htop @{exec_path} {
 @{sys}/kernel/mm/hugepages/ r,
 @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
+ @{PROC}/ r,
+ @{PROC}/diskstats r,
+ @{PROC}/loadavg r,
+ @{PROC}/pressure/cpu r,
+ @{PROC}/pressure/io r,
+ @{PROC}/pressure/memory r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/sched_autogroup_enabled r,
+ @{PROC}/tty/drivers r,
+ @{PROC}/uptime r,
+
+ @{PROC}/@{pids}/ r,
+ @{PROC}/@{pids}/attr/current r,
+ @{PROC}/@{pids}/autogroup rw,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/comm r,
+ @{PROC}/@{pids}/environ r,
+ @{PROC}/@{pids}/io r,
+ @{PROC}/@{pids}/maps r,
+ @{PROC}/@{pids}/mounts r,
+ @{PROC}/@{pids}/net/dev r,
+ @{PROC}/@{pids}/oom_{,score_}adj r,
+ @{PROC}/@{pids}/oom_score r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/statm r,
+ @{PROC}/@{pids}/status r,
+ @{PROC}/@{pids}/wchan r,
+
+ @{PROC}/@{pids}/task/ r,
+ @{PROC}/@{pids}/task/@{tid}/ r,
+ @{PROC}/@{pids}/task/@{tid}/attr/current r,
+ @{PROC}/@{pids}/task/@{tid}/cgroup r,
+ @{PROC}/@{pids}/task/@{tid}/cmdline r,
+ @{PROC}/@{pids}/task/@{tid}/comm r,
+ @{PROC}/@{pids}/task/@{tid}/environ r,
+ @{PROC}/@{pids}/task/@{tid}/io r,
+ @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
+ @{PROC}/@{pids}/task/@{tid}/oom_score r,
+ @{PROC}/@{pids}/task/@{tid}/stat r,
+ @{PROC}/@{pids}/task/@{tid}/statm r,
+ @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/@{pids}/task/@{tid}/wchan r,
+
 @{PROC}/cmdline r,
 owner @{PROC}/@{pid}/cpuset r,
+ owner @{PROC}/@{pid}/smaps_rollup r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep
new file mode 100644
index 000000000..d10c1e772
--- /dev/null
+++ b/apparmor.d/groups/procps/pgrep
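Review bot: `@{PROC}/@{pids}/maps r` is the one genuinely new entry in this block (the rest is moved from earlier in the file) and it exposes the memory layout of every process, on top of the `environ` and `autogroup` access the same block already grants for all pids. If it backs a specific column, presumably the library-size one, a comment on that line saying so would let a later reviewer keep it instead of removing it as overreach; if it is not used, drop it.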
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pgrep
+profile pgrep @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/procps/pidof b/apparmor.d/groups/procps/pidof
new file mode 100644
index 000000000..3413eb6c3
--- /dev/null
+++ b/apparmor.d/groups/procps/pidof
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pidof
+profile pidof @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/groups/procps/ps
similarity index 96%
rename from apparmor.d/profiles-m-r/ps
rename to apparmor.d/groups/procps/ps
index bdcd6cee2..7663cbf5d 100644
--- a/apparmor.d/profiles-m-r/ps
+++ b/apparmor.d/groups/procps/ps
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/loginuid r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/@{pids}/statm r,
+ @{PROC}/@{pids}/status r,
 @{PROC}/@{pids}/task/ r,
 @{PROC}/@{pids}/task/@{tid}/cmdline r,
 @{PROC}/@{pids}/task/@{tid}/stat r,
diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/groups/procps/sysctl
similarity index 82%
rename from apparmor.d/profiles-s-z/sysctl
rename to apparmor.d/groups/procps/sysctl
index 4e50430be..9275c7054 100644
--- a/apparmor.d/profiles-s-z/sysctl
+++ b/apparmor.d/groups/procps/sysctl
@@ -4,24 +4,27 @@ # TODO: Rethink this profile. Should not be called by another profile. -abi , +abi , include -@{exec_path} = @{bin}/sysctl +@{exec_path} = @{sbin}/sysctl profile sysctl @{exec_path} { include include capability net_admin, capability sys_admin, + capability sys_ptrace, capability sys_resource, @{exec_path} mr, /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, + + /etc/ufw/sysctl.conf r, # Add support for ufw @{PROC}/sys/ r, @{PROC}/sys/** rw, diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/groups/procps/top similarity index 93% rename from apparmor.d/profiles-s-z/top rename to apparmor.d/groups/procps/top index 9e4b7c11a..6a5d272a3 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/groups/procps/top @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,17 +11,17 @@ include profile top @{exec_path} flags=(attach_disconnected) { include include - include include + include capability dac_read_search, capability kill, capability sys_nice, capability sys_ptrace, - signal (send), + signal send, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -36,16 +36,14 @@ profile top @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/ r, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/groups/procps/uptime similarity index 91% rename from apparmor.d/profiles-s-z/uptime rename to apparmor.d/groups/procps/uptime index 1b28a07da..3da204a38 100644 
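Review bot: `capability sys_ptrace` is added to sysctl with no comment, on a profile that already carries `# TODO: Rethink this profile` and a blanket `@{PROC}/sys/** rw`; writing sysctl keys does not need sys_ptrace, so this presumably silences a denial whose trigger is not recorded anywhere in the hunk. Either note the trigger next to the line, in the same style as the `# Add support for ufw` comment on `/etc/ufw/sysctl.conf r`, or leave the capability out until the denial is understood. The profile body continues outside the hunk.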
--- a/apparmor.d/profiles-s-z/uptime +++ b/apparmor.d/groups/procps/uptime @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,8 @@ profile uptime @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/@{int} r, + @{PROC}/uptime r, @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/procps/vmstat b/apparmor.d/groups/procps/vmstat new file mode 100644 index 000000000..1276222a2 --- /dev/null +++ b/apparmor.d/groups/procps/vmstat @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/vmstat +profile vmstat @{exec_path} { + include + include + + @{exec_path} mr, + + @{sys}/block/ r, + @{sys}/devices/system/node/ r, + + @{PROC}/diskstats r, + @{PROC}/slabinfo r, + @{PROC}/uptime r, + @{PROC}/vmstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/groups/procps/w similarity index 91% rename from apparmor.d/profiles-s-z/w rename to apparmor.d/groups/procps/w index a3fc8c9e3..2445034e9 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/groups/procps/w @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile w @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -24,7 +24,7 @@ profile w @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/@{int} r, + @{run}/systemd/sessions/* r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/groups/shadow/chage similarity index 95% rename from apparmor.d/profiles-a-f/chage rename to apparmor.d/groups/shadow/chage index 3eaa0efb9..43f34a703 100644 --- a/apparmor.d/profiles-a-f/chage 
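Review bot: The uptime hunk adds `@{run}/systemd/sessions/@{int} r` while the w hunk on this same line replaces exactly that pattern with `@{run}/systemd/sessions/* r`, which suggests non-numeric session ids (the `c1`-style ids logind issues) have been hit in practice; uptime will run into the same denial. Use one pattern in both profiles, `@{run}/systemd/sessions/* r`, or add a comment to uptime explaining why only numeric ids are expected there.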
+++ b/apparmor.d/groups/shadow/chage @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile chage @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow} rw, /etc/{passwd,shadow}.@{pid} w, diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/groups/shadow/chpasswd similarity index 73% rename from apparmor.d/profiles-a-f/chpasswd rename to apparmor.d/groups/shadow/chpasswd index 1fd84f53c..5e84f31b4 100644 --- a/apparmor.d/profiles-a-f/chpasswd +++ b/apparmor.d/groups/shadow/chpasswd @@ -2,22 +2,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include -@{exec_path} = @{bin}/chpasswd +@{exec_path} = @{sbin}/chpasswd profile chpasswd @{exec_path} { include + include include include + capability audit_write, capability chown, capability fsetid, + capability net_admin, capability setuid, + network netlink raw, + @{exec_path} mr, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, - /etc/login.defs r, /etc/passwd rw, /etc/passwd.@{int} w, /etc/passwd.lock l -> /etc/passwd.@{int}, @@ -29,6 +37,11 @@ profile chpasswd @{exec_path} { /etc/shadow.lock w, /etc/shadow+ rw, + /etc/pam.d/* r, + /etc/security/pwquality.conf r, + + @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/groups/shadow/gpasswd similarity index 96% rename from apparmor.d/profiles-g-l/gpasswd rename to apparmor.d/groups/shadow/gpasswd index 11c1e9767..ab2d21860 100644 --- a/apparmor.d/profiles-g-l/gpasswd +++ b/apparmor.d/groups/shadow/gpasswd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,7 +29,7 @@ profile gpasswd @{exec_path} { owner @{PROC}/@{pid}/loginuid r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, 
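Review bot: The chpasswd hunk adds `@{PROC}/@{pid}/loginuid r` without `owner`, whereas the gpasswd hunk on this same line keeps `owner @{PROC}/@{pid}/loginuid r`; unless `@{pid}` resolves to the process's own pid in this tunable set, the unowned form lets chpasswd read the loginuid of other processes, so `owner @{PROC}/@{pid}/loginuid r` is the consistent and stricter choice. The new `capability audit_write`, `capability net_admin` and `network netlink raw` group is not explained; if it comes from PAM's audit logging (the passwd hunk later in the diff shows the same net_admin plus netlink pairing), a one-line `# PAM audit logging` above it would save the next reader from re-deriving it. The chpasswd body continues outside the hunk.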
diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/groups/shadow/groupadd similarity index 92% rename from apparmor.d/profiles-g-l/groupadd rename to apparmor.d/groups/shadow/groupadd index 4c6e80c59..2d135007a 100644 --- a/apparmor.d/profiles-g-l/groupadd +++ b/apparmor.d/groups/shadow/groupadd @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/groupadd +@{exec_path} = @{sbin}/groupadd profile groupadd @{exec_path} { include include @@ -22,7 +22,7 @@ profile groupadd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}- w, diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/groups/shadow/groupdel similarity index 93% rename from apparmor.d/profiles-g-l/groupdel rename to apparmor.d/groups/shadow/groupdel index a28fb72f7..8f8b28239 100644 --- a/apparmor.d/profiles-g-l/groupdel +++ b/apparmor.d/groups/shadow/groupdel @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/groupdel +@{exec_path} = @{sbin}/groupdel profile groupdel @{exec_path} { include include @@ -25,7 +25,7 @@ profile groupdel @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/groups/shadow/groupmod similarity index 93% rename from apparmor.d/profiles-g-l/groupmod rename to apparmor.d/groups/shadow/groupmod index a37273af6..34bf046cd 100644 --- a/apparmor.d/profiles-g-l/groupmod +++ b/apparmor.d/groups/shadow/groupmod @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/groupmod +@{exec_path} = @{sbin}/groupmod profile groupmod @{exec_path} { include include 
@@ -24,7 +24,7 @@ profile groupmod @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,gshadow,group} rw, /etc/{passwd,gshadow,group}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/groups/shadow/grpck similarity index 92% rename from apparmor.d/profiles-g-l/grpck rename to apparmor.d/groups/shadow/grpck index 3e42f90c7..1e47307e4 100644 --- a/apparmor.d/profiles-g-l/grpck +++ b/apparmor.d/groups/shadow/grpck @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/grpck +@{exec_path} = @{sbin}/grpck profile grpck @{exec_path} flags=(attach_disconnected) { include include @@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{gshadow,group} rw, /etc/{gshadow,group}.@{pid} rw, diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/groups/shadow/lastlog similarity index 92% rename from apparmor.d/profiles-g-l/lastlog rename to apparmor.d/groups/shadow/lastlog index 3df955097..0cb62819f 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/groups/shadow/lastlog @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,8 +17,9 @@ profile lastlog @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + /var/log/lastlog r, - /etc/login.defs r, include if exists } diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/groups/shadow/newgidmap similarity index 89% rename from apparmor.d/profiles-m-r/newgidmap rename to apparmor.d/groups/shadow/newgidmap index 9398350e1..6fa555504 100644 --- a/apparmor.d/profiles-m-r/newgidmap +++ b/apparmor.d/groups/shadow/newgidmap @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -18,6 +18,8 @@ profile newgidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subgid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/groups/shadow/newuidmap similarity index 89% rename from apparmor.d/profiles-m-r/newuidmap rename to apparmor.d/groups/shadow/newuidmap index eeba22557..6a53bf5c1 100644 --- a/apparmor.d/profiles-m-r/newuidmap +++ b/apparmor.d/groups/shadow/newuidmap @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,6 +18,8 @@ profile newuidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subuid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/groups/shadow/passwd similarity index 92% rename from apparmor.d/profiles-m-r/passwd rename to apparmor.d/groups/shadow/passwd index f37f5651d..9d81c0bea 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/groups/shadow/passwd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,7 @@ profile passwd @{exec_path} { capability net_admin, capability setuid, - signal (receive) set=(term, kill) peer=gnome-control-center, + signal receive set=(term kill) peer=gnome-control-center, network netlink raw, diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/groups/shadow/pwck similarity index 89% rename from apparmor.d/profiles-m-r/pwck rename to apparmor.d/groups/shadow/pwck index af459593a..456a15af4 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/groups/shadow/pwck @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/pwck +@{exec_path} = @{sbin}/pwck profile pwck @{exec_path} flags=(attach_disconnected) { include include 
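Review bot: `@{etc_ro}/login.defs.d/{,*} r` is granted only to newgidmap and newuidmap, while every other shadow profile in this change gets just `@{etc_ro}/login.defs r`. If the drop-in directory is read by shadow's shared config loader rather than by these two tools specifically, the other profiles will log the same denial and the rule belongs in all of them (or in a shared abstraction); if it really is specific to the idmap helpers, a short comment on the line would say why.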
@@ -16,7 +16,8 @@ profile pwck @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, /etc/passwd rw, /etc/passwd.@{int} rw, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/groups/shadow/useradd similarity index 92% rename from apparmor.d/profiles-s-z/useradd rename to apparmor.d/groups/shadow/useradd index a6094867a..b10487cf2 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/groups/shadow/useradd @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/useradd +@{exec_path} = @{sbin}/useradd profile useradd @{exec_path} { include include @@ -25,12 +25,12 @@ profile useradd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{bin}/pam_tally2 rCx -> pam_tally2, /etc/default/useradd r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, @@ -53,9 +53,10 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.* w, + @{HOME}/** wl, + @{HOME}/**/ r, /var/lib/*/{,*} rw, - /etc/skel/{,.*} r, + /etc/skel/{,.**} r, profile pam_tally2 { include diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/groups/shadow/userdel similarity index 95% rename from apparmor.d/profiles-s-z/userdel rename to apparmor.d/groups/shadow/userdel index 6b95a4848..589c726d0 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/userdel +@{exec_path} = @{sbin}/userdel profile userdel @{exec_path} flags=(attach_disconnected) { include include 
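Review bot: In the useradd hunk `@{bin}/usermod rPx` becomes `@{sbin}/usermod rPx` but `@{bin}/nscd rix` on the line directly above is left as is, and the same `@{bin}/nscd rix` survives as context in the groupadd, groupdel, pwck and usermod hunks. nscd is a daemon installed under sbin, so if `@{bin}` no longer covers sbin after this split those rules stop matching; either move them to `@{sbin}/nscd rix` in the same sweep or state in the commit why nscd stays under `@{bin}`.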
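Review bot: `/etc/skel/{,.**} r` still matches only dot-prefixed entries, so a skeleton that ships a non-hidden directory would be denied on copy while the write side has been widened to `@{HOME}/** wl`; `/etc/skel/{,**} r` would mirror the write side. The `l` permission on `@{HOME}/**` allows link creation anywhere under any home; if it is only there for symlinks copied from skel, a comment saying so would keep it from reading as overreach. The useradd body continues outside the hunk.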
@@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/groups/shadow/usermod similarity index 95% rename from apparmor.d/profiles-s-z/usermod rename to apparmor.d/groups/shadow/usermod index cfcdc6bdc..b59260a25 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/groups/shadow/usermod @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/usermod +@{exec_path} = @{sbin}/usermod profile usermod @{exec_path} flags=(attach_disconnected) { include include @@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/subuid r, /etc/{passwd,shadow,gshadow,group} rw, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap new file mode 100644 index 000000000..9530b8594 --- /dev/null +++ b/apparmor.d/groups/snap/snap 
@@ -0,0 +1,217 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin}
+@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}
+
+@{exec_path} = @{bin_dirs}/snap
+profile snap @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setuid,
+ capability sys_admin,
+ capability sys_ptrace,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ ptrace read peer=snap.*,
+
+ unix (send, receive) type=stream peer=(label=apt),
+
+ mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
+
+ #aa:dbus own bus=session name=io.snapcraft.Launcher
+ #aa:dbus own bus=session name=io.snapcraft.SessionAgent
+ #aa:dbus own bus=session name=io.snapcraft.Settings
+
+ #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.*
+ #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
+ #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
+
+ dbus send bus=session path=/org/freedesktop/portal/documents
+ interface=org.freedesktop.portal.Documents
+ member=GetMountPoint
+ peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label=gnome-shell),
+
+ @{exec_path} mrix,
+
+ @{sh_path} mr,
+ @{bin}/mount rix,
+ @{bin}/getent rix,
+
+ @{bin}/gpg{,2} rCx -> gpg,
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/systemd-run rCx -> run, # Start snap from the cli
+ @{bin}/unsquashfs rCx -> unsquashfs,
+ @{bin}/xdg-settings rCx -> xdg-settings,
+
+ @{bin_dirs}/xdelta3 ix,
+ @{lib_dirs}/** mr,
+ @{lib_dirs}/snapd/snap-confine rPx,
+ @{lib_dirs}/snapd/snap-seccomp rPx,
+ @{lib_dirs}/snapd/snapd rPx,
+
+ /etc/fstab r,
+
+ /var/lib/snapd/{,**} rwk,
+ /var/cache/snapd/commands.db rwk,
+ /var/cache/snapd/names r,
+
+ @{DESKTOP_HOME}/snap/{,**} rw,
+ /snap/{,**} rw,
+
+ @{HOME}/ r,
+ @{HOME}/.snap.mkdir-new/ rw,
+ @{HOME}/.snap/{,**} rw,
+ @{HOME}/snap/{,**} rw,
+
+ @{user_pkg_dirs}/** r,
+
+ owner @{tmp}/read-file@{int}/unpack/{,**} w,
+ owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,
+
+ @{run}/user/@{uid}/bus rw,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
+ owner @{run}/user/@{uid}/gdm/Xauthority r,
+ owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
+ owner @{run}/user/@{uid}/systemd/notify rw,
+
+ @{run}/mount/utab r,
+ @{run}/snapd.socket rw,
+
+ @{sys}/fs/cgroup/cgroup.controllers r,
+ @{sys}/kernel/security/apparmor/features/{,**} r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/cgroups r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/random/uuid r,
+ @{PROC}/sys/kernel/seccomp/actions_avail r,
+ @{PROC}/version r,
+ @{PROC}/@{pid}/attr/apparmor/current r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/tty@{int} rw,
+ /dev/ttyS@{int} rw,
+
+ /apparmor/.null rw,
+
+ # file_inherit, safe to deny
+ deny owner @{user_share_dirs}/gvfs-metadata/* r,
+ deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
+
+ profile gpg {
+ include
+
+ @{bin}/gpg{,2} mr,
+
+ @{bin}/dirmngr rix,
+ @{bin}/gpg-agent rix,
+ @{bin}/gpg-connect-agent rix,
+
+ owner @{HOME}/.snap/gnupg/ rw,
+ owner @{HOME}/.snap/gnupg/** rwkl,
+
+ include if exists
+ }
+
+ profile xdg-settings {
+ include
+ include
+
+ @{bin}/xdg-settings mr,
+
+ @{sh_path} r,
+ @{bin}/{,e}grep rix,
+ @{bin}/basename rix,
+ @{bin}/cat ix,
+ @{bin}/cut rix,
+ @{bin}/head ix,
+ @{bin}/mkdir ix,
+ @{bin}/mktemp ix,
+ @{bin}/mv ix,
+ @{bin}/readlink ix,
+ @{bin}/realpath rix,
+ @{bin}/rm ix,
+ @{bin}/sed ix,
+ @{bin}/sleep ix,
+ @{bin}/sort ix,
+ @{bin}/touch ix,
+ @{bin}/tr ix,
+ @{bin}/uname ix,
+ @{bin}/wc ix,
+
+ @{bin}/xdg-mime Px,
+
+ include if exists
+ }
+
+ profile run {
+ include
+
+ unix bind type=stream addr=@@{udbus}/bus/systemd-run/,
+
+ @{bin}/systemd-run mr,
+
+ owner @{run}/user/@{uid}/systemd/private rw,
+
+ include if exists
+ }
+
+ profile systemctl {
+ include
+ include
+ include
+
+ capability net_admin,
+
+ network unix stream,
+ network (send receive) netlink raw,
+
+ @{run}/systemd/notify w,
+ owner @{run}/user/@{uid}/systemd/notify rw,
+ owner @{run}/user/@{uid}/systemd/private rw,
+
+ include if exists
+ }
+
+ profile unsquashfs {
+ include
+
+ @{bin}/unsquashfs mr,
+
+ /**.snap r,
+
+ owner /tmp/read-file@{int}/unpack/{,**} w,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/groups/snap/snap-device-helper
similarity index 97%
rename from apparmor.d/profiles-s-z/snap-device-helper
rename to apparmor.d/groups/snap/snap-device-helper
index ec342d4e2..5a9fded35 100644
--- a/apparmor.d/profiles-s-z/snap-device-helper
+++ b/apparmor.d/groups/snap/snap-device-helper
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns
similarity index 86%
rename from apparmor.d/profiles-s-z/snap-discard-ns
rename to apparmor.d/groups/snap/snap-discard-ns
index ab90529b7..0ccb3f1c7 100644
--- a/apparmor.d/profiles-s-z/snap-discard-ns
+++ b/apparmor.d/groups/snap/snap-discard-ns
@@ -2,11 +2,11 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
+@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}
 @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns
 profile snap-discard-ns @{exec_path} {
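Review bot: The `unsquashfs` child profile writes `owner /tmp/read-file@{int}/unpack/{,**} w` while the parent grants the same path as `owner @{tmp}/read-file@{int}/unpack/{,**} w`; use `@{tmp}` in both so they stay in step if the tunable ever differs from `/tmp`. The parent also pairs `capability dac_override` with unowned `@{HOME}/snap/{,**} rw`, `@{HOME}/.snap/{,**} rw` and `/snap/{,**} rw`, which lets the confined snap client write into every user's snap directories; if root genuinely needs that, a comment should say so, otherwise `owner` on the home rules would match the gpg child, which already uses `owner @{HOME}/.snap/gnupg/`. `/**.snap r` in the unsquashfs child allows reading a .snap from anywhere on the filesystem, presumably for installing a local file; a comment such as `# local .snap files passed on the command line` would document that.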
@@ -20,6 +20,7 @@ profile snap-discard-ns @{exec_path} { umount @{run}/snapd/ns/*.mnt, @{exec_path} mr, + @{lib_dirs}/**.so* mr, / r, @{run}/ r, diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/groups/snap/snap-failure similarity index 83% rename from apparmor.d/profiles-s-z/snap-failure rename to apparmor.d/groups/snap/snap-failure index df8fe47fb..bed3a2d12 100644 --- a/apparmor.d/profiles-s-z/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -2,31 +2,30 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { include @{exec_path} mr, + @{lib_dirs}/**.so* mr, @{bin}/systemctl rCx -> systemctl, @{lib_dirs}/snapd/snapd rPx, /var/lib/snapd/sequence/snapd.json r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/cmdline r, profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp similarity index 57% rename from apparmor.d/profiles-s-z/snap-seccomp rename to apparmor.d/groups/snap/snap-seccomp index 0da410bca..90c1724be 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp 
@@ -2,29 +2,36 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp -profile snap-seccomp @{exec_path} { +profile snap-seccomp @{exec_path} flags=(attach_disconnected) { include include include + capability dac_read_search, + network netlink raw, @{exec_path} mr, + @{lib_dirs}/**.so* mr, + + @{bin}/getent rix, /var/lib/snapd/seccomp/bpf/{,**} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pids}/mountinfo r, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns similarity index 61% rename from apparmor.d/profiles-s-z/snap-update-ns rename to apparmor.d/groups/snap/snap-update-ns index e9315f5c7..5d08a4240 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { 
@@ -18,24 +18,46 @@ profile snap-update-ns @{exec_path} { network netlink raw, - mount -> /boot/, + mount -> @{efi}/, mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, mount -> /var/lib/dhcp/, + + umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, umount /snap/**, + umount /tmp/.snap/**, + umount /usr/share/xml/iso-codes/, umount /var/lib/dhcp/, @{exec_path} mr, + @{lib_dirs}/**.so* mr, + + @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, + + /usr/share/xml/ r, + /usr/share/xml/iso-codes/ rw, /var/lib/snapd/mount/{,*} r, / r, /tmp/ r, + @{lib}/ r, + /usr/ r, + /usr/local/ r, + /usr/local/share/ r, + /usr/local/share/doc/ rw, + /usr/local/share/fonts/ rw, + /usr/share/ r, + /usr/share/drirc.d w, + /usr/share/X11/ r, + /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, owner /var/ rw, + owner /var/lib/ rw, + owner /var/lib/snapd/ rw, owner /var/snap/ rw, owner /var/snap/**/ rw, @@ -46,8 +68,8 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/groups/snap/snapd similarity index 61% rename from apparmor.d/profiles-s-z/snapd rename to apparmor.d/groups/snap/snapd index 3892a8ca4..87e535b3f 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/groups/snap/snapd 
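Review bot: `/usr/share/drirc.d w` and `/usr/share/X11/XErrorDB w` are written without a trailing slash, so they only permit creating a regular file at that path, whereas `/usr/share/xml/iso-codes/ rw` and `/usr/local/share/fonts/ rw` in the same block are directory rules; if `drirc.d` is meant to be a directory mount point the rule will never match and the denial will come back. These are unqualified root-level writes into `/usr`, and AppArmor path rules cannot distinguish the snap's mount namespace (where `/usr` is the base snap) from the host's, so a comment above the block — `# mount points created for snap layouts inside the per-snap mount namespace` — would record why plain `w` on host paths is acceptable here. The profile body continues in the following hunk.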
@@ -2,12 +2,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { 
@@ -28,57 +28,63 @@ profile snapd @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, + capability mac_admin, capability net_admin, capability setgid, capability setuid, capability sys_admin, capability sys_ptrace, - capability sys_resource, network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + network unix stream, mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/, umount /tmp/syscheck-mountpoint-@{int}/, umount /snap/*/*/, - ptrace (read) peer=snap, - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, + ptrace read peer=snap{,.*}, - unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, + signal send set=kill peer=snapd//journalctl, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.timedate1), @{exec_path} mrix, - @{bin}/adduser rPx, - @{bin}/groupadd rPx, - @{bin}/hostnamectl rPx, - @{bin}/ssh-keygen rPx, - @{bin}/useradd rPx, - @{sh_path} rix, - @{bin}/apparmor_parser rPx, + @{sbin}/adduser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/cp rix, + @{bin}/getent rix, + @{sbin}/groupadd rPx, @{bin}/gzip rix, - @{bin}/journalctl rPx, + @{bin}/hostnamectl rPx, + @{bin}/journalctl rCx -> journalctl, @{bin}/kmod rPx, @{bin}/mount rix, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, + @{bin}/ssh-keygen rPx, @{bin}/sync rix, - @{bin}/systemctl rix, + @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/tar rix, @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/unsquashfs rix, @{bin}/update-desktop-database rPx, + @{sbin}/useradd rPx, @{bin_dirs}/fc-cache-* mr, @{bin_dirs}/snap 
rPUx, @@ -91,21 +97,24 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/{,snapd*} r, + /usr/share/dbus-1/{system,session}.d/ rw, + /usr/share/dbus-1/{system,session}.d/snapd* rw, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**/} r, + /usr/share/polkit-1/actions/{,**} r, + /usr/share/polkit-1/actions/snap.*.policy* rw, + @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, - /etc/environment r, /etc/fstab r, /etc/mime.types r, /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, + /etc/polkit-1/rules.d/{,**/} r, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, - /etc/systemd/user/{,**/} r, + /etc/systemd/user/{,**/} rw, /etc/systemd/user/**/*snap* rw, /etc/systemd/user/*snap* rw, /etc/udev/rules.d/{,*snap*} rw, @@ -119,12 +128,14 @@ profile snapd @{exec_path} { /var/cache/apparmor/*/snap* rw, /tmp/ r, + /tmp/read-file@{int}/{,**} rw, + /tmp/snapd@{int}/ rw, + /tmp/snapd@{int}/** rw, /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, - /tmp/read-file@{int}/{,**} rw, - /boot/ r, - /boot/grub/grubenv r, + @{efi}/ r, + @{efi}/grub/grubenv r, / r, /home/ r, @@ -138,9 +149,11 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, + @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, + @{run}/mount/utab.act rk, @{run}/snapd*.socket rw, @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, 
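Review bot: `capability mac_admin` is added to the main snapd profile with no rationale; it permits loading and replacing AppArmor policy directly, which makes the `@{sbin}/apparmor_parser rPx` boundary moot for a compromised snapd. If the reason is the prompting listener — the same change adds `@{sys}/kernel/security/apparmor/.notify r`, and registering on that interface needs CAP_MAC_ADMIN as far as I know — record it inline as `capability mac_admin, # AppArmor prompting listener (.notify)`, so it can be dropped or made conditional on systems without prompting. The profile continues past this hunk.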
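Review bot: `/etc/systemd/user/{,**/} rw` widens the directory rule from `r` to `rw` for every directory under `/etc/systemd/user`, while the file rules stay restricted to `*snap*`; in AppArmor a `w` on a directory path governs creating or removing that directory itself, not its entries (entries are mediated by their own path), so this grants snapd mkdir/rmdir of arbitrary directories there. If the trigger is `systemctl --user enable` creating `*.target.wants/` directories, `/etc/systemd/user/*.wants/ rw,` alongside the previous `/etc/systemd/user/{,**/} r,` would be the narrower form. The same question applies to `/usr/share/dbus-1/{system,session}.d/ rw`, where the `snapd*` file rule already covers what snapd writes.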
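Review bot: `/tmp/snapd@{int}/ rw`, `/tmp/snapd@{int}/** rw` and `/tmp/read-file@{int}/{,**} rw` carry no `owner` qualifier, so a root-running snapd is permitted to follow into a `/tmp/snapd<N>/` tree pre-created by any local user should the name ever be predictable; `owner` is a cheap fence and is what the ssh-keygen profile in this same change uses for the very same directory (`owner /tmp/snapd@{int}/*.key{,.pub} w`). Suggest `owner /tmp/snapd@{int}/{,**} rw,` and the same for `read-file@{int}`. A random suffix from the temp-dir helper (inferred, not visible here) makes a race unlikely but does not replace the ownership check.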
@@ -148,17 +161,15 @@ profile snapd @{exec_path} { @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, - @{sys}/fs/cgroup/system.slice/{,**/} r, - @{sys}/fs/cgroup/user.slice/ r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/ r, + @{sys}/fs/cgroup/*.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/kexec_loaded r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, - @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/stat r, @@ -171,10 +182,62 @@ profile snapd @{exec_path} { /dev/loop-control rw, + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + network netlink raw, + + ptrace read peer=@{p_systemd}, + + /etc/systemd/system/{,**/} r, + /etc/systemd/system/snap* rw, + /etc/systemd/user/{,**/} rw, + /etc/systemd/user/**/*snap* rw, + /etc/systemd/user/*snap* rw, + + @{run}/systemd/notify rw, + + include if exists + } + + profile journalctl { + include + include + + capability net_admin, + capability sys_resource, + + network netlink raw, + + signal receive set=kill peer=snapd, + + @{bin}/journalctl mr, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + @{run}/systemd/notify w, + + include if exists + } + profile runuser { include - @{bin}/runuser mr, + @{sbin}/runuser mr, + + @{sh_path} ix, + @{bin}/gzip ix, + @{bin}/tar ix, + + owner @{HOME}/snap/*/{,**} r, include if exists } 
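Review bot: `@{sys}/fs/cgroup/*.slice/ r,` is fully subsumed by the very next line `@{sys}/fs/cgroup/*.slice/{,**/} r,` (and by the pre-existing `@{sys}/fs/cgroup/{,*/} r`), so one of the two added lines is redundant. The rewrite also replaces the former `snap*.service/cgroup.procs` rules with `*.slice/**/cgroup.procs r`, meaning snapd can now list the PIDs of every cgroup rather than only snap units; a comment on why the `snap*` restriction was lifted would help the next reader decide whether it can be tightened again.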
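Review bot: The new `systemctl` and `journalctl` children grant `capability net_admin` and `capability sys_resource`, while the sshd-session profile added in this same change documents that libsystemd only probes these to enlarge socket buffers and falls back when denied, and therefore uses `deny capability net_admin,`. Unless a real need is known here, the same pattern — `deny capability net_admin,` and `deny capability sys_resource,` — silences the log noise without widening two privileged children; if journalctl's `sys_resource` comes from its RLIMIT_NOFILE bump (inferred), that also degrades gracefully. In the `runuser` child, `owner @{HOME}/snap/*/{,**} r` is read-only, so if it is meant to serve snapshot restore as well as save, the writes will be denied.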
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener similarity index 78% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-listener rename to apparmor.d/groups/snap/snapd-aa-prompt-listener index 3e3045b80..37730ba6f 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -2,22 +2,21 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { include @{exec_path} mrix, + @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/cmdline r, include if exists diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui similarity index 82% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-ui rename to apparmor.d/groups/snap/snapd-aa-prompt-ui index d7b9b3713..99dc98efe 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -2,17 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { include @{exec_path} mrix, + @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor similarity index 77% rename from apparmor.d/profiles-s-z/snapd-apparmor rename to apparmor.d/groups/snap/snapd-apparmor index 22a9c5faa..47b939fa0 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor 
+++ b/apparmor.d/groups/snap/snapd-apparmor @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { @@ -15,15 +15,14 @@ profile snapd-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/systemd-detect-virt rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, @{lib_dirs}/snapd/info r, /var/lib/snapd/apparmor/profiles/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/cmdline r, include if exists diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 672d9b5e5..a0fc3e2f8 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -2,12 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/openssh/sftp-server -@{exec_path} += @{lib}/ssh/sftp-server +@{exec_path} = @{lib}/{openssh,ssh}/sftp-server profile sftp-server @{exec_path} { include include diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index d4c948f86..0d6826490 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
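Review bot: `@{lib_dirs}/** mr` in snapd-apparmor grants map-executable on everything under `@{lib}/` and the snapd/core snap lib dirs, including the snapd binaries and `@{lib_dirs}/snapd/info`, whereas every sibling profile touched in this change (snap-failure, snap-seccomp, snap-update-ns, the prompt listener and ui) uses the narrower `@{lib_dirs}/**.so* mr,`. Unless snapd-apparmor maps something that is not a shared object, align it with the others.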
@@ -11,44 +11,58 @@ include profile ssh @{exec_path} { include include + include + include include - signal (receive) set=(term) peer=gnome-keyring-daemon, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=term peer=gnome-keyring-daemon, + signal send set=hup peer=unconfined, + @{exec_path} mrix, - @{bin}/{,b,d,rb}ash rix, - @{bin}/{c,k,tc,z}sh rix, + @{bin}/@{shells} rUx, + @{bin}/ssh.hmac r, + + @{lib}/{,ssh/}ssh-sk-helper rix, @{etc_ro}/ssh/ssh_config r, + @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/sshd_config r, @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - /etc/ssh/ssh_config r, - /etc/ssh/ssh_config.d/{,*} r, - - owner @{HOME}/@{XDG_SSH_DIR}/ r, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, - owner @{HOME}/@{XDG_SSH_DIR}/config r, + + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + owner @{tmp}/krb5cc_* rwk, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/hidraw/hidraw@{int} r, + owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, + /dev/hidraw@{int} rwk, + include if exists } diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index ec82ea1bc..9fc2900b4 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
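Review bot: `@{bin}/@{shells} rUx` turns every shell ssh spawns — ProxyCommand, LocalCommand, Match exec and similar hooks driven by `~/.ssh/config` or command-line options — into an unconfined process, where the previous `rix` kept it under this profile; the new `signal send set=hup peer=unconfined` suggests this was deliberate. If so, say why in a comment above the rule and mark it the way sshd does in this same change: `@{bin}/@{shells} rUx, #aa:exclude RBAC`. Separately, `@{lib}/{,ssh/}ssh-sk-helper rix` is inconsistent with ssh-keygen, which now uses `rPx -> ssh-sk-helper` against the dedicated profile added by this change; using the same transition here would also let the hidraw and `@{sys}/class/hidraw/` rules move out of the ssh profile.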
@@ -12,21 +12,23 @@ profile ssh-agent @{exec_path} { include include - signal (receive) set=term peer=cockpit-bridge, - signal (receive) set=term peer=gnome-keyring-daemon, + signal receive set=term peer=cockpit-bridge, + signal receive set=term peer=cockpit-session, + signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, @{sh_path} rix, @{bin}/gpg-agent rPx, + @{bin}/im-launch rPx, owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/.xsession-errors w, owner @{user_projects_dirs}/**/ssh/{,*} r, - owner @{tmp}/ssh-*/ rw, - owner @{tmp}/ssh-*/agent.* rw, + owner @{tmp}/ssh-@{rand12}/ rw, + owner @{tmp}/ssh-@{rand12}/agent.@{int} rw, owner @{run}/user/@{uid}/keyring/.ssh rw, owner @{run}/user/@{uid}/openssh_agent rw, @@ -34,6 +36,7 @@ profile ssh-agent @{exec_path} { owner @{run}/user/@{uid}/gcr/.ssh w, /dev/tty@{int} rw, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 66e05b5ec..86bd0866f 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,10 +12,10 @@ profile ssh-agent-launch @{exec_path} { @{exec_path} mr, - @{bin}/{,z,ba,da}sh rix, + @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ssh-agent rPx, /etc/X11/Xsession.options r, 
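Review bot: `owner @{tmp}/ssh-@{rand12}/agent.@{int} rw` correctly pins the agent socket path, but the `ssh` profile in this same change still uses the looser `owner @{tmp}/ssh-*/{,agent.@{int}} rwkl`; the two should agree on the `ssh-@{rand12}` form so one side does not accept sockets the other refuses to create. `@{bin}/im-launch rPx` is the session-wrapper use of ssh-agent (`ssh-agent <session command>`), which merits a one-line comment since it is not an obvious child of an agent.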
@@ -25,14 +25,14 @@ profile ssh-agent-launch @{exec_path} { include dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label=dbus-session), + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=SetEnvironment - peer=(name=org.freedesktop.systemd1), + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index f31ac1195..738268b0a 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -3,12 +3,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ssh-keygen - profile ssh-keygen @{exec_path} { include include @@ -16,10 +15,16 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, + + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/ w, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, + + owner /tmp/snapd@{int}/*_*{,.pub} w, + owner /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper new file mode 100644 index 000000000..ff9de97c3 --- /dev/null +++ b/apparmor.d/groups/ssh/ssh-sk-helper 
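Review bot: `/etc/ssh/moduli rw` gives ssh-keygen write access to the system-wide DH group-exchange moduli that sshd consumes, so a confined ssh-keygen could weaken every DH-GEX handshake on the host; `ssh-keygen -M generate`/`-M screen` write to the output path given on the command line, so the system file should only be rewritten by a deliberate regeneration, which belongs in a local override rather than the base profile. Suggest `/etc/ssh/moduli r,` unless a routine code path is known to rewrite it. The widened `owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*` is reasonable for `-R`/known_hosts rewrites, but note it now also covers `config` and `authorized_keys`.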
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{,ssh/}ssh-sk-helper +profile ssh-sk-helper flags=(complain) { + include + include + + @{exec_path} mr, + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/hidraw/hidraw@{int} r, + + /dev/hidraw@{int} rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 1410d090f..633076ad6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -11,11 +11,11 @@ # If you want real protection disallow SSH access. -abi , +abi , include -@{exec_path} = @{bin}/sshd +@{exec_path} = @{sbin}/sshd profile sshd @{exec_path} flags=(attach_disconnected) { include include @@ -25,12 +25,14 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, - capability dac_read_search, capability dac_override, + capability dac_read_search, capability fowner, + capability fsetid, capability kill, capability net_bind_service, capability setgid, 
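Review bot: The new ssh-sk-helper profile carries no comment on what it mediates: `/dev/hidraw@{int} rwk` is every raw HID device, which is hard to avoid because the FIDO authenticator's node number is not known in advance, but that reasoning should be written above the rule, e.g. `# FIDO/U2F security keys are reached directly over hidraw; the device number is not predictable`. Note also that only ssh-keygen transitions into this profile (`rPx -> ssh-sk-helper`); the `ssh` profile in this change runs the helper `rix`, so the `complain` flag here will not surface denials from the ssh path.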
@@ -49,24 +51,33 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(hup) peer=@{p_systemd}, + unix type=stream peer=(label=sshd-session), - ptrace (read,trace) peer=@{p_systemd}, + signal receive set=hup peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/sshd/system, + ptrace (read trace) peer=@{p_systemd}, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{bin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/openssh/sftp-server rPx, + @{sbin}/sshd.hmac r, + + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/false ix, + @{sbin}/nologin Px, + @{bin}/passwd Px, + @{lib}/{openssh,ssh}/sftp-server Px, + @{lib}/{openssh,ssh}/sshd-auth Px, + @{lib}/{openssh,ssh}/sshd-session Px, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, 
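Review bot: The listener profile keeps `@{bin}/@{shells} Ux`, `@{bin}/passwd Px`, `@{sbin}/nologin Px` and `sftp-server Px` while also adding `sshd-session Px` and `sshd-auth Px`; with the OpenSSH ≥ 9.8 split the listener only execs `sshd-session` and the user-facing programs are exec'd by the session process, so these rules now serve only pre-split builds (version boundary from memory). A comment such as `# OpenSSH < 9.8: shells/subsystems are exec'd by the listener itself` above them would stop a future cleanup from breaking older releases, and makes explicit that the same set must exist in sshd-session for newer ones. `@{sbin}/sshd.hmac r` likewise deserves `# FIPS integrity check file`.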
@@ -93,19 +104,20 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, owner @{user_cache_dirs}/{,motd*} rw, + @{att}/@{run}/systemd/sessions/@{int}.ref rw, + @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/systemd/notify w, - @{run}/systemd/sessions/*.ref rw, owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-@{word}.scope/ rw, @{PROC}/@{pids}/fd/ r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth new file mode 100644 index 000000000..c1601b813 --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-auth @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-auth +profile sshd-auth @{exec_path} { + include + include + + capability setgid, + capability setuid, + capability sys_chroot, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + @{sbin}/sshd.hmac r, + + /etc/gss/mech.d/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session new file mode 100644 index 000000000..ab86f3ad1 --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-session 
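Review bot: `@{HOME}/@{XDG_SSH_DIR}/authorized_keys* r` drops the `owner` qualifier and widens the glob, while the new `sshd-session` profile in this same change keeps `owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r`, so the two profiles disagree. As far as I recall sshd reads the file after temporarily switching to the user's uid, and StrictModes refuses files the user does not own, so `owner` should be satisfiable; a denial that motivated dropping it most likely points at a file StrictModes would reject anyway. Suggest restoring `owner ... authorized_keys{,.*} r` here, or documenting why it cannot hold.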
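Review bot: sshd-auth has no `unix` rule toward the process that spawns it, while `sshd` and `sshd-session` in this same change grant each other `unix type=stream peer=(label=...)`; sshd-auth is exec'd `Px` from sshd-session and talks back over a socketpair the same way (inferred from the split, not visible here), so `unix type=stream peer=(label=sshd-session),` is likely needed here unless one of the stripped includes provides it. `capability sys_chroot` would also benefit from a comment naming the privsep chroot directory it is for.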
@@ -0,0 +1,92 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-session +profile sshd-session @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include #aa:only RBAC + + capability audit_write, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + + # sshd doesn't require net_admin. libpam-systemd tries to + # use it if available to set the send/receive buffers size, + # but will fall back to a non-privileged version if it fails. + deny capability net_admin, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + unix type=stream peer=(label=sshd), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + + @{exec_path} mr, + + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/userdbctl Px, + @{lib}/{openssh,ssh}/sshd-auth Px, + + @{etc_rw}/motd r, + @{etc_rw}/motd.d/{,**} r, + /etc/machine-id r, + /etc/motd r, + + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + + /var/lib/wtmpdb/ w, + + owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + + owner @{user_cache_dirs}/{,motd*} rw, + + @{att}/@{run}/systemd/sessions/@{int}.ref w, + + @{run}/cockpit/active.issue r, + @{run}/motd.d/{,*} r, + @{run}/motd.dynamic rw, + 
@{run}/motd.dynamic.new rw, + + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 7623cd87a..ee6a2f903 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,8 +13,12 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{HOME}/*/, mount fstype=fuse.sshfs -> @{HOME}/*/*/, + mount fstype=fuse.sshfs -> @{MOUNTDIRS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), @{exec_path} mr, @@ -27,23 +31,24 @@ profile sshfs @{exec_path} flags=(complain) { profile fusermount flags=(complain) { include - include - - capability sys_admin, + include mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTDIRS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/, + + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/groups/steam/steam similarity index 73% rename from apparmor.d/profiles-s-z/steam rename to apparmor.d/groups/steam/steam index 8de447bfe..e3fcb1931 100644 
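Review bot: sshd-session carries `@{bin}/@{shells} Ux` but none of the other user-facing programs the listener profile still lists — `sftp-server`, `nologin`, `passwd` and `false` — and with the OpenSSH ≥ 9.8 split those are exec'd by the session process rather than the listener (version boundary from memory), so SFTP logins, disabled accounts and forced password changes will be denied under this profile unless the stripped includes cover them. Adding the same transitions next to the shell rule keeps both profiles in step. The profile also has `unix type=stream peer=(label=sshd)` but nothing for `sshd-auth`, which it execs `Px` and talks to over a socketpair the same way, so a matching `unix type=stream peer=(label=sshd-auth),` is likely missing too.
```apparmor
  unix type=stream peer=(label=sshd),
  unix type=stream peer=(label=sshd-auth),
  # … unchanged: dbus rules …
  @{bin}/@{shells} Ux, #aa:exclude RBAC
  @{bin}/false ix,
  @{sbin}/nologin Px,
  @{bin}/passwd Px,
  @{lib}/{openssh,ssh}/sftp-server Px,
  # … unchanged: userdbctl, sshd-auth, motd, lastlog, wtmpdb …
```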
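Review bot: `mount fstype=fuse.sshfs -> @{MOUNTDIRS}/` and `-> @{MOUNTS}/` allow sshfs to mount directly on the mount root directories themselves (e.g. `/mnt/`, `/media/` or the per-user media directory, depending on how the tunables expand), which would shadow every other mount beneath them; the pre-existing `@{HOME}/*/` rules and the new `@{MOUNTS}/*/` rules target a subdirectory, which is the normal sshfs target. Unless mounting over the root itself is a known use, keep only `@{MOUNTDIRS}/*/`, `@{MOUNTS}/*/` and their children. Dropping `addr=none` from the unix rule loosens the peer match as well, though it is benign for a socketpair to a child of the same profile.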
--- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/groups/steam/steam @@ -17,15 +17,16 @@ # ├── steam-gameoverlayui # Steam game overlay # └── steamerrorreporter # Error reporter -abi , +abi , include -@{arch} = amd64 i386 -@{runtime} = SteamLinuxRuntime_sniper +@{domain} = org.chromium.Chromium +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} steam-runtime-steamrt @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64 +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{lib_dirs}/steam-runtime-steamrt @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh @@ -40,13 +41,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability sys_ptrace, network inet dgram, - network inet6 dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, network unix, @@ -54,7 +56,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace read, ptrace trace peer=steam, - signal send peer=steam-game, + signal send peer=steam-game-{native,proton}, signal send peer=steam-launcher, signal send peer=steam//journalctl, signal send peer=steam//web, 
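Review bot: `@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64` appends `steamrt64` as a bare relative value, unlike the first member which is rooted in `@{share_dirs}`; every rule built on the variable (`@{lib_dirs}/** mr`, `@{lib_dirs}/steam* rix`, the `rpx` transitions, and `@{runtime_dirs}`, which is derived from it) therefore expands to `steamrt64/...`, which as far as I know apparmor_parser refuses as a non-absolute path or, at best, never matches, leaving the new runtime directory uncovered. Presumably `@{share_dirs}/steamrt64` was meant, mirroring how `@{runtime_dirs}` gained `@{lib_dirs}/steam-runtime-steamrt` in the same hunk.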
@@ -65,44 +67,56 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} rix, @{coreutils_path} rix, + @{open_path} rPx -> child-open, @{bin}/getopt rix, @{bin}/journalctl rPx -> systemctl, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, @{bin}/lspci rCx -> lspci, + @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @{bin}/xdg-user-dir rix, + @{bin}/xz rix, + @{bin}/zenity rix, @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-linux.so* rix, - @{open_path} rPx -> child-open, - @{lib_dirs}/** mr, - @{lib_dirs}/*driverquery rix, - @{lib_dirs}/fossilize_replay rpx, - @{lib_dirs}/gameoverlayui rpx, - @{lib_dirs}/reaper rpx, # steam-runtime - @{lib_dirs}/steam* rix, + @{lib_dirs}/** mr, + @{lib_dirs}/*driverquery rix, + @{lib_dirs}/fossilize_replay rpx, # steam-fossilize + @{lib_dirs}/gameoverlayui rpx, # steam-gameoverlayui + @{lib_dirs}/reaper rpx, # steam-runtime + @{lib_dirs}/steam* rix, @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime, - @{share_dirs}/linux{32,64}/steamerrorreporter rpx, + @{share_dirs}/linux{32,64}/steamerrorreporter rpx, # steamerrorreporter - @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, - @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - @{runtime_dirs}/*entry-point rix, - @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, - @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, - @{runtime_dirs}/run{,.sh} rix, - 
@{runtime_dirs}/setup.sh rix, + @{runtime_dirs}/*entry-point rix, + @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-dialog{,-ui} rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-input-monitor rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launch-* rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, # steam-launcher + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-libcurl-* rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, + @{runtime_dirs}/run{,.sh} rix, + @{runtime_dirs}/setup.sh rix, @{lib}/os-release rk, @@ -111,16 +125,18 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/lsb-release r, /etc/machine-id r, /etc/timezone r, + /var/lib/dbus/machine-id r, + / r, @{bin}/ r, @{lib}/ r, - / r, /etc/ r, /home/ r, /usr/ r, /usr/local/ r, /usr/local/lib/ r, + /var/ r, /var/tmp/ r, 
@@ -131,7 +147,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.steampid rw, owner @{share_dirs}/ rw, - owner @{share_dirs}/** rwkl -> @{share_dirs}/**, + owner @{share_dirs}/** rwlk -> @{share_dirs}/**, owner @{user_games_dirs}/ rw, owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**, @@ -141,7 +157,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/cef_user_data/{,**} r, owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw, - owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm, + owner @{user_config_dirs}/cef_user_data/WidevineCdm/** mrw, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, 
@@ -150,32 +166,34 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, @{tmp}/ r, + owner @{tmp}/#@{int} rw, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, owner @{tmp}/glx-icds-@{rand6}/{,**} rw, owner @{tmp}/runtime-info.txt.@{rand6} rwk, - owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/steam/ rw, owner @{tmp}/steam/** rwk, + owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + owner @{tmp}/steam@{rand6} rwk, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex8} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - owner /dev/shm/ValveIPCSHM_@{uid} rw, owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/ r, @{sys}/bus/ r, 
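Review bot: `owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw` is the only shm rule in this block written with the `@{att}` prefix; the neighbouring `owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk` and friends are plain paths. If the object shows up disconnected because Steam opens it from inside the pressure-vessel namespace, the sibling objects opened from the same place will need the prefix too; if `@{att}` already expands to include `/`, the prefix is harmless but a one-line comment saying which namespace it is reached from would avoid the guesswork. Minor: `owner @{tmp}/steam@{rand6} rwk` lands after the `vdpau-drivers` rule, breaking the otherwise alphabetical order of the block.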
@@ -185,15 +203,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/ r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/input/input@{int}/properties r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r, @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r, @{sys}/devices/system/ r, @{sys}/devices/system/cpu/cpu@{int}/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -209,7 +227,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/net/* r, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/stat r, @{PROC}/1/cgroup r, @{PROC}/locks r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @@ -229,7 +246,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, - /dev/uinput w, deny /opt/** r, 
@@ -237,46 +253,51 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include include include + include + capability dac_override, capability dac_read_search, capability sys_chroot, network inet dgram, - network inet6 dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, ptrace trace peer=steam//web, - signal receive set=kill peer=steam, + signal receive set=(cont kill term) peer=steam, unix receive type=stream, - @{bin}/ldconfig rix, @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/true rix, + @{sbin}/ldconfig rix, @{bin}/localedef rix, @{bin}/readlink rix, + @{bin}/true rix, - @{lib_dirs}/** mr, - @{lib_dirs}/steamwebhelper rix, - @{lib_dirs}/steamwebhelper_sniper_wrap.sh rix, + @{lib_dirs}/** mr, + @{lib_dirs}/steamwebhelper rix, + @{lib_dirs}/steamwebhelper_sniper_wrap.sh rix, - @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr, - @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr, @{lib}/pressure-vessel/from-host/** rix, @{run}/host/@{bin}/* rix, @{run}/host/@{lib}/** rix, @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/config/htmlcache/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/linux{32,64}/steamclient.so mr, @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, 
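Review bot: `@{share_dirs}/linux{32,64}/steamclient.so mr,` appears to be already covered by `@{lib_dirs}/** mr,` a few lines above, because elsewhere in this commit `@{lib_dirs}` is defined as `@{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}`; if the steam profile uses the same definition the new line is redundant and should go, otherwise a comment on why it needs a separate rule would help. Separately, `signal receive set=(cont kill term) peer=steam,` widens the old kill-only rule — sensible for a child that must be paused and stopped by its parent, but a short comment naming the Steam component that sends `cont`/`term` would make the widening reviewable. The enclosing subprofile starts and ends outside this hunk.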
@@ -287,37 +308,34 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/ r, /usr/local/lib/ r, /var/tmp/ r, + /home/ r, owner /bindfile@{rand6} rw, owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{HOME}/ r, owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, + owner @{share_dirs}/clientui/** k, owner @{share_dirs}/config/** rwk, owner @{share_dirs}/logs/** rwk, - owner @{share_dirs}/clientui/** k, owner @{share_dirs}/public/** k, @{tmp}/ r, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6} rw, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6}/{,**} rw, owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, - /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.com.valvesoftware.Steam.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, 
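Review bot: The five `owner @{HOME}/.pki/nssdb/...` rules (pkcs11.txt, cert9.db, key4.db and their journals) are removed and the only replacement is `owner @{HOME}/ r,`, which lists the home directory but grants nothing under `.pki/`. If the NSS database is now meant to come from an abstraction added earlier in the commit, a comment at this spot saying so would help; otherwise the CEF-based web helper may lose its certificate/key store and client-certificate logins in the embedded browser may fail. `/home/ r,` and `owner @{HOME}/ r,` are also unexplained new permissions; a one-line comment on the observed access (`# CEF lists the home directory at startup`, if that is the cause) would justify them. The enclosing subprofile starts and ends outside this hunk.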
@@ -327,17 +345,17 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/pressure-vessel/** r, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/class/*/ r, @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, + @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, @{PROC}/ r, + @{PROC}/version r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @@ -349,9 +367,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/status r, + /dev/ r, /dev/hidraw@{int} rw, /dev/tty rw, + @{att}/dev/dri/renderD128 rw, + include if exists } @@ -360,15 +381,17 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability dac_override, capability dac_read_search, + capability sys_ptrace, unix receive type=stream, @{bin}/true rix, - @{lib_dirs}/** mr, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr, - @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix, + @{lib_dirs}/** mr, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix, / r, @@ -377,7 +400,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/ r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, include if exists } diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/groups/steam/steam-fossilize similarity index 90% rename from apparmor.d/profiles-s-z/steam-fossilize rename to apparmor.d/groups/steam/steam-fossilize index b33c90d8b..a5dd65b7c 100644 --- a/apparmor.d/profiles-s-z/steam-fossilize 
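Review bot: `@{att}/dev/dri/renderD128 rw,` hard-codes the first DRM render node; on hybrid-graphics or multi-GPU hosts the node a process opens can be `renderD129` or higher, so this rule will produce denials there. The rest of the file already uses `@{int}` for numbered device names (for example `card@{int}` and `tty@{int}`), so `@{att}/dev/dri/renderD@{int} rw,` keeps the same shape and covers every node. The enclosing subprofile starts before this hunk.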
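Review bot: `capability sys_ptrace,` is added to the steam-runtime-check-requirements subprofile with no accompanying `ptrace` rule and no comment, and the only related change in the hunk is reading `@{PROC}/1/cgroup` instead of `@{PROC}/@{pid}/cgroup`. If the need is to read another process's `/proc` entries, the AppArmor `ptrace read peer=...` rule (the form the systemd generators in this same commit use) is the narrower mechanism; if the capability is really required inside the bwrap user namespace, a comment saying so (`# sys_ptrace: needed inside the pressure-vessel userns`) would keep it from being removed in a later cleanup. The subprofile starts and ends outside the hunk.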
+++ b/apparmor.d/groups/steam/steam-fossilize @@ -2,12 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -40,11 +39,13 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/@{pids}/statm r, + @{PROC}/@{pid}/statm r, @{PROC}/pressure/io r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny network inet stream, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/groups/steam/steam-game-native similarity index 75% rename from apparmor.d/profiles-s-z/steam-game-native rename to apparmor.d/groups/steam/steam-game-native index 9453076ea..ba06d56a4 100644 --- a/apparmor.d/profiles-s-z/steam-game-native +++ b/apparmor.d/groups/steam/steam-game-native @@ -2,12 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
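Review bot: `deny network inet stream,` silences only IPv4 TCP; `inet6 stream` (and the dgram variants) are left to the implicit default denial, which is functionally equivalent but will still be logged as ordinary denials and is inconsistent with the way every other profile in this commit pairs `inet` and `inet6` rules. If the intent is to document that the shader pre-compiler has no business on the network, `deny network inet stream, deny network inet6 stream,` (or `deny network inet, deny network inet6,` if datagram sockets are unwanted too) states that intent completely. The profile body continues outside the hunk.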
@@ -19,20 +18,20 @@ profile steam-game-native @{exec_path} flags=(attach_disconnected) { include network inet dgram, - network inet6 dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, network unix stream, signal receive peer=steam, - @{exec_path} rmix, + @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, - @{app_dirs}/** mr, - @{lib_dirs}/** mr, + @{app_dirs}/** mr, + @{lib_dirs}/** mr, include if exists } diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton similarity index 66% rename from apparmor.d/profiles-s-z/steam-game-proton rename to apparmor.d/groups/steam/steam-game-proton index 49a668996..1b094c2a3 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -2,24 +2,26 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 -@{runtime} = SteamLinuxRuntime_sniper +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap -profile steam-game-proton @{exec_path} flags=(attach_disconnected) { +profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { include include include include + include + capability dac_override, capability dac_read_search, network inet dgram, 
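Review bot: The profile flags change from `(attach_disconnected)` to `(attach_disconnected,complain)`, which turns the Proton game sandbox into log-only mode: every rule that follows becomes advisory and any access not listed is permitted and merely audited. There is no comment explaining why, so a reader cannot tell whether this is a temporary rule-collection phase or a decision that Proton cannot be confined yet; add one next to the flags, e.g. `# complain: pressure-vessel rule set still being collected`, and make sure builds that enforce the other steam profiles treat this one deliberately. The rule body of the profile continues outside this hunk.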
@@ -29,21 +31,29 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { network unix stream, signal receive peer=steam, + unix, @{exec_path} mr, @{bin}/bwrap mrix, + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/env rix, + @{bin}/chmod rix, + @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, + @{bin}/ln rix, @{bin}/localedef rix, - @{bin}/python3.@{int} rix, + @{bin}/mkdir rix, @{bin}/readlink rix, + @{bin}/rm rix, @{bin}/steam-runtime-launcher-interface-@{int} rix, @{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-urlopen rix, @{bin}/true rix, - @{bin}/chmod rix, + @{python_path} rix, @{open_path} rix, @{lib_dirs}/** mr, @@ -51,14 +61,17 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { @{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - @{app_dirs}/** mr, - @{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, - @{app_dirs}/Proton*/files/@{bin}/* rix, - @{app_dirs}/Proton*/files/@{lib}/** rix, - @{app_dirs}/Proton*/proton rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, + # TODO stack with steam ? rpx -> steam-game-proton&//steam, + @{runtime_dirs}/run.sh rix, + @{runtime_dirs}/@{arch}@{bin}/steam-runtime-identify-library-abi rix, + @{runtime_dirs}/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/run.sh rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-identify-library-abi rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, - @{run}/host/@{bin}/ldconfig rix, + @{app_dirs}/** mrix, + + @{run}/host/@{sbin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @{run}/host/@{lib}/** mr, 
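Review bot: The bare `unix,` rule grants every Unix-domain socket operation (create, bind, listen, connect, send, receive) with any type and any peer, replacing the `network unix stream` shape used by the sibling steam profiles. For a profile that wraps an arbitrary game under bwrap this is the rule an escaped process would use over any socket it can reach; if the observed need is the launcher/steam IPC, `unix (connect, send, receive) type=stream peer=(label=steam),` or at minimum `unix type=stream,` is much narrower. `@{bin}/rm rix,` and `@{bin}/chmod rix,` are also new inline executions — plausible for runtime setup, but a comment naming the step that runs `rm` would help the next reviewer. The profile body continues outside the hunk.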
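Review bot: `@{app_dirs}/** mrix,` replaces six targeted rules with a blanket one: every file under `steamapps/common/` — user-writable game data installed from Steam — may now be mmap'ed and executed inline under this profile, inheriting its capabilities. The old rules at least limited inline execution to `pressure-vessel-*`, `Proton*/files/{bin,lib}` and `proton`; if the blanket grant is driven by the Proton/wine tree, keep `mr` broad but restrict `ix`, e.g. `@{app_dirs}/** mr,` plus `@{app_dirs}/Proton*/{proton,files/**} rix,`, and note the remaining exceptions in the `# TODO stack with steam` comment, which is the right place to record why a clean separation is not yet possible. The profile continues outside the hunk.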
@@ -72,28 +85,23 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { owner /var/pressure-vessel/** rw, owner /var/cache/ldconfig/aux-cache* rw, + owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, + owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/* rw, owner @{app_dirs}/Proton*/** rwkl, owner @{share_dirs}/*.dll r, owner @{share_dirs}/bin/ r, + owner @{share_dirs}/installscriptevalutor_log.txt rw, owner @{share_dirs}/legacycompat/ r, owner @{share_dirs}/legacycompat/** mr, owner @{share_dirs}/steamapps/compatdata/{,**} rwk, - owner @{user_share_dirs}/applications/wine/ rw, - owner @{user_share_dirs}/applications/wine/**/ rw, - - owner @{tmp}/.wine-@{uid}/ rw, - owner @{tmp}/.wine-@{uid}/** rwk, owner @{tmp}/glx-icds-@{rand6}/{,**} w, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w, - owner /dev/shm/wine-@{hex6}-fsync rw, - owner /dev/shm/wine-@{hex6}@{h}-fsync rw, - @{run}/host/fonts/{,**} r, @{run}/host/share/{,**} r, @{run}/host/usr/{,**} r, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/groups/steam/steam-gameoverlayui similarity index 91% rename from apparmor.d/profiles-s-z/steam-gameoverlayui rename to apparmor.d/groups/steam/steam-gameoverlayui index bbe2452e2..278b47e98 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/groups/steam/steam-gameoverlayui @@ -2,12 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
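Review bot: The `.wine-@{uid}`, `applications/wine` and `/dev/shm/wine-*-fsync` rules are removed, but nothing in this hunk transitions wine to another profile and no replacement path appears, so unless these locations are now provided by an added abstraction the wine prefix and fsync shared memory will be denied — and, if this profile is currently in complain mode as its flags elsewhere in the file suggest, the denials will only show up in the log rather than as breakage. If the rules belong to a different profile, a comment at the removal site naming it would help; if they were removed as unused, the commit message should say on what evidence. The profile continues outside the hunk.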
@@ -18,11 +17,13 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, network inet6 stream, - network unix stream, + + unix, @{exec_path} mr, @@ -48,6 +49,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { owner @{share_dirs}/resource/{,**} rk, owner @{share_dirs}/userdata/@{int}/{,**} rk, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, + owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/groups/steam/steam-launch similarity index 63% rename from apparmor.d/profiles-s-z/steam-launch rename to apparmor.d/groups/steam/steam-launch index 877181b61..321c9c9c5 100644 --- a/apparmor.d/profiles-s-z/steam-launch +++ b/apparmor.d/groups/steam/steam-launch @@ -2,12 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
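Review bot: `network unix stream,` is replaced by a bare `unix,`, the broadest form — all socket types, all operations, any peer — for a process whose job is drawing the in-game overlay. If the denial that motivated this was a datagram or seqpacket socket, `unix type=(stream, dgram),` keeps the restriction; if it was a specific peer, `unix type=stream peer=(label=steam),` does. A short comment on the observed access would let the rule be tightened later. The profile body continues outside the hunk.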
@@ -23,20 +22,37 @@ profile steam-launch @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/cat rix, + @{bin}/cmp rix, @{bin}/cp rix, @{bin}/dirname rix, @{bin}/env rix, @{bin}/id rix, @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/rmdir rix, @{lib}/steam/steam rix, @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, + @{lib_dirs}/** mr, + + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/* r, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, + /usr/ r, /usr/local/ r, owner @{share_dirs}/bootstrap.tar.xz rw, + owner @{share_dirs}/logs/ r, + owner @{share_dirs}/logs/* rwk, + + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/ rw, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/fifo rw, + + owner @{PROC}/@{pid}/fd/@{int} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/groups/steam/steam-launcher similarity index 90% rename from apparmor.d/profiles-s-z/steam-launcher rename to apparmor.d/groups/steam/steam-launcher index 45fa30245..e73b30d1a 100644 --- a/apparmor.d/profiles-s-z/steam-launcher +++ b/apparmor.d/groups/steam/steam-launcher @@ -2,12 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -24,7 +23,7 @@ profile steam-launcher @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{lib_dirs}/** mr, - + include if exists } diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/groups/steam/steam-runtime similarity index 79% rename from apparmor.d/profiles-s-z/steam-runtime rename to apparmor.d/groups/steam/steam-runtime index 5d6d0f856..543324c0f 100644 
--- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/groups/steam/steam-runtime @@ -2,12 +2,12 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 -@{runtime} = SteamLinuxRuntime_sniper +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -22,11 +22,13 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { include include + network inet stream, + network inet6 stream, network unix stream, @{exec_path} mr, - @{sh_path} r, + @{sh_path} rix, @{bin}/getopt rix, @{bin}/readlink rix, @@ -34,15 +36,13 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/steam-launch-wrapper rix, # Native linux games (steam-game-native) - @{app_dirs}/[^S]*/** rpx -> steam-game-native, + @{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/** # Proton games, sandboxed (steam-game-proton) @{app_dirs}/@{runtime}/*entry-point rmix, @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-platform rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton, @{app_dirs}/@{runtime}/run rix, @{bin}/bwrap rpx -> steam-game-proton, 
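Review bot: `network inet stream,` and `network inet6 stream,` are new grants for the steam-runtime dispatcher, whose visible job in this file is to locate the runtime and hand off to `steam-game-native`/`steam-game-proton`; nothing in the hunk shows which step opens a TCP socket. If a child tool executed with `rix` needs it, consider giving that tool its own profile rather than widening the dispatcher; otherwise a comment next to the rules (`# TCP: <tool> talks to the Steam client`) would justify the change. The profile body continues outside the hunk.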
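Review bot: `@{app_dirs}/[^S]*/** rpx -> steam-game-native,` negates only the first character, so any game whose install directory starts with a capital `S` never matches and is not transitioned to `steam-game-native`; the new trailing comment `# Only for @{app_dirs}/@{runtime}/**` reads as if the rule were restricted to the runtime directory, which is the opposite of its effect. The exclusion presumably exists to avoid an exec-modifier conflict with the `@{app_dirs}/@{runtime}/...` rules below, so a plain `@{app_dirs}/*/**` would not parse; the honest fix is either a spelled-out exclusion of the `SteamL` prefix, something like `@{app_dirs}/{[^S]*,S[^t]*,St[^e]*,Ste[^a]*,Stea[^m]*,Steam[^L]*}/**`, or a comment stating plainly that titles beginning with `S` currently run without the native-game profile. The profile continues outside the hunk.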
@@ -51,16 +51,20 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{lib}/ r, @{lib_dirs}/ r, + owner @{HOME}/ r, owner @{HOME}/.steam/steam.pipe r, owner @{app_dirs}/*/ r, - owner @{app_dirs}/config/config.vdf rw, + owner @{app_dirs}/config/config.vdf{,.*} rw, owner @{app_dirs}/@{runtime}/** r, owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, - owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, + owner @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/** rwk, owner @{app_dirs}/@{runtime}/var/** rwk, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, - owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**, + + owner @{share_dirs}/config/config.vdf{,.*} rw, + owner @{share_dirs}/steamapps/appmanifest_* rw, owner @{tmp}/ r, owner @{tmp}/#@{int} rw, @@ -76,6 +80,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/steam/steam-runtime-steam-remote b/apparmor.d/groups/steam/steam-runtime-steam-remote new file mode 100644 index 000000000..b7d5f2b15 --- /dev/null +++ b/apparmor.d/groups/steam/steam-runtime-steam-remote 
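Review bot: `owner @{app_dirs}/config/config.vdf{,.*} rw,` survives next to the new `owner @{share_dirs}/config/config.vdf{,.*} rw,`, but with `@{app_dirs}` defined as `@{share_dirs}/steamapps/common/` (as in the sibling profiles of this commit) the first path is `steamapps/common/config/config.vdf`, a location Steam does not appear to use; the `@{share_dirs}` rule looks like the correction, so the old line should be dropped rather than both kept. `owner @{share_dirs}/steamapps/appmanifest_* rw,` also lets the dispatcher rewrite every app manifest; if only the launched app's manifest is touched, a comment recording that the wildcard is unavoidable (the app id is not known to the profile) would justify the breadth. The profile continues outside the hunk.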
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ + +@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote +profile steam-runtime-steam-remote @{exec_path} flags=(attach_disconnected,complain) { + include + + @{exec_path} mr, + + @{runtime_dirs}/** mr, + + owner @{HOME}/.steam/steam.pipe rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter similarity index 87% rename from apparmor.d/profiles-s-z/steamerrorreporter rename to apparmor.d/groups/steam/steamerrorreporter index 3e206e898..d438c604d 100644 --- a/apparmor.d/profiles-s-z/steamerrorreporter +++ b/apparmor.d/groups/steam/steamerrorreporter @@ -2,12 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{arch} = amd64 i386 -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -28,15 +27,13 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.steam/steam.pipe r, - owner @{lib_dirs}/{,**} r, + owner @{lib_dirs}/{,**} r, owner @{runtime_dirs}/pinned_libs_{32,64}/ r, owner @{share_dirs}/ r, owner @{tmp}/dumps/ r, owner @{tmp}/dumps/*_log.txt rw, - owner @{PROC}/@{pid}/status r, - include if exists } 
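Review bot: The new `steam-runtime-steam-remote` profile is created directly with `flags=(attach_disconnected,complain)` and no comment, so the three rules it carries are advisory from day one. `@{runtime_dirs}/** mr,` also maps the whole runtime tree, although the only executable here is `steam-runtime-steam-remote` and its libraries presumably live under `@{runtime_dirs}/@{lib}/**`. Either document the flag (`# complain: new profile, rules still being collected`) so it is not forgotten when the other steam profiles are enforced, or, if the tool's only work is writing commands to `steam.pipe`, drop the flag and let the logged denials drive the remaining rules.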
diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-bless-boot rename to apparmor.d/groups/systemd-generators/systemd-generator-bless-boot index e09b01d5a..32e2aac65 100644 --- a/apparmor.d/groups/systemd/systemd-generator-bless-boot +++ b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init similarity index 78% rename from apparmor.d/groups/systemd/systemd-generator-cloud-init rename to apparmor.d/groups/systemd-generators/systemd-generator-cloud-init index d57de673b..698a4fcb9 100644 --- a/apparmor.d/groups/systemd/systemd-generator-cloud-init +++ b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/ln rix, @{bin}/mkdir rix, @{bin}/systemd-detect-virt rPx, @{lib}/cloud-init/ds-identify rPUx, @@ -22,6 +23,9 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) { @{run}/cloud-init/ w, @{run}/cloud-init/cloud-init-generator.* rw, @{run}/cloud-init/disabled w, + @{run}/cloud-init/enabled w, + @{run}/systemd/generator.early/multi-user.target.wants/ w, + @{run}/systemd/generator.early/multi-user.target.wants/cloud-init.target w, @{PROC}/cmdline r, 
diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-cryptsetup rename to apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup index e29178fbd..1979dba1d 100644 --- a/apparmor.d/groups/systemd/systemd-generator-cryptsetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-debug rename to apparmor.d/groups/systemd-generators/systemd-generator-debug index 2d83cc0ba..4ce9d2974 100644 --- a/apparmor.d/groups/systemd/systemd-generator-debug +++ b/apparmor.d/groups/systemd-generators/systemd-generator-debug @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify similarity index 89% rename from apparmor.d/groups/systemd/systemd-generator-ds-identify rename to apparmor.d/groups/systemd-generators/systemd-generator-ds-identify index b88d2387f..daa877efe 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,15 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { include include - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @{sh_path} rix, - @{bin}/blkid rPx, + @{bin}/{,e}grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, + @{sbin}/blkid rPx, /etc/cloud/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-environment-arch rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-arch index 6311ad9c4..738144547 100644 --- a/apparmor.d/groups/systemd/systemd-generator-environment-arch +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-environment-flatpak rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak index e03b70cca..a4ba2afe1 100644 --- a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd similarity index 50% rename from apparmor.d/profiles-s-z/snap-repair rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd index d5f282ffa..b18bd6bd5 100644 --- a/apparmor.d/profiles-s-z/snap-repair 
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd @@ -2,17 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/snapd/snap-repair -profile snap-repair @{exec_path} { +@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator +profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery new file mode 100644 index 000000000..1af9fe22f --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/friendly-recovery +profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cat rix, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab similarity index 89% rename from apparmor.d/groups/systemd/systemd-generator-fstab rename to apparmor.d/groups/systemd-generators/systemd-generator-fstab index 075c5c6af..193ff22af 100644 --- a/apparmor.d/groups/systemd/systemd-generator-fstab +++ b/apparmor.d/groups/systemd-generators/systemd-generator-fstab @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
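Review bot: Git reports this as a 50%-similar rename, but `snap-repair` (`@{lib}/snapd/snap-repair`) and the `snapd-env-generator` environment generator are unrelated programs, so the net effect is that the `snap-repair` profile is deleted. If that is intended it deserves a line in the commit message, since snap-repair will fall back to unconfined (or to whatever default the full-system policy applies) on hosts that still ship it; if it is not, keep the old file and add the generator as a new one. The new `systemd-generator-environment-snapd` profile itself is consistent with the other environment generators here (`attach_disconnected`, a single `@{exec_path} mr,`).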
@@ -13,12 +13,13 @@ profile systemd-generator-fstab @{exec_path} { capability dac_override, capability dac_read_search, + capability mknod, @{exec_path} mr, /etc/fstab r, - @{run}/systemd/generator/** w, + @{run}/systemd/generator/** rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty similarity index 98% rename from apparmor.d/groups/systemd/systemd-generator-getty rename to apparmor.d/groups/systemd-generators/systemd-generator-getty index 92b5a4ffa..0eadabec8 100644 --- a/apparmor.d/groups/systemd/systemd-generator-getty +++ b/apparmor.d/groups/systemd-generators/systemd-generator-getty @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto similarity index 95% rename from apparmor.d/groups/systemd/systemd-generator-gpt-auto rename to apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 613380b43..4bf0092d0 100644 --- a/apparmor.d/groups/systemd/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,8 +17,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, / r, - /boot/ r, - /efi/ r, + @{efi}/ r, /etc/fstab r, /usr/ r, diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-hibernate-resume rename to apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume index dbfee2fcd..7c5e9ec80 100644 --- a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume 
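Review bot: `capability mknod,` is a new grant to the fstab generator with no comment saying which operation triggered it; CAP_MKNOD allows creating device nodes, well beyond writing unit files under `@{run}/systemd/generator/`. If the need is confirmed from a logged denial, record it next to the rule (`# mknod: <what the generator creates>`), and check whether the same denial is actually addressed by `@{run}/systemd/generator/** rw,`, which this hunk also widens from write-only to read-write. The profile body continues outside the hunk.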
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import new file mode 100644 index 000000000..de3753aaf --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator +profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { + include + + capability sys_ptrace, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + / r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-integritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-integritysetup index 9eb46a451..72ef28061 100644 --- a/apparmor.d/groups/systemd/systemd-generator-integritysetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn new file mode 100644 index 000000000..780c63d56 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn 
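Review bot: `capability sys_ptrace,` is granted to the new import-generator profile, whereas the `systemd-rc-local-generator` profile added in this same commit reads the same `@{PROC}/1/environ` and `@{PROC}/1/cgroup` entries with only `ptrace read peer=@{p_systemd},`. Reading another process's `/proc/<pid>/environ` is mediated by the AppArmor ptrace rule, so the capability is likely unnecessary and the two profiles should agree; if a denial really named CAP_SYS_PTRACE, a comment explaining the difference (`# sys_ptrace: <observed denial>`) would stop the next cleanup from removing it.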
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator +profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/ls ix, + @{bin}/mkdir ix, + + /etc/default/openvpn r, + /etc/openvpn/ r, + + @{run}/systemd/generator/openvpn.service.wants/{,**} w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree similarity index 95% rename from apparmor.d/groups/systemd/systemd-generator-ostree rename to apparmor.d/groups/systemd-generators/systemd-generator-ostree index c38e3690b..ce2ecaf43 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ostree +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ostree @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator +@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator profile systemd-generator-ostree @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local new file mode 100644 index 000000000..3e8bec6c5 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local 
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-rc-local-generator +profile systemd-generator-rc-local @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd-generators/systemd-generator-run similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-run rename to apparmor.d/groups/systemd-generators/systemd-generator-run index 272073edc..39c8b0fd6 100644 --- a/apparmor.d/groups/systemd/systemd-generator-run +++ b/apparmor.d/groups/systemd-generators/systemd-generator-run @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd new file mode 100644 index 000000000..8544a7938 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-snapd @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/snapd-generator +profile systemd-generator-snapd @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{PROC}/1/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh new file mode 100644 index 000000000..0f6aa11d9 --- /dev/null 
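Review bot: systemd-generator-snapd grants only `@{PROC}/1/mountinfo r,` and no write access under `@{run}/systemd/generator/`, which every other generator profile in this commit that emits units carries. If snapd-generator writes mount units or drop-ins in some configurations (I cannot confirm that from the diff), those writes will be denied in enforce mode; either confirm from the logs that it is read-only, or add a comment such as `# Only inspects mountinfo; emits no units` so the omission reads as deliberate.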
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator +profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { + include + + capability net_admin, + + network vsock stream, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sbin}/sshd r, + + @{run}/ r, + @{run}/systemd/ r, + @{run}/systemd/generator/ r, + @{run}/systemd/generator/sockets.target.wants/ rw, + @{run}/systemd/generator/sockets.target.wants/*.socket w, + @{run}/systemd/generator/sshd-*.service w, + @{run}/systemd/generator/sshd-*.socket rw, + @{run}/systemd/system/ r, + @{run}/systemd/transient/ r, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/firmware/dmi/entries/*/raw r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + /dev/vsock r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket new file mode 100644 index 000000000..f08df7d90 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket 
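Review bot: The five `@{sys}/devices/virtual/dmi/id/...` rules in systemd-generator-ssh could be folded with brace expansion the way bootctl does in this same commit, `@{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,` and `@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,`, which keeps the two profiles consistent. Separately, `capability net_admin,` and `network vsock stream,` in a boot-time generator deserve a one-line comment on what they are for, since the generator is expected only to write socket units.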
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/sshd-socket-generator +profile systemd-generator-sshd-socket @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, + + @{run}/systemd/generator/ssh.socket.d/{,*} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update similarity index 87% rename from apparmor.d/groups/systemd/systemd-generator-system-update rename to apparmor.d/groups/systemd-generators/systemd-generator-system-update index f9d09d634..9767a2e72 100644 --- a/apparmor.d/groups/systemd/systemd-generator-system-update +++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) @{exec_path} mr, - @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/status r, include if exists } diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv new file mode 100644 index 000000000..fc290fca4 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-sysv 
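Review bot: systemd-generator-system-update widens `@{PROC}/@{pid}/cgroup r,` to `@{PROC}/@{pids}/cgroup r,` and adds `@{PROC}/@{pids}/status r,`, i.e. read access to the cgroup and status of every process on the system. If the generator only inspects itself and PID 1, as the other generators here do, `@{PROC}/{@{pid},1}/{cgroup,status} r,` is the least-privilege form; if it genuinely walks all processes, a comment saying so would stop the next reviewer from narrowing it back. The profile block begins outside the hunk.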
@@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-sysv-generator +profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + /etc/init.d/{,**} r, + /etc/rc@{int}.d/{,**} r, + + @{run}/systemd/generator.late/** w, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 new file mode 100644 index 000000000..ee5d924cc --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator +profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sys}/class/tpmrm/ r, + @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart similarity index 83% rename from apparmor.d/groups/systemd/systemd-generator-user-autostart rename to apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index 95dab2026..ff4c74664 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-autostart 
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -2,14 +2,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator -profile systemd-generator-user-autostart @{exec_path} { +profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include + include include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment similarity index 85% rename from apparmor.d/groups/systemd/systemd-generator-user-environment rename to apparmor.d/groups/systemd-generators/systemd-generator-user-environment index 1abceb364..27db22078 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment @@ -2,16 +2,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/user-environment-generators/* -profile systemd-generator-user-environment @{exec_path} { +profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) { include include include + capability net_admin, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup similarity index 97% rename from apparmor.d/groups/systemd/systemd-generator-veritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-veritysetup index a0084a26b..97776312f 100644 --- a/apparmor.d/groups/systemd/systemd-generator-veritysetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
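Review bot: `capability net_admin,` is added to systemd-generator-user-environment, whose `@{exec_path}` is the glob `@{lib}/systemd/user-environment-generators/*`, so the capability rule now applies to every environment generator installed by any package, including shell scripts run through `@{sh_path} rix,`. It is worth a comment naming the operation that triggered it, e.g. `capability net_admin, # TODO(review): record the syscall from the audit log`, so the grant is not cargo-culted into further generator profiles. The profile block continues outside the hunk.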
diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service new file mode 100644 index 000000000..1b585c0cc --- /dev/null +++ b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/bash -c 'read args <&3; echo "args=$args"; \ +# exec /usr/bin/cloud-init devel hotplug-hook $args; \ +# exit 0' + +abi , + +include + +profile cloud-init-hotplugd.service { + include + + @{sh_path} ix, + @{bin}/cloud-init Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service new file mode 100644 index 000000000..9f8e235cf --- /dev/null +++ b/apparmor.d/groups/systemd-service/debug-shell.service @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=/usr/bin/bash + +abi , + +include + +profile debug-shell.service { + include + + all, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service new file mode 100644 index 000000000..0a46f6ed9 --- /dev/null +++ b/apparmor.d/groups/systemd-service/dmesg.service 
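Review bot: `all,` in debug-shell.service makes the profile equivalent to unconfined while still carrying a label, which is presumably the intent for an emergency root shell but should be stated in the file, e.g. `# Emergency root shell: intentionally unrestricted, profile exists only to give the unit a label`. The `all` rule also needs the 4.0 ABI and parser; the `abi` include line is not legible in this diff, so confirm the profile declares that ABI rather than an older one.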
@@ -0,0 +1,63 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg +# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname +# ExecStartPost=/bin/chgrp adm /var/log/dmesg +# ExecStartPost=/bin/chmod 0640 /var/log/dmesg + +abi , + +include + +profile dmesg.service flags=(attach_disconnected) { + include + include + + capability chown, + capability fsetid, + capability sys_admin, + + ptrace read peer=@{p_systemd}, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chgrp rix, + @{bin}/chmod rix, + @{bin}/chown ix, + @{bin}/date ix, + @{bin}/dirname ix, + @{bin}/gzip ix, + @{bin}/gzip ix, + @{bin}/journalctl r, + @{bin}/ln ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/savelog rix, + @{bin}/touch ix, + + /etc/machine-id r, + + /var/log/ r, + /var/log/dmesg rw, + /var/log/dmesg.* rwl -> /var/log/dmesg, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, + + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service new file mode 100644 index 000000000..fc4de5edc --- /dev/null +++ b/apparmor.d/groups/systemd-service/grub-common.service 
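Review bot: dmesg.service lists `@{bin}/gzip ix,` twice; one of the two lines should go. More importantly, the unit only runs `journalctl --boot 0 --dmesg` against the journal, yet the profile grants `rw` on `system@...journal*` and `user-...journal*` files, whereas journalctl's own profile and loginctl in this same commit use `r` for the same paths; these should be `r` unless an audit log shows otherwise. `capability sys_admin,` likewise has no obvious counterpart in the four Exec lines quoted in the header and deserves a one-line justification.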
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' +# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail +# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' + +abi , + +include + +profile grub-common.service { + include + + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/grub-editenv rix, + @{bin}/mkdir ix, + @{bin}/rm ix, + + @{efi}/grub/ w, + @{efi}/grub/grubenv rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service new file mode 100644 index 000000000..f7d193e9e --- /dev/null +++ b/apparmor.d/groups/systemd-service/ldconfig.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /sbin/ldconfig -X + +abi , + +include + +profile ldconfig.service { + include + + @{lib}/ r, + @{sbin}/ldconfig r, + + /var/cache/ldconfig/aux-cache rw, + /var/cache/ldconfig/aux-cache~ rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service new file mode 100644 index 000000000..c3bfa7c32 --- /dev/null +++ b/apparmor.d/groups/systemd-service/man-db.service 
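Review bot: ldconfig.service runs `ldconfig -X`, which still rewrites the linker cache, but the profile only grants `/var/cache/ldconfig/aux-cache{,~} rw,` and `@{lib}/ r,` with nothing for `/etc/ld.so.cache`, its temporary file, or `/etc/ld.so.conf{,.d/*}`. Unless the (illegible) abstraction include supplies those, the service will be denied when it writes the cache; check an enforce-mode run and add `/etc/ld.so.cache{,~} rw,` and `/etc/ld.so.conf{,.d/{,*}} r,` if confirmed.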
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete +# ExecStart=/usr/bin/mandb --quiet + +abi , + +include + +profile man-db.service flags=(attach_disconnected) { + include + include + + @{bin}/find ix, + @{bin}/install ix, + @{bin}/mandb r, + + /usr/{,local/}share/man/{,**} r, + + /etc/man_db.conf r, + /etc/manpath.config r, + + /usr/share/man/{,**} r, + /usr/local/man/{,**} r, + /usr/local/share/man/{,**} r, + + /usr/{,share/}man/{,**} r, + /usr/local/{,share/}man/{,**} r, + + /usr/share/**/man/man@{u8}/*.@{int}.gz r, + + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service new file mode 100644 index 000000000..a951747be --- /dev/null +++ b/apparmor.d/groups/systemd-service/secureboot-db.service 
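Review bot: man-db.service carries seven overlapping man-page read rules; `/usr/{,share/}man/{,**} r,` and `/usr/local/{,share/}man/{,**} r,` between them already match every path covered by `/usr/{,local/}share/man/{,**}`, `/usr/share/man/{,**}`, `/usr/local/man/{,**}` and `/usr/local/share/man/{,**}`. Keep those two (plus the distinct `/usr/share/**/man/man@{u8}/*.@{int}.gz r,`) and drop the other four so the profile stays readable.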
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose + +abi , + +include + +profile secureboot-db.service flags=(complain) { + include + + @{bin}/chattr ix, + @{bin}/sbkeysync PUx, + + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service new file mode 100644 index 000000000..95f780b89 --- /dev/null +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile shadow.service flags=(attach_disconnected) { + include + include + + @{sh_path} rix, + @{sbin}/grpck Px -> &grpck, + @{sbin}/pwck Px -> &pwck, + + /etc/machine-id r, + /etc/shadow r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service new file mode 100644 index 000000000..ce819a791 --- /dev/null +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service 
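Review bot: secureboot-db.service runs `chattr -i` on the KEK/db/dbx efivars, and clearing the immutable flag needs CAP_LINUX_IMMUTABLE, which the profile does not grant; bootctl in this same commit adds `capability linux_immutable,` for the same kind of operation, so add it here as well. Also, `@{bin}/sbkeysync PUx,` falls back to running sbkeysync unconfined whenever no sbkeysync profile is loaded, which for a tool that writes the Secure Boot key databases is the case most worth noticing; prefer `rPx` with a dedicated profile, or document the fallback.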
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/mount /run -o remount,exec +# /bin/mkdir -p /run/initramfs +# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown + +abi , + +include + +profile snapd.system-shutdown.service { + include + + @{bin}/cp ix, + @{bin}/mkdir ix, + @{bin}/mount ix, + + @{lib}/snapd/system-shutdown r, + + @{run}/initramfs/ rw, + @{run}/initramfs/shutdown rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service new file mode 100644 index 000000000..4166cb76c --- /dev/null +++ b/apparmor.d/groups/systemd-service/system-update-cleanup.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=rm -fv /system-update /etc/system-update + +abi , + +include + +profile system-update-cleanup.service { + include + + @{bin}/rm ix, + + /etc/system-update w, + /system-update w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service new file mode 100644 index 000000000..00a62c933 --- /dev/null +++ b/apparmor.d/groups/systemd-service/usb_modeswitch.service @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile usb_modeswitch.service { + include + + @{sbin}/usb_modeswitch_dispatcher ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 2bd8c4c78..70a91197f 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
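Review bot: snapd.system-shutdown.service executes `mount /run -o remount,exec` (per the header comment), but the profile has only `@{bin}/mount ix,` and neither a mount rule nor `capability sys_admin,`; under a mount-mediating ABI the remount will be denied. Add `capability sys_admin,` and `mount options=(remount,exec) -> @{run}/,` unless the illegible abstraction include already provides them.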
@@ -2,42 +2,39 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} { +profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include include + capability linux_immutable, capability mknod, capability net_admin, + capability sys_rawio, + capability sys_resource, - signal (send) peer=child-pager, + signal send peer=child-pager, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, - /{boot,efi}/ r, - /{boot,efi}/EFI/{,**} r, - /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, - /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - /{boot,efi}/EFI/systemd/systemd-boot*.efi w, - /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, - /{boot,efi}/loader/.#entries.srel* w, - /{boot,efi}/loader/{,**} r, - /{boot,efi}/loader/entries.srel w, - /{boot,efi}/loader/random-seed w, + @{efi}/ r, + @{efi}/@{hex32}/ rw, + @{efi}/EFI/{,**} rwl, + @{efi}/loader/ rw, + @{efi}/loader/** rwl -> @{efi}/loader/#@{int}, + /etc/kernel/.#entry-token@{hex16} rw, + /etc/kernel/entry-token rw, /etc/machine-id r, /etc/machine-info r, 
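Review bot: bootctl gains `capability sys_rawio,` alongside `linux_immutable` and `sys_resource`, and CAP_SYS_RAWIO is the one that warrants a comment, since it unlocks raw block/port I/O rather than the EFI variable or ESP writes the rest of the hunk is about. If it came from an ioctl seen in the audit log, record it, e.g. `capability sys_rawio, # TODO(review): name the ioctl that needs it`; the new `@{efi}/EFI/{,**} rwl,` is also much wider than the per-file rules it replaces and would benefit from the same note. The profile block continues past the hunk.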
@@ -45,14 +42,15 @@ profile bootctl @{exec_path} { @{sys}/class/tpmrm/ r, + @{sys}/devices/pnp@{int}/**/tpm/tpm@{int}/tpm_version_major r, @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, @@ -62,15 +60,15 @@ profile bootctl @{exec_path} { @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, @{sys}/firmware/efi/fw_platform_size r, - @{PROC}/sys/kernel/random/poolsize r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/kernel/random/poolsize r, + owner @{PROC}/@{pid}/cgroup r, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index baf89561d..eed7080f8 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl 
@@ -2,17 +2,15 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/busctl -profile busctl @{exec_path} { +profile busctl @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include @@ -20,11 +18,11 @@ profile busctl @{exec_path} { capability net_admin, capability sys_ptrace, - ptrace (read), + ptrace read, - unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl, + unix bind type=stream addr=@@{udbus}/bus/busctl/busctl, - signal (send) set=(cont) peer=child-pager, + signal send set=cont peer=child-pager, dbus eavesdrop bus=accessibility, dbus eavesdrop bus=session, 
@@ -33,20 +31,40 @@ profile busctl @{exec_path} { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Monitoring + member=BecomeMonitor + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus send bus=system + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + dbus send bus=system + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 7c4149bee..06969ef47 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl 
@@ -3,13 +3,16 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/coredumpctl profile coredumpctl @{exec_path} flags=(complain) { include + include + include + include include capability dac_read_search, @@ -22,9 +25,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{bin}/gdb rCx -> gdb, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -33,9 +34,7 @@ profile coredumpctl @{exec_path} flags=(complain) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/* r, owner @{tmp}/*.coredump w, owner @{tmp}/core.* w, @@ -64,12 +63,12 @@ profile coredumpctl @{exec_path} flags=(complain) { /etc/inputrc r, /etc/gdb/** r, - + owner /var/tmp/coredump-* rw, @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl new file mode 100644 index 000000000..3c962e309 --- /dev/null +++ b/apparmor.d/groups/systemd/homectl 
@@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/homectl +profile homectl @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + capability net_admin, + capability sys_resource, + + signal send peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + + @{exec_path} mr, + + @{bin}/pkttyagent rpx, + + @{pager_path} rPx -> child-pager, + + /etc/machine-id r, + + owner @{PROC}/@{pids}/cgroup r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 47e7f531e..6b29e260d 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,11 +10,16 @@ include profile hostnamectl @{exec_path} { include include + include include capability net_admin, - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.hostname1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 4b5f11810..c852b3756 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
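Review bot: homectl uses `@{bin}/pkttyagent rpx,` with a lowercase `p`, which transitions without scrubbing the environment, whereas localectl in this same commit uses `@{bin}/pkttyagent rPx,`. Exec modifiers are case-sensitive, so unless the unscrubbed environment is intended for homectl, change it to `rPx` for consistency.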
@@ -20,14 +20,18 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal (receive) set=(term) peer=cockpit-bridge, - signal (send) peer=child-pager, + network netlink raw, + + signal receive set=kill peer=snapd, + signal receive set=term peer=cockpit-bridge, + signal send peer=child-pager, @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, + + @{bin}/* r, + @{sbin}/* r, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -35,6 +39,8 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/catalog/database rw, /var/lib/systemd/catalog/.#database* rw, + /var/log/dmesg w, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, @@ -49,6 +55,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/journal/io.systemd.journal rw, + @{run}/systemd/notify rw, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, @@ -57,7 +64,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { deny network inet stream, deny network inet6 stream, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 46f67b325..9792fb75f 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl 
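Review bot: journalctl gains `@{bin}/* r,` and `@{sbin}/* r,`, read access to every executable on the system, with no comment on which feature needs it; if it is for a specific lookup, scope it to that path, otherwise document it so it is not copied elsewhere. The later hunk's `/var/log/dmesg w,` presumably exists because dmesg.service sends journalctl's stdout to that file, which is also worth a one-line comment since journalctl itself never writes there. The profile block continues outside the hunk.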
@@ -2,25 +2,35 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} { +profile localectl @{exec_path} flags=(attach_disconnected) { include include + include capability net_admin, + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale1), + @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, + @{bin}/pkttyagent rPx, /usr/share/kbd/keymaps/{,**} r, + owner @{PROC}/@{pid}/cgroup r, + include if exists } diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 345957e3f..f516d16db 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl 
@@ -2,26 +2,50 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/loginctl -profile loginctl @{exec_path} { +profile loginctl @{exec_path} flags=(attach_disconnected) { include include - include - include + include include + include + include capability net_admin, capability sys_resource, + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, + @{bin}/ssh rPx, + + /etc/machine-id r, + + @{run}/log/journal/ r, + + /var/lib/systemd/catalog/database r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/cgroup r, + + /dev/rfkill r, include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index f570d5eab..a0d1471f9 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ include profile networkctl @{exec_path} flags=(attach_disconnected) { include include + include capability net_admin, capability sys_module, 
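Review bot: `@{run}/log/journal/ r,` is already covered by the `/{run,var}/log/journal/ r,` rule added a few lines below in the same loginctl hunk, so one of the two can go. The journal read rules have no comment saying why a session-management client needs them; presumably they serve the log excerpt that `loginctl session-status` / `user-status` prints, in which case `# For loginctl {session,user}-status (prints recent journal lines)` above the block would help the next maintainer. The two networkctl hunks on this line (abi bump, added include) need nothing.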
@@ -24,25 +25,24 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system, + unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd - # No label available - dbus send bus=system path=/org/freedesktop/network@{int} + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.network@{int}), + peer=(name=org.freedesktop.network1), @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/udev/hwdb.bin r, /var/lib/dbus/machine-id r, /etc/machine-id r, + owner /var/lib/systemd/network/ r, + # To be able to read logs @{run}/log/ r, /{run,var}/log/journal/ r, @@ -51,17 +51,23 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + @{att}/@{run}/systemd/netif/io.systemd.Network rw, + + @{run}/systemd/netif/links/ r, @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/**/net/**/uevent r, - @{PROC}/sys/kernel/random/boot_id r, @{PROC}/1/cgroup r, + @{PROC}/cmdline r, + @{PROC}/sys/fs/nr_open r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl new file mode 100644 index 000000000..3013d8ae6 --- /dev/null +++ b/apparmor.d/groups/systemd/resolvectl 
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/resolvectl
+profile resolvectl @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+
+ capability net_admin,
+
+ network inet raw,
+ network inet6 raw,
+ network netlink raw,
+
+ signal send set=cont peer=child-pager,
+
+ unix bind type=stream addr=@@{udbus}/bus/resolvconf/system,
+
+ #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
+
+ #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
+ dbus send bus=system path=/org/freedesktop/network1
+ interface=org.freedesktop.network1.Manager
+ member=SetLinkDNSEx
+ peer=(name=org.freedesktop.network1),
+
+ @{exec_path} mr,
+
+ @{pager_path} rPx -> child-pager,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-ac-power b/apparmor.d/groups/systemd/systemd-ac-power
index 44cbad98c..1353547f0 100644
--- a/apparmor.d/groups/systemd/systemd-ac-power
+++ b/apparmor.d/groups/systemd/systemd-ac-power
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index deb22cbc1..3ae0a7143 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
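Review bot: `unix bind type=stream addr=@@{udbus}/bus/resolvconf/system,` only matches the socket address sd-bus derives when the binary runs under the name `resolvconf`; a direct `resolvectl` invocation would presumably produce `.../bus/resolvectl/system`, so both forms likely need allowing, e.g. `unix bind type=stream addr=@@{udbus}/bus/{resolvectl,resolvconf}/system,`. `network inet raw,` and `network inet6 raw,` together with `capability net_admin,` are granted to a bus client with no comment; if they came from a denial log, a comment naming the subcommand would let a maintainer re-check them, and dropping them otherwise keeps the profile at least privilege. The explicit `dbus send ... member=SetLinkDNSEx` rule sits under a `#aa:dbus talk ... network1` directive that presumably already generates send rules for that name, so check it is not redundant.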
@@ -22,15 +22,15 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, + unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system, + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, @{lib}/systemd/system-environment-generators/* rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/man rPx, /usr/ r, @@ -47,7 +47,8 @@ profile systemd-analyze @{exec_path} { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{run}/udev/tags/systemd/ r, @{sys}/devices/**/uevent r, @@ -61,6 +62,7 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-ask-password b/apparmor.d/groups/systemd/systemd-ask-password index 9a5e04306..6eec2ee6b 100644 --- a/apparmor.d/groups/systemd/systemd-ask-password +++ b/apparmor.d/groups/systemd/systemd-ask-password @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 4a80835ed..b5a966f37 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-backlight -profile systemd-backlight @{exec_path} { +profile systemd-backlight @{exec_path} flags=(attach_disconnected) { include include 
@@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, @@ -27,20 +27,20 @@ profile systemd-backlight @{exec_path} { @{sys}/class/ r, @{sys}/class/backlight/ r, - @{sys}/devices/@{pci}/*:@{int}.@{int}/**/ r, @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, - @{sys}/devices/@{pci}/backlight/**/{uevent,type} r, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, @{sys}/devices/@{pci}/uevent r, - - @{sys}/devices/platform/**/leds/*backlight*/brightness rw, - @{sys}/devices/platform/**/leds/*backlight*/max_brightness r, - @{sys}/devices/platform/**/leds/*backlight*/uevent r, + @{sys}/devices/**/leds/**/{,max_,actual_}brightness rw, + @{sys}/devices/**/leds/**/{uevent,type,enabled} r, + @{sys}/devices/**/leds/**/brightness_hw_changed r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 8fae04706..5e3406ea9 100644 
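Review bot: The consolidated `{,max_,actual_}brightness rw` rules in the second systemd-backlight hunk widen `max_brightness` and `actual_brightness` from `r` to `rw`; the replaced rules kept those two read-only and made only `brightness` writable. Keeping `{max_,actual_}brightness r,` and `brightness rw,` on separate lines preserves that distinction (the kernel exposes the two as read-only, but the profile should still state the intent). The new `@{sys}/devices/**/leds/**/...` rules also replace the narrower `platform/**/leds/*backlight*` paths; if a specific device drove the widening, a comment naming it would help.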
--- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,11 +16,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/* r, + @{sbin}/* r, # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, - /usr/lib/binfmt.d/{,*.conf} r, + @{lib}/binfmt.d/{,*.conf} r, @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat index 0ccfd68c0..fd202c181 100644 --- a/apparmor.d/groups/systemd/systemd-cat +++ b/apparmor.d/groups/systemd/systemd-cat @@ -2,21 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-cat profile systemd-cat @{exec_path} { include + include + include capability net_admin, @{exec_path} mr, - @{bin}/cat rix, - @{bin}/echo rix, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index ed7254339..33191171e 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -2,21 +2,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-cgls profile systemd-cgls @{exec_path} { include + include + include + include - ptrace (read), + capability sys_ptrace, + + ptrace read, + + signal send set=cont peer=child-pager, + + unix bind type=stream addr=@@{udbus}/bus/systemd-cgls/system, @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, 
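Review bot: The systemd-cat hunk drops `@{bin}/cat rix,` and `@{bin}/echo rix,` and adds two includes whose names were lost in rendering; `systemd-cat COMMAND` execs an arbitrary user-supplied program, so unless one of the new includes carries an exec rule for that case, every such invocation is now denied. Please confirm the include covers it and consider a comment such as `# systemd-cat COMMAND: exec of the target program is handled by the include above`. The systemd-cgls hunk on this line adds `capability sys_ptrace,` next to an unrestricted `ptrace read,`; a one-line comment on why the capability is needed would document the widening.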
diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop index 9ae69cd69..90ecc99f8 100644 --- a/apparmor.d/groups/systemd/systemd-cgtop +++ b/apparmor.d/groups/systemd/systemd-cgtop @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,9 +14,7 @@ profile systemd-cgtop @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 1902c6799..061b93ffd 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted include include - # userns, + userns, capability dac_override, capability dac_read_search, @@ -33,13 +33,26 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{lib}/** r, / r, @{bin}/* r, + @{sbin}/* r, /opt/** r, + /usr/share/*/** r, + @{user_lib_dirs}/** r, + /snap/*/@{int}/opt/** r, + /snap/*/@{int}/usr/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, + owner @{HOME}/**.so* r, + /var/lib/systemd/coredump/{,**} rwl, + owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, + + @{att}/@{run}/systemd/coredump rw, + @{run}/systemd/coredump rw, + + @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, 
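Review bot: The third systemd-coredump hunk adds reads of user-controlled locations (`owner @{HOME}/**.so* r,`, `/snap/*/@{int}/usr/** r,`, `@{user_lib_dirs}/** r,`) and the second hunk enables the previously commented-out `userns,`, with no comment explaining either. The reads are presumably for symbolizing the crashing process's libraries; a comment like `# Read the crashing process's libraries for backtrace symbolization` above that group, and one on `userns,`, would record why a system helper reads home directories. Note that `owner` only matches files owned by the uid coredump runs as, so check that rule actually matches what the denial log showed.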
@@ -47,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index fba766fe8..fdddebe03 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -2,16 +2,17 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup -profile systemd-cryptsetup @{exec_path} { +profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { include include include + capability dac_read_search, capability ipc_lock, capability net_admin, capability sys_admin, @@ -26,10 +27,12 @@ profile systemd-cryptsetup @{exec_path} { @{run}/cryptsetup/ r, @{run}/cryptsetup/* rwk, @{run}/systemd/ask-password/* rw, - + @{sys}/devices/virtual/bdi/*/read_ahead_kb r, @{sys}/fs/ r, + @{run}/systemd/ask-password/ r, + @{PROC}/devices r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 9ac4e8239..311636d95 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,11 +10,11 @@ include profile systemd-delta @{exec_path} { include - signal (send) peer=child-pager, + signal send peer=child-pager, @{exec_path} mr, - @{bin}/less rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/binfmt.d/{,**} r, /etc/modprobe.d/{,**} r, 
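Review bot: In the second systemd-cryptsetup hunk the new `@{run}/systemd/ask-password/ r,` line is placed after the `@{sys}/...` rules, away from the existing `@{run}/systemd/ask-password/* rw,` a few lines above; the profiles in this set keep `@{run}` rules grouped and sorted, so move it next to its sibling. The new `capability dac_read_search,` in the first hunk would benefit from a comment naming the path it is needed for.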
diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 63e97171c..9b49c20fc 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,16 +11,16 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include - include - capability net_admin, + capability sys_ptrace, - network netlink raw, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @{run}/cloud-init/ds-identify.log w, @{run}/host/container-manager r, + @{run}/systemd/container r, @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -29,6 +29,23 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, + @{sys}/firmware/uv/prot_virt_guest r, + @{sys}/hypervisor/properties/features r, + @{sys}/hypervisor/type r, + + @{PROC}/1/environ r, + @{PROC}/device-tree/ r, + @{PROC}/device-tree/compatible r, + @{PROC}/device-tree/hypervisor/compatible r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sysinfo r, + @{PROC}/xen/capabilities r, + + /dev/cpu/@{int}/msr r, + + deny capability net_admin, + deny capability perfmon, + deny network (send receive) netlink raw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 991a787d2..1bbb91858 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
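Review bot: `/dev/cpu/@{int}/msr r,` in the second systemd-detect-virt hunk has no comment, and opening the msr device also requires CAP_SYS_RAWIO, which this profile does not grant, so the rule is probably either dead or paired with a denial that is expected anyway; add `# TODO: document which detection path reads MSRs` or drop it. Replacing `capability net_admin` / `network netlink raw` with `ptrace read peer=@{p_systemd}` plus explicit `deny` rules for the old grants is a good least-privilege move; a short comment on the `deny` block saying these are known, harmless denials would stop the next maintainer from re-adding them.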
@@ -11,23 +11,28 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability sys_admin, capability sys_resource, - mount options=(rw, rslave) -> /, - mount options=(rw, nodev) -> /mnt/*/, - mount -> /tmp/dissect-@{rand6}/, + mount -> /tmp/dissect-@{rand6}/, + mount fstype=tmpfs options=(rw nodev) rootfs -> @{run}/systemd/dissect-root/, + mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/{,**/}, + mount options=(rw nodev) -> /mnt/*/, + mount options=(rw rshared rslave) -> /, - signal (send) set=(cont) peer=child-pager, + umount @{run}/systemd/dissect-root/, + + signal send set=cont peer=child-pager, + + ptrace read peer=@{p_systemd}, @{exec_path} mr, - @{bin}/fsck rPx, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{sbin}/fsck rPx, + @{pager_path} rPx -> child-pager, # Location of file system OS images @{user_build_dirs}/{,**} r, @@ -37,14 +42,19 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dissect-@{rand6}/{,**} rw, + @{run}/systemd/dissect-root/ rw, + @{run}/systemd/dissect-root/** rwlk, + @{sys}/devices/virtual/block/loop@{int}/{,**} r, @{sys}/kernel/uevent_seqnum r, - @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, /dev/btrfs-control rw, /dev/loop-control rwk, - /dev/loop* rwk, + /dev/loop* rwk, + /dev/mapper/control w, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape index c292c1d96..469ccc945 100644 --- a/apparmor.d/groups/systemd/systemd-escape +++ b/apparmor.d/groups/systemd/systemd-escape @@ -2,14 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-escape profile systemd-escape @{exec_path} { include - include + include @{exec_path} mr, 
diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index 2d6326d71..4836c9747 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-fsck -profile systemd-fsck @{exec_path} { +profile systemd-fsck @{exec_path} flags=(attach_disconnected) { include include include @@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck rPx, + @{sbin}/fsck.* rPx, owner @{run}/systemd/quotacheck w, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 9fc59bfe0..7abde7c90 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-fsckd -profile systemd-fsckd @{exec_path} { +profile systemd-fsckd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index a9f9d7fb1..c53be3a35 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,6 +14,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { include include + userns, + capability chown, capability dac_override, capability dac_read_search, 
@@ -24,6 +26,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { capability setpcap, capability setuid, capability sys_admin, + capability sys_ptrace, capability sys_resource, network inet dgram, @@ -32,22 +35,33 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount options=(rw, rslave) -> @{run}/, - mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + mount -> @{run}/systemd/user-home-mount/, + mount options=(rw private) -> @{run}/systemd/user-home-mount/, + mount options=(rw rslave) -> @{run}/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, + + unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, #aa:dbus own bus=system name=org.freedesktop.home1 + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx, - @{bin}/mkfs.btrfs rPx, - @{bin}/mkfs.fat rPx, - @{bin}/mke2fs rPx, + @{lib}/systemd/systemd-homework rPx -> &systemd-homework, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, /etc/machine-id r, /etc/systemd/homed.conf r, /etc/skel/{,**} r, + /var/cache/systemd/home/{,**} rw, /var/lib/systemd/home/{,**} rw, / r, @@ -60,6 +74,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/home/{,**} rw, @{run}/systemd/userdb/io.systemd.home r, @{run}/systemd/user-home-mount/{,**} rw, + @{run}/systemd/notify w, @{sys}/bus/ r, @{sys}/fs/ r, @@ -70,9 +85,12 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, /dev/loop-control rwk, 
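Review bot: In the second systemd-homed hunk `mount -> @{run}/systemd/user-home-mount/,` carries no source, fstype or options, so the more specific `mount options=(rw private) -> @{run}/systemd/user-home-mount/,` right below it is subsumed. If the unrestricted form is needed for the `/dev/dm-@{int}` source the removed rule named, restoring that source (`mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/,`) keeps the grant bounded. The same unrestricted rule is repeated in the systemd-homework hunk on the next line.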
diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index 8dc8a825d..b81c196f8 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -2,19 +2,73 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-homework -profile systemd-homework @{exec_path} { +profile systemd-homework @{exec_path} flags=(attach_disconnected) { include - include include + include + include + + userns, + + capability chown, + capability fowner, + capability fsetid, + capability setfcap, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, + + network netlink raw, + + mount options=(rw rslave) -> @{run}/, + mount -> @{run}/systemd/user-home-mount/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, @{exec_path} mr, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, + /etc/machine-id r, + /etc/skel/{,**} r, + + /var/cache/systemd/home/{,**} rw, + + @{HOMEDIRS}/ r, + @{HOMEDIRS}/.#homework@{user}.* rw, + @{HOMEDIRS}/@{user}.home rw, + + @{run}/ r, + @{run}/cryptsetup/ r, + @{run}/cryptsetup/* rwk, + @{run}/systemd/user-home-mount/ rw, + @{run}/systemd/user-home-mount/@{user}/{,**} rw, + + @{sys}/fs/ r, + + @{PROC}/devices r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/uid_map w, + + /dev/loop-control rwk, + /dev/loop@{int} rw, + /dev/mapper/control rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index b81b16403..8fae34b29 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed 
+++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-hostnamed -profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { +profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include include include @@ -16,26 +16,25 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { capability sys_admin, # To set a hostname - unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system, + network unix stream, + + unix (bind) type=stream addr=@@{udbus}/bus/systemd-hostnam/system, #aa:dbus own bus=system name=org.freedesktop.hostname1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, @{etc_rw}/.#hostname* rw, @{etc_rw}/hostname rw, + /etc/.#machine-info@{hex16} rw, /etc/.#machine-info@{rand6} rw, /etc/machine-id r, /etc/machine-info rw, /etc/os-release r, + @{att}/@{run}/systemd/notify rw, + @{run}/systemd/default-hostname rw, - @{run}/systemd/notify rw, @{run}/udev/data/+dmi:* r, # for motherboard info @{sys}/devices/virtual/dmi/id/ r, @@ -45,12 +44,16 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_serial r, + @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, @{sys}/firmware/acpi/pm_profile r, @{sys}/firmware/dmi/entries/*/raw r, + /dev/vsock r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 4ee18fb34..ae64274c6 100644 
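Review bot: The new `product_serial r,` and `product_uuid r,` rules read DMI identifiers the kernel exposes root-only, and there is no comment on why hostnamed needs them; presumably they back the HardwareSerial / ProductUUID properties it exposes on the bus, where polkit gates access. A comment such as `# For the HardwareSerial and ProductUUID D-Bus properties (polkit-gated)` would record that exposure for whoever audits the profile. `/dev/vsock r,` likewise deserves a why-comment.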
--- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,11 +16,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, @{lib}/udev/#@{int} rwl, - @{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int}, + @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int}, @{lib}/udev/hwdb.bin w, - /etc/udev/.#hwdb.bind* rw, - /etc/udev/hwdb.bin rw, + /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int}, + /etc/udev/hwdb.bin w, /etc/udev/hwdb.d/{,*} r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-id128 b/apparmor.d/groups/systemd/systemd-id128 index afa516e39..f0944db26 100644 --- a/apparmor.d/groups/systemd/systemd-id128 +++ b/apparmor.d/groups/systemd/systemd-id128 @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 755cfe5ee..ae475ff48 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,11 +14,13 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, + signal receive set=term peer=@{p_packagekitd}, + @{exec_path} mr, @{bin}/cat rix, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl new file mode 100644 index 000000000..05f32a7f6 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-initctl 
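Review bot: The new `/etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int},` link rule names a target `/etc/udev/#@{int}` that has no rule of its own in this hunk, whereas the `@{lib}/udev` variant above it is backed by the context line `@{lib}/udev/#@{int} rwl,`. Unless such a rule exists elsewhere in the profile, the hard link will be refused because the link's permissions must be a subset of the target's; add `/etc/udev/#@{int} rwl,` next to it.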
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/systemd-initctl
+profile systemd-initctl @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability net_admin,
+
+ unix type=stream addr=@@{udbus}/bus/systemd-initctl/,
+
+ @{exec_path} mr,
+
+ @{run}/initctl rw,
+ @{run}/systemd/notify rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 29191a95d..e0a8a2e47 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -3,12 +3,12 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-journald
-profile systemd-journald @{exec_path} {
+profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
@@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} {
 network netlink raw,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
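Review bot: `unix type=stream addr=@@{udbus}/bus/systemd-initctl/,` differs from every sibling profile in this commit, which write `unix bind type=stream addr=@@{udbus}/bus/<name>/system,`: it names no access keyword, so it grants every unix-socket access on that address, and its address ends in `/` rather than `/system`, which will not match the `/system` suffix the other profiles expect. Suggested: `unix bind type=stream addr=@@{udbus}/bus/systemd-initctl/system,`, assuming the observed address follows the sibling pattern. The two systemd-journald hunks on this line (flags, `ptrace read`) need nothing.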
@@ -46,22 +46,25 @@ profile systemd-journald @{exec_path} { @{run}/host/container-manager r, @{run}/utmp rk, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+sdio:* r, - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/+usb-serial:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+virtio:* r, + @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules. + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. 
+ @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) @{run}/udev/data/b254:@{int} r, # for /dev/zram* - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/b8:@{int} r, # for /dev/sd* @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c108:@{int} r, # For /dev/ppp @{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters @@ -79,6 +82,7 @@ profile systemd-journald @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index c149f37ee..cefab3890 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
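Review bot: `@{run}/udev/data/b8:@{int} r, # for /dev/sd*` is inserted between the `c4` and `c10` lines, breaking the `b*`-then-`c*` ordering the rest of the block keeps; move it up next to `b254` / `b259`. Comment capitalisation is also mixed in this block (`# for ...` vs `# For ...`); picking one form would match the comments the commit rewrites just above.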
@@ -14,27 +14,46 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Reload + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, + @{bin}/cat ix, + @{bin}/gzip ix, + @{bin}/localedef ix, + @{bin}/rm ix, + @{bin}/sort ix, + @{sbin}/locale-gen rPx, + + /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /etc/ r, + /etc/.#locale.conf@{hex16} rw, + /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, - /etc/locale.conf r, + /etc/locale.conf rw, + /etc/locale.gen rw, + /etc/nsswitch.conf r, + /etc/passwd r, /etc/vconsole.conf rw, - /etc/X11/xorg.conf.d/ r, - /etc/X11/xorg.conf.d/.#*.confd* rw, + /etc/X11/xorg.conf.d/ rw, + /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, /etc/X11/xorg.conf.d/*.conf rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 855d0d58c..6b102829d 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -3,7 +3,7 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { include include include + include include include include include - include capability chown, capability dac_override, 
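Review bot: `@{bin}/cat ix`, `@{bin}/gzip ix`, `@{bin}/localedef ix`, `@{bin}/rm ix` and `@{bin}/sort ix` run those helpers inside the localed profile, while `@{sbin}/locale-gen rPx` transitions to a separate profile; if the helpers are only ever spawned by locale-gen they belong in that profile, so it is worth confirming that localed execs them directly. From the rules visible in this hunk the profile grants write access only to files under `/etc`, so an inherited `localedef` or `rm` could not modify anything outside it anyway, which suggests the inherited path may not be the one that was exercised. A one-line comment naming the caller, e.g. `# Run directly by localed when locale-gen is absent`, would make the split reviewable. The profile's includes are not visible here.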
@@ -27,9 +27,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { network netlink raw, - # mqueue r type=posix /, + mqueue getattr type=posix /, + mqueue r type=posix /, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 @@ -40,11 +41,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(label=ksmserver-logout-greeter), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, /etc/machine-id r, @@ -54,15 +50,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,**} r, / r, - /boot/{,**} r, - /efi/{,**} r, + @{efi}/{,**} r, /swap.img r, /swap/swapfile r, /swapfile r, - /var/lib/systemd/linger/ r, + /var/lib/systemd/linger/{,@{user}} rw, @{run}/.#nologin* rw, + @{run}/credentials/getty@tty@{int}.service/ r, @{run}/host/container-manager r, @{run}/nologin rw, @{run}/utmp rk, 
@@ -72,13 +68,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+drivers:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+drivers:* r, # For drivers loaded in the system @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @@ -91,11 +89,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, - @{run}/systemd/inhibit/[0-9]*{,.ref} rw, - @{run}/systemd/journal/socket rw, - @{run}/systemd/notify rw, + @{run}/systemd/inhibit/@{int}{,.ref} rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat@{int} rw, 
@@ -124,12 +124,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -137,10 +138,12 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/tty@{int} rw, - owner /dev/shm/{,**/} rw, + @{att}/dev/dri/card@{int} rw, + + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/tty@{int} rw, + /dev/shm/{,**/} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 71c9d0467..a2115a926 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,18 +17,21 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, - ptrace (read), + ptrace read, + mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, umount /etc/machine-id, @{exec_path} mr, + @{att}/ r, / r, /etc/ r, /etc/machine-id rw, /var/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, 
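Review bot: `/dev/shm/{,**/} rw` in the last hunk drops the `owner` qualifier the old line had, so logind may now create and remove directories owned by any user under `/dev/shm`. That is plausibly required for logind's RemoveIPC= cleanup of a departing user's entries, which are owned by that user rather than root, but nothing in the hunk says so; a comment such as `# RemoveIPC= cleanup of other users' /dev/shm entries` would record why `owner` had to go, and if the widening was not deliberate the qualifier should be restored. The enclosing profile starts outside the hunk.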
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 512fdde82..520080082 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -2,14 +2,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} { +profile systemd-machined @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -21,6 +22,7 @@ profile systemd-machined @{exec_path} { capability kill, capability mknod, capability setgid, + capability setuid, capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -31,24 +33,48 @@ profile systemd-machined @{exec_path} { network inet6 dgram, network netlink raw, + signal send set=rtmin+6 peer=systemd-nspawn, + + ptrace read peer=systemd-nspawn, + + unix type=stream addr=@@{udbus}/bus/systemd-machine/system, + #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, - /var/lib/machines/{,**} rw, /etc/machine-id r, + / r, + @{att}/ r, + + owner /var/lib/machines/ rw, + owner /var/lib/machines/** rwk, + + owner @{run}/systemd/nspawn/ w, + owner @{run}/systemd/nspawn/locks/ w, + owner @{run}/systemd/nspawn/locks/** rwk, + @{run}/systemd/machine/{,**} rw, @{run}/systemd/machines/{,**} rw, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, + /dev/ptmx rw, + /dev/pts/@{int} rw, + /dev/pts/ptmx rw, + /dev/vsock r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 05ec6dc34..74a824411 100644 --- a/apparmor.d/groups/systemd/systemd-makefs 
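Review bot: `unix type=stream addr=@@{udbus}/bus/systemd-machine/system,` carries no access keyword, so it grants every unix-socket access (create, bind, listen, accept, connect, send, receive) on that address, whereas the other profiles in this change use `unix bind type=stream addr=…` for the same kind of sd-bus socket. Unless machined also has to connect to that address, tighten it to `unix bind type=stream addr=@@{udbus}/bus/systemd-machine/system,` for consistency and least privilege. Similarly `/dev/pts/@{int} rw` is not `owner`-qualified and so covers every pty on the host; if it is only for ptys machined allocates through `/dev/ptmx`, `owner /dev/pts/@{int} rw,` is the narrower form. The profile body continues outside this hunk.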
+++ b/apparmor.d/groups/systemd/systemd-makefs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} { @{exec_path} mr, - @{bin}/mkfs.* rPx, - @{bin}/mkswap rPx, + @{sbin}/mkfs.* rPx, + @{sbin}/mkswap rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 4ecbd0acb..3f778244b 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -3,16 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-modules-load -profile systemd-modules-load @{exec_path} { +profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { include include capability net_admin, + capability perfmon, capability sys_module, @{exec_path} mr, @@ -23,6 +24,9 @@ profile systemd-modules-load @{exec_path} { /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, + @{run}/modprobe.d/ r, + @{run}/modprobe.d/*.conf r, + @{sys}/devices/@{pci}/config r, @{sys}/module/*/initstate r, @{sys}/module/compression r, diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount index 4db3dcacf..b78de3312 100644 --- a/apparmor.d/groups/systemd/systemd-mount +++ b/apparmor.d/groups/systemd/systemd-mount @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,9 +13,7 @@ profile systemd-mount @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index cce35fae6..ceebbc5c2 100644 
--- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -2,12 +2,12 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-network-generator -profile systemd-network-generator @{exec_path} { +profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { include include @@ -17,6 +17,8 @@ profile systemd-network-generator @{exec_path} { owner @{run}/systemd/network/{,**} rw, + @{run}/credentials/systemd-network-generator.service/ r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index f0f97433d..ccb6d9629 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,10 +14,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { include include + capability bpf, capability net_admin, capability net_bind_service, capability net_broadcast, capability net_raw, + capability sys_admin, network inet dgram, network inet6 dgram, @@ -27,7 +29,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network, + unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, + + signal receive set=usr2 peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.network1 
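Review bot: `capability sys_admin` is added to systemd-networkd right after `capability bpf` with no comment saying what needs it. Since Linux 5.8, CAP_BPF (plus CAP_NET_ADMIN for network program types, which the profile already grants) suffices to load BPF programs, so CAP_SYS_ADMIN would only be needed on older kernels or for some unrelated operation; if it is a fallback for pre-5.8 kernels, say so inline, e.g. `capability sys_admin, # bpf() on kernels without CAP_BPF (< 5.8)`. As written, the broadest capability in the profile is the least explained one. The rest of the profile is outside this hunk.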
@@ -38,40 +42,52 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), + peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), @{exec_path} mr, /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/systemd/networkd.conf r, + /etc/systemd/network.conf r, /etc/systemd/network/{,**} r, + /etc/systemd/networkd.conf r, + /etc/systemd/networkd.conf.d/{,**} r, /etc/networkd-dispatcher/carrier.d/{,*} r, + @{att}/ r, + @{att}/@{run}/systemd/notify rw, + + @{run}/mount/utab r, + @{run}/systemd/resolve/resolv.conf r, + + owner @{att}/var/lib/systemd/network/ r, + + owner /var/lib/systemd/network/ rw, + owner /var/lib/systemd/network/** rwk, + @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, - @{run}/systemd/notify rw, - owner @{run}/systemd/netif/.#state rw, - owner @{run}/systemd/netif/.#state* rw, - owner @{run}/systemd/netif/leases/{,*} rw, - owner @{run}/systemd/netif/links/{,*} rw, - owner @{run}/systemd/netif/lldp/{,*} rw, - owner @{run}/systemd/netif/state rw, + owner @{run}/systemd/netif/** rw, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces + @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, - @{sys}/devices/@{pci}/ r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/fs/cgroup/ r, + @{sys}/kernel/btf/vmlinux r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/pressure/* r, - @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/version_signature r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } 
diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 8e9ec3438..c36b5af39 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online -profile systemd-networkd-wait-online @{exec_path} flags=(complain) { +profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-notify b/apparmor.d/groups/systemd/systemd-notify index 7be0e88ed..f62599d28 100644 --- a/apparmor.d/groups/systemd/systemd-notify +++ b/apparmor.d/groups/systemd/systemd-notify @@ -2,13 +2,14 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-notify profile systemd-notify @{exec_path} { include + include capability sys_admin, capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced new file mode 100644 index 000000000..97dcb3b05 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-nsresourced 
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-nsresourced +profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { + include + include + + capability bpf, + capability perfmon, + capability sys_resource, + + signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework, + + @{exec_path} mr, + + @{lib}/systemd/systemd-nsresourcework ix, # no new privs + + @{run}/systemd/nsresource/ rw, + @{run}/systemd/nsresource/** rw, + + @{sys}/devices/kprobe/type r, + @{sys}/fs/bpf/ r, + @{sys}/fs/bpf/systemd/ rw, + @{sys}/fs/bpf/systemd/userns-restrict/{,**} rw, + @{sys}/fs/cgroup/system.slice/systemd-nsresourced.service/memory.pressure rw, + @{sys}/kernel/btf/vmlinux r, + @{sys}/kernel/security/lsm r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework new file mode 100644 index 000000000..5b8d53398 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-nsresourcework @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-nsresourcework +profile systemd-nsresourcework @{exec_path} { + include + + capability sys_resource, + + signal send set=usr2 peer=systemd-nsresourced, + + @{exec_path} mr, + + @{run}/systemd/nsresource/registry/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 9ebe87c49..ce61dba23 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd 
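Review bot: The exec rule `@{lib}/systemd/systemd-nsresourcework ix, # no new privs` keeps the worker under the `systemd-nsresourced` label, yet `signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework` names a stacked label, and the new `systemd-nsresourcework` profile in the next hunk (with `signal send set=usr2 peer=systemd-nsresourced`) can only take effect through a domain transition that this `ix` rule does not perform. As written, the receive rule never matches and the worker profile looks dead; either the exec rule should be an explicit transition to the stacked label the signal rule expects, or, if `ix` is intended, the peer should simply be `systemd-nsresourced` and the separate profile dropped. Whichever is meant, the `# no new privs` comment should state which behaviour it relies on.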
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, + unix bind type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 @@ -24,10 +24,11 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, - @{run}/systemd/io.system.ManagedOOM rw, - @{run}/systemd/io.systemd.ManagedOOM rw, - @{run}/systemd/notify rw, - owner @{run}/systemd/journal/socket w, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + + @{run}/systemd/io.system.ManagedOOM rw, + @{run}/systemd/io.systemd.ManagedOOM rw, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.* r, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 7ab73f52e..0d061d845 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,11 +10,10 @@ include profile systemd-path @{exec_path} { include include + include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-portabled b/apparmor.d/groups/systemd/systemd-portabled index a54c5d8db..bee3df8df 100644 --- a/apparmor.d/groups/systemd/systemd-portabled +++ b/apparmor.d/groups/systemd/systemd-portabled @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index e9753150c..86ea02a0d 100644 
--- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-random-seed -profile systemd-random-seed @{exec_path} { +profile systemd-random-seed @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 44ab5cfaf..73213160b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-remount-fs -profile systemd-remount-fs @{exec_path} { +profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { include include include @@ -17,18 +17,19 @@ profile systemd-remount-fs @{exec_path} { capability sys_resource, mount options=(rw, remount) -> /, - mount options=(rw, remount) -> /proc/, + mount options=(rw, remount) -> @{PROC}/, @{exec_path} mr, @{bin}/mount rix, + @{etc_ro}/blkid.conf r, + @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.@{rand6} rw, - @{run}/mount/utab.lock rwk, + @{run}/mount/utab.* rwk, @{sys}/devices/virtual/block/dm-@{int}/dm/name r, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve deleted file mode 100644 index cfb0732dc..000000000 --- a/apparmor.d/groups/systemd/systemd-resolve +++ /dev/null 
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/resolvectl -@{exec_path} += @{bin}/systemd-resolve -profile systemd-resolve @{exec_path} { - include - - capability mknod, - capability net_admin, - - network netlink raw, - - @{exec_path} mr, - - @{PROC}/ r, - owner @{PROC}/@{pids}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 7b2e7ffa9..8f4b5bc57 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -1,8 +1,8 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-3.0-only +# SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -31,27 +31,22 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.resolve1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, - @{run}/systemd/netif/links/* r, - @{run}/systemd/notify rw, - @{run}/systemd/resolve/{,**} rw, - owner @{run}/systemd/journal/socket w, + @{att}/@{run}/systemd/notify w, + + @{run}/systemd/netif/links/* r, + @{run}/systemd/resolve/{,**} rw, @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 1ff164b86..34e7255ab 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill 
+++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -3,16 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-rfkill -profile systemd-rfkill @{exec_path} { +profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include include capability net_admin, + capability sys_admin, capability sys_ptrace, network netlink raw, @@ -22,7 +23,7 @@ profile systemd-rfkill @{exec_path} { /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index 02abda424..e9887c0cb 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a17c13631..a55bf752d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-sleep -profile systemd-sleep @{exec_path} { +profile systemd-sleep @{exec_path} flags=(attach_disconnected) { include include include @@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} { @{exec_path} mr, + @{sh_path} mr, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, @@ -31,7 +33,6 @@ profile systemd-sleep @{exec_path} { @{sys}/power/state rw, - include if exists } 
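Review bot: `capability sys_admin` is added to systemd-rfkill without a comment, and nothing else in the hunk shows what operation requires it; for a service whose visible job is persisting rfkill state under `/var/lib/systemd/rfkill/` the grant is disproportionately broad. If it was added to silence a denial, record the triggering operation inline (e.g. `capability sys_admin, # <operation that needs it — fill in>`), otherwise a later reviewer cannot distinguish a real requirement from a spurious audit line. The same remark applies to `capability perfmon` added to systemd-modules-load and systemd-sleep-nvidia in this change.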
diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub2 b/apparmor.d/groups/systemd/systemd-sleep-grub similarity index 88% rename from apparmor.d/groups/systemd/systemd-sleep-grub2 rename to apparmor.d/groups/systemd/systemd-sleep-grub index e7ae09355..38be5772f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub2 +++ b/apparmor.d/groups/systemd/systemd-sleep-grub @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,13 +14,11 @@ profile systemd-sleep-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/uname rix, /etc/sysconfig/bootloader r, - @{PROC}/@{pid}/maps r, - /dev/tty rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 9a282e7f8..5b9c51dbe 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,9 @@ profile systemd-sleep-hdparm @{exec_path} { include @{exec_path} mr, + @{sh_path} r, + + @{lib}/pm-utils/power.d/*hdparm-apm ix, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 4ff89f5a7..2ca5d7474 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia +++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ profile systemd-sleep-nvidia @{exec_path} { include include + capability perfmon, capability sys_admin, capability sys_tty_config, diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index d854cd7f7..e29a41a7a 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat 
+++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,9 @@ profile systemd-sleep-sysstat @{exec_path} { @{exec_path} mr, + @{lib}/sysstat/sa{1,2} Px, + @{lib}/sysstat/debian-sa{1,2} Px, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index 1e7d3fe34..fc9a51067 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,8 @@ profile systemd-sleep-tlp @{exec_path} { @{exec_path} mr, - @{bin}/tlp rPUx, + @{sh_path} rix, + @{sbin}/tlp rPUx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index 9d1758e25..c2c107b1f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ profile systemd-sleep-upgrades @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-socket-proxyd b/apparmor.d/groups/systemd/systemd-socket-proxyd index 0a9c75aa3..7290e6d0c 100644 --- a/apparmor.d/groups/systemd/systemd-socket-proxyd +++ b/apparmor.d/groups/systemd/systemd-socket-proxyd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-stdio-bridge b/apparmor.d/groups/systemd/systemd-stdio-bridge new file mode 100644 index 000000000..5f3bc2e36 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-stdio-bridge 
@@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/systemd-stdio-bridge +profile systemd-stdio-bridge @{exec_path} flags=(attach_disconnected) { + include + include + include + + signal send set=term peer=@{p_systemd}, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index bb0f082b9..5ccf33219 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-sulogin-shell -profile systemd-sulogin-shell @{exec_path} { +profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { include include @@ -18,7 +18,7 @@ profile systemd-sulogin-shell @{exec_path} { @{exec_path} mr, - @{bin}/sulogin rPx, + @{sbin}/sulogin rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index f209745fc..87e0ede5c 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { @{run}/sysctl.d/{,*.conf} r, /etc/sysctl.conf r, /etc/sysctl.d/{,*.conf} r, - /usr/lib/sysctl.d/{,*.conf} r, + @{lib}/sysctl.d/{,*.conf} r, @{PROC}/sys/** rw, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 18ef93df0..2d250f63c 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers 
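Review bot: `signal send set=term peer=@{p_systemd}` allows systemd-stdio-bridge to SIGTERM any process carrying the systemd label, which presumably includes the service manager itself. If the intended target is a manager instance (e.g. a user instance the bridge is attached to), a comment describing that scenario would justify the rule; if the bridge only needs to terminate a process it spawned or its bus peer, a narrower peer label is preferable. This is the whole new profile, so nothing else constrains the signal.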
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,12 +16,16 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { capability fsetid, capability net_admin, + signal send set=cont peer=child-pager, + @{exec_path} mr, + @{pager_path} rPx -> child-pager, + # Config file locations - /etc/sysusers.d/*.conf r, - @{run}/sysusers.d/*.conf r, - /usr/lib/sysusers.d/*.conf r, + /etc/sysusers.d/{,*.conf} r, + @{run}/sysusers.d/{,*.conf} r, + @{lib}/sysusers.d/{,*.conf} r, # Where the users can be created, /home/{,*} rw, @@ -40,6 +44,8 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { /etc/.#{group,gshadow}@{hex} rw, /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/cgroup r, + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 4d9ae9ce1..b65f2b7af 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 
@@ -23,6 +23,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={DisableUnitFiles,EnableUnitFiles} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={JobRemoved,Reload,StartUnit,StopUnit} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, @@ -35,7 +43,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, /dev/rtc@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 51fd6358e..2ac7f09fb 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,8 +21,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync, - unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), + unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, + unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 
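Review bot: The second added `dbus send` rule lists `JobRemoved` among the members sent to `org.freedesktop.systemd1.Manager`, but `JobRemoved` is a signal the manager emits, not a method timedated calls; if the intent is to be told when the `StartUnit`/`StopUnit` jobs finish, that is presumably a `dbus receive` rule for `member=JobRemoved`, and the audit log that motivated the line should confirm which direction was denied. The two `dbus send` rules added here target the same path, interface and peer and could be a single rule with `member={DisableUnitFiles,EnableUnitFiles,Reload,StartUnit,StopUnit}`, which keeps the granted surface easier to read. A one-line comment such as `# manage systemd-timesyncd.service on NTP toggle` above the block would record why a time daemon needs unit-file and start/stop control.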
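Review bot: The rewritten `unix (send, receive)` rule in systemd-timesyncd changes the peer label from `@{p_systemd}` to `@{p_sd}`, while every other hunk on this page (systemd-stdio-bridge, systemd-timedated) keeps `@{p_systemd}`; unless `@{p_sd}` is a tunable defined elsewhere in the tree, the rule will fail to parse or silently match nothing and the dgram exchange with PID 1 will be denied in enforce mode. Please confirm the variable exists or revert to `peer=(label=@{p_systemd}, addr=none)`. The surrounding profile body continues outside this hunk.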
@@ -34,11 +34,11 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, + @{att}/@{run}/systemd/notify rw, + @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, - @{run}/systemd/notify rw, @{run}/systemd/timesyncd.conf.d/{,**} r, - owner @{run}/systemd/journal/socket w, owner @{run}/systemd/timesync/synchronized rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 595ccf7da..0e1e404ab 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r, - /usr/lib/tmpfiles.d/{,*.conf} r, + @{lib}/tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, @@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /etc/{,**} rw, /home/ rw, /opt/{,**} rw, - /run/{,**} rw, + @{run}/{,**} rw, /srv/{,**} rw, /tmp/{,**} rwk, /usr/{,**} rw, @@ -51,7 +51,10 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/{,**} rw, @{sys}/class/net/ r, + @{sys}/devices/system/cpu/cpufreq/ r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w, @{sys}/devices/system/cpu/microcode/reload w, + @{sys}/module/pcie_aspm/parameters/policy w, @{PROC}/@{pid}/net/unix r, @{PROC}/1/cmdline r, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index f1da3f8a6..b318bf3dd 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent 
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,21 +13,32 @@ profile systemd-tty-ask-password-agent @{exec_path} { include capability dac_override, + capability dac_read_search, capability net_admin, capability sys_resource, - signal (receive) set=(term cont) peer=*//systemctl, - signal (receive) set=(term cont) peer=default, - signal (receive) set=(term cont) peer=logrotate, + signal receive set=(term cont winch) peer=@{p_logrotate}, + signal receive set=(term cont winch) peer=*//systemctl, + signal receive set=(term cont winch) peer=deb-systemd-invoke, + signal receive set=(term cont winch) peer=default, + signal receive set=(term cont winch) peer=machinectl, + signal receive set=(term cont winch) peer=makepkg//sudo, + signal receive set=(term cont winch) peer=role_*, + signal receive set=(term cont winch) peer=rpm, @{exec_path} mrix, @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/{,*} rw, + + @{run}/user/@{uid}/ w, + @{run}/user/@{uid}/systemd/ w, + @{run}/user/@{uid}/systemd/ask-password/ rw, + @{run}/utmp rk, @{PROC}/@{pids}/stat r, - + @{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/tty@{int}/active r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 220cbb54c..cb9592d47 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -3,16 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd -profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { +profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include + include include include - include + include capability chown, capability dac_override, 
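Review bot: The added `@{run}/user/@{uid}/ w,` and `@{run}/user/@{uid}/systemd/ w,` grant create/write on the root of every user's runtime directory, not only on the `ask-password/` subdirectory the agent actually uses, and the profile carries `capability dac_override` with no `owner` qualifier on these lines. If the underlying denial was only a mkdir of the subdirectory, narrowing to `@{run}/user/@{uid}/systemd/ask-password/{,*} rw,` (keeping the parent `w` lines only if the log shows they are needed) would be the least-privilege form. The new signal list also introduces `peer=role_*`, a glob over all role profiles; a short comment naming which roles drive the agent would help the next reviewer judge it.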
@@ -21,68 +22,70 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { capability fsetid, capability mknod, capability net_admin, + capability perfmon, capability sys_admin, capability sys_module, capability sys_ptrace, capability sys_rawio, capability sys_resource, - ptrace (read), + ptrace read, network inet dgram, network inet6 dgram, network netlink raw, + unix type=stream addr=@@{udbus}/bus/udevadm/, + @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/*-print-pci-ids rix, - @{bin}/alsactl rPUx, - @{bin}/ddcutil rPx, - @{bin}/dmsetup rPUx, - @{bin}/ethtool rix, - @{bin}/issue-generator rPx, - @{bin}/kmod rPx, - @{bin}/less rPx -> child-pager, - @{bin}/logger rix, - @{bin}/ls rix, - @{bin}/lvm rPx, - @{bin}/mknod rix, - @{bin}/more rPx -> child-pager, - @{bin}/multipath rPx, - @{bin}/nfsrahead rix, - @{bin}/pager rPx -> child-pager, - @{bin}/perl rix, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rix, - @{bin}/unshare rix, + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/mknod rix, + @{bin}/nfsrahead rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, + @{bin}/systemd-run rix, # TODO: rCx -> run, + @{bin}/unshare rix, + @{sbin}/ethtool rix, - @{lib}/crda/* rPUx, - @{lib}/gdm-runtime-config rPx, - @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPUx, - @{lib}/pm-utils/power.d/* rPUx, - @{lib}/snapd/snap-device-helper rPx, - @{lib}/systemd/systemd-* rPx, - @{lib}/udev/* rPUx, - /usr/share/hplip/config_usb_printer.py rPUx, + @{bin}/ddcutil rPx, + @{bin}/kmod rCx -> kmod, + @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/vmmouse_detect rPx, + @{pager_path} rPx -> child-pager, + @{sbin}/alsactl rPx, + @{sbin}/dmsetup rPx, + @{sbin}/issue-generator rPx, + @{sbin}/kdump-config rPx, + @{sbin}/lvm rPx, + @{sbin}/multipath rPx, + 
@{sbin}/u-d-c-print-pci-ids rPx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + @{lib}/crda/* rPUx, + @{lib}/gdm-runtime-config rPx, + @{lib}/nfsrahead rPUx, + @{lib}/open-iscsi/net-interface-handler rPx, + @{lib}/pm-utils/power.d/* rPUx, + @{lib}/snapd/snap-device-helper rPx, + @{lib}/systemd/systemd-* rPx, + @{lib}/udev/* rPUx, + /usr/share/hplip/config_usb_printer.py rPUx, - /etc/machine-id r, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, /etc/default/* r, - + /etc/machine-id r, /etc/nfs.conf rk, /etc/udev/{,**} r, + /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw, /etc/udev/hwdb.bin rw, - /etc/udev/.#hwdb.bin* rw, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, @@ -90,14 +93,20 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /etc/systemd/network/ r, /etc/systemd/network/@{int2}-*.link r, - @{run}/udev/ rw, - @{run}/udev/** rwk, - + @{run}/credentials/systemd-udev-load-credentials.service/ r, + @{run}/modprobe.d/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, + @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/udev/control rw, + + @{run}/udev/ rw, + @{run}/udev/** rwk, + @{sys}/** rw, @{PROC}/@{pid}/mountinfo r, @@ -115,6 +124,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /dev/ rw, /dev/** rwk, + profile kmod flags=(attach_disconnected,complain) { + include + include + + capability sys_module, + + @{sh_path} rix, + @{bin}/kmod ix, + + @{sys}/module/*/initstate r, + @{sys}/module/compression r, + + include if exists + } + profile systemctl flags=(attach_disconnected,complain) { include include @@ -122,10 +146,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { capability net_admin, capability sys_ptrace, - # / r, - - @{PROC}/sys/kernel/cap_last_cap r, - include if exists } 
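Review bot: `@{bin}/systemd-run rix, # TODO: rCx -> run,` keeps systemd-run inheriting the full systemd-udevd profile, which in this same hunk holds `capability sys_admin`, `capability sys_module`, `ptrace read` and (outside the hunk) `@{sys}/** rw`; since the parent profile is being moved out of complain mode in this commit, that inherited surface now becomes the enforced policy for whatever unit systemd-run launches. The TODO already names the intended fix, so either land the child profile with this change or expand the comment to say what blocks it, e.g. `# TODO: rCx -> run, blocked on <reason>`. The remaining `rPUx` fallbacks (`@{lib}/udev/* rPUx,`, `@{lib}/crda/* rPUx,`) also deserve a one-line note that unconfined execution is deliberate for unprofiled helpers.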
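Review bot: The new `profile kmod flags=(attach_disconnected,complain)` child is added in complain mode, so its `capability sys_module` and the narrow sysfs reads it lists impose no restriction yet and only produce audit records; the equivalent `kmod` child added to zram-generator on this page is in enforce mode, so the two diverge. If complain is intentional while the rule set is being collected, a comment such as `# complain: rules still being gathered, see issue <ID>` above the child makes that explicit and keeps it from being mistaken for a finished profile. The `systemctl` child right after it is also still in complain mode even though the parent profile drops the flag in this commit.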
diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index 046bc3e65..e7a44d01d 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-update-done -profile systemd-update-done @{exec_path} { +profile systemd-update-done @{exec_path} flags=(attach_disconnected) { include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 60227f08a..82025859b 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-update-utmp -profile systemd-update-utmp @{exec_path} { +profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { include include include @@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} { network netlink raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/, + unix bind type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 38d2d3931..363b9a32d 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir -profile systemd-user-runtime-dir @{exec_path} { +profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { include include include 
@@ -20,10 +20,12 @@ profile systemd-user-runtime-dir @{exec_path} { capability net_admin, capability sys_admin, + network unix stream, + mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-user-ru/system, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 25e5befef..8de32dfe2 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-user-sessions -profile systemd-user-sessions @{exec_path} { +profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index f591faf3d..f9fad3693 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,9 +25,16 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{lib}/systemd/systemd-userwork rix, + /etc/gshadow r, /etc/shadow r, + /etc/machine-id r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, + @{run}/systemd/userdb/{,**} rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index c7e4b6292..2521c655e 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,6 +18,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/gshadow r, /etc/machine-id r, /etc/shadow r, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 000bd6957..8c99d606c 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-vconsole-setup -profile systemd-vconsole-setup @{exec_path} { +profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 159d1442a..fa7c13297 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -2,28 +2,35 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/userdbctl -profile userdbctl @{exec_path} { +profile userdbctl @{exec_path} flags=(attach_disconnected) { include + include include capability dac_read_search, capability sys_resource, + signal send set=cont peer=child-pager, + @{exec_path} mr, - - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, - /etc/shadow r, + @{pager_path} rPx -> child-pager, + /etc/gshadow r, + /etc/shadow r, - @{PROC}/@{pid}/cgroup r, + /etc/machine-id r, + + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/gid_map r, + owner @{PROC}/@{pid}/setgroups r, + owner @{PROC}/@{pid}/uid_map r, include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 2e8c20737..193bfc9b6 100644 
--- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,30 +11,37 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, - @{exec_path} mr, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, /etc/systemd/zram-generator.conf r, - /etc/modprobe.d/{,**} r, owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw, owner @{run}/systemd/generator/dev-zram@{int}.swap rw, owner @{run}/systemd/generator/swap.target.wants/{,dev-zram@{int}.swap} rw, owner @{run}/systemd/generator/systemd-zram-setup@zram@{int}.service.d/{,*.conf} rw, - @{sys}/block/zram@{int}/{disksize,reset} rw, - @{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw, - @{sys}/module/compression r, + @{sys}/block/zram@{int}/* rw, + @{sys}/devices/virtual/block/zram@{int}/* rw, @{PROC}/crypto r, owner /dev/pts/@{int} rw, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index bc03772b6..211dda9cc 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport 
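Review bot: Replacing `@{sys}/block/zram@{int}/{disksize,reset} rw,` and `@{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw,` with `@{sys}/block/zram@{int}/* rw,` and `@{sys}/devices/virtual/block/zram@{int}/* rw,` widens write access from three named attributes to every attribute exposed under the device; if only one more attribute was needed, adding it to the existing brace list keeps the allow-list explicit. Moving `capability sys_module` and the `@{sys}/module/compression r` read into the new enforce-mode `kmod` child is a good tightening; note that the child as written shows no `@{bin}/kmod` exec rule in this hunk, so confirm one of the (stripped) includes supplies it, otherwise the `rCx -> kmod` transition will be denied.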
@@ -2,55 +2,79 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /usr/share/apport/apport +@{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include include include capability chown, capability dac_read_search, + capability fowner, capability fsetid, capability setgid, capability setuid, capability sys_ptrace, - ptrace (read) peer=gnome-shell, - ptrace (read) peer=snap.cups.cupsd, - ptrace (read) peer=tracker-extract, + ptrace read, @{exec_path} mr, - @{bin}/gdbus rix, @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, + @{bin}/dpkg rPx -> &child-dpkg, + @{bin}/dpkg-divert rPx -> &child-dpkg-divert, + @{bin}/gdbus rix, + @{bin}/md5sum rix, /usr/share/apport/{,**} r, + @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,**} r, + + /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/*.md5sums r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/triggers/* r, + /var/lib/dpkg/updates/ r, + + /var/lib/systemd/coredump/*.zst r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, + owner /var/cache/apt/pkgcache.bin.@{rand6} rw, owner /var/log/apport.log rw, - @{run}/apport.lock rwk, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/apport.lock rwk, + @{run}/log/journal/ r, + + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/fd/ r, 
@{PROC}/@{pid}/stat r, @{PROC}/sys/fs/suid_dumpable w, @{PROC}/sys/kernel/core_pattern w, @{PROC}/sys/kernel/core_pipe_limit w, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index dec9a5d7d..5e39988fd 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,15 +14,15 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, /usr/share/apport/ r, + @{etc_ro}/login.defs r, /etc/apt/apt.conf.d/{,**} r, /etc/default/apport r, - /etc/login.defs r, /var/crash/ r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index a63f38890..6d90cadda 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -2,21 +2,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include + include include - include include - include - include - include include include + include include include include @@ -29,10 +27,12 @@ profile apport-gtk @{exec_path} { network inet6 stream, network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} mr, @{sh_path} rix, + @{python_path} rix, @{bin}/{f,}grep rix, @{bin}/apt-cache rPx, @{bin}/cut rix, 
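Review bot: The three peer-scoped `ptrace (read) peer=...` lines in apport are collapsed into an unrestricted `ptrace read,`, which together with the existing `capability sys_ptrace` lets the crash handler read the state of any confined or unconfined process on the system. A crash handler arguably has to inspect an arbitrary crashing peer, but the hunk does not say so; a comment such as `# apport must read any crashing process, so no peer restriction` above the rule would record that the broadening is deliberate. The new journal globs under `/{run,var}/log/journal/@{hex32}/` also grant read of every user's journal files, which is consistent with the system-wide role but worth the same one-line justification.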
@@ -41,27 +41,32 @@ profile apport-gtk @{exec_path} { @{bin}/dpkg-query rpx, @{bin}/gdb rCx -> gdb, @{bin}/gsettings rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/journalctl rPx, - @{bin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/md5sum rix, - @{bin}/pkexec rPx, # TODO: rCx or something + @{bin}/pkexec rCx -> pkexec, + @{bin}/readlink rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, + @{bin}/uname rix, @{bin}/which{,.debianutils} rix, + @{sbin}/killall5 rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, + @{bin}/* r, + @{sbin}/* r, + /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, /etc/apport/{,**} r, - /etc/cloud/cloud.cfg.d/{,**} r, /etc/bash_completion.d/apport_completion r, + /etc/cloud/{,**} r, /etc/cron.daily/apport r, /etc/default/apport r, /etc/gtk-3.0/settings.ini r, @@ -69,19 +74,22 @@ profile apport-gtk @{exec_path} { /etc/logrotate.d/apport r, /etc/xdg/autostart/*.desktop r, - /var/crash/{,*.@{uid}.crash} rw, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, /var/lib/usbutils/*.ids r, /var/lib/dpkg/info/*.md5sums r, /var/log/installer/media-info r, - @{run}/snapd.socket rw, + /var/crash/ rw, + owner /var/crash/*.@{uid}.{crash,upload} rw, - /tmp/[a-z0-9]* rw, - /tmp/apport_core_* rw, - /tmp/launchpadlib.cache.[a-z0-9]*/ rw, - /tmp/tmp[a-z0-9]*/{,**} rw, + @{run}/cloud-init/cloud.cfg r, + @{run}/snapd.socket rw, + + owner @{tmp}/@{word8} rw, + owner @{tmp}/apport_core_@{rand8} rw, + owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, + owner @{tmp}/tmp@{rand8}/{,**} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, 
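Review bot: `/etc/cloud/{,**} r,` replaces the narrower `/etc/cloud/cloud.cfg.d/{,**} r,` and so also covers whatever else lives under `/etc/cloud/`, including any locally placed user-data or datasource configuration that may carry credentials; if the report collection only reads the cfg directory and `cloud.cfg`, listing those two paths keeps the read surface explicit. The added `@{bin}/* r,` and `@{sbin}/* r,` read rules are low risk on their own but a short comment saying why a GUI reporter needs to read every binary (presumably for checksum or package-ownership lookups) would help. The profile body continues past the end of this hunk.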
@@ -99,14 +107,14 @@ profile apport-gtk @{exec_path} { include @{bin}/gdb mr, - + @{bin}/iconv rix, @{bin}/* r, /usr/share/gcc/python/{,**/}__pycache__/{,**} rw, + /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, @@ -120,10 +128,26 @@ profile apport-gtk @{exec_path} { include if exists } + profile pkexec { + include + include + + include if exists + } + profile systemctl { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd1, label=unconfined), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label=unconfined), + include if exists } diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index c200de4d5..2555d0373 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 54c116677..e8f03807d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), 
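Review bot: The new `profile pkexec { ... }` child shows only two includes and the `include if exists` line, with no `@{bin}/pkexec mr,` and no exec rule for whatever pkexec is expected to launch, so unless one of the (stripped) includes supplies them the `rCx -> pkexec` transition will fail on the setuid binary itself. Since pkexec escalates to root, the child should name its target with an explicit `rPx` transition rather than inheriting this child's rules, and a comment such as `# pkexec is only used to launch <helper> for privileged report steps` would document the intended scope. The sibling `systemctl` child gained two `dbus send` rules with `label=unconfined` peers, which is expected for PID 1 and fine as written.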
@@ -20,10 +20,9 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/{,**} r, /var/lib/ubuntu-advantage/apt-esm/{,**} rw, + /var/log/ubuntu-advantage-apt-hook.log w, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - @{run}/cloud-init/cloud-id-nocloud r, + @{run}/cloud-init/cloud-id-* r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news new file mode 100644 index 000000000..91c8b29cc --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt_news @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py +profile apt_news @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability chown, + capability fowner, + capability kill, + capability setgid, + capability setuid, + + signal send set=int peer=apt-methods-*, + + @{exec_path} mr, + + @{lib}/apt/methods/* Px, + + /etc/ubuntu-advantage/uaclient.conf r, + + @{run}/ubuntu-advantage/ rw, + @{run}/ubuntu-advantage/apt-news/{,**} rw, + + owner @{run}/ubuntu-advantage/apt-news/** rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index a6db303e5..2b7b2b4ee 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -2,18 +2,15 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include - include + include include - include - include include include include 
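Review bot: In the new apt_news profile, `owner @{run}/ubuntu-advantage/apt-news/** rw,` is fully subsumed by the preceding `@{run}/ubuntu-advantage/apt-news/{,**} rw,`, so the `owner` qualifier has no effect; keep one of the two, and if ownership should actually be enforced, drop the unqualified `**` rule instead. The capability set (`chown`, `fowner`, `kill`, `setgid`, `setuid`) is broad for a news-fetching script; a one-line comment per non-obvious capability, e.g. `# kill: signal apt-methods children on timeout`, would make the grant reviewable against the `signal send set=int peer=apt-methods-*,` rule it accompanies. `@{lib}/apt/methods/* Px,` without `r` is valid but differs from the `rPx` form used elsewhere on this page.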
@@ -29,11 +26,11 @@ profile check-new-release-gtk @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, - @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, - @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index c66587969..a80a4f729 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,21 +14,15 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, - @{bin}/{,da,ba}sh rix, - @{bin}/fanctl rix, - @{bin}/flock rix, - @{bin}/grep rix, - @{bin}/id rix, + @{sh_path} rix, + @{sbin}/fanctl rPx, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, - @{bin}/touch rix, /etc/network/fan r, - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - include if exists } diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index a2f93f42d..e9c4c9ab3 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include 
@@ -26,8 +26,8 @@ profile do-release-upgrade @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, @@ -37,10 +37,15 @@ profile do-release-upgrade @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, /var/lib/update-manager/* rw, - /var/cache/apt/pkgcache.bin{,.*} rw, - owner @{PROC}/@{pid}/fd/ r, + /var/cache/apt/ rw, + /var/cache/apt/pkgcache.bin rw, + /var/cache/apt/pkgcache.bin.@{rand6} rw, + /var/cache/apt/srcpkgcache.bin rw, + /var/cache/apt/srcpkgcache.bin.@{rand6} rw, + @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/ubuntu/pro b/apparmor.d/groups/ubuntu/esm_cache similarity index 52% rename from apparmor.d/groups/ubuntu/pro rename to apparmor.d/groups/ubuntu/esm_cache index c00b07587..53238564a 100644 --- a/apparmor.d/groups/ubuntu/pro +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -1,20 +1,19 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/pro -profile pro @{exec_path} { +@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py +profile esm_cache @{exec_path} { include - include include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl new file mode 100644 index 000000000..ef278da63 --- /dev/null +++ b/apparmor.d/groups/ubuntu/fanctl 
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/fanctl +profile fanctl @{exec_path} flags=(attach_disconnected) { + include + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/flock ix, + @{bin}/id ix, + @{bin}/touch ix, + @{bin}/mkdir ix, + @{bin}/ip ix, + @{bin}/sed ix, + + /etc/network/fan r, + + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index 0752e6358..c85fb9966 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -2,20 +2,20 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/{,**} r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 93059dc34..5e4b09ce3 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -2,22 +2,22 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include + include include - include @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, - @{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, /etc/machine-id r, 
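Review bot: The new fanctl profile lists its helpers as `@{bin}/flock ix,`, `@{bin}/id ix,`, `@{bin}/touch ix,`, `@{bin}/mkdir ix,`, `@{bin}/ip ix,` and `@{bin}/sed ix,` while the line above uses `@{sh_path} rix,`; every other profile on this page writes inherited execs as `rix`, so for consistency these should read `@{bin}/flock rix,` and so on, and the list is not sorted (touch, mkdir, ip, sed) as the rest of the tree's exec blocks are. `@{bin}/ip ix,` inherits `network netlink raw` from this profile, which is what ip needs, so the inherit is reasonable; a comment noting that would save the next reader checking. The lock and run-dir rules moved here from cron-ubuntu-fan look complete for the hunk.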
diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 14f21729f..fb8eb259e 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -2,29 +2,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include include - include - include include - include - include + include @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, - /usr/share/X11/{,**} r, - - @{run}/user/@{uid}/gdm/Xauthority r, - include if exists } diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required index 0c7d008e8..ee9e22e21 100644 --- a/apparmor.d/groups/ubuntu/notify-reboot-required +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/notify-updates-outdated b/apparmor.d/groups/ubuntu/notify-updates-outdated index 39ce41c73..a42b3ba1c 100644 --- a/apparmor.d/groups/ubuntu/notify-updates-outdated +++ b/apparmor.d/groups/ubuntu/notify-updates-outdated @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index bba0add83..1703d27cd 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader 
@@ -2,17 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include + include + include include include + capability dac_read_search, + @{exec_path} mr, /var/lib/update-notifier/package-data-downloads/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 6876687e2..8cf3ed885 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - # mqueue r type=posix /, + mqueue (read,getattr) type=posix /, ptrace (read), diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index 3130f196e..b5d7d2885 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,6 +22,8 @@ profile release-upgrade-motd @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, + @{run}/motd.dynamic.new w, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 2def932dc..72e016573 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus 
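Review bot: `capability dac_read_search,` is added to package-data-downloader without a comment naming the path it is needed for; this capability bypasses directory read/search permission on everything the profile can reach, so the trigger should be recorded next to it, e.g. `# dac_read_search: TODO name the root-only path read during download`. The new hwclock profile further down has the same pattern with `capability audit_write,` and `network netlink raw,` carrying no note on what is audited. The include names are stripped on this page, so I cannot tell whether an abstraction already documents either grant.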
@@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include @@ -19,18 +19,23 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=software-properties-gtk), + peer=(name=@{busname}, label=software-properties-gtk), + + dbus receive bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload + peer=(name=@{busname}, label=software-properties-gtk), @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/apt/apt.conf.d/10periodic w, /etc/apt/sources.list{,.save} rw, @@ -39,9 +44,9 @@ profile software-properties-dbus @{exec_path} { /usr/share/distro-info/*.csv r, /usr/share/xml/iso-codes/{,**} r, - owner @{tmp}/???????? rw, # unconventional '_' tail - owner @{tmp}/tmp????????/ w, # change to 'c' - owner @{tmp}/tmp????????/apt.conf w, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8}/ w, # change to 'c' + owner @{tmp}/tmp@{word8}/apt.conf w, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 9db3ec332..836adbb55 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -2,65 +2,45 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/software-properties-gtk -profile software-properties-gtk @{exec_path} { +profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include - include - include + include + include include include - include include include include include include - dbus bind bus=session name=com.ubuntu.SoftwareProperties, - dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties - interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}} - peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk), - dbus send bus=system path=/ - interface=com.ubuntu.SoftwareProperties - peer=(name=:*, label=software-properties-dbus), + #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=ubuntu-advantage-desktop-daemon), - - dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=ubuntu-advantage-desktop-daemon), + #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} r, - @{bin}/{,da,ba}sh rix, + @{sh_path} rix, + @{python_path} r, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/ubuntu-advantage rPx, /usr/share/distro-info/*.csv r, /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, 
/usr/share/software-properties/{,**} r, - /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -73,9 +53,13 @@ profile software-properties-gtk @{exec_path} { /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/ubuntu-advantage/status.json r, - owner @{tmp}/???????? rw, - owner @{tmp}/tmp????????/ rw, # change to 'c' - owner @{tmp}/tmp????????/apt.conf rw, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8}/ rw, + owner @{tmp}/tmp@{word8}/apt.conf rw, + + /dev/shm/ r, + owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, + owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @@ -90,6 +74,7 @@ profile software-properties-gtk @{exec_path} { owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 08886b640..8f673e261 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,9 +22,9 @@ profile subiquity-console-conf @{exec_path} { @{exec_path} mr, - @{bin}/{,da,ba}sh rix, + @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, 
@@ -35,10 +35,10 @@ profile subiquity-console-conf @{exec_path} { @{bin}/journalctl rCx -> journalctl, @{bin}/ssh-keygen rPx, - @{bin}/sshd rPx, + @{sbin}/sshd rPx, @{bin}/snap rPUx, - /usr/lib/snapd/snap-recovery-chooser rPUx, - /usr/share/netplan/netplan.script rPUx, # TODO: rPx, + @{lib}/snapd/snap-recovery-chooser rPUx, + /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, /usr/share/subiquity/console-conf-tui rix, @@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} { @{run}/snapd-recovery-chooser-triggered r, @{run}/snapd.socket rw, - @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # For motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/devices/ r, @{sys}/*/*/ r, @@ -109,6 +109,7 @@ profile subiquity-console-conf @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index bb5f81b82..4ede61bc8 100644 
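Review bot: `/usr/share/netplan/netplan.script rPx,` drops the `U` fallback, so the exec now fails outright unless a profile attached to netplan.script is loaded on the target; the removed TODO says that profile was the goal, but this hunk does not show it and I cannot see whether the commit adds it elsewhere. If it exists, a trailing note such as `/usr/share/netplan/netplan.script rPx, # requires the netplan.script profile` makes the coupling visible; if it does not, keep `rPUx` until it lands.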
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -2,18 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include - include + include capability dac_read_search, capability setgid, @@ -29,13 +29,12 @@ profile ubuntu-advantage @{exec_path} { @{exec_path} mr, - @{bin}/ischroot rix, - @{bin}/apt rPx, @{bin}/apt-cache rPx, @{bin}/apt-config rPx, @{bin}/apt-get rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/ps rPx, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, @@ -53,15 +52,18 @@ profile ubuntu-advantage @{exec_path} { /etc/machine-id r, + owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, + owner @{tmp}/tmp[0-9a-z]*/apt.conf r, owner @{tmp}/[0-9a-z]*{,/} rw, owner @{tmp}/[0-9a-z]*/apt-helper-output rw, @{run}/ubuntu-advantage/{,**} rw, - @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { @@ -87,6 +89,7 @@ profile ubuntu-advantage @{exec_path} { /dev/kmsg w, + include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon index 2e35697c0..5265a2df3 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
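Review bot: The new `owner @{tmp}/tmp[0-9a-z]*/apt.conf r,` spells the tempdir name with a raw `[0-9a-z]*` glob, while this same commit converts the equivalent apt.conf rules in software-properties-dbus and software-properties-gtk to `@{tmp}/tmp@{word8}/apt.conf`; two spellings of the same tempfile pattern will drift apart. If the tempdir here has the same shape, `owner @{tmp}/tmp@{word8}/apt.conf r,` keeps them aligned, and the neighbouring `[0-9a-z]*` context lines could be migrated in the same pass.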
@@ -14,17 +14,8 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected) capability sys_nice, - dbus bind bus=system name=com.canonical.UbuntuAdvantage, - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=software-properties-gtk), - - dbus receive bus=system - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=software-properties-gtk), + #aa:dbus own bus=system name=com.canonical.UbuntuAdvantage + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties label=software-properties-gtk @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 2f539bac8..a44e226bc 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -2,27 +2,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include include - include - include include - include - include + include @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, - /usr/share/X11/xkb/{,**} r, - include if exists } diff --git a/apparmor.d/groups/ubuntu/ubuntu-distro-info b/apparmor.d/groups/ubuntu/ubuntu-distro-info index a444aada3..6806a4e27 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-distro-info +++ b/apparmor.d/groups/ubuntu/ubuntu-distro-info @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net new file mode 100644 index 000000000..ab83ebed4 --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net 
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-fan/fan-net +profile ubuntu-fan-net @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} mr, + @{bin}/{m,g,}awk ix, + @{bin}/kmod Cx -> kmod, + @{bin}/{,e}grep ix, + @{bin}/networkctl Px, + @{sbin}/fanctl Px, + + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 5edc9ebd2..65fa3eaa0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,9 +21,7 @@ profile ubuntu-report @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{user_cache_dirs}/ubuntu-report/{,*} r, - - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + owner @{user_cache_dirs}/ubuntu-report/{,*} rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 0ee70c39b..873f06b67 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -2,29 +2,27 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include - include + include include - include include include - include include include include - include include include include include include include + include network inet dgram, network inet6 dgram, 
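Review bot: The `kmod` child profile grants `capability sys_module` but nothing in the hunk says which module fan-net loads, and its only visible file rule is `@{sys}/module/compression r` (the include name is stripped on this page, so I cannot tell what else it brings in). Module loading is the most powerful operation this profile permits, so a comment above `profile kmod {` stating the intent lets a reviewer check the child's scope against it, e.g. `# kmod is only used by fan-net to load its networking module — TODO name the module`.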
@@ -43,16 +41,16 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/python3/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, @@ -62,7 +60,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /etc/ubuntu-advantage/uaclient.conf r, /etc/update-manager/{,**} r, - /boot/ r, + @{efi}/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, @@ -70,7 +68,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - @{run}/systemd/inhibit/*.ref w, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index b0e62994f..c244f2902 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,19 +12,21 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{exec_path} mr, - @{bin}/dumpe2fs rPx, + @{sbin}/dumpe2fs rPx, @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, @{bin}/cut rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{bin}/mount rCx -> mount, @{bin}/stat rix, /var/lib/update-notifier/fsck-at-reboot rw, + @{run}/motd.dynamic.new w, + @{PROC}/uptime r, /dev/tty@{int} rw, @@ -45,6 +47,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index bf1acfb1b..09775cb6f 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include @@ -18,7 +18,7 @@ profile update-motd-updates-available @{exec_path} { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/apt-config rPx, @@ -26,8 +26,8 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dirname rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 999502dbc..06e851b45 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
@@ -2,58 +2,44 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include + include include - include include include - include - include include - include include include include + include include - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt + #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell - dbus receive bus=session path=/org/ayatana/NotificationItem/software_update_available - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch{,/Menu} - interface=org.freedesktop.DBus.Properties - member=={Get,GetAll} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch/Menu - interface=com.canonical.dbusmenu - member={AboutToShow,GetGroupProperties,GetLayout} - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/ayatana/NotificationItem/* - interface=org.kde.StatusNotifierItem - peer=(name=org.freedesktop.DBus, label=gnome-shell), + dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending + interface=com.ubuntu.UnattendedUpgrade.Pending + member=Finished + peer=(name=@{busname}, label=unattended-upgrade), @{exec_path} mr, @{sh_path} rix, @{bin}/ionice rix, - @{bin}/ischroot rix, @{bin}/nice rix, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, + @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/systemctl rCx -> systemctl, 
@@ -65,8 +51,9 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + @{open_path} Cx -> open, - @{lib}/python3.@{int}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, @@ -85,12 +72,23 @@ profile update-notifier @{exec_path} { @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + ptrace read peer=update-notifier, + + @{lib}/update-notifier/package-system-locked Px, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, + + include if exists + } + profile systemctl { include include - include - - unix (bind) type=stream addr=@@{hex16}/bus/systemctl/system, dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager @@ -100,6 +98,13 @@ profile update-notifier @{exec_path} { include if exists } + profile open { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash new file mode 100644 index 000000000..4926c0b1c --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-notifier-crash 
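Review bot: The new `pkexec` child profile carries no comment saying why a setuid-root helper is confined as a child of update-notifier rather than transitioned to the project-wide pkexec profile; the `# TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked` that explained this intent on the old `rPx` line is removed in the previous hunk, so the reasoning is now lost. The child's own `@{lib}/update-notifier/package-system-locked Px,` suggests that is its only purpose, so I would state it above `profile pkexec {`, e.g. `# update-notifier only calls pkexec to start package-system-locked; keep it as a child profile so its rules stay minimal`.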
@@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/update-notifier/update-notifier-crash +profile update-notifier-crash @{exec_path} { + include + include + + @{exec_path} mr, + + @{bin}/{,e}grep ix, + @{bin}/groups Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/which{,.debianutils} rix, + @{sh_path} mr, + /usr/share/apport/apport-checkreports Px, + + owner @{HOME}/ r, + + profile systemctl { + include + include + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/groups/usb/lsusb similarity index 70% rename from apparmor.d/profiles-g-l/lsusb rename to apparmor.d/groups/usb/lsusb index eadda4785..a10659292 100644 --- a/apparmor.d/profiles-g-l/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -3,15 +3,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/lsusb +@{exec_path} = @{bin}/lsusb @{bin}/lsusb.py profile lsusb @{exec_path} { include include - include + include + + capability net_admin, + capability sys_admin, network netlink raw, @@ -19,6 +22,8 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, + /dev/bus/usb/@{int}/@{int} w, + include if exists } diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/groups/usb/usb-devices similarity index 95% rename from apparmor.d/profiles-s-z/usb-devices rename to apparmor.d/groups/usb/usb-devices index 94e6526ab..59ff12feb 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/groups/usb/usb-devices @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
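Review bot: lsusb gains `capability net_admin,` and `capability sys_admin,` (hunk @@ -3,15) plus write access to every USB device node, `/dev/bus/usb/@{int}/@{int} w,` (hunk @@ -19,6), with no comment stating which operation needs them; sys_admin in particular is broad enough that a reader should be able to tie it to a specific call. If these came from denials while running `lsusb -v` or the newly attached `@{bin}/lsusb.py`, record that, e.g. `# sys_admin, net_admin: TODO name the ioctl/call that triggers them` above the capabilities and `# device nodes are opened read-write for USBDEVFS ioctls — confirm` above the device rule. If only the Python script needs the write access, a separate profile for it would keep the plain lsusb binary read-only on device nodes.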
@@ -22,6 +22,7 @@ profile usb-devices @{exec_path} { @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/sed rix, @{bin}/cut rix, @{bin}/find rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/groups/usb/usbguard similarity index 98% rename from apparmor.d/profiles-s-z/usbguard rename to apparmor.d/groups/usb/usbguard index deb5ef46d..798352c89 100644 --- a/apparmor.d/profiles-s-z/usbguard +++ b/apparmor.d/groups/usb/usbguard @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt similarity index 85% rename from apparmor.d/profiles-s-z/usbguard-applet-qt rename to apparmor.d/groups/usb/usbguard-applet-qt index bc004b86f..558b9093c 100644 --- a/apparmor.d/profiles-s-z/usbguard-applet-qt +++ b/apparmor.d/groups/usb/usbguard-applet-qt @@ -3,29 +3,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { include - include - include - include - include - include - include - include - include + include include + include + include include + include # Needed? ptrace (read), @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, @@ -37,11 +36,6 @@ profile usbguard-applet-qt @{exec_path} { owner @{PROC}/@{pid}/cmdline r, - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - include if exists } diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/groups/usb/usbguard-daemon similarity index 94% rename from apparmor.d/profiles-s-z/usbguard-daemon rename to apparmor.d/groups/usb/usbguard-daemon index d6c05f782..1fb97459d 100644 
--- a/apparmor.d/profiles-s-z/usbguard-daemon +++ b/apparmor.d/groups/usb/usbguard-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,8 +24,8 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/usbguard/{,**} r, /etc/usbguard/*.conf rw, - /etc/usbguard/IPCAccessControl.d/{,*} r, owner @{run}/usbguard.pid rwk, diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/groups/usb/usbguard-dbus similarity index 98% rename from apparmor.d/profiles-s-z/usbguard-dbus rename to apparmor.d/groups/usb/usbguard-dbus index b02524d55..d406d5262 100644 --- a/apparmor.d/profiles-s-z/usbguard-dbus +++ b/apparmor.d/groups/usb/usbguard-dbus @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/groups/usb/usbguard-notifier similarity index 97% rename from apparmor.d/profiles-s-z/usbguard-notifier rename to apparmor.d/groups/usb/usbguard-notifier index 48f88d0aa..963fcb2e8 100644 --- a/apparmor.d/profiles-s-z/usbguard-notifier +++ b/apparmor.d/groups/usb/usbguard-notifier @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/groups/utils/agetty similarity index 76% rename from apparmor.d/profiles-a-f/agetty rename to apparmor.d/groups/utils/agetty index c15748c6a..9ae450196 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/groups/utils/agetty @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/agetty +@{exec_path} = @{sbin}/agetty profile agetty @{exec_path} { include include 
@@ -20,20 +20,23 @@ profile agetty @{exec_path} { network netlink raw, + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, @{bin}/login rPx, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, @{etc_rw}/issue r, /{,usr/}lib/os-release r, /{etc,run,lib,usr/lib}/issue r, /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, - /etc/login.defs r, - /etc/login.defs.d/ r, /etc/os-release r, - /usr/etc/login.defs r, + @{run}/credentials/getty@tty@{int}.service/ r, + @{run}/credentials/serial-getty@ttyS@{int}.service/ r, owner @{run}/agetty.reload rw, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/groups/utils/blkid similarity index 74% rename from apparmor.d/profiles-a-f/blkid rename to apparmor.d/groups/utils/blkid index ad8134064..4105a7419 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/groups/utils/blkid @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/blkid +@{exec_path} = @{sbin}/blkid profile blkid @{exec_path} flags=(attach_disconnected) { include include @@ -23,6 +23,8 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{etc_rw}/blkid.tab{,-@{rand6}} rw, @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab, + /.ismount-test-file rw, + # Image files @{user_img_dirs}/{,**} r, @@ -32,13 +34,20 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - @{run}/cloud-init/ds-identify.log w, # file_inherit - - # For the EVALUATE=scan method + @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, + @{PROC}/swaps r, + + # Other possible location of the cache file + /dev/.blkid.tab.old rwl -> /dev/.blkid.tab, + /dev/.blkid.tab{,-@{rand6}} rw, + /dev/blkid.tab.old rwl -> /dev/blkid.tab, owner /dev/tty@{int} rw, + # file_inherit + deny @{run}/cloud-init/ds-identify.log w, + include if exists } 
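Review bot: `/.ismount-test-file rw,` lets blkid create and write a file directly under `/` with no comment explaining it, while the other additions in this hunk are annotated (`# Other possible location of the cache file`, `# file_inherit`). This looks like a read-only mount-point probe that creates and removes a test file at the mount root, but the hunk does not say, so I would add `# Mount-point read-only probe — creates and removes a test file at the mount root; confirm which caller triggers it` above the rule and note whether `/` alone is sufficient given the probe targets whatever mount is being checked.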
diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/groups/utils/blockdev similarity index 83% rename from apparmor.d/profiles-a-f/blockdev rename to apparmor.d/groups/utils/blockdev index 1b6cc77cb..0c5e7b17c 100644 --- a/apparmor.d/profiles-a-f/blockdev +++ b/apparmor.d/groups/utils/blockdev @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/blockdev +@{exec_path} = @{sbin}/blockdev profile blockdev @{exec_path} { include - include + include capability sys_admin, diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/groups/utils/chfn similarity index 86% rename from apparmor.d/profiles-a-f/chfn rename to apparmor.d/groups/utils/chfn index 162a08b84..45b50c7ad 100644 --- a/apparmor.d/profiles-a-f/chfn +++ b/apparmor.d/groups/utils/chfn @@ -3,26 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/chfn profile chfn @{exec_path} { include + include + include include include - include include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # chfn is a SETUID binary + capability net_admin, capability setuid, network netlink raw, diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/groups/utils/chsh similarity index 79% rename from apparmor.d/profiles-a-f/chsh rename to apparmor.d/groups/utils/chsh index ffcdb5bdf..e3581be31 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/groups/utils/chsh 
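Review bot: The chfn hunk deletes the three comments that justified its capabilities (`# To write records to the kernel auditing log.`, `# To set the right permission to the files in the /etc/ dir.`, `# chfn is a SETUID binary`) and at the same time adds `capability net_admin,` with no justification; the chsh hunk on the next line makes the same two changes. For a setuid binary the capability block is exactly where a reviewer wants a why-comment, so I would keep the old comments and add one for the new grant, e.g. `# net_admin: presumably raised by the audit netlink socket — confirm from the denial before keeping`. If net_admin turns out to be a noisy denial rather than a needed grant, a `deny capability net_admin,` silencer is the narrower option.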
@@ -3,40 +3,40 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include include + include + include include + include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # gpasswd is a SETUID binary + capability net_admin, capability setuid, network netlink raw, - @{exec_path} mr, + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" - owner @{PROC}/@{pid}/loginuid r, + @{exec_path} mr, /etc/shells r, + /etc/.chsh.@{rand6} rw, /etc/passwd rw, /etc/passwd- w, - /etc/passwd+ rw, /etc/passwd.@{pid} w, /etc/passwd.lock wl -> /etc/passwd.@{pid}, + /etc/passwd.OLD wl -> /etc/passwd, + /etc/passwd+ rw, /etc/shadow r, @@ -44,6 +44,8 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/groups/utils/df similarity index 88% rename from apparmor.d/profiles-a-f/df rename to apparmor.d/groups/utils/df index 18b3687e1..baceace65 100644 --- a/apparmor.d/profiles-a-f/df +++ b/apparmor.d/groups/utils/df @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/df -profile df @{exec_path} { +profile df @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/groups/utils/dmesg similarity index 73% rename from apparmor.d/profiles-a-f/dmesg rename to apparmor.d/groups/utils/dmesg index 6dcd5cbb8..2976d1316 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/groups/utils/dmesg 
@@ -3,28 +3,27 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dmesg -profile dmesg @{exec_path} { +profile dmesg @{exec_path} flags=(attach_disconnected) { include include capability dac_read_search, + capability sys_admin, capability syslog, @{exec_path} mr, - @{sh_path} rix, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{sh_path} rix, + @{pager_path} rPx -> child-pager, /usr/share/terminfo/** r, - owner @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/pid_max r, /dev/kmsg r, diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/groups/utils/eject similarity index 97% rename from apparmor.d/profiles-a-f/eject rename to apparmor.d/groups/utils/eject index bd467c2be..84168322a 100644 --- a/apparmor.d/profiles-a-f/eject +++ b/apparmor.d/groups/utils/eject @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/groups/utils/findmnt similarity index 97% rename from apparmor.d/profiles-a-f/findmnt rename to apparmor.d/groups/utils/findmnt index 7fb7c9e1b..0c027dc2c 100644 --- a/apparmor.d/profiles-a-f/findmnt +++ b/apparmor.d/groups/utils/findmnt @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { /etc/fstab r, /etc/mtab r, - + @{PROC}/@{pids}/mountinfo r, # File Inherit diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/groups/utils/fsck similarity index 90% rename from apparmor.d/profiles-a-f/fsck rename to apparmor.d/groups/utils/fsck index d04b32e96..e2537b21c 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/groups/utils/fsck 
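Review bot: `capability sys_admin,` is added to dmesg directly above the existing `capability syslog,` with no comment on which operation needs it; reading and clearing the kernel ring buffer is what CAP_SYSLOG covers, so this is a large widening for a log reader. If it was added from an observed denial, it is worth citing that denial so a later reviewer can re-test it, e.g. `# sys_admin: <denial — TODO confirm, syslog alone should cover the ring buffer>`. Dropping `owner` from `@{PROC}/sys/kernel/pid_max r,` in the same hunk is harmless.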
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/fsck +@{exec_path} = @{sbin}/fsck profile fsck @{exec_path} flags=(attach_disconnected) { include include @@ -18,15 +18,15 @@ profile fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck.* rPx, /etc/fstab r, # When a mount dir is passed to fsck as an argument. @{HOME}/ r, @{MOUNTS}/ r, - /boot/ r, + @{efi}/ r, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim new file mode 100644 index 000000000..87bd7fad5 --- /dev/null +++ b/apparmor.d/groups/utils/fstrim @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/fstrim +profile fstrim @{exec_path} flags=(attach_disconnected) { + include + include + + capability dac_override, + capability sys_admin, + + @{exec_path} mr, + + /etc/fstab r, + + @{HOMEDIRS}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + / r, + @{efi}/ r, + /var/ r, + + @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/hwclock b/apparmor.d/groups/utils/hwclock new file mode 100644 index 000000000..d1433a605 --- /dev/null +++ b/apparmor.d/groups/utils/hwclock @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/hwclock +profile hwclock @{exec_path} { + include + include + + capability audit_write, + capability sys_time, + + network netlink raw, + + @{exec_path} mr, + + /etc/adjtime rw, + + @{sys}/devices/pnp@{int}/*/rtc/rtc@{int}/{,*} r, + + /dev/rtc@{int} r, + + include if exists +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/groups/utils/locale-gen similarity index 92% rename from apparmor.d/profiles-g-l/locale-gen rename to apparmor.d/groups/utils/locale-gen index 093074d1b..5366f1403 100644 --- a/apparmor.d/profiles-g-l/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/locale-gen +@{exec_path} = @{sbin}/locale-gen profile locale-gen @{exec_path} { include include @@ -18,6 +18,7 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/groups/utils/login similarity index 74% rename from apparmor.d/profiles-g-l/login rename to apparmor.d/groups/utils/login index c93553030..cf9663e8e 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/groups/utils/login @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, 
@@ -30,39 +31,40 @@ profile login @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (send) set=(hup term), - - unix type=stream addr=@@{hex16}/bus/login/system, + signal send set=(hup term), ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, - @{bin}/@{shells} rUx, + @{shells_path} Ux, #aa:exclude RBAC @{etc_ro}/environment r, + @{etc_ro}/security/group.conf r, + @{etc_ro}/security/limits.conf r, @{etc_ro}/security/limits.d/{,*} r, + @{etc_ro}/security/pam_env.conf r, /etc/default/locale r, /etc/legal r, /etc/machine-id r, /etc/motd r, /etc/motd.d/ r, - /etc/security/group.conf r, - /etc/security/limits.conf r, - /etc/security/pam_env.conf r, /etc/shells r, + /var/lib/faillock/@{user} rwk, + /var/lib/lastlog/ r, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, - @{run}/motd.d/{,*} r, - @{run}/dbus/system_bus_socket rw, + @{att}/@{run}/systemd/sessions/@{int}.ref w, + + @{run}/credentials/getty@tty@{int}.service/ r, @{run}/faillock/@{user} rwk, + @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, - @{run}/systemd/sessions/*.ref rw, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/groups/utils/losetup similarity index 63% rename from apparmor.d/profiles-g-l/losetup rename to apparmor.d/groups/utils/losetup index fb8b448d1..9b32074ba 100644 --- a/apparmor.d/profiles-g-l/losetup +++ b/apparmor.d/groups/utils/losetup 
@@ -2,26 +2,31 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/losetup +@{exec_path} = @{sbin}/losetup profile losetup @{exec_path} { include include + include capability dac_override, capability dac_read_search, - unix (receive) type=stream, + unix receive type=stream, @{exec_path} mr, - @{sys}/devices/**/usb[0-9]/{,**} r, + @{user_img_dirs}/** rw, + @{user_vm_dirs}/** rw, + + @{sys}/block/ r, + @{sys}/devices/virtual/block/loop@{int}/{,**} r, /dev/loop-control rw, - /dev/loop[0-9]* rw, + /dev/loop@{int} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/groups/utils/lsblk similarity index 83% rename from apparmor.d/profiles-g-l/lsblk rename to apparmor.d/groups/utils/lsblk index 56aad52b8..6fc1d5bb2 100644 --- a/apparmor.d/profiles-g-l/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/lsblk -profile lsblk @{exec_path} { +profile lsblk @{exec_path} flags=(attach_disconnected) { include include include @@ -27,6 +27,7 @@ profile lsblk @{exec_path} { # File Inherit deny network inet stream, deny network inet6 stream, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/groups/utils/lscpu similarity index 98% rename from apparmor.d/profiles-g-l/lscpu rename to apparmor.d/groups/utils/lscpu index 804e67632..caa2b5628 100644 --- a/apparmor.d/profiles-g-l/lscpu +++ b/apparmor.d/groups/utils/lscpu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd new file mode 100644 index 000000000..96e497ea6 --- /dev/null +++ b/apparmor.d/groups/utils/lsfd 
@@ -0,0 +1,69 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lsfd
+profile lsfd @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ capability bpf,
+ capability checkpoint_restore,
+ capability dac_read_search,
+ capability net_admin,
+ capability sys_admin,
+ capability sys_chroot,
+ capability sys_ptrace,
+ capability sys_resource,
+ capability syslog,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 raw,
+ network inet6 stream,
+ network inet6 stream,
+ network netlink dgram,
+ network netlink raw,
+ network packet dgram,
+
+ ptrace read,
+ ptrace trace,
+
+ mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int},
+
+ @{exec_path} mr,
+
+ / r,
+ @{att}/ r,
+
+ owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw,
+
+ @{run}/ r,
+ @{run}/netns/ r,
+
+ @{sys}/kernel/cpu_byteorder r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/comm r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fdinfo/@{int} r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/net/* r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/syscall r,
+ @{PROC}/@{pid}/task/ r,
+ @{PROC}/devices r,
+ @{PROC}/misc r,
+ @{PROC}/partitions r,
+ @{PROC}/tty/drivers r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc
new file mode 100644
index 000000000..7677a8a03
--- /dev/null
+++ b/apparmor.d/groups/utils/lsipc
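Review bot: `network inet6 stream,` is listed twice in a row in the new lsfd profile; one copy should go, since a duplicated rule reads like a typo for some other family (inet raw is absent while inet6 raw is present — worth checking against the denials). The capability list (bpf, checkpoint_restore, sys_admin, sys_ptrace, ...) together with `ptrace trace,` makes this a very privileged profile for a listing tool, so a one-line comment per unusual grant would help later reviewers judge whether each is still needed, e.g. `# sys_ptrace, checkpoint_restore, ptrace trace: inspecting other processes' fds — TODO confirm which calls need them`.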
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lsipc
+profile lsipc @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{PROC}/sys/fs/mqueue/msg_max r,
+ @{PROC}/sys/fs/mqueue/msgsize_max r,
+ @{PROC}/sys/fs/mqueue/queues_max r,
+ @{PROC}/sys/kernel/msgmax r,
+ @{PROC}/sys/kernel/msgmnb r,
+ @{PROC}/sys/kernel/msgmni r,
+ @{PROC}/sys/kernel/sem r,
+ @{PROC}/sys/kernel/shmall r,
+ @{PROC}/sys/kernel/shmmax r,
+ @{PROC}/sys/kernel/shmmni r,
+ @{PROC}/sysvipc/msg r,
+ @{PROC}/sysvipc/sem r,
+ @{PROC}/sysvipc/shm r,
+
+ /dev/mqueue/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks
new file mode 100644
index 000000000..44d2e1d01
--- /dev/null
+++ b/apparmor.d/groups/utils/lslocks
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lslocks
+profile lslocks @{exec_path} flags=(attach_disconnected) {
+ include
+
+ capability dac_read_search,
+ capability sys_ptrace,
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ @{sys}/devices/**/block/** r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/comm r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fdinfo/ r,
+ @{PROC}/@{pid}/fdinfo/@{int} r,
+ @{PROC}/locks r,
+ owner @{PROC}/@{pid}/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins
new file mode 100644
index 000000000..7393b47c0
--- /dev/null
+++ b/apparmor.d/groups/utils/lslogins
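Review bot: In the new lslocks profile, `owner @{PROC}/@{pid}/ r,` is fully subsumed by the unqualified `@{PROC}/@{pid}/ r,` a few lines above it and should be dropped; keeping both makes it look as if the `owner` restriction applies when it does not. The neighbouring `owner @{PROC}/@{pid}/mountinfo r,` has no unqualified counterpart and is fine as written.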
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslogins +profile lslogins @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/.pwd.lock w, + /etc/.pwd.lock wk, + /etc/login.defs r, + /etc/shadow r, + + /var/log/lastlog r, + /var/log/wtmp rk, + + @{run}/systemd/userdb/ r, + + @{PROC}/ r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns new file mode 100644 index 000000000..7fbf56896 --- /dev/null +++ b/apparmor.d/groups/utils/lsns @@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsns +profile lsns @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + capability sys_ptrace, + capability dac_read_search, + + network, + + ptrace read, + ptrace trace, + + @{exec_path} mr, + + @{att}/ r, + + @{run}/*/netns/** r, + @{run}/*/ns/** r, + + @{sys}/devices/**/block/** r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/groups/utils/lspci similarity index 76% rename from apparmor.d/profiles-g-l/lspci rename to apparmor.d/groups/utils/lspci index 0d6936d22..c6ac0fdcd 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/groups/utils/lspci @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
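Review bot: `network,` in the new lsns profile grants sockets of every family and type, far wider than the other profiles in this commit, which enumerate the families they use (lsfd on the previous line, for instance). lsns resolves network-namespace ids over netlink, so `network netlink raw,` is the likely minimum; suggest replacing the bare rule with that and confirming against the denial log. In the lslogins hunk on this same line, `/etc/.pwd.lock w,` is subsumed by the `/etc/.pwd.lock wk,` that follows it and can be removed.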
@@ -13,11 +13,13 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, - @{exec_path} mr, + network inet dgram, + network inet6 dgram, - /app/lib/libzypak-preload-host*.so rm, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, @@ -30,17 +32,22 @@ profile lspci @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.pciids-cache.tmp-*-@{pid} rw, owner @{HOME}/.pciids-cache rw, + owner @{user_cache_dirs}/pci-ids rw, @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/devices/@{pci}/** r, @{sys}/module/compression r, + @{PROC}/bus/pci/devices r, @{PROC}/cmdline r, @{PROC}/ioports r, - deny @{user_share_dirs}/gvfs-metadata/* r, + # file_inherit + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_cache_dirs}/*/** rw, include if exists } diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi new file mode 100644 index 000000000..f0e7b4df2 --- /dev/null +++ b/apparmor.d/groups/utils/lsscsi @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsscsi +profile lsscsi @{exec_path} { + include + include + + @{exec_path} mr, + + / r, + + /dev/ r, + /dev/** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/groups/utils/newgrp similarity index 94% rename from apparmor.d/profiles-m-r/newgrp rename to apparmor.d/groups/utils/newgrp index 1878b9b5e..1452f34fc 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/groups/utils/newgrp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
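Review bot: `/dev/** r,` in the new lsscsi profile allows read-open of every device node, block devices included, for a tool that builds its listing from sysfs. AppArmor does not mediate stat(), so if the rule only exists so lsscsi can walk /dev to map major:minor numbers to names, `/dev/ r,` plus `/dev/*/ r,` should be enough; if it really opens devices (for a size query, say), a narrower glob over the SCSI node names with a comment would be better — worth confirming from the denials before this lands. In the lspci hunk above, `deny owner @{user_cache_dirs}/*/** rw,` under `# file_inherit` silences a broad range; naming the application whose inherited fd triggered it in that comment would make it reviewable later.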
@@ -23,9 +23,9 @@ profile newgrp @{exec_path} { @{bin}/@{shells} rUx, - /etc/{passwd,group,shadow,gshadow} r, + @{etc_ro}/login.defs r, - /etc/login.defs r, + /etc/{passwd,group,shadow,gshadow} r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/groups/utils/nologin similarity index 90% rename from apparmor.d/profiles-m-r/nologin rename to apparmor.d/groups/utils/nologin index fad964b64..795a1aa35 100644 --- a/apparmor.d/profiles-m-r/nologin +++ b/apparmor.d/groups/utils/nologin @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/nologin +@{exec_path} = @{sbin}/nologin profile nologin @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/groups/utils/pstree similarity index 94% rename from apparmor.d/profiles-m-r/pstree rename to apparmor.d/groups/utils/pstree index a2630d212..4b75a0364 100644 --- a/apparmor.d/profiles-m-r/pstree +++ b/apparmor.d/groups/utils/pstree @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,6 +18,8 @@ profile pstree @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/terminfo/** r, + @{PROC} r, @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/groups/utils/su similarity index 53% rename from apparmor.d/profiles-s-z/su rename to apparmor.d/groups/utils/su index 429c48938..e5293021c 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/groups/utils/su 
@@ -3,28 +3,33 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} { +profile su @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability chown, # pseudo-terminal - signal (send) set=(term,kill), - signal (receive) set=(int,quit,term), - signal (receive) set=(cont,hup) peer=sudo, - - unix (bind) type=dgram, + signal send set=(term kill), + signal receive set=(int quit term), + signal receive set=(cont hup) peer=sudo, @{exec_path} mr, - @{bin}/@{shells} rUx, - @{bin}/nologin rPx, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{sbin}/nologin Px, + + @{etc_ro}/default/su r, + /etc/default/locale r, + /etc/environment r, + + @{HOME}/.xauth@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/groups/utils/sulogin similarity index 77% rename from apparmor.d/profiles-s-z/sulogin rename to apparmor.d/groups/utils/sulogin index 3793df043..2af869dab 100644 --- a/apparmor.d/profiles-s-z/sulogin +++ b/apparmor.d/groups/utils/sulogin @@ -2,16 +2,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/sulogin +@{exec_path} = @{sbin}/sulogin profile sulogin @{exec_path} { include + include include + capability checkpoint_restore, capability sys_admin, + capability sys_tty_config, @{exec_path} mr, @@ -22,9 +25,6 @@ profile sulogin @{exec_path} { @{PROC}/consoles r, - /dev/ r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/groups/utils/swaplabel similarity index 90% rename from apparmor.d/profiles-s-z/swaplabel rename to apparmor.d/groups/utils/swaplabel index 03d2fe8d0..16abf153d 100644 --- a/apparmor.d/profiles-s-z/swaplabel +++ b/apparmor.d/groups/utils/swaplabel 
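Review bot: The sulogin hunk adds `capability checkpoint_restore,` and `capability sys_tty_config,` without a comment, and it is not obvious from the rest of the profile which sulogin operation needs checkpoint_restore in particular. Since this is the emergency root-shell launcher, a short justification per line would help, e.g. `# checkpoint_restore: <denial — TODO confirm>`. The su hunk on this line is consistent with the login profile's `@{shells_path} Ux, #aa:exclude RBAC` style and needs nothing further.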
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/swaplabel +@{exec_path} = @{sbin}/swaplabel profile swaplabel @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/groups/utils/swapon similarity index 90% rename from apparmor.d/profiles-s-z/swapon rename to apparmor.d/groups/utils/swapon index 31ee2e93a..dd4aec8e2 100644 --- a/apparmor.d/profiles-s-z/swapon +++ b/apparmor.d/groups/utils/swapon @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/swapon @{bin}/swapoff +@{exec_path} = @{sbin}/swapon @{sbin}/swapoff profile swapon @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/groups/utils/sync similarity index 75% rename from apparmor.d/profiles-s-z/sync rename to apparmor.d/groups/utils/sync index 6bdb55732..9b47b4df2 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/groups/utils/sync @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,9 @@ profile sync @{exec_path} { @{exec_path} mr, + # All paths where sync can be used to flush all write operations on a single file to disk + /{,**} rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/groups/utils/umount similarity index 98% rename from apparmor.d/profiles-s-z/umount rename to apparmor.d/groups/utils/umount index e066dff89..66fae00bb 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/groups/utils/umount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/groups/utils/uname similarity index 76% rename from apparmor.d/profiles-s-z/uname rename to apparmor.d/groups/utils/uname index 4dd41a7bf..45a864c23 100644 
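Review bot: `/{,**} rw,` in the sync hunk amounts to removing file confinement from the profile: any path may be opened for read and write. sync only opens its arguments to call fsync/syncfs on them, and coreutils tries O_RDONLY first and falls back to O_WRONLY only when the read-open fails with EACCES, so the write side is the part that needs justifying. Suggest either splitting it as `/{,**} r,` and `owner /{,**} w,` (covering the realistic fallback case of a user's own write-only file), or extending the comment to say why unrestricted `w` is needed: `# opens O_RDONLY, falling back to O_WRONLY when read is denied (EACCES)`.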
--- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/groups/utils/uname @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,10 +14,11 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, deny network, - deny @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/groups/utils/users similarity index 96% rename from apparmor.d/profiles-s-z/users rename to apparmor.d/groups/utils/users index fbad304bf..67d7a83e7 100644 --- a/apparmor.d/profiles-s-z/users +++ b/apparmor.d/groups/utils/users @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd new file mode 100644 index 000000000..52f52b4a2 --- /dev/null +++ b/apparmor.d/groups/utils/uuidd @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/uuidd +profile uuidd @{exec_path} flags=(attach_disconnected) { + include + include + + capability dac_override, + + network inet dgram, + + @{exec_path} mr, + + owner /var/lib/libuuid/clock.txt rwk, + owner /var/lib/libuuid/clock-cont.txt rwk, + + @{att}/@{run}/uuidd/request rw, + + @{run}/uuidd/request rw, + @{run}/uuidd/uuidd.pid rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/groups/utils/uuidgen similarity index 78% rename from apparmor.d/profiles-s-z/uuidgen rename to apparmor.d/groups/utils/uuidgen index b00ed1f26..c056daaa0 100644 --- a/apparmor.d/profiles-s-z/uuidgen +++ b/apparmor.d/groups/utils/uuidgen 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,8 +11,14 @@ profile uuidgen @{exec_path} { include include + network inet dgram, + @{exec_path} mr, + owner /var/lib/libuuid/clock.txt w, + + @{run}/uuidd/request w, + include if exists } diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/groups/utils/whereis similarity index 90% rename from apparmor.d/profiles-s-z/whereis rename to apparmor.d/groups/utils/whereis index 330957a62..36e457998 100644 --- a/apparmor.d/profiles-s-z/whereis +++ b/apparmor.d/groups/utils/whereis @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile whereis @{exec_path} { @{exec_path} mr, @{bin}/{,*/} r, + @{sbin}/{,*/} r, @{lib}/ r, @{lib}/go-*/bin/ r, /usr/{local/,}games/ r, @@ -27,10 +28,10 @@ profile whereis @{exec_path} { /usr/src/{**,} r, /opt/ r, - /opt/cni/bin/ r, - /opt/containerd/bin/ r, + /opt/**/bin/ r, + /opt/**/lib/ r, - /etc/ r, + @{etc_ro}/ r, /snap/bin/ r, /var/lib/flatpak/exports/bin/ r, diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/groups/utils/who similarity index 72% rename from apparmor.d/profiles-s-z/who rename to apparmor.d/groups/utils/who index bed53e7e6..d9ca9e164 100644 --- a/apparmor.d/profiles-s-z/who +++ b/apparmor.d/groups/utils/who @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/who +@{exec_path} = @{bin}/{,gnu}who profile who @{exec_path} { include include @@ -18,7 +18,12 @@ profile who @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/* r, + + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } 
diff --git a/apparmor.d/groups/systemd/zramctl b/apparmor.d/groups/utils/zramctl similarity index 55% rename from apparmor.d/groups/systemd/zramctl rename to apparmor.d/groups/utils/zramctl index 0d1632924..29428a96f 100644 --- a/apparmor.d/groups/systemd/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/zramctl +@{exec_path} = @{sbin}/zramctl profile zramctl @{exec_path} { include include @@ -14,7 +14,15 @@ profile zramctl @{exec_path} { @{exec_path} mr, @{sys}/devices/virtual/block/zram@{int}/ r, + @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, + @{sys}/devices/virtual/block/zram@{int}/disksize w, + @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, + @{sys}/devices/virtual/block/zram@{int}/mm_stat r, + @{sys}/devices/virtual/block/zram@{int}/reset w, + + @{PROC}/swaps r, + owner @{PROC}/@{pid}/mounts r, /dev/ r, /dev/zram@{int} rw, diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 21914faf8..3192c7051 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -2,14 +2,14 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cni/bandwidth /opt/cni/bin/bandwidth profile cni-bandwidth @{exec_path} { include - + network inet dgram, network inet6 dgram, network inet stream, @@ -17,8 +17,6 @@ profile cni-bandwidth @{exec_path} { network netlink raw, @{exec_path} mr, - - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists } diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge index 37de32ae0..1e27d04a3 100644 --- a/apparmor.d/groups/virt/cni-bridge +++ b/apparmor.d/groups/virt/cni-bridge 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-bridge @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 7c39a7ad2..9015d2157 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -2,13 +2,14 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include + include capability sys_admin, capability net_admin, @@ -25,15 +26,13 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{exec_path}-ipam rix, / r, - + /etc/cni/net.d/{,**} r, - + /var/lib/calico/{,**} r, /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - - /usr/share/mime/globs2 r, - + @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, @@ -41,8 +40,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall index 866b9dc96..d5171e8dc 100644 --- a/apparmor.d/groups/virt/cni-firewall +++ b/apparmor.d/groups/virt/cni-firewall @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-firewall @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel index 05929a64c..6bdccec8c 100644 --- a/apparmor.d/groups/virt/cni-flannel 
+++ b/apparmor.d/groups/virt/cni-flannel @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){ @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local index bf555cfd8..5f645ce3f 100644 --- a/apparmor.d/groups/virt/cni-host-local +++ b/apparmor.d/groups/virt/cni-host-local @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){ @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index d05a303de..fd4f50df3 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,8 +21,6 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) { @{run}/netns/ r, @{run}/netns/cni-@{uuid} rw, - - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists } diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index db29f252c..0f2692ecf 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -15,11 +15,9 @@ profile cni-portmap @{exec_path} { network netlink raw, @{exec_path} mr, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, - - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists } diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning index ee7133b31..c6cc1f1dc 100644 --- a/apparmor.d/groups/virt/cni-tuning +++ b/apparmor.d/groups/virt/cni-tuning @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile cni-tuning @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft deleted file mode 100644 index d19f875bf..000000000 --- a/apparmor.d/groups/virt/cni-xtables-nft +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xtables-nft-multi -profile cni-xtables-nft { - include - include - include - - capability net_admin, - capability net_raw, - - network inet dgram, - network inet6 dgram, - network inet raw, - network inet6 raw, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - @{bin}/xtables-legacy-multi mr, - - /etc/libnl/classid r, - /etc/iptables/{,**} rw, - /etc/nftables.conf rw, - - @{PROC}/@{pids}/net/ip_tables_names r, -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cockpit-askpass b/apparmor.d/groups/virt/cockpit-askpass index daa5cf009..b46a415ac 100644 --- a/apparmor.d/groups/virt/cockpit-askpass +++ b/apparmor.d/groups/virt/cockpit-askpass 
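Review bot: The new `@{sbin}/xtables-nft-multi rPx -> cni-xtables-nft,` in cni-portmap still transitions to the `cni-xtables-nft` profile, but this same commit deletes `apparmor.d/groups/virt/cni-xtables-nft` (the pure-deletion hunk later on this line). Unless another file in the commit defines a profile of that name (a move would have shown as a rename), the named transition has no target and the exec will be refused at runtime — a silent breakage of port mapping rather than a confinement gain. Either keep the profile, or point the line at whatever now confines xtables-nft-multi, e.g. `@{sbin}/xtables-nft-multi rPx,` if a standalone profile attaches to that path.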
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index ad3eee9f6..d8c71803d 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -2,15 +2,19 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/cockpit-bridge profile cockpit-bridge @{exec_path} { include - include + include + include + include + include include + include include include 
@@ -23,45 +27,83 @@ profile cockpit-bridge @{exec_path} { network inet stream, network inet6 dgram, network inet6 stream, + network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=term peer=cockpit-pcp, - signal (send) set=term peer=dbus-daemon, - signal (send) set=term peer=journalctl, - signal (send) set=term peer=ssh-agent, - signal (send) set=term peer=sudo, - signal (send) set=term peer=unconfined, + signal send set=term peer=cockpit-pcp, + signal send set=term peer=dbus-daemon, + signal send set=term peer=journalctl, + signal send set=term peer=ssh-agent, + signal send set=term peer=unconfined, + signal (send receive) set=term peer=cockpit-bridge//sudo, + + #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} + #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, - @{bin}/journalctl rPx, - @{lib}/cockpit/cockpit-pcp rPx, - @{lib}/cockpit/cockpit-ssh rPx, + @{bin}/cat ix, + @{bin}/date ix, + @{bin}/find ix, + @{bin}/ip ix, + @{python_path} ix, + @{bin}/test ix, + @{bin}/file ix, + @{bin}/chage Px, + @{sbin}/dmidecode Px, + @{bin}/findmnt Px, + @{bin}/journalctl Px, + @{bin}/last Px, + @{bin}/lastlog Px, + @{bin}/lscpu Px, + @{bin}/passwd Px, + @{bin}/ssh-agent Px, + @{bin}/sudo Cx -> sudo, + @{bin}/udevadm Cx -> udevadm, + @{bin}/virsh rPUx, + @{bin}/virt-install PUx, # TODO: rPx + @{lib}/cockpit/cockpit-pcp Px, + @{lib}/cockpit/cockpit-ssh Px, + + # The shell is not confined on purpose. 
+ @{bin}/@{shells} Ux, + + /usr/{,local/}share/ r, /usr/share/cockpit/{,**} r, + /usr/share/file/** r, + /usr/share/iproute2/* r, + @{etc_ro}/login.defs r, /etc/cockpit/{,**} r, /etc/httpd/conf/mime.types r, - /etc/login.defs r, /etc/machine-id r, /etc/mime.types r, /etc/motd r, /etc/shadow r, /etc/shells r, + / r, + @{HOME}/ r, + owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, + owner @{user_share_dirs}/ r, @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw, @{run}/utmp r, @{sys}/class/hwmon/ r, + @{sys}/class/net/ r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/fs/cgroup/ r, @{sys}/fs/cgroup/**/ r, @{sys}/fs/cgroup/**/cpu.{stat,weight} r, @{sys}/fs/cgroup/**/memory* r, + @{sys}/kernel/kexec_crash_size r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @@ -78,6 +120,27 @@ profile cockpit-bridge @{exec_path} { /dev/ptmx rw, + profile sudo { + include + include + + signal (send receive) set=(cont hup term) peer=cockpit-bridge, + + @{bin}/cockpit-bridge Px, + @{lib}/cockpit/cockpit-askpass Px, + + include if exists + } + + profile udevadm { + include + include + + @{run}/udev/data/n@{int} r, # For network interfaces + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-certificate-ensure b/apparmor.d/groups/virt/cockpit-certificate-ensure index 0ef40f4ba..7429b0021 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-ensure +++ b/apparmor.d/groups/virt/cockpit-certificate-ensure @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index 042c9cdad..303fd074c 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
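Review bot: The signal rules between the parent and the new `sudo` child are asymmetric: the child declares `signal (send receive) set=(cont hup term) peer=cockpit-bridge,` but the parent only grants `signal (send receive) set=term peer=cockpit-bridge//sudo,`, and AppArmor checks both the sender's and the receiver's rule, so a `cont` or `hup` from the child would be denied on the parent side. If the child really exchanges those signals, widen the parent rule to `signal (send receive) set=(cont hup term) peer=cockpit-bridge//sudo,`; otherwise trim the child rule to `term`. As a style point, `@{bin}/test ix,` and `@{bin}/file ix,` sit after `@{python_path} ix,` and break the alphabetical order the rest of the `ix` list keeps. The cockpit-bridge profile starts before these hunks; the second hunk on this line ends at the profile's closing brace.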
@@ -13,15 +13,16 @@ profile cockpit-certificate-helper @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/id rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/openssl rix, - @{bin}/rm rix, - @{bin}/sscg rix, - @{bin}/tr rix, + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/id rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/openssl rix, + @{bin}/rm rix, + @{bin}/sscg rix, + @{bin}/sync rix, + @{bin}/tr rix, /etc/machine-id r, /etc/cockpit/ws-certs.d/* w, diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index d8e7f81de..bb1ba03bf 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,6 +10,8 @@ include profile cockpit-desktop @{exec_path} { include + userns, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp index c1afe3fbf..8008fe360 100644 --- a/apparmor.d/groups/virt/cockpit-pcp +++ b/apparmor.d/groups/virt/cockpit-pcp @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 74ddd9e70..ba51fc8a5 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,14 +10,17 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include + include include include capability audit_write, + capability chown, capability dac_read_search, capability net_admin, capability setgid, capability setuid, + capability sys_resource, network netlink raw, 
@@ -26,6 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -36,16 +41,21 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/motd.d/ r, /etc/shells r, + @{att}/@{run}/systemd/sessions/*.ref rw, + + @{run}/cockpit/* r, @{run}/faillock/@{user} rwk, - @{run}/systemd/sessions/*.ref rw, - @{run}/utmp rwk, @{run}/motd.d/{,*} r, - @{run}/cockpit/active.motd r, + @{run}/utmp rwk, /var/log/btmp rw, /var/log/lastlog rw, /var/log/wtmp rwk, + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-ssh b/apparmor.d/groups/virt/cockpit-ssh index 2903d9eb9..e81eb492f 100644 --- a/apparmor.d/groups/virt/cockpit-ssh +++ b/apparmor.d/groups/virt/cockpit-ssh @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index f83ac2c7b..8a345588a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,6 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, + @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, + owner @{run}/cockpit/tls/{,**} rw, include if exists diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index eaf340c6b..1de016aea 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd 
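Review bot: `@{run}/cockpit/* r,` replaces the single-file rule `@{run}/cockpit/active.motd r,` with a read on every file directly under `@{run}/cockpit/`, which from the cockpit-ws hunk below also holds the `session` socket; if only the motd is read, the narrower rule preserves least privilege, and if more files are needed a comment naming them (`# active.motd and …`) would record why the glob is there. The same applies to `capability chown,` and `capability sys_resource,` in the previous cockpit-session hunk, which arrive without a hint of which operation needs them. The cockpit-session profile body continues outside these hunks.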
+++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,12 +26,10 @@ profile cockpit-update-motd @{exec_path} { profile systemctl { include include - + capability net_admin, capability sys_ptrace, - @{PROC}/sys/kernel/cap_last_cap r, - include if exists } diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 589765f35..d4fb299fe 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -2,21 +2,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cockpit/cockpit-ws -profile cockpit-ws @{exec_path} { +profile cockpit-ws @{exec_path} flags=(attach_disconnected) { include + include + include @{exec_path} mr, + @{sh_path} rix, @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, + /etc/cockpit/ws-certs.d/{,**} r, /usr/share/pixmaps/{,**} r, - /etc/cockpit/ws-certs.d/ r, + /usr/share/plymouth/{,**} r, + + @{run}/cockpit/session rw, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index 61e7e8fa1..248ca43e8 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory 
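Review bot: In the cockpit-ws hunk, `/etc/cockpit/ws-certs.d/{,**} r,` widens the previous directory-only rule `/etc/cockpit/ws-certs.d/ r,` to every file beneath it, which is where cockpit-tls (its hunk on the preceding line grants the same read) keeps the certificate and key material; if cockpit-ws only enumerates the directory, the old rule should stay, otherwise a comment stating why the web process needs the key files would help. The same line is also placed between the two `/usr/share/` rules, breaking the path ordering the file otherwise keeps. The cockpit-ws profile body continues past this hunk.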
@@ -2,18 +2,32 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory profile cockpit-wsinstance-factory @{exec_path} { include + include capability net_admin, + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, + + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=JobRemoved + peer=(name=@{busname}, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + @{exec_path} mr, + @{run}/cockpit/wsinstance/https-factory.sock w, + include if exists } diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index f85a3571c..95d332a45 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,8 +46,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/apparmor_parser rPx, - @{bin}/containerd-shim-runc-v2 rPUx, + @{sbin}/apparmor_parser rPx, + @{bin}/containerd-shim-runc-v2 rPx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, /{usr/,}{local/,}{s,}bin/zfs rPx, @@ -71,8 +71,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl, /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl, - /var/lib/containerd/{,**} rwk, - /var/lib/containerd/tmpmounts/containerd-mount@{int}/** l, + /var/lib/containerd/{,**} rwlk, /var/lib/docker/containerd/{,**} rwk, /var/lib/kubelet/seccomp/{,**} r, /var/lib/security-profiles-operator/{,**} r, 
@@ -84,24 +83,24 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/docker/containerd/{,**} rwk, @{run}/netns/ w, @{run}/netns/cni-@{uuid} rw, + @{run}/nri/ w, + @{run}/nri/nri.sock rw, @{run}/systemd/notify w, - /tmp/cri-containerd.apparmor.d@{int} rwl, - /tmp/ctd-volume@{int}/{,**} rw, - owner @{tmp}/** rwkl, - owner /var/tmp/** rwkl, + /tmp/cri-containerd.apparmor.d@{int} rwl, + /tmp/ctd-volume@{int}/{,**} rw, @{sys}/fs/cgroup/kubepods/** r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pid}/task/@{tid}/ns/net rw, @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map r, /dev/bsg/ r, /dev/bus/ r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index c705c0cc8..04b355a48 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -25,12 +25,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { signal (send) set=kill peer=cri-containerd.apparmor.d, signal (receive) set=kill peer=containerd, - mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, - umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, - @{bin}/runc rPUx, + @{sbin}/runc rPx, /tmp/runc-process@{int} rw, /tmp/pty@{int}/ rw, @@ -49,13 +49,15 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/kernel/mm/hugepages/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/oom_score_adj rw, @{PROC}/sys/net/core/somaxconn r, + @{att}/dev/pts/ptmx rw, + include if exists } diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index d549168ee..9a8cbe379 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,13 +15,12 @@ profile docker-proxy @{exec_path} { network inet stream, network inet6 stream, + network netlink raw, - signal (receive) set=int peer=dockerd, + signal receive set=int peer=dockerd, @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/net/core/somaxconn r, include if exists diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index f552c5289..0a214ccd1 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
@@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/dockerd +@{exec_path} = @{bin}/dockerd @{sbin}/dockerd #aa:lint ignore=sbin profile dockerd @{exec_path} flags=(attach_disconnected) { include include 
@@ -21,82 +21,182 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability net_admin, + capability net_bind_service, + capability net_raw, capability setfcap, capability sys_admin, capability sys_chroot, capability sys_ptrace, network inet dgram, - network inet6 dgram, + network inet raw, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, + network packet dgram, - mount /var/lib/docker/overlay2/**/, - mount options=(rw, bind) -> /run/docker/netns/*, - mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, - mount options=(rw, rprivate) -> /.pivot_root@{int}/, - mount options=(rw, rslave) -> /, + mount /tmp/containerd-mount@{int}/, + mount /var/lib/docker/**/, + mount options=(rw bind) -> @{run}/docker/netns/*, + mount options=(rw rprivate) -> /.pivot_root@{int}/, + mount options=(rw rslave) -> /, + + remount /tmp/containerd-mount@{int10}/, + remount /var/lib/docker/**/, umount /.pivot_root@{int}/, - umount /run/docker/netns/*, - umount /var/lib/docker/overlay*/**/, + umount @{run}/docker/netns/*, + umount /tmp/containerd-mount@{int}/, + umount /var/lib/docker/**/, - pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, - pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, + pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, + pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/, + pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, - ptrace (read) peer=docker-*, - ptrace (read) peer=unconfined, + ptrace read peer=docker-*, + ptrace read peer=runc, + ptrace read peer=unconfined, - signal (send) set=int peer=docker-proxy, - signal (send) set=kill peer=docker-*, - signal (send) set=term peer=containerd, + signal send set=int peer=docker-proxy, + 
signal send set=kill peer=docker-*, + signal send set=term peer=containerd, @{exec_path} mrix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd rPx, - @{bin}/docker-init rix, + @{bin}/docker-init rCx -> init, + @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, - @{bin}/kmod rPx, + @{bin}/tini-static rCx -> tini, + @{bin}/git rCx -> git, + @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, - @{bin}/runc rUx, + @{sbin}/runc rUx, + @{bin}/runc rUx, #aa:lint ignore=sbin @{bin}/unpigz rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rCx -> nft, + @{sbin}/xtables-legacy-multi rCx -> nft, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. - /{,**} rwl, + /{,**} rwl, #aa:only apt + + @{att}/@{lib}/containerd/** rw, + @{att}/var/lib/docker/{,**} rwk, + + /etc/docker/{,**} r, + + @{att}/ r, owner @{lib}/docker/overlay2/*/work/{,**} rw, + owner /var/lib/containerd/** rw, owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, + /tmp/build/ w, + /tmp/containerd-mount@{int}/{,**} rw, + + @{run}/systemd/notify rw, + + @{run}/containerd/containerd.sock rw, + owner @{run}/docker.pid rw, + owner @{run}/docker/ rw, + owner @{run}/docker/** rwlk, + + @{sys}/devices/virtual/net/** r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, @{PROC}/1/cgroup r, @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, @{PROC}/sys/kernel/keys/root_maxkeys r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/threads-max r, @{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r, @{PROC}/sys/net/core/somaxconn r, - 
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw, + @{PROC}/sys/net/ipv{4,6}/conf/*/disable_ipv{4,6} rw, @{PROC}/sys/net/ipv{4,6}/conf/docker@{int}/accept_ra rw, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, - owner @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/net/ip_tables_names r, - owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map r, + + /dev/ r, + /dev/**/ r, + + profile nft flags=(attach_disconnected) { + include + + capability net_admin, + capability net_raw, + + network inet raw, + network inet6 raw, + network netlink raw, + + @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-legacy-multi rix, + @{bin}/kmod rPx -> dockerd//kmod, + + @{PROC}/@{pid}/net/ip{,6}_tables_names r, + @{PROC}/sys/kernel/modprobe r, + + @{run}/xtables.lock rwk, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + + profile tini { + include + + @{bin}/tini-static mr, + + include if exists + } + + profile init flags=(attach_disconnected) { + include + + @{bin}/docker-init mr, + @{lib}/docker/docker-init mr, + + include if exists + } + + profile git flags=(attach_disconnected) { + include + + @{bin}/git mr, + + include if exists + } include if exists } diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 5905d4895..59c4b9473 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
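Review bot: `@{sbin}/runc rUx,` and `@{bin}/runc rUx,` keep runc unconfined from dockerd, while the same diff switches containerd-shim-runc-v2 to `@{sbin}/runc rPx,` and adds `ptrace read peer=runc,` to this very profile, which only makes sense if a `runc` profile exists; unless docker's invocation of runc is known not to work under that profile, `rPx` here would bring both runtimes under the same policy, and if it cannot, a comment next to the `rUx` lines should say why (the `#aa:lint ignore=sbin` marker does not). Separately, `remount /tmp/containerd-mount@{int10}/,` uses `@{int10}` while the `mount` and `umount` rules for the same directory use `@{int}`, so whichever expansion is intended, the three rules for one path should agree. The dockerd profile starts in the hunk on the preceding lines and this hunk runs to its closing brace.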
@@ -62,13 +62,12 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-run rix, @{bin}/{nano,emacs,ed} rPUx, @{bin}/vim{,.basic} rPUx, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, - /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, @@ -130,7 +129,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, @{PROC}/sys/net/netfilter/* rw, - @{PROC}/sys/vm/overcommit_memory rw, @{PROC}/sys/vm/panic_on_oom r, @{sys}/class/net/ r, @@ -160,10 +158,9 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{,**/} r, @{sys}/kernel/mm/hugepages/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause index 8172d00fc..c762515a4 100644 --- a/apparmor.d/groups/virt/kubernetes-pause +++ b/apparmor.d/groups/virt/kubernetes-pause @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 75c7d853b..971cdf55e 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus 
@@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/libvirt-dbus +@{exec_path} = @{sbin}/libvirt-dbus profile libvirt-dbus @{exec_path} { include include @@ -16,18 +16,26 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/virtqemud rPx, /usr/share/dbus-1/interfaces/org.libvirt.*.xml r, owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/ rw, - @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, + + @{run}/user/@{uid}/libvirt/ rw, + @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, + @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + owner @{run}/user/@{uid}/libvirt/libvirt-sock rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 376749d9e..378449352 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -10,17 +10,20 @@ # Warning: Such a profile is limited as it gives access to a lot of resources. -abi , +abi , include -@{exec_path} = @{bin}/libvirtd +@{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include + include + include + include include - include include include + include include capability audit_write, 
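Review bot: In the libvirt-dbus hunk, the three re-indented `@{run}/user/@{uid}/libvirt/` rules carry no `owner` while the neighbouring `owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk,` and the new `owner @{run}/user/@{uid}/libvirt/libvirt-sock rw,` do, and the libvirtd hunk further down spells the same directory as `owner @{run}/user/@{uid}/libvirt/ rw,`. Per-user runtime paths are normally owner-qualified, so `owner @{run}/user/@{uid}/libvirt/ rw,` (and likewise for the two lock files) would make the block consistent, unless the daemon is known to touch other users' runtime directories, in which case a comment should say so. The libvirt-dbus profile body continues past this hunk.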
@@ -46,12 +49,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_pacct, capability sys_ptrace, capability sys_rawio, - capability sys_resource, + capability sys_resource, # Needed for vfio - network inet stream, network inet dgram, - network inet6 stream, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink raw, network packet dgram, network packet raw, @@ -68,6 +71,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, + ptrace (read,trace) peer=gnome-boxes, ptrace (read,trace) peer=libvirt-@{uuid}, ptrace (read,trace) peer=libvirt-dbus, ptrace (read,trace) peer=unconfined, 
@@ -84,45 +88,50 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), + unix (send, receive) type=stream addr=none peer=(label=virt-manager), # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @{lib}/libvirt/libvirt_parthelper rix, + @{lib}/{,qemu/}qemu-bridge-helper rPx, + @{lib}/{,qemu/}vhost-user-gpu rPUx, + @{lib}/{,qemu/}virtiofsd rux, # TODO: WIP @{lib}/udev/scsi_id rPUx, @{lib}/xen-*/bin/libxl-save-helper rPUx, @{lib}/xen-*/bin/pygrub rPUx, @{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen/bin/* rPUx, - /{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx, - /{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd rux, # TODO: WIP - /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, - - @{bin}/dmidecode rPx, - @{bin}/dnsmasq rPx, - @{bin}/kmod rPx, - @{bin}/lvm rPUx, + @{sbin}/dmidecode rPx, + @{sbin}/dnsmasq rPx, + @{bin}/kmod rCx -> kmod, + @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @{bin}/swtpm_ioctl rPx, @{bin}/swtpm_setup rPx, @{bin}/udevadm rPx, @{bin}/virtiofsd rux, # TODO: WIP - @{bin}/virtlogd rPx, + @{sbin}/virtlogd rPx, @{sh_path} rix, @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper - @{bin}/tc rix, + @{sbin}/tc rix, @{bin}/xmllint rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{lib}/libvirt/virt-aa-helper rPx, /etc/libvirt/hooks/** rPUx, 
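Review bot: `@{lib}/{,qemu/}qemu-bridge-helper rPx,` moves the helper from the `qemu_bridge_helper` child profile to the standalone `qemu-bridge-helper` profile added later in this diff, but the context line above it, `unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),`, still names the old child label, and no `signal send … peer=qemu-bridge-helper` appears in the visible libvirtd hunks even though the new profile declares `signal receive set=term peer=libvirtd,`. Change the peer to `peer=(label=qemu-bridge-helper)` and add `signal send set=term peer=qemu-bridge-helper,` here, otherwise the socketpair traffic and the termination signal are denied under the new label. The `qemu_bridge_helper` child profile kept and edited in the later libvirtd hunks looks unreachable once this `Cx` is gone, unless a transition outside this diff still targets it. The libvirtd profile starts before this hunk.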
@@ -131,8 +140,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/edk2*/{,**} rk, /usr/share/hwdata/* r, + /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, @@ -143,7 +152,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/xml/catalog r, /var/cache/libvirt/{,**} rw, - /var/lib/libvirt/{,**} rwk, + /var/lib/libvirt/ rw, + /var/lib/libvirt/** rwk, /var/log/swtpm/libvirt/{,**} rw, # User VM images and share 
@@ -152,43 +162,23 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_config_dirs}/libvirt/{,**} rwk, + + owner @{run}/user/@{uid}/libvirt/ rw, + owner @{run}/user/@{uid}/libvirt/** rwk, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/ rw, @{run}/libvirt/** rwk, @{run}/libvirtd.pid wk, @{run}/lock/LCK.._pts_@{int} rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp* - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c21:@{int} r, # Generic SCSI access - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c108:@{int} r, # For /dev/ppp - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic 
assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/[a-z]*/devices/ r, @{sys}/bus/pci/drivers_probe w, @@ -245,6 +235,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{PROC}/devices r, @{PROC}/mtrr w, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, @@ -262,12 +253,19 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/vhost-net rw, # Force the use of virt-aa-helper - audit deny @{bin}/apparmor_parser rwxl, + audit deny @{sbin}/apparmor_parser rwxl, audit deny @{etc_rw}/apparmor.d/libvirt/** wxl, audit deny @{sys}/kernel/security/apparmor/features rwxl, audit deny @{sys}/kernel/security/apparmor/matching rwxl, audit deny @{sys}/kernel/security/apparmor/.* rwxl, + profile kmod { + include + include + + include if exists + } + profile qemu_bridge_helper { include @@ -286,9 +284,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - owner @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/status r, /dev/net/tun rw, + + include if exists } include if exists diff --git a/apparmor.d/groups/virt/qemu-bridge-helper b/apparmor.d/groups/virt/qemu-bridge-helper new file mode 100644 index 000000000..e462eeca1 --- /dev/null +++ b/apparmor.d/groups/virt/qemu-bridge-helper 
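Review bot: The new `profile kmod { … }` child added to libvirtd carries only include lines, whereas the `kmod` child profile dockerd gains in this same diff also declares `capability sys_module,` and `@{sys}/module/*/initstate r,`; unless the include (its target name is lost in this rendering) supplies those, module loading from libvirtd will be denied. Either share one abstraction between the two `kmod` children or mirror the rules, and add a one-line comment above the child saying which modules libvirtd loads through it. Also, `@{run}/udev/data/+*:* r, # Identifies all subsystems` and `@{run}/udev/data/c@{int}:@{int} r,` collapse a long annotated list into two globs; the per-device rationale in the removed comments is gone, so a short comment on why the catch-all is acceptable here would help the next reader. These hunks sit inside the libvirtd profile, which starts before them.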
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{,qemu/}qemu-bridge-helper +profile qemu-bridge-helper @{exec_path} { + include + + capability net_admin, + capability setpcap, + + network inet stream, + + unix (send, receive) type=stream addr=none peer=(label=libvirtd), + + signal receive set=term peer=libvirtd, + + @{exec_path} mr, + + /etc/qemu/bridge.conf r, + + @{sys}/devices/system/node/ r, + + owner @{PROC}/@{pids}/status r, + + /dev/net/tun rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index abbef1f88..b49368f07 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -19,16 +19,36 @@ profile virt-aa-helper @{exec_path} { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, - /etc/apparmor.d/libvirt/* r, + @{etc_rw}/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, + @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw, /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file - + # System VM images /var/lib/libvirt/images/{,**} r, - /var/lib/nova/instances/_base/* r, + + # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507) + /var/lib/nova/images/{,**} r, + /var/lib/nova/instances/_base/{,**} r, + /var/lib/nova/instances/snapshots/{,**} r, + /var/snap/nova-hypervisor/common/instances/_base/{,**} r, + /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r, + + # Eucalyptus disks & loader (LP: #564914 #637544) + /var/lib/eucalyptus/instances/**/disk* r, + /var/lib/eucalyptus/instances/**/loader* r, + + # For uvtool + /var/lib/uvtool/libvirt/images/{,**} r, + + # For multipass + /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r, + + # Common mount directories + @{MOUNTDIRS}/{,**} r, # User VM images @{user_share_dirs}/ r, @@ -45,7 +65,6 @@ profile virt-aa-helper @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/psched r, deny @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, # For gl enabled graphics /dev/dri/{,*} r, diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced index 96d135912..4737dd806 100644 --- a/apparmor.d/groups/virt/virtinterfaced +++ b/apparmor.d/groups/virt/virtinterfaced @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
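Review bot: `@{MOUNTDIRS}/{,**} r` at the end of the added block is far broader than the image-directory rules around it: it grants virt-aa-helper read access to every file under every mount directory, not only to disk images. The existing `# Common mount directories` comment names the directories but not the reason, so either a one-line comment stating why whole mount trees rather than a narrower glob are required, or a narrower pattern, would make the intent reviewable for a helper that is fed untrusted guest storage. Dropping `owner @{PROC}/@{pid}/status r` in the second hunk looks intentional but is unexplained and is likely to be re-added by the next denial report. The enclosing `virt-aa-helper` profile starts outside the hunk.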
@@ -20,7 +20,7 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) { @{lib}/gconv/gconv-modules rm, @{lib}/gconv/gconv-modules.d/{,*} r, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/interface/ rw, owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 50efd188b..ae7ac5fa9 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -2,15 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd -profile virtiofsd @{exec_path} { +@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd +profile virtiofsd @{exec_path} flags=(attach_disconnected) { include - # userns, + userns, capability chown, capability dac_override, @@ -31,13 +31,13 @@ profile virtiofsd @{exec_path} { mount options=(rw, rbind) -> @{user_publicshare_dirs}/, mount options=(rw, rbind) -> @{user_vm_dirs}/, - mount options=(rw, rbind) -> @{user_vm_shares}/, + mount options=(rw, rbind) -> @{user_vmshare_dirs}/, umount /, pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted, pivot_root @{user_vm_dirs}/, - pivot_root @{user_vm_shares}/, + pivot_root @{user_vmshare_dirs}/, signal (receive) set=term peer=libvirtd, @@ -50,7 +50,7 @@ profile virtiofsd @{exec_path} { @{user_publicshare_dirs}/{,**} r, @{user_vm_dirs}/{,**} r, - @{user_vm_shares}/{,**} r, + @{user_vmshare_dirs}/{,**} r, owner @{run}/libvirt/qemu/*.pid rw, diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd index 44c5e20ef..ef28e59e9 100644 --- a/apparmor.d/groups/virt/virtlockd +++ b/apparmor.d/groups/virt/virtlockd 
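Review bot: `userns,` is switched from commented-out to active in the virtiofsd header hunk, next to existing mount and pivot_root rules, without a comment saying which virtiofsd feature needs user-namespace creation; a justification belongs on the line, e.g. `userns, # TODO(review): name the sandbox mode that requires this`, once confirmed against how the daemon is launched. The `@{user_vm_shares}` → `@{user_vmshare_dirs}` rename is applied consistently in all three virtiofsd hunks, but it assumes the new tunable is defined elsewhere in this commit, which is not visible here. Adding `flags=(attach_disconnected)` on the profile line is likewise unexplained and deserves a short comment.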
@@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/virtlockd +@{exec_path} = @{sbin}/virtlockd profile virtlockd @{exec_path} { include diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 1a3ecb06b..d362ad108 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/virtlogd +@{exec_path} = @{sbin}/virtlogd profile virtlogd @{exec_path} flags=(attach_disconnected) { include include @@ -24,12 +24,14 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw, owner @{run}/user/@{uid}/common/system.token rw, + owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd* w, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/common/system.token rwk, @{run}/libvirt/virtlogd-sock rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/virtlogd.pid rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index a2c02368b..2d7df07b6 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
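Review bot: `@{run}/libvirt/common/system.token rwk` added to virtlogd has no `owner` qualifier, whereas the sibling rule added two lines above, `owner @{run}/user/@{uid}/libvirt/common/system.token rwk`, and the same system-token rule in the virtnetworkd and virtnodedevd hunks of this commit (`owner @{run}/libvirt/common/system.token rwk`) all use `owner`. Unless virtlogd must lock a token file it does not own, `owner @{run}/libvirt/common/system.token rwk,` keeps the daemons consistent. The enclosing `virtlogd` profile starts outside the hunk.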
@@ -18,14 +18,15 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, - /etc/libvirt/libvirt.conf r, + /etc/libvirt/*.conf r, owner /var/lib/libvirt/dnsmasq/*.macs* rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/network/default.pid r, - @{run}/systemd/inhibit/*.ref rw, @{run}/utmp rk, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/network/{,**} rwk, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 50b8e4889..fb593068e 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,11 +29,11 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/*.ids r, /usr/share/pci.ids r, - /etc/libvirt/libvirt.conf r, - /etc/libvirt/virtnodedevd.conf r, + /etc/libvirt/*.conf r, /etc/mdevctl.d/{,**} r, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/nodedev/ rw, owner @{run}/libvirt/nodedev/driver.pid wk, 
@@ -44,17 +44,18 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+dmi:* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features 
@@ -62,23 +63,25 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c21:@{int} r, # Generic SCSI access @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash + @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/ r, + @{sys}/devices/@{pci}/net/{,**} r, + @{sys}/devices/@{pci}/numa_node r, + @{sys}/devices/@{pci}/resource r, + @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/@{pci}/vpd r, @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r, @{sys}/devices/**/{config,device,vendor} r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/net/{,**} r, - @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, @@ -89,6 +92,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/mtrr w, + owner @{PROC}/uptime r, include if exists } diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd index cdded1152..9b3e7dda4 100644 --- a/apparmor.d/groups/virt/virtsecretd +++ b/apparmor.d/groups/virt/virtsecretd 
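Review bot: `owner @{PROC}/uptime r` in the last virtnodedevd hunk carries an `owner` qualifier that the equivalent libvirtd rule in this commit (`@{PROC}/uptime r`) does not; `/proc/uptime` is a root-owned kernel file, so the qualifier only matches while the daemon runs as root and would deny the read for any unprivileged instance. Pick one form for both daemons; `@{PROC}/uptime r,` matches the libvirtd hunk. The enclosing `virtnodedevd` profile starts outside the hunk.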
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,8 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libvirt/secrets/ rw, owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/secrets/ rw, owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 943315a8f..00565fcf5 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -4,7 +4,7 @@ # TODO: Similar with virtqemud. Could be merged? -abi , +abi , include @@ -25,7 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper - /etc/libvirt/libvirt.conf r, + /etc/libvirt/{,**} r, # For disk images @{MOUNTS}/ r, @@ -54,7 +54,8 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { owner @{run}/libvirt/storage/{,**} rwk, owner @{run}/virtstoraged.pid rwk, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables new file mode 100644 index 000000000..a10b75dde --- /dev/null +++ b/apparmor.d/groups/virt/xtables 
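Review bot: `/etc/libvirt/{,**} r` in the virtstoraged hunk grants recursive read of the whole libvirt configuration tree, while the parallel changes to virtnetworkd and virtnodedevd in this commit stop at `/etc/libvirt/*.conf r`. If the secret driver keeps its stored secret values under `/etc/libvirt` (libvirt's secrets directory conventionally lives there), the storage daemon gains read access to them; `/etc/libvirt/*.conf r,` plus whichever specific subdirectory virtstoraged actually needs would keep the three daemons aligned and secret material out of scope. The enclosing `virtstoraged` profile starts outside the hunk.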
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/xtables-nft-multi @{sbin}/xtables-legacy-multi +profile xtables { + include + include + include + + capability net_admin, + capability net_raw, + + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /usr/share/iproute2/{,**} r, + + /etc/iproute2/{,**} r, + /etc/iptables/{,**} rw, + /etc/libnl/classid r, + /etc/nftables.conf rw, + + @{run}/xtables.lock rwk, + + @{PROC}/@{pids}/net/ip_tables_names r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index cb263922c..325535cce 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,10 +19,10 @@ profile anondate @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tee rix, @{bin}/timeout rix, @{bin}/tor-circuit-established-check rix, diff --git a/apparmor.d/groups/whonix/msgcollector b/apparmor.d/groups/whonix/msgcollector index 0c3038d1e..05b07ec47 100644 --- a/apparmor.d/groups/whonix/msgcollector +++ b/apparmor.d/groups/whonix/msgcollector @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector-br-add b/apparmor.d/groups/whonix/msgcollector-br-add index be5b7dd69..587094df6 100644 --- a/apparmor.d/groups/whonix/msgcollector-br-add 
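Review bot: `profile xtables {` in the new xtables file has no attachment specifier, unlike every other profile in this commit (`profile qemu-bridge-helper @{exec_path} {`), so `@{exec_path}` is defined but never used for attachment and the profile is only reachable through an explicit `-> xtables` transition; if automatic attachment was intended, write `profile xtables @{exec_path} {`. The only caller visible in this commit, whonix-firewalld, keeps running `@{sbin}/xtables-nft-multi rix` under its own profile rather than transitioning to the new one, so the two changes should be reconciled or the intended entry point stated in a header comment. `/etc/iptables/{,**} rw` and `/etc/nftables.conf rw` also give a rule-loading helper write access to the persistent firewall configuration; a comment naming which invocation writes there, or dropping `w`, would make that reviewable.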
+++ b/apparmor.d/groups/whonix/msgcollector-br-add @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector-generic-gui-message b/apparmor.d/groups/whonix/msgcollector-generic-gui-message index 8b52e2db7..46b7847ff 100644 --- a/apparmor.d/groups/whonix/msgcollector-generic-gui-message +++ b/apparmor.d/groups/whonix/msgcollector-generic-gui-message @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector-striphtml b/apparmor.d/groups/whonix/msgcollector-striphtml index 1e4e3d9ab..8cf1dec71 100644 --- a/apparmor.d/groups/whonix/msgcollector-striphtml +++ b/apparmor.d/groups/whonix/msgcollector-striphtml @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgdispatcher b/apparmor.d/groups/whonix/msgdispatcher index 02433106d..fd1a9f034 100644 --- a/apparmor.d/groups/whonix/msgdispatcher +++ b/apparmor.d/groups/whonix/msgdispatcher @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,7 +39,6 @@ profile msgdispatcher @{exec_path} { include include - @{bin}/sudo mr, @{lib}/msgcollector/* rPx, owner @{run}/msgcollector/user/msgdispatcher_x_* r, diff --git a/apparmor.d/groups/whonix/msgdispatcher-autostart b/apparmor.d/groups/whonix/msgdispatcher-autostart index c4dae811e..d292e3850 100644 --- a/apparmor.d/groups/whonix/msgdispatcher-autostart +++ b/apparmor.d/groups/whonix/msgdispatcher-autostart @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgdispatcher-delete b/apparmor.d/groups/whonix/msgdispatcher-delete index cf69e77c8..2a5839e0c 100644 
--- a/apparmor.d/groups/whonix/msgdispatcher-delete +++ b/apparmor.d/groups/whonix/msgdispatcher-delete @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgdispatcher-dispatch b/apparmor.d/groups/whonix/msgdispatcher-dispatch index f42280e1a..5c2037c56 100644 --- a/apparmor.d/groups/whonix/msgdispatcher-dispatch +++ b/apparmor.d/groups/whonix/msgdispatcher-dispatch @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x +@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x profile msgdispatcher-dispatch @{exec_path} { include include diff --git a/apparmor.d/groups/whonix/open-link-confirmation b/apparmor.d/groups/whonix/open-link-confirmation index e74d2f26a..a6f7ec440 100644 --- a/apparmor.d/groups/whonix/open-link-confirmation +++ b/apparmor.d/groups/whonix/open-link-confirmation @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/pam-abort-on-locked-password b/apparmor.d/groups/whonix/pam-abort-on-locked-password index 79cb70d28..99ac5616d 100644 --- a/apparmor.d/groups/whonix/pam-abort-on-locked-password +++ b/apparmor.d/groups/whonix/pam-abort-on-locked-password @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index d54cab832..23ab3aeb4 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -14,8 +14,8 @@ profile pam-info @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/faillock rix, - @{bin}/grep rix, + @{sbin}/faillock rix, + @{bin}/{,e}grep rix, @{bin}/str_replace rix, @{bin}/wc rix, @{bin}/whoami rix, diff --git a/apparmor.d/groups/whonix/pam_faillock_not_if_x b/apparmor.d/groups/whonix/pam_faillock_not_if_x index c0d05d8a7..1934be8d5 100644 --- a/apparmor.d/groups/whonix/pam_faillock_not_if_x +++ b/apparmor.d/groups/whonix/pam_faillock_not_if_x @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index fdacd13d4..8bdeb2c13 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,8 +19,8 @@ profile rads @{exec_path} { @{bin}/cat rix, @{bin}/chvt rix, @{bin}/free rix, - @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index 21b457aca..1e4850e7a 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/groups/whonix/sdwdate-clock-jump b/apparmor.d/groups/whonix/sdwdate-clock-jump index f70da1977..02b0e866b 100644 --- a/apparmor.d/groups/whonix/sdwdate-clock-jump +++ b/apparmor.d/groups/whonix/sdwdate-clock-jump 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sdwdate-gui b/apparmor.d/groups/whonix/sdwdate-gui index 642b14b46..84a6fb379 100644 --- a/apparmor.d/groups/whonix/sdwdate-gui +++ b/apparmor.d/groups/whonix/sdwdate-gui @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,7 +28,7 @@ profile sdwdate-gui @{exec_path} { @{lib}/sdwdate-gui/log-viewer rix, @{lib}/helper-scripts/* rix, - @{lib}/python3/dist-packages/sdwdate_gui/__pycache__/ rw, + @{lib}/@{python_name}/dist-packages/sdwdate_gui/__pycache__/ rw, @{lib}/sdwdate-gui/ r, diff --git a/apparmor.d/groups/whonix/sdwdate-start b/apparmor.d/groups/whonix/sdwdate-start index 0b952ce19..113f7504c 100644 --- a/apparmor.d/groups/whonix/sdwdate-start +++ b/apparmor.d/groups/whonix/sdwdate-start @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sdwdate-wrapper b/apparmor.d/groups/whonix/sdwdate-wrapper index fe8390da9..19713faba 100644 --- a/apparmor.d/groups/whonix/sdwdate-wrapper +++ b/apparmor.d/groups/whonix/sdwdate-wrapper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sensible-browser b/apparmor.d/groups/whonix/sensible-browser index 48e2f0f08..1a6f4e26a 100644 --- a/apparmor.d/groups/whonix/sensible-browser +++ b/apparmor.d/groups/whonix/sensible-browser @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index d46c227fb..17bedc43b 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,9 +12,9 @@ profile systemcheck-canary @{exec_path} { include @{exec_path} mr, - + @{bin}/sleep rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/whoami rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/whonix/timesanitycheck b/apparmor.d/groups/whonix/timesanitycheck index 3ca78981a..73f643099 100644 --- a/apparmor.d/groups/whonix/timesanitycheck +++ b/apparmor.d/groups/whonix/timesanitycheck @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/tor-bootstrap-check b/apparmor.d/groups/whonix/tor-bootstrap-check index 0795b0b35..7829b8318 100644 --- a/apparmor.d/groups/whonix/tor-bootstrap-check +++ b/apparmor.d/groups/whonix/tor-bootstrap-check @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py +@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py profile tor-bootstrap-check @{exec_path} { include include diff --git a/apparmor.d/groups/whonix/tor-consensus-valid-after b/apparmor.d/groups/whonix/tor-consensus-valid-after index d6656afe5..f7d806ef1 100644 --- a/apparmor.d/groups/whonix/tor-consensus-valid-after +++ b/apparmor.d/groups/whonix/tor-consensus-valid-after @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start deleted file mode 100644 index 266f8e349..000000000 --- a/apparmor.d/groups/whonix/torbrowser-start +++ /dev/null 
@@ -1,51 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ - -@{exec_path} = @{lib_dirs}/start-tor-browser -profile torbrowser-start @{exec_path} { - include - include - - @{exec_path} rm, - - @{sh_path} rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/env r, - @{bin}/expr rix, - @{bin}/file rix, - @{bin}/getconf rix, - @{bin}/grep rix, - @{bin}/id rix, - @{bin}/ln rix, - @{bin}/mkdir rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/sh rix, - @{bin}/srm rix, - @{lib_dirs}/abicheck rix, - - @{lib_dirs}/firefox{,.real} rPx, - - /etc/magic r, - - owner @{lib_dirs}/.config/ibus/{,**} rw, - owner @{lib_dirs}/.local/* rw, - owner @{lib_dirs}/sed@{rand6} rw, - owner @{lib_dirs}/start-tor-browser.desktop rw, - owner @{lib_dirs}/TorBrowser/Tor/tor r, - - owner @{HOME}/.xsession-errors rw, - owner @{HOME}/.tb/tor-browser/* rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix index 39ec37ae3..90aaca321 100644 --- a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix +++ b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index 5ae554b40..c86d91099 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -17,24 +17,24 @@ profile torbrowser-wrapper @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/basename rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/grep rix, - @{bin}/id rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/mount rix, - @{bin}/str_replace rix, - @{bin}/sudo rCx -> sudo, - @{bin}/systemctl rCx -> systemctl, - @{bin}/touch rix, - @{bin}/tty rix, - @{bin}/whoami rix, + @{bin}/basename ix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/{,e}grep ix, + @{bin}/id ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mount ix, + @{bin}/str_replace ix, + @{bin}/sudo Cx -> sudo, + @{bin}/systemctl Cx -> systemctl, + @{bin}/touch ix, + @{bin}/tty ix, + @{bin}/whoami ix, - @{lib_dirs}/start-tor-browser rPx, - @{lib}/msgcollector/msgcollector rPx, - @{lib}/open-link-confirmation/open-link-confirmation rPx, + @{lib_dirs}/start-tor-browser Px, # torbrowser-start + @{lib}/msgcollector/msgcollector Px, + @{lib}/open-link-confirmation/open-link-confirmation Px, @{lib}/helper-scripts/* r, @@ -44,11 +44,11 @@ profile torbrowser-wrapper @{exec_path} { owner @{HOME}/.tb/{,**} rw, owner @{HOME}/.xsession-errors rw, - + owner @{tmp}/tmp.@{rand10} rw, owner @{run}/mount/utab r, - + owner @{PROC}/@{pid}/mountinfo r, profile sudo { diff --git a/apparmor.d/groups/whonix/whonix-firewall-edit b/apparmor.d/groups/whonix/whonix-firewall-edit index aeea9cf05..28c1d01b4 100644 --- a/apparmor.d/groups/whonix/whonix-firewall-edit +++ b/apparmor.d/groups/whonix/whonix-firewall-edit @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/whonix-firewall-restarter b/apparmor.d/groups/whonix/whonix-firewall-restarter index 87a3713d4..a818e46a6 100644 --- a/apparmor.d/groups/whonix/whonix-firewall-restarter +++ b/apparmor.d/groups/whonix/whonix-firewall-restarter 
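Review bot: `@{lib_dirs}/start-tor-browser Px, # torbrowser-start` in the torbrowser-wrapper hunk transitions to a profile that this same commit deletes (the `apparmor.d/groups/whonix/torbrowser-start` removal), and no replacement profile for that path is visible in the diff; a `Px` exec with no matching profile is denied at runtime, so either a profile for `@{lib_dirs}/start-tor-browser` must exist elsewhere or the rule and its comment need the intended target. Separately, dropping `r` from the `ix` rules removes read permission on the executed files; that is harmless for ELF binaries, but interpreted scripts such as `@{bin}/str_replace` are opened for reading by the inheriting interpreter and would need `r` back — verify which of these are scripts. The enclosing `torbrowser-wrapper` profile starts outside the hunk.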
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index 53b1dba81..08322714f 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld @@ -2,12 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/whonix_firewall @{lib}/whonix-firewall/reloadfirewall -profile whonix-firewall @{exec_path} { +profile whonix-firewalld @{exec_path} { include include include @@ -29,7 +29,7 @@ profile whonix-firewall @{exec_path} { @{bin}/rm rix, @{bin}/touch rix, @{bin}/whonix-*-firewall rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/qubesdb-read rPUx, @{bin}/qubesdb-cmd rPUx, @@ -45,7 +45,7 @@ profile whonix-firewall @{exec_path} { owner @{run}/updatesproxycheck/{,**} rw, owner @{run}/whonix_firewall/{,**} rw, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/xfce/mousepad b/apparmor.d/groups/xfce/mousepad index 1bcd283fa..d8bc79b95 100644 --- a/apparmor.d/groups/xfce/mousepad +++ b/apparmor.d/groups/xfce/mousepad @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/ristretto b/apparmor.d/groups/xfce/ristretto index d9151ca80..2aae3f0d3 100644 --- a/apparmor.d/groups/xfce/ristretto +++ b/apparmor.d/groups/xfce/ristretto @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce index 7d8a0165f..110da187b 100644 --- a/apparmor.d/groups/xfce/startxfce +++ b/apparmor.d/groups/xfce/startxfce 
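Review bot: Renaming the profile from `whonix-firewall` to `whonix-firewalld` changes the label that other profiles match on in `peer=` clauses (signal, unix, dbus) and in `-> whonix-firewall` transitions; no such references are visible in this diff, so any that exist elsewhere in the tree silently stop matching and should be grepped for. The local-include line in the last hunk changes too, presumably to follow the new name, which the commit message should call out so downstream `local/` overrides get renamed as well. The enclosing profile header is in the first hunk.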
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,6 +19,7 @@ profile startxfce @{exec_path} { @{bin}/mkdir rix, @{bin}/id rix, + @{bin}/xdg-user-dirs-update rPx, @{bin}/xfce4-session rPx, @{bin}/xrdb rPx, @{bin}/systemctl rCx -> systemctl, @@ -27,15 +28,18 @@ profile startxfce @{exec_path} { /etc/X11/xinit/xinitrc.d/{,**} r, /etc/xdg/xfce4/{,**} r, + owner @{HOME}/.Xdefaults r, + profile systemctl flags=(attach_disconnected) { include include - + include if exists } profile dbus { include + include @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index c16365f74..10096bce2 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -2,13 +2,14 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/thunar -profile thunar @{exec_path} { +profile thunar @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -17,6 +18,10 @@ profile thunar @{exec_path} { network netlink raw, + #aa:dbus own bus=session name=org.xfce.Thunar + #aa:dbus own bus=session name=org.xfce.FileManager + #aa:dbus own bus=session name=org.freedesktop.FileManager1 + @{exec_path} mr, @{bin}/thunar-volman rPx, @@ -30,6 +35,7 @@ profile thunar @{exec_path} { /etc/fstab r, /etc/timezone r, + /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r, # Full access to user's data / r, 
@@ -43,15 +49,20 @@ profile thunar @{exec_path} { owner @{run}/user/@{uid}/{,**} rw, owner @{tmp}/{,**} rw, + @{run}/mount/utab r, + + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + + owner @{PROC}/@{pid}/mountinfo r, + # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, deny /tmp/.*/{,**} rw, - owner @{PROC}/@{pid}/mountinfo r, - profile dbus { include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index c49f71458..41e098548 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -2,13 +2,14 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include + include include include diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index f85e6d4cb..3ba81c688 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd @@ -2,25 +2,37 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd profile tumblerd @{exec_path} { include + include + include + include include include include + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1 + @{exec_path} mr, + @{bin}/gdk-pixbuf-thumbnailer rPx, + /usr/share/backgrounds/xfce/{,**} r, /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/tumbler/* r, + owner /tmp/tumbler-@{rand6}.png r, + owner /tmp/tumbler-@{rand6}.??? w, + owner @{PROC}/@{pid}/mountinfo r, /dev/ r, 
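Review bot: `deny /boot/{,**} r` becomes `deny @{efi}/{,**} r` in the thunar hunk; unless `@{efi}` expands to `/boot` itself rather than only the EFI system partition mount, reads of kernel and initrd files under `/boot` are no longer silenced and will now be logged, or allowed if the `# Full access to user's data` block that starts outside this hunk covers them. If `/boot` should stay hidden from the file manager, keep both: `deny /boot/{,**} r,` and `deny @{efi}/{,**} r,`. The enclosing `thunar` profile starts and ends outside the hunk.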
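Review bot: `owner /tmp/tumbler-@{rand6}.png r` and `owner /tmp/tumbler-@{rand6}.??? w` in the tumblerd hunk use a literal `/tmp/` while the rest of this commit writes temporary paths with the `@{tmp}` tunable (`owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w` in xfce-panel, `owner @{tmp}/{,**} rw` in thunar); if `@{tmp}` also covers per-user private temp directories, these two rules miss them. `owner @{tmp}/tumbler-@{rand6}.png r,` and `owner @{tmp}/tumbler-@{rand6}.??? w,` keep the profile consistent. The `???` suffix also deserves a comment naming the extensions expected, since a three-character wildcard reads as a placeholder.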
diff --git a/apparmor.d/groups/xfce/xfce-about b/apparmor.d/groups/xfce/xfce-about index 701e98773..0dae6e060 100644 --- a/apparmor.d/groups/xfce/xfce-about +++ b/apparmor.d/groups/xfce/xfce-about @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-appfinder b/apparmor.d/groups/xfce/xfce-appfinder index c0753acd8..4b574ce5e 100644 --- a/apparmor.d/groups/xfce/xfce-appfinder +++ b/apparmor.d/groups/xfce/xfce-appfinder @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman new file mode 100644 index 000000000..270f7266f --- /dev/null +++ b/apparmor.d/groups/xfce/xfce-clipman @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Sighy Brantler +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xfce4-clipman +profile xfce-clipman @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, + + owner @{user_cache_dirs}/xfce4/clipman/ r, + owner @{user_cache_dirs}/xfce4/clipman/* rw, + + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 499980f17..021a377b8 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings 
@@ -2,15 +2,18 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include + include include + #aa:dbus own bus=session name=org.xfce.clipman.settings + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/xfce/xfce-dict b/apparmor.d/groups/xfce/xfce-dict index 423c09b4e..4b34a3d0b 100644 --- a/apparmor.d/groups/xfce/xfce-dict +++ b/apparmor.d/groups/xfce/xfce-dict @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-mime-helper b/apparmor.d/groups/xfce/xfce-mime-helper index 7851cd74e..b1708e58b 100644 --- a/apparmor.d/groups/xfce/xfce-mime-helper +++ b/apparmor.d/groups/xfce/xfce-mime-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index 06d2b1df3..be813a84d 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include + include include include include @@ -22,6 +23,9 @@ profile xfce-notifyd @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.xfce.Notifyd + #aa:dbus own bus=session name=org.freedesktop.Notifications + @{exec_path} mr, owner @{user_cache_dirs}/xfce4/notifyd/ rw, diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 0b3530b48..00c5d8700 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel 
@@ -2,30 +2,40 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include + include + include + include + include include include include include include + ptrace (read) peer=xfce-terminal, + + #aa:dbus own bus=session name=org.xfce.Panel + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + @{exec_path} mr, @{bin}/exo-open rix, @{bin}/xfce4-mime-helper rix, @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rix, @{lib}/gio-launch-desktop rix, - @{bin}/sudo rCx -> root, + @{bin}/sudo rCx -> root, /usr/share/desktop-directories/{,**} r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/livecheck/** r, /usr/share/xfce4/{,**} r, @@ -33,22 +43,27 @@ profile xfce-panel @{exec_path} { /etc/machine-id r, /etc/timezone r, /etc/xdg/menus/{,**} r, - /etc/xdg/xfce4/{,**} r, + /etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r, owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw, + owner @{user_cache_dirs}/xfce4-indicator-plugin.log w, owner @{user_config_dirs}/xfce4/panel/{,**} rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + deny @{user_share_dirs}/gvfs-metadata/{,*} r, + profile root { include include @{bin}/lsblk rPx, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index d286280f0..11ccca455 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager 
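Review bot: `ptrace (read) peer=xfce-terminal,` is added to xfce-panel without any comment explaining which panel plugin needs to inspect the terminal's process state; ptrace read grants access to the peer's `/proc/@{pid}/` data and is the kind of rule a reviewer needs justified. A line above it such as `# Read xfce-terminal process info (e.g. cwd/cmdline) for the tasklist plugin — TODO confirm` would do. The same hunk also rewrites `@{bin}/sudo rCx -> root,` with only whitespace changing, and the later `root` subprofile now carries `include if exists` — both fine, but the ptrace rule is the one I would not merge undocumented.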
@@ -2,16 +2,22 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-power-manager profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include + include + include + include include include + #aa:dbus own bus=session name=org.xfce.PowerManager + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + @{exec_path} mr, @{bin}/xfpm-power-backlight-helper rPx, @@ -21,7 +27,7 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e441b84b8..e9e19cca5 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -2,18 +2,21 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include + include include include include include + #aa:dbus own bus=session name=org.xfce.ScreenSaver + @{exec_path} mr, @{sh_path} rix, @@ -25,7 +28,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { /etc/xdg/menus/xfce4-screensavers.menu r, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index c2eb97c30..c1bd98111 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index f2b14b313..be0f5c73d 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -2,13 +2,16 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-session profile xfce-session @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include @@ -16,6 +19,8 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=lightdm, + #aa:dbus own bus=session name=org.xfce.SessionManager + @{exec_path} mr, @{sh_path} rix, @@ -33,6 +38,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { @{lib}/msgcollector/msgdispatcher_xdg_autostart rPx, @{lib}/sdwdate-gui/start-maybe rPx, @{lib}/setup-wizard-dist/setup-dist_check_for_start rPx, + @{lib}/xapps/sn-watcher/xapp-sn-watcher rPUx, /usr/share/kde-power-savings-disable-in-vms/{,**} r, /usr/share/kde-screen-locker-disable-in-vms/{,**} r, @@ -48,17 +54,21 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { /etc/xdg/autostart/*.desktop r, owner @{user_cache_dirs}/sessions/{,**} rw, + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/*.desktop r, owner @{tmp}/.xfsm-ICE-@{rand6} rw, owner @{PROC}/@{pid}/stat r, + @{sys}/class/i2c-adapter/ r, + /dev/tty rw, profile systemctl flags=(attach_disconnected) { include include - + include if exists } diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 88a042dad..0f8836326 100644 
--- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -2,18 +2,26 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include + include + include + include include include + include include include + signal send, + + #aa:dbus own bus=session name=org.xfce.Terminal5 + @{exec_path} mr, @{open_path} rPx -> child-open-help, @@ -26,7 +34,10 @@ profile xfce-terminal @{exec_path} { @{bin}/micro rPUx, @{bin}/nvtop rPx, + @{editor_path} rPUx, + /usr/share/ r, + /usr/share/desktop-base/profiles/xdg-config/ r, /usr/share/xfce4/ r, /usr/share/xfce4/terminal/{,**} r, @@ -34,6 +45,7 @@ profile xfce-terminal @{exec_path} { /etc/xdg/ r, /etc/xdg/xfce4/ r, + owner @{user_config_dirs}/xfce4/ r, owner @{user_config_dirs}/xfce4/terminal/{,**} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index 345851278..9cd273544 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -3,18 +3,21 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/xfconf/xfconfd profile xfconfd @{exec_path} { include + include include + #aa:dbus own bus=session name=org.xfce.Xfconf + @{exec_path} mr, - /etc/xdg/xfce4/xfconf/** r, + /etc/xdg/{,xdg-xubuntu/}xfce4/xfconf/** r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index c01a057e7..6bc5ec15c 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
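Review bot: The bare `signal send,` added to xfce-terminal is unrestricted: no `set=` and no `peer=`, so the profile may deliver any signal to any process whose own profile accepts it. If the targets are the shells and tools the terminal runs under `rix` (which inherit the `xfce-terminal` label), `signal send peer=xfce-terminal,` is sufficient; if it must reach the editors it launches via `@{editor_path} rPUx,`, restrict at least the signal set, as the xfce-session hunk in this commit does with `signal (receive) set=(term) peer=lightdm,`. Note that `@{editor_path} rPUx,` falls back to unconfined for any editor without a profile, so a comment stating that trade-off is intended would help. The profile body continues beyond this hunk.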
@@ -10,14 +10,22 @@ include profile xfdesktop @{exec_path} { include include + include + include include include include + #aa:dbus own bus=session name=org.xfce.xfdesktop + @{exec_path} mr, @{bin}/xfce4-mime-helper rix, + /etc/xdg/{,xdg-xubuntu/}xfce4/helpers.rc r, + /etc/xdg/menus/{,*.menu} r, + /usr/share/xfce4/helpers/{,*.desktop} r, + /usr/share/desktop-directories/{,*.directory} r, /usr/share/backgrounds/xfce/{,**} r, /etc/fstab r, diff --git a/apparmor.d/groups/xfce/xfpm-power-backlight-helper b/apparmor.d/groups/xfce/xfpm-power-backlight-helper index a00ebb094..236028f2e 100644 --- a/apparmor.d/groups/xfce/xfpm-power-backlight-helper +++ b/apparmor.d/groups/xfce/xfpm-power-backlight-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,14 +15,14 @@ profile xfpm-power-backlight-helper @{exec_path} { @{sys}/class/backlight/ r, @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, - @{sys}/devices/@{pci}/backlight/**/{uevent,type} r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw, - @{sys}/devices/@{pci}/intel_backlight/type r, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, include if exists } diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index ec46f5448..d3f88c196 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd 
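Review bot: In xfpm-power-backlight-helper the rewritten rules `@{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw,`, the matching `drm/card@{int}/**/{,max_,actual_}brightness rw,` line and `*_backlight/{,max_,actual_}brightness rw,` now grant write access to `max_brightness` and `actual_brightness`, which the removed lines deliberately kept read-only. Since the existing `**/brightness rw,` rules already cover the one attribute the helper writes, the brace expansion can stay at `r`: `@{sys}/devices/@{pci}/backlight/**/{max_,actual_}brightness r,` (and likewise for the `drm` and `*_backlight` lines). Least privilege for a setuid-style helper that is reachable via `@{bin}/xfpm-power-backlight-helper rPx,` from xfce-power-manager is worth the extra line.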
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,8 +10,13 @@ include profile xfsettingsd @{exec_path} { include include + include + include + include include + #aa:dbus own bus=session name=org.xfce.SettingsDaemon + @{exec_path} mr, /etc/xdg/autostart/xfsettingsd.desktop r, diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index 27bb23bfd..c41e5254f 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -2,13 +2,14 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include + include include include include diff --git a/apparmor.d/mappings/login/base b/apparmor.d/mappings/login/base new file mode 100644 index 000000000..f74b90418 --- /dev/null +++ b/apparmor.d/mappings/login/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sshd/base b/apparmor.d/mappings/sshd/base new file mode 100644 index 000000000..dd9218d9c --- /dev/null +++ b/apparmor.d/mappings/sshd/base 
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base new file mode 100644 index 000000000..95e395501 --- /dev/null +++ b/apparmor.d/mappings/sudo/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by su/sudo to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify deleted file mode 100644 index 7c65b9be2..000000000 --- a/apparmor.d/profiles-a-f/aa-notify +++ /dev/null 
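Review bot: The header comment in the new apparmor.d/mappings/sshd/base reads `# It is used by login to run pre login scripts (as root) such as the motd.`, which is copied verbatim from mappings/login/base; for this file it should say `# It is used by sshd to run pre login scripts (as root) such as the motd.`, as the sudo mapping correctly says "su/sudo". The three new mapping files are otherwise byte-identical, so a one-line note in each pointing to the others (or a shared include) would keep them from drifting apart. The `/etc/update-motd.d/* rPx,` rule also requires a dedicated profile for every script in that directory; scripts without one will fail to exec rather than run unconfined, which is the safe default but worth stating in the comment block.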
@@ -1,47 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/aa-notify -profile aa-notify @{exec_path} { - include - include - include - include - include - - capability setgid, - capability setuid, - capability sys_ptrace, - - ptrace (read), - - @{exec_path} mr, - - @{bin}/ r, - - /etc/apparmor/*.conf r, - /etc/inputrc r, - /usr/etc/inputrc.keys r, - /usr/share/terminfo/** r, - - /var/log/audit/audit.log r, - - owner @{HOME}/.inputrc r, - owner @{HOME}/.terminfo/@{int}/dumb r, - - owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-*.txt rw, - - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/abook b/apparmor.d/profiles-a-f/abook index f4252aeee..380faac53 100644 --- a/apparmor.d/profiles-a-f/abook +++ b/apparmor.d/profiles-a-f/abook @@ -2,7 +2,7 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index 4f6132c25..3b42be234 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/virtual/thermal/{,**} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index 9372f46b4..fd1d0af03 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,20 +11,18 @@ profile acpi-powerbtn flags=(attach_disconnected) { /etc/acpi/powerbtn-acpi-support.sh r, - @{bin}/{ba,da,}sh rix, + @{sh_path} rix, @{bin}/{e,}grep rix, - @{bin}/dbus-send rix, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{bin}/shutdown rix, /etc/acpi/powerbtn.sh rix, - @{bin}/systemctl rCx -> systemctl, - @{bin}/ps rPx, - - @{bin}/fgconsole rCx -> fgconsole, + @{bin}/dbus-send Cx -> bus, + @{bin}/fgconsole Cx -> fgconsole, + @{bin}/ps Px, + @{bin}/systemctl Cx -> systemctl, /usr/share/acpi-support/** r, @@ -44,12 +42,21 @@ profile acpi-powerbtn flags=(attach_disconnected) { /dev/tty rw, owner /dev/tty@{int} rw, + + include if exists + } + + profile bus flags=(complain) { + include + include + + include if exists } profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 10600e3d7..4985bca3a 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/acpid +@{exec_path} = @{sbin}/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include @@ -26,8 +26,9 @@ profile acpid @{exec_path} flags=(attach_disconnected) { /etc/acpi/{,**} r, /etc/acpi/handler.sh rix, + @{run}/acpid.socket w, owner @{run}/acpid.socket rw, - owner @{run}/acpid.pid rw, + owner @{run}/acpid.pid rw, owner @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pids}/loginuid r, diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb index 13863c03a..3affe4e7a 100644 --- a/apparmor.d/profiles-a-f/adb +++ b/apparmor.d/profiles-a-f/adb 
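Review bot: The new `profile bus flags=(complain)` subprofile in acpi-powerbtn contains only includes and no `mr` rule for the binary it confines, and it is created in complain mode, so `@{bin}/dbus-send Cx -> bus,` currently runs with logging only rather than enforcement. At minimum add `@{bin}/dbus-send mr,` inside it, mirroring how the other subprofiles on this page declare their executable (for example `@{bin}/pkg-config mr,` in adequate), and leave a comment explaining why it starts in complain. The same hunk also switches from `rCx`/`rPx` to bare `Cx`/`Px` while `@{sh_path} rix,` keeps the `r`; pick one form so the file stays consistent.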
@@ -3,20 +3,22 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/adb @{exec_path} += @{lib}/android-sdk/platform-tools/adb -profile adb @{exec_path} { +profile adb @{exec_path} flags=(attach_disconnected) { include + include include include include network inet stream, network inet6 stream, + network netlink raw, signal (receive) set=(kill) peer=scrcpy, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 350f070b0..039518b51 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/add{user,group} +@{exec_path} = @{sbin}/adduser profile adduser @{exec_path} { include include @@ -24,7 +24,6 @@ profile adduser @{exec_path} { capability sys_admin, # For logger @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/find rix, @@ -34,12 +33,12 @@ profile adduser @{exec_path} { @{bin}/chage rPx, @{bin}/chfn rPx, @{bin}/gpasswd rPx, - @{bin}/groupadd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupadd rPx, + @{sbin}/groupdel rPx, @{bin}/passwd rPx, - @{bin}/useradd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/useradd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, /etc/{group,passwd,shadow} r, /etc/adduser.conf r, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index fe3e7565f..7025f9787 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,9 +17,8 @@ profile adequate @{exec_path} flags=(complain) { #capability sys_tty_config, @{exec_path} r, - @{bin}/perl r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. @{bin}/ldd rCx -> ldd, 
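Review bot: In adduser, `@{exec_path} = @{sbin}/adduser` replaces `@{exec_path} = @{bin}/add{user,group}`, so `addgroup` is no longer an attachment path. If `addgroup` is a symlink to `adduser` on the target distributions it still attaches through the resolved path, but if it is a separate binary it is now unconfined — the commit does not say which. A comment above the assignment, `# addgroup is a symlink to adduser and attaches through it`, or restoring `@{sbin}/add{user,group}` would settle it. The adb hunk in the same line adds `flags=(attach_disconnected)` and `network netlink raw,` without a comment on why either is needed.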
@@ -55,15 +54,14 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/* mr, /usr/games/* mr, - @{lib}{,x}/** mr, @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, @{lib}/@{multiarch}/ld-*.so rix, - @{lib}{,x}32/ld-*.so rix, + include if exists } profile frontend flags=(complain) { @@ -73,7 +71,6 @@ profile adequate @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - @{bin}/perl r, @{bin}/adequate rPx, @@ -91,13 +88,14 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, /etc/shadow r, + include if exists } profile pkg-config flags=(complain) { @@ -105,6 +103,7 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/pkg-config mr, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 80e64558a..87908dc9e 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -2,21 +2,22 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/alacarte -profile alacarte @{exec_path} { +profile alacarte @{exec_path} flags=(attach_disconnected) { include + include include include include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, + @{lib}/@{python_name}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, /usr/share/alacarte/{,**} r, /usr/share/desktop-directories/{,**} r, 
@@ -30,6 +31,12 @@ profile alacarte @{exec_path} { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/profiles-a-f/alc b/apparmor.d/profiles-a-f/alc new file mode 100644 index 000000000..232f83860 --- /dev/null +++ b/apparmor.d/profiles-a-f/alc @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/alc +profile alc @{exec_path} { + include + include + include + + @{exec_path} mr, + @{user_torrents_dirs}/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/alcc b/apparmor.d/profiles-a-f/alcc new file mode 100644 index 000000000..c1e7d0602 --- /dev/null +++ b/apparmor.d/profiles-a-f/alcc @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/alcc +profile alcc @{exec_path} { + include + include + + @{exec_path} mr, + @{user_torrents_dirs}/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index bde626660..adf0d5cd3 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/alsactl +@{exec_path} = @{sbin}/alsactl profile alsactl @{exec_path} { include include 
@@ -22,6 +22,9 @@ profile alsactl @{exec_path} { @{run}/lock/card@{int}.lock rwk, owner @{run}/alsa/{,**} rw, + @{sys}/devices/@{pci}/subsystem_device r, + @{sys}/devices/@{pci}/subsystem_vendor r, + include if exists } diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index ea2842a74..85989a7bf 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/amixer profile amixer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule new file mode 100644 index 000000000..ce600200a --- /dev/null +++ b/apparmor.d/profiles-a-f/amule @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/amule +profile amule @{exec_path} { + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + + # Previewing files isn't allowed + # because aMule opens viewers directly instead of via `xdg-open`. + # If aMule uses `xdg-open` in your time, + # uncomment the following line to allow previewing files. + # @{open_path} rPx -> child-open, + + @{exec_path} mr, + @{bin}/uname rix, + @{sh_path} rix, + @{system_share_dirs}/amule/{,**} r, + owner @{HOME}/.aMule/{,**} rwk, + @{user_torrents_dirs}/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index b9031360f..43ecdb0cd 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
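Review bot: The new amule profile grants `@{sh_path} rix,` to a network-facing peer-to-peer client with no comment on what the shell is for; anything aMule runs through that shell inherits the profile, including its `network inet`/`inet6` access and `@{user_torrents_dirs}/{,**} rw`. Add a line such as `# Shell needed for <reason> — TODO confirm` above it, or drop the rule if only `@{bin}/uname rix,` is actually required. The header also has two consecutive blank lines before the "Previewing files" comment, which the rest of the set avoids.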
@@ -41,19 +41,18 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, @{bin}/pgrep rCx -> pgrep, - @{lib}/qt5/bin/qdbus rCx -> qdbus, - @{bin}/pacmd rPx, @{bin}/pactl rPx, - @{bin}/wmctrl rPx, - @{bin}/qtchooser rPx, @{bin}/ps rPx, + @{bin}/qtchooser rPx, + @{bin}/wmctrl rPx, + @{lib}/qt{5,6}/bin/qdbus rPx, # Players @{bin}/smplayer rPx, @@ -81,10 +80,10 @@ profile anyremote @{exec_path} { @{bin}/convert-im6.q16 mr, /usr/share/anyremote/cfg-data/Icons/common/*.png r, - - /usr/share/ImageMagick-[0-9]/*.xml rw, - /etc/ImageMagick-[0-9]/*.xml r, - + + /usr/share/ImageMagick-@{int}/*.xml rw, + /etc/ImageMagick-@{int}/*.xml r, + owner @{HOME}/.anyRemote/*.png rw, owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r, @@ -128,14 +127,6 @@ profile anyremote @{exec_path} { include if exists } - profile qdbus { - include - - @{lib}/qt5/bin/qdbus mr, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay index 0bb417ae2..eba042635 100644 --- a/apparmor.d/profiles-a-f/aplay +++ b/apparmor.d/profiles-a-f/aplay @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,6 +19,8 @@ profile aplay @{exec_path} flags=(complain) { owner @{HOME}/.Xauthority r, + /dev/snd/controlC@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 6b6bad8d8..f2231479d 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -24,6 +24,8 @@ profile appstreamcli @{exec_path} flags=(complain) { /usr/share/app-info/{,**} r, /usr/share/appdata/ r, + /usr/share/byobu/desktop/{,**} r, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/metainfo/ r, /usr/share/metainfo/*.{metainfo,appdata}.xml r, /usr/share/swcatalog/{,**} r, @@ -46,7 +48,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /var/log/cron-apt/temp w, owner /var/cache/app-info/{,**} rw, owner /var/cache/swcatalog/{,**} rw, - + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/appstream-cache-*.mdb rw, owner @{user_cache_dirs}/appstream/ rw, diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index 6baddcf18..77bf1bf96 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,7 @@ profile arandr @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/xrandr rPx, diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index 03836a9dc..d445df0e2 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -24,34 +24,20 @@ profile archivemount @{exec_path} { owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, - mount fstype=fuse.archivemount -> @{HOME}/*/, - mount fstype=fuse.archivemount -> @{HOME}/*/*/, - - /dev/fuse rw, - - profile fusermount { include - include - - # To mount anything: - capability sys_admin, - - @{bin}/fusermount{,3} mr, + include mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/, mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/, - /dev/fuse rw, + umount @{HOME}/*/, + umount @{HOME}/*/*/, - /etc/fuse.conf r, - - owner @{HOME}/ r, /**.{tar,tar.gz,zip} r, /**.{TAR,TAR.GZ,ZIP} r, - @{PROC}/@{pid}/mounts r, - + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index 47d784212..cfac12d42 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,7 +39,7 @@ profile arduino @{exec_path} { @{bin}/chmod rix, @{bin}/avrdude rix, - @{bin}/xdg-open rCx -> open, + @{open_path} rCx -> child-open, @{bin}/dpkg-architecture rPx, @{bin}/arduino-builder rPx, @@ -109,31 +109,6 @@ profile arduino @{exec_path} { # Silencer deny /usr/share/arduino/** w, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - @{bin}/spacefm rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder index 23f8628e5..2ef7e37fa 100644 --- a/apparmor.d/profiles-a-f/arduino-builder +++ b/apparmor.d/profiles-a-f/arduino-builder @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
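Review bot: The arduino hunk changes the rule to `@{open_path} rCx -> child-open,` while the second hunk removes the only local `open` subprofile, and no subprofile named `child-open` is visible in the file; a `Cx` transition targets a child of this profile, so unless an include supplies one, the exec will be denied. The other profiles in this commit use the standalone-profile form (`@{open_path} rPx -> child-open-help,` in xfce-terminal), so this probably wants `@{open_path} rPx -> child-open,`. The arduino profile's body starts before and ends after these hunks. In the archivemount hunk on the same line the fusermount subprofile with `capability sys_admin` is removed and mount rules move into the main profile via an include — fine, but a comment naming the abstraction that now carries `/dev/fuse` and `/etc/fuse.conf` would make that relocation traceable.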
@@ -39,8 +39,6 @@ profile arduino-builder @{exec_path} { owner @{HOME}/Arduino/{,**} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /tmp/ r, owner @{tmp}/cc* rw, owner @{tmp}/untitled[0-9]*.tmp/{,**} rw, diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags index 0c3849643..d85a6f3a8 100644 --- a/apparmor.d/profiles-a-f/arduino-ctags +++ b/apparmor.d/profiles-a-f/arduino-ctags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index c5bd8d4f4..629caca10 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, + @{lib}/aspell/{,*} r, /var/lib/aspell/{,*} r, /var/lib/aspell/*.rws rw, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 078fa0139..14feb75df 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -3,18 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/aspell-autobuildhash +@{exec_path} = @{sbin}/aspell-autobuildhash profile aspell-autobuildhash @{exec_path} flags=(complain) { include include include @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/basename rix, @@ -33,8 +32,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, - /usr/lib/aspell/*.rws rw, + @{lib}/aspell/{,*} r, + @{lib}/aspell/*.rws rw, /var/lib/aspell/ r, /var/lib/aspell/* rw, 
@@ -47,9 +46,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - @{bin}/perl r, - @{bin}/aspell-autobuildhash rPx, + @{sbin}/aspell-autobuildhash rPx, @{sh_path} rix, @{bin}/stty rix, @@ -64,11 +62,12 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/at b/apparmor.d/profiles-a-f/at index 2da487b9c..0c309ad72 100644 --- a/apparmor.d/profiles-a-f/at +++ b/apparmor.d/profiles-a-f/at @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index b1b54f0fa..783d210fb 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/atd +@{exec_path} = @{sbin}/atd profile atd @{exec_path} { include include @@ -20,15 +20,15 @@ profile atd @{exec_path} { capability setuid, capability sys_resource, - signal (receive) set=hup peer=at, + signal receive set=hup peer=at, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, @{sh_path} rix, - @{bin}/sendmail rPUx, - @{bin}/exim4 rPx, + @{sbin}/sendmail rPUx, + @{sbin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index 02a0a018b..2444bd128 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd 
@@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include - include + include # For libwrap (TCP Wrapper) support include @@ -18,6 +18,12 @@ profile atftpd @{exec_path} { capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # FTP dirs (add "w" if you need write permissions and hence upload files) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 947245d2a..2782aacc0 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ profile atool @{exec_path} { include include include + include include @{exec_path} mr, @@ -18,9 +19,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, - @{bin}/bzip2 rix, - @{bin}/bzip2 rix, @{bin}/bzip rix, + @{bin}/bzip2 rix, + @{bin}/bzip2 rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, @@ -29,9 +30,9 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, + @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, - @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @@ -46,6 +47,10 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, + @{lib}/p7zip/7z rix, + + /etc/atool.conf r, + owner @{HOME}/.atoolrc r, include if exists } diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 2163346cc..55502dd3e 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril 
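Review bot: The atftpd hunk adds `network inet stream` and `network inet6 stream` next to the dgram rules, but TFTP is a UDP-only protocol, so the two stream rules widen the daemon's network surface beyond what it serves. If they were added for libwrap's reverse lookups, those are resolver calls that the include on the line above is meant to cover; otherwise keep only `network inet dgram,`, `network inet6 dgram,` and `network netlink raw,`. A one-line comment per family (`# TFTP data/ack`, `# libwrap lookups`) would stop the stream rules from being re-added later.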
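Review bot: The atool hunk re-sorts the archiver list but still carries `@{bin}/bzip2 rix,` twice on adjacent added lines, so the reordering preserved a duplicate instead of removing it; delete one of the two. The added `@{lib}/p7zip/7z rix` and the new `/etc/atool.conf` / `~/.atoolrc` reads look correct, though `rix` means every archiver runs under atool's own confinement, which a short comment above the list could state explicitly.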
@@ -3,36 +3,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include - include include - include - include include include - include - include - include + include include include include - include network netlink raw, - dbus send bus=session path=/org/mate/atril/{,**} - peer=(name=org.freedesktop.DBus, label=atrild), # all interfaces and members - - dbus send bus=session path=/org/mate/atril/Daemon - interface=org.mate.atril.Daemon - member={RegisterDocument,UnregisterDocument} - peer=(name=org.mate.atril.Daemon), # no peer's labels + #aa:dbus talk bus=session name=org.mate.atril.Daemon label=atrild @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild index c44686d5a..f66f25936 100644 --- a/apparmor.d/profiles-a-f/atrild +++ b/apparmor.d/profiles-a-f/atrild @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index daaee243f..762273a9f 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/auditctl +@{exec_path} = @{sbin}/auditctl profile auditctl @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 4e93a5d22..41fb158c0 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/auditd +@{exec_path} = @{sbin}/auditd profile auditd @{exec_path} flags=(attach_disconnected) { include include 
@@ -27,10 +27,12 @@ profile auditd @{exec_path} flags=(attach_disconnected) { /var/log/audit/{,**} rw, - @{run}/systemd/journal/dev-log w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, + @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/oom_score_adj rw, diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 5f192e8cc..5ae84876b 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/augenrules +@{exec_path} = @{sbin}/augenrules profile augenrules @{exec_path} flags=(attach_disconnected) { include include @@ -16,7 +16,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e,f}grep rix, @{bin}/{,g,m}awk rix, - @{bin}/auditctl rPx, + @{sbin}/auditctl rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index 48b4cc8af..ff3a710c3 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/badblocks +@{exec_path} = @{sbin}/badblocks profile badblocks @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab new file mode 100644 index 000000000..654e40117 --- /dev/null +++ b/apparmor.d/profiles-a-f/baobab 
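Review bot: The added `@{PROC}/@{pid}/ r` has no `owner` qualifier, unlike the three `owner @{PROC}/@{pid}/...` rules immediately below it; because `@{pid}` is a pattern, this lets auditd list any process's /proc directory rather than only its own. Unless auditd actually enumerates other processes (nothing in the hunk suggests it does), write `owner @{PROC}/@{pid}/ r,`. Dropping `@{run}/systemd/journal/dev-log w` is presumably deduplication against an abstraction the profile already includes; if that include does not grant it, auditd's syslog error reporting will be denied silently, which is worth confirming on a host with audit dispatching enabled.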
@@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/baobab +profile baobab @{exec_path} { + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + + #aa:lint ignore=too-wide + # As a directory tree analyzer it needs full access to the filesystem + / r, + /** r, + + deny @{efi}/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index caf8a50d2..87457a129 100644 --- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/biosdecode +@{exec_path} = @{sbin}/biosdecode profile biosdecode @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index b6314e942..771560c6b 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -40,7 +40,7 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*, owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index f9db3e96f..bff816339 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate 
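Review bot: `/ r` and `/** r` also match `@{PROC}/@{pids}/**`, `@{sys}/**` and `/dev/**`, so beyond the file tree the analyser may read every process's `environ`/`cmdline`/`maps` and any readable device node, yet the only carve-out next to the `#aa:lint ignore=too-wide` marker is `deny @{efi}/{,**} r`. A disk-usage tool needs stat()/readdir() on those trees, not file contents, so consider pairing the efi rule with `deny @{PROC}/@{pids}/{environ,mem,maps,cmdline} r,` and, if baobab tolerates it, `deny /dev/** r,`, and extend the existing comment to say what is deliberately excluded and why. The `@{open_path} rPx -> child-open-help` transition and the gvfs dbus directive are consistent with the other profiles in this series.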
+++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -3,22 +3,24 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/blkdeactivate +@{exec_path} = @{sbin}/blkdeactivate profile blkdeactivate @{exec_path} flags=(complain) { include include @{exec_path} rm, - @{bin}/dmsetup rPUx, - @{bin}/grep rix, + @{sh_path} rix, + @{sbin}/dmsetup rPx, + @{bin}/{,e}grep rix, + @{bin}/touch rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, - @{bin}/multipathd rPx, + @{sbin}/lvm rPx, + @{sbin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, diff --git a/apparmor.d/profiles-a-f/bmon b/apparmor.d/profiles-a-f/bmon index 77feb3210..d29d9fde7 100644 --- a/apparmor.d/profiles-a-f/bmon +++ b/apparmor.d/profiles-a-f/bmon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 107330419..544be3be0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,15 +21,19 @@ profile borg @{exec_path} { network inet6 dgram, network netlink raw, + mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, + mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, + @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, + @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, @@ -92,10 +96,7 @@ profile borg @{exec_path} { profile fusermount { include - include - include - - capability sys_admin, + include mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, 
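Review bot: The `mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/` pair is added to the main borg profile although the same two rules already live in the `fusermount` child that performs the mount, and mount(2) also requires `capability sys_admin`, which the main profile does not gain in this hunk. If borg now mounts directly (libfuse3 without the fusermount helper) the capability will be needed and should be added with a comment; if it does not, the two rules are dead and should be dropped to keep the main profile minimal. `@{bin}/ip rix` runs `ip` under borg's own confinement, which is acceptable for a read-only query, but a `# for ...` comment naming the call site would help the next reader.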
@@ -103,13 +104,8 @@ profile borg @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop new file mode 100644 index 000000000..1cfda03d9 --- /dev/null +++ b/apparmor.d/profiles-a-f/briar-desktop 
@@ -0,0 +1,97 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024-2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/briar-desktop +profile briar-desktop @{exec_path} { + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + + ptrace read peer=briar-desktop-tor, + ptrace read peer=@{profile_name}//jspawnhelper, + + @{exec_path} mr, + + @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/lib/** rm, + @{lib}/jvm/java*/lib/jspawnhelper Cx -> jspawnhelper, + @{sh_path} mr, + + @{system_share_dirs}/java/briar-desktop.jar r, + + /etc/java*/{,**} r, + /etc/machine-id r, + + owner @{HOME}/.briar/desktop/{,**} rw, + owner @{HOME}/.briar/desktop/db/db.mv.db k, + + owner @{HOME}/.java/{,.userPrefs/{,org/}} w, + owner @{HOME}/.java/.userPrefs/.user.lock.@{user} wk, + owner @{HOME}/.java/.userPrefs/.userRootModFile.@{user} rw, + owner @{HOME}/.java/.userPrefs/{,org/}prefs.{xml,tmp} rw, + owner @{HOME}/.java/.userPrefs/org/briarproject/{,**} rw, + + owner @{HOME}/.skiko/ w, + owner @{HOME}/.skiko/@{hex64}/{,libskiko-*.so,skiko[0-9]*} mrw, + + owner @{user_pictures_dirs}/{,**} r, + + owner @{user_cache_dirs}/JNA/{,**} mrw, + + owner @{tmp}/hsperfdata_@{user}/ rw, + owner @{tmp}/hsperfdata_@{user}/@{pid} rwk, + owner @{tmp}/imageio@{u64}.tmp rw, + owner @{tmp}/jna@{u64}.tmp mrw, + + @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, + @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r, + + @{PROC}/cgroups r, + @{PROC}/asound/version r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/coredump_filter rw, + owner @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/stat r, + + /dev/tty rw, + /dev/urandom rw, + + deny @{HOME}/ r, + 
+ include if exists + + profile jspawnhelper flags=(attach_disconnected) { + include + + @{sbin}/ldconfig ix, + owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor, + + @{system_share_dirs}/java/briar-desktop.jar r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, + + deny owner @{HOME}/.briar/desktop/db/db.mv.db rw, # file_inherit + deny network inet6 stream, # file_inherit + + include if exists + } +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor new file mode 100644 index 000000000..ae818d1df --- /dev/null +++ b/apparmor.d/profiles-a-f/briar-desktop-tor 
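Review bot: The `jspawnhelper` child profile grants no read/map permission on its own binary `@{lib}/jvm/java*/lib/jspawnhelper`, while the child profiles in briar-desktop-tor each give their own executable `mr`; unless the child's single include (path not visible here) supplies it, the `Cx -> jspawnhelper` transition will be denied when the binary is mapped. Add `@{lib}/jvm/java*/lib/jspawnhelper mr,` inside the child. Separately, `owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor` executes a binary from a user-writable directory, so the named profile is the only integrity control over it; that is inherent to how Briar ships Tor, but a one-line comment stating the trust boundary would document it. The main profile's `@{sh_path} mr` (map but no execute) likewise deserves a comment explaining why a shell must be mapped but never run.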
@@ -0,0 +1,86 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024-2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile briar-desktop-tor { + include + + network inet stream, + network inet6 stream, + network netlink raw, + + signal send set=term peer=briar-desktop-tor//lyrebird, + signal send set=term peer=briar-desktop-tor//obfs4proxy, + signal send set=term peer=briar-desktop-tor//snowflake, + + owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw, + owner @{HOME}/.briar/desktop/tor/.tor/lock k, + owner @{HOME}/.briar/desktop/tor/lyrebird Cx -> lyrebird, + owner @{HOME}/.briar/desktop/tor/obfs4proxy Cx -> obfs4proxy, + owner @{HOME}/.briar/desktop/tor/snowflake Cx -> snowflake, + owner @{HOME}/.briar/desktop/tor/tor r, + owner @{HOME}/.briar/desktop/tor/torrc r, + + @{PROC}/sys/kernel/random/uuid r, + + include if exists + + profile lyrebird { + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + signal receive set=term peer=briar-desktop-tor, + + owner @{HOME}/.briar/desktop/tor/lyrebird mr, + @{PROC}/sys/net/core/somaxconn r, + + include if exists + } + + profile obfs4proxy { + include + + network inet stream, + network inet6 stream, + + signal receive set=term peer=briar-desktop-tor, + + owner @{HOME}/.briar/desktop/tor/.tor/pt_state/ w, + owner @{HOME}/.briar/desktop/tor/obfs4proxy mr, + @{PROC}/sys/net/core/somaxconn r, + + include if exists + } + + profile snowflake { + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + signal receive set=term peer=briar-desktop-tor, + + owner @{HOME}/.briar/desktop/tor/snowflake mr, + @{PROC}/sys/net/core/somaxconn r, + + include if exists + } +} + +# vim:syntax=apparmor 
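Review bot: `owner @{HOME}/.briar/desktop/tor/tor r` grants read but not `m` on the binary this profile confines, whereas each of the three child profiles gives its own executable `mr`; after the `Px` transition the tor binary is mapped under this profile, so it most likely needs `owner @{HOME}/.briar/desktop/tor/tor mr,` unless the single include at the top provides it. The profile has no attachment path and is reachable only via the `Px` from briar-desktop's jspawnhelper child; a header comment saying so (`# Entered only via Px from briar-desktop//jspawnhelper; tor and the pluggable transports are user-writable files extracted by Briar`) would make the trust model explicit.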
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index cfc5d3b0b..c896e96f8 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/browserpass +@{exec_path} = @{bin}/browserpass @{lib}/browserpass/browserpass-native profile browserpass @{exec_path} flags=(attach_disconnected) { include include @@ -22,11 +22,9 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.mozilla/firefox/@{rand8}.*/extensions/* r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r, - owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw, + owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google@{d}/goog-phish-proto-@{int}.vlpset rw, owner @{tmp}/mozilla-temp-@{int} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pid}/mountinfo r, # Inherit Silencer @@ -50,8 +48,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{user_projects_dirs}/**/*-store/ rw, owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, owner @{user_config_dirs}/*-store/ rw, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index b6c3556ec..bac8aea75 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop 
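Review bot: The link rule now reads `owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**`: the source was switched to the renamed variable but the link target remains hard-coded to `@{HOME}/.password-store/**`, so for any store location the variable can expand to other than the default, `l` operations will be denied even though read/write succeeds. Make the target mirror the source, `owner @{user_passwordstore_dirs}/** rwkl -> @{user_passwordstore_dirs}/**,`, which is the shape the `*-store` rules directly below already use. Adding `@{lib}/browserpass/browserpass-native` to `@{exec_path}` is a reasonable widening, but the profile header should mention that the native-messaging host is covered too.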
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,15 +10,16 @@ include profile btop @{exec_path} { include include - include include + capability kill, + capability perfmon, capability sys_ptrace, network netlink raw, - signal (send), - ptrace (read), + signal send, + ptrace read, @{exec_path} mr, 
@@ -27,33 +28,42 @@ profile btop @{exec_path} { /etc/fstab r, owner @{user_config_dirs}/btop/{,**} rw, + owner @{user_state_dirs}/btop.log rw, @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/**/stat r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/{,**}/ r, @{sys}/devices/@{pci}/net/*/{,**} r, + @{sys}/devices/@{pci}/nvme/nvme@{int}/ r, + @{sys}/devices/@{pci}/stat r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, @{sys}/devices/**/hwmon@{int}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, + @{sys}/devices/*/events/{,*} r, + @{sys}/devices/platform/*/ r, + @{sys}/devices/power/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, - @{PROC} r, - @{PROC}/@{pid}/statm r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/loadavg r, - @{PROC}/spl/kstat/zfs/arcstats r, - @{PROC}/uptime r, - owner @{PROC}/@{pid}/mounts r, + @{PROC} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/task/@{tid}/comm rw, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, 
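Review bot: `@{PROC}/@{pids}/task/@{tid}/comm rw` grants write on the thread-name file of every process (`@{pids}`), not only btop's own; a monitor needs to read other processes' `comm` but should rename only its own threads. Split it into `@{PROC}/@{pids}/task/@{tid}/comm r,` plus `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`, which is what the calibre profile in this same series does. The hunk also drops `owner` from the mounts rule (`owner @{PROC}/@{pid}/mounts r` became `@{PROC}/@{pids}/mounts r`); if btop only parses its own mount table the `owner` form is sufficient. Note that the preceding hunk adds unscoped `signal send,` and `capability kill`, which together let btop signal any process — expected for a process manager, but worth a one-line comment.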
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/profiles-a-f/calibre similarity index 53% rename from apparmor.d/groups/apps/calibre rename to apparmor.d/profiles-a-f/calibre index f1b3e9050..281d15718 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -3,27 +3,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize} -@{exec_path} += @{bin}/calibredb -@{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert} +@{exec_path} = @{bin}/calibre{,-*} @{bin}/calibredb @{bin}/ebook{,-*} @{exec_path} += @{bin}/fetch-ebook-metadata -@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer -@{exec_path} += @{bin}/web2disk +@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include - include include - include - include - include + include + include + include include include include include + include include include include 
@@ -36,33 +33,36 @@ profile calibre @{exec_path} { capability sys_ptrace, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - unix (send, receive) type=stream peer=(addr=none, label=xorg), + # unix (send, receive) type=stream peer=(addr=none, label=xorg), unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", @{exec_path} mrix, - @{bin}/python3.@{int} r, - @{bin}/ldconfig{,.real} rix, @{sh_path} rix, + @{python_path} rix, + @{bin}/env r, @{bin}/file rix, @{bin}/uname rix, - @{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, + @{sbin}/ldconfig{,.real} rix, + @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @{bin}/pdfinfo rPUx, @{bin}/pdftohtml rPUx, - @{bin}/xdg-open rPx -> child-open, - @{bin}/xdg-mime rPx, + @{open_path} rPx -> child-open, /usr/share/calibre/{,**} r, /etc/fstab r, + /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, /etc/mime.types r, 
@@ -70,51 +70,53 @@ profile calibre @{exec_path} { owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/metadata.db" rwk, - owner @{user_documents_dirs}/{,**} rwl, + owner @{user_books_dirs}/{,**} rwl, + owner @{user_books_dirs}/Calibre/** rwk, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_documents_dirs}/Calibre/** rwk, owner @{user_torrents_dirs}/{,**} rwl, + owner @{user_torrents_dirs}/Calibre/** rwk, owner @{user_work_dirs}/{,**} rwl, + owner @{user_work_dirs}/Calibre/** rwk, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, owner @{user_share_dirs}/calibre-ebook.com/ rw, - owner @{user_share_dirs}/calibre-ebook.com/calibre/ rw, - owner @{user_share_dirs}/calibre-ebook.com/calibre/** rwk, + owner @{user_share_dirs}/calibre-ebook.com/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{user_cache_dirs}/gstreamer-@{int}/ rw, - owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, - - owner @{tmp}/calibre_*_tmp_*/{,**} rw, - owner @{tmp}/calibre-*/{,**} rw, - owner @{tmp}/@{int}-*/ rw, - owner @{tmp}/@{int}-*/** rwl, + owner @{tmp}/@{rand8} rw, + audit owner @{tmp}/@{int}-*/ rw, + audit owner @{tmp}/@{int}-*/** rwl, + audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, + audit owner @{tmp}/calibre-@{rand8}/{,**} rw, owner /dev/shm/#@{int} rw, @{sys}/devices/@{pci}/irq r, - @{PROC}/ r, - @{PROC}/@{pids}/net/route r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat{,m} r, - owner @{PROC}/@{pid}/comm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/status r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{PROC}/@{pid}/cmdline r, - deny owner 
@{PROC}/@{pid}/oom_{,score_}adj rw, - deny @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/ r, + @{PROC}/@{pids}/net/route r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/stat{,m} r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/status r, + /dev/tty r, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/cas b/apparmor.d/profiles-a-f/cas new file mode 100644 index 000000000..d843801ba --- /dev/null +++ b/apparmor.d/profiles-a-f/cas @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cas +profile cas @{exec_path} { + include + include + + @{exec_path} mr, + + @{system_share_dirs}/cas/{,**} r, + + owner @{HOME}/.aMule/aMule-online-sign.html w, + owner @{HOME}/.aMule/amulesig.dat r, + owner @{HOME}/.aMule/casrc rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index ee3bab550..0d8c6a000 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -31,8 +31,12 @@ profile cawbird @{exec_path} { @{sh_path} rix, - @{bin}/xdg-open rCx -> open, - @{bin}/exo-open rCx -> open, + @{open_path} rPx -> child-open, + + /usr/share/xml/iso-codes/{,**} r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, owner @{user_config_dirs}/cawbird/ rw, owner @{user_config_dirs}/cawbird/** rwk, 
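Review bot: The four `audit owner @{tmp}/...` rules make every matching temp-file access emit an audit record, which reads like instrumentation left in while collecting denials rather than a deliberate policy choice; unless the intent is to keep watching these paths, drop the `audit` qualifier so they become plain `owner @{tmp}/calibre-@{rand8}/{,**} rw,` and friends. The hunk also turns three former `deny` rules (`cmdline`, `oom_{,score_}adj`, `boot_id`) into allows; `boot_id` in particular is a stable machine identifier, so a comment on what calibre needs each of them for would justify the relaxation. The enclosing profile continues past the end of this hunk.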
@@ -40,36 +44,8 @@ profile cawbird @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/cawbird-* rw, - /usr/share/xml/iso-codes/{,**} r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - owner @{PROC}/@{pid}/fd/ r, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper index bc12ec50b..d8128da74 100644 --- a/apparmor.d/profiles-a-f/cc-remote-login-helper +++ b/apparmor.d/profiles-a-f/cc-remote-login-helper @@ -1,7 +1,8 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index 3795d9836..af7436f39 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ profile cctk @{exec_path} { include include + capability dac_read_search, capability mknod, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-a-f/ccze b/apparmor.d/profiles-a-f/ccze index e51310b63..338f71a78 100644 --- a/apparmor.d/profiles-a-f/ccze +++ b/apparmor.d/profiles-a-f/ccze @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cemu b/apparmor.d/profiles-a-f/cemu new file mode 100644 index 000000000..1201f2476 --- /dev/null +++ b/apparmor.d/profiles-a-f/cemu 
@@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cemu +profile cemu @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /usr/share/Cemu/{,**} r, + + owner @{user_cache_dirs}/Cemu/{,**} rw, + owner @{user_config_dirs}/Cemu/{,**} rw, + owner @{user_share_dirs}/Cemu/{,**} rw, + + @{sys}/class/ r, + @{sys}/class/input/ r, + @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/abs r, + @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/ev r, + @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/key r, + @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/rel r, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/statm r, + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/js@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cert-sync b/apparmor.d/profiles-a-f/cert-sync index e2770bda1..fa70c395f 100644 --- a/apparmor.d/profiles-a-f/cert-sync +++ b/apparmor.d/profiles-a-f/cert-sync @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index 7559b5c84..ee8d277f2 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/cfdisk +@{exec_path} = @{sbin}/cfdisk profile cfdisk @{exec_path} { include include 
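Review bot: `owner @{PROC}/@{pid}/fd r,` in the new cemu profile is missing the trailing slash, so it matches the `fd` entry as a file rather than permitting a directory listing of `fd/`; the other new profiles in this diff (cider, dino, cheese) all write it as `owner @{PROC}/@{pid}/fd/ r,`. If the intent is reading the list of open descriptors, change the line to `owner @{PROC}/@{pid}/fd/ r,`; if a program really opens the `fd` entry itself, a short comment saying so would stop the next reader from "fixing" it.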
diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index f19e70c26..8f3f11af0 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/cgdisk +@{exec_path} = @{sbin}/cgdisk profile cgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd index 6c51eead1..6f31a43d5 100644 --- a/apparmor.d/profiles-a-f/cgrulesengd +++ b/apparmor.d/profiles-a-f/cgrulesengd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,19 +12,9 @@ profile cgrulesengd @{exec_path} { include include - # For creating Unix domain sockets/IPC sockets: - # socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3 - # ... - # bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation - # not permitted) - capability net_admin, - - # To remove the following errors: - # readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied) - capability sys_ptrace, - - # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, + capability net_admin, + capability sys_ptrace, network netlink dgram, @@ -32,22 +22,22 @@ profile cgrulesengd @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/**/tasks w, + + /etc/cgconfig.conf r, + /etc/cgconfig.d/{,*} r, + + /etc/cgrules.conf r, + /etc/cgrules.d/{,*} r, + + owner @{run}/cgred.socket w, + + @{sys}/fs/cgroup/** rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pid}/mounts r, @{PROC}/cgroups r, - - @{sys}/fs/cgroup/unified/cgroup.controllers r, - - owner @{run}/cgred.socket w, - - /etc/cgconfig.conf r, - /etc/cgrules.conf r, - /etc/cgconfig.d/ r, - + owner @{PROC}/@{pid}/mounts r, include if exists } 
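Review bot: In the second cgrulesengd hunk, `@{sys}/fs/cgroup/** rw,` replaces the former `@{sys}/fs/cgroup/**/tasks w,` and `@{sys}/fs/cgroup/unified/cgroup.controllers r,`, which turns a write rule scoped to process placement into write access to every control file under the cgroup tree. The retained `@{PROC}/@{pids}/cmdline` and `task/` rules suggest the daemon's job is moving processes between groups, so a narrower form such as `@{sys}/fs/cgroup/ r,` / `@{sys}/fs/cgroup/** r,` / `@{sys}/fs/cgroup/**/{tasks,cgroup.procs} w,` should cover it; if the daemon also has to create or tune groups, the rule should name which files. The first hunk of this file also drops the comments that explained why `net_admin` and `sys_ptrace` are granted (the deluser hunk does the same for its two `dac_*` capabilities); a one-line rationale per capability, e.g. `# net_admin: bind() on the NETLINK_CONNECTOR socket returns EPERM without it`, keeps the reason reviewable.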
diff --git a/apparmor.d/profiles-a-f/changestool b/apparmor.d/profiles-a-f/changestool index 9dd650d51..c73243041 100644 --- a/apparmor.d/profiles-a-f/changestool +++ b/apparmor.d/profiles-a-f/changestool @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,6 +33,7 @@ profile changestool @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 877677bca..c44b6eaa5 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/check-bios-nx +@{exec_path} = @{sbin}/check-bios-nx profile check-bios-nx @{exec_path} { include include @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status index bdd9719d3..07baedfae 100644 --- a/apparmor.d/profiles-a-f/check-support-status +++ b/apparmor.d/profiles-a-f/check-support-status @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -65,16 +65,15 @@ profile check-support-status @{exec_path} { /usr/share/debian-security-support/ r, /usr/share/debian-security-support/* r, - profile debconf-escape { include include @{bin}/debconf-escape r, - @{bin}/perl r, owner @{tmp}/debian-security-support.postinst.*/output r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index e0c312423..8101b3008 100644 
--- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,10 +24,10 @@ profile check-support-status-hook @{exec_path} { @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/check-support-status rPx, @{bin}/debconf-escape rCx -> debconf-escape, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -53,11 +53,11 @@ profile check-support-status-hook @{exec_path} { include @{bin}/debconf-escape r, - @{bin}/perl r, /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output r, + include if exists } profile frontend { @@ -67,7 +67,6 @@ profile check-support-status-hook @{exec_path} { include /usr/share/debconf/frontend r, - @{bin}/perl r, /usr/share/debian-security-support/ r, /usr/share/debian-security-support/check-support-status.hook rPx, @@ -85,11 +84,12 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, + include if exists } profile runuser { @@ -111,7 +111,7 @@ profile check-support-status-hook @{exec_path} { # To write records to the kernel auditing log. capability audit_write, - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, @@ -124,6 +124,8 @@ profile check-support-status-hook @{exec_path} { /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output w, + + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese new file mode 100644 index 000000000..33b933be2 --- /dev/null +++ b/apparmor.d/profiles-a-f/cheese 
@@ -0,0 +1,57 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cheese +profile cheese @{exec_path} { + include + include + include + include + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{bin}/bwrap Px -> gnome-desktop-thumbnailers, + @{open_path} rPx -> child-open-help, + + @{system_share_dirs}/gnome-video-effects/{,*.effect} r, + @{system_share_dirs}/ladspa/rdf/{,**} r, + @{system_share_dirs}/thumbnailers/{,*.thumbnailer} r, + + /etc/machine-id r, + + owner @{HOME}/ r, # file save dialog + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, + + owner @{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 5aa5c5ed2..e4a986c8a 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -4,14 +4,16 @@ # Based on https://salsa.debian.org/debian/chrony/-/blob/debian/latest/debian/usr.sbin.chronyd -abi , +abi , include -@{exec_path} = @{bin}/chronyd +@{exec_path} = @{sbin}/chronyd profile chronyd @{exec_path} flags=(attach_disconnected) { include include + include + include capability chown, capability dac_override, 
@@ -27,12 +29,15 @@ profile chronyd @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, + network inet stream, + network inet6 stream, network netlink raw, @{exec_path} mr, /etc/adjtime r, - /etc/chrony.* r, + /etc/chrony.conf r, + /etc/chrony.keys r, /etc/chrony.d/{,*} r, /etc/chrony/{,**} r, diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider new file mode 100644 index 000000000..be59811a1 --- /dev/null +++ b/apparmor.d/profiles-a-f/cider @@ -0,0 +1,57 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = {C,c}ider sh.cider.genten +@{domain} = sh.cider.genten org.chromium.Chromium +@{lib_dirs} = @{lib}/cider +@{cache_dirs} = @{user_cache_dirs}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} + +@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider +profile cider @{exec_path} { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/chrome-sandbox rPx, + + @{bin}/xdg-settings rPx, + + owner @{user_config_dirs}/sh.cider.genten/ rw, + owner @{user_config_dirs}/sh.cider.genten/** rwk, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, + + include if exists +} + +# vim:syntax=apparmor 
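Review bot: The new cider profile defines `@{cache_dirs}` and `@{config_dirs}` but never uses them; the rules below spell out `@{user_config_dirs}/sh.cider.genten/...` directly, and no visible rule grants access to the cache directory at all. Either drop the two unused variables or use them, e.g. `owner @{config_dirs}/ rw,` and `owner @{config_dirs}/** rwk,` — but since `@{name}` also expands to `{C,c}ider`, the variable form is wider than the literal path, so check which directories the application actually writes before switching. A comment next to the `libwidevinecdm.so mr` rule noting that it deliberately maps a user-writable library as executable would also help, since that is the one rule in the profile a reviewer will stop on.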
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 4de4543a4..263bb5794 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,14 +24,14 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{bin}/exim4 rPUx, + @{sbin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, @@ -66,6 +66,7 @@ profile claws-mail @{exec_path} flags=(complain) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus new file mode 100644 index 000000000..750fe9345 --- /dev/null +++ b/apparmor.d/profiles-a-f/cmus @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cmus +profile cmus @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/cmus/{,**} r, + /usr/share/terminfo/{,**} r, + + /etc/machine-id r, + + / r, + owner @{HOME}/ r, # For pwd + + owner @{user_music_dirs}/{,**} r, + + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/cmus/{,**} rw, + + owner @{run}/user/@{uid}/cmus-socket w, + + /dev/shm/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code deleted file mode 100644 index 393598746..000000000 --- a/apparmor.d/profiles-a-f/code +++ /dev/null 
@@ -1,105 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss} - -@{exec_path} = @{lib}/electron@{int}/electron -profile code flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - - capability sys_ptrace, - - network inet stream, - network inet6 stream, - network inet dgram, - network inet6 dgram, - network netlink raw, - - signal (send), - - @{exec_path} mrix, - - @{lib}/code/node_modules.asar.unpacked/**.node rm, - - # Core tools - @{bin}/git rPx, - @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/rg rix, - @{open_path} rPx -> child-open, - - # The shell is not confined on purpose. - @{bin}/@{shells} rUx, - - # Confine some common tools - @{lib}/code/extensions/git/dist/askpass.sh rPx, - @{lib}/code/extensions/git/dist/git-editor.sh rPx, - - # Do NOT confine most of the extensions - @{bin}/[a-z0-9]* rPUx, - @{code_config_dirs}/extensions/** rPUx, - @{HOME}/.go/bin/* rPUx, - @{lib}/go/bin/* rPUx, - @{bin}/python3.@{int} rUx, - - /etc/shells r, - /etc/lsb-release r, - - owner @{HOME}/@{XDG_SSH_DIR}/config r, - - owner @{code_config_dirs}/** rwkl -> @{code_config_dirs}/**, - - owner @{user_projects_dirs}/ r, - owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, - - owner @{tmp}/@{uuid} rw, - owner @{tmp}/vscode-*/{,**} rw, - owner @{tmp}/vscode-ipc-@{uuid}.sock rw, - - owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw, - owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw, - owner @{run}/user/@{uid}/git-graph-askpass-[a-zA-Z0-9]*.sock rw, - - @{run}/systemd/inhibit/*.ref rw, - - @{sys}/devices/system/cpu/present r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, - - @{PROC}/ r, - @{PROC}/@{pid}/fd/ r, - 
@{PROC}/@{pid}/stat r, - @{PROC}/loadavg r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm w, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pids}/clear_refs w, - owner @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pids}/task/@{tid}/status r, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 6954ca966..674432b2e 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh profile code-extension-git-askpass @{exec_path} { include @@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} { /usr/share/terminfo/** r, - owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/code-extension-git-editor b/apparmor.d/profiles-a-f/code-extension-git-editor index 104e01281..8e56ac3aa 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-editor +++ b/apparmor.d/profiles-a-f/code-extension-git-editor @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/code-wrapper b/apparmor.d/profiles-a-f/code-wrapper deleted file mode 100644 index 707164b09..000000000 --- a/apparmor.d/profiles-a-f/code-wrapper +++ /dev/null 
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/code{,-oss} -profile code-wrapper @{exec_path} { - include - include - - @{exec_path} r, - - @{sh_path} rix, - @{lib}/electron@{int}/electron rPx -> code, - - owner @{user_config_dirs}/code-flags.conf r, - owner @{user_config_dirs}/electron@{int}-flags.conf r, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/compton b/apparmor.d/profiles-a-f/compton index b27228807..a6c7d193f 100644 --- a/apparmor.d/profiles-a-f/compton +++ b/apparmor.d/profiles-a-f/compton @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 1e1b10abc..9e4372e1d 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -104,7 +104,7 @@ profile conky @{exec_path} { deny ptrace (trace, read), # Display the hard disk model name - @{sys}/devices/@{pci}/{usb,ata}[0-9]/**/model r, + @{sys}/devices/@{pci}/{usb,ata}@{int}/**/model r, @{sys}/block/{s,v}d[a-z]/device/model r, # Display the disk write/read speed @{PROC}/diskstats r, @@ -200,6 +200,7 @@ profile conky @{exec_path} { deny @{PROC}/@{pid}/net/route r, deny @{sys}/devices/**/hwmon/**/temp*_input r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index d7b41ff20..aa0a56648 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,9 +12,11 @@ profile console-setup @{exec_path} { @{exec_path} mr, - @{bin}/uname rPx, + @{sh_path} r, + @{bin}/uname rix, @{bin}/mkdir rix, + @{run}/console-setup/ rw, @{run}/console-setup/boot_completed w, include if exists diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached new file mode 100644 index 000000000..332f05341 --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-cached @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh +profile console-setup-cached @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/ls ix, + @{bin}/mkdir ix, + @{bin}/setfont ix, + + /usr/share/consolefonts/{,**} r, + + @{run}/console-setup/ w, + @{run}/console-setup/font-loaded w, + + /dev/ r, + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard new file mode 100644 index 000000000..1f4045e2e --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-keyboard @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh +profile console-setup-keyboard @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/kbd_mode rix, + @{bin}/loadkeys rix, + + /etc/console-setup/{,**} r, + + /dev/tty@{int} rw, + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor 
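Review bot: The new console-setup-cached profile mixes `rix` (`@{sh_path}`, `@{bin}/gzip`) with bare `ix` (`@{bin}/ls`, `@{bin}/mkdir`, `@{bin}/setfont`) in the same rule block, while the sibling console-setup-keyboard profile added in this commit uses `rix` throughout. Unless the missing `r` is intentional, make the three lines `@{bin}/ls rix,` / `@{bin}/mkdir rix,` / `@{bin}/setfont rix,` so the two profiles read the same way. In the console-setup hunk above it, `@{bin}/uname` moves from `rPx` to `rix` and `@{sh_path} r,` is added without comment; a brief note on why uname no longer needs its own profile would help the next reader.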
diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 28a393470..52e80cc54 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall @@ -3,42 +3,35 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/convertall /usr/share/convertall/convertall.py profile convertall @{exec_path} { include - include - include - include + include include - include - include - include - include - include - include + include include + include + include @{exec_path} r, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, + + /usr/share/convertall/{,**} r, + /usr/share/doc/convertall/{,*} r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, owner @{HOME}/.convertall rw, deny owner @{PROC}/@{pid}/cmdline r, - /usr/share/convertall/{,**} r, - /usr/share/doc/convertall/{,*} r, - - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - include if exists } diff --git a/apparmor.d/profiles-a-f/cppw-cpgr b/apparmor.d/profiles-a-f/cppw-cpgr index 9e0aa0ad1..a5b7d8302 100644 --- a/apparmor.d/profiles-a-f/cppw-cpgr +++ b/apparmor.d/profiles-a-f/cppw-cpgr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid index 8df6f750e..332c1735c 100644 --- a/apparmor.d/profiles-a-f/cpuid +++ b/apparmor.d/profiles-a-f/cpuid @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/cpuid profile cpuid @{exec_path} { include + include capability mknod, diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index d29bfbbee..4db396fa0 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer 
@@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/cracklib-packer +@{exec_path} = @{sbin}/cracklib-packer profile cracklib-packer @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index 96fb4c706..d3b6cba6f 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/crda +@{exec_path} = @{sbin}/crda profile crda @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/czkawka-cli b/apparmor.d/profiles-a-f/czkawka-cli index 6ad4c553b..ddbc8b59b 100644 --- a/apparmor.d/profiles-a-f/czkawka-cli +++ b/apparmor.d/profiles-a-f/czkawka-cli @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index 68a30c769..d7bb93f41 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile czkawka-gui @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, # Dirs to scan for duplicates #owner @{HOME}/** rw, @@ -38,32 +38,6 @@ profile czkawka-gui @{exec_path} { @{sys}/fs/cgroup/{,**} r, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - #@{lib}/firefox/firefox rPx, - @{bin}/smplayer rPx, - @{bin}/geany rPx, - @{bin}/viewnior rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } 
diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient index 000e61013..0928f0da4 100644 --- a/apparmor.d/profiles-a-f/ddclient +++ b/apparmor.d/profiles-a-f/ddclient @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,6 @@ profile ddclient @{exec_path} { include @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/logger rix, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index ee12dcd5d..d8cb23a5c 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,14 +21,15 @@ profile ddcutil @{exec_path} { @{bin}/find rix, @{bin}/sed rix, @{bin}/xargs rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, / r, owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index eaf12a933..2e7723995 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop 
@@ -3,29 +3,26 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{DCD_LIBDIR} = @{lib}/deltachat-desktop -@{DCD_LIBDIR} += @{lib}/deltachat -@{DCD_LIBDIR} += /opt/DeltaChat/ +@{domain} = org.chromium.Chromium +@{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ -@{exec_path} = /usr/bin/deltachat-desktop -@{exec_path} += /opt/DeltaChat/deltachat-desktop -#@{exec_path} += @{DCD_LIBDIR}/deltachat-desktop +@{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include + include include include - include - include include + include include + include include include include - include network inet dgram, network inet6 dgram, @@ -35,15 +32,18 @@ profile deltachat-desktop @{exec_path} { @{exec_path} mrix, - @{DCD_LIBDIR}/ r, - @{DCD_LIBDIR}/** r, - @{DCD_LIBDIR}/libffmpeg.so mr, - @{DCD_LIBDIR}/{swiftshader/,}libGLESv2.so mr, - @{DCD_LIBDIR}/{swiftshader/,}libEGL.so mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.node mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, - @{DCD_LIBDIR}/chrome-sandbox rPx, + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/{swiftshader/,}libGLESv2.so mr, + @{lib_dirs}/{swiftshader/,}libEGL.so mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, + @{lib_dirs}/chrome-sandbox rPx, + + @{bin}/xdg-settings rPx, + @{open_path} rPx -> child-open-browsers, owner @{user_config_dirs}/DeltaChat/ rw, owner @{user_config_dirs}/DeltaChat/** rwk, 
@@ -53,58 +53,24 @@ profile deltachat-desktop @{exec_path} { owner @{tmp}/@{hex}/db.sqlite rwk, owner @{tmp}/@{hex}/db.sqlite-journal rw, - @{PROC}/ r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/statm r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pids}/oom_{,score_}adj r, - deny owner @{PROC}/@{pids}/oom_{,score_}adj w, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, - /dev/ r, + /dev/ r, # (#FIXME#) deny @{sys}/bus/pci/devices/ r, - deny @{sys}/devices/virtual/tty/tty@{int}/active r, - # no new privs - @{bin}/xdg-settings rPx, - - @{bin}/xdg-open rCx -> open, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 67e52b376..3f749a24b 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser 
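Review bot: `/dev/ r, # (#FIXME#)` in the deltachat-desktop proc/dev hunk marks the rule as unresolved without saying what is unresolved, and the same hunk silently flips two former explicit denials — `deny owner @{PROC}/@{pid}/cmdline r` and `deny owner @{PROC}/@{pids}/oom_{,score_}adj w` — into grants. Explicit denies are usually kept to silence known-harmless audit noise, so converting them is a deliberate policy change that deserves a line; suggest `# (#FIXME#) /dev/ listing: identify the component that enumerates /dev and narrow to the nodes it needs` and a short comment on the `oom_{,score_}adj rw` rule saying why writing it is now allowed. The hunk also removes `deny @{sys}/devices/virtual/tty/tty@{int}/active r` with no replacement, which presumably just lets that access be logged again — confirm that is intended.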
@@ -3,41 +3,35 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/del{user,group} +@{exec_path} = @{sbin}/deluser profile deluser @{exec_path} { include include include include - # The deluser command is issued as root and its task is to delete regular user accounts. It - # optionally can remove user files (via --remove-home or --remove-all-files) or create a backup. - # Because of that, the deluser command needs the following CAPs to be able to do so. capability dac_read_search, capability dac_override, @{exec_path} r, - @{bin}/perl r, - @{sh_path} rix, - - @{bin}/userdel rPx, - @{bin}/groupdel rPx, - @{bin}/gpasswd rPx, - - @{bin}/crontab rPx, - - @{bin}/mount rCx -> mount, + @{sh_path} rix, + @{bin}/crontab rPx, + @{bin}/gpasswd rPx, + @{sbin}/groupdel rPx, + @{bin}/mount rCx -> mount, + @{sbin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, owner /etc/shadow r, + #aa:lint ignore=too-wide # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # that's going to be deleted. Basically it scans all the files in the system in each dir and look # for matches. This also includes files required by the "--remove-home" flag as well as the @@ -45,7 +39,6 @@ profile deluser @{exec_path} { / r, /** rw, - profile mount { include @@ -55,6 +48,7 @@ profile deluser @{exec_path} { @{sys}/devices/virtual/block/**/name r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc index b4ccf6743..65f944638 100644 --- a/apparmor.d/profiles-a-f/dfc +++ b/apparmor.d/profiles-a-f/dfc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,9 +12,8 @@ profile dfc @{exec_path} { include include - capability dac_read_search, - # No visible effect - deny capability dac_override, + capability dac_override, + capability dac_read_search, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dhclient b/apparmor.d/profiles-a-f/dhclient index 20e45b87f..30d68f6e5 100644 --- a/apparmor.d/profiles-a-f/dhclient +++ b/apparmor.d/profiles-a-f/dhclient @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 4261a8be7..9d84a4065 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -3,20 +3,26 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dhclient-script profile dhclient-script @{exec_path} { include - include + include include capability net_admin, capability sys_admin, audit capability sys_module, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, @{sh_path} mrix, @@ -36,22 +42,22 @@ profile dhclient-script @{exec_path} { @{bin}/ping rPx, @{bin}/printenv rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/tr rix, @{bin}/xxd rix, + @{etc_rw}/resolv.conf rw, + @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, + @{etc_rw}/samba/dhcp.conf{,.new} rw, /etc/default/ddclient r, /etc/dhcp/{,**} r, /etc/fstab r, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, - @{etc_rw}/resolv.conf rw, - @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, - @{etc_rw}/samba/dhcp.conf{,.new} rw, /var/lib/dhcp/dhclient.leases r, /var/lib/samba/dhcp.conf{,.new} rw, 
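Review bot: The dfc hunk turns `deny capability dac_override,` — previously annotated `# No visible effect` — into a plain grant, and the new code carries no explanation of what started needing it. `dac_read_search`, which is kept, already covers reading files and traversing directories regardless of mode bits; `dac_override` additionally bypasses write and execute checks, which a disk-usage reporter should not need. Either restore the deny (suppressing audit noise is the likely reason it was there) or keep the grant with a rationale, e.g. `capability dac_override, # needed for: <describe the access that fails without it>`.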
@@ -65,7 +71,16 @@ profile dhclient-script @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, owner @{PROC}/@{pid}/loginuid r, - @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + include if exists + } profile run-parts { include @@ -77,6 +92,7 @@ profile dhclient-script @{exec_path} { # file_inherit owner /var/lib/dhcp/dhclient.leases r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index 87b80e3da..a8b482788 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,9 +27,9 @@ profile dig @{exec_path} { owner @{HOME}/.digrc r, owner @{HOME}/batch_mode.dig r, owner @{HOME}/tsig.key r, - + /tmp/batch_mode.dig r, - + owner @{PROC}/@{pids}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/profiles-a-f/dino b/apparmor.d/profiles-a-f/dino new file mode 100644 index 000000000..e2ee5e9b2 --- /dev/null +++ b/apparmor.d/profiles-a-f/dino 
@@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dino{,-im} +profile dino @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + # Not in a subprofile because of no new privs + @{bin}/gpg{,2} rix, + @{bin}/gpgconf rix, + @{bin}/gpgsm rix, + @{lib}/gnupg/keyboxd rix, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{user_share_dirs}/dino/ rw, + owner @{user_share_dirs}/dino/** rwk, + + owner @{run}/user/@{uid}/gnupg/ rw, + owner @{run}/user/@{uid}/gnupg/S.keyboxd rw, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im deleted file mode 100644 index f06989836..000000000 --- a/apparmor.d/profiles-a-f/dino-im +++ /dev/null 
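Review bot: `owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,` in the new dino profile exposes the whole GPG home to the messenger itself, not only to the gpg binaries above it, because those run `rix` inside dino's own profile. The comment `# Not in a subprofile because of no new privs` states the constraint but not this consequence; extending it to `# Not in a subprofile because of no new privs: gpg runs under dino's profile, so the GPG home is readable/writable by the whole app` records the trade-off that the deleted dino-im profile (next hunk) avoided with its gpg child profile. `owner @{PROC}/@{pid}/mountinfo r,` and `flags=(attach_disconnected)` are also new relative to dino-im and carry no note on what needs them.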
@@ -1,54 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/dino-im -profile dino-im @{exec_path} { - include - include - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - # Needed for GPG/PGP support - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, - - owner @{user_share_dirs}/dino/ rw, - owner @{user_share_dirs}/dino/** rwk, - - owner @{PROC}/@{pid}/fd/ r, - - profile gpg { - include - - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpgsm mr, - - owner @{HOME}/.gnupg/ rw, - owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, - - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/profiles-a-f/discord similarity index 62% rename from apparmor.d/groups/apps/discord rename to apparmor.d/profiles-a-f/discord index 3c70844c1..0991a243e 100644 --- a/apparmor.d/groups/apps/discord +++ b/apparmor.d/profiles-a-f/discord @@ -3,20 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = discord +@{domain} = org.chromium.Chromium @{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} -profile discord @{exec_path} { +@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} +profile discord @{exec_path} flags=(attach_disconnected) { include include + include include + include include include 
@@ -32,19 +35,29 @@ profile discord @{exec_path} { @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, - @{open_path} rPx -> child-open-browsers, + @{bin}/lsb_release rPx, + @{bin}/xdg-mime rPx, + @{open_path} rPx -> child-open-strict, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + /etc/ r, + /etc/lsb-release r, + + owner @{user_videos_dirs}/{,**} rwl, + owner @{user_pictures_dirs}/{,**} rwl, + + owner @{config_dirs}/@{version}/modules/** m, - owner @{tmp}/net-export/ rw, - owner @{tmp}/discord.sock rw, owner "@{tmp}/Discord Crashes/" rw, - - owner @{config_dirs}/*/modules/** rm, + owner @{tmp}/discord.sock rw, + owner @{tmp}/net-export/ rw, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/task/@{tid}/comm r, + + deny ptrace read, + include if exists } diff --git a/apparmor.d/groups/apps/discord-chrome-sandbox b/apparmor.d/profiles-a-f/discord-chrome-sandbox similarity index 92% rename from apparmor.d/groups/apps/discord-chrome-sandbox rename to apparmor.d/profiles-a-f/discord-chrome-sandbox index d30a2a57f..0599fa486 100644 --- a/apparmor.d/groups/apps/discord-chrome-sandbox +++ b/apparmor.d/profiles-a-f/discord-chrome-sandbox @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = discord -@{lib_dirs} = /usr/share/@{name} /opt/@{name} +@{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 03fab4ec9..8d5ff99b6 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -4,11 +4,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/dkms +@{exec_path} = @{sbin}/dkms profile dkms @{exec_path} flags=(attach_disconnected) { include include 
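Review bot: `owner @{user_videos_dirs}/{,**} rwl,` and `owner @{user_pictures_dirs}/{,**} rwl,` grant write and link over the user's entire Pictures and Videos trees with no comment saying which feature needs more than read. If the need is attachment upload, `r` is enough; if it is saving received media, a one-line note such as `# rwl: saving downloaded images/videos` beside the rules keeps the scope reviewable. `owner @{PROC}/@{pid}/mem r,` is likewise uncommented; presumably it serves the `chrome_crashpad_handler` listed earlier in the hunk, and saying so would stop a later cleanup from treating it as stray.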
@@ -27,28 +27,40 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{coreutils_path} rix, @{bin}/as rix, + @{bin}/bc rix, + @{bin}/clang-@{version} rix, + @{bin}/g++ rix, @{bin}/gcc rix, @{bin}/getconf rix, + @{bin}/hostname rix, + @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ld.lld rix, + @{bin}/llvm-objcopy rix, + @{bin}/lsb_release rPx, @{bin}/make rix, @{bin}/objcopy rix, @{bin}/pahole rix, @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{bin}/update-secureboot-policy rPUx, + @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/update-secureboot-policy rPUx, - @{lib}/gcc/@{multiarch}/@{int}*/* rix, + @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, + @{lib}/modules/*/build/arch/x86/** rix, + @{lib}/modules/*/build/include/** rix, @{lib}/modules/*/build/scripts/** rix, @{lib}/modules/*/build/tools/** rix, + @{lib}/os-release rix, /var/lib/dkms/**/build/* rix, + /var/lib/dkms/vboxhost/*/build/** rw, /var/lib/dkms/**/configure rix, /var/lib/dkms/**/dkms.postbuild rix, @@ -95,6 +107,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, + /dev/pts/@{int} rw, + profile kmod { include include @@ -102,9 +116,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko* r, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, - audit owner @{tmp}/tmp.* r, + owner @{tmp}/tmp.@{rand10} r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index f266791a1..2d799987f 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller 
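Review bot: `@{lib}/os-release rix,` marks a plain data file as inherit-executable; if dkms only reads or sources it, `@{lib}/os-release r,` is the right permission, since sourcing a file from a shell is a read rather than an exec. The same question applies to `@{lib}/modules/*/build/include/** rix,`, where headers rather than scripts are expected; if one build script under that tree really is executed, narrowing the glob to it keeps exec permission off the headers. `/var/lib/dkms/vboxhost/*/build/** rw,` is the only vendor-specific path in the hunk and would read better with a comment naming why that module needs write access where the generic `/var/lib/dkms/**/build/* rix,` rules do not.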
@@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/echo rix, @{bin}/plymouth rix, @{bin}/readlink rix, @@ -40,7 +40,7 @@ profile dkms-autoinstaller @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/dleyna-renderer-service b/apparmor.d/profiles-a-f/dleyna-renderer-service index d56098048..139dfaeaf 100644 --- a/apparmor.d/profiles-a-f/dleyna-renderer-service +++ b/apparmor.d/profiles-a-f/dleyna-renderer-service @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dleyna-server-service b/apparmor.d/profiles-a-f/dleyna-server-service index f41d250f6..552abeadc 100644 --- a/apparmor.d/profiles-a-f/dleyna-server-service +++ b/apparmor.d/profiles-a-f/dleyna-server-service @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index e17a72c84..f7d1e915e 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -49,16 +49,16 @@ profile dlocate @{exec_path} { / r, - profile md5sum { include @{bin}/md5sum mr, # For the md5 check - /boot/** r, + @{efi}/** r, /usr/** r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dmcrypt-get-device b/apparmor.d/profiles-a-f/dmcrypt-get-device index 2fa3fc6a9..7d5b8062a 100644 --- a/apparmor.d/profiles-a-f/dmcrypt-get-device +++ b/apparmor.d/profiles-a-f/dmcrypt-get-device 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 2d904eec0..984545508 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/dmeventd +@{exec_path} = @{sbin}/dmeventd profile dmeventd @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index 061bc40ac..680d25992 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/dmidecode +@{exec_path} = @{sbin}/dmidecode profile dmidecode @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup new file mode 100644 index 000000000..eb9d1dc19 --- /dev/null +++ b/apparmor.d/profiles-a-f/dmsetup @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/dmsetup +profile dmsetup @{exec_path} { + include + include + include + + capability sys_admin, + + @{exec_path} mr, + + @{PROC}/devices r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index 03d47e395..5573aaf83 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -27,17 +27,17 @@ profile dnscrypt-proxy @{exec_path} { @{exec_path} mrix, /etc/dnscrypt-proxy/{,**} r, - + owner /etc/dnscrypt-proxy/public-resolvers.md rw, owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw, owner /etc/dnscrypt-proxy/relays.md rw, owner /etc/dnscrypt-proxy/relays.md.minisig rw, owner /etc/dnscrypt-proxy/sf-*.tmp rw, - + /var/cache/private/dnscrypt-proxy/{,**} r, /var/cache/private/dnscrypt-proxy/public-resolvers.md{,.minisig} rw, /var/cache/private/dnscrypt-proxy/sf-*.tmp rw, - + /var/log/dnscrypt-proxy/ r, /var/log/dnscrypt-proxy/*.log w, /var/log/private/dnscrypt-proxy/ rw, @@ -52,8 +52,6 @@ profile dnscrypt-proxy @{exec_path} { @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/core/somaxconn r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper index 05b4085b3..bb54ca251 100644 --- a/apparmor.d/profiles-a-f/downloadhelper +++ b/apparmor.d/profiles-a-f/downloadhelper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install new file mode 100644 index 000000000..e99760a73 --- /dev/null +++ b/apparmor.d/profiles-a-f/dracut-install @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dracut/dracut-install +profile dracut-install @{exec_path} { + include + include + + @{exec_path} mr, + + @{bin}/cp rix, + + /etc/modprobe.d/{,**} r, + + @{sys}/devices/platform/{,**/} r, + @{sys}/devices/platform/**/modalias r, + @{sys}/module/compression r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dring b/apparmor.d/profiles-a-f/dring index 8d0045030..32a914268 100644 
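Review bot: The new dracut-install profile has no write rule for the destination tree that dracut-install populates; it lists `@{bin}/cp rix,` and read access to `/etc/modprobe.d/`, `@{sys}` and `@{PROC}/cmdline` only. Unless one of the two includes grants the destination, the first real run will be denied on the copy, so either the target path should be added or a comment should say which include is expected to provide it, e.g. `# destination root is covered by <include — TODO(review) confirm>`.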
--- a/apparmor.d/profiles-a-f/dring +++ b/apparmor.d/profiles-a-f/dring @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/profiles-a-f/dropbox similarity index 88% rename from apparmor.d/groups/apps/dropbox rename to apparmor.d/profiles-a-f/dropbox index ddb62bf60..57487b15c 100644 --- a/apparmor.d/groups/apps/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,11 +15,15 @@ include @{exec_path} = @{bin}/dropbox profile dropbox @{exec_path} { include + include + include include include include + include include include + include include @{exec_path} mr, @@ -29,14 +33,14 @@ profile dropbox @{exec_path} { @{bin}/readlink rix, @{bin}/dirname rix, @{bin}/uname rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/python3.@{int} rix, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}objdump rix, - @{bin}/xdg-open rCx -> child-open, - @{bin}/lsb_release rPx -> lsb_release, + @{open_path} rPx -> child-open-strict, + @{bin}/lsb_release rPx, owner @{HOME}/ r, owner @{config_dirs}/ rw, @@ -58,7 +62,6 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner /var/tmp/etilqs_@{hex16} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index e03ad1742..a1050aa94 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap 
@@ -3,23 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dumpcap profile dumpcap @{exec_path} { include + include + include include - include - include # To capture packekts capability net_raw, capability net_admin, - signal (receive) peer=wireshark, - network inet dgram, network inet6 dgram, network netlink raw, @@ -27,6 +25,8 @@ profile dumpcap @{exec_path} { network packet raw, network bluetooth raw, + signal (receive) peer=wireshark, + dbus (eavesdrop) bus=session, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 725f725c5..a4184a358 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus +@{exec_path} = @{sbin}/dumpe2fs @{sbin}/e2mmpstatus profile dumpe2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst index 8fb895029..e73e3370c 100644 --- a/apparmor.d/profiles-a-f/dunst +++ b/apparmor.d/profiles-a-f/dunst @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,10 +17,13 @@ profile dunst @{exec_path} { @{exec_path} mr, /etc/xdg/dunst/dunstrc r, + owner @{user_config_dirs}/dunst/dunstrc r, owner @{HOME}/.Xauthority r, + owner /dev/shm/dunst-@{rand6} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/dunstctl b/apparmor.d/profiles-a-f/dunstctl index 42276c6c6..45ec6886c 100644 --- a/apparmor.d/profiles-a-f/dunstctl +++ b/apparmor.d/profiles-a-f/dunstctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -13,12 +13,13 @@ profile dunstctl @{exec_path} { @{exec_path} mr, - @{bin}/dbus-send rCx -> dbus, + @{bin}/dbus-send Cx -> bus, - profile dbus { + profile bus { include + include - @{bin}/dbus-send mr, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dunstify b/apparmor.d/profiles-a-f/dunstify index 3a8f16c2f..c62e87f66 100644 --- a/apparmor.d/profiles-a-f/dunstify +++ b/apparmor.d/profiles-a-f/dunstify @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,8 @@ profile dunstify @{exec_path} { @{exec_path} mr, + owner @{PROC}/@{pid}/cgroup r, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 8ce1ed3c7..c120a3590 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -3,13 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 +@{exec_path} = @{sbin}/e2fsck @{sbin}/fsck.ext2 @{sbin}/fsck.ext3 @{sbin}/fsck.ext4 profile e2fsck @{exec_path} { include + include include include @@ -20,7 +21,7 @@ profile e2fsck @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index ccb4cc5a4..c7238f262 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/e2image +@{exec_path} = @{sbin}/e2image profile e2image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub new file mode 100644 index 000000000..2e7e88487 --- /dev/null 
+++ b/apparmor.d/profiles-a-f/e2scrub @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/e2scrub +profile e2scrub @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index de648cac2..e5d13f1de 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -2,23 +2,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/e2scrub_all +@{exec_path} = @{sbin}/e2scrub_all profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include include + capability setuid, capability sys_admin, capability sys_rawio, @{exec_path} mr, - @{sh_path} r, - @{bin}/readlink rix, + @{sh_path} mr, + @{bin}/readlink ix, /etc/e2scrub.conf r, diff --git a/apparmor.d/profiles-a-f/earlyoom b/apparmor.d/profiles-a-f/earlyoom new file mode 100644 index 000000000..01484cdc6 --- /dev/null +++ b/apparmor.d/profiles-a-f/earlyoom @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/earlyoom +profile earlyoom @{exec_path} { + include + + capability kill, + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/oom_adj r, + @{PROC}/@{pid}/oom_score r, + @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/@{pid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/ed2k b/apparmor.d/profiles-a-f/ed2k new file mode 100644 index 000000000..f92e3b74d --- /dev/null +++ b/apparmor.d/profiles-a-f/ed2k 
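Review bot: `capability setuid,` is added to e2scrub_all without a comment; the two capabilities below it were already present, but setuid is the one that lets the confined process change its user identity, so the rule should say which step needs it, e.g. `# setuid: <step that changes uid — TODO(review) confirm>`. In the same hunk `@{sh_path} r,` becomes `@{sh_path} mr,` and `@{bin}/readlink rix,` becomes `@{bin}/readlink ix,`; a short note on the intended interpreter handling would keep these two changes from being reverted as accidental.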
@@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ed2k +profile ed2k @{exec_path} { + include + include + + @{exec_path} mr, + + owner @{HOME}/.aMule/ED2KLinks w, + owner @{HOME}/.aMule/ED2KLinks_lock wk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/edid-decode b/apparmor.d/profiles-a-f/edid-decode index 8925e5e2d..f15d6db6c 100644 --- a/apparmor.d/profiles-a-f/edid-decode +++ b/apparmor.d/profiles-a-f/edid-decode @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 1dd15b4b9..59cfa3577 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -2,24 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = {E,e}lement -@{lib_dirs} = @{lib}/@{name} +@{domain} = org.chromium.Chromium +@{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/element-desktop -profile element-desktop @{exec_path} { +profile element-desktop @{exec_path} flags=(attach_disconnected) { include include - include - include + include include include include + include include network inet dgram, @@ -30,8 +31,9 @@ profile element-desktop @{exec_path} { @{exec_path} mr, - @{sh_path} r, - @{open_path} rPx -> child-open-strict, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, + @{open_path} Px -> child-open-strict, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/elinks b/apparmor.d/profiles-a-f/elinks index 1909ab896..f833c303d 100644 --- a/apparmor.d/profiles-a-f/elinks +++ b/apparmor.d/profiles-a-f/elinks 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 78fa87937..3e650962f 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -3,18 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include - include include - include - include - include + include include include include @@ -75,8 +72,7 @@ profile engrampa @{exec_path} { owner @{user_share_dirs}/ r, - /tmp/ r, - owner @{tmp}/** rw, + /tmp/ r, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 6f10293c7..5c4108094 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -48,6 +48,7 @@ profile etckeeper @{exec_path} { /etc/etckeeper/*.d/* rix, /etc/etckeeper/daily rix, + #aa:lint ignore=too-wide /etc/ rw, /etc/** rwkl -> /etc/**, @@ -73,6 +74,7 @@ profile etckeeper @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 73d73eb02..10b5ad4af 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -2,22 +2,21 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include - include include - include include include - include + include include include include + include include include include 
@@ -30,12 +29,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member={Set,GetTreeFromDevice} - peer=(name=:*, label=gvfsd-metadata), + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, @@ -48,13 +42,14 @@ profile evince @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, - owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/evince/{,*} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.pdf r, - owner @{tmp}/evince-*/{,**} rw, - owner @{tmp}/gtkprint* rw, + owner @{tmp}/evince-@{int}/{,**} rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 7a2b939a6..dcd28ddc9 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index d4e63c924..6fbabaf28 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer 
@@ -2,17 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 9f03de7fc..817ba6215 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile execute-dcut @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, include if exists } diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 10edc6164..7161c5900 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile execute-dput @{exec_path} flags=(complain) { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @@ -46,6 +46,7 @@ profile execute-dput @{exec_path} flags=(complain) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/exiftool b/apparmor.d/profiles-a-f/exiftool index 23aac34d4..fecb1af22 100644 --- a/apparmor.d/profiles-a-f/exiftool +++ b/apparmor.d/profiles-a-f/exiftool @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ profile exiftool @{exec_path} { include include include + include @{exec_path} mr, 
diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 3dae4cae6..3af283014 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/exim4 -profile exim4 @{exec_path} { +@{exec_path} = @{sbin}/exim4 +profile exim4 @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index 990c67b85..e03e35403 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile exo-compose-mail @{exec_path} { include @{exec_path} r, - @{bin}/perl r, # Mail clients @{bin}/thunderbird rPx, diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index af38a5fa3..b9d7652ee 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exo-open b/apparmor.d/profiles-a-f/exo-open index 7d265e566..2c5e86e30 100644 --- a/apparmor.d/profiles-a-f/exo-open +++ b/apparmor.d/profiles-a-f/exo-open @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -19,10 +19,10 @@ profile exo-open @{exec_path} { @{exec_path} mr, - @{lib}/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx, + @{lib}/@{multiarch}/xfce4/exo-@{version}/exo-helper-@{version} rPx, # It looks like gio-launch-desktop decides what app should be opened - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/f3brew b/apparmor.d/profiles-a-f/f3brew index 8572f369c..312512010 100644 --- a/apparmor.d/profiles-a-f/f3brew +++ b/apparmor.d/profiles-a-f/f3brew @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index a5d327e72..a2cfe43c5 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,7 @@ profile f3fix @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/f3probe b/apparmor.d/profiles-a-f/f3probe index c7843c91f..d935075eb 100644 --- a/apparmor.d/profiles-a-f/f3probe +++ b/apparmor.d/profiles-a-f/f3probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read index a25e7e0cc..93058cfa9 100644 --- a/apparmor.d/profiles-a-f/f3read +++ b/apparmor.d/profiles-a-f/f3read @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write index 25282dff8..25c56778d 100644 --- a/apparmor.d/profiles-a-f/f3write +++ b/apparmor.d/profiles-a-f/f3write 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 23fd61125..d432bee94 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 2706c8e43..629208bc6 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,11 +20,11 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/iptables rix, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index df95d83c0..c8bdedaa3 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/fatlabel +@{exec_path} = @{sbin}/fatlabel profile fatlabel @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index b94e0e49c..6f4c86647 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize 
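Review bot: In fail2ban-server, `@{bin}/iptables rix,` stays at `@{bin}` while the neighbouring `xtables-nft-multi` line is moved to `@{sbin}`; on Debian-family systems the iptables front-end is installed under sbin next to the multi-call binary, so that line probably needs the same move (`@{sbin}/iptables rix,`) or the exec will be denied on the systems this change targets. Worth checking the package file list before merging. The profile body continues outside the hunk.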
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/fatresize +@{exec_path} = @{sbin}/fatresize profile fatresize @{exec_path} { include include @@ -21,7 +21,7 @@ profile fatresize @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index 815e3bc76..bab152574 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -3,21 +3,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/fdisk +@{exec_path} = @{sbin}/fdisk profile fdisk @{exec_path} { include + include include - # Needed to inform the system of newly created/removed partitions - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) capability sys_admin, - - # To remove the following errors: - # kernel: device-mapper: core: fdisk: sending ioctl 5331 to DM device without required privilege. capability sys_rawio, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 864becf32..8633444d8 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,6 +28,7 @@ profile ffmpeg @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/.Xauthority r, + owner @{HOME}/.spotdl/** rw, # For spotdl owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, @@ -36,7 +37,7 @@ profile ffmpeg @{exec_path} { owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, + @{sys}/devices/system/node/node@{int}/meminfo r, include if exists } 
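Review bot: In fdisk, the two why-comments explaining `capability sys_admin` (the BLKRRPART ioctl) and `capability sys_rawio` (ioctl 5331 to device-mapper devices) are deleted while both capabilities are kept; these are the two most powerful permissions in the profile and the rationale is what lets the next reviewer decide whether either can be dropped. Keep at least a one-line note above each, e.g. `# BLKRRPART ioctl to re-read the partition table` and `# ioctl 5331 to DM devices`. The profile body continues outside the hunk.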
diff --git a/apparmor.d/profiles-a-f/ffmpegthumbnailer b/apparmor.d/profiles-a-f/ffmpegthumbnailer index 5c0d7e2f8..acc33199c 100644 --- a/apparmor.d/profiles-a-f/ffmpegthumbnailer +++ b/apparmor.d/profiles-a-f/ffmpegthumbnailer @@ -2,13 +2,14 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ffmpegthumbnailer profile ffmpegthumbnailer @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 0615d1042..4152ed49a 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,10 +11,9 @@ include profile ffplay @{exec_path} { include include - include + include include include - include network inet stream, network inet6 stream, @@ -30,7 +29,7 @@ profile ffplay @{exec_path} { owner @{user_videos_dirs}/** rw, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, + @{sys}/devices/system/node/node@{int}/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe index f5448d7ef..793361489 100644 --- a/apparmor.d/profiles-a-f/ffprobe +++ b/apparmor.d/profiles-a-f/ffprobe @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 4e432e2f1..3d13b813f 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller 
@@ -2,40 +2,35 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include - include - include include + include include - include - include - include #aa:dbus own bus=session name=org.gnome.ArchiveManager1 #aa:dbus own bus=session name=org.gnome.FileRoller @{exec_path} mr, + @{open_path} rPx -> child-open-help, + + @{bin}/mv rix, + @{bin}/rm rix, + # Archivers - @{bin}/7z rix, - @{bin}/ar rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/tar rix, - @{bin}/unrar-nonfree rix, - @{bin}/unzip rix, - @{bin}/xz rix, - @{bin}/zip rix, - @{bin}/zstd rix, - @{lib}/p7zip/7z rix, + @{archive_path} rix, + + #aa:lint ignore=too-wide + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, + owner @{tmp}/** rw, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-a-f/fileview b/apparmor.d/profiles-a-f/fileview new file mode 100644 index 000000000..9237f2a98 --- /dev/null +++ b/apparmor.d/profiles-a-f/fileview @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/fileview +profile fileview @{exec_path} { + include + include + + @{exec_path} mr, + + # This program parses aMule internal data files like "server.met". + # The paths to these files are given as arguments. + # The following directories are those that users likely want to read. + # However, this program is usable without the permissions below. + owner @{HOME}/.aMule/{,**} r, + @{user_torrents_dirs}/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/profiles-a-f/filezilla similarity index 66% rename from apparmor.d/groups/apps/filezilla rename to apparmor.d/profiles-a-f/filezilla index 29654c955..16bafb886 100644 --- a/apparmor.d/groups/apps/filezilla 
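Review bot: In file-roller, `@{MOUNTS}/** rw,` is the only one of the three new data-access rules without the `owner` qualifier, so the archiver can write to every file on any mounted volume regardless of who owns it, while `@{HOME}/**` and `@{tmp}/**` are owner-restricted. Unless extraction onto other users' files on removable media is intended, `owner @{MOUNTS}/** rw,` matches its siblings and narrows the `too-wide` exception the new `#aa:lint` line already acknowledges. The same `w` covers deletion, which the newly inherited `@{bin}/rm rix,` makes easy to exercise. The profile body continues outside the hunk.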
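Review bot: In the new fileview profile, `@{user_torrents_dirs}/{,**} r,` carries no `owner` qualifier while the `.aMule` line directly above it is owner-restricted; reading other users' torrent directories is not implied by the stated purpose (parsing aMule data files passed as arguments), so `owner @{user_torrents_dirs}/{,**} r,` would match the sibling rule. The hunk is the complete file.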
+++ b/apparmor.d/profiles-a-f/filezilla @@ -3,21 +3,33 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/filezilla profile filezilla @{exec_path} { include - include - include + include + include + include + include include - include - include + include + include + include + include include - signal (send) set=(term, kill) peer=fzsftp, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + + signal send set=(term, kill) peer=fzsftp, + signal send set=(term, kill) peer=fzputtygen, @{exec_path} mr, @@ -25,7 +37,8 @@ profile filezilla @{exec_path} { @{bin}/uname rix, @{bin}/fzsftp rPx, # When using SFTP protocol - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/fzputtygen rPUx, + @{bin}/lsb_release rPx, /usr/share/filezilla/{,**} r, @@ -46,15 +59,16 @@ profile filezilla @{exec_path} { owner @{user_cache_dirs}/filezilla/ rw, owner @{user_cache_dirs}/filezilla/default_*.png rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - /tmp/ r, owner @{tmp}/fz[0-9]temp-@{int}/ rw, owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk, owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/tty rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd new file mode 100644 index 000000000..7ce69ab64 --- /dev/null +++ b/apparmor.d/profiles-a-f/finalrd 
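Review bot: `@{bin}/fzputtygen rPUx,` falls back to running fzputtygen unconfined when no `fzputtygen` profile is loaded, whereas the first hunk adds `signal send set=(term, kill) peer=fzputtygen,`, which only matches a confined peer labelled `fzputtygen`. The two lines contradict each other: either such a profile exists and the exec should be `@{bin}/fzputtygen rPx,` like the `fzsftp` line above it, or it does not and the signal rule is dead. fzputtygen handles the user's private keys, so the unconfined fallback is the less desirable outcome. The profile body continues outside the hunk.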
@@ -0,0 +1,82 @@ + +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/finalrd +profile finalrd @{exec_path} { + include + include + + capability dac_read_search, + capability sys_admin, + capability sys_chroot, + + remount options=(rw nodev nosuid relatime remount) @{run}/, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/env ix, + @{bin}/find ix, + @{bin}/{,e}grep ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mount ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{sbin}/ldconfig{,.real} ix, + + @{bin}/ldd Cx -> ldd, + @{bin}/systemd-tmpfiles Px, + @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd, + @{lib}/systemd/systemd-shutdown Px, + /usr/share/finalrd/*.finalrd ix, + + @{bin}/{,*} r, + @{lib}/{,*} r, + @{sbin}/{,*} r, + + /usr/share/finalrd/{,**} r, + /usr/share/initramfs-tools/hook-functions r, + + /etc/fstab r, + /etc/iscsi/initiatorname.iscsi r, + /etc/iscsi/iscsid.conf r, + + / r, + + @{run}/ r, + @{run}/finalrd-libs.conf rw, + @{run}/initramfs/{,**} rw, + @{run}/mount/ r, + @{run}/mount/utab r, + + @{PROC}/@{pid}/mountinfo r, + + profile ldd { + include + include + include + + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index c470d068a..d8086715a 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
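Review bot: The new finalrd file begins with an empty line before the `# apparmor.d - Full set of apparmor profiles` header (the first `+` line of the hunk is blank), which no other profile in this diff does; drop it so the header stays on line 1. Separately, `capability sys_admin,`, `capability sys_chroot,` and the `remount ... @{run}/` rule carry no comment on why finalrd needs them; a why-comment per capability, as the fdisk profile had before this diff, would help the next reviewer. `/usr/share/finalrd/*.finalrd ix,` runs hook scripts shipped by other packages inside this privileged profile, which is presumably intended but is worth stating in a comment. The hunk is the complete file.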
@@ -19,11 +19,13 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, + + @{etc_ro}/login.defs r, - /etc/login.defs r, /etc/firejail/firejail.users r, /etc/firejail/firecfg.config r, + /etc/firejail/firecfg.d/{,*} r, /usr/local/bin/ r, /usr/local/bin/* rw, @@ -32,10 +34,14 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { /usr/share/applications/ r, /usr/share/applications/*.desktop r, @{user_share_dirs}/applications/ r, - @{user_share_dirs}/applications/*.desktop rw, - /dev/tty rw, + @{user_config_dirs}/firejail/{,*} r, + + /dev/tty rw, + /dev/tty@{int} rw, + owner /dev/pts/@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld deleted file mode 100644 index 143719f0d..000000000 --- a/apparmor.d/profiles-a-f/firewalld +++ /dev/null 
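Review bot: In firecfg, `/dev/tty@{int} rw,` is added without the `owner` qualifier while the adjacent `owner /dev/pts/@{int} rw,` has it, so the program may write to any virtual console rather than only the one it owns; unless firecfg is expected to drive a console owned by another user, `owner /dev/tty@{int} rw,` matches the pts line. The profile body continues outside the hunk.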
@@ -1,82 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/firewalld -profile firewalld @{exec_path} { - include - include - include - include - include - include - - capability mknod, - capability net_admin, - capability net_raw, - capability setpcap, - - network inet raw, - network inet6 raw, - network netlink raw, - - dbus receive bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.direct - member=passthrough - peer=(name=:*, label=libvirtd), - - dbus receive bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.zone - member={changeZoneOfInterface,getZones} - peer=(name=:*, label=libvirtd), - - dbus receive bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.zone - member={changeZoneOfInterface,removeInterface} - peer=(name=:*, label=libvirtd), - - #aa:dbus own bus=system name=org.fedoraproject.FirewallD1 - - @{exec_path} mr, - - @{bin}/ r, - @{bin}/alts rix, - @{bin}/ebtables-legacy rix, - @{bin}/ebtables-legacy-restore rix, - @{bin}/false rix, - @{bin}/ipset rix, - @{bin}/kmod rPx, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, - - /usr/local/lib/python3.10/dist-packages/ r, - - /usr/share/libalternatives/ r, - /usr/share/libalternatives/ebtables*/{,*} r, - /usr/share/libalternatives/ip{,4,6}tables*/{,*} r, - - /etc/firewalld/{,**} rw, - /etc/iproute2/group r, - /etc/iproute2/rt_realms r, - - /var/lib/ebtables/lock rwk, - - /var/log/firewalld rw, - - @{run}/firewalld/{,*} rw, - @{run}/xtables.lock rwk, - - @{PROC}/sys/kernel/modprobe r, - @{PROC}/sys/net/ipv{4,6}/ip_forward rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pids}/net/ip_tables_names r, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/flameshot b/apparmor.d/profiles-a-f/flameshot index 877e42912..f0d042ba8 100644 --- a/apparmor.d/profiles-a-f/flameshot +++ b/apparmor.d/profiles-a-f/flameshot @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index 8498285d1..a07976ce9 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, 
@@ -24,33 +25,23 @@ profile foliate @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=com.github.johnfactotum.Foliate + @{exec_path} mr, @{bin}/bwrap rix, @{bin}/gjs-console rix, - @{bin}/xdg-dbus-proxy rix, - - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, + @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open-help, /usr/share/com.github.johnfactotum.Foliate/{,**} r, - owner /bindfile@{rand6} rw, - owner /.flatpak-info r, - owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, owner @{user_cache_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, owner @{user_share_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Nautilus.slice/dbus*org.gnome.Nautilus@*.service/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-com.github.johnfactotum.Foliate-@{int}.scope/memory.* r, @@ -60,9 +51,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 6d7096ad7..56941f60b 100644 --- a/apparmor.d/profiles-a-f/font-manager 
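Review bot: In foliate, the rules for `WebKitNetworkProcess`/`WebKitWebProcess`, `xdg-dbus-proxy`, `/.flatpak-info` and the `@{run}/user/@{uid}/webkitgtk/*` sockets are removed; if Foliate still renders through WebKitGTK these are needed at run time, and presumably they now come from the abstraction `include` added in the previous hunk, but the diff does not show its name, so confirm that replacement covers the bwrap-launched web process before merging. If it does, a short comment such as `# WebKit sandbox rules come from the included abstraction` next to the remaining `@{bin}/bwrap rix,` would make the dependency visible. The profile body continues outside the hunk.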
+++ b/apparmor.d/profiles-a-f/font-manager @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,11 +11,9 @@ include profile font-manager @{exec_path} { include include + include include - include - include include - include include include diff --git a/apparmor.d/profiles-a-f/fping b/apparmor.d/profiles-a-f/fping index 5d30e4522..ee6213cb5 100644 --- a/apparmor.d/profiles-a-f/fping +++ b/apparmor.d/profiles-a-f/fping @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index d856867a3..8a5f9c01a 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, @@ -27,13 +28,12 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { /var/lib/fprint/{,**} rw, - @{run}/systemd/journal/socket rw, - @{run}/systemd/inhibit/*.ref w, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, - @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, include if exists } diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index c6355c2ff..a7222a664 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
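Review bot: In fprintd, `capability sys_admin,` is added with no comment on what operation needs it; it is the broadest capability AppArmor can grant, and a system daemon reachable over D-Bus is exactly where a reviewer wants the rationale, e.g. `# sys_admin: <syscall or ioctl from the audit log>` above the line. The widened `@{sys}/devices/**/hidraw/hidraw@{int}/uevent r,` and the new `@{run}/udev/data/c@{dynamic}:@{int} r,` are read-only and already carry their justification. The profile body continues outside the hunk.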
@@ -13,6 +13,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -21,24 +22,46 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + signal send set=kill peer=fractal//bwrap, + @{exec_path} mr, - owner @{tmp}/.@{rand6} rw, + @{open_path} rPx -> child-open-help, + @{bin}/bwrap rCx -> bwrap, + + /usr/share/glycin-loaders/{,**} r, + /usr/share/xml/iso-codes/{,**} r, + + owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{run}/user/@{uid}/fractal/{,**} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ r, + profile bwrap flags=(attach_disconnected) { + include + include + + signal receive set=kill peer=fractal, + + @{bin}/bwrap mr, + @{lib}/glycin-loaders/*/glycin-* rix, + + owner @{run}/user/@{uid}/fractal/.tmp@{rand6} r, + + owner @{PROC}/@{pid}/fd/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall index 0499beb0a..7af1ef8c9 100644 --- a/apparmor.d/profiles-a-f/freefall +++ b/apparmor.d/profiles-a-f/freefall @@ -2,7 +2,7 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/profiles-a-f/freetube similarity index 56% rename from apparmor.d/groups/apps/freetube rename to apparmor.d/profiles-a-f/freetube index d59762cfd..b820f249c 100644 --- a/apparmor.d/groups/apps/freetube 
+++ b/apparmor.d/profiles-a-f/freetube @@ -3,23 +3,26 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = {F,f}reetube{,-vue} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{name} = {F,f}ree{T,t}ube{,-vue} +@{domain} = org.chromium.Chromium +@{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{lib_dirs}/@{name} -profile freetube @{exec_path} { +@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} +profile freetube @{exec_path} flags=(attach_disconnected) { include include + include include include - include + include include + include network inet dgram, network inet6 dgram, @@ -27,17 +30,15 @@ profile freetube @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.freetube path=/org/mpris/MediaPlayer2 + @{exec_path} mrix, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> freetube//&xdg-settings, @{open_path} rPx -> child-open-strict, - /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{run}/user/@{uid}/ r, - - owner /dev/tty@{int} rw, + deny @{sys}/devices/@{pci}/usb@{int}/** r, include if exists } diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index 3e3dde2e9..c57323c6a 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -3,23 +3,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/fritzing{,.real} profile fritzing @{exec_path} { include - include - include - include - include - include - include - include + include include - include + include + include + include include + include network inet dgram, network inet6 dgram, 
@@ -30,26 +27,25 @@ profile fritzing @{exec_path} { @{exec_path} mrix, + /usr/share/fritzing/{,**} r, + /usr/share/hwdata/pnp.ids r, + + /etc/debian_version r, + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, - /usr/share/fritzing/{,**} r, + owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - /usr/share/hwdata/pnp.ids r, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /etc/debian_version r, + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* @{sys}/bus/ r, @{sys}/class/ r, @@ -57,15 +53,13 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/ttyS@{int} rw, /dev/ttyACM@{int} rw, - owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - include if exists } diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend deleted file mode 100644 index eb90c18d6..000000000 --- a/apparmor.d/profiles-a-f/frontend +++ /dev/null 
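Review bot: In fritzing, the moved rule `owner @{run}/lock/LCK..ttyACM[0-9]* rwk,` keeps the `[0-9]*` glob while `/dev/ttyACM@{int} rw,` in the same hunk and the rest of this diff (exo-open, ffmpeg, fwupd) convert `[0-9]` to `@{int}`; `owner @{run}/lock/LCK..ttyACM@{int} rwk,` keeps the file consistent. The profile body continues outside the hunk.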
@@ -1,129 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/debconf/frontend -profile frontend @{exec_path} flags=(complain) { - include - include - include - include - include - include - include - include - - capability dac_read_search, - - @{exec_path} r, - @{bin}/perl r, - - @{sh_path} rix, - @{bin}/hostname rix, - @{bin}/locale rix, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/stty rix, - @{bin}/update-secureboot-policy rPx, - - # debconf apps - @{bin}/adequate rPx, - @{bin}/aspell-autobuildhash rPx, - @{bin}/debconf-apt-progress rPx, - @{bin}/linux-check-removal rPx, - @{bin}/pam-auth-update rPx, - @{bin}/ucf rPx, - @{bin}/whiptail rPx, - @{lib}/tasksel/tasksel-debconf rPx -> tasksel, - /usr/share/debian-security-support/check-support-status.hook rPx, - - # Grub - @{lib}/grub/grub-multi-install rPx, - /usr/share/grub/grub-check-signatures rPx, - - # Run the package maintainer's scripts - # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) - #/var/lib/dpkg/info/*.{config,templates} rPUx, - #/var/lib/dpkg/info/*.{preinst,postinst} rPUx, - #/var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/info/*.control r, - #/var/lib/dpkg/tmp.ci/{config,templates} rPUx, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/control r, - /var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, - - # DKMS scipts - # What to do with it? 
(#FIXME#) - @{lib}/dkms/common.postinst rPUx, - @{lib}/dkms/dkms-* rPUx, - @{lib}/dkms/dkms_* rPUx, - - /usr/share/debconf/{,**} r, - - /etc/debconf.conf r, - /etc/inputrc r, - /etc/shadow r, - - owner @{tmp}/file* w, - owner /var/cache/debconf/* rwk, - - @{HOME}/.Xauthority r, - - @{run}/user/@{uid}/pk-debconf-socket rw, - - owner @{PROC}/@{pid}/mounts r, - - profile scripts flags=(complain) { - include - include - - capability dac_read_search, - - /var/lib/dpkg/info/*.config r, - /var/lib/dpkg/info/*.{preinst,postinst} r, - /var/lib/dpkg/info/*.{prerm,postrm} r, - /var/lib/dpkg/tmp.ci/config r, - /var/lib/dpkg/tmp.ci/{preinst,postinst} r, - /var/lib/dpkg/tmp.ci/{prerm,postrm} r, - - / r, - - @{bin}/ r, - @{bin}/* rPUx, - - @{lib}/ r, - @{lib}/** rPUx, - - /usr/share/ r, - /usr/share/** rPUx, - - /etc/init.d/ r, - /etc/init.d/* rPUx, - - /etc/ r, - /etc/** rw, - /var/ r, - /var/** rw, - @{sys}/ r, - @{sys}/**/ r, - @{run}/ r, - @{run}/** rw, - /tmp/ r, - owner @{tmp}/** rw, - - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index 643371c60..91b279d20 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,14 +10,21 @@ include profile fuse-overlayfs @{exec_path} { include - capability sys_admin, + capability chown, capability dac_override, capability dac_read_search, - capability chown, + capability fowner, + capability setfcap, + capability setuid, + capability sys_admin, + + mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, + mount fstype=fuse.overlayfs options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/, @{exec_path} mr, - mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, + @{bin}/mount rix, + @{bin}/umount rix, owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl, diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index e4d6cfd99..75d19a0d5 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -36,28 +36,19 @@ profile fuseiso @{exec_path} { profile fusermount { include - include - - # To mount anything: - capability sys_admin, - - capability dac_read_search, + include mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/, mount fstype={fuse,fuse.fuseiso} -> @{user_cache_dirs}/**/, - @{bin}/fusermount{,3} mr, + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{user_cache_dirs}/**/, - /etc/fuse.conf r, - - # Image files to be mounted - owner @{user_img_dirs}/{,**} r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, + owner @{user_img_dirs}/{,**} r, # Image files to be mounted + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 6774ffa96..a84b85322 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount 
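Review bot: In fuse-overlayfs, `@{bin}/umount rix,` is added but no `umount` rule appears in the hunk; once a profile contains mount rules, unmounting is mediated too, so unless an `umount` rule exists outside the hunk the inherited umount will still be denied even with `capability sys_admin`. Adding `umount @{user_share_dirs}/containers/storage/overlay/**/merged/,` next to the two mount rules closes that gap. The newly added `capability setuid,` and `capability setfcap,` also deserve a why-comment, since setfcap lets the process put file capabilities on anything it can write. The profile body continues outside the hunk.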
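Review bot: In fuseiso, the `fusermount` child profile drops `@{bin}/fusermount{,3} mr,`, `/etc/fuse.conf r,` and `/dev/fuse rw,` in favour of a single `include` whose target the diff does not show; the child only works if that abstraction carries those rules (`/dev/fuse rw` is the one fusermount cannot do without), so confirm it before merging. The same substitution is made in the standalone `fusermount` profile in the next file, where `/etc/fuse.conf r,` and `/dev/fuse rw,` are removed too. Both profiles continue outside their hunks.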
@@ -3,17 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/fusermount{,3} profile fusermount @{exec_path} { include - include - - capability dac_read_search, - capability sys_admin, + include # Be able to mount ISO images mount fstype={fuse,fuse.*} -> @{HOME}/*/, @@ -23,7 +20,7 @@ profile fusermount @{exec_path} { mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/, mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/, - mount fstype={fuse,fuse.*} -> /tmp/.mount_nextcl@{rand6}/, + mount fstype={fuse,fuse.*} -> /tmp/.mount_*@{rand6}/, umount @{HOME}/*/, umount @{HOME}/*/*/, @@ -33,10 +30,10 @@ profile fusermount @{exec_path} { umount /tmp/.mount_*/, umount @{run}/user/@{uid}/*/, umount /var/tmp/flatpak-cache-*/*/, + umount /tmp/fsa/*/, # fsarchiver @{exec_path} mr, - /etc/fuse.conf r, /etc/machine-id r, /var/tmp/flatpak-cache-*/*/ r, @@ -47,12 +44,10 @@ profile fusermount @{exec_path} { owner @{user_cache_dirs}/**/ rw, + /tmp/.mount_*@{rand6}/ r, + @{run}/user/@{uid}/doc/ r, - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 316f6ebdd..65793364d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -3,23 +3,24 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,fwupd/}fwupd -profile fwupd @{exec_path} flags=(complain,attach_disconnected) { +profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include - include + include include include - include - include include - include + include include + include include + include + include capability dac_override, capability dac_read_search, 
@@ -31,19 +32,21 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { capability sys_rawio, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ + #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), - - dbus send bus=system path=/org/freedesktop/UDisks2/Manager - interface=org.freedesktop.UDisks2.Manager - member=GetBlockDevices - peer=(name=:*, label=udisksd), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=bluetoothd), @{exec_path} mr, 
@@ -54,52 +57,62 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, - /usr/share/mime/mime.cache r, + /usr/share/hwdata/* r, + /usr/share/libdrm/*.ids r, + /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, /etc/lsb-release r, /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, - /var/cache/fwupd/{,**} rw, - /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/lib/fwupd/{,**} rw, - /var/lib/fwupd/pending.db rwk, - /var/tmp/etilqs_@{hex16} rw, - - /boot/{,**} r, - /boot/EFI/*/.goutputstream-@{rand6} rw, - /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, - /boot/EFI/*/fwupdx@{int}.efi rw, - @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, - /etc/machine-id r, /var/lib/dbus/machine-id r, - # In order to get to this file, the attach_disconnected flag has to be set + @{efi}/{,**} r, + @{efi}/EFI/*/.goutputstream-@{rand6} rw, + @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw, + @{efi}/EFI/*/fwupdx@{int}.efi rw, + @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + + @{MOUNTDIRS}/*/{,@{efi}/} r, + @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, + + owner /var/cache/fwupd/ rw, + owner /var/cache/fwupd/** rwk, + owner /var/lib/fwupd/ rw, + owner /var/lib/fwupd/** rwk, + + @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @{sys}/**/ r, @{sys}/devices/** r, + @{sys}/**/uevent r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/efi/** r, - @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, - @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, + 
@{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, @{sys}/power/mem_sleep r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/motd.d/ r, @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/udev/data/* r, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, @@ -113,6 +126,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /dev/bus/usb/ r, /dev/bus/usb/@{int}/@{int} rw, /dev/cpu/@{int}/msr rw, + /dev/dri/card@{int} rw, /dev/drm_dp_aux@{int} rw, /dev/gpiochip@{int} r, /dev/hidraw@{int} rw, @@ -120,12 +134,9 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, - /dev/sd[a-z]* r, - /dev/tpm@{int} rw, - /dev/tpmrm@{int} rw, /dev/wmi/* r, - profile gpg flags=(complain) { + profile gpg flags=(attach_disconnected,complain) { include include @@ -137,11 +148,12 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, - + owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, - owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6064c0ff1..2d781a734 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr 
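Review bot: `@{sys}/firmware/efi/efivars/dbx-@{uuid} rw` and `@{sys}/firmware/efi/efivars/KEK-@{uuid} rw` in the third fwupd hunk give the daemon write access to the Secure Boot revocation database and key-exchange-key variables, which are trust anchors for boot verification; the same hunk already annotates the udev rules (`# Identifies all subsystems`), and these two lines deserve the same treatment, e.g. `# Secure Boot dbx/KEK updates delivered as firmware`, so a reader knows the writes are expected rather than an over-grant. The fifth fwupd hunk also removes `/dev/tpm@{int} rw` and `/dev/tpmrm@{int} rw` with no visible replacement; presumably one of the includes added in the first hunk now supplies them, but that cannot be confirmed from this page and is worth a line in the commit message.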
@@ -3,22 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/fwupdmgr -profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { +profile fwupdmgr @{exec_path} flags=(attach_disconnected) { include include include include + include include include capability sys_nice, - signal (send), + signal send, network inet stream, network inet6 stream, @@ -26,23 +27,26 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + @{exec_path} mr, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/pkttyagent rPx, + @{bin}/dbus-launch Cx -> bus, + @{bin}/pkttyagent Px, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/terminfo/** r, + /etc/inputrc r, /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{user_cache_dirs}/ rw, + owner /var/lib/fwupd/ w, + owner /var/lib/fwupd/.cache/ w, + @{user_cache_dirs}/dconf/user rw, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/fwupd/ rw, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, @@ -52,16 +56,12 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { /dev/i2c-@{int} rw, /dev/tty rw, + /dev/pts/@{int} rw, - profile dbus { + profile bus flags=(attach_disconnected) { include - include - - @{bin}/dbus-launch mr, - - owner @{HOME}/.Xauthority r, - - include if exists + include + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 5888743ef..561e1af61 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim 
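Review bot: `@{user_cache_dirs}/dconf/user rw` in the second fwupdmgr hunk is the only user-cache rule without the `owner` qualifier; the neighbouring `owner @{user_cache_dirs}/ rw` and `owner @{user_cache_dirs}/fwupd/ rw` lines restrict writes to files the user owns, and the dconf database should get the same treatment: `owner @{user_cache_dirs}/dconf/user rw,`. This matters more because the first hunk of the same file drops `complain` from the profile flags, so this rule set is about to be enforced rather than merely logged. The hunk ends inside the profile body.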
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,7 +33,7 @@ profile gajim @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, # To play sounds @@ -73,7 +73,7 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/farstream/ rw, - owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, @@ -86,7 +86,7 @@ profile gajim @{exec_path} { # Silencer deny /usr/share/gajim/** w, - deny /usr/lib/python3/dist-packages/** w, + deny @{lib}/@{python_name}/dist-packages/** w, profile ccache { include @@ -100,15 +100,16 @@ profile gajim @{exec_path} { @{bin}/{,@{multiarch}-}ld.bfd rix, @{lib}/gcc/@{multiarch}/@{int}/collect2 rix, - owner @{tmp}/cc* rw, - owner @{tmp}/tmp* rw, + /etc/debian_version r, /media/ccache/*/** rw, + owner @{tmp}/cc* rw, + owner @{tmp}/tmp* rw, + owner @{run}/user/@{uid}/ccache-tmp/ rw, - /etc/debian_version r, - + include if exists } profile gpg { @@ -121,8 +122,8 @@ profile gajim @{exec_path} { @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, - owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.extra,.browser,.ssh} w, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -134,6 +135,7 @@ profile gajim @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded new file mode 100644 index 000000000..eb2d3fc1e --- /dev/null +++ b/apparmor.d/profiles-g-l/gamemoded 
@@ -0,0 +1,81 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gamemoded
+profile gamemoded @{exec_path} flags=(attach_disconnected) {
+ include
+
+ capability sys_ptrace,
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ @{bin}/pkexec Cx -> pkexec,
+ @{lib}/gamemode/gpuclockctl Cx -> pkexec,
+
+ /etc/gamemode.ini r,
+
+ owner @{user_config_dirs}/ r,
+
+ @{sys}/devices/@{pci}/vendor r,
+ @{sys}/devices/@{pci}/power_dpm_force_performance_level r,
+ @{sys}/devices/system/cpu/{,**} r,
+ @{sys}/devices/virtual/powercap/{,**} r,
+
+ @{PROC}/sys/kernel/split_lock_mitigate r,
+ owner @{PROC}/@{pid}/ r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/environ r,
+ owner @{PROC}/@{pid}/fdinfo/ r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
+ owner @{PROC}/@{pid}/task/ r,
+
+ profile pkexec flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability audit_write,
+ capability mknod,
+ capability setgid,
+ capability sys_ptrace,
+
+ ptrace read peer=gamemoded,
+
+ network netlink raw,
+
+ @{bin}/pkexec mr,
+
+ @{lib}/gamemode/{,**} r,
+ @{lib}/gamemode/cpugovctl ix,
+ @{lib}/gamemode/gpuclockctl ix,
+ @{lib}/gamemode/procsysctl ix,
+
+ @{etc_ro}/security/limits.d/ r,
+ @{etc_ro}/security/limits.d/@{int}-gamemode.conf r,
+ /etc/shells r,
+
+ @{sys}/devices/@{pci}/power_dpm_force_performance_level rw,
+ @{sys}/devices/@{pci}/vendor r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/cpu@{int}/cpufreq r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,
+
+ @{PROC}/@{pid}/fdinfo/@{int} r,
+ @{PROC}/@{pid}/loginuid r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/kernel/split_lock_mitigate rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote
index 7db7a5cb8..727bf8cdf 100644
--- a/apparmor.d/profiles-g-l/ganyremote
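Review bot: `ptrace read,` in the main gamemoded profile carries no `peer=` restriction, so the daemon may read the state of any process it can see, while the `pkexec` child in the same file scopes its equivalent rule to `peer=gamemoded`. If gamemoded only needs to inspect the clients that register with it, a comment stating that (`# Inspect registered game clients`) or a narrower peer would document why `capability sys_ptrace` plus an unscoped `ptrace read` is required; as written the reason is not visible in the profile. The `@{lib}/gamemode/*ctl ix` lines in the child likewise inherit `capability setgid` and `capability mknod`, and a one-line comment on what needs them would help the next reviewer.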
+++ b/apparmor.d/profiles-g-l/ganyremote @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,7 @@ profile ganyremote @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gconfd b/apparmor.d/profiles-g-l/gconfd index 5dffe8a0c..7ceee1022 100644 --- a/apparmor.d/profiles-g-l/gconfd +++ b/apparmor.d/profiles-g-l/gconfd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 8c3662ba1..b49e20570 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/gdisk +@{exec_path} = @{sbin}/gdisk profile gdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index a01425bb9..04c9a33f2 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{exec_path} mr, - @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, - @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w, + @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw, + @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw, /usr/share/gvfs/remote-volume-monitors/{,**} r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer new file mode 100644 index 000000000..d3df6f5f3 --- /dev/null +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gdk-pixbuf-thumbnailer +profile gdk-pixbuf-thumbnailer @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index 8fdffbf87..3ccfdec4a 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/ghc-pkg{,-*} +@{exec_path} = @{bin}/ghc-pkg{,-*} @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} profile ghc-pkg @{exec_path} { include include @@ -26,6 +26,8 @@ profile ghc-pkg @{exec_path} { @{sys}/devices/system/node/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp new file mode 100644 index 000000000..ad324e153 --- /dev/null +++ b/apparmor.d/profiles-g-l/gimp 
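Review bot: The two new `@{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/` rules in the gdk-pixbuf-query-loaders hunk grant `w` only, whereas the non-multiarch `loaders.cache` lines directly below them keep `rw`; if the tool reads the existing cache before rewriting it, the multiarch path will be denied on the read, so either align them (`@{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw,`) or add a comment explaining why write-only is sufficient there. The enclosing profile continues outside the hunk.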
@@ -0,0 +1,90 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gimp{,-*} +profile gimp @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + + signal (send) set=(term, kill) peer=xsane-gimp, + + #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + @{python_path} rix, + @{bin}/env rix, + @{bin}/gimp-debug-tool-3.0 rix, + @{bin}/gimp-script-fu-interpreter-* rix, + @{bin}/gjs-console rix, + @{bin}/lua rix, + @{lib}/gimp/@{version}/extensions/*/* rix, + @{lib}/gimp/*/plug-ins/** rix, + + @{bin}/xsane-gimp rPx, + @{open_path} rPx -> child-open-help, + + @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w, + + /usr/share/gimp/{,**} r, + /usr/share/mypaint-data/{,**} r, + /usr/share/poppler/{,**} r, + /usr/share/xml/iso-codes/{,**} r, + + /etc/fstab r, + /etc/gimp/{,**} r, + + owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, + + owner @{user_documents_dirs}/{,**} rw, + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_work_dirs}/{,**} rw, + + owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw, + owner @{user_cache_dirs}/babl/{,**} rw, + owner @{user_cache_dirs}/gegl-*/{,**} r, + owner @{user_cache_dirs}/gegl-*/{,**} r, + owner @{user_cache_dirs}/gimp/{,**} rw, + owner @{user_cache_dirs}/GIMP/{,**} rw, + + owner @{user_config_dirs}/gimp/{,**} rw, + owner @{user_config_dirs}/GIMP/{,**} rw, + + owner @{user_share_dirs}/gegl-*/{,**} r, + owner @{user_share_dirs}/GIMP/{,**} rw, + + owner @{tmp}/gimp/{,**} rw, + + @{run}/mount/utab r, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + 
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index 3520ec06e..494fef0ab 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules +++ b/apparmor.d/profiles-g-l/gio-querymodules @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gio-querymodules profile gio-querymodules @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index d147d77b0..01b491b98 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ include @{exec_path} = @{bin}/git @{bin}/git-* @{exec_path} += @{lib_dirs}/git @{lib_dirs}/git-* @{lib_dirs}/mergetools/* -profile git @{exec_path} { +profile git @{exec_path} flags=(attach_disconnected) { include include include @@ -24,7 +24,7 @@ profile git @{exec_path} { network inet6 stream, network netlink raw, - signal (send) peer=aurpublish, + signal send peer=aurpublish, @{exec_path} mrix, @@ -38,11 +38,13 @@ profile git @{exec_path} { deny /usr/local/games/ r, deny /var/lib/flatpak/exports/bin/ r, deny owner @{HOME}/.go/bin/ r, + deny owner @{HOME}/bin/ r, deny owner @{user_bin_dirs}/ r, # These are needed for "git submodule update" @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/alts rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/date rix, 
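Review bot: `owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw,` in the new gimp profile has a doubled slash, most likely a typo for `owner @{user_cache_dirs}/thumbnails/normal/gimp-thumb* rw,`, and may never match the intended path; the line `owner @{user_cache_dirs}/gegl-*/{,**} r,` is also present twice and one copy should go. Separately, `@{lib}/gimp/*/plug-ins/** rix` runs every installed plug-in under the full gimp rule set, including read-write on the user's documents, pictures and work directories and the screenshot D-Bus talk; that is the usual trade-off for plug-ins, but a one-line comment above it stating that inheritance is intentional would help the next reviewer. The hunk spans the whole new file.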
@@ -61,23 +63,21 @@ profile git @{exec_path} { @{bin}/wc rix, @{bin}/whoami rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, + @{bin}/gh rPUx, @{bin}/man rPx, @{bin}/meld rPUx, - @{lib}/code/extensions/git/dist/askpass.sh rPx, - @{lib}/code/extensions/git/dist/git-editor.sh rPx, - /usr/share/aurpublish/*.hook rPx, + @{lib}/code/extensions/git/dist/askpass.sh rPx, + @{lib}/code/extensions/git/dist/git-editor.sh rPx, + /usr/share/aurpublish/*.hook rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/ssh rCx -> ssh, - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - + @{editor_path} rCx -> editor, + /usr/share/git{,-core}/{,**} r, + /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, /etc/gitconfig r, 
@@ -90,27 +90,22 @@ profile git @{exec_path} { owner @{user_cache_dirs}/*/ rw, owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, - owner @{tmp}/** rwkl -> /tmp/**, - owner @{tmp}/**/bin/* rCx -> exec, - owner @{HOME}/.gitconfig* rw, owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, - owner @{tmp}/git-difftool.*/ rw, # For diffs - owner @{tmp}/git-difftool.*/right/{,**} rw, - owner @{tmp}/git-difftool.*/left/{,**} rw, - owner @{tmp}/* rw, - owner @{tmp}/tmp*/ rw, # For TWRP-device-tree-generator - owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/git-commit-msg-.txt rw, # For android studio + owner @{tmp}/git-difftool.*/{,**} rw, # For diffs - deny @{user_share_dirs}/gvfs-metadata/* r, - deny /dev/shm/.org.chromium.Chromium* rw, deny owner @{code_config_dirs}/** rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/vulkan/** r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, + deny /usr/share/nvidia/nvidia-application-profiles-* r, + deny /dev/shm/.org.chromium.Chromium.@{rand6} rw, - profile gpg { + profile gpg flags=(attach_disconnected) { include include @@ -122,13 +117,16 @@ profile git @{exec_path} { owner @{tmp}/.git_vtag_tmp@{rand6} r, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } - profile ssh { + profile ssh flags=(attach_disconnected) { include + include include network inet dgram, 
@@ -138,16 +136,20 @@ profile git @{exec_path} { network netlink raw, @{bin}/ssh mr, + @{bin}/ksshaskpass ix, + @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, - /etc/ssh/ssh_config.d/{,*} r, - /etc/ssh/ssh_config r, + @{etc_ro}/ssh/ssh_config.d/{,*} r, + @{etc_ro}/ssh/ssh_config r, - owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, - owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*, + owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/fd/ r, @@ -156,7 +158,7 @@ profile git @{exec_path} { include if exists } - profile exec { + profile exec flags=(attach_disconnected) { include owner @{user_build_dirs}/**/bin/* mr, @@ -164,14 +166,14 @@ profile git @{exec_path} { include if exists } - profile editor { + profile editor flags=(attach_disconnected) { include include - + owner @{user_projects_dirs}/**/ r, owner @{user_projects_dirs}/**/.git/@{int} rw, owner @{user_projects_dirs}/**/.git/*MSG rw, - + # The git repository files owner @{user_build_dirs}/ r, owner @{user_build_dirs}/** rw, diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg new file mode 100644 index 000000000..d668fbfd2 --- /dev/null +++ b/apparmor.d/profiles-g-l/gitg 
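Review bot: `@{bin}/ksshaskpass ix` in the ssh child profile inherits that child's confinement, which includes read access to `owner @{HOME}/@{XDG_SSH_DIR}/{,*}` and the agent sockets, so a GUI passphrase prompt would run with the private key files in reach; the neighbouring `@{lib}/code/extensions/git/dist/ssh-askpass.sh Px` transitions out instead, and the same `Px` (or a dedicated `Cx` child) for ksshaskpass would keep the prompt away from the keys. The ssh child profile starts before this hunk and ends after it.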
@@ -0,0 +1,44 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gitg
+profile gitg @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /usr/share/gitg/{,**} r,
+
+ owner @{user_projects_dirs}/ rw,
+ owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
+ owner @{user_projects_dirs}/**/.git/hooks/* rix,
+
+ owner @{user_config_dirs}/git/{,*} rw,
+
+ owner @{user_share_dirs}/gitg/{,**} rw,
+
+ @{run}/mount/utab r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd
index da5566f9f..aabde9cef 100644
--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
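Review bot: `owner @{user_projects_dirs}/**/.git/hooks/* rix,` in the new gitg profile executes repository hooks inherited, i.e. with every permission gitg itself has, including `network inet stream` and read-write on all of `@{user_projects_dirs}`; hooks are content of whatever repository the user opens, so this is the broadest grant in the file. The git profile touched by this same commit isolates comparable helpers behind `rCx` child profiles (`editor`, `gpg`, `ssh`), and either a comment above the hook line stating that inheritance is deliberate or a `Cx` child for the same pattern would make the choice explicit.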
@@ -2,26 +2,34 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /usr/share/zsh-theme-powerlevel[0-9]*k/gitstatus/usrbin/gitstatusd{,-*} +@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*} +@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include + include + + signal receive set=term peer=*//shell, + signal receive set=term peer={,vs}code, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r, + # Silencer deny capability dac_read_search, deny capability dac_override, deny owner @{HOME}/.*-store/{,**} r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-g-l/glib-compile-resources b/apparmor.d/profiles-g-l/glib-compile-resources index 45e787840..f52aa33d7 100644 --- a/apparmor.d/profiles-g-l/glib-compile-resources +++ b/apparmor.d/profiles-g-l/glib-compile-resources @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 5463405f9..59c56bb12 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/glib-compile-schemas +@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas profile glib-compile-schemas @{exec_path} { include include 
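Review bot: The new first attachment path `@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*}` lives in the user-writable cache directory, so the profile attaches to whatever file carries that name there rather than to a package-installed binary; a short comment above it recording why a user-writable location is attached (presumably the powerlevel theme fetches the daemon into the cache, but the page does not say) would spare the next reviewer the question. The hunk covers the whole profile body.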
diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner index e3dfec88c..bf7c7c53a 100644 --- a/apparmor.d/profiles-g-l/glib-pacrunner +++ b/apparmor.d/profiles-g-l/glib-pacrunner @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime index 566f58ee3..7f349b650 100644 --- a/apparmor.d/profiles-g-l/globaltime +++ b/apparmor.d/profiles-g-l/globaltime @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 9ad458720..cfd9f0dac 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,6 +25,7 @@ profile glxgears @{exec_path} { @{exec_path} mr, owner @{HOME}/.Xauthority r, + owner @{run}/user/@{uid}/xauth_@{rand6} r, include if exists } diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo index 7defbaf80..eea7b6050 100644 --- a/apparmor.d/profiles-g-l/glxinfo +++ b/apparmor.d/profiles-g-l/glxinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa index 9ed18534e..8a9c42443 100644 --- a/apparmor.d/profiles-g-l/gpa +++ b/apparmor.d/profiles-g-l/gpa @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index f225b5c06..d74945777 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted 
@@ -3,46 +3,40 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/gparted -profile gparted @{exec_path} { +@{exec_path} = @{sbin}/gparted +profile gparted @{exec_path} flags=(attach_disconnected) { include + include - ptrace (read), + ptrace read, @{exec_path} r, - @{bin}/ r, + @{bin}/ r, + @{coreutils_path} rix, @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/cut rix, - @{bin}/id rix, - @{bin}/ls rix, - @{bin}/mkdir rix, - @{bin}/pidof rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/touch rix, - @{bin}/gpartedbin rPx, + @{sbin}/killall5 rCx -> killall, + @{bin}/systemctl rCx -> systemctl, + @{bin}/udevadm rCx -> udevadm, + + @{bin}/pidof rPx, + @{bin}/pkexec rPx, + @{bin}/ps rPx, + @{bin}/xhost rPx, + + @{sbin}/gpartedbin rPx, @{lib}/gparted/gpartedbin rPx, @{lib}/gpartedbin rPx, @{lib}/{,udisks2/}udisks2-inhibit rix, + @{run}/udev/rules.d/ rw, - @{run}/udev/rules.d/90-udisks-inhibit.rules rw, - - @{bin}/udevadm rCx -> udevadm, - @{bin}/killall5 rCx -> killall, - - @{bin}/ps rPx, - @{bin}/xhost rPx, - @{bin}/pkexec rPx, - @{bin}/systemctl rCx -> systemctl, + @{run}/udev/rules.d/@{int}-*.rules rw, # For shell pwd / r, @@ -57,7 +51,6 @@ profile gparted @{exec_path} { # file_inherit owner /dev/tty@{int} rw, - profile udevadm { include include @@ -78,13 +71,11 @@ profile gparted @{exec_path} { ptrace (read), - @{bin}/killall5 mr, + @{sbin}/killall5 mr, - # The /proc/ dir is needed to avoid the following error: - # /proc: Permission denied - @{PROC}/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, include if exists } @@ -92,7 +83,9 @@ profile gparted @{exec_path} { profile systemctl { include include - + + capability net_admin, + include if exists } diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index b60e386bb..35dc03584 100644 
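Review bot: `@{run}/udev/rules.d/@{int}-*.rules rw` together with the new `@{run}/udev/rules.d/ rw` in the first gparted hunk replaces the single `90-udisks-inhibit.rules` file with write access to any numbered rules file in the runtime udev directory plus the ability to create and remove entries in it; the process runs as root, so this is the rule that decides which udev configuration it may alter. If only the file written by `udisks2-inhibit` is needed, the narrower pattern is preferable; otherwise a comment naming the other rule files should accompany the glob. The killall hunk further down also drops the `# The /proc/ dir is needed to avoid the following error:` comment while keeping the `@{PROC}/ r` rule it explained; keeping that comment costs nothing.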
--- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -3,18 +3,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin -profile gpartedbin @{exec_path} { +@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin +profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include include include include + include + capability dac_override, capability dac_read_search, capability ipc_lock, capability sys_admin, 
@@ -28,50 +30,52 @@ profile gpartedbin @{exec_path} { @{sh_path} rix, - @{bin}/blkid rPx, - @{bin}/dmidecode rPx, - @{bin}/hdparm rPx, + @{sbin}/blkid rPx, + @{sbin}/dmidecode rPx, + @{sbin}/hdparm rPx, @{bin}/kmod rPx, @{bin}/mount rCx -> mount, @{bin}/udevadm rCx -> udevadm, @{bin}/umount rCx -> umount, - @{bin}/btrfs rPx, - @{bin}/btrfstune rPx, - @{bin}/dmraid rPUx, - @{bin}/dmsetup rPUx, - @{bin}/dumpe2fs rPx, - @{bin}/e2fsck rPx, - @{bin}/e2image rPx, - @{bin}/fsck.btrfs rPx, - @{bin}/fsck.fat rPx, - @{bin}/lvm rPUx, - @{bin}/mdadm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPx, - @{bin}/mkntfs rPx, - @{bin}/mkswap rPx, + @{sbin}/btrfs rPx, + @{sbin}/btrfstune rPx, + @{sbin}/dmraid rPUx, + @{sbin}/dmsetup rPUx, + @{sbin}/dumpe2fs rPx, + @{sbin}/e2fsck rPx, + @{sbin}/e2image rPx, + @{sbin}/fsck.* rPUx, + @{sbin}/lvm rPUx, + @{sbin}/mdadm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPUx, + @{sbin}/mkntfs rPx, + @{sbin}/mkswap rPx, @{bin}/mtools rPx, @{bin}/ntfsinfo rPx, - @{bin}/ntfslabel rPx, - @{bin}/ntfsresize rPx, - @{bin}/resize2fs rPx, - @{bin}/swaplabel rPx, - @{bin}/swapoff rPx, - @{bin}/swapon rPx, - @{bin}/tune2fs rPx, - @{bin}/xfs_io rPUx, + @{sbin}/ntfslabel rPx, + @{sbin}/ntfsresize rPx, + @{sbin}/resize2fs rPx, + @{sbin}/swaplabel rPx, + @{sbin}/swapoff rPx, + @{sbin}/swapon rPx, + @{bin}/tune.* rPUx, + @{sbin}/tune2fs rPx, + @{sbin}/xfs_io rPUx, @{open_path} rPx -> child-open, + /etc/fstab r, + @{HOME}/.Xauthority r, owner @{HOME}/*.htm w, owner @{tmp}/gparted-*/ rw, @{run}/mount/utab r, - + @{PROC}/devices r, @{PROC}/partitions r, @{PROC}/swaps r, @@ -88,13 +92,13 @@ profile gpartedbin @{exec_path} { mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*@{int} -> /boot/, + mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @{bin}/mount mr, - include if exists + include if exists } profile umount { 
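Review bot: `@{sbin}/fsck.* rPUx`, `@{sbin}/mkfs.* rPUx` and `@{bin}/tune.* rPUx` in the second gpartedbin hunk change the fallback from `rPx` to `rPUx`, so a filesystem helper without its own profile now runs unconfined as root instead of being refused; that is a defensible trade-off but it is invisible at the call site, and a comment such as `# Unconfined fallback: not every fsck/mkfs helper has a profile` above the group would make it explicit. `@{HOME}/.Xauthority r` added in the same hunk lacks `owner`, unlike the `owner @{HOME}/*.htm w` line beneath it; if that is because the binary runs as root under pkexec, the rule should say so.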
@@ -104,7 +108,7 @@ profile gpartedbin @{exec_path} { umount /tmp/gparted-*/, - umount /boot/, + umount @{efi}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-g-l/gping b/apparmor.d/profiles-g-l/gping index 956a1781f..34a9401a4 100644 --- a/apparmor.d/profiles-g-l/gping +++ b/apparmor.d/profiles-g-l/gping @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 97c89a433..46ff3eec5 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,10 +11,11 @@ include profile gpo @{exec_path} { include include - include include - include + include + include include + include network inet dgram, network inet6 dgram, @@ -22,14 +23,12 @@ profile gpo @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @{bin}/uname rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/inputrc r, @@ -38,8 +37,6 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 10b8492e9..e60034172 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,6 +14,7 @@ profile gpodder @{exec_path} { include include include + include include include 
@@ -24,7 +25,7 @@ profile gpodder @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @@ -47,8 +48,6 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index f8e2c73f4..55033d107 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile gpodder-migrate2tres @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 4444662fc..0ad848c50 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,15 +16,16 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/grep rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, - /usr/lib/modprobe.d/{,**} r, + @{lib}/modprobe.d/{,**} r, /var/lib/ubuntu-drivers-common/* rw, /var/log/gpu-manager.log w, + /var/log/gpu-manager-switch.log w, @{sys}/devices/@{pci}/boot_vga r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim new file mode 100644 index 000000000..5717837ec --- /dev/null +++ b/apparmor.d/profiles-g-l/grim 
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/grim +profile grim @{exec_path} { + include + include + include + + @{exec_path} mr, + + owner @{HOME}/@{int8}_**_grim.png w, + + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index 4c0f07d87..916a73b22 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index cd7ce37ce..9b8eca8ee 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -2,19 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gsettings -profile gsettings @{exec_path} { +profile gsettings @{exec_path} flags=(attach_disconnected) { include include + include include + include @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, @@ -22,7 +23,13 @@ profile gsettings @{exec_path} { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - /dev/tty@{int} rw, + # file_inherit + deny network netlink raw, + deny /etc/nsswitch.conf r, + deny /etc/passwd r, + deny /opt/*/** r, + deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gsimplecal b/apparmor.d/profiles-g-l/gsimplecal index ba7ba4da4..b0b743359 100644 --- a/apparmor.d/profiles-g-l/gsimplecal +++ b/apparmor.d/profiles-g-l/gsimplecal 
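Review bot: `owner @{HOME}/@{int8}_**_grim.png w,` uses `**`, which in AppArmor also matches `/`, so the rule permits writing a `*_grim.png` file into any subdirectory whose first path component starts with eight digits, not only the timestamped default name directly under `$HOME`; `owner @{HOME}/@{int8}_*_grim.png w,` matches the default filename and nothing more. Because only that pattern is covered, running grim with an explicit output path or from another working directory will be denied — if that is intended, record it with `# default timestamped output name directly under $HOME only`.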
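Review bot: The silencer `deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf` excludes every config directory whose name starts with `d`, not just `dconf`, so the trailing comment overstates what it matches; since `deny` wins over `allow` this only means noisier logs rather than a wider grant, but the comment should say so, e.g. `# silence inherited fds: everything except dirs starting with "d" (dconf)`. The `attach_disconnected` flag added on the profile line is a separate change from these deny rules and deserves its own one-line reason (which caller hands gsettings a disconnected path), since the hunk does not show one.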
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index f6f6b300f..988c547f0 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -3,50 +3,38 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gsmartcontrol profile gsmartcontrol @{exec_path} { include - include - include - include - include + include include capability dac_read_search, - - # Needed? - deny capability sys_nice, + capability sys_nice, @{exec_path} mr, - @{bin}/smartctl rPx, - @{bin}/xterm rCx -> terminal, + @{bin}/dbus-launch Cx -> bus, + @{bin}/dbus-send Cx -> bus, + @{sbin}/smartctl Px, + @{bin}/xterm Cx -> terminal, - # When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Gsmartcontrol works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, + /etc/fstab r, - owner @{user_config_dirs}/gsmartcontrol/ rw, - owner @{user_config_dirs}/gsmartcontrol/gsmartcontrol.conf rw, - - # As it's started as root - @{HOME}/.Xauthority r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, # For saving SMART raport owner /root/ r, owner /root/**.txt w, + owner @{user_config_dirs}/gsmartcontrol/ rw, + owner @{user_config_dirs}/gsmartcontrol/** rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, 
@@ -55,57 +43,37 @@ profile gsmartcontrol @{exec_path} { owner @{PROC}/scsi/scsi r, owner @{PROC}/scsi/sg/devices r, - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - # The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as # root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and # hence this behavior should be blocked. - deny @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, + deny @{open_path} rx, - - profile dbus { + profile bus flags=(complain) { include - include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } profile terminal { include include + include include - include + include - capability setuid, - capability setgid, capability fsetid, + capability setgid, + capability setuid, @{bin}/xterm mr, - - /usr/sbin/update-smart-drivedb rPx, - - owner @{HOME}/.Xauthority r, - - /etc/shells r, - - /etc/X11/app-defaults/XTerm-color r, - /etc/X11/app-defaults/XTerm r, - /etc/X11/cursors/*.theme r, + @{sbin}/update-smart-drivedb rPx, /usr/include/X11/bitmaps/vlines2 r, /dev/ptmx rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 01b7d22e1..4fdb1084b 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,9 +15,16 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, + + profile pkexec { + include + include + + include if exists + } include if exists } 
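Review bot: `profile bus flags=(complain)` now transitions dbus-launch and dbus-send into a child profile that only logs, whereas the removed comment documented that gsmartcontrol runs as root, works without them, and therefore denied both (`deny @{bin}/dbus-launch rx,`); the net effect is that a root-spawned `dbus-daemon` runs effectively unconfined. If the spawn is really needed, complete the `bus` profile and drop `flags=(complain)` so it is enforced like the `terminal` child; if it is not, the previous `deny` lines were the tighter choice. Keeping `deny @{open_path} rx,` for the help-menu browser is the right call and should stay.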
diff --git a/apparmor.d/profiles-g-l/gssproxy b/apparmor.d/profiles-g-l/gssproxy index 6a16d1dc7..8fa3da0d7 100644 --- a/apparmor.d/profiles-g-l/gssproxy +++ b/apparmor.d/profiles-g-l/gssproxy @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index e67def6d2..e6d37db44 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 +@{exec_path} = @{bin}/gtk-query-immodules-* @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* profile gtk-query-immodules @{exec_path} { include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index a91dc3069..b709511e2 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include + capability fowner, + @{exec_path} mr, @{system_share_dirs}/icons/{,**/} r, diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 96b114461..0b9075bc1 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,6 @@ profile gtk-youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, 
@@ -40,8 +39,7 @@ profile gtk-youtube-viewer @{exec_path} { @{lib}/firefox/firefox rPx, - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{open_path} rPx -> child-open, owner @{user_config_dirs}/youtube-viewer/{,*} rw, @@ -91,30 +89,7 @@ profile gtk-youtube-viewer @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - } - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 9cadb774a..5d78a90e3 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,9 +12,7 @@ profile hardinfo @{exec_path} { include include include - include - include - include + include include include include @@ -40,16 +38,16 @@ profile hardinfo @{exec_path} { @{bin}/locale rix, @{bin}/make rix, @{bin}/perl rix, - @{bin}/python3.@{int} rix, - @{bin}/route rix, - @{bin}/ruby[0-9].@{int} rix, + @{python_path} rix, + @{sbin}/route rix, + @{bin}/ruby@{int}.@{int} rix, @{bin}/strace rix, @{bin}/tr rix, @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/xdg-open rCx -> open, + @{bin}/lsb_release rPx, + @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, 
@@ -60,10 +58,24 @@ profile hardinfo @{exec_path} { @{bin}/netstat rPx, @{bin}/qtchooser rPx, - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, + /usr/share/gdb/python/ r, + /usr/share/gdb/python/** r, /usr/share/hardinfo/{,**} r, + /etc/fstab r, + /etc/exports r, + /etc/samba/smb.conf r, + + /etc/gdb/gdbinit.d/ r, + + /var/log/wtmp r, + + owner @{HOME}/.hardinfo/ rw, + + owner @{tmp}/#@{int} rw, + @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, @{sys}/bus/i2c/drivers/eeprom/ r, @@ -78,48 +90,27 @@ profile hardinfo @{exec_path} { @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r, @{sys}/devices/**/power_supply/** r, - @{PROC}/@{pid}/net/wireless r, - @{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/wireless r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/asound/cards r, + @{PROC}/bus/input/devices r, + @{PROC}/dma r, + @{PROC}/iomem r, + @{PROC}/ioports r, + @{PROC}/loadavg r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pids}/loginuid r, - @{PROC}/uptime r, - @{PROC}/loadavg r, - @{PROC}/ioports r, - @{PROC}/iomem r, - @{PROC}/dma r, - @{PROC}/asound/cards r, - @{PROC}/scsi/scsi r, - @{PROC}/bus/input/devices r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/@{pids}/net/route r, - /etc/fstab r, - /etc/exports r, - /etc/samba/smb.conf r, - - /etc/gdb/gdbinit.d/ r, - - /usr/share/gdb/python/ r, - /usr/share/gdb/python/** r, - - /var/log/wtmp r, - - owner @{HOME}/.hardinfo/ rw, - - owner @{tmp}/#@{int} rw, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # Silencer - deny /usr/share/gdb/python/** w, - - # file_inherit owner /dev/tty@{int} rw, + deny /usr/share/gdb/python/** w, profile ccache { include 
@@ -134,15 +125,15 @@ profile hardinfo @{exec_path} { /etc/debian_version r, + include if exists } profile javac { include include - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, - - @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, /etc/java-[0-9]*-openjdk/** r, @@ -157,29 +148,7 @@ profile hardinfo @{exec_path} { owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{pid} rw, - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } profile kmod { diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index ff3870880..527629202 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -3,13 +3,13 @@ # Copyright (C) 2011-2014 Jérémy Bobbio ; # Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/ # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-3.0-only +# SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/haveged +@{exec_path} = @{sbin}/haveged profile haveged @{exec_path} { include @@ -20,10 +20,9 @@ profile haveged @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/poolsize r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, - owner @{PROC}/@{pid}/status r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, 
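Review bot: The haveged header changes `SPDX-License-Identifier: GPL-3.0-only` to `GPL-2.0-only` while the copyright lines still credit Jérémy Bobbio and krathalan; relicensing a file with outside copyright holders needs their agreement (or a note that the content was rewritten), and it is easy to miss inside a bulk `@{bin}` to `@{sbin}` path change. Either keep the original identifier or record the consent in the commit. The same hunk drops `owner @{PROC}/@{pid}/status r,`; that is fine only if the included base abstraction already grants it, which is not visible here.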
diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr index 78c15672b..09b71b77f 100644 --- a/apparmor.d/profiles-g-l/hbbr +++ b/apparmor.d/profiles-g-l/hbbr @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/hbbr +@{exec_path} = @{bin}/hbbr profile hbbr @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs index 69ac0cc8c..4e7532724 100644 --- a/apparmor.d/profiles-g-l/hbbs +++ b/apparmor.d/profiles-g-l/hbbs @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/hbbs +@{exec_path} = @{bin}/hbbs profile hbbs @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/hciconfig b/apparmor.d/profiles-g-l/hciconfig index eb0319c5f..1bf4c02f8 100644 --- a/apparmor.d/profiles-g-l/hciconfig +++ b/apparmor.d/profiles-g-l/hciconfig @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index e0be907a6..55d2abb5d 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp 
@@ -3,39 +3,27 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include + include + include - # To remove the following errors: - # /dev/sda: Permission denied + capability sys_admin, capability sys_rawio, - # There's the following error in strace: - # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) - # This should be covered by CAP_SYS_RAWIO instead. - # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) - # It looks like hddtemp works just fine without it. - deny capability sys_admin, - network inet stream, network inet6 stream, @{exec_path} mr, - # Monitored hard drives - /dev/sd[a-z]* r, - # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, - # Needed when the hddtemp daemon is started in the TCP/IP mode - /etc/gai.conf r, - include if exists } diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index f29bc1c20..53e520509 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -3,16 +3,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/hdparm +@{exec_path} = @{sbin}/hdparm profile hdparm @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # re-writing sector *: BLKFLSBUF failed: Permission denied diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat index aaa550dfc..064e850c2 100644 --- a/apparmor.d/profiles-g-l/hexchat +++ b/apparmor.d/profiles-g-l/hexchat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/highlight b/apparmor.d/profiles-g-l/highlight index fb90c4475..bd375b520 100644 --- a/apparmor.d/profiles-g-l/highlight 
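Review bot: `capability sys_admin,` is now granted unconditionally, replacing a `deny capability sys_admin,` whose deleted comment explained why it was withheld (the `HDIO_DRIVE_CMD` EACCES was judged harmless and hddtemp kept working); for a daemon that also has `network inet stream,` this is the broadest capability in the file and the hunk records no new reason for it. If the libata `HDIO_DRIVE_CMD` path is the justification (that handler checks both CAP_SYS_ADMIN and CAP_SYS_RAWIO), say so, e.g. `# HDIO_DRIVE_CMD via libata requires sys_admin in addition to sys_rawio`; otherwise the old `deny` should stay. The explicit `/dev/sd[a-z]* r,` was also removed in favour of an include whose target is not visible here, so confirm it still covers the monitored disks before this goes to enforce mode.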
+++ b/apparmor.d/profiles-g-l/highlight @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank new file mode 100644 index 000000000..7fbe74040 --- /dev/null +++ b/apparmor.d/profiles-g-l/homebank @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/homebank +profile homebank @{exec_path} flags=(attach_disconnected) { + include + include + include + + @{exec_path} mr, + + /usr/share/homebank/{,**} r, + + owner @{user_config_dirs}/homebank/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index 5894c85a0..ab0cf0cba 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,13 +18,15 @@ profile host @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, - @{sys}/kernel/mm/transparent_hugepage/enabled r, + @{PROC}/version_signature r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index efda5b4a8..7e87173cc 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname} -profile hostname @{exec_path} { +profile hostname @{exec_path} flags=(attach_disconnected) { include include include 
@@ -16,11 +16,14 @@ profile hostname @{exec_path} { capability sys_admin, network inet dgram, + network inet6 dgram, # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw, @{exec_path} mr, + owner /dev/tty@{int} rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-g-l/hugeadm b/apparmor.d/profiles-g-l/hugeadm index 731483cf6..95bc7037b 100644 --- a/apparmor.d/profiles-g-l/hugeadm +++ b/apparmor.d/profiles-g-l/hugeadm @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index fcb585020..fd9c3dfa0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include + include include include @@ -26,7 +27,6 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, - /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, @@ -37,12 +37,17 @@ profile hugo @{exec_path} { owner @{user_cache_dirs}/hugo_cache/{,**} rwkl, + owner @{user_config_dirs}/git/*config r, + owner @{user_config_dirs}/go/telemetry/mode r, + owner @{tmp}/hugo_cache/{,**} rwkl, owner @{tmp}/go-codehost-@{int} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/mm/hugepages/ r, - @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 7c6b87b6c..739073201 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,7 +11,6 @@ include profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - include capability sys_admin, @@ -19,13 +18,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { network inet6 dgram, @{exec_path} rm, - @{bin}/perl r, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/dd rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/efivar rix, @{bin}/find rix, @{bin}/md5sum rix, @@ -35,35 +33,26 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/uname rix, + @{bin}/vulkaninfo rPUx, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{bin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{bin}/dkms rPx, @{bin}/dmesg rPx, - @{bin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{bin}/ethtool rCx -> netconfig, - @{bin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{bin}/hdparm rPx, - @{bin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{bin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{bin}/iw rCx -> netconfig, - @{bin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/kmod rCx -> kmod, + @{bin}/lsb_release rPx, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, @@ -71,10 +60,8 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{bin}/rfkill rPx, - @{bin}/rpm rCx -> rpm, + @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, 
@@ -84,12 +71,23 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, + @{sbin}/biosdecode rPx, + @{sbin}/dkms rPx, + @{sbin}/dmidecode rPx, + @{sbin}/fdisk rPx, + @{sbin}/hdparm rPx, + @{bin}/boltctl rPUx, + @{sbin}/hwinfo rPx, + @{sbin}/rfkill rPx, + @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, + @{efi}/EFI/{,**} r, + owner @{HOME}/HW_PROBE/{,**} rw, - audit owner @{tmp}/*/ rw, + owner @{tmp}/@{rand10}/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @@ -99,19 +97,34 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, - @{PROC}/modules r, @{PROC}/scsi/scsi r, /dev/{,**} r, + profile kmod { + include + include + + capability syslog, + + @{sys}/module/{,**} r, + + include if exists + } + + profile curl flags=(attach_disconnected) { + include + + @{bin}/curl mr, + + include if exists + } + profile pacman flags=(attach_disconnected) { include include @@ -159,9 +172,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{run}/log/ rw, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, owner @{PROC}/@{pid}/stat r, 
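Review bot: The new `curl` child profile (`profile curl flags=(attach_disconnected)`) consists of one include whose target is not visible here plus `@{bin}/curl mr,`, so whether curl can only reach the upload endpoint or can also read arbitrary user files (`~/.netrc`, the collected `@{HOME}/HW_PROBE/**`) depends entirely on that abstraction. Since this is the path that ships the probe off-box, the network rules and the files curl may read are worth stating in the child itself, e.g. `network inet stream,` / `network inet6 stream,` and `owner @{HOME}/HW_PROBE/** r,`. The `kmod` child's `capability syslog,` is presumably there to read section addresses under `@{sys}/module/**`; if it was added to clear a denial, a short comment saying so would keep it from being mistaken for a dmesg requirement, since the capability also unlocks kernel log content.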
@@ -192,35 +208,10 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } - profile netconfig flags=(attach_disconnected) { - include - - # Not needed - deny capability net_admin, - deny capability net_raw, - - network inet dgram, - network inet6 dgram, - network ipx dgram, - network ax25 dgram, - network appletalk dgram, - network netlink raw, - - @{bin}/iw mr, - @{bin}/ifconfig mr, - @{bin}/iwconfig mr, - @{bin}/ethtool mr, - - owner @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/net/dev r, - - include if exists - } - profile systemctl flags=(attach_disconnected) { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index f7953e346..314975208 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/hwinfo +@{exec_path} = @{sbin}/hwinfo profile hwinfo @{exec_path} { include include @@ -27,9 +27,10 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, - @{bin}/acpidump rPUx, + @{sbin}/acpidump rPUx, + @{bin}/lsscsi rPx, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, /usr/share/hwinfo/{,**} r, @@ -39,7 +40,7 @@ profile hwinfo @{exec_path} { @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/{,**} r, @{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @@ -70,9 +71,12 @@ profile hwinfo @{exec_path} { include include + capability sys_module, + owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index 3a9a6131d..ce1ad519b 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix 
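Review bot: `capability sys_module,` in hwinfo's `kmod` child lets its modprobe actually load or unload kernel modules, a large step for a hardware-inspection tool; `sys_module` is only required for `init_module`/`delete_module`, not for listing or querying modules, so if the denial came from a read-only query the grant should be dropped. If hwinfo deliberately loads drivers while probing, keep it but say so with `# hwinfo loads drivers through modprobe while probing (needs sys_module)`. The `@{sys}/devices/@{pci}/{,**} r,` widening and the added `@{sys}/module/compression r,` are consistent with that probing and need no change.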
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -31,14 +31,13 @@ profile hypnotix @{exec_path} { network netlink raw, @{exec_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mkdir rix, - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver rPx, @{bin}/youtube-dl rPUx, @{bin}/yt-dlp rPUx, @{lib}/firefox/firefox rPx, @@ -63,29 +62,6 @@ profile hypnotix @{exec_path} { # Silencer deny @{lib}/hypnotix/** w, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - } - include if exists } diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index f045b489d..f101c56e6 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,8 +13,13 @@ profile i2cdetect @{exec_path} { @{exec_path} mr, + @{sys}/class/i2c-dev/ r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + owner @{PROC}/@{pid}/mounts r, + /dev/i2c-@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock index d2fbdff2c..ea72704c1 100644 --- a/apparmor.d/profiles-g-l/i3lock +++ b/apparmor.d/profiles-g-l/i3lock @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index fce4ff7d4..b192856d2 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy 
+++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -52,8 +52,8 @@ profile i3lock-fancy @{exec_path} { @{bin}/import-im6.q16 mr, @{bin}/scrot mr, - /usr/share/ImageMagick-[0-9]/*.xml r, - /etc/ImageMagick-[0-9]/*.xml r, + /usr/share/ImageMagick-@{int}/*.xml r, + /etc/ImageMagick-@{int}/*.xml r, owner @{HOME}/.Xauthority r, @@ -67,6 +67,7 @@ profile i3lock-fancy @{exec_path} { # file_inherit owner /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index 66111ff55..d46374984 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,9 +14,9 @@ profile iceauth @{exec_path} { @{exec_path} mr, owner @{tmp}/.xfsm-ICE-@{rand6} r, - owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, + owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, - owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n, + owner @{run}/user/@{uid}/ICEauthority rwl -> @{run}/user/@{uid}/ICEauthority-n, owner @{run}/user/@{uid}/ICEauthority-c w, owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c, owner @{run}/user/@{uid}/ICEauthority-n rw, diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id index 061313d42..933e5d712 100644 --- a/apparmor.d/profiles-g-l/id +++ b/apparmor.d/profiles-g-l/id @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/id -profile id @{exec_path} { +profile id @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 8dd7eaac0..48181e130 100644 --- a/apparmor.d/profiles-g-l/ifconfig 
+++ b/apparmor.d/profiles-g-l/ifconfig
@@ -3,11 +3,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/ifconfig
+@{exec_path} = @{sbin}/ifconfig
 profile ifconfig @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-g-l/iftop b/apparmor.d/profiles-g-l/iftop
new file mode 100644
index 000000000..232aff538
--- /dev/null
+++ b/apparmor.d/profiles-g-l/iftop
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Zane Zakraisek
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/iftop
+profile iftop @{exec_path} {
+ include
+ include
+ include
+
+ capability net_raw,
+
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+ network packet raw,
+
+ @{exec_path} mr,
+
+ /usr/share/terminfo/** r,
+
+ owner @{HOME}/.iftoprc r,
+
+ # When running in promiscuous mode
+ @{sys}/devices/**/net/*/statistics/* r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup
index 605c26f92..3c641f8e1 100644
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -20,7 +20,7 @@ profile ifup @{exec_path} {
 @{sh_path} rix,
 @{bin}/ip rix,
- @{bin}/route rix,
+ @{sbin}/route rix,
 @{bin}/seq rix,
 @{bin}/sleep rix,
 @{bin}/wc rix,
@@ -32,7 +32,7 @@ profile ifup @{exec_path} {
 @{bin}/run-parts rCx -> run-parts,
 @{bin}/kmod rCx -> kmod,
- @{bin}/sysctl rCx -> sysctl,
+ @{sbin}/sysctl rCx -> sysctl,
 /etc/network/interfaces r,
 /etc/network/interfaces.d/{,*} r,
@@ -85,13 +85,14 @@ profile ifup @{exec_path} { /etc/network/if-up.d/ r, /etc/network/if-up.d/*resolvconf rPUx, - /etc/network/if-up.d/resolved rPUx, + /etc/network/if-up.d/resolved rPUx, /etc/network/if-up.d/chrony rPUx, /etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/wpasupplicant rPUx, + include if exists } profile kmod { @@ -106,12 +107,10 @@ profile ifup @{exec_path} { profile sysctl { include -# capability mac_admin, - capability net_admin, - capability sys_admin, -# capability sys_resource, + capability net_admin, + capability sys_admin, - @{bin}/sysctl mr, + @{sbin}/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, @@ -119,6 +118,7 @@ profile ifup @{exec_path} { @{PROC}/sys/net/ipv6/conf/*/accept_ra rw, @{PROC}/sys/net/ipv6/conf/*/autoconf rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 5520e990c..04abb7e0c 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,6 +22,7 @@ profile im-launch @{exec_path} { @{bin}/sed rix, @{bin}/sleep rix, @{bin}/startplasma-x11 rPx, + @{bin}/startxfce4 rPx, @{bin}/true rix, @{bin}/uim-toolbar-gtk3 rPUx, @{bin}/uim-xim rPUx, diff --git a/apparmor.d/profiles-g-l/img2txt b/apparmor.d/profiles-g-l/img2txt index 41d77339b..5529ded9b 100644 --- a/apparmor.d/profiles-g-l/img2txt +++ b/apparmor.d/profiles-g-l/img2txt @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/imv-wayland b/apparmor.d/profiles-g-l/imv similarity index 91% rename from apparmor.d/profiles-g-l/imv-wayland rename to apparmor.d/profiles-g-l/imv index 72eaecc9c..f75e4c957 100644 --- a/apparmor.d/profiles-g-l/imv-wayland +++ b/apparmor.d/profiles-g-l/imv 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile imv @{exec_path} { owner @{run}/user/@{uid}/imv-*.sock w, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index f17356fcc..199483f4f 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,7 @@ profile initd-kexec @{exec_path} { @{bin}/tput rix, @{bin}/echo rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, @@ -41,7 +41,7 @@ profile initd-kexec @{exec_path} { profile systemctl { include include - + capability sys_resource, @{bin}/systemd-tty-ask-password-agent rix, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index d36584ec9..522d003f3 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile initd-kexec-load @{exec_path} { @{bin}/readlink rix, @{bin}/tput rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, @@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} { @{sys}/kernel/kexec_loaded r, - owner /boot/grub/{grub.cfg,grubenv} r, + owner @{efi}/grub/{grub.cfg,grubenv} r, @{PROC}/cmdline r, @@ -48,6 +48,7 @@ profile initd-kexec-load @{exec_path} { /etc/default/kexec.d/ r, + include if exists } profile systemctl { @@ -74,6 +75,7 @@ profile initd-kexec-load @{exec_path} { owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password-block/* rw, + include if exists } include if exists 
diff --git a/apparmor.d/profiles-g-l/initd-kmod b/apparmor.d/profiles-g-l/initd-kmod index f8f975211..a73ddb8bf 100644 --- a/apparmor.d/profiles-g-l/initd-kmod +++ b/apparmor.d/profiles-g-l/initd-kmod @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index 370cbf154..6a26d4dea 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile install-catalog @{exec_path} { @{sh_path} rix, @{bin}/basename rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index 54e40386f..f155339b1 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index ddbf2e31c..facd2fa3b 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile install-printerdriver @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 0dbe03687..e80875ca2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,6 @@ profile inxi @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/perl r, @{bin}/ r, @{sh_path} rix, @@ -44,11 +43,11 @@ profile inxi @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - @{bin}/blockdev rPx, + @{sbin}/blockdev rPx, @{bin}/compton rPx, @{bin}/df rPx, @{bin}/dig rPx, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, @@ -57,7 +56,7 @@ profile inxi @{exec_path} { @{bin}/openbox rPx, @{bin}/ps rPx, @{bin}/sensors rPx, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/sudo rPx, @{bin}/uptime rPx, @{bin}/who rPx, @@ -153,7 +152,7 @@ profile inxi @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 497e5cb1c..0cb507e36 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -35,7 +35,7 @@ profile ioping @{exec_path} { /bin/* r, /sbin/* r, /etc/** r, - /boot/** r, + @{efi}/** r, /opt/** r, /var/** r, @{MOUNTS}/** r, diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index be2738443..8ea787ea6 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop 
@@ -3,39 +3,35 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/iotop profile iotop @{exec_path} { include - include include + include - # Needed? - audit deny capability net_admin, - - # To set processes' priorities capability sys_nice, - @{exec_path} r, - @{bin}/python3.@{int} r, + network netlink raw, - @{bin}/file rix, + @{exec_path} r, @{bin}/ r, + @{bin}/file rix, + @{python_path} r, + + /etc/magic r, @{PROC}/ r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, @{PROC}/sys/kernel/pid_max r, - - # For file - /etc/magic r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 7fee79abc..0a27c4b59 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
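Review bot: Removing `audit deny capability net_admin,` without adding an allow leaves iotop's taskstats path unresolved: the kernel gates the taskstats GET command behind CAP_NET_ADMIN (GENL_ADMIN_PERM), so now that `network netlink raw,` is granted the capability check is the next thing to be denied, just no longer audited — unless one of the includes (their names are not visible in this view) grants it. Either add `capability net_admin,` with a why-comment such as `# taskstats netlink (GENL_ADMIN_PERM)`, or keep an explicit `deny capability net_admin,` so the decision is recorded rather than implicit. The `# For file` comment that explained `/etc/magic r,` was dropped in the reshuffle; re-adding it costs one line and keeps the rule from looking stray.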
@@ -20,25 +20,31 @@ profile ip @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- mount options=(rw, bind, rshared) -> /{var/,}run/netns/,
- mount options=(rw, rslave) -> /,
- mount options=(rw, bind) / -> /{var/,}run/netns/*,
- mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,
- mount fstype=sysfs -> /sys/,
+ mount fstype=sysfs -> @{sys},
+ mount options=(rw bind) / -> @{run}/netns/*,
+ mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/,
+ mount options=(rw, bind) @{att}/ -> @{run}/netns/*,
+ mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf,
+ mount options=(rw, rshared) -> @{run}/netns/,
+ mount options=(rw, rslave) -> /,
 umount @{run}/netns/*,
- umount /sys/,
+ umount @{sys},
 @{exec_path} mrix,
- @{sh_path} rix,
- / r,
+ # To run command with 'ip netns exec'
+ @{shells_path} rUx,
+ @{bin}/sudo rPx,
+
+ @{att}/ r,
 /etc/iproute2/{,**} r,
 /etc/netns/*/ r,
 /usr/share/iproute2/{,**} r,
+ @{run}/netns/ r,
 @{run}/netns/* rw,
 owner @{run}/netns/ rwk,
diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc
index dd750b8c9..c6dfa762a 100644
--- a/apparmor.d/profiles-g-l/ipcalc
+++ b/apparmor.d/profiles-g-l/ipcalc
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -13,7 +13,6 @@ profile ipcalc @{exec_path} {
 include
 @{exec_path} r,
- @{bin}/perl r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance
index 2226e6dd2..022dc92d5 100644
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@@ -2,11 +2,11 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/irqbalance
+@{exec_path} = @{sbin}/irqbalance
 profile irqbalance @{exec_path} flags=(attach_disconnected) {
 include
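Review bot: `@{shells_path} rUx,` makes every shell started through `ip netns exec` run unconfined, so from that point the ip profile provides no confinement at all; that is arguably unavoidable for a command whose purpose is to run arbitrary programs, but the comment should say so rather than just naming the feature, e.g. `# 'ip netns exec' runs arbitrary commands: shells are deliberately left unconfined (Ux), env scrubbed`. Because only shells (and `sudo`) are listed, `ip netns exec <ns> ping` or any other non-shell command will be denied unless an included abstraction covers it — the include names are stripped in this view, so confirm on a real run. The hunk also mixes two option-list spellings, `options=(rw bind)` / `options=(rw rbind)` next to `options=(rw, bind)`; both parse, but one form per file keeps grep-based audits honest.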
diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot
new file mode 100644
index 000000000..8c18782f9
--- /dev/null
+++ b/apparmor.d/profiles-g-l/ischroot
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ischroot
+profile ischroot @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /var/lib/update-notifier/tmp.@{rand10} w,
+
+ @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
index a54b024ad..093cd7100 100644
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -2,29 +2,38 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/issue-generator
+@{exec_path} = @{sbin}/issue-generator
 profile issue-generator @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
+ @{sh_path} r,
 @{bin}/basename rix,
 @{bin}/cat rix,
+ @{bin}/chmod rix,
 @{bin}/cmp rix,
+ @{bin}/mkdir rix,
 @{bin}/mktemp rix,
+ @{bin}/mv rix,
 @{bin}/rm rix,
 @{bin}/sort rix,
 /etc/issue.d/{,**} r,
+ /etc/sysconfig/issue-generator r,
- @{run}/issue r,
+ @{run}/agetty.reload w,
+ @{run}/issue rw,
+ @{run}/issue.@{rand10} rw,
- @{run}/issue.d/{,**} r,
+ @{run}/issue.d/{,**} rw,
+
+ /dev/tty rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw
index 3b62c32ba..631b0b9d1 100644
--- a/apparmor.d/profiles-g-l/iw
+++ b/apparmor.d/profiles-g-l/iw
@@ -3,11 +3,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/iw
+@{exec_path} = @{sbin}/iw
 profile iw @{exec_path} {
 include
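Review bot: `/var/lib/update-notifier/tmp.@{rand10} w,` is an odd grant for a program whose only other rule reads `@{PROC}/@{pid}/mountinfo`; it is presumably the redirected stdout/stderr of the update-notifier hook that invokes `ischroot`, i.e. an inherited descriptor rather than a file ischroot opens itself. Mark it the way the rest of this tree does (a `# file_inherit` line above the rule, as in the i3lock-fancy and iw hunks of this same diff) so that a later reader does not widen it into a general write rule, and consider the `owner` qualifier since the temp file belongs to the calling process's user. Confirm the origin against the hook script before writing the comment — nothing in the hunk shows it.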
@@ -21,7 +21,7 @@ profile iw @{exec_path} { @{exec_path} mr, - @{sys}/devices/@{pci}/ieee80211/phy[0-9]*/index r, + @{sys}/devices/@{pci}/ieee80211/phy@{int}/index r, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index 62bc16041..ec6b9a46b 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/iwconfig +@{exec_path} = @{sbin}/iwconfig profile iwconfig @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index ef2a280e0..b89af77b9 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/iwlist +@{exec_path} = @{sbin}/iwlist profile iwlist @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/jackdbus b/apparmor.d/profiles-g-l/jackdbus index ed1094a17..8326a3e40 100644 --- a/apparmor.d/profiles-g-l/jackdbus +++ b/apparmor.d/profiles-g-l/jackdbus @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome deleted file mode 100644 index 9d22933fc..000000000 --- a/apparmor.d/profiles-g-l/jami-gnome +++ /dev/null 
@@ -1,61 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/jami-gnome -profile jami-gnome @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - - /usr/share/ring/{,**} r, - /usr/share/sounds/jami-gnome/{,**} r, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/jami-gnome/ rw, - owner @{user_cache_dirs}/jami-gnome/** rw, - - owner @{user_share_dirs}/jami/ rw, - owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/, - - owner @{user_config_dirs}/autostart/jami-gnome.desktop w, - - owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/webkitgtk/deviceidhashsalts/1/ r, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w, - - @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/** r, - - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/smaps r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/zoneinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader deleted file mode 100644 index 424074da4..000000000 --- a/apparmor.d/profiles-g-l/jdownloader +++ /dev/null 
@@ -1,128 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{JD_INSTALLDIR} = /home/*/jd2 - -@{exec_path} = @{JD_INSTALLDIR}/*JDownloader* -profile jdownloader @{exec_path} { - include - include - include - include - include - include - include - - @{exec_path} rix, - - @{bin}/basename rix, - @{bin}/dirname rix, - @{bin}/expr rix, - @{bin}/cut rix, - @{bin}/ls rix, - @{bin}/{,e}grep rix, - @{bin}/find rix, - @{bin}/sed rix, - @{bin}/chmod rix, - - @{bin}/ffmpeg rPx, - - # These are needed when the above tools are in some nonstandard locations - #@{bin}/which{,.debianutils} rix, - #/usr/ r, - #/usr/local/ r, - #@{bin}/ r, - #@{lib}/ r, - - deny /opt/ r, - - owner @{HOME}/ r, - owner @{JD_INSTALLDIR}/ rw, - owner @{JD_INSTALLDIR}/** rwk, - owner @{JD_INSTALLDIR}/jre/bin/java rix, - owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw, - owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so mrw, - owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw, - owner @{JD_INSTALLDIR}/tmp/jna/jna@{int}.tmp mrw, - owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, - - owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw, - owner @{HOME}/.java/.userPrefs/.user.lock.* rwk, - owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw, - owner @{HOME}/.java/fonts/@{int}/ rw, - owner @{HOME}/.java/fonts/@{int}/fcinfo*.tmp rw, - owner @{HOME}/.java/fonts/@{int}/fcinfo-*.properties rw, - - owner @{HOME}/.install4j rw, - - owner @{tmp}/hsperfdata_@{user}/ rw, - owner @{tmp}/hsperfdata_@{user}/@{pid} rw, - # If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead - owner @{tmp}/SevenZipJBinding-*/ rw, - owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, - # For auto updates - owner @{tmp}/lastChanceSrc@{int}lch rw, - owner @{tmp}/lastChanceDst@{int}.jar rw, - owner 
@{tmp}/i4j_log_jd2_@{int}.log rw, - owner @{tmp}/install4jError@{int}.log rw, - - owner @{HOME}/.Xauthority r, - - # What's this for? - deny owner @{HOME}/.mozilla/firefox/ r, - deny owner @{HOME}/.mozilla/firefox/*.*/prefs.js r, - - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/@{pid}/net/ipv6_route r, - deny @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/asound/version r, - - # For Reconnect -> Share Settings/Get Route - #@{bin}/netstat rix, - #@{bin}/route rix, - #@{bin}/ping rix, - #@{bin}/ip rix, - #@{PROC}/@{pid}/net/route r, - - # To open a web browser for CAPTCHA - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, - - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index 667b9304f..d3444fea5 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu index 6c7f3c1ff..044eda493 100644 --- a/apparmor.d/profiles-g-l/jgmenu +++ b/apparmor.d/profiles-g-l/jgmenu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jitterentropy-rngd b/apparmor.d/profiles-g-l/jitterentropy-rngd index 5b96e0c58..49d5c6c57 100644 
--- a/apparmor.d/profiles-g-l/jitterentropy-rngd +++ b/apparmor.d/profiles-g-l/jitterentropy-rngd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index 77127171c..618ac14e7 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,8 +18,7 @@ profile jmtpfs @{exec_path} { @{bin}/fusermount{,3} rCx -> fusermount, - owner @{tmp}/tmp* rw, - owner @{tmp}/#@{int} rw, + /etc/magic r, # Mount points owner @{HOME}/*/ r, @@ -27,37 +26,22 @@ profile jmtpfs @{exec_path} { owner @{user_cache_dirs}/*/mtp{,-@{int}}/ rw, - mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, - mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, - mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, - - /etc/magic r, - - /dev/fuse rw, - + owner @{tmp}/tmp* rw, + owner @{tmp}/#@{int} rw, profile fusermount { include - include - - # To mount anything: - capability sys_admin, - - # - capability dac_read_search, - - @{bin}/fusermount{,3} mr, + include mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, - /etc/fuse.conf r, - - /dev/fuse rw, - - @{PROC}/@{pid}/mounts r, + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{user_cache_dirs}/*/*/, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index fef624841..91eb37c58 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -31,7 +31,7 @@ profile kanyremote @{exec_path} {
 @{bin}/{,e}grep rix,
 @{bin}/cut rix,
 @{bin}/id rix,
- @{bin}/which{,.debianutils} rix,
+ @{bin}/which{,.debianutils} rix,
 @{bin}/tr rix,
 @{bin}/{m,g,}awk rix,
 @{bin}/head rix,
diff --git a/apparmor.d/profiles-g-l/kcheckpass b/apparmor.d/profiles-g-l/kcheckpass
index 9dddbe470..33bd9c641 100644
--- a/apparmor.d/profiles-g-l/kcheckpass
+++ b/apparmor.d/profiles-g-l/kcheckpass
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check
index 6858f1b45..947cfabd1 100644
--- a/apparmor.d/profiles-g-l/kconfig-hardened-check
+++ b/apparmor.d/profiles-g-l/kconfig-hardened-check
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -13,13 +13,13 @@ profile kconfig-hardened-check @{exec_path} {
 include
 @{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
 @{bin}/ r,
 # The usual kernel config locations
- /boot/config-* r,
+ @{efi}/config-* r,
 @{PROC}/config.gz r,
 # This is for kernels, which are built manually
diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy
new file mode 100644
index 000000000..ccc0a2b25
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kdestroy
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Zane Zakraisek
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/kdestroy
+profile kdestroy @{exec_path} {
+ include
+ include
+
+ #Allow root to destroy other users' creds cache
+ capability dac_override,
+
+ @{exec_path} mr,
+
+ #Credentials cache
+ /tmp/krb5cc_* rwk,
+ /tmp/tkt* rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config
new file mode 100644
index 000000000..75c536612
--- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-config 
@@ -0,0 +1,110 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/kdump-config +profile kdump-config @{exec_path} flags=(attach_disconnected) { + include + + capability sys_admin, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/find ix, + @{bin}/flock ix, + @{bin}/hexdump ix, + @{bin}/ln ix, + @{bin}/logger ix, + @{bin}/plymouth Px, + @{bin}/readlink ix, + @{bin}/rev ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + @{sbin}/kexec Cx -> kexec, + @{sbin}/sysctl Cx -> sysctl, + + /etc/kernel/postinst.d/kdump-tools rPx, + + /etc/kdump/{,**} r, + /etc/default/kdump-tools r, + /etc/magic r, + + / r, + @{efi}/ r, + + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, + /var/lib/kdump/{,**} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + @{sys}/kernel/kexec_crash_loaded r, + + @{PROC}/cmdline r, + @{PROC}/iomem r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + capability sys_ptrace, + + ptrace read peer=@{p_systemd}, + + include if exists + } + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/panic_on_oops rw, + + include if exists + } + + profile kexec { + include + + capability sys_admin, + capability sys_boot, + + @{sbin}/kexec mr, + + @{efi}/* r, + + owner 
/var/lib/kdump/* r, + + @{PROC}/iomem r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init new file mode 100644 index 000000000..7767831a8 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/init.d/kdump-tools +profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + @{sh_path} mr, + + @{bin}/cat ix, + @{bin}/plymouth Px, + @{bin}/run-parts ix, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/kdump-config Px, + + /etc/default/kdump-tools r, + + @{PROC}/cmdline r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + + ptrace read peer=@{p_systemd}, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator new file mode 100644 index 000000000..5f85af3fe --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator +profile kdump_mem_estimator @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/cat ix, + @{bin}/mkdir ix, + @{bin}/uname ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + + owner /var/lib/kdump/mem* w, + + profile systemctl { + include + include + + capability net_admin, + + ptrace read peer=@{p_systemd}, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
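Review bot: The top-level `capability sys_admin,` in kdump-config carries no why-comment, and nothing in the parent's own rules obviously needs it: the kexec load happens in the `kexec` child, which has its own `sys_admin`/`sys_boot`, and the `sysctl` child writes `panic_on_oops` through procfs with no capability at all. Unless `flock`, `cp`, `run-parts` or the mkinitramfs staging under `/tmp/tmp.@{rand10}/` produced a denial in testing, drop it from the parent or record the trigger, e.g. `# sys_admin: <reason observed in audit log>`. Two smaller points in the same hunk: the staging rules spell a literal `/tmp/` where other profiles in this diff use `@{tmp}`, and `@{PROC}/iomem r,` is granted in both the parent and the `kexec` child.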
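Review bot: In kdump_mem_estimator `@{bin}/uname ix,` is listed twice in the exec block, once before and once after `@{bin}/systemctl Cx -> systemctl,`; drop the second copy. The interpreter line also differs between the three kdump profiles added by this commit — `@{sh_path} r,` here and in kernel-postinst-kdump versus `@{sh_path} mr,` in kdump-tools-init — so pick one form and state the intended mode, since a reader cannot tell whether the `m` was meant or is a leftover.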
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 20be091cc..de95d3c9f 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,6 @@ profile keepassxc @{exec_path} { include include include - include include include include @@ -38,25 +37,26 @@ profile keepassxc @{exec_path} { @{lib}/firefox/firefox rPx, @{open_path} rPx -> child-open, - /usr/share/hwdata/pnp.ids r, /usr/share/keepassxc/{,**} r, /etc/fstab r, + @{bin}/ r, + owner @{HOME}/ r, owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/*.csv rw, - owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int}, - owner @{user_password_store_dirs}/#@{int} rw, + owner @{user_passwordstore_dirs}/ r, + owner @{user_passwordstore_dirs}/*.csv rw, + owner @{user_passwordstore_dirs}/*.kdbx* rwl -> @{user_passwordstore_dirs}/#@{int}, + owner @{user_passwordstore_dirs}/#@{int} rw, owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, - owner @{user_config_dirs}/{,kdedefaults/}kdeglobals r, + owner @{user_config_dirs}/keepassxcrc r, # Database locations owner @{user_cache_dirs}/keepassxc/ rw, 
@@ -74,6 +74,7 @@ profile keepassxc @{exec_path} { owner @{tmp}/keepassxc-*.socket rw, owner @{tmp}/keepassxc.lock rw, owner @{tmp}/keepassxc.socket rw, + owner @{tmp}/runtime-user/ w, owner @{run}/user/@{pid}/app/ w, owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw, @@ -82,16 +83,17 @@ profile keepassxc @{exec_path} { owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w, - @{PROC}/@{pids}/comm r, - @{PROC}/modules r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, + @{PROC}/modules r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/shm/#@{int} rw, /dev/tty rw, - /dev/urandom rw, + /dev/urandom w, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-g-l/keepassxc-cli b/apparmor.d/profiles-g-l/keepassxc-cli index b1d6e0e86..c8e189f4e 100644 --- a/apparmor.d/profiles-g-l/keepassxc-cli +++ b/apparmor.d/profiles-g-l/keepassxc-cli @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index 5e9736108..24a30c56c 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,14 +12,14 @@ profile keepassxc-proxy @{exec_path} { include include - signal (receive) set=(term, kill), - network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + signal receive set=(term, kill) peer=firefox, + @{exec_path} mr, /usr/share/icons/*/index.theme r, 
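Review bot: The context lines `owner @{run}/user/@{pid}/app/ w,` and `owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,` key the runtime directory by `@{pid}`, but `/run/user/` is keyed by uid and the sibling rules a few lines below use `@{run}/user/@{uid}/...`; this looks like a typo that makes the two rules match only when pid happens to equal uid. Not introduced by this commit, but the block is being edited anyway: `owner @{run}/user/@{uid}/app/ w,` and `owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/{,**} rw,`. The new `owner @{tmp}/runtime-user/ w,` would also benefit from a one-line comment naming the Qt/XDG fallback that creates it, so it is not mistaken for a stale rule later.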
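Review bot: `/dev/urandom` goes from `rw` to `w`, which is only correct if read access arrives from an included abstraction (presumably the base abstraction; include names are stripped in this view) — a one-line comment such as `# r comes from the base abstraction; w is for seeding` would stop the next maintainer from restoring `rw`. The flip of `deny owner @{PROC}/@{pid}/cmdline r,` and `deny @{PROC}/sys/kernel/random/boot_id r,` into allows is reasonable for a GUI app, but both were deliberate silencers before; a short note on what broke (or what log noise they hid) belongs in the commit or next to the rules.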
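Review bot: `signal receive set=(term, kill) peer=firefox,` narrows the previous unqualified rule to a single peer, yet this same profile carries Chromium-family rules (`deny /dev/shm/org.chromium.@{rand6} rw,` in the next hunk) and the keepassxc profile in this diff installs native-messaging manifests for chromium, brave and google-chrome; a browser confined under another profile name could then no longer terminate the proxy when the native-messaging host is torn down. If those browsers are confined in this tree, list them, e.g. `peer={firefox,chromium,brave,google-chrome}` with the actual profile names, or keep the unqualified rule and say in a comment why the peer is left open.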
@@ -32,7 +32,7 @@ profile keepassxc-proxy @{exec_path} { # file_inherit deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw, deny owner @{run}/user/@{uid}/kpxc_server rw, - deny /dev/shm/org.chromium.* rw, + deny /dev/shm/org.chromium.@{rand6} rw, deny owner /dev/shm/org.mozilla.ipc.@{int}.@{int} rw, deny owner @{HOME}/.mozilla/** rw, deny owner @{user_cache_dirs}/mozilla/** rw, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel new file mode 100644 index 000000000..c46b5556e --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel 
@@ -0,0 +1,80 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/*
+@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/*
+profile kernel @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/{,m,g}awk rix,
+ @{bin}/cat rix,
+ @{bin}/chmod rix,
+ @{bin}/cut rix,
+ @{bin}/dirname rix,
+ @{bin}/kmod rCx -> kmod,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/rmdir rix,
+ @{bin}/sed rix,
+ @{bin}/sort rix,
+ @{bin}/touch rix,
+ @{bin}/tr rix,
+ @{bin}/uname rix,
+ @{bin}/which{,.debianutils} rix,
+
+ @{bin}/apt-config rPx,
+ @{bin}/bootctl rPx,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/kernel-install rPx,
+ @{bin}/systemd-detect-virt rPx,
+ @{bin}/update-alternatives rPx,
+ @{lib}/dkms/dkms_autoinstaller rPx,
+ @{sbin}/dkms rPx,
+ @{sbin}/update-grub rPx,
+ @{sbin}/update-initramfs rPx,
+
+ @{lib}/modules/*/updates/ w,
+ @{lib}/modules/*/updates/dkms/ w,
+
+ /etc/kernel/header_postinst.d/* r,
+ /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
+
+ # For shell pwd
+ / r,
+ @{efi}/ r,
+
+ /etc/apt/apt.conf.d/ r,
+ /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
+
+ @{run}/reboot-required w,
+ @{run}/reboot-required.pkgs rw,
+
+ @{PROC}/devices r,
+ @{PROC}/cmdline r,
+
+ profile kmod {
+ include
+ include
+
+ capability sys_module,
+
+ @{sys}/module/compression r,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install
index 808528ce7..dede5da41 100644
--- a/apparmor.d/profiles-g-l/kernel-install
+++ b/apparmor.d/profiles-g-l/kernel-install
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
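Review bot: The `kmod` child grants `capability sys_module,` although its only file rule besides the includes is `@{sys}/module/compression r,`, which is what depmod/modinfo-style use needs, not module loading; and because `@{exec_path}` attaches this profile to every script under the four `/etc/kernel/*.d/` hook directories, that capability is inherited by any hook a package later drops there. If some hook really calls `modprobe`, add a why-comment naming it; otherwise drop the capability, as the `kmod` child of kernel-install in this same commit appears to do without it. A comment above the `@{exec_path}` assignments stating that this is a catch-all for unprofiled hooks (more specific profiles such as kernel-postinst-kdump win attachment) would also save the next reader from wondering about the overlap. Minor: `@{bin}/{,m,g}awk` here versus `@{bin}/{m,g,}awk` elsewhere in this diff — same expansion, one spelling would be better.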
@@ -11,21 +11,20 @@ include profile kernel-install @{exec_path} { include include + include include + capability sys_rawio, + capability sys_resource, + + ptrace read peer=@{p_systemd}, + @{exec_path} r, @{sh_path} rix, - - @{bin}/mountpoint rix, - @{bin}/sort rix, - @{bin}/rm rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/chown rix, - @{bin}/chmod rix, - @{bin}/basename rix, - + @{coreutils_path} rix, @{bin}/kmod rCx -> kmod, + @{bin}/mountpoint rix, + @{pager_path} rPx -> child-pager, @{lib}/kernel/install.d/ r, @{lib}/kernel/install.d/@{int2}-*.install rix, @@ -36,27 +35,39 @@ profile kernel-install @{exec_path} { @{lib}/os-release r, /etc/kernel/cmdline r, /etc/kernel/tries r, + /etc/kernel/entry-token r, /etc/machine-id r, /etc/os-release r, /var/lib/dbus/machine-id r, @{lib}/modules/*/modules.* w, - owner /boot/{vmlinuz,initrd.img}-* r, - owner /boot/[a-f0-9]*/*/ rw, - owner /boot/[a-f0-9]*/*/{linux,initrd} w, - owner /boot/loader/ rw, - owner /boot/loader/entries/ rw, - owner /boot/loader/entries/*.conf w, + / r, + + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, + owner @{efi}/{vmlinuz,initrd.img}-* r, + owner @{efi}/loader/ rw, + owner @{efi}/loader/entries/ rw, + owner @{efi}/loader/entries/*.conf w, + + owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, owner @{tmp}/sh-thd.* rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, profile kmod { include include + @{lib}/modules/*/modules.* w, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump new file mode 100644 index 000000000..eb17c5355 --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump 
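Review bot: The `capability sys_rawio,` and `capability sys_resource,` lines added near the top of the kernel-install profile carry no comment saying which kernel-install step needs them, and sys_rawio in particular grants raw device and I/O-port access well beyond writing boot entries under @{efi}. A one-line rationale such as `# sys_rawio/sys_resource: TODO confirm which install.d plugin triggers these` would keep the grant reviewable. The replacement `@{efi}/@{hex32}/** rw,` also drops the `owner` qualifier that the removed `owner /boot/[a-f0-9]*/*/ rw,` rules had; if that is deliberate (ESP ownership on vfat), say so in a comment, otherwise restore `owner`. The profile body continues past the second hunk.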
@@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/postinst.d/kdump-tools +profile kernel-postinst-kdump @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/cp rix, + @{bin}/du rix, + @{bin}/find rix, + @{bin}/kmod rCx -> kmod, + @{bin}/ischroot rPx, + @{bin}/linux-version rPx, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sync rix, + @{bin}/cut rix, + @{sbin}/mkinitramfs rPx, + + / r, + + /etc/initramfs-tools/{,**} r, + + owner /var/lib/kdump/** rw, + + owner /tmp/tmp.@{rand10}/ rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + profile kmod { + include + include + + @{sys}/module/*/ r, + @{sys}/module/*/coresize r, + @{sys}/module/*/holders/ r, + @{sys}/module/*/refcnt r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index f3c7e3b37..70c8b9460 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/kerneloops +@{exec_path} = @{sbin}/kerneloops profile kerneloops @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index e6860c5b9..d9d556879 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet 
@@ -3,15 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include + include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index dc027eae6..09c414430 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/kexec +@{exec_path} = @{sbin}/kexec profile kexec @{exec_path} flags=(complain) { include @@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) { @{exec_path} mr, - owner /boot/{initrd.img,vmlinuz}-* r, + owner @{efi}/{initrd.img,vmlinuz}-* r, @{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/@{int}/{start,end,type} r, diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit new file mode 100644 index 000000000..706a11c10 --- /dev/null +++ b/apparmor.d/profiles-g-l/kinit @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kinit +profile kinit @{exec_path} { + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + #User keytab file + /var/lib/krb5/user/@{uid}/client.keytab r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist new file mode 100644 index 000000000..f21f34295 --- /dev/null +++ b/apparmor.d/profiles-g-l/klist 
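Review bot: In the new kinit profile the credential-cache rules `/tmp/krb5cc_* rwk,` and `/tmp/tkt* rwk,` are not `owner`-qualified, whereas the sibling klist profile explicitly documents why root may read other users' caches (dac_override/dac_read_search). kinit normally writes only the invoking user's cache, so `owner /tmp/krb5cc_* rwk,` would match the least-privilege pattern used elsewhere in this tree; if root creating caches for other principals is a supported use, a comment saying so would justify the wider rule. The `#User keytab file` and `#Credentials cache` comments also lack the `# ` spacing used in the rest of the repository.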
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/klist +profile klist @{exec_path} { + include + include + + #Allow root to list other users' creds cache + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + + #User keytab file + /var/lib/krb5/user/@{uid}/client.keytab rk, + + #Credentials cache + /tmp/krb5cc_* rk, + /tmp/tkt* rk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index ac03c2501..1d67b5678 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_read_search, @@ -28,17 +28,13 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, - @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, @{run}/modprobe.d/{,*.conf} r, - /etc/depmod.d/{,**} r, - /etc/modprobe.d/{,*.conf} r, - /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, @@ -48,7 +44,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build 
@@ -66,14 +62,23 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, - @{PROC}/cmdline r, - @{PROC}/modules r, - /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, deny unix (receive) type=stream, + profile sysctl { + include + + @{sbin}/sysctl mr, + + /etc/sysctl.conf r, + /etc/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 3d8800cc7..9d6c9d1c2 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,11 +30,11 @@ profile kodi @{exec_path} { @{bin}/df rix, @{bin}/dirname rix, @{bin}/find rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mv rix, @{bin}/uname rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/kodi/{,**} r, /usr/share/publicsuffix/* r, @@ -50,7 +50,8 @@ profile kodi @{exec_path} { owner @{HOME}/core w, owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/**/ r, @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r, diff --git a/apparmor.d/profiles-g-l/kodi-xrandr b/apparmor.d/profiles-g-l/kodi-xrandr index 932b869b8..450600d78 100644 --- a/apparmor.d/profiles-g-l/kodi-xrandr +++ b/apparmor.d/profiles-g-l/kodi-xrandr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index 22e087146..f62e9ddf9 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok 
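Review bot: The new `profile sysctl` child in the kmod hunk reads the sysctl configuration files but grants nothing under @{PROC}/sys/, so a `sysctl -p` or `sysctl --system` invoked from kmod would be denied unless the include on its first line (whose target is not legible on this page) supplies it. If the child is only meant to serve read-only queries, a comment such as `# Only read-only sysctl queries are expected here` would make that explicit; otherwise the needed `@{PROC}/sys/**` rules are missing. Moving from `@{bin}/sysctl rPx,` to a local `rCx -> sysctl` is a tighter confinement than the standalone sysctl profile and is worth stating in the commit message.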
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/kvm-ok +@{exec_path} = @{sbin}/kvm-ok profile kvm-ok @{exec_path} { include @@ -20,7 +20,7 @@ profile kvm-ok @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 8fa7552af..ab624f099 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -38,12 +38,11 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, - @{run}/udev/data/+acpi:* r, # for ? + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index a9df8a2b3..47cbb22a2 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo 
@@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/landscape-sysinfo profile landscape-sysinfo @{exec_path} { include + include include include @@ -20,19 +21,24 @@ profile landscape-sysinfo @{exec_path} { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, @{exec_path} mr, - @{bin}/who rix, + @{bin}/who rPx, + + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /var/log/landscape/{,**} rw, + @{run}/systemd/sessions/{,*} r, @{run}/utmp rwk, @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index e33195eb1..056b2d83c 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -2,15 +2,21 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/landscape/landscape-sysinfo.wrapper profile landscape-sysinfo.wrapper @{exec_path} { include + include + + capability dac_override, + capability fowner, + capability fsetid, @{exec_path} mr, + @{python_path} mr, @{sh_path} rix, @{bin}/bc rix, @@ -19,14 +25,16 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/landscape-sysinfo rPx, / r, /etc/default/locale r, - + /var/lib/landscape/landscape-sysinfo.cache rw, + @{run}/motd.dynamic.new w, + @{PROC}/loadavg r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index e77d997c5..3d7383aef 100644 
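Review bot: `capability dac_override,`, `capability fowner,` and `capability fsetid,` are added to landscape-sysinfo.wrapper without a comment naming the operation that needs them; dac_override bypasses all file permission checks and is now the broadest grant in this profile. Presumably they exist for writing `@{run}/motd.dynamic.new` and `/var/lib/landscape/landscape-sysinfo.cache` on behalf of the motd generator, so a comment like `# dac_override/fowner/fsetid: motd cache files are owned by another user - TODO confirm` would help the next reader. `@{python_path} mr,` is likewise unexplained in a shell wrapper; since landscape-sysinfo transitions with rPx, check whether the wrapper itself runs python or whether the rule is a leftover.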
--- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,10 +15,9 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, - /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, include if exists diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last index fd0c403a4..ee40f81af 100644 --- a/apparmor.d/profiles-g-l/last +++ b/apparmor.d/profiles-g-l/last @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 313b34a23..7e4feed45 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,11 +11,22 @@ include profile libreoffice @{exec_path} { include include + include include + include + include + include + include + include + include include include include + include + include + include include + include include include include 
@@ -26,67 +37,93 @@ profile libreoffice @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.libreoffice.LibreOfficeIpc0 + #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions @{exec_path} mr, @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ls rix, @{bin}/paperconf rix, @{bin}/sed rix, @{bin}/uname rix, - @{open_path} rpx -> child-open-browsers, + @{open_path} rPx -> child-open-browsers, - @{bin}/gpgconf rPx, - @{bin}/gpgsm rPx, - @{bin}/gpg rPx, + @{bin}/gpg rPx, + @{bin}/gpgconf rPx, + @{bin}/gpgsm rPx, + @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/lib/** rm, @{lib}/libreoffice/program/javaldx rix, @{lib}/libreoffice/program/oosplash rix, @{lib}/libreoffice/program/soffice.bin rix, - @{lib}/jvm/java*/bin/java rix, - @{lib}/jvm/java*/lib/** rm, + @{lib}/libreoffice/program/xpdfimport rix, - @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, @{lib}/libreoffice/{,**} rm, + @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, + @{lib}/libreoffice/program/{,**/}__pycache__/ w, + @{lib}/libreoffice/share/extensions/{,**/}__pycache__/ w, /usr/share/hyphen/{,**} r, /usr/share/libexttextcat/{,**} r, /usr/share/liblangtag/{,**} r, /usr/share/libreoffice/{,**} r, /usr/share/mythes/{,**} r, + /usr/share/thumbnailers/{,**} r, - /etc/java-openjdk/{,**} r, + /etc/cups/ppd/*.ppd r, + /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, + /etc/papersize r, /etc/paperspecs r, + /etc/xdg/* r, + + /var/tmp/ r, + owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, + + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, + owner @{user_config_dirs}/plasma_workspace.notifyrc r, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/soffice.binrc r, - owner @{tmp}/@{rand6} rwk, - 
owner @{tmp}/*.tmp/{,**} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/user-places.xbel r, + + @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, + owner @{tmp}/@{hex} rw, + owner @{tmp}/@{rand6} rwk, + owner @{tmp}/@{u64} rw, + owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, + + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, @{PROC}/cgroups r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/coredump_filter rw, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light index d4ff8a7d7..6ce5f2f57 100644 --- a/apparmor.d/profiles-g-l/light +++ b/apparmor.d/profiles-g-l/light @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
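Review bot: `@{lib}/libreoffice/program/{,**/}__pycache__/ w,` and the matching `share/extensions` line allow creating bytecode-cache directories under the system install but grant no write to the `.pyc` files inside them, so the rule is either incomplete or pointless; compare the landscape-sysinfo hunk in this same commit, which grants the `.pyc` writes too. For a system path the safer choice is usually to keep it read-only and document the expected denial, e.g. `# __pycache__ writes under @{lib} only happen when run as root; left denied on purpose`. The hunk also widens several temp patterns (`owner @{tmp}/@{hex} rw,`, `owner @{tmp}/@{u64} rw,`) without a note on what creates them; the profile body continues outside the hunk.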
@@ -23,12 +23,14 @@ profile light @{exec_path} { @{sys}/class/backlight/ r, @{sys}/class/leds/ r, - - @{sys}/devices/@{pci}/drm/**/intel_backlight/{,max_}brightness r, - @{sys}/devices/@{pci}/drm/**/intel_backlight/brightness rw, - - @{sys}/devices/@{pci}/backlight/*/{,max_}brightness r, - @{sys}/devices/@{pci}/backlight/*/brightness rw, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/**/leds/**/{,max_,actual_}brightness rw, + @{sys}/devices/**/leds/**/{uevent,type,enabled} r, + @{sys}/devices/**/leds/**/brightness_hw_changed r, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 8e8732c19..60189d911 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,19 +11,12 @@ include profile light-locker @{exec_path} { include include - include - include - include + include include - include include - include @{exec_path} mr, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, @@ -33,6 +26,9 @@ profile light-locker @{exec_path} { @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_device r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/light-locker-command b/apparmor.d/profiles-g-l/light-locker-command index 21daa1853..78e9983b3 100644 --- a/apparmor.d/profiles-g-l/light-locker-command +++ b/apparmor.d/profiles-g-l/light-locker-command 
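Review bot: The new backlight rules in the light hunk grant `rw` to `{,max_,actual_}brightness`, i.e. also to `max_brightness` and `actual_brightness`, which the removed lines kept read-only and which sysfs exposes as read-only attributes; the wider rule only enlarges what a misbehaving light process may attempt. Keep `rw` on `brightness` alone and `r` on the other two, e.g. `@{sys}/devices/@{pci}/*_backlight/brightness rw,` plus `@{sys}/devices/@{pci}/*_backlight/{max_,actual_}brightness r,`, and likewise for the `backlight/**` and `leds/**` lines. The line `@{sys}/devices/@{pci}/backlight/**/brightness rw,` is already covered by the `{,max_,actual_}brightness rw` line two above it and can be dropped.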
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lightworks b/apparmor.d/profiles-g-l/lightworks index f2e6c74cf..6462a0b6c 100644 --- a/apparmor.d/profiles-g-l/lightworks +++ b/apparmor.d/profiles-g-l/lightworks @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lightworks-ntcardvt b/apparmor.d/profiles-g-l/lightworks-ntcardvt index b4dc21398..941798245 100644 --- a/apparmor.d/profiles-g-l/lightworks-ntcardvt +++ b/apparmor.d/profiles-g-l/lightworks-ntcardvt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid deleted file mode 100644 index 615f51b62..000000000 --- a/apparmor.d/profiles-g-l/linssid +++ /dev/null 
@@ -1,113 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/linssid @{bin}/linssid-pkexec
-profile linssid @{exec_path} {
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
-
- # For reading/saving config/log files when linssid is started via pkexec
- #capability dac_read_search,
- #capability dac_override,
-
- # Needed?
- deny capability sys_admin,
- deny capability sys_nice,
-
- @{exec_path} mr,
-
- @{sh_path} rix,
- @{bin}/cat rix,
-
- # When linssid is run as root, it wants to exec dbus-launch, and hence it creates the two
- # following root processes:
- # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
- # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
- #
- # Should this be allowed? Linssid works fine without this.
- #@{bin}/dbus-launch rCx -> dbus,
- #@{bin}/dbus-send rCx -> dbus,
- deny @{bin}/dbus-launch rx,
- deny @{bin}/dbus-send rx,
-
- @{bin}/iw rCx -> iw,
- @{bin}/pkexec rPx,
-
- # For regular run as root user
- owner @{HOME}/.linssid.prefs rw,
- owner @{HOME}/LinSSID.datalog rw,
- # For pkexec
- #@{HOME}/.linssid.prefs rw,
- #@{HOME}/LinSSID.datalog rw,
-
- /usr/share/linssid/{,*} r,
-
- /usr/share/hwdata/pnp.ids r,
-
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/net/wireless r,
- owner @{PROC}/@{pid}/cmdline r,
-
- owner @{tmp}/runtime-root/ rw,
- owner @{tmp}/linssid_* rw,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # For shell pwd
- /root/ r,
-
- # file_inherit
- owner /dev/tty@{int} rw,
-
-
- profile iw {
- include
-
- capability net_admin,
- deny capability sys_module,
-
- network netlink raw,
-
- @{bin}/iw mr,
-
- # file_inherit
- owner @{HOME}/.linssid.prefs rw,
- owner @{HOME}/LinSSID.datalog rw,
- owner @{tmp}/linssid_* rw,
- owner /dev/dri/card@{int} rw,
-
- }
-
- profile dbus {
- include
- include
-
- @{bin}/dbus-launch mr,
- @{bin}/dbus-send mr,
- @{bin}/dbus-daemon rPUx,
-
- # for dbus-launch
- owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
-
- @{HOME}/.Xauthority r,
- }
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal
index 41813c1a1..f2895299f 100644
--- a/apparmor.d/profiles-g-l/linux-check-removal
+++ b/apparmor.d/profiles-g-l/linux-check-removal
@@ -3,50 +3,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/linux-check-removal -profile linux-check-removal @{exec_path} flags=(complain) { +profile linux-check-removal @{exec_path} { include - include - include + include - @{exec_path} r, - @{bin}/perl r, + @{exec_path} rmix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{bin}/stty rix, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/linux-check-removal rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - } + /etc/shadow r, include if exists } diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks new file mode 100644 index 000000000..b97a0305b --- /dev/null +++ b/apparmor.d/profiles-g-l/linux-update-symlinks @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/linux-update-symlinks +profile linux-update-symlinks @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/kernel-img.conf r, + + @{efi}/ r, + @{efi}/* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index 998c48780..c718b6495 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version 
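Review bot: `/etc/shadow r,` is added to linux-check-removal in the same hunk that moves the profile from complain to enforce mode, with no comment on why a kernel-removal check needs the password hash database; it is now the most sensitive grant in the profile. If the read is a side effect of a library lookup rather than something the script uses, the usual pattern in this tree is to quiet it instead, e.g. `deny /etc/shadow r,  # TODO confirm: triggered by ...`; otherwise document the reason on the line. The hunk spans the whole profile body, so there is nothing outside it that would explain the grant.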
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,9 +14,8 @@ profile linux-version @{exec_path} { include @{exec_path} r, - @{bin}/perl r, - /boot/ r, + @{efi}/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq new file mode 100644 index 000000000..ff2ffe6b8 --- /dev/null +++ b/apparmor.d/profiles-g-l/linuxqq @@ -0,0 +1,50 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = QQ +@{domain} = org.chromium.Chromium +@{lib_dirs} = /opt/QQ/ +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq +profile linuxqq @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, + + @{exec_path} mrix, + + @{sh_path} r, + @{bin}/{,e}grep rix, + @{lib_dirs}/chrome_crashpad_handler ix, + @{lib_dirs}/resources/app/{,**} m, + @{open_path} rPx -> child-open-strict, + + /etc/machine-id r, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp r, + + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/mounts r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/localepurge b/apparmor.d/profiles-g-l/localepurge index 30018bf00..f6781f4b1 100644 --- a/apparmor.d/profiles-g-l/localepurge +++ b/apparmor.d/profiles-g-l/localepurge @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/localsend b/apparmor.d/profiles-g-l/localsend new file mode 100644 index 000000000..ad2e23fc6 --- /dev/null +++ b/apparmor.d/profiles-g-l/localsend 
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/localsend +profile localsend @{exec_path} { + include + include + include + include + include + include + +# --system-talk-name=org.freedesktop.NetworkManager +# - --system-talk-name=org.freedesktop.hostname1 +# --talk-name=org.kde.StatusNotifierWatcher + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 6004b8a35..781a01a27 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/logrotate +@{exec_path} = @{sbin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include @@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, - signal (send) set=(hup), - signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, + signal send set=hup, + signal send set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, @@ -30,9 +30,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, - @{bin}/invoke-rc.d rix, + @{sbin}/invoke-rc.d rix, @{bin}/kill rix, @{bin}/ls rix, @{bin}/setfacl rix, 
@@ -50,19 +50,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{bin}/squid rPUx, @{bin}/pgrep rCx -> pgrep, - - # no new privs - #@{bin}/systemctl rCx -> systemctl, - @{bin}/systemctl rix, - @{bin}/runlevel rix, - include - ptrace (read), - capability sys_ptrace, - owner @{PROC}/@{pid}/stat r, - @{PROC}/1/environ r, - @{PROC}/1/sched r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, + @{bin}/systemctl rCx -> systemctl, /etc/ r, @{etc_ro}/logrotate.conf rk, @@ -92,13 +80,22 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=KillUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + + @{run}/utmp rk, + include if exists } profile pgrep { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/low-memory-monitor b/apparmor.d/profiles-g-l/low-memory-monitor index 4471dbd2e..e2baa4a26 100644 --- a/apparmor.d/profiles-g-l/low-memory-monitor +++ b/apparmor.d/profiles-g-l/low-memory-monitor @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release new file mode 100644 index 000000000..5214632dc --- /dev/null +++ b/apparmor.d/profiles-g-l/lsb-release 
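Review bot: The `dbus send ... member=KillUnit` rule added to the systemctl child (whose `profile systemctl {` header is above the hunk) lets logrotate signal any systemd unit, which is what `systemctl kill` in a postrotate script needs, but nothing records which rotation config triggered it. A comment such as `# for 'systemctl kill -s HUP <unit>' in postrotate scripts` on the dbus rule would make the grant reviewable; the `label="@{p_systemd}"` peer and the new `ptrace read peer=@{p_systemd},` already scope it to systemd itself. The earlier hunk's move from `@{bin}/systemctl rix,` to `rCx -> systemctl` is the right direction since it drops the inline sys_ptrace/ptrace grants from the main profile.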
@@ -0,0 +1,47 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that +# does attach @{bin}/lsb_release. + +abi , + +include + +@{exec_path} = @{bin}/lsb_release +profile lsb-release @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/ r, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/getopt rix, + @{bin}/head rix, + @{bin}/sed rix, + @{bin}/tr rix, + + #aa:only apt + @{bin}/dpkg-query px, + + @{etc_ro}/ r, + @{etc_ro}/*-release r, + @{etc_ro}/lsb-release r, + @{etc_ro}/lsb-release.d/{,*} r, + + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** r, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsinitramfs b/apparmor.d/profiles-g-l/lsinitramfs index e5b6ff750..2e3a20ad0 100644 --- a/apparmor.d/profiles-g-l/lsinitramfs +++ b/apparmor.d/profiles-g-l/lsinitramfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance index a400ef80c..a7c3a2177 100644 --- a/apparmor.d/profiles-g-l/lxappearance +++ b/apparmor.d/profiles-g-l/lxappearance 
@@ -3,66 +3,38 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/lxappearance profile lxappearance @{exec_path} { include - include - include - include - include + include @{exec_path} mr, - # When lxappearance is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Lxappearance works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, + @{bin}/dbus-launch Cx -> bus, + @{bin}/dbus-send Cx -> bus, /usr/share/lxappearance/{,**} r, - owner @{HOME}/.themes/{,**} r, - owner @{HOME}/.icons/{,**} rw, - - owner @{HOME}/.gtkrc-2.0{,.*} rw, - owner @{user_config_dirs}/gtk-3.0/settings.ini{,.*} rw, - - /etc/X11/cursors/*.theme r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, - # file_inherit + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner /dev/tty@{int} rw, - - profile dbus { + profile bus { include - include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index 143472569..a9613e7c1 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
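Review bot: The hunk reverses the earlier explicit `deny @{bin}/dbus-launch rx` / `deny @{bin}/dbus-send rx` (whose comment said lxappearance works fine without them) by granting `Cx -> bus`, but the reason for the reversal is not recorded and the `bus` child is now only an include whose target is not visible here. I would add a one-line rationale above the two `Cx` rules, e.g. `# dbus-launch/dbus-send are used when run as root without a session bus; see the bus child profile`, so the next reader does not re-add the deny. The removed `owner @{HOME}/.themes`, `.icons rw`, `.gtkrc-2.0 rw` and `gtk-3.0/settings.ini rw` rules are the program's core write targets; presumably they moved into the new include at the top of the profile, which is worth confirming since the hunk does not show it.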
@@ -23,7 +23,7 @@ profile lynx @{exec_path} { @{exec_path} mr, @{sh_path} rix, - + /usr/share/terminfo/{,**} r, /usr/share/doc/lynx-common/** r, @@ -33,8 +33,7 @@ profile lynx @{exec_path} { /etc/mailcap r, /etc/mime.types r, - owner @{tmp}/lynxXXXX*/ rw, - owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw, + owner @{tmp}/lynxXXXX*/{,**} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks new file mode 100644 index 000000000..89a57310f --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-hooks 
@@ -0,0 +1,97 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** +profile initramfs-hooks @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/cpio ix, + @{bin}/dpkg Px, + @{bin}/fc-cache ix, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox ix, + @{lib}/klibc/bin/fstype ix, + @{sbin}/blkid Px, + @{sbin}/cryptsetup PUx, + @{sbin}/dmsetup Px, + @{sbin}/iucode_tool ix, + /usr/share/mdadm/mkconf Px, + + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/ r, + @{lib}/** mr, + + /usr/share/*/initramfs/{,**} r, + /usr/share/initramfs-tools/{,**} r, + /usr/share/plymouth/{,**} r, + + /etc/console-setup/{,**} r, + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/* r, + /etc/fstab r, + /etc/iscsi/*.iscsi r, + /etc/lvm/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/systemd/network/{,**} r, + /etc/udev/{,**} r, + + / r, + @{efi}/config-* r, + + /var/tmp/ r, + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + + @{PROC}/@{pid}/mounts r, + @{PROC}/cmdline r, + @{PROC}/swaps r, + + 
profile ldd { + include + include + include + + @{bin}/* mr, + @{sbin}/* mr, + + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts new file mode 100644 index 000000000..d280c145a --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** +profile initramfs-scripts @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{sbin}/blkid Px, + @{bin}/dd ix, + @{bin}/debconf-escape Px, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox Px, + /usr/share/mdadm/mkconf Px, + + /usr/share/initramfs-tools/{,**} r, + + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/console-setup r, + /etc/fstab r, + /etc/initramfs-tools/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/udev/rules.d/{,**} r, + + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/macchanger b/apparmor.d/profiles-m-r/macchanger index 8f4efc921..c3e0c0556 100644 --- a/apparmor.d/profiles-m-r/macchanger +++ b/apparmor.d/profiles-m-r/macchanger @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
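Review bot: `/var/tmp/modules_@{rand6} rw` is the one temporary-file rule in initramfs-hooks without `owner`, while every neighbouring `mkinitramfs_@{rand6}` rule carries it; since these hooks run as root during initramfs generation and `/var/tmp` is world-writable, the `owner` qualifier is what prevents writing into a file pre-placed there by another user. I would align it: `owner /var/tmp/modules_@{rand6} rw,` (and the matching `/tmp/tmp.@{rand10}/modules_@{rand6}` rule already has `owner`). The `@{sbin}/cryptsetup PUx` fallback means cryptsetup runs unconfined when no profile for it is loaded, which is presumably intended but deserves a `# PUx: no cryptsetup profile yet` note. This hunk begins in the previous chunk.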
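Review bot: initramfs-scripts transitions busybox with `@{lib}/initramfs-tools/bin/busybox Px`, whereas the sibling initramfs-hooks profile in this same change runs the same binary with `ix`; `Px` requires a profile attached to that path, and none is added here, so if no such profile exists the exec is denied rather than falling back. Either make the two profiles agree, `@{lib}/initramfs-tools/bin/busybox ix,`, or add the busybox profile the `Px` expects. The `ldd` child here is tighter than the one in initramfs-hooks (`@{bin}/ldd mr` instead of `@{bin}/* mr`), which is fine but worth a short comment so the asymmetry is not "fixed" later.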
diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index aa0195853..c60325742 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index beeba50e8..551a6fec0 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/mandb -profile mandb @{exec_path} flags=(complain) { +profile mandb @{exec_path} { include include include @@ -17,12 +17,11 @@ profile mandb @{exec_path} flags=(complain) { @{exec_path} mr, + @{bin}/bzip2 rix, + /etc/man_db.conf r, /etc/manpath.config r, - /var/cache/man/ r, - /var/cache/man/** rwk, - /usr/share/man/{,**} r, /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, @@ -30,7 +29,10 @@ profile mandb @{exec_path} flags=(complain) { /usr/{,share/}man/{,**} r, /usr/local/{,share/}man/{,**} r, - /usr/share/**/man/man@{int}/*.@{int}.gz r, + /usr/share/**/man/man@{u8}/*.@{int}.gz r, + + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, owner @{user_share_dirs}/man/** rwk, diff --git a/apparmor.d/profiles-m-r/mate-notification-daemon b/apparmor.d/profiles-m-r/mate-notification-daemon index 871434151..19b0c7fba 100644 --- a/apparmor.d/profiles-m-r/mate-notification-daemon +++ b/apparmor.d/profiles-m-r/mate-notification-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm new file mode 100644 index 000000000..b0397eb8d --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm 
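Review bot: mandb loses `flags=(complain)` in the same hunk that narrows `/var/cache/man/` and `/var/cache/man/**` to `owner`, so any invocation whose effective uid differs from the cache owner goes from a logged to a hard denial. On Debian-style installs the cache is typically owned by the `man` user and mandb is run both as that user and from root-driven package triggers; I cannot tell from the hunk which applies, so I would keep complain for one release or verify the apt trigger and the cron/timer path under enforce before merging. A `# cache is owned by the man user; mandb must run as that user` comment above the `owner` rules would document the assumption.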
@@ -0,0 +1,57 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/mdadm +profile mdadm @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability dac_read_search, + capability sys_admin, + capability mknod, + capability net_admin, + + network netlink raw, + + mqueue (read getattr) type=posix /, + + @{exec_path} mr, + + @{sh_path} rix, + @{sbin}/sendmail rPUx, + + /etc/{,mdadm/}mdadm.conf r, + /etc/{,mdadm/}mdadm.conf.d/* r, + + @{run}/initctl r, + @{run}/mdadm/* rwk, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + @{sys}/bus/pci/drivers/*/ r, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/@{pci}/device r, + @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/virtual/block/md*/** rw, + @{sys}/module/md_mod/** rw, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/cmdline r, + @{PROC}/kcore r, + @{PROC}/partitions r, + @{PROC}/mdstat rw, + + /dev/**/ r, + /dev/.tmp.md.* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf new file mode 100644 index 000000000..120138905 --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/mdadm/mkconf +profile mdadm-mkconf @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/date ix, + @{bin}/cat ix, + @{bin}/sed ix, + @{sbin}/mdadm Px, + + /etc/default/mdadm r, + /etc/mdadm/mdadm.conf r, + + / r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + include if exists +} + +# vim:syntax=apparmor 
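Review bot: The new mdadm profile grants `@{PROC}/kcore r`; /proc/kcore is a read interface to the whole of kernel memory, and nothing else in the profile (superblock reads via `/dev/**/`, `@{PROC}/mdstat`, `@{PROC}/partitions`) suggests mdadm needs it. Unless it is backed by a concrete denial log, I would drop the rule or at least annotate it with the reproducer, e.g. `# kcore: seen when ... ; confirm`, because for a root daemon the profile is the only thing keeping kernel memory out of reach. `@{sys}/module/md_mod/** rw` and `@{sys}/devices/virtual/block/md*/** rw` are broad but in scope for an array manager.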
diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index a2631c768..408947c83 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -2,13 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include + include @{exec_path} mr, @@ -18,8 +19,6 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo index bb7c2d59b..c3333b860 100644 --- a/apparmor.d/profiles-m-r/mediainfo +++ b/apparmor.d/profiles-m-r/mediainfo @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 4648d4ddf..5a723d002 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,29 +19,7 @@ profile mediainfo-gui @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - @{lib}/firefox/firefox rPx, - - owner @{HOME}/ r, - owner @{run}/user/@{uid}/ r, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + @{open_path} rPx -> child-open-browsers, include if exists } diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 236041778..3796c2b75 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/memtester b/apparmor.d/profiles-m-r/memtester index 506892f0e..aeb26d004 100644 --- a/apparmor.d/profiles-m-r/memtester +++ b/apparmor.d/profiles-m-r/memtester @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor index 739d18e2f..e43460210 100644 --- a/apparmor.d/profiles-m-r/merkaartor +++ b/apparmor.d/profiles-m-r/merkaartor @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 142ccb78a..808427d85 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner 
@@ -2,46 +2,40 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/metadata-cleaner profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include include include include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{bin}/bwrap rCx -> bwrap, - @{open_path} rPx -> child-open-help, + @{bin}/bwrap Cx -> bwrap, + @{open_path} Px -> child-open-help, - /usr/share/metadata-cleaner/{,**} r, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, - /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, /etc/mime.types r, - owner @{tmp}/@{hex64}.png r, - owner @{tmp}/@{hex64}.png w, + owner @{tmp}/@{hex64}.* rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/tmp@{rand4}_*/{,**} rw, - owner @{tmp}/tmp@{rand8}/{,**} rw, + owner @{tmp}/tmp@{word8} rw, + owner @{tmp}/tmp@{word8}/{,**} rw, @{run}/mount/utab r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, @@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=metadata-cleaner, + signal receive set=(kill) peer=metadata-cleaner, @{bin}/bwrap mr, @{bin}/vendor_perl/exiftool rix, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index da56703c3..32950dbc4 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype 
@@ -3,30 +3,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/mimetype +@{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include + include include @{exec_path} r, - /usr/bin/perl r, - - /usr/share/mime/**.xml r, - /usr/share/mime/globs r, - /usr/share/mime/aliases r, - /usr/share/mime/magic r, - - owner @{user_share_dirs}/mime/**.xml r, - owner @{user_share_dirs}/mime/globs r, - owner @{user_share_dirs}/mime/aliases r, - owner @{user_share_dirs}/mime/magic r, # To read files - /** r, + owner /** r, #aa:lint ignore=too-wide include if exists } diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 4d4d26655..ce8380261 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,9 +30,7 @@ profile minitube @{exec_path} { @{exec_path} mr, - # Be able to turn off the screensaver while playing movies - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver rPx, @{open_path} rPx -> child-open, /usr/share/minitube/{,**} r, @@ -69,31 +67,6 @@ profile minitube @{exec_path} { /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index 267fb9d1a..bf6c55093 100644 --- a/apparmor.d/profiles-m-r/mission-control 
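Review bot: Replacing `/** r` with `owner /** r` (with the `too-wide` lint suppressed) only helps when mimetype runs as an unprivileged user; run as root, `owner` matches every root-owned file, which includes the shadow files and private keys under /etc, so the rule is still effectively unrestricted for the root case. If that is acceptable for a file-type probe, say so in the comment, e.g. `# To read files: owner limits nothing when run as root`; otherwise an explicit `deny @{etc_ro}/{,g}shadow{,-} r,` alongside it would close the obvious hole, unless an included abstraction already does. The widened `@{exec_path}` to `@{bin}/*_perl/mimetype` is fine.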
+++ b/apparmor.d/profiles-m-r/mission-control @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,21 +10,22 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include + include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, owner @{user_share_dirs}/telepathy/mission-control/*.cfg* rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, + owner @{user_cache_dirs}/.mc_connections rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mkcert b/apparmor.d/profiles-m-r/mkcert new file mode 100644 index 000000000..3ae643e1d --- /dev/null +++ b/apparmor.d/profiles-m-r/mkcert @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mkcert +profile mkcert @{exec_path} { + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{bin}/certutil rix, + @{bin}/rm rix, + @{bin}/sudo rix, + @{bin}/tee rix, + @{bin}/trust rix, + @{bin}/update-ca-trust rPx, + + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db{,-journal} rwk, + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + owner @{user_share_dirs}/mkcert/{,**} rw, + + owner @{PROC}/@{pids}//cgroup r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 692d79184..d94e5aa44 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs 
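Review bot: The new mkcert profile runs `@{bin}/sudo rix`, so sudo and everything it launches as root (`tee`, `trust`, `certutil` are all `rix`) execute under the mkcert label rather than under their own profiles, yet there is no rule permitting the write into the system CA directory that `mkcert -install` performs through `sudo tee`. Since this repository ships a sudo profile, `@{bin}/sudo rPx,` looks like the intended transition; if `rix` is deliberate, the destination path rule is still missing unless an abstraction I cannot see covers it. Separately, `owner @{PROC}/@{pids}//cgroup r,` has a doubled slash and `@{pids}` where `owner` implies the process itself; `owner @{PROC}/@{pid}/cgroup r,` is the conventional spelling even if the parser collapses the slashes.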
+++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -4,11 +4,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/mkinitramfs +@{exec_path} = @{sbin}/mkinitramfs profile mkinitramfs @{exec_path} { include include @@ -19,11 +19,10 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/ r, - @{lib}/ r, - @{lib}64/ r, + @{bin}/ r, + @{lib}/ r, @{bin}/{,e}grep rix, @{bin}/basename rix, @@ -34,6 +33,7 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, + @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, @@ -43,36 +43,43 @@ profile mkinitramfs @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, @{bin}/sort rix, + @{bin}/stat rix, @{bin}/touch rix, @{bin}/tr rix, @{bin}/tsort rix, + @{bin}/uname rix, + @{bin}/uniq rix, @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, @{lib}/dracut/dracut-install rix, + @{sbin}/blkid rPx, - @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, - @{bin}/ldconfig rCx -> ldconfig, + @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, + @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - # What to do with it? (#FIXME#) - /usr/share/initramfs-tools/hooks/* rPUx, - /usr/share/initramfs-tools/scripts/*/* rPUx, - /etc/initramfs-tools/hooks/* rPUx, - /etc/initramfs-tools/scripts/*/* rPUx, + @{lib}/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/scripts/** rPx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, + /etc/xattr.conf r, + # For shell pwd / r, /etc/ r, 
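Review bot: The new `@{lib}/initramfs-tools/hooks/** rPx,` has no profile to transition to: the initramfs-hooks profile added in this change attaches only to `/usr/share/initramfs-tools/hooks/**` and `/etc/initramfs-tools/hooks/**`, so with `Px` (no unconfined fallback) any hook living under `@{lib}` would be denied execution. Either add `@{lib}/initramfs-tools/hooks/**` to that profile's `@{exec_path}` or drop the rule if no such hooks exist. Replacing the old `rPUx` with `rPx` for the share and etc paths is the right direction since it removes the unconfined fallback that the old `#FIXME#` comment flagged.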
@@ -80,34 +87,61 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, - /boot/ r, - owner /boot/initrd.img-*.new rw, - owner /boot/config-* r, + @{efi}/ r, + owner @{efi}/config-* r, + owner @{efi}/initrd.img-*.new rw, - /var/tmp/ r, - owner /var/tmp/mkinitramfs_*/ rw, - owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**, - /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, - owner /var/tmp/mkinitramfs-* rw, + owner /var/lib/kdump/initramfs-tools/** rw, + owner /var/lib/kdump/initrd.* rw, - owner @{PROC}/@{pid}/fd/ r, + /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, + /var/tmp/modules_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6}/ rw, + /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + /var/tmp/mkinitramfs-@{rand6} rw, + /var/tmp/mkinitramfs-*_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + + @{sys}/bus/ r, + @{sys}/bus/*/drivers/ r, + @{sys}/devices/ r, + @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, + @{sys}/devices/**/uevent r, + @{sys}/module/compression r, + @{sys}/module/firmware_class/parameters/path r, + @{sys}/class/ r, + @{sys}/class/*/ r, + + @{sys}/bus/platform/drivers/simple-framebuffer/ r, + + @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/modules r, + owner @{PROC}/@{pid}/fd/ r, profile ldd { include include include - @{bin}/ldd mr, - - @{sh_path} rix, - @{bin}/kmod mr, - @{lib}/initramfs-tools/bin/* mr, - + @{sh_path} rix, @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-*.so{,.2} rix, + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/** mr, + include if exists } 
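Review bot: The rewritten `/var/tmp` rules drop the `owner` qualifier that the old `owner /var/tmp/mkinitramfs_*/...` rules had and that the parallel `/tmp/tmp.@{rand10}/...` rules in the same hunk keep; mkinitramfs creates these directories with mktemp as the invoking user, so `owner` should hold and losing it widens a root process's reach into a world-writable directory. `/var/tmp/mkinitramfs_@{rand6}/** w,` is also fully subsumed by the `... ** rwl -> ...` rule two lines below it. I would restore `owner` on the `/var/tmp/mkinitramfs_@{rand6}` and `modules_@{rand6}` rules and delete the redundant `w` line; the ldd child's `@{bin}/* mr, @{sbin}/* mr, @{lib}/** mr` is broad but expected for a loader probe.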
@@ -117,55 +151,34 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - @{bin}/ldconfig mr, + @{sbin}/ldconfig mr, @{sh_path} rix, - @{bin}/ldconfig.real rix, + @{sbin}/ldconfig.real rix, - owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r, - owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r, - - owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r, - owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r, - owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw, - owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw, - - owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw, - - owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw, - owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, include if exists } - profile find { - include - include - - @{bin}/find mr, - - # pwd dir - / r, - /etc/ r, - /root/ r, - - /usr/share/initramfs-tools/scripts/{,**/} r, - /etc/initramfs-tools/scripts/{,**/} r, - - owner /var/tmp/mkinitramfs_*/{,**/} r, - - include if exists - } - profile kmod { include include - owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r, - owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw, - owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/updates/{,**} r, - owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r, - owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, + owner 
/tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r, + + @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi new file mode 100644 index 000000000..f6489a501 --- /dev/null +++ b/apparmor.d/profiles-m-r/mkosi @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is large on purpose: +# - It is required to have a profile for mkosi to allow userns. +# - Mkosi uses a lot of different binaries and scripts inside sandbox. +# - Using the unconfined flag would Pix everything, we do not want that as the +# transitioned profile would have to account for mkosi paths too. + +abi , + +include + +@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi +profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + + all, + userns, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index 22251b87e..a13a22e7ed 100644 --- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 595a24666..4e0ace19a 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui 
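Review bot: The kmod child's new `/tmp/tmp.@{rand10}/usr/lib/modules/...` rules omit the `mkinitramfs_@{rand6}/` path component that every other `/tmp/tmp.@{rand10}` rule in this file (main profile and the ldconfig child) includes, so either they will never match or they cover a layout the rest of the profile does not know about. If the modules tree lives inside the mktemp work directory as elsewhere, the rules should read `owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,` and so on for the four lines. This hunk starts in the middle of the ldconfig child, whose header is outside the chunk.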
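Review bot: The mkosi profile grants `all, userns,` and attaches to `@{user_share_dirs}/pipx/venvs/*/bin/mkosi`, a path any unprivileged user controls; on a system that restricts unprivileged user namespaces to profiles carrying `userns`, this lets any user obtain unrestricted userns (plus every other permission) simply by dropping a binary at that path, which defeats the restriction the header comment says the profile exists to satisfy. If that trade-off is accepted, the header should state it, e.g. `# Attaching to a home path means any user can get userns by placing a file there`; otherwise attach only to `@{bin}/mkosi` or move the pipx path behind a local override. The `flags=(attach_disconnected,mediate_deleted)` choice looks consistent with a sandboxing tool.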
@@ -3,26 +3,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { include - include + include include - include - include - include - include + include include - include include include + include include include - include signal (send) set=(term, kill) peer=mkvmerge, diff --git a/apparmor.d/profiles-m-r/mlocate b/apparmor.d/profiles-m-r/mlocate index 08fdee129..f54b2f047 100644 --- a/apparmor.d/profiles-m-r/mlocate +++ b/apparmor.d/profiles-m-r/mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 29125f192..90bf73cf3 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,9 +17,9 @@ profile modprobed-db @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/cut rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/getent rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logname rix, @{bin}/md5sum rix, @{bin}/rm rix, @@ -28,9 +28,10 @@ profile modprobed-db @{exec_path} { @{bin}/uniq rix, @{bin}/wc rix, + /usr/share/modprobed-db/** r, /usr/share/terminfo/** r, - owner @{user_config_dirs}/modprobed-db.conf r, + owner @{user_config_dirs}/modprobed-db.conf rw, owner @{user_config_dirs}/modprobed.db rw, owner @{tmp}/.inmem rw, diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard index d75a5092b..281be7e0d 100644 --- a/apparmor.d/profiles-m-r/molly-guard +++ b/apparmor.d/profiles-m-r/molly-guard @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -36,7 +36,7 @@ profile molly-guard @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index cb220a7b6..6cbef400b 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -3,17 +3,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include - include - include - include + include include + include + include + include capability net_admin, capability chown, 
@@ -28,80 +29,76 @@ profile monitorix @{exec_path} { network inet stream, network inet6 stream, - ptrace (read), + ptrace read, - signal (receive) set=(hup) peer=logroate, + signal receive set=(hup) peer=logroate, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/df rix, - @{bin}/cat rix, - @{bin}/tail rix, - @{bin}/{m,g,}awk rix, - @{bin}/free rix, - @{bin}/ss rix, - @{bin}/who rix, - @{bin}/lvm rix, - @{bin}/xtables-nft-multi rix, - @{bin}/sensors rix, - @{bin}/getconf rix, - @{bin}/ps rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/df ix, + @{bin}/free ix, + @{bin}/getconf ix, + @{bin}/ps Px, + @{bin}/sensors Px, + @{bin}/tail ix, + @{bin}/who Px, + @{sbin}/lvm Px, + @{sbin}/ss Px, + @{sbin}/xtables-nft-multi ix, - /etc/monitorix/monitorix.conf r, - /etc/monitorix/conf.d/ r, - /etc/monitorix/conf.d/@{int2}-*.conf r, + /var/lib/monitorix/www/cgi/monitorix.cgi ix, + + /etc/monitorix/{,**} r, + + /var/lib/monitorix/ rw, + /var/lib/monitorix/** rwk, /var/log/monitorix w, /var/log/monitorix-* w, - owner @{run}/monitorix.pid w, - - /var/lib/monitorix/*.rrd* rwk, - /var/lib/monitorix/www/** rw, - /var/lib/monitorix/www/cgi/monitorix.cgi rwix, + /srv/http/monitorix/ rw, + /srv/http/monitorix/** rwk, / r, /tmp/ r, - /etc/shadow r, - /dev/tty r, + owner @{run}/monitorix.pid w, @{run}/utmp rk, - @{PROC}/ r, - @{PROC}/swaps r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/uptime r, - @{PROC}/interrupts r, - @{PROC}/sys/fs/dentry-state r, - @{PROC}/sys/fs/file-nr r, - @{PROC}/sys/fs/inode-nr r, - @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/dev r, - owner @{PROC}/@{pid}/net/ip_tables_names r, - owner @{PROC}/@{pid}/net/ip6_tables_names r, - @{PROC}/@{pid}/net/udp{,6} r, - @{PROC}/@{pid}/net/tcp{,6} r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - 
@{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/io r, - @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, - /etc/sensors3.conf r, - /etc/sensors.d/ r, + @{PROC}/ r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, + @{PROC}/diskstats r, + @{PROC}/interrupts r, + @{PROC}/loadavg r, + @{PROC}/swaps r, + @{PROC}/sys/fs/dentry-state r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inode-nr r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/net/ip_tables_names r, + owner @{PROC}/@{pid}/net/ip6_tables_names r, include if exists } diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index e010a83d7..bdaafd9c8 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd new file mode 100644 index 000000000..de742b2c9 --- /dev/null +++ b/apparmor.d/profiles-m-r/motd 
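Review bot: The rewritten `signal receive set=(hup) peer=logroate,` keeps the misspelled peer label from the old line, so no profile named `logroate` will ever send it and the HUP from logrotate's postrotate is still denied; it should be `signal receive set=(hup) peer=logrotate,`. Dropping `/etc/shadow r` and `/dev/tty r` is a welcome tightening. Note that `/var/lib/monitorix/** rwk` together with `/var/lib/monitorix/www/cgi/monitorix.cgi ix` still lets the daemon execute, under its own label, a file it can also write, which a `# cgi is shipped under /var/lib; write access is for the rrd/www data next to it` comment would at least make explicit. This hunk begins in the previous chunk.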
@@ -0,0 +1,102 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/update-motd.d/*
+profile motd @{exec_path} {
+ include
+ include
+ include
+
+ capability net_admin,
+
+ network inet6 stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+ @{bin}/ r,
+
+ @{sh_path} rix,
+ @{coreutils_path} rix,
+ @{bin}/cloud-id rix,
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/hostname rPx,
+ @{bin}/snap rPx,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/systemd-detect-virt rPx,
+ @{bin}/wget rCx -> wget,
+
+ @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
+ @{lib}/update-notifier/update-motd-fsck-at-reboot rPx,
+ @{lib}/update-notifier/update-motd-reboot-required rix,
+ /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,
+ /usr/share/update-notifier/notify-updates-outdated rPx,
+
+ / r,
+ /etc/cloud/cloud.cfg r,
+ /etc/cloud/cloud.cfg.d/{,*} r,
+ /etc/default/motd-news r,
+ /etc/lsb-release r,
+ /etc/update-motd.d/* r,
+ /etc/wgetrc r,
+
+ /var/cache/motd-news rw,
+ /var/lib/update-notifier/updates-available r,
+ /var/lib/ubuntu-advantage/messages/motd-esm-announce r,
+ /var/lib/cloud/instances/nocloud/cloud-config.txt r,
+
+ /tmp/tmp.@{rand10} rw,
+
+ @{run}/cloud-init/cloud.cfg r,
+ @{run}/motd.d/{,*} r,
+ @{run}/motd.dynamic.new rw,
+ @{run}/reboot-required r,
+
+ @{PROC}/@{pids}/mounts r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+
+ /dev/tty@{int} rw,
+
+ profile wget {
+ include
+ include
+ include
+
+ capability net_admin,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ @{bin}/wget mr,
+
+ /etc/wgetrc r,
+
+ /tmp/tmp.@{rand10} rw,
+
+ include if exists
+ }
+
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ @{run}/systemd/private rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
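Review bot: `network inet6 stream,` appears twice in the new motd profile and there is no `network inet stream,` rule at all; the second line reads like a copy-paste slip and should probably be `network inet stream,` (the wget child profile further down lists both families). `capability net_admin,` on the top-level profile is a broad grant for a set of shell scripts; if the denial that motivated it came from the systemctl or wget child (both already carry it), it can be dropped from the parent — worth checking against the audit log. A one-line comment on why `@{PROC}/1/environ r,` is needed would also help the next reader.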
diff --git a/apparmor.d/profiles-m-r/mpd b/apparmor.d/profiles-m-r/mpd index 14a6c4acf..89b66253a 100644 --- a/apparmor.d/profiles-m-r/mpd +++ b/apparmor.d/profiles-m-r/mpd @@ -4,7 +4,7 @@ # Copyright (C) 2023 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy new file mode 100644 index 000000000..3a5dfffb6 --- /dev/null +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mpris-proxy +profile mpris-proxy @{exec_path} { + include + include + include + include + + #aa:dbus own bus=session name=org.mpris.MediaPlayer2 + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 46f239fce..a66fc287f 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,10 +24,10 @@ profile mpsyt @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/tset rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 1629176dd..3d044049e 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -3,14 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/mpv profile mpv @{exec_path} { include - include + include include include include 
@@ -32,8 +32,7 @@ profile mpv @{exec_path} { @{exec_path} mr, - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver Px, @{bin}/youtube-dl rPx, @{bin}/yt-dlp rPx, @@ -77,34 +76,14 @@ profile mpv @{exec_path} { @{sys}/devices/**/input/**/uevent r, @{sys}/devices/**/sound/**/capabilities/* r, @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, /dev/input/event@{int} r, owner /dev/tty@{int} rw, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - @{bin}/xscreensaver-command rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - } - include if exists } diff --git a/apparmor.d/profiles-m-r/mtr b/apparmor.d/profiles-m-r/mtr index 5b341d8f5..4ff851662 100644 --- a/apparmor.d/profiles-m-r/mtr +++ b/apparmor.d/profiles-m-r/mtr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mtr-packet b/apparmor.d/profiles-m-r/mtr-packet index 4bf15b7d5..d771c58ec 100644 --- a/apparmor.d/profiles-m-r/mtr-packet +++ b/apparmor.d/profiles-m-r/mtr-packet @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index db29113ce..bc20a0f9a 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup 
@@ -2,16 +2,24 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /opt/Mullvad*/resources/mullvad-setup profile mullvad-setup @{exec_path} { include + include @{exec_path} mr, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + + @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, # File Inherit diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 918e5a0c2..588f4b6b1 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/multipath +@{exec_path} = @{sbin}/multipath profile multipath @{exec_path} flags=(attach_disconnected) { include include @@ -27,6 +27,7 @@ profile multipath @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/class/ r, + @{sys}/module/*/parameters/multipath r, @{PROC}/devices r, @{PROC}/sys/fs/nr_open r, diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index 510fb3417..bbb6a87a6 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/multipathd +@{exec_path} = @{sbin}/multipathd profile multipathd @{exec_path} { include include 
@@ -20,7 +20,8 @@ profile multipathd @{exec_path} { network netlink raw, - unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream addr=@/org/kernel/linux/storage/multipathd, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 879d2b9bf..a85eb6790 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,7 +30,7 @@ profile mumble @{exec_path} { @{exec_path} mrix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{browsers_path} rPx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 61b287329..86792860c 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index aca74e562..e0bd8d976 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -2,13 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{bin}/murmurd profile murmurd @{exec_path} { include include - include + include include include @@ -27,7 +29,7 @@ profile murmurd @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/mumble-server.ini r, 
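Review bot: the rewritten `unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),` drops the old `(send, receive, connect)` access list, and the added `unix type=stream addr=@/org/kernel/linux/storage/multipathd,` has none either, so both rules now grant every unix-socket permission (create, bind, listen, accept, setopt, …) on that abstract address rather than the three that were allowed before. If the daemon needs the listening side as well, spell it out, e.g. `unix (create, bind, listen, accept, send, receive) type=stream addr=@/org/kernel/linux/storage/multipathd,`, and keep `(send, receive, connect)` on the peer rule. The two lines also quote the address differently (`addr="@/org/…"` vs bare `addr=@/org/…`); pick one form.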
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 1ed63e68e..a91aba241 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -2,7 +2,7 @@ # Copyright (C) 2023 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,23 +27,18 @@ profile mutt @{exec_path} { # There are countless programs that can be executed from the mailcap. # This profile includes only the most basic. @{sh_path} rix, - + @{lib}/{,sendmail/}sendmail rPUx, - @{bin}/ispell rPUx, + @{bin}/ispell rPUx, @{bin}/abook rPUx, @{bin}/mutt_dotlock rix, # Misc mutt scripts @{lib}/mutt/* rix, - + @{bin}/w3m rCx -> html-renderer, @{bin}/lynx rCx -> html-renderer, - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/sensible-editor rCx -> editor, - - @{bin}/less rCx -> pager, - @{bin}/more rCx -> pager, - @{bin}/pager rCx -> pager, + @{editor_path} rCx -> editor, + @{pager_path} rCx -> pager, @{bin}/gpg{2,} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @@ -67,6 +62,7 @@ profile mutt @{exec_path} { owner @{HOME}/.mutthistory rwk, owner @{HOME}/.muttrc* r, owner @{HOME}/.signature r, # Mutt signature file + owner @{HOME}/ r, # User mbox # Could be a file or dir depending on mbox_type variable @@ -89,18 +85,21 @@ profile mutt @{exec_path} { # Used When viewing attachments owner /{var/,}tmp/* lrw, - + profile html-renderer { include @{bin}/w3m mrix, @{bin}/lynx mrix, - - owner @{HOME}/.w3m/* rw, + + owner @{HOME}/.w3m/{,**} rw, owner @{user_mail_dirs}/{,**} r, owner @{user_mail_dirs}/tmp/{,**} rw, owner /{var/,}tmp/mutt* rw, + owner /tmp/w3m-@{rand6} rw, + owner /tmp/w3m-@{rand6}/{,**} rw, + include if exists } 
@@ -116,21 +115,7 @@ profile mutt @{exec_path} { profile pager { include - include - - @{bin}/less mr, - @{bin}/more mr, - @{bin}/pager mr, - - /usr/share/terminfo/** r, - /usr/share/file/misc/magic.mgc r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, + include # This is the file that holds the message owner /{var/,}tmp/mutt* rw, @@ -149,9 +134,9 @@ profile mutt @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - + owner /{var/,}tmp/mutt* lrw, - + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index e3222d2ff..a09008ac3 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart 
@@ -2,64 +2,58 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/needrestart +@{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include - include capability checkpoint_restore, capability dac_read_search, - capability kill, capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mrix, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/locale rix, - @{bin}/python3.@{int} rix, - @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, - @{bin}/udevadm rPx, - @{bin}/unix_chkpwd rPx, - @{bin}/whiptail rPx, - @{bin}/who rix, - @{lib}/needrestart/iucode-scan-versions rPx, - /usr/share/debconf/frontend rix, + @{bin}/udevadm rCx -> udevadm, + @{bin}/who rPx, + @{lib}/needrestart/* rPx, + @{python_path} rix, + @{sbin}/unix_chkpwd rPx, - @{bin}/networkd-dispatcher r, - @{bin}/gettext.sh r, - /usr/share/needrestart/{,**} r, - /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, + @{etc_ro}/needrestart/hook.d/* rPx, + @{etc_ro}/needrestart/notify.d/* rPx, + @{etc_ro}/needrestart/restart.d/* rPx, - /etc/debconf.conf r, /etc/init.d/* r, /etc/needrestart/{,**} r, - /etc/needrestart/*.d/* rix, /etc/shadow r, / r, - /boot/ r, - /boot/intel-ucode.img r, - /boot/vmlinuz* r, + @{efi}/ r, + @{efi}/* r, + /opt/*/** r, + @{bin}/* r, + @{lib}/** r, + @{sbin}/** r, + @{att}/@{lib}/** r, + /usr/share/** r, + /var/lib/*/** r, - owner /var/lib/juju/agents/{,**} r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + @{run}/systemd/sessions/* r, - owner @{run}/sshd.pid r, + /tmp/@{word10}/ rw, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, 
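Review bot: the added `/tmp/@{word10}/ rw,` has no `owner` qualifier and uses a literal `/tmp` where the sibling profile added in this commit (needrestart-vmlinuz-get-version) writes `owner @{tmp}/tmp.@{rand10} rw,`; for a tool that runs as root, a world-writable path without `owner` invites the usual pre-created-directory problem, so `owner @{tmp}/@{word10}/ rw,` seems the safer spelling. The same hunk also widens reads considerably (`@{bin}/* r,`, `@{lib}/** r,`, `@{sbin}/** r,`, `/opt/*/** r,`, `/usr/share/** r,`, `/var/lib/*/** r,`); presumably this is for stat-ing the files listed in `@{PROC}/@{pids}/maps`, but `/var/lib/*/** r,` also covers service state and databases, so a comment stating the reason would help. `/etc/shadow r,` survives from the old profile while password checks already go through `@{sbin}/unix_chkpwd rPx,`, so it may no longer be needed; the profile continues in the next hunk.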
@@ -67,20 +61,35 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, + deny mqueue type=posix /, + profile systemctl { include include + capability sys_resource, capability net_admin, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + include if exists } + profile udevadm { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 805f69678..b70a49be8 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -2,26 +2,30 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/needrestart/apt-pinvoke -profile needrestart-apt-pinvoke @{exec_path} { +profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) { include include include include + capability dac_read_search, + @{exec_path} mr, @{sh_path} rix, @{bin}/dbus-send rix, - @{bin}/needrestart rPx, + @{sbin}/needrestart rPx, @{bin}/rm rix, @{run}/needrestart/{,**} rw, + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-dpkg-status b/apparmor.d/profiles-m-r/needrestart-dpkg-status index fff97e67c..3d54f896d 100644 --- a/apparmor.d/profiles-m-r/needrestart-dpkg-status +++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook new file mode 100644 index 000000000..c8c9a12c4 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-hook 
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{etc_ro}/needrestart/hook.d/* +profile needrestart-hook @{exec_path} { + include + include + include + + @{exec_path} mr, + @{sh_path} rix, + + @{bin}/dpkg-query px, + + /tmp/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 37dd180c3..3c826cd74 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,21 +12,24 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, - @{bin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, @{bin}/cat rix, + @{sbin}/iucode_tool rix, /usr/share/misc/ r, + /usr/share/misc/amd-microcode* r, /usr/share/misc/intel-microcode* r, + /etc/default/amd-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/intel-ucode.img r, - /boot/early_ucode.cpio r, - + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/early_ucode.cpio r, + @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify new file mode 100644 index 000000000..82465ceb2 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-notify 
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{etc_ro}/needrestart/notify.d/*
+profile needrestart-notify @{exec_path} {
+ include
+ include
+
+ capability dac_read_search,
+ capability sys_ptrace,
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ @{sh_path} r,
+ @{bin}/fold ix,
+ @{bin}/gettext.sh r,
+ @{bin}/mail Px,
+ @{bin}/notify-send Px,
+ @{bin}/sed ix,
+
+ /etc/needrestart/notify.conf r,
+
+ @{PROC}/@{pid}/environ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart
new file mode 100644
index 000000000..964ff1a74
--- /dev/null
+++ b/apparmor.d/profiles-m-r/needrestart-restart
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{etc_ro}/needrestart/restart.d/*
+profile needrestart-restart @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/systemctl Cx -> systemctl,
+ @{sh_path} r,
+
+ /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
new file mode 100644
index 000000000..3828f9228
--- /dev/null
+++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
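Review bot: `capability sys_ptrace,`, `ptrace read,` and `@{PROC}/@{pid}/environ r,` together let the notify.d hooks read the environment of any process on the system, which routinely carries credentials, and none of the three lines says why. Presumably the hooks look up the session bus address or DISPLAY of logged-in users before calling `notify-send`; a comment above the capability lines such as `# Read user session environments to locate the session bus for notify-send` would record that, and if only the hook's own or its parent's environment is actually read, `owner @{PROC}/@{pid}/environ r,` would narrow the grant. The `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` in the needrestart-restart hunk on this same line is probably an inherited descriptor and would benefit from a `# file_inherit` comment as the other profiles in this repository use.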
@@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/needrestart/vmlinuz-get-version +profile needrestart-vmlinuz-get-version @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/bzip2 rix, + @{bin}/{,e}grep rix, + @{bin}/gunzip rix, + @{bin}/gzip rix, + @{bin}/lzop rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/tail rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rPx, + @{bin}/xz rix, + + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/vmlinuz* r, + + owner @{tmp}/tmp.@{rand10} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index f28d053cd..c7c9160d7 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -3,22 +3,44 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/nemo profile nemo @{exec_path} { include + include + include include include + include network inet stream, network inet6 stream, @{exec_path} mr, -# @{lib}/@{multiarch}/nemo/** mrix, + @{open_path} rPx -> child-open, + + @{bin}/gdk-pixbuf-thumbnailer rPx, + + /usr/share/nemo/** r, + /usr/share/thumbnailers/{,*.thumbnailer} r, + + # Full access to user's data + / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, + owner @{HOME}/{,**} rw, + owner @{run}/user/@{uid}/{,**} rw, + owner @{tmp}/{,**} rw, + + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/nethogs b/apparmor.d/profiles-m-r/nethogs index e39e64621..c1a9f611a 100644 --- a/apparmor.d/profiles-m-r/nethogs +++ b/apparmor.d/profiles-m-r/nethogs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
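Review bot: `@{bin}/which{,.debianutils} rPx,` transitions to a separate `which` profile, whereas every other profile touched in this commit runs it inline (`rix` in mumble-overlay, openbox and os-prober, the latter changed to that form in this very commit); unless a `which` profile exists and the transition is deliberate, `@{bin}/which{,.debianutils} rix,` is the consistent choice. All the other helpers in this profile (`gzip`, `xz`, `tail`, `tr`, …) are already `rix`, so the odd one out reads like an oversight.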
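Review bot: under the `# Full access to user's data` comment, `@{MOUNTS}/** rw,` is the only rule without `owner`, so nemo may modify files belonging to any user on mounted volumes while the `@{HOME}`, `@{run}/user/@{uid}` and `@{tmp}` rules are owner-restricted; if that asymmetry is intended (removable media carrying foreign uids), extend the comment to say so, otherwise `owner @{MOUNTS}/** rw,` matches its neighbours. Note that `owner @{HOME}/{,**} rw,` also covers dotfiles such as `.ssh` and `.gnupg`; that is the norm for a file-manager profile, but worth keeping in mind for the programs that `rPx` into nemo.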
@@ -24,6 +24,8 @@ profile nethogs @{exec_path} { @{exec_path} mr, + /usr/share/terminfo/** r, + @{PROC}/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index 039109ea2..a23a095e9 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -5,7 +5,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,12 +13,18 @@ include profile netstat @{exec_path} { include include - include + include capability dac_read_search, capability sys_ptrace, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + ptrace (trace,read), @{exec_path} rmix, diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap index 0eb1eceba..348c3ac0e 100644 --- a/apparmor.d/profiles-m-r/nmap +++ b/apparmor.d/profiles-m-r/nmap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index 9ee225d9d..41435f2f0 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nullmailer-send b/apparmor.d/profiles-m-r/nullmailer-send index e27e15429..6f7b8f225 100644 --- a/apparmor.d/profiles-m-r/nullmailer-send +++ b/apparmor.d/profiles-m-r/nullmailer-send @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/numlockx b/apparmor.d/profiles-m-r/numlockx index 25903ed8b..5c88ec846 100644 --- a/apparmor.d/profiles-m-r/numlockx +++ b/apparmor.d/profiles-m-r/numlockx 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-detector b/apparmor.d/profiles-m-r/nvidia-detector index b0465ef85..d438b598d 100644 --- a/apparmor.d/profiles-m-r/nvidia-detector +++ b/apparmor.d/profiles-m-r/nvidia-detector @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-persistenced b/apparmor.d/profiles-m-r/nvidia-persistenced index 33dac3dba..9f44c8f13 100644 --- a/apparmor.d/profiles-m-r/nvidia-persistenced +++ b/apparmor.d/profiles-m-r/nvidia-persistenced @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index d4bda6123..893770a4b 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -2,12 +2,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/nvidia-settings -profile nvidia-settings @{exec_path} { +profile nvidia-settings @{exec_path} flags=(attach_disconnected) { include include include @@ -17,6 +17,23 @@ profile nvidia-settings @{exec_path} { /usr/share/pixmaps/{,**} r, + owner @{HOME}/.nvidia-settings-rc rw, + + @{sys}/bus/pci/devices/ r, + @{sys}/devices/@{pci}/config r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, + + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} r, + include if exists } 
diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi new file mode 100644 index 000000000..eb42bd59b --- /dev/null +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/nvidia-smi +profile nvidia-smi @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, + + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 54c9c5959..fc51b5b9e 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, 
@@ -23,27 +23,37 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/nvtop/{,**} rw, - @{run}/systemd/inhibit/*.ref r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/current_link_{speed,width} r, @{sys}/devices/@{pci}/enable r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/fan@{int}_{enable,max} r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/power@{int}_cap r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int} r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int}_{enable,max} r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp@{int}_crit r, + @{sys}/devices/@{pci}/max_link_{speed,width} r, + @{sys}/devices/@{pci}/pcie_bw r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/ r, - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/fdinfo/@{int} r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index 070ac10af..9d9ed2a94 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile obamenu @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 37e94369e..d283466f5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/obxprop b/apparmor.d/profiles-m-r/obxprop index 724f83de7..b0f1c7c27 100644 --- a/apparmor.d/profiles-m-r/obxprop +++ b/apparmor.d/profiles-m-r/obxprop @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/odt2txt b/apparmor.d/profiles-m-r/odt2txt index 0636f6ee8..065e953f3 100644 --- a/apparmor.d/profiles-m-r/odt2txt +++ b/apparmor.d/profiles-m-r/odt2txt @@ -2,13 +2,14 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/odt2txt profile odt2txt @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama new file mode 100644 index 000000000..73447e33e --- /dev/null +++ b/apparmor.d/profiles-m-r/ollama 
@@ -0,0 +1,59 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ollama
+profile ollama @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /tmp/ollama@{int}/runners/*/* mr,
+ /tmp/ollama@{int}/runners/*/ollama_*_server rix, # TODO: rPx and remove graphics from here.
+
+ /usr/ r,
+ /usr/local/ r,
+ /usr/local/lib/ r,
+
+ @{lib}/ r,
+
+ owner /var/lib/ollama/ rw,
+ owner /var/lib/ollama/** rwlk,
+
+ /tmp/ r,
+ owner @{tmp}/ollama@{int}/{,**} rw,
+ owner @{tmp}/ollama@{int}/runners/{,**} mr,
+
+ @{sys}/devices/@{pci}/drm/card@{int}/ r,
+ @{sys}/devices/@{pci}/drm/card@{int}/*/ r,
+ @{sys}/devices/@{pci}/mem_info_vram_total r,
+ @{sys}/devices/@{pci}/mem_info_vram_used r,
+ @{sys}/devices/@{pci}/numa_node r,
+ @{sys}/devices/system/node/node@{int}/cpumap r,
+ @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
+ @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
+ @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
+
+ @{PROC}/devices r,
+ @{PROC}/sys/net/core/somaxconn r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power
index d9b5a412e..d6426f717 100644
--- a/apparmor.d/profiles-m-r/on-ac-power
+++ b/apparmor.d/profiles-m-r/on-ac-power
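Review bot: `/tmp/ollama@{int}/runners/*/* mr,` and `/tmp/ollama@{int}/runners/*/ollama_*_server rix,` let the daemon map and execute binaries from a world-writable directory with no `owner` qualifier, while the later `owner @{tmp}/ollama@{int}/runners/{,**} mr,` already covers the same files owner-restricted; as written the profile would not stop a file owned by another local user that sits under that predictable `/tmp/ollama<pid>` path from being mapped or run inside this profile. Prefixing both lines with `owner` and using `@{tmp}` like the rest of the profile keeps the confinement consistent: `owner @{tmp}/ollama@{int}/runners/*/ollama_*_server rix,`. The inline `# TODO: rPx and remove graphics from here.` already notes that the runner should get its own profile, which would close this properly.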
@@ -3,21 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/on_ac_power +@{exec_path} = @{sbin}/on_ac_power profile on-ac-power @{exec_path} { include @{exec_path} r, @{sh_path} rix, + @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, @{sys}/class/power_supply/ r, + @{sys}/class/typec/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @{PROC}/pmu/info r, diff --git a/apparmor.d/profiles-m-r/onefetch b/apparmor.d/profiles-m-r/onefetch index 84a68634c..ded4a204a 100644 --- a/apparmor.d/profiles-m-r/onefetch +++ b/apparmor.d/profiles-m-r/onefetch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler new file mode 100644 index 000000000..2593b78ac --- /dev/null +++ b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/open-iscsi/net-interface-handler +profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index ac0831f05..899290792 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run @{bin}/* rPUx, 
@@ -75,7 +75,7 @@ profile openbox @{exec_path} { /etc/xdg/autostart/{,*} r, # Silencer - deny @{lib}/python3/** w, + deny @{lib}/@{python_name}/** w, deny owner @{user_lib_dirs}/python*/site-packages/ r, # file_inherit diff --git a/apparmor.d/profiles-m-r/openbox-session b/apparmor.d/profiles-m-r/openbox-session index 61666f756..5313ed948 100644 --- a/apparmor.d/profiles-m-r/openbox-session +++ b/apparmor.d/profiles-m-r/openbox-session @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index 571532b4f..f87c0fa92 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,9 +21,9 @@ profile orage @{exec_path} { @{bin}/globaltime rPx, - @{bin}/xdg-open rCx -> open, - @{bin}/exo-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/orage/ rw, owner @{user_config_dirs}/orage/* rw, @@ -35,38 +35,8 @@ profile orage @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 819c4c9bd..f9e5b2058 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober 
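Review bot: `owner /dev/tty@{int} rw,` in orage survives the hunk, but the `# file_inherit` comment that explained it is removed together with the surrounding block, so the rule now reads as if orage opened ttys itself; restore the one-line `# file_inherit` above it. The private `open` subprofile and its `@{lib}/firefox/firefox rPUx,` allowance are replaced by `@{open_path} rPx -> child-open,`, which I assume the shared child-open profile covers, but that profile is not part of this diff.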
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,34 +10,40 @@ include profile os-prober @{exec_path} flags=(attach_disconnected) { include include + include capability dac_read_search, capability sys_admin, + mount options=(rprivate, rw) -> /, + mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/, + umount /var/lib/os-prober/mount/, + mqueue (read getattr) type=posix /, + @{exec_path} mrix, @{sh_path} rix, @{bin}/{e,f,}grep rix, - @{bin}/blkid rPx, - @{bin}/btrfs rPx, + @{sbin}/blkid rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/head rix, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, - @{bin}/multipath rPx, + @{sbin}/multipath rPx, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/rmdir rix, @@ -45,7 +51,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, @@ -57,13 +63,14 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, / r, - /boot/{efi/,} r, - /boot/{efi/,}EFI/ r, - /boot/{efi/,}EFI/*/ r, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, - @{sys}/block/ r, + @{run}/mount/utab r, + @{sys}/devices/@{pci}/block/*/ r, @{sys}/devices/virtual/block/*/ r, diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch new file mode 100644 index 000000000..d0bb4a1ed --- /dev/null +++ b/apparmor.d/profiles-m-r/ouch 
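Review bot: `mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/,` admits a read-write mount of any source device and any filesystem type onto the probe directory. os-prober only inspects foreign partitions, so if its native mount path is read-only (to be confirmed against the probe scripts; the rule may simply have been copied from a log line), `options=(ro, nosuid, nodev)` is the tighter form, and an `fstype=` constraint would bound it further. `mount options=(rprivate, rw) -> /,` is presumably the namespace setup done through the `@{lib}/newns rix,` rule below it and deserves a comment, e.g. `# newns: mark / rprivate so probe mounts stay in the private namespace`. `mqueue (read getattr) type=posix /,` is likewise unexplained; a short trailing comment naming what triggers it would help.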
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ouch +profile ouch @{exec_path} { + include + include + include + + @{exec_path} mr, + + owner @{HOME}/.tmp@{rand6}/{,**} rw, + owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw, + + owner /tmp/ w, + owner /tmp/.tmp@{rand6}/{,**} rw, + owner /tmp/.tmp-ouch@{rand6}/{,**} rw, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index b61426196..e5b54c34e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -2,18 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include + include #aa:only apt include include include include - include #aa:only apt include include @@ -36,13 +36,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send set=int peer=apt-methods-*, + signal send set=term peer=systemd-inhibit, - #aa:dbus own bus=system name=org.freedesktop.PackageKit - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + #aa:dbus own bus=system name=org.freedesktop.PackageKit path=/** @{exec_path} mr, 
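Review bot: The removed `dbus send bus=system path=/org/freedesktop/DBus ... member={GetConnectionUnixUser,GetConnectionUnixProcessID}` rule is what let packagekitd resolve the uid and pid of its D-Bus callers; the replacement `#aa:dbus own bus=system name=org.freedesktop.PackageKit path=/**` is a generator directive whose expansion is not visible here, so confirm that it (or an included abstraction) still emits that send rule, otherwise caller identification may start being denied. The new `path=/**` is also broader than the previous bare own; if every PackageKit object lives under `/org/freedesktop/PackageKit` (to be confirmed), `path=/org/freedesktop/PackageKit{,/**}` is the narrower form. `signal send set=term peer=systemd-inhibit,` pairs with the existing `@{bin}/systemd-inhibit rPx,` further down and looks right.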
@@ -55,8 +51,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, - @{bin}/ischroot rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, @@ -68,6 +63,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, @{bin}/install-info rPx, + @{bin}/ischroot rPx, + @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @@ -77,10 +74,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, @@ -93,7 +91,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner @{tmp}/packagekit* rw, - @{run}/systemd/inhibit/*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/systemd/users/@{uid} r, #aa:only opensuse diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd index 752c3edd7..8512c1c67 100644 --- a/apparmor.d/profiles-m-r/pacmd +++ b/apparmor.d/profiles-m-r/pacmd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index 2f8092a02..1e89ef3f2 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
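Review bot: `/boot/** rwl -> /boot/**,` becomes `@{efi}/** rwl -> @{efi}/**,`; unless `@{efi}` expands to `/boot/` as well as the ESP mount points (the tunable is not in this diff), packagekitd loses the write access that kernel and initramfs packages need under `/boot/`, so please confirm the expansion. `#aa:lint ignore=too-wide` is placed above the `# Install/update packages` comment rather than on a rule, and the scope the linter gives it is not stated; a trailing note naming the rules it is meant to cover (`/*{,/} rw,` onwards, I assume) would make the intent reviewable. `@{bin}/rpm rPUx, #aa:only opensuse` falls back to unconfined when no rpm profile is loaded; that may be acceptable for a profile already marked too-wide, but a `# TODO: write the profile` like the zypp line above it would record that it is a stopgap.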
diff --git a/apparmor.d/profiles-m-r/pagesize b/apparmor.d/profiles-m-r/pagesize index f6615a71e..0ec7c31f6 100644 --- a/apparmor.d/profiles-m-r/pagesize +++ b/apparmor.d/profiles-m-r/pagesize @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 3d805f24c..947fb2f4e 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -3,64 +3,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/pam-auth-update +@{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include - include - include + include - @{exec_path} mr, - @{bin}/perl r, + @{exec_path} mrix, - @{bin}/md5sum rix, - @{bin}/cp rix, + @{bin}/cp ix, + @{bin}/md5sum ix, + @{bin}/stty ix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - /etc/pam.d/* rw, - /var/lib/pam/* rw, /usr/share/pam{,-configs}/{,*} r, + /etc/pam.d/* rw, + /etc/shadow r, - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/pam-auth-update rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - # The following is needed when debconf uses GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, - - /etc/shadow r, - - } + /var/lib/dpkg/info/libpam-runtime.templates r, + /var/lib/pam/* rw, include if exists } 
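Review bot: `/etc/shadow r,` now sits in the top-level pam-auth-update profile, whereas before it was only granted inside the `frontend` subprofile; if the shadow read is a need of the debconf frontend rather than of pam-auth-update itself, it should not be widened to the parent, and either way a comment naming what reads it would help, e.g. `# TODO: confirm which step reads /etc/shadow`. The `/usr/share/debconf/frontend rPx,` rule is dropped without replacement while the profile stays in `flags=(complain)`, so a re-exec through the debconf frontend would now only be logged; if it is no longer needed, say so in a comment, otherwise it should come back.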
diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index 983ca7d42..fc767e5b3 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/pam-tmpdir-helper +@{exec_path} = @{bin}/pam-tmpdir-helper @{lib}/pam-tmpdir/pam-tmpdir-helper profile pam-tmpdir-helper @{exec_path} { include include @@ -15,7 +15,7 @@ profile pam-tmpdir-helper @{exec_path} { @{exec_path} mr, - owner @{tmp}/user/ rw, + owner /tmp/user/ rw, owner @{tmp}/ rw, /dev/ptmx rw, diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings deleted file mode 100644 index cbcb539ed..000000000 --- a/apparmor.d/profiles-m-r/pam/mappings +++ /dev/null 
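Review bot: `owner @{tmp}/user/ rw,` becomes the literal `owner /tmp/user/ rw,` while the next line keeps `owner @{tmp}/ rw,`; the asymmetry is presumably deliberate (pam_tmpdir creates `/tmp/user/` itself, before any per-user TMPDIR exists), but nothing in the file says so. A one-line comment above it, `# pam_tmpdir creates /tmp/user/ itself, independent of @{tmp}`, would stop the next cleanup from reverting it.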
@@ -1,72 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example
-
-# This file contains the mappings from users to roles for the binaries
-# confined with AppArmor and configured for use with libpam-apparmor. Users
-# without a mapping will not be able to login.
-#
-# The default hat is a confined user. The hat contains only the permissions
-# necessary to transition to the user's login shell. All other permissions have
-# been moved into the default_user profile.
-^DEFAULT {
- include
- include
-
- capability dac_override,
- capability setgid,
- capability setuid,
-
- /etc/default/su r,
- @{etc_ro}/environment r,
-
- @{shells_path} rPx -> user_default,
-
- include if exists
-}
-
-# USER is a confined user. The hat contains only the permissions necessary
-# to transition to gray's login shell. All other permissions have been
-# moved into the confined_user profile.
-^USER {
- include
- include
-
- capability dac_override,
- capability audit_write,
- capability setgid,
- capability setuid,
-
- @{shells_path} rPx -> user_confined,
-
- /etc/default/su r,
- @{etc_ro}/environment r,
-
- include if exists
-}
-
-# Don't confine members whose primary group is 'admin' who are not specifically
-# confined. Systems without this special primary group may want to define an
-# unconfined 'root' hat in this manner (depending on site policy).
-^root {
- include
- include
- include
-
- capability dac_override,
- capability audit_write,
- capability setgid,
- capability setuid,
-
- @{shells_path} rUx,
-
- /etc/default/su r,
- @{etc_ro}/environment r,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted
index 9408674f8..1ae7f5478 100644
--- a/apparmor.d/profiles-m-r/parted
+++ b/apparmor.d/profiles-m-r/parted @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/parted +@{exec_path} = @{sbin}/parted profile parted @{exec_path} { include include @@ -22,7 +22,7 @@ profile parted @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 9e384c66c..79e4b0ffb 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/partprobe +@{exec_path} = @{sbin}/partprobe profile partprobe @{exec_path} { include + include include capability sys_admin, @@ -22,7 +23,7 @@ profile partprobe @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{PROC}/devices r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 724bd8f38..30f92c964 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -15,52 +15,52 @@ profile pass @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/base64 rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cp rix, - @{bin}/diff rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/find rix, - @{bin}/getopt rix, - @{bin}/grep rix, - @{bin}/head rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/pkill rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/shred rix, - @{bin}/sleep rix, - @{bin}/sort rix, - @{bin}/tail rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/tree rix, - @{bin}/tty rix, - @{bin}/which rix, + @{bin}/base64 ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cp ix, + @{bin}/diff ix, + @{bin}/dirname ix, + @{bin}/env r, + @{bin}/find ix, + @{bin}/getopt ix, + @{bin}/{,e}grep ix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/rmdir ix, + @{bin}/sed ix, + @{bin}/shred ix, + @{bin}/sleep ix, + @{bin}/sort ix, + @{bin}/tail ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/tree ix, + @{bin}/tty ix, + @{bin}/which{,.debianutils} rix, - @{bin}/git rCx -> git, - @{lib}/git{,-core}/git rCx -> git, - @{bin}/gpg{2,} rCx -> gpg, - @{bin}/qdbus rCx -> qdbus, - @{bin}/vim{,.*} rCx -> editor, - @{bin}/wl-{copy,paste} rPx, - @{bin}/xclip rPx, + @{bin}/git Cx -> git, + @{bin}/gpg{2,} Cx -> gpg, + @{bin}/pkill Cx -> pkill, + @{bin}/qdbus Cx -> qdbus, + @{bin}/wl-{copy,paste} Px, + @{bin}/xclip Px, + @{editor_path} Cx -> editor, + @{lib}/git{,-core}/git Cx -> git, # Pass extensions - @{bin}/oathtool rix, # pass-otp - @{bin}/python3.@{int} rPx -> pass-import, # pass-import, pass-audit - @{bin}/qrencode rPUx, # pass-otp - @{bin}/tomb rPUx, # pass-tomb + @{bin}/oathtool ix, # pass-otp + @{python_path} Px -> pass-import, # pass-import, pass-audit + @{bin}/qrencode PUx, # pass-otp + @{bin}/tomb PUx, # pass-tomb /usr/share/terminfo/** r, - owner @{user_password_store_dirs}/{,**} rw, - owner /dev/shm/pass.*/{,*} rw, + owner 
@{user_passwordstore_dirs}/{,**} rw, + owner /dev/shm/pass.@{rand}/{,*} rw, @{sys}/devices/system/node/ r, @@ -72,6 +72,15 @@ profile pass @{exec_path} { /dev/tty rw, + profile pkill { + include + include + + @{bin}/pkill mr, + + include if exists + } + profile editor { include include @@ -79,9 +88,9 @@ profile pass @{exec_path} { /tmp/ r, - owner @{user_password_store_dirs}/{,**/} r, + owner @{user_passwordstore_dirs}/{,**/} r, - owner /dev/shm/pass.*/{,*} rw, + owner /dev/shm/pass.@{rand}/{,*} rw, deny owner @{HOME}/ r, @@ -103,10 +112,7 @@ profile pass @{exec_path} { @{bin}/git* mrix, @{lib}/git{,-core}/git* mrix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - + @{pager_path} rPx -> child-pager, @{bin}/gpg{2,} rPx -> pass//gpg, /usr/share/git{,-core}/{,**} r, @@ -114,11 +120,11 @@ profile pass @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature - owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw, + owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw, include if exists } @@ -136,10 +142,11 @@ profile pass @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, - owner /dev/shm/pass.*/{,*} rw, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{int} rw, 
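Review bot: Every inherited helper in pass switches from `rix` to `ix`, but `@{bin}/which{,.debianutils} rix,` keeps the `r` and `@{bin}/env` drops exec entirely (`rix` to `r`); if both are intentional (env presumably only needs read as the script's shebang interpreter, which for some other reason), a trailing comment on each would explain the exception, otherwise `@{bin}/which{,.debianutils} ix,` matches the rest. In the `gpg` subprofile, `owner /dev/shm/pass.@{rand}/* rw,` drops the directory itself (`{,*}`) while the parent profile and the `editor` subprofile keep `{,*}`; if gpg never lists that directory the narrower rule is fine, but the inconsistency is worth a glance. The pass hunk starts on the previous line.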
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 655804ccc..8d55dd156 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,16 +24,16 @@ profile pass-import @{exec_path} { @{bin}/ r, @{bin}/gcc rix, # TODO: Test deny @{bin}/ld rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/pass rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{lib}/gcc/**/collect2 rix, @{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny /usr/share/file/misc/magic.mgc r, - owner @{user_password_store_dirs}/{,**} rw, + owner @{user_passwordstore_dirs}/{,**} rw, owner @{tmp}/[a-zA-Z0-9]* rw, diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 8afbac8e5..c0aafeaf9 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,9 +26,7 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /etc/passim.conf r, - /var/lib/passim/{,**} r, - /var/lib/passim/data/{,**} rw, - + owner /var/lib/passim/{,**} rw, owner /var/log/passim/* rw, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/pavucontrol b/apparmor.d/profiles-m-r/pavucontrol index de3782b09..596cbacbd 100644 --- a/apparmor.d/profiles-m-r/pavucontrol +++ b/apparmor.d/profiles-m-r/pavucontrol @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 99ad50a64..2923f70cd 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk 
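Review bot: In passimd, `/var/lib/passim/{,**} r,` plus `/var/lib/passim/data/{,**} rw,` collapse into `owner /var/lib/passim/{,**} rw,`, which extends write access from `data/` to the whole state directory; the added `owner` only narrows this if passimd runs as a dedicated user, which the hunk does not show. If the daemon only writes under `data/`, keeping the split (`owner /var/lib/passim/{,**} r,` and `owner /var/lib/passim/data/{,**} rw,`) preserves least privilege; if it now writes elsewhere, a comment naming what would justify the widening.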
@@ -3,20 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include - include - include - include + include include - include - include - include + include include include @@ -24,7 +20,7 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - @{bin}/dash rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 085061b15..d5bcc4293 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/pcscd +@{exec_path} = @{sbin}/pcscd profile pcscd @{exec_path} { include include @@ -16,17 +16,18 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace (read) peer=gsd-smartcard, - ptrace (read) peer=pkcs11-register, - ptrace (read) peer=rngd, - ptrace (read) peer=scdaemon, + ptrace read peer=@{p_systemd_user}, + ptrace read peer=gsd-smartcard, + ptrace read peer=keepassxc, + ptrace read peer=pkcs11-register, + ptrace read peer=rngd, + ptrace read peer=scdaemon, + ptrace read peer=veracrypt, @{exec_path} mr, /etc/libccid_Info.plist r, - /etc/reader.conf.d/ r, - /etc/reader.conf.d/libccidtwin r, - /etc/reader.conf.d/reader.conf r, + /etc/reader.conf.d/{,**} r, owner @{run}/pcscd/{,pcscd.pid} rw, diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext index c122cbdcb..0394687f7 100644 --- a/apparmor.d/profiles-m-r/pdftotext +++ b/apparmor.d/profiles-m-r/pdftotext @@ -2,13 +2,14 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pdftotext profile pdftotext @{exec_path} { include + include include @{exec_path} mr, 
diff --git a/apparmor.d/profiles-m-r/picom b/apparmor.d/profiles-m-r/picom index 124d5c9c3..7d423f148 100644 --- a/apparmor.d/profiles-m-r/picom +++ b/apparmor.d/profiles-m-r/picom @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index e2ea46e57..76b9942fb 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pidof -profile pidof @{exec_path} { +profile pidof @{exec_path} flags=(attach_disconnected) { include + include capability sys_ptrace, @@ -27,7 +28,7 @@ profile pidof @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - owner /dev/tty@{int} rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry index c30bc5def..b69fcecaf 100644 --- a/apparmor.d/profiles-m-r/pinentry +++ b/apparmor.d/profiles-m-r/pinentry @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile pinentry @{exec_path} { @{bin}/pinentry-* rPx, @{sh_path} rix, + @{bin}/ldd rix, /etc/pinentry/preexec r, diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index 1fd585f47..c14b41027 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,6 +17,8 @@ profile pinentry-curses @{exec_path} { /usr/share/terminfo/** r, + owner /dev/tty@{int} r, + include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index d6fc0abb0..b60d929e2 100644 
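Review bot: `owner /dev/tty@{int} rw,` loses its `owner` qualifier in pidof, so the profile now allows pidof to open any user's tty for writing rather than only one it owns. If the motivation is an inherited fd on a tty owned by someone else (pidof run by root from a service while the tty belongs to a login user, which is inferred), a `# file_inherit` comment above the rule documents that and keeps the next reviewer from restoring `owner`.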
--- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -2,16 +2,19 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pinentry-gnome3 profile pinentry-gnome3 @{exec_path} { include + include + include include + include - signal (receive) set=(int) peer=gpg-agent, + signal receive set=int, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk similarity index 51% rename from apparmor.d/profiles-m-r/pinentry-gtk-2 rename to apparmor.d/profiles-m-r/pinentry-gtk index efad3a6f1..d07a64a5a 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -3,25 +3,24 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/pinentry-gtk-2 -profile pinentry-gtk-2 @{exec_path} { +@{exec_path} = @{bin}/pinentry-gtk{,-2} +profile pinentry-gtk @{exec_path} { include - include - include + include include - include + include @{exec_path} mr, - /usr/share/gtk-2.0/gtkrc r, + @{PROC}/@{pid}/cmdline r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + owner /dev/tty@{int} r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index 235c256a7..adff98c53 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
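Review bot: `signal (receive) set=(int) peer=gpg-agent,` becomes `signal receive set=int,` without a peer, so any process may now deliver SIGINT to pinentry-gnome3 instead of only gpg-agent. If another sender is needed (presumably whatever prompted the change, not visible here), listing it keeps the restriction, e.g. `signal receive set=int peer={gpg-agent,<other-sender>},` where `<other-sender>` is a constructed placeholder; if the peer really has to be open, a comment saying which sender is unlabeled would justify it.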
@@ -11,42 +11,31 @@ include profile pinentry-kwallet @{exec_path} { include include - include + include signal (send) set=(term, kill) peer=gpg-agent, @{exec_path} mr, - @{bin}/pinentry-* rPx, - - @{bin}/kwalletcli_getpin rix, - @{bin}/kwalletcli rCx -> kwalletcli, - - # when wrong PIN is provided @{bin}/date rix, - - @{bin}/mksh rix, @{bin}/env rix, - - owner @{HOME}/.Xauthority r, - - /usr/share/hwdata/pnp.ids r, - + @{bin}/kwalletcli rCx -> kwalletcli, + @{bin}/kwalletcli_getpin rix, + @{bin}/mksh rix, + @{bin}/pinentry-* rPx, profile kwalletcli { include + include @{bin}/kwalletcli mr, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwalletrc r, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, - owner @{HOME}/.Xauthority r, - - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/kwalletrc r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 947350b8a..66729769f 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt 
@@ -3,47 +3,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include - include + include include - include - include - include - include + include + include include include - include - include - include + + ptrace read peer=gpg-agent, @{exec_path} mr, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, + /var/lib/dbus/machine-id r, owner @{tmp}/xauth_@{rand6} r, owner /dev/shm/#@{int} rw, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index c8238688e..d775cafe5 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -2,18 +2,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include + include @{exec_path} mr, - /etc/{,opensc/}opensc.conf r, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec deleted file mode 100644 index 923d955af..000000000 --- a/apparmor.d/profiles-m-r/pkexec +++ /dev/null 
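Review bot: The added `ptrace read peer=gpg-agent,` in pinentry-qt has no comment saying what triggers it; pinentry reading its parent's `/proc/<pid>/` entries is the usual reason, but that is inferred. A short comment such as `# needed to read the parent gpg-agent's /proc entries — TODO confirm` keeps the rule from looking like an accidental over-grant. The sibling pinentry-gnome3 hunk in this diff gets no such rule, which suggests the trigger is Qt-specific and worth recording.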
@@ -1,66 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2022 Mikhail Morfikov
-# Copyright (C) 2022-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/pkexec
-profile pkexec @{exec_path} {
- include
- include
- include
- include
- include
- include
-
- capability audit_write,
- capability dac_read_search,
- capability net_admin,
- capability setgid, # gdbus
- capability setuid, # gmain
- capability sys_ptrace,
- capability sys_resource,
- audit deny capability sys_nice,
-
- network netlink raw,
-
- signal (send) set=(term, kill) peer=polkit-agent-helper,
-
- ptrace (read),
-
- #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd
-
- @{exec_path} mr,
-
- # Apps to be run via pkexec
- @{bin}/* rPUx,
- @{lib}/{,gvfs/}gvfsd-admin rPx,
- @{lib}/cc-remote-login-helper rPx,
- @{lib}/update-notifier/package-system-locked rPx,
- /usr/share/apport/apport-gtk rPx,
- #aa:exec polkit-agent-helper
-
- @{etc_ro}/environment r,
- @{etc_ro}/security/limits.d/{,*} r,
- /etc/default/locale r,
- /etc/shells r,
-
- @{PROC}/@{pid}/fdinfo/@{int} r,
- @{PROC}/@{pids}/stat r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/loginuid r,
-
- # file_inherit
- owner /dev/tty@{int} rw,
- owner @{HOME}/.xsession-errors w,
-
- # Silencer
- deny @{user_share_dirs}/gvfs-metadata/* r,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/plank b/apparmor.d/profiles-m-r/plank
index 77bad6788..9619326f2 100644
--- a/apparmor.d/profiles-m-r/plank
+++ b/apparmor.d/profiles-m-r/plank
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate
index e66d0c14c..3877f89cd 100644
--- a/apparmor.d/profiles-m-r/plocate
+++ b/apparmor.d/profiles-m-r/plocate
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build index 5e81be8a3..afc322958 100644 --- a/apparmor.d/profiles-m-r/plocate-build +++ b/apparmor.d/profiles-m-r/plocate-build @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo new file mode 100644 index 000000000..324b08f17 --- /dev/null +++ b/apparmor.d/profiles-m-r/pokemmo 
@@ -0,0 +1,98 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pokemmo-launcher
+profile pokemmo @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include # Installer
+ include
+ include # Installer
+ include
+ include
+ include
+ include # Installer
+ include
+
+ # The installer is a GTK app and requires a few extra abstractions
+ # GTK/QT/fonts abstractions are unused by the game itself and can
+ # be removed if this profile is later split into stacked profiles
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{coreutils_path} ix,
+ @{python_path} ix,
+ @{sh_path} ix,
+
+ @{bin}/java ix,
+ @{bin}/perl ix,
+ @{bin}/which{,.debianutils} ix,
+ @{lib}/jvm/java-@{int}-openjdk/bin/java ix,
+
+ # Installer
+ @{bin}/openssl ix,
+ @{bin}/ps ix,
+ @{bin}/wget ix,
+ @{bin}/zenity ix,
+ @{lib}/jvm/java-@{int}-openjdk/lib/jspawnhelper ix,
+
+ /etc/lsb-release r, # Installer
+ /etc/java-openjdk/** r,
+ /etc/timezone r,
+ /etc/wgetrc r, # Installer
+
+ # Installer
+ owner @{HOME}/ r,
+ owner @{HOME}/.java/fonts/** rw,
+ owner @{HOME}/.wget-hsts rwk,
+
+ owner @{user_config_dirs}/pokemmo/{,**} rw,
+ owner @{user_share_dirs}/pokemmo/{,**} rw,
+
+ owner /tmp/hsperfdata_user/ rw,
+ owner /tmp/hsperfdata_user/@{int} rwk,
+ owner /tmp/libgdxuser/{,**} rw,
+ owner /tmp/libgdxuser/**/*.so mrw,
+ owner /tmp/lwjgl_user/{,**} rw,
+ owner /tmp/lwjgl_user/**/*.so mrwk,
+
+ @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
+
+ @{PROC}/@{pid}/net/if_inet6 r,
+ @{PROC}/cgroups r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/coredump_filter rw,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ # Installer
+ @{PROC}/ r,
+ @{PROC}/uptime r,
+ @{PROC}/sys/kernel/pid_max r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner
@{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/js@{int} rw, + + /dev/tty rw, + owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate new file mode 100644 index 000000000..5a10cc9e2 --- /dev/null +++ b/apparmor.d/profiles-m-r/pollinate @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pollinate +profile pollinate @{exec_path} { + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/curl rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-query rpx, + @{bin}/hostname rix, + @{bin}/logger rix, + @{bin}/systemd-detect-virt rPx, + @{bin}/xxd rix, + + /etc/cloud/build.info r, + /etc/default/pollinate r, + /etc/lsb-release r, + /etc/pollinate/{,**} r, + + owner /var/cache/pollinate/seeded w, + + owner /tmp/pollinate.@{rand12}/{,**} rw, + + @{PROC}/uptime r, + + /dev/urandom w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index a4b93d5b5..0bbd727ae 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,6 @@ profile popularity-contest @{exec_path} { ptrace (read), @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/env rix, 
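Review bot: `owner /tmp/libgdxuser/**/*.so mrw,` and `owner /tmp/lwjgl_user/**/*.so mrwk,` allow the same files to be both written and mapped executable from a world-writable directory, so anything running under this profile (which, with `ix` on java, the shell and python, is the whole launcher toolchain) can stage and load native code there; libgdx/lwjgl do extract their natives this way, but the W+m pairing is the one rule in the profile that warrants a justification comment, e.g. `# libgdx/lwjgl unpack their native libraries here; w and m on the same path are required`. The literal `user` in `/tmp/hsperfdata_user/` reads like a placeholder for the login name rather than a variable (the JVM names that directory `hsperfdata_` followed by the user name); if the repository provides a variable for the user name it should be used here, otherwise the rule only matches an account literally called `user` — confirm against the denial log.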
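Review bot: `@{bin}/dpkg-query rpx,` uses the lowercase `p`, so the transition into dpkg-query's profile is made without scrubbing the environment, while the neighbouring `@{bin}/dpkg rPx -> child-dpkg,` and `@{bin}/systemd-detect-virt rPx,` do scrub it; unless dpkg-query relies on an inherited variable, `@{bin}/dpkg-query rPx,` is the consistent and safer form. The same `rpx` appears in the `dpkg` child of the new pycompile profile later in this diff. `/dev/urandom w,` (feeding the fetched seed into the kernel pool) and the `curl rix` rule are the security-relevant parts of this profile and would each benefit from a one-line comment.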
@@ -42,11 +41,11 @@ profile popularity-contest @{exec_path} { /var/lib/ r, /var/lib/dpkg/info/{,*.list} r, /var/log/ r, - /var/log/popularity-contest.[0-9]* w, + /var/log/popularity-contest.@{int} w, /var/log/popularity-contest.new w, owner @{tmp}/#@{int} rw, - + @{PROC}/ r, include if exists diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 067968258..e4e923159 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability net_admin, 
@@ -27,22 +28,23 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
 /var/lib/power-profiles-daemon/{,**} rw,
- @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
+ @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
+ @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
+ @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
 @{sys}/bus/ r,
 @{sys}/bus/platform/devices/ r,
 @{sys}/class/ r,
+ @{sys}/class/drm/ r,
 @{sys}/class/power_supply/ r,
- @{sys}/devices/@{pci}/uevent r,
+ @{sys}/devices/**/status r,
 @{sys}/devices/**/power_supply/*/scope r,
- @{sys}/devices/**/power_supply/*/uevent r,
- @{sys}/devices/platform/**/uevent r,
+ @{sys}/devices/**/uevent r,
 @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
- @{sys}/devices/system/cpu/*_pstate/status r,
 @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw,
 @{sys}/devices/system/cpu/cpufreq/ r,
- @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
- @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,
 @{sys}/firmware/acpi/platform_profile* rw,
 @{sys}/firmware/acpi/pm_profile* rw,
diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail
new file mode 100644
index 000000000..8a6a2982e
--- /dev/null
+++ b/apparmor.d/profiles-m-r/protonmail
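Review bot: `@{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,` replaces two named attributes (`energy_performance_preference`, `scaling_governor`) with write access to every attribute of every cpufreq policy, and `@{sys}/devices/**/uevent r,` / `@{sys}/devices/**/status r,` extend the reads to the whole device tree. If only one or two further attributes are written, listing them keeps the rule at least-privilege, e.g. `@{sys}/devices/system/cpu/cpufreq/policy@{int}/{energy_performance_preference,scaling_governor} rw,` plus the newly needed name; if the wildcard is deliberate, a trailing comment naming the attribute that motivated it (the four new udev rules above all carry one) lets the next reader re-tighten it later.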
@@ -0,0 +1,44 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 curiosityseeker
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = proton-mail "Proton Mail"
+@{domain} = org.chromium.Chromium
+@{lib_dirs} = /opt/@{name}
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton*
+profile protonmail @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ ptrace read peer=protonmail//&xdg-settings,
+
+ @{exec_path} mrix,
+
+ #aa:stack X xdg-settings
+ @{bin}/xdg-settings rPx -> protonmail//&xdg-settings,
+ @{open_path} Px -> child-open,
+
+ owner @{user_config_dirs}/ibus/bus/ r,
+
+ @{sys}/devices/@{pci}/boot_vga r,
+
+ owner @{tmp}/gtkprint_ppd_@{rand6} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge
index 3d3878c3e..fc8092ef9 100644
--- a/apparmor.d/profiles-m-r/protonmail-bridge
+++ b/apparmor.d/profiles-m-r/protonmail-bridge
@@ -2,13 +2,13 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{config_dirs} = @{user_config_dirs}/protonmail/bridge-v3
-@{cache_dirs} = @{user_cache_dirs}/protonmail/bridge-v3 "@{user_cache_dirs}/Proton AG/Proton Mail Bridge"
-@{share_dirs} = @{user_share_dirs}/protonmail/bridge-v3
+@{config_dirs} = @{user_config_dirs}/protonmail/{,bridge-v3}
+@{cache_dirs} = @{user_cache_dirs}/protonmail/{,bridge-v3} "@{user_cache_dirs}/Proton AG/{,Proton Mail Bridge}"
+@{share_dirs} = @{user_share_dirs}/protonmail/{,bridge-v3}
 @{exec_path} = @{lib}/protonmail/bridge/bridge-gui
 profile protonmail-bridge @{exec_path} {
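Review bot: The network block lists `network inet stream,`, `network inet dgram,` and `network inet6 dgram,` but no `network inet6 stream,`, so TCP over IPv6 — the usual path for HTTPS on a v6-enabled host — will be denied while UDP over IPv6 is allowed; this looks accidental rather than a policy choice, and adding the missing rule (or a comment saying why it is absent) resolves it. `@{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton*` also attaches the profile to every file under /opt/proton-mail whose name starts with `Proton`, which is wider than the launcher binary; worth confirming against the package layout that nothing else matches.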
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core
index b7fd0c98a..a9bd819e3 100644
--- a/apparmor.d/profiles-m-r/protonmail-bridge-core
+++ b/apparmor.d/profiles-m-r/protonmail-bridge-core
@@ -2,19 +2,22 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# To force the use of the Gnome Keyring or Kwallet secret-service, add the
+# To force the use of the Gnome Keyring or Kwallet secret-service, add the
 # following lines in your local/protonmail-bridge-core file:
 # deny @{bin}/pass x,
-# deny owner @{user_password_store_dirs}/** r,
+# deny owner @{user_passwordstore_dirs}/** r,
-abi ,
+abi ,
 include
 @{exec_path} = @{lib}/protonmail/bridge/bridge
-profile protonmail-bridge-core @{exec_path} {
+profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
+ include
+ include
 network inet dgram,
 network inet6 dgram,
@@ -24,13 +27,16 @@ profile protonmail-bridge-core @{exec_path} {
 @{exec_path} mr,
- @{bin}/pass rCx -> pass,
+ @{bin}/pass Cx -> pass,
+
+ @{lib}/protonmail/bridge/bridge-gui ix,
 /etc/lsb-release r,
 /etc/machine-id r,
+ /etc/os-release r,
- owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r,
- owner @{user_password_store_dirs}/protonmail-credentials/{,**} r,
+ owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r,
+ owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r,
 owner @{user_cache_dirs}/protonmail/{,**} rwk,
 owner @{user_config_dirs}/protonmail/{,**} rwk,
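Review bot: `@{lib}/protonmail/bridge/bridge-gui ix,` runs the GUI inside protonmail-bridge-core, although this same diff attaches a dedicated `protonmail-bridge` profile to exactly that path; with `ix` the GUI inherits the core's access to the credential store and its `pass` child, which undoes the separation the two profiles set up. `@{lib}/protonmail/bridge/bridge-gui rPx,` would keep it under its own profile. The profile body continues outside the hunk, so other exec rules may exist that I cannot see.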
@@ -39,15 +45,12 @@ profile protonmail-bridge-core @{exec_path} {
 owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw,
 owner @{tmp}/bridge@{int} rw,
- owner @{tmp}/etilqs_@{hex16} rw,
- owner /var/tmp/etilqs_@{hex16} rw,
 @{PROC}/ r,
+ @{PROC}/1/cgroup r,
 @{PROC}/sys/net/core/somaxconn r,
- @{PROC}/@{pid}/cgroup r,
- deny @{bin}/pass x,
- deny owner @{user_password_store_dirs}/** r,
+ deny owner @{user_passwordstore_dirs}/** r,
 profile pass {
 include
@@ -69,12 +72,13 @@ profile protonmail-bridge-core @{exec_path} {
 @{bin}/tail rix,
 @{bin}/tree rix,
 @{bin}/tty rix,
- @{bin}/which rix,
+ @{bin}/which{,.debianutils} rix,
- owner @{user_password_store_dirs}/ r,
- owner @{user_password_store_dirs}/.gpg-id r,
- owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw,
- deny owner @{user_password_store_dirs}/**/ r,
+ owner @{user_passwordstore_dirs}/ r,
+ owner @{user_passwordstore_dirs}/.gpg-id r,
+ owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw,
+ owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw,
+ deny owner @{user_passwordstore_dirs}/**/ r,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem
index f34992ccb..08b286b5a 100644
--- a/apparmor.d/profiles-m-r/ps-mem
+++ b/apparmor.d/profiles-m-r/ps-mem
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -17,7 +17,7 @@ profile ps-mem @{exec_path} {
 ptrace (read),
 @{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
 @{bin}/ r,
diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi
index e764b69f8..2ff7b4e71 100644
--- a/apparmor.d/profiles-m-r/psi
+++ b/apparmor.d/profiles-m-r/psi
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -18,6 +18,7 @@ profile psi @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
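Review bot: `deny owner @{user_passwordstore_dirs}/** r,` in the main profile overlaps the two allow rules for `docker-credential-helpers/{,**}` and `protonmail-credentials/{,**}` that the previous hunk renames; since an explicit deny takes precedence over an overlapping allow in AppArmor, those two allows look dead and the credential reads can only succeed from the `pass` child — unless I am misreading the nesting. If that is the intent, removing the two allow lines documents it; if the core itself must read those subtrees, the deny has to exclude them. The retained header comment still tells users to add this very deny in their local override, which no longer makes sense now that it is part of the shipped profile.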
@@ -34,7 +35,7 @@ profile psi @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, @@ -46,8 +47,6 @@ profile psi @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/ r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi/{,**} rw, owner @{user_config_dirs}/autostart/psi.desktop rw, owner @{user_config_dirs}/psi/ rw, @@ -56,10 +55,9 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index d9b1f7fd5..f72147cc6 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,6 +18,7 @@ profile psi-plus @{exec_path} { include include include + include include include include @@ -34,7 +35,7 @@ profile psi-plus @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, @@ -46,8 +47,6 @@ profile psi-plus @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/ r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi+/{,**} rw, owner @{user_config_dirs}/autostart/psi-plus.desktop rw, owner @{user_config_dirs}/psi+/ rw, 
@@ -56,10 +55,9 @@ profile psi-plus @{exec_path} {
 owner @{user_share_dirs}/psi+/** rwk,
 owner @{tmp}/#@{int} rw,
- owner @{tmp}/etilqs_@{hex16} rw,
 owner @{tmp}/Psi+.* rwl -> /tmp/#@{int},
- @{run}/systemd/inhibit/[0-9]*.ref rw,
+ @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-m-r/pulseeffects b/ap parmor.d/profiles-m-r/pulseeffects
index 0ef899263..e57e221dd 100644
--- a/apparmor.d/profiles-m-r/pulseeffects
+++ b/apparmor.d/profiles-m-r/pulseeffects
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile
new file mode 100644
index 000000000..105264ec2
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pycompile
@@ -0,0 +1,52 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean
+profile pycompile @{exec_path} flags=(attach_disconnected,complain) {
+ include
+ include
+ include
+ include
+
+ capability dac_override,
+ capability dac_read_search,
+
+ @{exec_path} mr,
+ @{python_path} rix,
+
+ @{bin}/dpkg rCx -> dpkg,
+
+ @{lib}/@{python_name}/**/__pycache__/ w,
+ @{lib}/@{python_name}/**/__pycache__/*.pyc w,
+ @{lib}/@{python_name}/**/__pycache__/*.pyc.* w,
+
+ /usr/share/python3/{,**} r,
+
+ / r,
+ @{bin}/ r,
+
+ profile dpkg {
+ include
+ include
+ include
+
+ capability dac_read_search,
+
+ @{bin}/dpkg mr,
+ @{bin}/dpkg-query rpx,
+
+ /etc/dpkg/dpkg.cfg.d/{,*} r,
+ /etc/dpkg/dpkg.cfg r,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index f9502cf75..e0d430443 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
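Review bot: `profile pycompile @{exec_path} flags=(attach_disconnected,complain) {` ships the new profile in complain mode, so none of the rules below is enforced and a denial is only logged; that is a reasonable way to land a profile for a tool invoked from dpkg maintainer scripts, but it should be visible and time-bound. A comment above the header such as `# Complain mode until the py3compile/dpkg-query access pattern is confirmed — TODO switch to enforce` records the reason. `capability dac_override,` in the parent also deserves a one-line justification, given that it lets the process bypass file permissions everywhere the file rules allow.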
@@ -3,17 +3,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include - include include include - include include include include @@ -29,7 +27,7 @@ profile qbittorrent @{exec_path} { include include - signal send set=(term, kill) peer=qbittorrent//python3, + signal send set=(term, kill) peer=qbittorrent//python, network inet dgram, network inet6 dgram, @@ -42,7 +40,7 @@ profile qbittorrent @{exec_path} { interface=org.kde.StatusNotifierItem member={NewToolTip,NewIcon} peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member=Activate @@ -52,12 +50,12 @@ profile qbittorrent @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - + dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member=ItemsPropertiesUpdated peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/MenuBar interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} @@ -68,7 +66,7 @@ profile qbittorrent @{exec_path} { @{exec_path} mr, @{open_path} rPx -> child-open, - @{bin}/python3.@{int} rCx -> python, # For "search engine" + @{python_path} rCx -> python, # For "search engine" # Allowed apps to open @{bin}/ebook-viewer rPx, @@ -85,8 +83,6 @@ profile qbittorrent @{exec_path} { /usr/share/GeoIP/GeoIP.dat r, /usr/share/gvfs/remote-volume-monitors/{,*} r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw, owner @{user_config_dirs}/qBittorrent/ rw, 
@@ -131,13 +127,13 @@ profile qbittorrent @{exec_path} { network inet6 stream, network netlink raw, - @{bin}/python3.@{int} r, + @{python_path} r, - owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, + owner @{user_share_dirs}/{,data/}qBittorrent/nova@{int}/{,**} rw, owner @{user_torrents_dirs}/** r, - owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int}, # unconventional '_' tail + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/@{int}, owner /dev/shm/* rw, owner @{tmp}/@{int} rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 87bc84d51..5129f203b 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -51,7 +51,7 @@ profile qbittorrent-nox @{exec_path} { /dev/disk/by-label/ r, /dev/shm/#@{int} rw, - + deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use include if exists diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-m-r/qdbus similarity index 59% rename from apparmor.d/profiles-s-z/uuidd rename to apparmor.d/profiles-m-r/qdbus index c98d8175f..6816079ac 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-m-r/qdbus @@ -2,17 +2,18 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/uuidd -profile uuidd @{exec_path} { +@{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus +profile qdbus @{exec_path} { include + include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 958706374..f8fd84d3f 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga 
@@ -2,46 +2,43 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/qemu-ga
+@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin
 profile qemu-ga @{exec_path} {
 include
- include
-
- capability mknod,
- capability net_admin,
- capability sys_ptrace,
-
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- ptrace (read) peer=@{p_systemd},
-
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member={ScheduleShutdown,SetWallMessage}
- peer=(name=org.freedesktop.login1, label=systemd-logind),
 @{exec_path} mr,
- @{bin}/systemctl rix,
+ @{bin}/systemctl Cx -> systemctl,
 /etc/qemu/qemu-ga.conf r,
- owner @{run}/qga.state* rw,
+ owner @{run}/qga.state rw,
+ owner @{run}/qga.state.@{rand6} rw,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
- @{PROC}/sys/vm/max_map_count r,
- owner @{PROC}/@{pid}/net/dev r,
+ @{PROC}/sys/vm/max_map_count r,
 /dev/vport@{int}p@{int} rw,
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+
+ unix type=stream addr=@@{udbus}/bus/shutdown/system,
+
+ #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi
index 911519459..d02ff9426 100644
--- a/apparmor.d/profiles-m-r/qnapi
+++ b/apparmor.d/profiles-m-r/qnapi
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -55,7 +55,6 @@ profile qnapi @{exec_path} {
 /tmp/ r,
 owner @{tmp}/@{hex}.* rw,
- owner @{tmp}/** rw,
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int},
 owner @{tmp}/QNapi-*-rc.lock rwk,
diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview
index e1ff13a92..f743e95b3 100644
--- a/apparmor.d/profiles-m-r/qpdfview
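Review bot: The new `systemctl` child carries `capability net_admin,`, a unix socket rule and a `#aa:dbus talk` directive, but no rule granting `@{bin}/systemctl mr,` is visible in it; unless one of its two includes (abstraction names are stripped in this rendering) provides that, the `Cx -> systemctl` transition will fail at exec time. The rewrite also drops `capability mknod`, `capability sys_ptrace`, the `ptrace (read) peer=@{p_systemd}` rule and the network rules from the parent, which is a real tightening for an agent that executes commands on behalf of the host; a one-line comment recording that these were removed deliberately would stop a later denial from being "fixed" by re-adding the capabilities wholesale.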
+++ b/apparmor.d/profiles-m-r/qpdfview @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index 43964d950..880476b14 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,11 +28,6 @@ profile qt5ct @{exec_path} { owner @{user_config_dirs}/fontconfig/** rw, owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int}, - owner @{user_config_dirs}/kdeglobals r, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{PROC}/@{pid}/cmdline r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/qtchooser b/apparmor.d/profiles-m-r/qtchooser index 2202d8c5f..a2485b41d 100644 --- a/apparmor.d/profiles-m-r/qtchooser +++ b/apparmor.d/profiles-m-r/qtchooser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index e97bcc2ec..4b0d9b79c 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 1154ff337..73b8f7488 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss 
@@ -3,29 +3,24 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/quiterss profile quiterss @{exec_path} { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include include + include + include + include + include + include + include + include + include + include + include network inet dgram, network inet6 dgram, @@ -36,9 +31,14 @@ profile quiterss @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, /usr/share/quiterss/** r, + + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/QuiteRss/ rw, owner @{user_config_dirs}/QuiteRss/** rwkl -> @{user_config_dirs}/QuiteRss/**, owner @{user_share_dirs}/QuiteRss/ rw, 
@@ -46,55 +46,19 @@ profile quiterss @{exec_path} {
 owner @{user_cache_dirs}/QuiteRss/ rw,
 owner @{user_cache_dirs}/QuiteRss/** rwl -> @{user_cache_dirs}/QuiteRss/**,
- owner @{PROC}/@{pid}/fd/ r,
- deny @{PROC}/sys/kernel/random/boot_id r,
- deny owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
+ owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw,
+ owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk,
- /etc/fstab r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- /usr/share/hwdata/pnp.ids r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
 /dev/shm/#@{int} rw,
- owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw,
- owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk,
- owner /var/tmp/etilqs_@{hex16} rw,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
- # file_inherit
 owner /dev/tty@{int} rw,
-
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
-
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr
index c3a4a8a22..81f43b3e6 100644
--- a/apparmor.d/profiles-m-r/rdmsr
+++ b/apparmor.d/profiles-m-r/rdmsr
@@ -3,11 +3,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/rdmsr
+@{exec_path} = @{sbin}/rdmsr
 profile rdmsr @{exec_path} {
 include
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina
index dcee35f62..80e58fd7c 100644
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
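Review bot: `@{PROC}/sys/kernel/random/boot_id r,` and `owner @{PROC}/@{pid}/cmdline r,` replace explicit `deny` rules with allows, reversing an earlier decision to keep the boot id — a stable per-boot machine identifier — out of the feed reader's reach; if the denials were merely noisy, keeping `deny` (which also silences the audit entry) would have widened nothing. If the reads are now needed, a short comment explaining why is warranted. Replacing the local `open` child with `@{open_path} rPx -> child-open,` in the previous hunk also drops the explicit `@{lib}/firefox/firefox rPUx,` rule, which is fine only if child-open covers browser launch.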
@@ -2,54 +2,60 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{bin}/remmina
 profile remmina @{exec_path} {
 include
- include
+ include
+ include
 include
 include
- include
 include
- include
- include
+ include
 include
 include
- include
- include
+ include
+ include
 include
 include
+ include
+ include
 include
- include
+ include
+ include
 network inet stream,
 network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
 network netlink raw,
- #aa:dbus own bus=session name=org.remmina.Remmina
+ #aa:dbus own bus=session name=org.remmina.Remmina interface+=org.gtk.Actions
+ #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
+ #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
- dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**}
- peer=(name="{:*,org.freedesktop.DBus}"), # all interfaces and members
+ @{exec_path} rm,
- @{exec_path} r,
+ @{open_path} rPx -> child-open-browsers,
 /usr/share/remmina/{,**} r,
 /usr/share/themes/{,**} r,
- /etc/timezone r,
+ /etc/fstab r,
 /etc/ssh/ssh_config r,
 /etc/ssh/ssh_config.d/{,*} r,
- /etc/gtk-3.0/settings.ini r,
+ /etc/timezone r,
- owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
+ owner @{HOME}/@{XDG_SSH_DIR}/config r,
+ owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r,
+ owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw,
 owner @{user_cache_dirs}/remmina/{,**} rw,
 owner @{user_config_dirs}/autostart/remmina-applet.desktop r,
 owner @{user_config_dirs}/freerdp/known_hosts2 rwk,
- owner @{user_config_dirs}/gtk-3.0/bookmarks r,
 owner @{user_config_dirs}/remmina/{,**} rw,
 owner @{user_share_dirs}/remmina/{,**} rw,
@@ -58,6 +64,9 @@ profile remmina @{exec_path} {
 owner @{run}/user/@{uid}/keyring/ssh rw,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+
 include if exists
 }
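Review bot: Narrowing `owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,` to `config` and `known_hosts` keeps the private keys in the SSH directory out of Remmina's reach, a good change but a silent one: a connection configured with SSH-key authentication that points at a key file (rather than using the agent socket at `@{run}/user/@{uid}/keyring/ssh` in the next hunk) will now fail. A comment such as `# Private keys are reached through the ssh-agent socket, never read directly` next to the two rules records the intent. The profile body continues past the hunk, so a rule elsewhere may already cover this.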
diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 6f3ba2417..5ad84fb15 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,7 +27,7 @@ profile repo @{exec_path} { @{bin}/curl rix, @{bin}/env rix, @{bin}/git rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/uname rix, @{lib}/git{,-core}/git* rix, @@ -51,7 +51,7 @@ profile repo @{exec_path} { owner @{tmp}/ssh-*/ rw, owner /dev/shm/* rw, - owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/*, # unconventional '_' tail + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/*, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 4ef5e6b42..866b7cbfa 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -55,7 +55,6 @@ profile reprepro @{exec_path} { owner @{user_build_dirs}/pbuilder/result/*.deb r, owner @{user_build_dirs}/pbuilder/result/*.tar.* r, - profile gpg { include @@ -66,6 +65,7 @@ profile reprepro @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 114846812..38d482326 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/resize2fs +@{exec_path} = @{sbin}/resize2fs profile resize2fs @{exec_path} { include + include include include 
diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf
index 6dfe82b6e..8e39c7620 100644
--- a/apparmor.d/profiles-m-r/resolvconf
+++ b/apparmor.d/profiles-m-r/resolvconf
@@ -2,11 +2,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/resolvconf
+@{exec_path} = @{sbin}/resolvconf
 profile resolvconf @{exec_path} {
 include
 include
@@ -15,6 +15,7 @@ profile resolvconf @{exec_path} {
 @{sh_path} rix,
 @{bin}/cat rix,
+ @{bin}/cp rix,
 @{bin}/flock rix,
 @{bin}/mkdir rix,
 @{bin}/mv rix,
@@ -22,19 +23,34 @@ profile resolvconf @{exec_path} {
 @{bin}/rm rix,
 @{bin}/run-parts rix,
 @{bin}/sed rix,
+ @{bin}/systemctl rCx -> systemctl,
 @{lib}/resolvconf/list-records rix,
- /usr/lib/resolvconf/{,**} r,
+ @{lib}/resolvconf/{,**} r,
+ @{etc_rw}/resolv.conf.bak rw,
 @{etc_rw}/resolv.conf rw,
+ /etc/resolvconf.conf r,
 /etc/resolvconf/{,**} r,
 /etc/resolvconf/update.d/libc rix,
+ / r,
+
 owner @{run}/resolvconf/{,**} rw,
 owner @{run}/resolvconf/run-lock wk,
 /dev/tty rw,
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill
index f64dd20ba..c65298b27 100644
--- a/apparmor.d/profiles-m-r/rfkill
+++ b/apparmor.d/profiles-m-r/rfkill
@@ -3,11 +3,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/rfkill
+@{exec_path} = @{sbin}/rfkill
 profile rfkill @{exec_path} {
 include
@@ -15,8 +15,8 @@ profile rfkill @{exec_path} {
 /dev/rfkill rw,
- @{sys}/devices/@{pci}/rfkill[0-9]/{name,type} r,
- @{sys}/devices/platform/**/rfkill/rfkill[0-9]/{name,type} r,
+ @{sys}/devices/@{pci}/rfkill@{int}/{name,type} r,
+ @{sys}/devices/platform/**/rfkill/rfkill@{int}/{name,type} r,
 include if exists
 }
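Review bot: The new `systemctl` child grants `capability sys_ptrace,` as well as `capability net_admin,` but holds no file or exec rules of its own, and no `@{bin}/systemctl mr,` is visible in it (the same remark applies to the qemu-ga child earlier in this diff); unless an include supplies that, the `rCx -> systemctl` transition will fail. If `sys_ptrace` is only needed so systemctl can read other processes' /proc entries, a `ptrace (read)` rule plus the specific `@{PROC}/@{pid}/...` paths is narrower than the capability. The qemu-ga child does without `sys_ptrace`, so one of the two is probably over- or under-provisioned — worth checking against the denial that prompted it. `/ r,` in the parent is also added without a comment.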
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd
index 0f65d8f71..2e548d40c 100644
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@@ -3,15 +3,16 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/rngd
+@{exec_path} = @{sbin}/rngd
 profile rngd @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 capability dac_read_search,
 capability net_admin,
@@ -24,7 +25,6 @@ profile rngd @{exec_path} flags=(attach_disconnected) {
 /etc/conf.d/rngd r,
 /etc/machine-id r,
- /etc/{,opensc/}opensc.conf r,
 /var/lib/dbus/machine-id r,
 @{sys}/devices/virtual/misc/hw_random/rng_available r,
diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager
index 641217f56..7b48d57b1 100644
--- a/apparmor.d/profiles-m-r/rpi-imager
+++ b/apparmor.d/profiles-m-r/rpi-imager
@@ -3,29 +3,22 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{bin}/rpi-imager
-profile rpi-imager @{exec_path} {
+profile rpi-imager @{exec_path} flags=(complain) {
 include
 include
+ include
 include
- include
- include
 include
- include
- include
- include
- include
+ include
 include
- include
- include
 include
 include
 include
- include
 #capability sys_admin,
 # deny capability sys_nice,
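Review bot: `profile rpi-imager @{exec_path} flags=(complain) {` turns an existing enforcing profile into an audit-only one, so the pruning of includes that follows is never actually exercised by the kernel — anything they used to cover is now logged instead of denied. If the profile is being rebuilt on the new abstractions, a comment such as `# Complain mode while the abstraction migration is validated — TODO re-enforce` makes the downgrade visible, and the `#capability sys_admin,` / `# deny capability sys_nice,` lines kept commented out below suggest that audit is still open.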
@@ -42,18 +35,15 @@ profile rpi-imager @{exec_path} { @{bin}/lsblk rPx, /etc/fstab r, - /etc/X11/cursors/*.theme r, - /usr/share/hwdata/pnp.ids r, - /usr/share/X11/xkb/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, owner "@{user_cache_dirs}/Raspberry Pi/" rw, owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**", - owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/QtProject.conf r, + + owner "@{user_config_dirs}/Raspberry Pi/" rw, + owner "@{user_config_dirs}/Raspberry Pi/**" rwlk -> "@{user_config_dirs}/Raspberry Pi/**", owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/rredtool b/apparmor.d/profiles-m-r/rredtool index d8024b279..97e96d652 100644 --- a/apparmor.d/profiles-m-r/rredtool +++ b/apparmor.d/profiles-m-r/rredtool @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 423e7e41a..c5e5ac051 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd 
@@ -3,37 +3,36 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-# Debugging the syslogger can be difficult if it can't write to the file
-# that the kernel is logging denials to. In these cases, you can do the
-# following:
-# watch -n 1 'dmesg | tail -5'
-
-@{exec_path} = @{bin}/rsyslogd
+@{exec_path} = @{sbin}/rsyslogd
 profile rsyslogd @{exec_path} {
 include
- include
+ include
- capability chown, # For creating new log files and changing their owner/group
- capability net_admin, # For remote logs
- capability setgid, # For downgrading privileges
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
 capability setuid,
 capability sys_nice,
+ capability sys_tty_config,
 capability syslog,
+ network inet dgram,
+ network inet6 dgram,
+
+ signal receive set=hup peer=@{p_systemd},
+
 @{exec_path} mr,
+ @{sh_path} mr,
 @{lib}/@{multiarch}/rsyslog/*.so mr,
 /etc/rsyslog.conf r,
 /etc/rsyslog.d/{,**} r,
- /etc/CA/*.crt r,
- /etc/CA/*.key r,
-
 /var/log/** rw,
 /var/spool/rsyslog/ r,
 /var/spool/rsyslog/** rw,
@@ -46,6 +45,7 @@ profile rsyslogd @{exec_path} {
 @{PROC}/cmdline r,
 @{PROC}/kmsg r,
 @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon
index 21e715579..68837a52d 100644
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
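Review bot: `capability dac_override,` and `capability dac_read_search,` are added without the per-capability comments the old rules carried (`# For creating new log files ...`, `# For downgrading privileges`), and `dac_override` in particular lets the daemon bypass file permissions everywhere its file rules allow; a note like `capability dac_override, # Write to log files owned by other users/groups` keeps the justification next to the rule. `@{sh_path} mr,` grants map/read of the shell with no `x` permission, so it neither lets rsyslogd run scripts (omprog would need `rix` or a child profile) nor seems necessary for a plain read — its purpose is unclear from the hunk. Dropping `/etc/CA/*.key r,` (a TLS private key) and `capability net_admin,` is a welcome tightening that the commit message could mention.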
@@ -23,11 +23,6 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.RealtimeKit1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, # When applying policies to processes diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index d855c0a35..733573d6b 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/rtkitctl +@{exec_path} = @{sbin}/rtkitctl profile rtkitctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 8fe649ff5..e5d44e13a 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,10 +14,12 @@ profile run-parts @{exec_path} { include include - @{exec_path} mr, - + capability mknod, + + @{exec_path} mrix, + @{sh_path} rix, - @{bin}/anacron rix, + @{sbin}/anacron rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/nice rix, @@ -29,8 +31,9 @@ profile run-parts @{exec_path} { /etc/ r, /etc/anacrontab r, /etc/conf.d/snapper{,**} r, + /etc/default/* r, + /etc/profile.d/{,**} r, /etc/snapper/configs/root r, - # Crontab /etc/cron.{hourly,daily,weekly,monthly}/ r, 
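Review bot: `capability mknod,` is added to the run-parts profile itself, and since nearly every helper in this hunk runs `rix` (`@{exec_path} mrix`, `@{sh_path} rix`, `@{sbin}/anacron rix`, cat, date, nice), each of them inherits that capability; run-parts does not create device nodes, so this presumably serves some cron script that is not named. Move it to that script's own profile if one exists, or at least record the consumer: `# mknod: required by a cron job, inherited by every rix child`. A short comment on why run-parts now re-executes itself (`mrix`) would also help the next reader.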
@@ -43,7 +46,6 @@ profile run-parts @{exec_path} { /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx, /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx, /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, @@ -56,6 +58,7 @@ profile run-parts @{exec_path} { /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx, + /etc/cron.{hourly,daily,weekly,monthly}/snapper rPUx, /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx, /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx, /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx, 
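Review bot: The new `/etc/cron.{hourly,daily,weekly,monthly}/snapper rPUx,` falls back to unconfined when no profile attaches to the snapper cron script, unlike the neighbouring `plocate`, `popularity-contest` and `sysstat` entries that use `rPx`; a root cron job running unconfined is exactly what this profile exists to avoid. If a profile for the snapper cron script is part of the set, prefer `rPx`; if not, add a comment so the fallback is a recorded decision rather than an accident.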
@@ -104,140 +107,39 @@ profile run-parts @{exec_path} { # Motd /etc/update-motd.d/ r, - /etc/update-motd.d/* rCx -> motd, - - # Kernel - /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel, - - /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, - /etc/kernel/postinst.d/dkms rCx -> kernel, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, - /etc/kernel/postinst.d/zz-shim rCx -> kernel, - /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, + /etc/update-motd.d/* rPx, + # Kernel + /etc/kernel/{,header_}postinst.d/ r, + /etc/kernel/{,header_}postinst.d/* rPx, /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, - + /etc/kernel/postrm.d/* rPx, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel, - + /etc/kernel/preinst.d/* rPx, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel, + /etc/kernel/prerm.d/* rPx, + # Finalrd /usr/share/finalrd/ r, - /usr/share/finalrd/mdadm.finalrd rPUx, - /usr/share/finalrd/open-iscsi.finalrd rPUx, + /usr/share/finalrd/mdadm.finalrd rPUx, + /usr/share/finalrd/open-iscsi.finalrd rPUx, - /usr/share/landscape/landscape-sysinfo.wrapper rPUx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + /root/ r, + + /var/spool/anacron/cron.daily k, owner @{tmp}/#@{int} rw, - owner @{tmp}/$anacron* rw, - owner @{tmp}/file@{rand6} ra, - - owner @{sys}/class/power_supply/ r, + owner @{tmp}/$anacron@{rand6} rw, + owner @{tmp}/file@{rand6} rw, + + owner @{sys}/class/power_supply/ r, + + @{run}/motd.dynamic.new w, /dev/tty@{int} rw, - profile motd { - include - include - - @{sh_path} rix, - @{bin}/{e,}grep rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/find rix, - @{bin}/head rix, - @{bin}/id rix, - @{bin}/sort rix, - @{bin}/tr rix, - 
@{bin}/uname rix, - - @{bin}/snap rPUx, - @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, - @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, - @{lib}/update-notifier/update-motd-reboot-required rix, - /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, - /usr/share/update-notifier/notify-updates-outdated rPx, - - / r, - /etc/default/motd-news r, - /etc/lsb-release r, - /etc/update-motd.d/* r, - - /var/cache/motd-news rw, - /var/lib/update-notifier/updates-available r, - /var/lib/ubuntu-advantage/messages/motd-esm-announce r, - - @{run}/motd.d/{,*} r, - - @{PROC}/@{pids}/mounts r, - - /dev/tty@{int} rw, - } - - profile kernel { - include - include - include - - capability sys_module, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,m,g}awk rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kmod rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/apt-config rPx, - @{bin}/dkms rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, - @{bin}/update-grub rPUx, - @{bin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, - - @{lib}/modules/*/updates/ w, - @{lib}/modules/*/updates/dkms/ w, - - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - - # For shell pwd - / r, - /boot/ r, - - /etc/apt/apt.conf.d/ r, - /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, - - @{run}/reboot-required w, - @{run}/reboot-required.pkgs rw, - - @{PROC}/devices r, - @{PROC}/cmdline r, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/runit-helper b/apparmor.d/profiles-m-r/runit-helper new file mode 100644 index 000000000..94b3816c9 --- /dev/null +++ b/apparmor.d/profiles-m-r/runit-helper 
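Review bot: Replacing the `motd` and `kernel` child profiles with `/etc/update-motd.d/* rPx,` and `/etc/kernel/{,header_}postinst.d/* rPx,` turns every hook without a profile of its own into a hard exec denial, where the old `rCx` children confined unknown hooks instead; for kernel postinst hooks that can abort a package upgrade mid-way. The hunk does not show which profiles those hooks attach to, so at minimum state the expectation above the globs: `# Every hook needs its own profile; unprofiled hooks are denied`. `/var/spool/anacron/cron.daily k,` grants a lock with no open permission, which only works on a descriptor already opened by the caller; a `# lock on the fd inherited from anacron` comment would make that dependency explicit.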
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/runit-helper/runit-helper +profile runit-helper @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/mkdir rix, + + @{run}/runit/ rw, + @{run}/runit/supervise/ w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 97100f32a..4bd569955 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -3,50 +3,37 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/runuser +@{exec_path} = @{sbin}/runuser profile runuser @{exec_path} { include - include include + include include include - # To remove the following errors: - # runuser: cannot set user id: Operation not permitted capability setuid, - - # To remove the following errrors: - # runuser: cannot set groups: Operation not permitted capability setgid, - - # To write records to the kernel auditing log. capability audit_write, - - # Needed? (#FIXME#) capability sys_resource, network netlink raw, @{exec_path} mr, - # Shells to use - @{bin}/{,b,d,rb}ash rpux, - @{bin}/{c,k,tc,z}sh rpux, - - owner @{PROC}/@{pid}/loginuid r, - @{PROC}/1/limits r, + @{bin}/@{shells} rUx, @{etc_ro}/security/limits.d/ r, - /etc/default/runuser r, - # file_inherit owner @{tmp}/debian-security-support.postinst.*/output w, + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 956aaeaa4..3e6791ddc 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -1,7 +1,8 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
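Review bot: In the runuser hunk, `@{bin}/@{shells} rUx,` replaces `rpux` and drops the profile-transition fallback: a shell started through runuser now always runs unconfined, even when a profile for that shell is loaded (as in full-system-policy builds), whereas the old rule tried the shell's profile first. Since runuser's purpose is to start a session as another user, `@{bin}/@{shells} rPUx,` keeps confinement when a profile exists and still scrubs the environment on the unconfined fallback. The removed `# Needed? (#FIXME#)` above `capability sys_resource,` was an open question; if it has been verified, replace it with the reason, otherwise keep the marker.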
@@ -9,9 +10,7 @@ include profile rustdesk @{exec_path} { include include - include include - include include include include @@ -34,9 +33,9 @@ profile rustdesk @{exec_path} { @{bin}/curl rix, @{bin}/ls rix, - @{bin}/sudo rCx -> sudo, - @{bin}/python3.@{int} rPx -> rustdesk_python, - @{sh_path} rPx -> rustdesk_shell, + @{bin}/sudo rCx -> sudo, + @{python_path} rCx -> python, + @{sh_path} rCx -> shell, /etc/gdm{,3}/custom.conf r, 
@@ -59,80 +58,72 @@ profile rustdesk @{exec_path} { profile sudo { include - include include + include @{bin}/rustdesk rPx, - @{bin}/python3.@{int} rPx -> rustdesk_python, + @{python_path} rPx -> rustdesk//python, include if exists } + profile python { + include + include + + capability dac_read_search, + capability dac_override, + + @{python_path} r, + + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/uname rix, + /usr/share/rustdesk/files/pynput_service.py rix, + + /usr/share/[rR]ust[dD]esk/files/{,**} r, + /tmp/[rR]ust[dD]esk/ w, + /tmp/[rR]ust[dD]esk/pynput_service rw, + + @{run}/user/@{uid}/gdm{,3}/Xauthority r, + + owner @{PROC}/@{pid}/fd/ r, + + # X-tiny + /tmp/.X11-unix/* rw, + owner @{HOME}/.xsession-errors w, + owner @{HOME}/.Xauthority r, + + include if exists + } + + profile shell { + include + + capability dac_override, + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{sh_path} r, + + @{bin}/tr rix, + @{bin}/{,e}grep rix, + @{bin}/tail rix, + @{bin}/xargs rix, + @{bin}/sed rix, + @{bin}/cat rix, + + @{bin}/ps rPx, + + @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + + include if exists + } + include if exists } -profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py { - include - - @{exec_path} r, - - include if exists -} - -profile rustdesk_python { - include - include - - capability dac_read_search, - capability dac_override, - - @{bin}/python3.@{int} r, - - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/uname rPx, - /usr/share/rustdesk/files/pynput_service.py rPx, - - /usr/share/[rR]ust[dD]esk/files/{,**} r, - /tmp/[rR]ust[dD]esk/ w, - /tmp/[rR]ust[dD]esk/pynput_service rw, - - @{run}/user/@{uid}/gdm{,3}/Xauthority r, - - owner @{PROC}/@{pid}/fd/ r, - - # X-tiny - /tmp/.X11-unix/* rw, - owner @{HOME}/.xsession-errors w, - owner @{HOME}/.Xauthority r, - - include if exists -} - -profile rustdesk_shell { - include - - capability sys_ptrace, - capability dac_read_search, - deny capability 
dac_override, - - ptrace (read), - - @{sh_path} r, - - @{bin}/tr rix, - @{bin}/{,e}grep rix, - @{bin}/tail rix, - @{bin}/xargs rix, - @{bin}/sed rix, - @{bin}/cat rix, - - @{bin}/ps rPx, - - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/environ r, - - include if exists -} - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk-utils b/apparmor.d/profiles-m-r/rustdesk-utils index 0707f9c8f..fc0c7d9bd 100644 --- a/apparmor.d/profiles-m-r/rustdesk-utils +++ b/apparmor.d/profiles-m-r/rustdesk-utils @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/rustdesk-utils +@{exec_path} = @{bin}/rustdesk-utils profile rustdesk-utils @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index ccbbb2494..3552b6dc0 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -37,10 +37,10 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/YACReader/YACReader/ rw, owner @{user_share_dirs}/YACReader/YACReader/** rwlk, - /dev/shm/ r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 418167345..e6c231df3 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary 
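Review bot: In the new `shell` child profile, `ptrace read,` has no `peer=` and `@{PROC}/@{pid}/environ r,` has no `owner`, so with `capability sys_ptrace` this shell can read the environment, and any secrets passed through it, of every process on the host; the replaced `rustdesk_shell` had the same proc rule but explicitly carried `deny capability dac_override,`, which this hunk flips into a grant. If the shell only inspects RustDesk's own processes, narrow it to `ptrace read peer=rustdesk,` and `owner @{PROC}/@{pid}/environ r,`, and put the reason for `dac_override` in a comment next to it. The `python` child likewise runs `/usr/share/rustdesk/files/pynput_service.py rix` in place of the former dedicated `rustdesk_pynput_service` profile, so that service's needs are now merged into the child without a note saying why.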
@@ -2,23 +2,27 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include include + include include + include + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink dgram, + network netlink raw, @{exec_path} mr, @@ -29,7 +33,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/machine-id r, - owner @{user_books_dirs}/{,**} r, + owner @{user_books_dirs}/{,**} rw, owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk, owner @{user_cache_dirs}/YACReader/ rw, @@ -43,7 +47,10 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{tmp}/@{uuid} w, + @{run}/mount/utab r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index d614330d2..aaf34d49c 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -38,33 +38,22 @@ profile s3fs @{exec_path} { profile fusermount { include - include - - capability dac_read_search, - capability sys_admin, + include network inet stream, network inet6 stream, mount fstype=fuse.s3fs -> @{MOUNTS}/, mount fstype=fuse.s3fs -> @{MOUNTS}/*/, - + umount @{MOUNTS}/, umount @{MOUNTS}/*/, - - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, owner @{tmp}/s3fstmp.* rw, - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index aadad6860..04ee747bf 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid 
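Review bot: `owner @{user_books_dirs}/{,**} rw,` widens the whole comic collection from read-only to writable, while the line just below already grants `rwk` on the `.yacreaderlibrary` metadata subtrees; unless the library edits the comic files themselves this is the broadest write in the profile and it arrives without a comment. If the write exists for renaming or moving comics from the UI, say so (`# write: rename/move comics from the library UI`); otherwise keep the collection at `r` and confine writes to the metadata directory.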
@@ -2,32 +2,29 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /{usr/,}{local/,}{s,}bin/sanoid +@{exec_path} = @{bin}/sanoid profile sanoid @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, @{sh_path} rix, @{bin}/perl rix, @{bin}/ps rPx, - /{usr/,}{local/,}{s,}bin/zfs rPx, + @{bin}/zfs rPx, - /etc/sanoid/{*,} r, + /usr/share/sanoid/{,**} r, - /var/cache/sanoid/snapshots.txt rw, + /etc/sanoid/{,*} r, - /usr/share/sanoid/{**,} r, + /var/cache/sanoid/{,**} rw, @{run}/sanoid/ rw, - @{run}/sanoid/sanoid_cacheupdate.lock rwk, - @{run}/sanoid/sanoid_pruning.lock rwk, - - owner @{tmp}/** rw, + @{run}/sanoid/** rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 938ecb638..a4fdbac88 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -2,13 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include + include capability dac_read_search, capability linux_immutable, @@ -18,11 +19,15 @@ profile sbctl @{exec_path} { @{bin}/lsblk rPx, /usr/share/secureboot/{,**} rw, + /var/lib/sbctl/{,**} rw, /{boot,efi}/{,**} r, /{boot,efi}/EFI/{,**} rw, /{boot,efi}/vmlinuz-linux* rw, @{lib}/fwupd/efi/{,**} rw, + @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, + + @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @@ -30,10 +35,6 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - /dev/pts/@{int} rw, - # File Inherit deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 8903fe287..83af575dd 100644 
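Review bot: In the sbctl hunk, `/var/lib/sbctl/{,**} rw,` grants read/write on what, from sbctl's defaults rather than from anything in this diff, is the directory holding the generated Secure Boot signing keys, alongside the older `/usr/share/secureboot/{,**} rw` line; the profile gives no hint that private key material lives there. A comment such as `# Secure Boot key store (private keys)` makes that sensitivity visible to whoever edits the profile next, and `@{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw,` deserves a matching `# re-sign systemd-boot image` note since it rewrites a signed bootloader.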
--- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,6 @@ profile scrcpy @{exec_path} { @{bin}/adb rPx, /usr/share/scrcpy/{,*} r, - /usr/share/icons/{,**} r, /etc/machine-id r, @@ -34,6 +33,8 @@ profile scrcpy @{exec_path} { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{PROC}/@{pid}/cmdline r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index 377bb7962..9573da520 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/sdcv b/apparmor.d/profiles-s-z/sdcv index cfc6c1b3c..4f6b26e39 100644 --- a/apparmor.d/profiles-s-z/sdcv +++ b/apparmor.d/profiles-s-z/sdcv @@ -3,7 +3,7 @@ # Copyright (C) 2023 Andy Ramos # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 3ded8b7ae..9c3f6d9df 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,7 +23,7 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/curl rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rPx, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 618332bce..ca2d43a65 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,19 +18,12 @@ profile sensors @{exec_path} { /etc/sensors.d/{,*} r, /etc/sensors3.conf r, + @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/**/hwmon*/{,**/} r, - @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r, - @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r, - @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r, - @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, + @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/ r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r, + @{sys}/devices/**/hwmon*/{,**} r, # file_inherit deny @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 5eececb0b..d21cf6f56 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/sensors-detect +@{exec_path} = @{sbin}/sensors-detect profile sensors-detect @{exec_path} { include include @@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} { capability syslog, @{exec_path} rm, - + @{bin}/kmod rCx -> kmod, @{bin}/perl r, @{bin}/systemctl rCx -> systemctl, 
@@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, @@ -50,7 +50,7 @@ profile sensors-detect @{exec_path} { include include - include if exists + include if exists } profile systemctl { diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop new file mode 100644 index 000000000..4fd9dff69 --- /dev/null +++ b/apparmor.d/profiles-s-z/session-desktop @@ -0,0 +1,47 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = {S,s}ession +@{domain} = org.chromium.Chromium +@{lib_dirs} = /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/session-messenger-desktop @{lib_dirs}/session-desktop +profile session-desktop @{exec_path} { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr, + + @{open_path} rPx -> child-open-strict, + + deny / r, + deny @{HOME}/ r, + deny @{HOME}/.pki/{,**} rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_cache_dirs}/thumbnails/** rw, + deny /etc/machine-id r, + deny /var/lib/dbus/machine-id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 25fe43065..019e89e23 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,6 +16,7 @@ profile setpci @{exec_path} flags=(complain) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/config w, include if exists } diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 79398e82d..7fdfddcbb 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/setvtrgb +@{exec_path} = @{sbin}/setvtrgb profile setvtrgb @{exec_path} { include include @@ -15,6 +15,8 @@ profile setvtrgb @{exec_path} { @{exec_path} mr, + /etc/console-setup/vtrgb r, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 5b75a27ef..05ab2273f 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -3,22 +3,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/sfdisk +@{exec_path} = @{sbin}/sfdisk profile sfdisk @{exec_path} { include + include include - # Needed to avoid the following error: - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) - # - # Checking that no-one is using this disk right now ... FAILED - # This disk is currently in use - repartitioning is probably a bad idea. - # Umount all file systems, and swapoff all swap partitions on this disk. - # Use the --no-reread flag to suppress this check. capability sys_admin, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index 00a8c7a56..4e68816d7 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk 
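Review bot: The sfdisk hunk removes the comment that justified `capability sys_admin,` (the BLKRRPART re-read-partition-table ioctl and the "disk is in use" check), leaving a broad capability with no rationale; the new include may document it, but its name is not visible here. Keep a one-liner above the capability: `# sys_admin: BLKRRPART ioctl to re-read the partition table after writing`.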
@@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/sgdisk +@{exec_path} = @{sbin}/sgdisk profile sgdisk @{exec_path} { include include diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop similarity index 51% rename from apparmor.d/groups/apps/signal-desktop rename to apparmor.d/profiles-s-z/signal-desktop index 6c8525f48..53f3d20b1 100644 --- a/apparmor.d/groups/apps/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -3,22 +3,29 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = signal-desktop{,-beta} -@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}" -@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}" +@{domain} = org.chromium.Chromium +@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} +@{config_dirs} = @{user_config_dirs}/Signal{,?Beta} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile signal-desktop @{exec_path} { +profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include + include + include + include include - include + include + include + include include + include network inet dgram, network inet6 dgram, 
@@ -26,25 +33,18 @@ profile signal-desktop @{exec_path} { network inet6 stream, network netlink raw, + ptrace read peer=signal-desktop//&xdg-settings, + @{exec_path} mrix, - @{bin}/getconf rix, - @{bin}/xdg-settings rPx, - - @{lib_dirs}/chrome-sandbox rPx, @{lib_dirs}/chrome_crashpad_handler rix, + @{lib_dirs}/chrome-sandbox rPx, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, + @{open_path} rPx -> child-open-strict, - @{run}/systemd/inhibit/*.ref rw, - - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/vmstat r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox similarity index 65% rename from apparmor.d/groups/apps/signal-desktop-chrome-sandbox rename to apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox index 8a5083143..51c625d53 100644 --- a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox +++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox @@ -3,12 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}" -@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}" +@{name} = signal-desktop{,-beta} +@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} +@{config_dirs} = @{user_config_dirs}/Signal{,?Beta} +@{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/chrome-sandbox profile signal-desktop-chrome-sandbox @{exec_path} { 
@@ -16,17 +18,20 @@ profile signal-desktop-chrome-sandbox @{exec_path} { capability sys_admin, capability sys_chroot, + capability dac_override, @{exec_path} mr, - @{lib_dirs}/signal-desktop{,-beta} rPx, + @{lib_dirs}/@{name} rPx, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/oom_adj w, @{PROC}/@{pid}/oom_score_adj w, + # Silencer + deny /dev/pts/@{int} rw, # file_inherit + include if exists } - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan new file mode 100644 index 000000000..a005708db --- /dev/null +++ b/apparmor.d/profiles-s-z/simple-scan @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/simple-scan +profile simple-scan @{exec_path} { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + + /usr/share/snmp/{,**} r, + + /etc/sane.d/{,**} r, + + @{sys}/bus/scsi/devices/ r, + @{sys}/devices/virtual/dmi/id/board_name r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/board_version r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + @{PROC}/scsi/scsi r, + + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index eb9866b53..1890510ae 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -4,7 +4,7 @@ # https://github.com/SagerNet/sing-box -abi , +abi , include @@ -12,7 +12,6 @@ include profile sing-box @{exec_path} { include include - include capability net_bind_service, 
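Review bot: `capability dac_override,` is added to the setuid `chrome-sandbox` helper's profile, which already holds `sys_admin` and `sys_chroot`; with dac_override the helper can open any file regardless of mode bits, a large widening for a root helper whose only job is to set up namespaces and exec `@{lib_dirs}/@{name}`. The hunk does not say which denial motivated it; record the path that fails without it next to the capability, and check whether a single file rule would suffice instead. The `deny /dev/pts/@{int} rw, # file_inherit` silencer is fine as is.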
@@ -31,8 +30,6 @@ profile sing-box @{exec_path} { owner @{user_share_dirs}/certmagic/** rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index 0ec43cc9b..ed4dd8d5e 100644 --- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,7 @@ include profile slirp4netns @{exec_path} flags=(attach_disconnected) { include - # userns, + userns, capability net_admin, capability setpcap, diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp new file mode 100644 index 000000000..740af9b7b --- /dev/null +++ b/apparmor.d/profiles-s-z/slurp @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/slurp +profile slurp @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/icons/{,**} r, + + # often used in combination with grim screen cature tool + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 6487e82e3..d025d160b 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/smartctl +@{exec_path} = @{sbin}/smartctl profile smartctl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index 4548813bf..60a77a782 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd 
@@ -4,21 +4,19 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/smartd +@{exec_path} = @{sbin}/smartd profile smartd @{exec_path} { include include include - capability sys_rawio, + capability net_admin, capability sys_admin, - - # Needed? - audit capability net_admin, + capability sys_rawio, @{exec_path} mr, @@ -41,8 +39,6 @@ profile smartd @{exec_path} { /var/lib/smartmontools/smartd.*.state{,~} rw, /var/lib/smartmontools/attrlog.*.csv rw, - /tmp/tmp.* rw, - @{run}/systemd/notify rw, @{sys}/class/scsi_host/ r, diff --git a/apparmor.d/profiles-s-z/smbspool b/apparmor.d/profiles-s-z/smbspool index 010226342..a0d9600ad 100644 --- a/apparmor.d/profiles-s-z/smbspool +++ b/apparmor.d/profiles-s-z/smbspool @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index d8de18f20..858c73637 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,22 +12,13 @@ profile smplayer @{exec_path} { include include include - include + include include - include - include - include - include + include include - include include include include - include - include - - # Needed for hardware decoding - ##include signal (send) set=(term, kill), signal (receive) set=(term, kill), @@ -44,7 +35,7 @@ profile smplayer @{exec_path} { @{bin}/pacmd rPx, @{bin}/smtube rPx, @{bin}/youtube-dl rPx, - @{bin}/yt-dlp rPx, + @{bin}/{y,}t-dlp rPx, /usr/share/hwdata/pnp.ids r, 
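Review bot: In the smartd hunk, `audit capability net_admin,` with its `# Needed?` comment becomes a plain `capability net_admin,`, so the open question is resolved as "yes" while the audit record that would have shown whether it ever fires is removed at the same time. If logs confirmed the capability is exercised, keep the grant but add the reason (`# net_admin: ...`); if they did not, keep `audit` on the line until it is confirmed.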
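Review bot: In the smplayer hunk, `@{bin}/{y,}t-dlp rPx,` expands to `yt-dlp` and `t-dlp`; the previous line matched only `yt-dlp`, `youtube-dl` already has its own rule just above, and nothing in the diff suggests a `t-dlp` binary exists, so this reads as a typo. Restore `@{bin}/yt-dlp rPx,` unless the second name is real, in which case a comment naming the package that ships it would stop the next reader from "fixing" it.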
@@ -62,8 +53,6 @@ profile smplayer @{exec_path} { owner @{user_config_dirs}/smplayer/ rw, owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#@{int}, - owner @{user_cache_dirs}/#@{int} rw, - owner @{tmp}/qtsingleapp-smplay-* rw, owner @{tmp}/qtsingleapp-smplay-*-lockfile rwk, owner @{tmp}/smplayer_preview/ rw, @@ -87,5 +76,4 @@ profile smplayer @{exec_path} { include if exists } - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index af761d43c..c318328b6 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -68,38 +68,11 @@ profile smtube @{exec_path} { @{bin}/youtube-dl rPUx, @{bin}/yt-dlp rPUx, - @{bin}/xdg-open rCx -> open, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, + @{open_path} rPx -> child-open, # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap deleted file mode 100644 index f59fd9226..000000000 --- a/apparmor.d/profiles-s-z/snap +++ /dev/null 
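Review bot: The smtube hunk replaces a local `open` subprofile that could launch only firefox with `@{open_path} rPx -> child-open,`, the shared opener profile whose allowed targets are not visible in this diff. Other profiles in this change pick the narrower variants (`child-open-strict` in spotify and superproductivity, `child-open-help` in snapshot and strawberry), so given the previous single-target allowlist `@{open_path} rPx -> child-open-strict,` looks like the closer replacement unless smtube genuinely needs the general opener. A short comment on why the wider profile was chosen would settle it either way.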
@@ -1,115 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin}
-@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
-
-@{exec_path} = @{bin_dirs}/snap
-profile snap @{exec_path} {
- include
- include
- include
- include
- include
- include
-
- capability dac_read_search,
- capability setuid,
- capability sys_admin,
-
- network netlink raw,
-
- unix (send, receive) type=stream peer=(label=apt),
-
- mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
-
- #aa:dbus own bus=session name=io.snapcraft.Launcher
- #aa:dbus own bus=session name=io.snapcraft.Settings
-
- #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
-
- dbus send bus=session path=/org/freedesktop/portal/documents
- interface=org.freedesktop.portal.Documents
- member=GetMountPoint
- peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
-
- @{exec_path} mrix,
-
- @{bin}/mount rix,
-
- @{bin}/gpg{,2} rCx -> gpg,
- @{bin}/systemctl rCx -> systemctl,
-
- @{lib_dirs}/snapd/snap-confine rPx,
- @{lib_dirs}/snapd/snap-seccomp rPx,
- @{lib_dirs}/snapd/snapd rPx,
-
- /etc/fstab r,
-
- /var/lib/snapd/{,**} rwk,
- /var/cache/snapd/commands.db rwk,
- /var/cache/snapd/names r,
-
- @{DESKTOP_HOME}/snap/{,**} rw,
- @{HOME}/snap/{,**} rw,
- /snap/{,**} rw,
-
- owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,
-
- @{run}/user/@{uid}/bus rw,
- owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
- owner @{run}/user/@{uid}/gdm/Xauthority r,
- owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
- owner @{run}/user/@{uid}/systemd/notify rw,
-
- @{run}/mount/utab r,
- @{run}/snapd.socket rw,
-
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- @{sys}/kernel/security/apparmor/features/{,**} r,
-
- @{PROC}/@{pids}/cgroup r,
- @{PROC}/@{pids}/mountinfo r,
- @{PROC}/cgroups r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/random/uuid r,
- @{PROC}/sys/kernel/seccomp/actions_avail r,
- @{PROC}/version r,
- owner @{PROC}/@{pid}/mounts r,
-
- /dev/tty@{int} rw,
- /dev/ttyS@{int} rw,
-
- deny @{user_share_dirs}/gvfs-metadata/* r,
-
- profile gpg {
- include
-
- @{bin}/gpg{,2} mr,
-
- @{bin}/dirmngr rix,
- @{bin}/gpg-agent rix,
- @{bin}/gpg-connect-agent rix,
-
- owner @{HOME}/.snap/gnupg/ rw,
- owner @{HOME}/.snap/gnupg/** rwkl,
-
- include if exists
- }
-
- profile systemctl {
- include
- include
-
- include if exists
- }
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/snap-bootstrap b/apparmor.d/profiles-s-z/snap-bootstrap
deleted file mode 100644
index 71a4ad8f2..000000000
--- a/apparmor.d/profiles-s-z/snap-bootstrap
+++ /dev/null
@@ -1,18 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{lib}/snapd/snap-bootstrap
-profile snap-bootstrap @{exec_path} {
- include
-
- @{exec_path} mr,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/profiles-s-z/snapd-core-fixup
deleted file mode 100644
index fffbc4468..000000000
--- a/apparmor.d/profiles-s-z/snapd-core-fixup
+++ /dev/null
@@ -1,18 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{lib}/snapd/snapd.core-fixup.sh
-profile snapd-core-fixup @{exec_path} {
- include
-
- @{exec_path} mr,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot
new file mode 100644
index 000000000..91ca7cd69
--- /dev/null
+++ b/apparmor.d/profiles-s-z/snapshot
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# vim:syntax=apparmor
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/snapshot
+profile snapshot @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{open_path} rPx -> child-open-help,
+
+ owner @{user_pictures_dirs}/Camera/{,**} rw,
+ owner @{user_videos_dirs}/Camera/{,**} rw,
+
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/spacefm-auth b/apparmor.d/profiles-s-z/spacefm-auth
index 754908eac..60111288f 100644
--- a/apparmor.d/profiles-s-z/spacefm-auth
+++ b/apparmor.d/profiles-s-z/spacefm-auth
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker
deleted file mode 100644
index 33c02ce44..000000000
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ /dev/null
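Review bot: The new snapshot profile carries `# vim:syntax=apparmor` twice, once as the fourth header line and once as the trailing line, while the other new profiles in this change (slurp, speech-dispatcher, spotdl, sysstat-sa) keep only the trailing one. Dropping the header copy keeps the file consistent with them.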
@@ -1,184 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh}
-profile spectre-meltdown-checker @{exec_path} {
- include
- include
-
- # Needed to read the /dev/cpu/@{int}/msr device
- capability sys_rawio,
-
- # Needed to read system logs
- capability syslog,
-
- # Used by readlink
- capability sys_ptrace,
- ptrace (read),
-
- @{exec_path} r,
-
- @{bin}/ r,
- @{bin}/{,@{multiarch}-}objdump rix,
- @{bin}/{,@{multiarch}-}readelf rix,
- @{bin}/{,@{multiarch}-}strings rix,
- @{sh_path} rix,
- @{bin}/{,e}grep rix,
- @{bin}/{,g,m}awk rix,
- @{bin}/base64 rix,
- @{bin}/basename rix,
- @{bin}/bunzip2 rix,
- @{bin}/cat rix,
- @{bin}/ccache rCx -> ccache,
- @{bin}/cut rix,
- @{bin}/date rix,
- @{bin}/dd rix,
- @{bin}/dirname rix,
- @{bin}/dmesg rix,
- @{bin}/find rix,
- @{bin}/gunzip rix,
- @{bin}/gzip rix,
- @{bin}/head rix,
- @{bin}/id rix,
- @{bin}/iucode_tool rix,
- @{bin}/kmod rCx -> kmod,
- @{bin}/lzop rix,
- @{bin}/mktemp rix,
- @{bin}/mount rix,
- @{bin}/nproc rix,
- @{bin}/od rix,
- @{bin}/perl rix,
- @{bin}/pgrep rCx -> pgrep,
- @{bin}/rdmsr rix,
- @{bin}/readlink rix,
- @{bin}/rm rix,
- @{bin}/sed rix,
- @{bin}/seq rix,
- @{bin}/sort rix,
- @{bin}/stat rix,
- @{bin}/tail rix,
- @{bin}/tr rix,
- @{bin}/uname rix,
- @{bin}/unzip rix,
- @{bin}/xargs rix,
- @{bin}/xz rix,
- @{bin}/zstd rix,
-
- # To fetch MCE.db from the MCExtractor project
- @{bin}/wget rCx -> mcedb,
- @{bin}/sqlite3 rCx -> mcedb,
- owner @{tmp}/mcedb-* rw,
- owner @{tmp}/smc-* rw,
- owner @{tmp}/{,smc-}intelfw-*/ rw,
- owner @{tmp}/{,smc-}intelfw-*/fw.zip rw,
- owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
- owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,
-
- owner @{HOME}/.mcedb rw,
-
- /tmp/ r,
- owner @{tmp}/{config,kernel}-* rw,
-
- owner /dev/cpu/@{int}/cpuid r,
- owner /dev/cpu/@{int}/msr rw,
- owner /dev/kmsg r,
-
- /boot/ r,
- /boot/{config,vmlinuz,System.map}-* r,
-
- @{sys}/devices/system/cpu/vulnerabilities/* r,
- @{sys}/module/kvm_intel/parameters/ept r,
-
- @{PROC}/ r,
- @{PROC}/config.gz r,
- @{PROC}/cmdline r,
- @{PROC}/kallsyms r,
- @{PROC}/modules r,
-
- # find and denoise
- @{PROC}/@{pids}/{status,exe} r,
- @{PROC}/@{pids}/fd/ r,
- @{PROC}/*/ r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # For shell pwd
- /root/ r,
- /etc/ r,
-
- profile ccache {
- include
-
- @{bin}/ccache mr,
-
- @{lib}/llvm-[0-9]*/bin/clang rix,
- @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
- @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
-
- /media/ccache/*/** rw,
-
- /etc/debian_version r,
-
- include if exists
- }
-
- profile pgrep {
- include
- include
-
- include if exists
- }
-
- profile mcedb {
- include
- include
- include
- include
-
- deny capability net_admin,
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- @{bin}/wget mr,
- @{bin}/sqlite3 mr,
-
- /etc/wgetrc r,
- owner @{HOME}/.wget-hsts rwk,
- owner @{HOME}/.mcedb rw,
-
- /tmp/ r,
- owner @{tmp}/{,smc-}mcedb-* rwk,
- owner @{tmp}/{,smc-}intelfw-*/fw.zip rw,
-
- /usr/share/publicsuffix/public_suffix_list.* r,
-
- include if exists
- }
-
- profile kmod {
- include
- include
-
- capability sys_module,
-
- owner @{sys}/module/cpuid/** r,
- owner @{sys}/module/msr/** r,
-
- include if exists
- }
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher
new file mode 100644
index 000000000..0267d6889
--- /dev/null
+++ b/apparmor.d/profiles-s-z/speech-dispatcher
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/speech-dispatcher
+profile speech-dispatcher @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ @{sh_path} ix,
+ @{lib}/speech-dispatcher-modules/* ix,
+ @{lib}/speech-dispatcher/** r,
+ @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,
+
+ /etc/machine-id r,
+ /etc/speech-dispatcher/{,**} r,
+
+ owner @{user_config_dirs}/speech-dispatcher/{,**} r,
+
+ owner @{run}/user/@{uid}/speech-dispatcher/ rw,
+ owner @{run}/user/@{uid}/speech-dispatcher/** rwk,
+
+ owner /dev/shm/sem.@{rand6} rw,
+ owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6},
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest
index 511f32a96..7e9728fc9 100644
--- a/apparmor.d/profiles-s-z/speedtest
+++ b/apparmor.d/profiles-s-z/speedtest
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include
@@ -12,6 +12,7 @@ profile speedtest @{exec_path} { include include include + include network inet dgram, network inet6 dgram,
@@ -20,18 +21,16 @@ profile speedtest @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, @{bin}/uname rix, - owner @{PROC}/@{pid}/fd/ r, - - /usr/local/lib/python*/dist-packages/ r, - /etc/magic r, + owner @{PROC}/@{pid}/fd/ r, + include if exists }
diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
index 1847c93d7..58da03738 100644
--- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
+++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
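Review bot: The new speech-dispatcher profile grants `network inet stream,` and `network inet6 stream,` without a comment, while every other rule in the file points at the unix-socket path under `@{run}/user/@{uid}/speech-dispatcher/`. As far as I recall speechd's TCP listener is an opt-in configuration and the default transport is the unix socket, so if the inet rules exist for that mode a comment such as `# only needed when speechd is configured to listen on a TCP socket` above them documents the trade-off; if they were added to quiet a denial from something else, naming the cause is better than a blanket grant.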
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,10 +17,7 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { @{exec_path} mr, - @{lib}/gconv/gconv-modules r, - owner @{PROC}/@{pid}/stat r, - @{PROC}/sys/kernel/cap_last_cap r, include if exists } diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index c2fd27ced..2af3f99ae 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,18 +11,17 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include - include - include - include + include include + include + include include + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -31,19 +30,21 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=:*, label=gnome-shell), @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, - owner /dev/tty@{int} rw, + /dev/udmabuf rw, include if exists } diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index e9a8b6330..33957504c 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd 
@@ -2,21 +2,21 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/spice-vdagentd +@{exec_path} = @{sbin}/spice-vdagentd profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, @{exec_path} mr, - @{run}/systemd/journal/dev-log w, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r,
@@ -25,7 +25,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, - /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists
diff --git a/apparmor.d/profiles-s-z/spotdl b/apparmor.d/profiles-s-z/spotdl
new file mode 100644
index 000000000..be31bb0d0
--- /dev/null
+++ b/apparmor.d/profiles-s-z/spotdl
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 tpaau-17DB
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/spotdl
+profile spotdl @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+ @{python_path} r,
+
+ @{bin}/ffmpeg rPx,
+ @{bin}/ffprobe rPx,
+
+ owner @{user_music_dirs}/{,**} rwk,
+
+ owner @{HOME}/.spotdl/** rw,
+
+ owner @{user_cache_dirs}/spotdl/{,**} rw,
+ owner @{user_config_dirs}/spotdl/{,**} rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index db2e7ebe9..b04432e39 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
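Review bot: The second spice-vdagentd hunk removes `/dev/uinput rw,` while the first hunk adds an include whose name is not visible in this rendering. spice-vdagentd implements the guest's absolute pointer through a uinput device, so unless that new include supplies the access the daemon will lose input injection in enforce mode; please confirm the include covers it. Since uinput is an input-injection device, a profile-local rule with a why-comment (`/dev/uinput rw, # virtual absolute pointer for the guest`) is also easier to audit than access inherited from a shared abstraction.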
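Review bot: `owner @{HOME}/.spotdl/** rw,` in the new spotdl profile does not appear to cover the directory itself, unlike the `@{user_cache_dirs}/spotdl/{,**}` and `@{user_config_dirs}/spotdl/{,**}` rules two lines below, so creating `~/.spotdl/` on first run may be denied; `owner @{HOME}/.spotdl/{,**} rw,` matches the rest of the file. The same `/**`-only shape appears in the new swayimg profile (`owner @{user_config_dirs}/swayimg/** r,`), though for a read-only rule only listing the directory is lost.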
@@ -3,20 +3,32 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = spotify -@{lib_dirs} = /opt/spotify/ +@{domain} = org.chromium.Chromium +@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile spotify @{exec_path} { +profile spotify @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include include + include + include + include + include + include + include network inet dgram, network inet6 dgram, @@ -24,16 +36,30 @@ profile spotify @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Secret + member=RetrieveSecret + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mrix, - @{bin}/grep rix, + @{sh_path} mr, + @{bin}/{,e}grep rix, @{open_path} rPx -> child-open-strict, + /usr/local/lib/spotify-adblock.so mr, + /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, + owner @{HOME}/.tmp rw, + owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/spotify-adblock/* r, 
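Review bot: `owner @{HOME}/.tmp rw,` in the second spotify hunk is an unexplained, non-standard path sitting among otherwise well-named rules, and `/usr/local/lib/spotify-adblock.so mr,` lets the client map an unpackaged library from `/usr/local/lib`. Both look deliberate (the `/etc/spotify-adblock/*` rule already existed), but each deserves a why-comment so a later reader can tell intent from leftover denial noise, e.g. `# optional spotify-adblock shim installed outside the package (presumably preloaded)` above the `.so` rule, and a line saying which build touches `.tmp`.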
@@ -41,18 +67,16 @@ profile spotify @{exec_path} { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - - @{PROC}/pressure/* r, + @{PROC}/@{pid}/net/unix r, + @{PROC}/pressure/* r, + owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, - deny @{sys}/class/*/ r, - deny owner @{PROC}/@{pid}/clear_refs w, include if exists } diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 36f4c988d..2ce6b6b4d 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/ss +@{exec_path} = @{sbin}/ss profile ss @{exec_path} { include include @@ -16,7 +16,7 @@ profile ss @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace (read), # unconfined, TODO + ptrace read, network netlink raw, 
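Review bot: The third spotify hunk turns `deny owner @{PROC}/@{pid}/clear_refs w,` into an allow rule with no comment; the original deny was an explicit decision to silence that write, so the flip reads as accidental unless annotated, e.g. `owner @{PROC}/@{pid}/clear_refs w, # Chromium memory accounting, presumably`. In the same hunk `@{PROC}/@{pid}/net/unix r,` lacks the `owner` qualifier that the neighbouring `@{pid}` rules carry; `owner @{PROC}/@{pid}/net/unix r,` is consistent and no less functional for the process's own pid.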
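Review bot: The second ss hunk rewrites `ptrace (read), # unconfined, TODO` as `ptrace read,` and drops the TODO, but the rule is still unrestricted (no `peer=`), so the open question it recorded is hidden rather than resolved. ss reads other processes' fd tables for `-p`, so a peer restriction may well be impractical; in that case `ptrace read, # any peer: needed for -p` keeps the decision visible instead of silently accepting it.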
@@ -24,24 +24,23 @@ profile ss @{exec_path} { /etc/iproute2/{,**} r, - owner @{tmp}/*.ss rw, - owner @{HOME}/*.ss rw, + owner @{tmp}/*.ss rw, + owner @{HOME}/*.ss rw, + + @{sys}/fs/cgroup/{,**/} r, @{PROC} r, - @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/net/sockstat r, - owner @{PROC}/@{pids}/net/snmp r, - owner @{PROC}/@{pids}/net/unix r, + @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + owner @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/net/raw r, + owner @{PROC}/@{pids}/net/snmp r, + owner @{PROC}/@{pids}/net/sockstat r, owner @{PROC}/@{pids}/net/tcp r, owner @{PROC}/@{pids}/net/udp r, - - # [e]xtended - owner @{PROC}/@{pids}/mounts r, - @{sys}/fs/cgroup/{,**/} r, + owner @{PROC}/@{pids}/net/unix r, include if exists } diff --git a/apparmor.d/profiles-s-z/sslocal b/apparmor.d/profiles-s-z/sslocal index beff6a1e9..b71c97f55 100644 --- a/apparmor.d/profiles-s-z/sslocal +++ b/apparmor.d/profiles-s-z/sslocal @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/sslocal +@{exec_path} = @{bin}/sslocal profile sslocal @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssmanager b/apparmor.d/profiles-s-z/ssmanager index 7a89ea8bd..6165d433b 100644 --- a/apparmor.d/profiles-s-z/ssmanager +++ b/apparmor.d/profiles-s-z/ssmanager @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssmanager +@{exec_path} = @{bin}/ssmanager profile ssmanager @{exec_path} { include include 
diff --git a/apparmor.d/profiles-s-z/ssserver b/apparmor.d/profiles-s-z/ssserver index 51dc62837..11ca72434 100644 --- a/apparmor.d/profiles-s-z/ssserver +++ b/apparmor.d/profiles-s-z/ssserver @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssserver +@{exec_path} = @{bin}/ssserver profile ssserver @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssservice b/apparmor.d/profiles-s-z/ssservice index 1c62764b2..4e4642895 100644 --- a/apparmor.d/profiles-s-z/ssservice +++ b/apparmor.d/profiles-s-z/ssservice @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssservice +@{exec_path} = @{bin}/ssservice profile ssservice @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl index e1c7b9068..9555a9825 100644 --- a/apparmor.d/profiles-s-z/ssurl +++ b/apparmor.d/profiles-s-z/ssurl @@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssurl +@{exec_path} = @{bin}/ssurl profile ssurl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11 index 616b66963..85ec45d5c 100644 --- a/apparmor.d/profiles-s-z/start-pulseaudio-x11 +++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 26cf4027f..34f6d4724 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index a790e6b7b..ae22e1f1d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -3,15 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/strawberry -profile strawberry @{exec_path} { +profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -20,6 +21,7 @@ profile strawberry @{exec_path} { include include include + include include include @@ -36,10 +38,12 @@ profile strawberry @{exec_path} { @{exec_path} mr, - @{bin}/strawberry-tagreader rPx, + @{bin}/strawberry-tagreader rPx -> strawberry//&strawberry-tagreader, @{open_path} rPx -> child-open-help, + /etc/fstab r, + /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -50,6 +54,7 @@ profile strawberry @{exec_path} { owner @{user_config_dirs}/strawberry/ rw, owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int}, + owner @{user_config_dirs}/strawberryrc r, owner @{user_share_dirs}/strawberry/ rw, owner @{user_share_dirs}/strawberry/** rwk, 
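Review bot: `@{bin}/strawberry-tagreader rPx -> strawberry//&strawberry-tagreader,` in the third strawberry hunk introduces a stacked transition, and the first hunk adds the `mediate_deleted` flag, both without a comment; neither is common in this tree and the stacking syntax in particular is easy to misread as a typo. Consider `# stack the tagreader under strawberry so it keeps strawberry's restrictions on top of its own` above the exec rule, and a short note on which deleted-file access motivated `mediate_deleted`. Both hunks sit inside `profile strawberry`, whose body continues outside this hunk.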
@@ -64,7 +69,8 @@ profile strawberry @{exec_path} { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/kdsingleapp-*-strawberry w, + owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index 0e1aced4f..8de73c57c 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 0ba2694bd..b2074ba04 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,20 +21,17 @@ profile sudo @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - ptrace (read), + ptrace read, - signal (send,receive) peer=cockpit-bridge, - signal (send) peer=@{p_systemd}, - signal (send) set=(cont,hup,winch) peer=su, - signal (send) set=(winch) peer=child-pager, - signal (send) set=(winch) peer=journalctl, - signal (send) set=(winch) peer=pacman, + signal send set=(winch, hup, term), @{bin}/@{shells} rUx, @{lib}/** PUx, /opt/*/** PUx, /snap/snapd/@{int}@{bin}/snap rPUx, + /etc/default/locale r, + /var/db/sudo/lectured/ r, owner /var/db/sudo/lectured/@{uid} rw, owner /var/lib/extrausers/shadow r, @@ -44,6 +41,9 @@ profile sudo @{exec_path} flags=(attach_disconnected) { @{run}/ r, @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/?@{int}.ref rw, + + @{sys}/fs/cgroup/*.slice{,/*.slice}/*.service/cgroup.procs r, include if exists } 
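Review bot: The second sudo hunk collapses six peer-restricted signal rules into `signal send set=(winch, hup, term),` with no `peer=`, and in doing so silently drops two things: the `receive` direction from cockpit-bridge and `cont` from the set previously sent to su. If sudo must relay signals to children that run unconfined or under arbitrary profiles (the `rUx`/`PUx` rules just below), an unrestricted peer is understandable and deserves a comment saying so; the lost `receive` and `cont` cases look like functional regressions for cockpit and `sudo su` job control unless an abstraction now covers them. The new `@{sys}/fs/cgroup/*.slice{,/*.slice}/*.service/cgroup.procs r,` in the third hunk would also benefit from a line naming what reads it.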
diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity
new file mode 100644
index 000000000..f812fc570
--- /dev/null
+++ b/apparmor.d/profiles-s-z/superproductivity
@@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = super{p,P}roductivity Super?Productivity
+@{domain} = org.chromium.Chromium
+@{lib_dirs} = /opt/@{name}
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
+profile superproductivity @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ @{exec_path} mrix,
+
+ @{bin}/speech-dispatcher rPx,
+ @{open_path} rPx -> child-open-strict,
+
+ @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/swayimg b/apparmor.d/profiles-s-z/swayimg
new file mode 100644
index 000000000..a3ed158b1
--- /dev/null
+++ b/apparmor.d/profiles-s-z/swayimg
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/swayimg
+profile swayimg @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{user_config_dirs}/swayimg/** r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control
index 4cfa8ba96..eecb98b28 100644
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, @@ -23,7 +24,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-s-z/switcherooctl b/apparmor.d/profiles-s-z/switcherooctl index 9979c9246..538931554 100644 --- a/apparmor.d/profiles-s-z/switcherooctl +++ b/apparmor.d/profiles-s-z/switcherooctl @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile switcherooctl @{exec_path} { include include - #aa:dbus own bus=system name=net.hadess.SwitcherooControl + #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 4f6d1b38c..369046b6b 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,11 +14,11 @@ profile swtpm @{exec_path} { @{exec_path} mr, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw, - /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw, + /tmp/.swtpm_setup.pidfile.* rw, /tmp/@{int}/.lock rwk, /tmp/@{int}/TMP* rw, 
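Review bot: `capability sys_admin,` is added to switcheroo-control in the second hunk with no comment, and the new sysstat-sadc profile later in this change grants it the same way. CAP_SYS_ADMIN is the broadest capability a profile can hand out, so each grant should name the specific operation that triggered it (`capability sys_admin, # <operation seen in the denial>`); where the denial is not reproducible, `audit capability sys_admin,` keeps evidence flowing without widening the profile permanently.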
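Review bot: The swtpm hunk drops `/var/log/swtpm/libvirt/qemu/*-swtpm.log w,` while the replacement rules only cover the state directory; as far as I know libvirt starts swtpm with a per-domain log file at that path, so unless an include now provides it, logging will be denied in enforce mode. Switching the state files to `owner` and widening `*.permall` to `*` under that qualifier is a reasonable trade; the hunk's trailing context continues outside this view.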
diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl index c77810624..f1e41aa6e 100644 --- a/apparmor.d/profiles-s-z/swtpm_ioctl +++ b/apparmor.d/profiles-s-z/swtpm_ioctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/swtpm_localca b/apparmor.d/profiles-s-z/swtpm_localca index a9749c91f..dbe202581 100644 --- a/apparmor.d/profiles-s-z/swtpm_localca +++ b/apparmor.d/profiles-s-z/swtpm_localca @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index f4b01f0e0..5795ddfcc 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner @{tmp}/swtpm_setup.certs.*/ w, - owner @{tmp}/swtpm_setup.certs.*/*.cert rw, - owner @{tmp}/.swtpm_setup.pidfile* rw, + owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw, + owner @{tmp}/swtpm_setup.certs.@{rand6}/ w, + owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw, include if exists } diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index c90665cdf..fc30c5fd6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile syncoid @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mbuffer rix, @{bin}/perl rix, @{bin}/ps rPx, 
@@ -25,10 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - owner @{tmp}/** rw, - - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 50b04668b..d504b0c15 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -3,14 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/syncthing profile syncthing @{exec_path} { include + include + include include + include include network inet dgram, @@ -24,24 +27,21 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - /usr/share/mime/{,**} r, - - /etc/mime.types r, - - owner @{HOME}/ r, - owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk, - owner @{user_config_dirs}/syncthing/{,**} rwk, - owner @{user_state_dirs}/syncthing/{,**} rwk, + @{HOME}/ r, + @{HOME}/** rwk, /home/ r, @{user_sync_dirs}/{,**} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/@{pids}/net/route r, + @{PROC}/bus/pci/devices r, + @{PROC}/modules r, + @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, include if exists } diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa new file mode 100644 index 000000000..9dcc199bc --- /dev/null +++ b/apparmor.d/profiles-s-z/sysstat-sa 
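Review bot: The second syncthing hunk replaces three `owner`-qualified, directory-specific rules with `@{HOME}/ r,` and `@{HOME}/** rwk,`, which grant read, write and lock on every file under any user's home without the `owner` qualifier — a large widening of a profile whose synced folders are already covered by `@{user_sync_dirs}/{,**} rw,`. If the motivation is users adding arbitrary folders, `owner @{HOME}/** rwk,` plus a comment preserves the cross-user boundary that AppArmor adds on top of DAC; if it is only the relocated config and state paths, the previous specific rules should come back. Either way the reason deserves a comment, since this profile is the confinement a compromised syncthing would be held to.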
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/sysstat/sa{1,2} @{lib}/sysstat/debian-sa{1,2}
+profile sysstat-sa @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+ @{bin}/ r,
+
+ @{sh_path} rix,
+ @{bin}/date ix,
+ @{bin}/find ix,
+ @{bin}/{,e}grep ix,
+ @{bin}/rm ix,
+ @{bin}/sar.sysstat ix,
+ @{bin}/xargs ix,
+ @{lib}/sysstat/sadc Px,
+
+ /etc/sysstat/sysstat r,
+
+ /var/log/sysstat/ r,
+ /var/log/sysstat/** rw,
+
+ @{tmp}/#@{int} rw,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc
new file mode 100644
index 000000000..7d9143938
--- /dev/null
+++ b/apparmor.d/profiles-s-z/sysstat-sadc
@@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/sysstat/sadc +profile sysstat-sadc @{exec_path} { + include + include + + capability sys_admin, + + @{exec_path} mr, + + /etc/sensors.d/{,**} r, + /etc/sensors3.conf r, + + /var/log/sysstat/{,**} rwk, + + @{sys}/bus/i2c/devices/ r, + @{sys}/class/fc_host/ r, + @{sys}/class/hwmon/ r, + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/@{pci}/net/*/duplex r, + @{sys}/devices/**/hwmon@{int}/ r, + @{sys}/devices/**/name r, + @{sys}/devices/**/net/*/duplex r, + @{sys}/devices/**/net/*/speed r, + @{sys}/devices/virtual/net/*/duplex r, + @{sys}/devices/virtual/net/*/speed r, + + @{PROC}/@{pid}/net/* r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + @{PROC}/sys/fs/dentry-state r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inode-state r, + @{PROC}/sys/kernel/pty/nr r, + @{PROC}/tty/driver/serial r, + @{PROC}/uptime r, + @{PROC}/vmstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index ab36047f2..84f6d52d3 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,7 +28,7 @@ profile system-config-printer @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/cups/*/* rPUx, /usr/share/hplip/query.py rPUx, 
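Review bot: `capability sys_admin,` in the new sysstat-sadc profile is the broadest grant in the file, and nothing else in it shows what requires it — the remaining rules are read-only /proc and /sys paths plus `/var/log/sysstat/{,**} rwk,`. A trailing comment naming the operation that fails without it would let a later reviewer drop it once confirmed, e.g. `capability sys_admin, # TODO: needed for <operation>`; until that is known, `audit capability sys_admin,` would show whether the collector ever exercises it. The profile is complete within this hunk.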
@@ -46,8 +46,6 @@ profile system-config-printer @{exec_path} flags=(complain) { @{run}/cups/cups.sock rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{tmp}/* rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 0112b152a..71892b04e 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py profile system-config-printer-applet @{exec_path} { include + include include include @@ -19,7 +20,7 @@ profile system-config-printer-applet @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task index bd7f276a8..3cffb0748 100644 --- a/apparmor.d/profiles-s-z/task +++ b/apparmor.d/profiles-s-z/task @@ -2,7 +2,7 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,10 +23,7 @@ profile task @{exec_path} { @{exec_path} mr, @{sh_path} rix, - - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/sensible-editor rCx -> editor, + @{editor_path} rCx -> editor, /usr/share/{doc/,}task{warrior,}/** r, @@ -44,7 +41,7 @@ profile task @{exec_path} { include if exists } - + include if exists } diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index b96200dea..8a33649a0 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel 
@@ -3,79 +3,38 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include - include + include @{exec_path} r, - @{bin}/perl r, - @{sh_path} rix, - @{bin}/tempfile rix, - @{lib}/tasksel/tasksel-debconf rix, - - @{lib}/tasksel/tests/* rCx -> tasksel-tests, - - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{bin}/tempfile ix, + @{lib}/tasksel/tasksel-debconf ix, + @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/apt-cache rPx, - - @{bin}/debconf-apt-progress rPx, - - /usr/share/tasksel/** r, - - /usr/share/debconf/confmodule r, - - owner @{tmp}/file* w, + @{bin}/apt-cache Px, + @{bin}/debconf-apt-progress Px, + /usr/share/tasksel/{,**} r, profile tasksel-tests flags=(complain) { include + @{sh_path} rix, @{lib}/tasksel/tests/* r, - @{sh_path} rix, - - } - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/tasksel rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/taskwarrior-tui b/apparmor.d/profiles-s-z/taskwarrior-tui index f125c993d..8a02b8d04 100644 --- a/apparmor.d/profiles-s-z/taskwarrior-tui 
+++ b/apparmor.d/profiles-s-z/taskwarrior-tui @@ -2,7 +2,7 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop similarity index 58% rename from apparmor.d/groups/apps/telegram-desktop rename to apparmor.d/profiles-s-z/telegram-desktop index be043e150..c1544af72 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -3,23 +3,30 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/telegram-desktop +@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram profile telegram-desktop @{exec_path} { include include - include + include + include + include include + include + include include include + include include include include include + include include + include network inet dgram, network inet6 dgram, @@ -30,25 +37,25 @@ profile telegram-desktop @{exec_path} { @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, + @{open_path} rPx -> child-open-strict, + @{bin}/systemd-detect-virt rPx, - @{open_path} rPx -> child-open, - - /usr/share/TelegramDesktop/{,**} r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{user_share_dirs}/TelegramDesktop/ rw, + owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - owner @{tmp}/@{hex}-* rwk, - owner @{run}/user/@{uid}/@{hex}-* rwk, - owner /dev/shm/#@{int} rw, + owner @{tmp}/@{hex32}-?@{uuid}? rwk, + audit owner /dev/shm/#@{int} rw, + + @{sys}/kernel/mm/transparent_hugepage/enabled r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner /dev/tty@{int} rw, 
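Review bot: `audit owner /dev/shm/#@{int} rw,` in the telegram-desktop hunk turns on logging for every hit of that rule, and the rule it replaces (`owner /dev/shm/#@{int} rw,`) had no `audit`; nothing in the hunk says why the extra logging is wanted, and anonymous shared-memory access is frequent for a GUI client, so this is likely noisy. If it is a leftover from tracing the shm usage, drop the qualifier; if it is deliberate, keep it but say so: `audit owner /dev/shm/#@{int} rw, # TODO: audit kept on purpose — <reason>`. The enclosing profile telegram-desktop continues outside the hunk.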
diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 3f9ba6e25..e8a2533b9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -2,19 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/terminator profile terminator @{exec_path} flags=(attach_disconnected) { include - include + include include - include include include include + include include include @@ -22,12 +22,19 @@ profile terminator @{exec_path} flags=(attach_disconnected) { ptrace, + signal send set=hup peer=unconfined, + #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} rix, + @{python_path} rix, # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio new file mode 100644 index 000000000..52e9e53e6 --- /dev/null +++ b/apparmor.d/profiles-s-z/texstudio 
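Review bot: The new `dbus send bus=session path=/org/freedesktop/systemd1 ... member=StartTransientUnit` rule lets terminator ask the user's systemd instance to start an arbitrary transient unit, which then runs under systemd's confinement rather than this profile's. That is consistent with the existing `@{bin}/@{shells} rUx,` and its "not confined on purpose" comment, but the dbus rule deserves the same explanation — presumably this is the terminal widget placing the child shell in its own scope (confirm), e.g. `# Allow the child shell to be moved into its own transient scope`. `signal send set=hup peer=unconfined,` is likewise broad; if it only targets the terminal's own unconfined shell children, a short comment saying so helps. Both additions sit inside profile terminator, whose closing brace is outside the hunk.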
@@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/texstudio +profile texstudio @{exec_path} { + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/pdflatex ix, + @{bin}/pdftex ix, + @{bin}/kpsewhich ix, + @{bin}/gsettings ix, + @{bin}/which{,.debianutils} ix, + + /usr/share/texmf-dist/{,**} r, + /usr/share/doc/texstudio/{,**} r, + /usr/share/hunspell/{,**} r, + /usr/share/texstudio/{,**} r, + /usr/share/poppler/{,**} r, + + /etc/texmf/{,**} r, + /etc/machine-id r, + + /var/lib/texmf/{,**} r, + + owner @{user_config_dirs}/texstudio/{,**} rwlk, + owner /tmp/qtsingleapp-TeXstu-** rw, + owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk, + + ## silencer + deny owner /usr/share/hunspell/en_US-large.ign w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index fb848cb1c..bb0a1c37b 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -3,16 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include - include + include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 1e72d45ec..4c27ee2ca 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald 
@@ -4,19 +4,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/thermald +@{exec_path} = @{sbin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, - + #aa:dbus own bus=system name=org.freedesktop.thermald @{exec_path} mr, @@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { /etc/thermald/{,*} r, owner @{run}/thermald/ rw, - owner @{run}/thermald/thd_preference.conf rw, - owner @{run}/thermald/thd_preference.conf.save w, + owner @{run}/thermald/** rw, owner @{run}/thermald/thermald.pid rwk, @{sys}/class/hwmon/ r, @@ -38,7 +37,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/intel_pstate/no_turbo rw, @{sys}/devices/system/cpu/intel_pstate/status r, - @{sys}/devices/@{pci}/drm/**/intel_backlight/max_brightness r, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_max_uw r, @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_min_uw r, @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_tmax_us r, diff --git a/apparmor.d/profiles-s-z/thinkfan b/apparmor.d/profiles-s-z/thinkfan index 56a39736e..ddf7e1ff2 100644 --- a/apparmor.d/profiles-s-z/thinkfan +++ b/apparmor.d/profiles-s-z/thinkfan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index d6553d990..da163c2ae 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird 
@@ -3,72 +3,30 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = thunderbird{,.sh,-bin} +@{name} = thunderbird{,-bin} @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{HOME}/.@{name}/ @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile thunderbird @{exec_path} { +profile thunderbird @{exec_path} flags=(attach_disconnected) { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include + include include - - # userns, - - capability sys_admin, # If kernel.unprivileged_userns_clone = 1 - capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=@{profile_name}, + include #aa:dbus own bus=session name=org.mozilla.thunderbird - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={UserAdded,UserRemoved} - peer=(name=:*, label=systemd-logind), - - dbus receive bus=system - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mrix, - @{sh_path} rix, - @{bin}/which.debianutils rix, - - @{lib_dirs}/{,**} r, - @{lib_dirs}/*.so mr, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/thunderbird-wrapper-helper.sh rix, - @{lib_dirs}/vaapitest rPx, + @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, + @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, # GPG integration 
@@ -77,105 +35,40 @@ profile thunderbird @{exec_path} { @{bin}/gpgsm rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, @{open_path} rPx -> child-open, - # Allowed apps to open - @{bin}/engrampa rPx, - @{bin}/geany rPx, - @{bin}/qpdfview rPx, - @{bin}/viewnior rPUx, - @{brave_path} rPx, - @{chrome_path} rPx, - @{firefox_path} rPx, - @{opera_path} rPx, + # Extensions + @{bin}/SysTray-X rPUx, - /usr/share/@{name}/{,**} r, - /usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/lightning/{,**} r, - /usr/share/mozilla/extensions/{,**} r, - /usr/share/xul-ext/kwallet5/* r, - /etc/@{name}/{,**} r, - /etc/fstab r, - /etc/mailcap r, - /etc/mime.types r, - /etc/timezone r, - /etc/xul-ext/kwallet5.js r, - - owner /var/mail/* rwk, - - owner @{HOME}/ r, - - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/mimeapps.list.* rw, + owner /var/mail/** rwk, owner @{user_mail_dirs}/ rw, owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**, - owner @{config_dirs}/ rw, - owner @{user_config_dirs}/gtk-3.0/assets/* r, - owner @{config_dirs}/*/ rw, - owner @{config_dirs}/*/** rwk, - owner @{config_dirs}/installs.ini rw, - owner @{config_dirs}/profiles.ini rw, + owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, - - owner @{cache_dirs}/{,**} rw, - - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/@{name}{,_*}/ rw, - owner @{tmp}/@{name}{,_*}/* rwk, - owner @{tmp}/* rw, - owner @{tmp}/mozilla_*/ rw, - owner @{tmp}/mozilla_*/* rw, owner @{tmp}/MozillaMailnews/ rw, owner @{tmp}/MozillaMailnews/*.msf rw, - owner @{tmp}/Temp-@{uuid}/ rw, + owner @{tmp}/nscopy.tmp rw, + owner @{tmp}/nsemail{,-@{int}}.eml rw, + owner @{tmp}/nsma{,-@{int}} rw, + owner @{tmp}/pid-@{pid}/{,**} w, + owner 
@{tmp}/remote-settings-startup-bundle- rw, - @{run}/mount/utab r, - - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - - @{PROC}/@{pids}/net/arp r, - @{PROC}/@{pids}/net/route r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 - - /dev/shm/ r, - owner /dev/shm/org.chromium.* rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, - owner /dev/shm/wayland.mozilla.ipc.@{int} rw, - - /dev/tty rw, - - # file_inherit - owner /dev/tty@{int} rw, + /dev/urandom w, # Silencer - deny @{HOME}/.mozilla/** mrwkl, - deny @{config_dirs}/*.*/pepmda/ rw, - deny @{config_dirs}/*.*/pepmda/** rwklmx, + deny capability sys_ptrace, deny @{lib_dirs}/** w, - deny /dev/ r, - deny /dev/urandom w, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny @{lib_dirs}/crashreporter x, + deny @{lib_dirs}/minidump-analyzer x, + deny @{HOME}/.mozilla/** mrwkl, include if exists } diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 17fda9d56..53fdb1ffd 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
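Review bot: `@{bin}/SysTray-X rPUx,` lets the extension's native-messaging host fall back to unconfined when no profile named for it is loaded, which is the widest transition left in this profile; since the hunk introduces it under `# Extensions`, a note on why `PUx` rather than `Px` (no profile shipped for it yet?) would explain the choice and flag it for tightening later. The hunk also flips `/dev/urandom w` from `deny` to allow — harmless, but a short comment would tell the next reader which denial it silences. The enclosing profile thunderbird starts in the previous hunk.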
@@ -11,14 +11,19 @@ include @{config_dirs} = @{HOME}/.@{name}/ @{exec_path} = @{lib_dirs}/glxtest -profile thunderbird-glxtest @{exec_path} { +profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include include + include include + network netlink raw, + @{exec_path} mr, + / r, + owner @{config_dirs}/*/.parentlock rw, owner @{tmp}/thunderbird/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index 85c1a08cb..c93d14bd7 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{lib_dirs}/vaapitest -profile thunderbird-vaapitest @{exec_path} { +profile thunderbird-vaapitest @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index 2e44d0fab..8b6f0dc45 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index 776b843a3..737bc90f8 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp new file mode 100644 index 000000000..1592d3aee --- /dev/null +++ b/apparmor.d/profiles-s-z/tlp 
@@ -0,0 +1,120 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# Copyright (C) 2024 Barmogund +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/tlp +profile tlp @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + + capability dac_read_search, + capability sys_nice, + capability sys_rawio, + capability sys_tty_config, + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cp rix, + @{sbin}/ethtool rix, + @{bin}/flock rix, + @{bin}/{,e}grep rix, + @{sbin}/hdparm rPx, + @{bin}/head rix, + @{bin}/id rPx, + @{sbin}/iw rPx, + @{bin}/logger rix, + @{bin}/mktemp rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/systemctl rCx -> systemctl, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/udevadm rCx -> udevadm, + @{bin}/uname rix, + @{bin}/timeout rix, + /usr/share/tlp/tlp-readconfs rix, + + / r, + + /etc/tlp.d/ r, + /etc/tlp.d/** rw, + /etc/tlp.conf rw, + + /usr/share/tlp/{,**} r, + + /var/lib/tlp/{,**} rw, + /var/lib/power-profiles-daemon/state.ini rw, + + owner /tmp/tlp-run.conf_tmp@{rand6} rw, + + owner @{run}/tlp/{,**} rw, + owner @{run}/tlp/lock_tlp rwk, + + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + + @{sys}/bus/pci/devices/ r, + @{sys}/bus/pci/drivers/*/ r, + @{sys}/bus/platform/devices/ r, + @{sys}/class/drm/ r, + @{sys}/class/net/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/{,**/}power/control w, + @{sys}/devices/@{pci}/**/host@{int}/**/link_power_management_policy w, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/**/net/**/uevent r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, + 
@{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/net/**/uevent r, + @{sys}/firmware/acpi/platform_profile* rw, + @{sys}/firmware/acpi/pm_profile* rw, + @{sys}/module/*/parameters/power_save rw, + @{sys}/module/*/parameters/power_save_controller rw, + @{sys}/module/pcie_aspm/parameters/policy rw, + + owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw, + owner @{PROC}/sys/kernel/nmi_watchdog rw, + owner @{PROC}/sys/vm/dirty_*_centisecs rw, + owner @{PROC}/sys/vm/laptop_mode rw, + + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + + profile udevadm { + include + include + + @{run}/tlp/lock_tlp rw, # file_inherit + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb new file mode 100644 index 000000000..df4258b8c --- /dev/null +++ b/apparmor.d/profiles-s-z/tomb 
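Review bot: `/etc/tlp.d/** rw,` and `/etc/tlp.conf rw,` give tlp write access to its own configuration, and nothing else in the new profile shows a code path that writes there; a service that can rewrite the file governing its next run is harder to reason about, since a compromised instance could persist settings. If these files are only read (via `/usr/share/tlp/tlp-readconfs rix,`), narrow both to `r`; if a subcommand does write them, add a trailing comment naming it. Minor: `@{bin}/timeout rix,` breaks the alphabetical order the rest of the exec list follows (it sits after `@{bin}/uname rix,`).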
@@ -0,0 +1,134 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tomb +profile tomb @{exec_path} { + include + include + include + include + include + include + + capability chown, + capability fowner, + capability sys_ptrace, + capability sys_rawio, + + signal send set=cont peer=gpg, + signal send set=cont peer=pinentry-*, + + ptrace read peer=@{p_systemd_user}, + + @{exec_path} mr, + + @{bin}/{,e,f}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/chown rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dcfldd rix, + @{bin}/dd rix, + @{bin}/df rix, + @{bin}/dirname rix, + @{bin}/env rix, + @{bin}/file rix, + @{bin}/findmnt rix, + @{bin}/getent rix, + @{bin}/gettext rix, + @{bin}/head rix, + @{bin}/hostname rix, + @{bin}/id rix, + @{bin}/kill rix, + @{bin}/locate rix, + @{bin}/ls rix, + @{bin}/lsof rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/realpath rix, + @{bin}/recoll rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sha*sum rix, + @{bin}/shred rix, + @{bin}/sleep rix, + @{bin}/stat rix, + @{bin}/sudo rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/zsh rix, + @{sbin}/losetup rix, + + @{sbin}/btrfs rPx, + @{sbin}/cryptsetup rPUx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck rPx, + @{bin}/gpg{,2} rPx, + @{bin}/lsblk rPx, + @{sbin}/mkfs.* rPUx, + @{bin}/mount rPx, + @{bin}/pinentry rPx, + @{bin}/pinentry-* rPx, + @{bin}/qrencode rPx, + @{sbin}/resize2fs rPx, + @{bin}/tomb-kdb-pbkdf2 rPUx, + @{sbin}/tune2fs rPx, + @{bin}/umount rCx -> umount, + @{bin}/updatedb.mlocate rPx, + @{sbin}/zramctl rPx, + + /usr/share/file/** r, + /usr/share/terminfo/** r, + + @{MOUNTDIRS}/ rw, + @{MOUNTS}/ rw, + @{MOUNTS}/** w, + @{MOUNTS}/**/ rw, + owner @{MOUNTS}/.{host,last,tty,uid,cleanexit} rw, + + # TODO: access to tomb files and key. 
+ @{user_private_dirs}/**/*tomb* rw, + + /tmp/ r, + owner @{tmp}/@{int} rw, + owner @{tmp}/@{int}@{int} rw, + owner @{tmp}/zsh@{rand6} rw, + owner @{tmp}/zshm@{rand6} rw, + + @{sys}/devices/virtual/block/zram@{int}/backing_dev r, + + @{PROC}/swaps r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + + /dev/loop-control rw, + /dev/loop@{int} rw, + + profile umount { + include + include + + capability dac_read_search, + capability sys_admin, + + umount @{MOUNTS}/{,**/}, + + @{bin}/umount mr, + + owner @{run}/mount/utab r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/torify b/apparmor.d/profiles-s-z/torify index fcc4c9b98..c4cb88902 100644 --- a/apparmor.d/profiles-s-z/torify +++ b/apparmor.d/profiles-s-z/torify @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index 8d75133da..ad258189c 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,7 @@ profile torsocks @{exec_path} { @{sh_path} rix, @{bin}/* rPUx, @{lib}/uwt/uwtexec rPUx, - @{bin}/getcap rix, + @{sbin}/getcap rix, /etc/tor/torsocks.conf r, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem new file mode 100644 index 000000000..d1e429d45 --- /dev/null +++ b/apparmor.d/profiles-s-z/totem 
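Review bot: `@{MOUNTS}/** w,` carries no `owner` qualifier, so tomb may write to every file under every mount point, while the rule right after it, `owner @{MOUNTS}/.{host,last,tty,uid,cleanexit} rw,`, shows the marker files it actually manages; if the broad rule exists only so the user can populate a freshly mounted tomb, `owner @{MOUNTS}/** w,` keeps that to the invoking user. Separately, `@{sbin}/cryptsetup rPUx,`, `@{sbin}/mkfs.* rPUx,` and `@{bin}/tomb-kdb-pbkdf2 rPUx,` fall back to unconfined when no profile exists, and cryptsetup is the component handling the key material — a comment on which of these lack a profile today would make the `U` fallbacks easy to revisit. The existing `# TODO: access to tomb files and key.` already flags the `@{user_private_dirs}` rule, so this note is about the mount and exec rules only.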
@@ -0,0 +1,101 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/totem +profile totem @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + + network netlink raw, + + signal (send) set=(kill) peer=totem//bwrap, + + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.totem + #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus + #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + @{bin}/bwrap rCx -> bwrap, + @{open_path} rPx -> child-open-help, + + /usr/share/xml/iso-codes/{,**} r, + /usr/share/grilo-plugins/{,**} r, + /usr/share/thumbnailers/{,**} r, + + owner @{HOME}/ r, + owner @{MOUNTS}/ r, + + owner @{user_music_dirs}/{,**} rw, + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_torrents_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/{,**} r, + owner @{user_share_dirs}/grilo-plugins/ rw, + owner @{user_share_dirs}/grilo-plugins/** rwlk, + + owner @{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + profile bwrap flags=(attach_disconnected) { + include + include + include + include + include + include + + capability dac_override, + capability sys_ptrace, + + network inet dgram, + network inet6 dgram, + + @{bin}/bwrap mr, + @{bin}/totem-video-thumbnailer rix, + + /usr/share/ladspa/rdf/{,*} r, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, + + owner 
@{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, + owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + owner @{tmp}/gnome-desktop-thumbnailer.png rw, + + @{PROC}/sys/vm/mmap_min_addr r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm w, + + /dev/ r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index 673f46e32..b4666bb96 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat +++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile tpacpi-bat @{exec_path} { include @{exec_path} mr, - @{bin}/perl r, @{sh_path} rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission similarity index 65% rename from apparmor.d/profiles-s-z/transmission-gtk rename to apparmor.d/profiles-s-z/transmission index 40586fa03..9c4a8e673 100644 --- a/apparmor.d/profiles-s-z/transmission-gtk +++ b/apparmor.d/profiles-s-z/transmission @@ -2,17 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/transmission-gtk -profile transmission-gtk @{exec_path} { +@{exec_path} = @{bin}/transmission-{gtk,qt} +profile transmission @{exec_path} flags=(attach_disconnected) { include + include + include include include include include + include include include include 
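Review bot: The `bwrap` subprofile grants `capability dac_override,` and `capability sys_ptrace,` to the sandbox that runs `@{bin}/totem-video-thumbnailer rix,`, i.e. the component that parses untrusted media, which is where one wants the fewest capabilities. If these are required by bwrap's own sandbox setup rather than by the thumbnailer, a trailing comment in the style already used elsewhere in the series (`# file_inherit`) would make the trade-off visible, e.g. `capability dac_override, # TODO: needed by bwrap for <setup step>`; otherwise they should be dropped. The subprofile opens on the previous line and is complete within this hunk.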
@@ -23,20 +26,29 @@ profile transmission-gtk @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=com.transmissionbt.Transmission + #aa:dbus own bus=session name=com.transmissionbt.transmission_* + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{exec_path} mr, @{open_path} rPx -> child-open, + /usr/share/transmission/{,**} r, + + owner @{HOME}/ r, + owner @{user_torrents_dirs}/ r, owner @{user_torrents_dirs}/** rw, owner @{user_config_dirs}/transmission/ rw, owner @{user_config_dirs}/transmission/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/transmission/ rw, owner @{user_cache_dirs}/transmission/** rwk, + owner @{tmp}/tr_session_id_* rwk, + @{run}/mount/utab r, @{PROC}/@{pid}/net/route r, @@ -45,10 +57,12 @@ profile transmission-gtk @{exec_path} { owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt deleted file mode 100644 index bbfe5bff4..000000000 --- a/apparmor.d/profiles-s-z/transmission-qt +++ /dev/null 
@@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/transmission-qt -profile transmission-qt @{exec_path} { - include - include - include - include - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - @{exec_path} mr, - - # Torrent files - owner @{user_torrents_dirs}/ r, - owner @{user_torrents_dirs}/** rw, - - owner @{user_config_dirs}/transmission/ rw, - owner @{user_config_dirs}/transmission/** rwk, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/transmission/ rw, - owner @{user_cache_dirs}/transmission/** rwk, - - owner @{tmp}/tr_session_id_* rwk, - - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/net/route r, - @{PROC}/sys/kernel/random/uuid r, - - /usr/share/hwdata/pnp.ids r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index d9a8c5409..6f0fdad94 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids new file mode 100644 index 000000000..2ae7f66ef --- /dev/null +++ b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids 
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/u-d-c-print-pci-ids +profile u-d-c-print-pci-ids @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf new file mode 100644 index 000000000..47826d336 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucf @@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucf +profile ucf @{exec_path} { + include + include + include + include + + @{exec_path} rix, + @{sh_path} rix, + + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cp rix, + @{bin}/dirname rix, + @{bin}/getopt rix, + @{bin}/id rix, + @{bin}/md5sum rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/seq rix, + @{bin}/stat rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rix, + + @{bin}/dpkg-query rpx, + @{bin}/dpkg-divert rPx, + @{pager_path} rCx -> child-pager, + + # For md5sum + /usr/share/** r, + + # For writing new config files + /etc/** rw, #aa:lint ignore=too-wide + + # For shell pwd + / r, + /root/ r, + + owner /var/lib/ucf/** rw, + + owner /tmp/tmp.@{rand10} r, + + deny capability sys_admin, # optional: no audit + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq new file mode 100644 index 000000000..b6ca3e7b1 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfq 
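Review bot: `@{bin}/dpkg-query rpx` uses the lower-case `px` transition while the line right after it, `@{bin}/dpkg-divert rPx`, uses `Px`; in AppArmor the lower-case form transitions to the discrete profile without environment scrubbing, so dpkg-query would start with ucf's full environment (LD_* style variables included) whereas dpkg-divert would not. Unless dpkg-query genuinely needs an unscrubbed environment from ucf, make the pair consistent with `@{bin}/dpkg-query rPx,`. The `/etc/** rw, #aa:lint ignore=too-wide` rule is understandable for a tool whose job is installing configuration files, but a one-line comment above it stating that the ucf-registered set cannot be enumerated statically would tell the next reader the width is deliberate rather than a profile-generation leftover.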
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfq +profile ucfq @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/md5sum rix, + + /etc/ r, + /etc/default/ r, + /etc/default/grub r, + + /var/lib/ucf/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr new file mode 100644 index 000000000..4cc149a28 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfr @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfr +profile ucfr @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/dirname ix, + @{bin}/getopt ix, + @{bin}/id ix, + @{bin}/readlink ix, + @{bin}/sed ix, + + /usr/share/ucf/{,**} r, + + /etc/ucf.conf r, + + / r, + + /var/lib/ucf/ r, + /var/lib/ucf/registry r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-ata_id b/apparmor.d/profiles-s-z/udev-ata_id new file mode 100644 index 000000000..f12ed105f --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-ata_id @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/ata_id +profile udev-ata_id @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached new file mode 100644 index 000000000..e42b10c26 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bcache-export-cached 
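Review bot: `/etc/default/grub r` in the new ucfq profile looks like a single observed path rather than the tool's real read set: ucfq reports on whichever ucf-registered files it is asked about and hashes them (hence `@{bin}/md5sum rix`), so a query about any other registered file under `/etc/` would be denied. If that narrow rule is deliberate, say so next to it, e.g. `# Only /etc/default/grub is queried in practice (grub maintainer scripts)`; otherwise widen it to the files listed in `/var/lib/ucf/*` after confirming with an audit log.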
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bcache-export-cached +profile udev-bcache-export-cached @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{sbin}/bcache-super-show rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface new file mode 100644 index 000000000..7e3ba52f9 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bridge-network-interface @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bridge-network-interface +profile udev-bridge-network-interface @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + /etc/default/bridge-utils r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-cdrom_id b/apparmor.d/profiles-s-z/udev-cdrom_id new file mode 100644 index 000000000..552159867 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-cdrom_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/cdrom_id +profile udev-cdrom_id @{exec_path} { + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + /dev/sr@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-dmi-memory-id b/apparmor.d/profiles-s-z/udev-dmi-memory-id index ab6a2de77..1d6580311 100644 --- a/apparmor.d/profiles-s-z/udev-dmi-memory-id +++ b/apparmor.d/profiles-s-z/udev-dmi-memory-id 
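Review bot: The new udev-bridge-network-interface profile grants only `@{exec_path} mr`, `@{sh_path} r` and `/etc/default/bridge-utils r`, yet the bridge-utils hotplug script presumably execs helpers such as `brctl` or `ifquery` once `BRIDGE_HOTPLUG` is enabled, and with a single include (its target is not rendered in this view) and no exec rule that path would be denied. If the profile was generated with the default early exit (`BRIDGE_HOTPLUG` unset or `no`), record that assumption in a comment, e.g. `# Bridge helpers are not covered; only the BRIDGE_HOTPLUG=no early-exit path is profiled`, or add the exec rules after confirming them against the script.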
@@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/udev/dmi_memory_id +@{exec_path} = @{lib}/udev/dmi_memory_id profile udev-dmi-memory-id @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id new file mode 100644 index 000000000..453e0093a --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/fido_id +profile udev-fido_id @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/udev/udev.conf r, + /etc/udev/udev.conf.d/{,**} r, + + @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/platform/**/report_descriptor r, + @{sys}/devices/virtual/**/report_descriptor r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-hdparm b/apparmor.d/profiles-s-z/udev-hdparm new file mode 100644 index 000000000..bca98163b --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-hdparm @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/hdparm +profile udev-hdparm @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/udevadm rPx, + + /etc/hdparm.conf r, + + @{PROC}/cmdline r, + @{PROC}/mdstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-probe-bcache b/apparmor.d/profiles-s-z/udev-probe-bcache new file mode 100644 index 000000000..e02e070a8 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-probe-bcache 
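Review bot: The new udev-hdparm profile allows `udevadm`, `grep` and `sed` and reads `/etc/hdparm.conf`, `@{PROC}/cmdline` and `@{PROC}/mdstat`, but no rule is visible for the `hdparm` binary itself, which is what the udev hdparm script ultimately runs against the device; unless the profile's single include (target not rendered here) supplies it, the profile's main action would be denied. Consider `@{sbin}/hdparm rPx,` if a dedicated hdparm profile exists in the tree, or `@{sbin}/hdparm rix,` otherwise, after confirming with an audit log.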
@@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/probe-bcache +profile udev-probe-bcache @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unhide-linux b/apparmor.d/profiles-s-z/unhide-linux index d03561452..0d543513c 100644 --- a/apparmor.d/profiles-s-z/unhide-linux +++ b/apparmor.d/profiles-s-z/unhide-linux @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-posix b/apparmor.d/profiles-s-z/unhide-posix index 1277e299c..730d1aaa6 100644 --- a/apparmor.d/profiles-s-z/unhide-posix +++ b/apparmor.d/profiles-s-z/unhide-posix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-rb b/apparmor.d/profiles-s-z/unhide-rb index e503f639a..ecc19849a 100644 --- a/apparmor.d/profiles-s-z/unhide-rb +++ b/apparmor.d/profiles-s-z/unhide-rb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index bb54d19b1..8827bca14 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} { @{bin}/fuser rix, @{bin}/netstat rix, @{bin}/sed rix, - @{bin}/ss rix, + @{sbin}/ss rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index c24da3bab..7407a9f99 100644 
--- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -3,17 +3,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/unix_chkpwd +@{exec_path} = @{sbin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include include include capability audit_write, + capability dac_read_search, # To read shadow with 000 permissions. network netlink raw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index d5d1cb953..2d641f994 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,25 +18,21 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{archive_path} rix, @{bin}/{,e}grep rix, - @{bin}/bzip2 rix, @{bin}/cat rix, - @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, - @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/xz rix, @{bin}/xzcat rix, - @{bin}/zstd rix, - /boot/ r, - owner /boot/initrd.img-* r, + @{efi}/ r, + owner @{efi}/initrd.img-* r, /tmp/ r, owner @{tmp}/initrd.img-* r, /mnt/ r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index dfe7725d8..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,8 @@ profile update-alternatives @{exec_path} { include include + capability dac_override, + @{exec_path} mr, @{bin}/* w, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index f08383fba..df9c08fe4 100644 
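Review bot: `capability dac_read_search` added to unix-chkpwd bypasses DAC read and search checks for every path the profile otherwise allows, not only `/etc/shadow`; the inline comment explains the need (a 000-mode shadow file), but the file rules that bound the capability are outside this hunk. Please confirm that the profile's read rules stay enumerated and that no broad `/etc/** r` or `/** r` glob is present, since any such rule combined with this capability becomes an unrestricted file read for a setuid/setgid helper. A comment such as `# dac_read_search is bounded by the explicit file rules below` next to the capability would document that invariant.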
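Review bot: `capability dac_override` is added to update-alternatives without a comment, unlike the `dac_read_search` addition in unix-chkpwd in this same commit, and it is the broader of the two (it bypasses read, write and execute permission checks, not just read/search). If it is needed because the tool writes into directories or files whose mode bits do not grant root write (hence CAP_DAC_OVERRIDE is consulted), say so, e.g. `capability dac_override, # write into 0555 dirs / read-only alternatives links`; if only reads are affected, `dac_read_search` is the smaller grant.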
--- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/update-ca-certificates +@{exec_path} = @{sbin}/update-ca-certificates profile update-ca-certificates @{exec_path} { include include @@ -33,6 +33,7 @@ profile update-ca-certificates @{exec_path} { @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, + @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, @@ -45,7 +46,7 @@ profile update-ca-certificates @{exec_path} { /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt{,.new} rw, /etc/ssl/certs/*.pem rw, - /etc/ssl/certs/@{hex}.[0-9] rw, + /etc/ssl/certs/@{hex}.@{d} rw, /var/lib/ca-certificates/ rwk, /var/lib/ca-certificates/** rw, diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index 6ebcf7f83..c0f220919 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,12 +24,9 @@ profile update-ca-trust @{exec_path} { / r, /usr/share/p11-kit/modules/{,*} r, - /etc/ca-certificates/extracted/{tls,email,objsign}-ca-bundle.pem{,.*} w, - /etc/ca-certificates/extracted/ca-bundle.trust.crt{,.*} w, - /etc/ca-certificates/extracted/cadir/{,*} rw, - /etc/ca-certificates/extracted/edk2-cacerts.bin{,.*} w, + /etc/ca-certificates/extracted/** rw, /etc/ssl/certs/{,*} rw, - /etc/ssl/certs/java/cacerts{,.*} w, + /etc/ssl/certs/java/** rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog new file mode 100644 index 000000000..feac2d3c5 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-catalog 
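Review bot: Replacing the four enumerated `/etc/ca-certificates/extracted/...` rules and `/etc/ssl/certs/java/cacerts{,.*} w` with `/etc/ca-certificates/extracted/** rw` and `/etc/ssl/certs/java/** rw` widens the trust-store write set to every file and subdirectory under those paths, and also adds read where only write was granted before. That is plausibly fine for a tool whose purpose is to rewrite the extracted bundles, but the motivation is not in the diff; a comment such as `# p11-kit extract rewrites the whole directory tree, the exact file set is not stable` would justify the glob, or, if the set of new files is known, list them as the old rules did.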
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-catalog +profile update-catalog @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/sgml/ r, + /etc/sgml/* r, + + /var/lib/sgml-base/*catalog rw, + /var/lib/sgml-base/*catalog.new rw, + /var/lib/sgml-base/*catalog.old w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index 56c215402..9801f8737 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile update-command-not-found @{exec_path} { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 6b4192903..8f848b0ad 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/update-cracklib +@{exec_path} = @{sbin}/update-cracklib profile update-cracklib @{exec_path} { include include @@ -16,12 +16,12 @@ profile update-cracklib @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cracklib-format rix, - @{bin}/cracklib-packer rPx, + @{sbin}/cracklib-format rix, + @{sbin}/cracklib-packer rPx, @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/install rix, @{bin}/install rix, diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index 08687c6c8..e9d92e421 100644 
--- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,7 @@ profile update-dlocatedb @{exec_path} { /usr/share/dlocate/updatedb rCx -> updatedb, @{bin}/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/2 w, + owner @{PROC}/@{pid}/fd/@{int} w, /var/lib/dlocate/dpkg-list w, @@ -39,7 +39,6 @@ profile update-dlocatedb @{exec_path} { include /usr/share/dlocate/updatedb r, - @{bin}/perl r, /etc/default/dlocate r, @@ -58,6 +57,7 @@ profile update-dlocatedb @{exec_path} { @{bin}/gzip rix, /var/lib/dlocate/dlocatedb.gz rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir new file mode 100644 index 000000000..dc2a0d7aa --- /dev/null +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-info-dir +profile update-info-dir @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/cp ix, + @{bin}/find ix, + @{bin}/install-info Px, + @{bin}/rm ix, + + /etc/environment r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index fc62d99f2..50f11caea 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -3,11 +3,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/update-initramfs +@{exec_path} = @{sbin}/update-initramfs profile update-initramfs @{exec_path} { include include 
@@ -22,17 +22,20 @@ profile update-initramfs @{exec_path} { @{bin}/cat rix, @{bin}/{m,g,}awk rix, @{bin}/getopt rix, - @{bin}/ischroot rix, @{bin}/ln rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, + @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, + @{bin}/ischroot rPx, @{bin}/linux-version rPx, - @{bin}/mkinitramfs rPx, + @{sbin}/mkinitramfs rPx, + + /etc/initramfs/post-update.d/* rPUx, /var/lib/initramfs-tools/* w, @@ -47,9 +50,9 @@ profile update-initramfs @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /boot/ r, - owner /boot/initrd.img-* rw, - owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, + owner @{efi}/ r, + owner @{efi}/initrd.img-* rw, + owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*, include if exists } diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index 233ed60be..901dae9a0 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/update-pciids +@{exec_path} = @{sbin}/update-pciids profile update-pciids @{exec_path} { include include @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, @@ -38,7 +38,7 @@ profile update-pciids @{exec_path} { /usr/share/misc/ r, /usr/share/misc/* rwl -> /usr/share/misc/*, - # For shell pwd + # For shell pwd /root/ r, @@ -62,6 +62,7 @@ profile update-pciids @{exec_path} { /usr/share/misc/pci.ids.new w, /usr/share/misc/pci.ids.gz.new w, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 8431fd1e6..31a03ef7b 100644 
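Review bot: `/etc/initramfs/post-update.d/* rPUx` falls back to unconfined for any hook in that directory that has no profile of its own, so such a hook runs with no confinement at all even though update-initramfs and its other children (`dpkg-trigger`, `ischroot`, `linux-version`, `mkinitramfs` all under `rPx`) are confined; the profile body continues outside this hunk. Consider `rPx` together with a fallback profile, or at least a comment stating why unconfined is the accepted fallback, e.g. `# Hooks are third-party; unconfined fallback until each ships a profile`. The `@{bin}/ischroot rPx` change (previously `rix`) is fine provided an `ischroot` profile exists in the tree, otherwise the exec is denied.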
--- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -3,32 +3,28 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/update-secureboot-policy +@{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include - include + include @{exec_path} rm, - @{sh_path} rix, - @{bin}/{,m,g}awk rix, - @{bin}/dpkg-trigger rPx, - @{bin}/find rix, - @{bin}/id rix, - @{bin}/od rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/wc rix, - /usr/share/debconf/frontend rPx, + @{bin}/{,m,g}awk ix, + @{bin}/dpkg-trigger Px, + @{bin}/find ix, + @{bin}/id ix, + @{bin}/od ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/wc ix, / r, - /usr/share/debconf/confmodule r, - /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw, diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells new file mode 100644 index 000000000..5922c1a14 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-shells @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-shells +profile update-shells @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chmod ix, + @{bin}/chown ix, + @{bin}/dirname ix, + @{bin}/dpkg-realpath rix, + @{bin}/mv ix, + @{bin}/sync ix, + @{bin}/readlink ix, + + /usr/share/debianutils/shells r, + /usr/share/debianutils/shells.d/{,**} r, + /usr/share/dpkg/sh/dpkg-error.sh r, + + /etc/shells r, + /etc/shells.tmp w, + + /var/lib/shells.state r, + /var/lib/shells.state.tmp w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 7140bbd5b..70b9bc6e2 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb 
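Review bot: The hunk drops `@{sh_path} rix`, `/usr/share/debconf/frontend rPx` and `/usr/share/debconf/confmodule r` while swapping one abstraction include for another (the include target is not rendered in this view); update-secureboot-policy is a shell script that drives debconf for the MOK enrollment prompt, so these removals are only correct if the new include supplies both the interpreter and the debconf access. If it does, a one-line comment above the include naming what it provides would save the next reader the lookup; if it does not, at least `@{sh_path} r,` must come back. The `rix` to `ix` change on the coreutils helpers matches the newer style used by the other profiles in this commit and is fine.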
+++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/update-smart-drivedb +@{exec_path} = @{sbin}/update-smart-drivedb profile update-smart-drivedb @{exec_path} { include include @@ -28,7 +28,7 @@ profile update-smart-drivedb @{exec_path} { @{bin}/cmp rix, @{bin}/ r, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/wget rCx -> browse, @@ -58,6 +58,7 @@ profile update-smart-drivedb @{exec_path} { owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/ rw, owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/**, + include if exists } profile browse { @@ -88,6 +89,7 @@ profile update-smart-drivedb @{exec_path} { /var/lib/smartmontools/drivedb/drivedb.h.new{,.raw.asc} w, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 9e470d878..518a8d7df 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,13 +19,13 @@ profile updatedb-mlocate @{exec_path} { @{exec_path} mr, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, @{HOME}/ r, @@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} { /srv/**/ r, # Silence the noise - deny /efi/ r, + deny @{efi}/ r, deny /hugepages/ r, deny /lost+found/ r, deny /mnt/ r, diff --git a/apparmor.d/profiles-s-z/updatedb.plocate b/apparmor.d/profiles-s-z/updatedb.plocate index 67ea546fd..60aa760d4 100644 --- a/apparmor.d/profiles-s-z/updatedb.plocate +++ b/apparmor.d/profiles-s-z/updatedb.plocate 
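Review bot: After this change the updatedb-mlocate profile allows `@{efi}/ r` and `@{efi}/**/ r` in the first hunk and has `deny @{efi}/ r` in the second, where previously the two rules targeted different literal paths (`/boot/` versus `/efi/`). AppArmor deny rules take precedence over allow rules, so if the `@{efi}` tunable expands to a set that includes `/boot/`, reading `/boot/` is now denied and the new allow rule is dead; if `@{efi}` covers only `/efi/`, then the allow rule is the one that changed behaviour. Either keep the deny on the literal `/efi/` or drop it, and leave a comment stating which paths `@{efi}` expands to.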
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uptimed b/apparmor.d/profiles-s-z/uptimed index a850d7771..7e978c1dd 100644 --- a/apparmor.d/profiles-s-z/uptimed +++ b/apparmor.d/profiles-s-z/uptimed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/utmpdump b/apparmor.d/profiles-s-z/utmpdump index 054bb69ce..363524355 100644 --- a/apparmor.d/profiles-s-z/utmpdump +++ b/apparmor.d/profiles-s-z/utmpdump @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index e5642c263..483fef619 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index f49441ebf..88a6cd406 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, @@ -50,7 +50,7 @@ profile uupdate @{exec_path} flags=(complain) { # For package building owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/v2ray b/apparmor.d/profiles-s-z/v2ray new file mode 100644 index 000000000..046151222 --- /dev/null +++ b/apparmor.d/profiles-s-z/v2ray 
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/v2ray +profile v2ray @{exec_path} flags=(attach_disconnected) { + include + include + + network inet dgram, + network inet stream, + network inet raw, + network inet6 dgram, + network inet6 raw, + network netlink raw, + + @{exec_path} mr, + + /etc/v2ray/{,*} r, + /usr/share/v2ray/**.dat r, + + @{PROC}/sys/net/core/somaxconn r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl new file mode 100644 index 000000000..ddb86b9a2 --- /dev/null +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/v4l2-ctl +profile v4l2-ctl @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 37422840c..eaf6ca24b 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile vcsi @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ffmpeg rPx, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt new file mode 100644 index 000000000..b9b92a721 --- /dev/null +++ b/apparmor.d/profiles-s-z/veracrypt 
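Review bot: The new v2ray profile grants `network inet raw` and `network inet6 raw` but no `capability net_raw`; opening a raw socket requires CAP_NET_RAW, so either the two rules are unused and should be dropped to keep the profile minimal, or the service runs with that capability and the profile will log a capability denial at the first raw socket. Confirm from an audit log and then either remove the raw rules or add `capability net_raw,` with a comment naming the feature that needs it. The `flags=(attach_disconnected)` flag is likewise worth a one-line justification since nothing in the visible rules shows a disconnected path.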
@@ -0,0 +1,96 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/veracrypt +profile veracrypt @{exec_path} { + include + include + include + include + include + include + include + include + + capability chown, + capability dac_read_search, + capability fsetid, + capability sys_admin, + capability sys_ptrace, + + mount fstype=fuse.veracrypt options=(rw nodev nosuid) veracrypt -> /tmp/.veracrypt_*/, + + @{exec_path} mrix, + + @{sh_path} rix, + @{open_path} rPx -> child-open-help, + @{sbin}/dmsetup rPx, + @{bin}/{,e}grep rix, + @{bin}/kmod rix, + @{sbin}/ldconfig rix, + @{sbin}/losetup rCx -> losetup, + @{bin}/mount rPx, + @{bin}/sudo rix, + @{bin}/umount rCx -> umount, + @{bin}/wc rix, + @{file_explorers_path} rPx, + + /home/ r, + + # Mount points + @{MOUNTS}/ rw, + @{MOUNTS}/*/ rw, + + owner @{HOME}/ r, + owner @{HOME}/.VeraCrypt-lock-@{user} rwk, + + owner @{user_config_dirs}/VeraCrypt/ rw, + owner @{user_config_dirs}/VeraCrypt/** rwk, + + /tmp/.veracrypt_*/ rw, + /tmp/.veracrypt_*/** rwk, + + @{sys}/module/compression r, + @{sys}/module/dm_mod/initstate r, + + @{PROC}/partitions r, + owner @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + /dev/tty rw, + + profile umount { + include + + capability sys_admin, + + umount /tmp/.veracrypt_*/, + umount @{MOUNTS}/{,*/}, + + @{bin}/umount mr, + + owner @{run}/mount/utab r, + + include if exists + } + + profile losetup { + include + include + + capability sys_rawio, + + @{sbin}/losetup mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop new file mode 100644 index 000000000..4f4432650 --- /dev/null +++ b/apparmor.d/profiles-s-z/vesktop 
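Review bot: `@{bin}/sudo rix` runs sudo inside the veracrypt profile, so sudo and whatever it launches inherit `capability sys_admin`, `sys_ptrace`, `dac_read_search` and the `mount fstype=fuse.veracrypt ...` rule; the profile then depends on the `rCx`/`rPx` rules for `losetup`, `umount`, `mount` and `dmsetup` to catch the privileged children, which only holds if sudo's target is exactly one of those paths. If the tree has a `sudo` profile, `rPx` would be the conventional transition; otherwise a comment explaining why inline execution is required here would help. Separately, `/tmp/.veracrypt_*/ rw` and `/tmp/.veracrypt_*/** rwk` lack the `owner` qualifier that the other user-data rules carry; if the directory is created by the user's own process, `owner` should be added so that a pre-existing directory of the same name under another uid is not usable. The `umount` subprofile's `umount @{MOUNTS}/{,*/}` also covers every mount under `@{MOUNTS}`, not only veracrypt volumes, which deserves a comment if intended.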
@@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = vesktop +@{domain} = org.chromium.Chromium +@{lib_dirs} = @{lib}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/vesktop +profile vesktop @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open, + + owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + + @{sys}/devices/@{pci}/usb@{int}/**/interface r, + + @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + owner /dev/ r, + + deny /dev/tty rw, + deny owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 226a0dd98..7cf741dc2 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,10 +25,10 @@ profile vidcutter @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 835267c2d..396f1e4f8 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
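Review bot: `@{PROC}/@{pid}/cmdline r` has no `owner` qualifier, unlike the neighbouring `owner @{PROC}/@{pid}/task/@{tid}/comm rw`, so the vesktop profile lets the application read the command line of any process visible in `/proc`, which can expose secrets that other programs received as arguments. If the Electron/Chromium sandbox only needs its own and its helper processes' command lines, `owner @{PROC}/@{pid}/cmdline r,` is sufficient; if it genuinely reads other uids' processes, a comment stating which one would justify the wider rule.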
@@ -16,11 +16,9 @@ profile vipw-vigr @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{editor_path} rCx -> editor, - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, - - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group}{,.edit} rw, /etc/{passwd,shadow,gshadow,group}.@{pid} rw, @@ -37,7 +35,6 @@ profile vipw-vigr @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - profile editor { include include @@ -45,6 +42,8 @@ profile vipw-vigr @{exec_path} { capability fsetid, /etc/{passwd,shadow,gshadow,group}.edit rw, + + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 9fa13e500..92dc977d9 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,12 +12,18 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include include include include include include include + include include include include 
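Review bot: Replacing `@{bin}/sensible-editor` and `@{bin}/vim.*` with `@{editor_path} rCx -> editor` means every binary in the `@{editor_path}` tunable now runs in the `editor` child profile, which (outside this hunk) carries `capability fsetid` and write access to `/etc/{passwd,shadow,gshadow,group}.edit`. That is the intended design for vipw/vigr, but the grant now silently widens whenever the tunable grows; a comment such as `# Any editor in @{editor_path} edits the passwd/shadow copies under the editor subprofile` next to the rule would make the trade-off visible to whoever extends the tunable.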
@@ -28,25 +34,25 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.virt-manager.virt-manager + @{exec_path} rix, @{sh_path} rix, - @{bin}/python3.@{int} r, - @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r, @{bin}/env rix, @{bin}/getfacl rix, @{bin}/setfacl rix, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/ssh rPx, @{lib}/spice-client-glib-usb-acl-helper rPx, @{open_path} rPx -> child-open, - /usr/share/gtksourceview-4/{,**} r, - /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, @@ -61,15 +67,15 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/libnl/classid r, - owner @{HOME}/ r, - owner @{user_cache_dirs}/virt-manager/{,**} rw, + # System VM images + /var/lib/libvirt/images/{,**} rw, # For disk images @{MOUNTS}/ r, @{user_img_dirs}/{,**} r, - # System VM images - /var/lib/libvirt/images/{,**} rw, + owner @{HOME}/ r, + owner @{user_cache_dirs}/virt-manager/{,**} rw, # User VM images owner @{user_share_dirs}/ r, 
@@ -79,21 +85,24 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/virtual/drm/ttm/uevent r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} r, - /dev/video@{int} rw, - # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 5d113ba3b..05866296d 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,13 +11,10 @@ include profile vlc @{exec_path} { include include - include include - include - include - include - include include + include + include include include include @@ -25,8 +22,11 @@ profile vlc @{exec_path} { include include include + include include include + include + include include include @@ -36,11 +36,9 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc - #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined - @{exec_path} mrix, + @{open_path} rPx -> child-open-help, @{bin}/xdg-screensaver rPx, /usr/share/vlc/{,**} r, 
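Review bot: `@{run}/libvirt/libvirt-sock rw` opens the system libvirt daemon socket, so from here on authorization is enforced by libvirt's own policy (socket group, polkit) rather than by this profile; a comment such as `# system libvirt socket; access is further gated by libvirt's own auth` records that hand-off. The same hunk drops `/dev/media@{int} r` and `/dev/video@{int} rw` with no replacement visible; presumably they moved into one of the includes added earlier in this diff (their names are stripped in this rendering), which is worth confirming before the removal is merged. The profile continues outside this hunk.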
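Review bot: The two `#aa:dbus` directives for `org.mpris.MediaPlayer2.vlc` are removed without a replacement visible in the vlc hunk, so unless the includes added above carry the equivalent D-Bus rules, VLC's MPRIS registration on the session bus will now be denied. If the rules moved into an abstraction, a short comment at the removal point, `# MPRIS D-Bus rules come from the included abstraction`, would save the next reader the search. The vlc profile body continues outside this hunk.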
@@ -48,12 +46,13 @@ profile vlc @{exec_path} { /etc/fstab r, owner @{HOME}/ r, + owner @{MOUNTS}/ r, + owner @{user_music_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_torrents_dirs}/{,**} rw, owner @{user_videos_dirs}/{,**} rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/vlc/ rw, owner @{user_cache_dirs}/vlc/{,**} rw, @@ -73,10 +72,16 @@ profile vlc @{exec_path} { @{run}/mount/utab r, + @{sys}/devices/virtual/dmi/id/board_name r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/board_version r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, - /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen index b464f1712..1c089b0f8 100644 --- a/apparmor.d/profiles-s-z/vlc-cache-gen +++ b/apparmor.d/profiles-s-z/vlc-cache-gen @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index 25bdcfb1b..edce31840 100644 --- a/apparmor.d/profiles-s-z/vnstat +++ b/apparmor.d/profiles-s-z/vnstat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,35 +12,17 @@ profile vnstat @{exec_path} { include include - # The following rules are needed when adding a new interface to the vnstat database. Usually this - # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the - # database files under /var/lib/vnstat/ are owned by vnstat:vnstat. Because of the above, the - # dac_override CAP is needed to allow writing files in that dir. - # - # If this CAP was denied, then the following error is printed when adding new interfaces: - # - # Error: Exec step failed (8: attempt to write a readonly database): "insert into interface - # (name, active, created, updated, rxcounter, txcounter, rxtotal, txtotal) values ('eth0', 1, - # datetime('now', 'localtime'), datetime('now', 'localtime'), 0, 0, 0, 0)" - # Error: Adding interface "ifb0" to database failed. - # - capability dac_override, - # - # Also the vnstat.db file has to have the write permission: - /var/lib/vnstat/vnstat.db w, - /var/lib/vnstat/vnstat.db-journal rw, - # - # This is needed to change the owner:group to vnstat:vnstat of the database file. capability chown, + capability dac_override, @{exec_path} mr, - # Many apps/users can query vnstat database, so don't use owner here. - /var/lib/vnstat/ r, - /var/lib/vnstat/vnstat.db rk, - /etc/vnstat.conf r, + /var/lib/vnstat/ r, + /var/lib/vnstat/vnstat.db rwk, + /var/lib/vnstat/vnstat.db-journal rw, + @{sys}/class/net/ r, @{sys}/devices/@{pci}/net/*/statistics/{tx,rx}_{bytes,packets} r, diff --git a/apparmor.d/profiles-s-z/vnstatd b/apparmor.d/profiles-s-z/vnstatd index c37c8b6d7..1270ecf42 100644 --- a/apparmor.d/profiles-s-z/vnstatd +++ b/apparmor.d/profiles-s-z/vnstatd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon index c58381d7d..e354c3cbd 100644 --- a/apparmor.d/profiles-s-z/volumeicon 
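Review bot: The explanation for `capability dac_override` disappears with the rest of the comment block, leaving a permission-bypass capability in the profile with no stated reason. One line is enough: `# dac_override: runs as root but /var/lib/vnstat/ is owned by vnstat:vnstat`. The removed remark `# Many apps/users can query vnstat database, so don't use owner here.` still applies to the new `/var/lib/vnstat/vnstat.db rwk` rule and is worth keeping as well. The profile continues outside this hunk.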
+++ b/apparmor.d/profiles-s-z/volumeicon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index aa45b805e..8fe33af50 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile vsftpd @{exec_path} { include include include - include + include include # To be able to listen on ports < 1024 @@ -41,6 +41,12 @@ profile vsftpd @{exec_path} { capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # To validate allowed users shells diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m index 5b919ecc0..ade896ea5 100644 --- a/apparmor.d/profiles-s-z/w3m +++ b/apparmor.d/profiles-s-z/w3m @@ -1,14 +1,16 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/w3m profile w3m @{exec_path} { include + include include include include @@ -21,13 +23,20 @@ profile w3m @{exec_path} { @{exec_path} mr, + @{sh_path} rix, + @{lib}/w3m/cgi-bin/* rix, + @{lib}/w3m/* rix, + /usr/share/terminfo/{,**} r, + /etc/mime.types r, /etc/w3m/{,**} r, - owner @{HOME}/.w3m/{,**} r, - owner @{user_config_dirs}/w3m/{,**} r, - owner /tmp/@{rand6}/{,**} rw, + owner @{HOME}/.w3m/{,**} rw, + + owner @{user_config_dirs}/w3m/{,**} rw, + + owner @{tmp}/w3m-@{rand6}/{,**} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wavemon b/apparmor.d/profiles-s-z/wavemon index 9ec082580..6c2fee4df 100644 --- a/apparmor.d/profiles-s-z/wavemon 
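Review bot: The new `network` rules in the vsftpd hunk are inserted directly under `# If session_support=YES, vsftpd will also try and update utmp and wtmp`, a comment that belongs to the rule above it, so it now reads as the explanation for the socket rules. Moving the block below the blank line that follows the comment, or adding a blank line between them, keeps the comment attached to what it describes. The vsftpd profile body continues outside this hunk.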
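Review bot: `@{sh_path} rix`, `@{lib}/w3m/cgi-bin/* rix` and `@{lib}/w3m/* rix` run the shell and w3m's helper scripts inside the browser profile, while the same hunk widens `owner @{HOME}/.w3m/{,**}` and `owner @{user_config_dirs}/w3m/{,**}` from `r` to `rw`. If, as is usual for w3m, those directories also hold the settings that choose external viewers and commands, a browser that can rewrite them keeps that behaviour under its own control; narrowing `rw` to the files it actually writes (history, cookies, bookmarks) and leaving the rest `r` would preserve the boundary. A comment on why each `rix` is needed, e.g. `# w3m's cgi-bin helpers are shell scripts`, would help later audits. The w3m profile body continues outside the hunk.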
+++ b/apparmor.d/profiles-s-z/wavemon
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar
new file mode 100644
index 000000000..b8d1d5326
--- /dev/null
+++ b/apparmor.d/profiles-s-z/waybar
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/waybar
+profile waybar @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ owner @{user_config_dirs}/waybar/{,**} r,
+
+ @{sys}/devices/@{pci}/uevent r,
+ @{sys}/devices/system/cpu/present r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{sys}/devices/virtual/dmi/id/uevent r,
+
+ @{PROC}/@{pid}/net/dev r,
+ @{PROC}/spl/kstat/zfs/arcstats r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /dev/rfkill r,
+
+ owner /dev/tty@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat
new file mode 100644
index 000000000..00fe0a8c5
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wechat
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = wechat
+@{domain} = org.chromium.Chromium
+@{lib_dirs} = /opt/wechat/
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{lib_dirs}/wechat
+profile wechat @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/ip rix,
+ @{bin}/lsblk Px,
+ @{bin}/mkdir rix,
+ @{bin}/xdg-user-dir rix,
+ @{lib_dirs}/crashpad_handler ix,
+ @{open_path} Px -> child-open-strict,
+
+ owner @{HOME}/.xwechat/{,**} rwk,
+ owner @{user_documents_dirs}/xwechat_files/{,**} rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage
new file mode 100755
index 000000000..335860d07
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wechat-appimage
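Review bot: `@{bin}/ip rix` runs the `ip` tool with WeChat's own permissions rather than transitioning to a dedicated profile; if the repository already ships a profile for `ip`, `rPx` keeps the proprietary client from inheriting anything the tool needs, and if it does not, a comment on what the client calls `ip` for would justify the inheritance. `@{config_dirs}` and `@{cache_dirs}` are defined but not referenced by any rule in this file; presumably the included abstractions (names stripped in this rendering) consume them, otherwise they are dead definitions.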
@@ -0,0 +1,82 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = wechat-appimage
+@{domain} = org.chromium.Chromium
+@{lib_dirs} = /opt/wechat-appimage/
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat
+profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/,
+
+ umount @{tmp}/.mount_wechat@{word6}/,
+
+ @{exec_path} r,
+
+ @{sh_path} rix,
+ @{bin}/dirname rix,
+ @{bin}/fusermount{,3} Cx -> fusermount,
+ @{bin}/{m,g,}awk rix,
+ @{bin}/lsblk Px,
+ @{bin}/mkdir rix,
+ @{bin}/readlink rix,
+ @{bin}/xdg-user-dir rix,
+ @{bin}/ip rix,
+ @{lib_dirs}/wechat-appimage.AppImage ix,
+ @{open_path} Px -> child-open-strict,
+
+ @{bin}/fusermount{,3} Cx -> fusermount,
+ @{bin}/dirname rix,
+ @{bin}/readlink rix,
+
+ @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix,
+ @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix,
+ @{tmp}/.mount_wechat@{word6}/AppRun ix,
+
+ /etc/machine-id r,
+
+ @{HOME}/.xwechat/{,**} rwk,
+
+ owner @{user_documents_dirs}/xwechat_files/{,**} rwk,
+
+ /dev/fuse rw,
+ /dev/tty rw,
+
+ profile fusermount {
+ include
+ include
+
+ mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/,
+
+ umount @{tmp}/.mount_wechat@{word6}/,
+
+ @{lib_dirs}/wechat-appimage.AppImage r,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
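Review bot: `@{bin}/fusermount{,3} Cx -> fusermount,`, `@{bin}/dirname rix,` and `@{bin}/readlink rix,` each appear twice in the profile body; the second group should be dropped. The `@{exec_path}` definition is inconsistent with the rules that follow it: it spells the AppImage as `wechat-appimage.Appimage` where the `ix` rule uses `wechat-appimage.AppImage` (paths are case-sensitive, so one of the two never matches), and it writes the mount point as `/tmp/.mount_wechat??????/user/bin/wechat` while the rules use `@{tmp}/.mount_wechat@{word6}/usr/bin/wechat`, where `user/bin` looks like a typo and the literal `/tmp` with `??????` should use the same `@{tmp}` and `@{word6}` variables as the rest of the file. `@{HOME}/.xwechat/{,**} rwk` also lacks the `owner` qualifier that the sibling `wechat` profile uses for the same directory.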
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal
new file mode 100644
index 000000000..94da6c60e
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wechat-universal
@@ -0,0 +1,60 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = wechat-universal
+@{domain} = org.chromium.Chromium
+@{lib_dirs} = /opt/wechat-universal/
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat
+profile wechat-universal @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} mrix,
+
+ @{sh_path} rix,
+ @{bin}/bwrap rix,
+ @{bin}/ln ix,
+ @{bin}/lsblk Px,
+ @{bin}/mkdir ix,
+ @{bin}/sed ix,
+ @{bin}/xdg-user-dir rix,
+ @{lib_dirs}/crashpad_handler ix,
+ @{lib}/wechat-appimage.AppImage ix,
+ @{open_path} Px -> child-open-strict,
+
+ /etc/lsb-release r,
+ /etc/machine-id r,
+
+ owner @{user_documents_dirs}/WeChat_Data/{,**} rwk,
+ owner @{HOME}/.xwechat/{,**} rwk,
+ owner @{HOME}/.sys1og.conf rw,
+
+ @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+ @{run}/utmp r,
+
+ @{PROC}/@{pid}/net/route r,
+
+ /dev/tty rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet
new file mode 100644
index 000000000..0b83e44c8
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wemeet
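Review bot: `@{lib}/wechat-appimage.AppImage ix` uses `@{lib}` where every other vendor-tree rule in this file uses `@{lib_dirs}` (`/opt/wechat-universal/`), and the file name belongs to the sibling wechat-appimage profile; this looks carried over from that profile and should either read `@{lib_dirs}/...` or be removed. `@{bin}/bwrap rix` runs the bubblewrap sandbox helper under this profile rather than a dedicated one; if the repository has a `bwrap` profile, `rPx` (or a child profile) keeps the sandboxing tool's own permissions out of the messaging client, and in either case a comment on what the launcher uses bwrap for is warranted. `owner @{HOME}/.sys1og.conf rw` has a digit `1` in the name; if that is what the vendor actually writes, a comment saying so would prevent a well-meaning correction to `syslog` later.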
@@ -0,0 +1,64 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{domain} = org.chromium.Chromium
+
+@{exec_path} = @{bin}/wemeet
+@{exec_path} += /opt/wemeet/bin/wemeetapp
+@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess
+profile wemeet @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ @{sh_path} r,
+ @{bin}/basename rix,
+ @{bin}/bwrap rix,
+ @{bin}/id rix,
+ @{bin}/mkdir rix,
+ /opt/wemeet/bin/** rix,
+
+ /etc/machine-id r,
+ /var/cache/ w,
+
+ owner @{user_share_dirs}/wemeetapp/ rw,
+ owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**,
+
+ @{PROC}/ r,
+ @{PROC}/asound/ r,
+ @{PROC}/@{pid}/net/route r,
+ @{PROC}/@{pid}/net/wireless r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/statm r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ owner @{PROC}/@{pid}/cmdline r,
+
+ /dev/ r,
+ /dev/tty rw,
+ /dev/shm/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis
index e99900304..3febd0b0b 100644
--- a/apparmor.d/profiles-s-z/whatis
+++ b/apparmor.d/profiles-s-z/whatis
@@ -3,7 +3,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -13,7 +13,7 @@ profile whatis @{exec_path} {
 include
 @{exec_path} mr,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
 /usr/{,**/}man/{,**/}{,whatis} r,
diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd
index e5e111b8b..41541ea84 100644
--- a/apparmor.d/profiles-s-z/whdd
+++ b/apparmor.d/profiles-s-z/whdd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
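Review bot: `/var/cache/ w` grants write on the system cache directory itself, so the client may create arbitrary entries there; if it only needs its own subdirectory, name it (e.g. `/var/cache/<vendor-dir>/ rw`, with the exact name taken from the denial log), and if the access is just noise, a `deny` rule is the safer spelling. `/opt/wemeet/bin/** rix` inherits the profile for every current and future file under the vendor tree; since `@{exec_path}` already names `wemeetapp` and `QtWebEngineProcess`, listing the helpers actually executed would keep the execution surface explicit. `/dev/ r` and `/dev/shm/ r` are only directory listings, but a comment on why a meeting client enumerates `/dev/` would help the next reviewer.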
@@ -25,7 +25,7 @@ profile whdd @{exec_path} { @{bin}/tr rix, # To read SMART attributes - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 32d0945e1..c4de427ff 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/which{.debianutils,} +@{exec_path} = @{bin}/which{,.debianutils} profile which @{exec_path} flags=(attach_disconnected) { include include @@ -17,7 +17,9 @@ profile which @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ r, + @{sbin}/ r, @{bin}/**/ r, + @{sbin}/**/ r, @{lib}/ r, @{lib}/**/ r, /opt/**/bin/ r, @@ -31,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index f2339717a..a42a63312 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/whiptail -profile whiptail @{exec_path} flags=(complain) { +profile whiptail @{exec_path} { include include @@ -16,9 +16,9 @@ profile whiptail @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/newt/palette.* r, + /usr/share/terminfo/** r, - owner @{tmp}/gpm* w, + /etc/newt/palette.* r, include if exists } diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami index 3072d7da0..3fc9e26b4 100644 --- a/apparmor.d/profiles-s-z/whoami +++ b/apparmor.d/profiles-s-z/whoami 
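Review bot: The whiptail profile moves from `flags=(complain)` to enforce while the same hunk drops `owner @{tmp}/gpm* w`; if that rule covered gpm mouse support in console sessions, the access is now denied rather than only logged. Either keep the rule or note in the commit why it is no longer needed; a comment above `/usr/share/terminfo/** r` stating that enforce mode was validated on a console session would document the switch.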
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois
new file mode 100644
index 000000000..a1549db03
--- /dev/null
+++ b/apparmor.d/profiles-s-z/whois
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/whois
+profile whois @{exec_path} {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/whois.conf r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie
new file mode 100644
index 000000000..8a2c83904
--- /dev/null
+++ b/apparmor.d/profiles-s-z/whoopsie
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/whoopsie
+profile whoopsie @{exec_path} {
+ include
+ include
+ include
+
+ capability setgid,
+ capability setuid,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /var/crash/ r,
+
+ /var/lib/whoopsie/ rw,
+ /var/lib/whoopsie/whoopsie-id rw,
+ /var/lib/whoopsie/whoopsie-id.@{rand6} rw,
+
+ /var/crash/*.@{uid}.crash r,
+ owner /var/crash/*.@{uid}.uploaded rw,
+
+ owner @{run}/lock/whoopsie/ rw,
+ owner @{run}/lock/whoopsie/lock rwk,
+
+ @{sys}/devices/virtual/dmi/id/product_uuid r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences
new file mode 100644
index 000000000..3b720d0da
--- /dev/null
+++ b/apparmor.d/profiles-s-z/whoopsie-preferences
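Review bot: In the whoopsie profile `network inet6 dgram,` is listed twice and `network inet6 stream,` is absent, while the IPv4 side has both `dgram` and `stream`; the second `network inet6 dgram,` should read `network inet6 stream,`, otherwise IPv6 TCP uploads are denied. `/var/crash/*.@{uid}.crash r` carries no `owner` qualifier whereas the `.uploaded` marker beside it does; if whoopsie drops privileges (the `setuid`/`setgid` capabilities suggest it does) the asymmetry is probably intended because reports are written by other users, and a one-line comment would confirm that.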
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie-preferences +profile whoopsie-preferences @{exec_path} { + include + include + include + + #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /etc/whoopsie w, + /etc/whoopsie.@{rand6} rw, + + profile systemctl { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index ed8fd0efa..a07d6bad1 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -4,14 +4,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index 3ea916395..1b4ae7501 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -2,13 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wl-{copy,paste} -profile wl-copy @{exec_path} { +profile wl-copy @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/wmctrl b/apparmor.d/profiles-s-z/wmctrl index 8d99da352..51feb0071 100644 --- a/apparmor.d/profiles-s-z/wmctrl +++ b/apparmor.d/profiles-s-z/wmctrl @@ -3,13 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wmctrl profile wmctrl @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 3495849e7..b6764ba0e 100644 
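Review bot: The `systemctl` child profile of whoopsie-preferences contains nothing but includes (their names are stripped in this rendering), so everything it may do comes from the shared abstraction; a comment above `@{bin}/systemctl Cx -> systemctl` naming which unit the service is expected to enable or disable would document the intent and make later tightening possible. `/etc/whoopsie w` next to `/etc/whoopsie.@{rand6} rw` reads like a write-temp-then-rename pattern on a file in `/etc`; `# rewrites /etc/whoopsie atomically via a temporary file` above the pair would save the question.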
--- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/wpa_action +@{exec_path} = @{sbin}/wpa_action profile wpa-action @{exec_path} { include @@ -17,7 +17,7 @@ profile wpa-action @{exec_path} { @{exec_path} mr, - @{bin}/wpa_cli rPx, + @{sbin}/wpa_cli rPx, @{sh_path} rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index 5edd2f177..eb4efeee9 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -3,17 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/wpa_cli +@{exec_path} = @{sbin}/wpa_cli profile wpa-cli @{exec_path} { include @{exec_path} mr, - /{usr/,}{s,}/wpa_action rPx, + @{sbin}/wpa_action rPx, /etc/inputrc r, @@ -21,7 +21,7 @@ profile wpa-cli @{exec_path} { owner @{HOME}/.wpa_cli_history-@{int}.tmp rw, owner @{run}/wpa_supplicant/ r, - owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw, + owner @{tmp}/wpa_ctrl_@{pid}-@{d} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index ceefecbf2..f833c812e 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -3,28 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wpa_gui profile wpa-gui @{exec_path} { include - include + include include - include - include - include - include + include include - include - include @{exec_path} mr, - /usr/share/hwdata/pnp.ids r, - - owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w, + owner @{tmp}/wpa_ctrl_@{pid}-@{d} w, owner /dev/shm/#@{int} rw, @{run}/wpa_supplicant/ r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index f3da61258..b20c6f1b4 100644 
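Review bot: `owner @{tmp}/wpa_ctrl_@{pid}-@{d} rw` in wpa-cli replaces `[0-9]`; if `@{d}` expands to a single digit like the pattern it replaces, the rule stops matching once a process has opened ten control interfaces, since wpa_supplicant's control-socket suffix is, as far as I recall, a plain counter not bounded to one digit. `@{int}` would cover the general case; the same applies to `owner @{tmp}/wpa_ctrl_@{pid}-@{d} w` in the wpa-gui hunk below.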
--- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/wpa_supplicant +@{exec_path} = @{sbin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include @@ -42,6 +42,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/cat_installer/*.pem r, owner @{run}/wpa_supplicant/{,**} rw, + owner @{run}/netplan/* r, @{sys}/devices/@{pci}/ieee*/phy@{int}/name r, diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 1ee5bd806..6ef05cc0f 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/wrmsr +@{exec_path} = @{sbin}/wrmsr profile wrmsr @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 92b0f360f..b72cff3c4 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -2,29 +2,39 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include + include include + include + + # wsdd can create its own chroot as a built-in security mechanism. + # This is used by default in the systemd wsdd-server service. + capability sys_chroot, network inet dgram, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink raw, @{exec_path} mr, @{bin}/env r, - @{bin}/python3.@{int} rix, + @{python_path} rix, /etc/machine-id r, owner /var/lib/libuuid/clock.txt rw, - owner @{run}/user/@{uid}/gvfsd/wsdd w, + @{run}/uuidd/request rw, + owner @{run}/user/@{uid}/wsdd w, + owner @{run}/user/@{uid}/*/wsdd w, include if exists } 
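Review bot: `owner @{run}/user/@{uid}/*/wsdd w` in the wsdd hunk replaces the former `gvfsd/wsdd` with a one-level wildcard, so any directory under the user's runtime dir now qualifies; if only a few parents are known (gvfsd was one), listing them keeps the rule as tight as before. The comment on `capability sys_chroot` is a good model, and the new `@{run}/uuidd/request rw` would benefit from the same treatment, presumably `# uuidd socket, used by libuuid together with /var/lib/libuuid/clock.txt`.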
diff --git a/apparmor.d/profiles-s-z/wttrbar b/apparmor.d/profiles-s-z/wttrbar
new file mode 100644
index 000000000..37933679d
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wttrbar
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/wttrbar
+profile wttrbar @{exec_path} {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ owner /tmp/wttrbar--wttr.in.json rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver
index a5ec89fd9..4d2766101 100644
--- a/apparmor.d/profiles-s-z/xarchiver
+++ b/apparmor.d/profiles-s-z/xarchiver
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
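Review bot: `owner /tmp/wttrbar--wttr.in.json rw` hard-codes `/tmp` where the rest of this diff uses `@{tmp}` (see the w3m and wpa-cli hunks), so the rule will not follow a relocated temp directory; `owner @{tmp}/wttrbar--wttr.in.json rw` is the consistent form. The fixed file name in a shared directory is the application's choice, and `owner` is the right mitigation from the profile side; a comment such as `# cache of the wttr.in response; owner-only on purpose` would preempt the question.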
@@ -28,76 +28,30 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{bin}/7z rix, - @{lib}/p7zip/7z rix, - @{bin}/unrar-nonfree rix, - @{bin}/zip rix, - @{bin}/unzip rix, - @{bin}/tar rix, - @{bin}/xz rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/zstd rix, - # For deb packages + @{archive_path} rix, @{bin}/{,@{multiarch}-}ar rix, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/xarchiver/ rw, owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw, owner @{HOME}/.bz2 rw, - / r, - /home/ r, - #owner @{HOME}/ r, - #owner @{HOME}/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** rw, - /tmp/ r, + #aa:lint ignore=too-wide + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, owner @{tmp}/** rw, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, - /etc/fstab r, - - # Allowed apps to open - @{bin}/engrampa rPUx, - @{bin}/geany rPUx, - @{bin}/viewnior rPUx, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/engrampa rPUx, - @{bin}/geany rPUx, - @{bin}/viewnior rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index f051fdc0c..e1a4199db 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xauth profile xauth @{exec_path} { include + include include @{exec_path} mr, 
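Review bot: `@{archive_path} rix` consolidates the eleven archiver binaries into one variable, but with `rix` each of them still parses untrusted archives while holding this profile's `owner @{HOME}/** rw` and `@{MOUNTS}/** rw`; the `#aa:lint ignore=too-wide` tag acknowledges the width, yet a comment explaining why the extractors cannot transition to their own profiles would complete the picture. `@{MOUNTS}/** rw` could at least take `owner` like the `@{HOME}` rule unless shared mounts are a known use case. The xarchiver profile body continues outside the hunk.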
@@ -35,6 +36,7 @@ profile xauth @{exec_path} { owner @{tmp}/xauth_@{rand6} r, owner @{tmp}/xauth_@{rand6}-c w, owner @{tmp}/xauth_@{rand6}-l wl, + owner @{tmp}/xauth.@{rand10}-c w, owner @{run}/user/@{uid}/xauth_@{rand6} rw, owner @{run}/user/@{uid}/xauth_@{rand6}-c w, diff --git a/apparmor.d/profiles-s-z/xautolock b/apparmor.d/profiles-s-z/xautolock index 89de67bd1..cb9426583 100644 --- a/apparmor.d/profiles-s-z/xautolock +++ b/apparmor.d/profiles-s-z/xautolock @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xbacklight b/apparmor.d/profiles-s-z/xbacklight index 19eb4a9f3..b2be0446b 100644 --- a/apparmor.d/profiles-s-z/xbacklight +++ b/apparmor.d/profiles-s-z/xbacklight @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index dc30114bd..b2f94975f 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -2,20 +2,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xbrlapi profile xbrlapi @{exec_path} flags=(attach_disconnected) { include + include network inet stream, network inet6 stream, @{exec_path} mr, - /dev/tty@{int} rw, + owner @{HOME}/.xsession-errors w, include if exists } diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index 378e8cae3..cdb68ed70 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip @@ -3,21 +3,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xclip profile xclip @{exec_path} { include + include include network unix stream, @{exec_path} mr, - deny /dev/tty rw, - include if exists } 
diff --git a/apparmor.d/profiles-s-z/xdpyinfo b/apparmor.d/profiles-s-z/xdpyinfo index 902905d09..169851550 100644 --- a/apparmor.d/profiles-s-z/xdpyinfo +++ b/apparmor.d/profiles-s-z/xdpyinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xeyes b/apparmor.d/profiles-s-z/xeyes new file mode 100644 index 000000000..c602e7fce --- /dev/null +++ b/apparmor.d/profiles-s-z/xeyes @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022-2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xeyes +profile xeyes @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 521a182ba..9abc02350 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xinit profile xinit @{exec_path} { include + include include signal (receive) set=(usr1) peer=xorg, @@ -34,7 +35,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, diff --git a/apparmor.d/profiles-s-z/xinput b/apparmor.d/profiles-s-z/xinput index 18eab6a78..c88210cca 100644 --- a/apparmor.d/profiles-s-z/xinput +++ b/apparmor.d/profiles-s-z/xinput @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp new file mode 100644 index 000000000..0d6c4d65f --- /dev/null +++ b/apparmor.d/profiles-s-z/xournalpp 
@@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xournalpp
+profile xournalpp @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{open_path} rPx -> child-open-browsers,
+
+ /usr/share/xournalpp/** r,
+
+ /etc/machine-id r,
+ /etc/pipewire/jack.conf.d/ r,
+
+ owner @{user_config_dirs}/xournalpp/{,**} rw,
+ owner @{user_cache_dirs}/xournalpp/{,**} rw,
+
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /dev/snd/controlC@{int} w,
+ /dev/snd/pcmC@{int}D@{int}[cp] w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray
new file mode 100644
index 000000000..79c3104dc
--- /dev/null
+++ b/apparmor.d/profiles-s-z/xray
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/xray
+profile xray @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet raw,
+ network inet6 dgram,
+ network inet6 raw,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/xray/{,*} r,
+ /usr/share/xray/**.dat r,
+ /usr/share/v2ray/**.dat r,
+
+ @{PROC}/sys/net/core/somaxconn r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp
new file mode 100644
index 000000000..4273e803d
--- /dev/null
+++ b/apparmor.d/profiles-s-z/xsane-gimp
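Review bot: The two `/dev/snd/controlC@{int} w,` and `/dev/snd/pcmC@{int}D@{int}[cp] w,` rules grant write-only access to sound devices directly in the profile, and the eight `include` lines at the top are not legible on this page, so I cannot tell whether one of them is the audio abstraction that normally provides this access. If it is, the two `/dev/snd` lines are redundant and should be dropped; if it is not, a write-only grant without `r` on these devices should be confirmed against the actual denials before merging. As a style point, the four `@{sys}/devices/virtual/dmi/id/` rules can be folded into one: `@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r,`.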
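Review bot: The network rules are asymmetric: `network inet stream,` is present but there is no `network inet6 stream,`, so TCP over IPv6 (inbound listener or outbound connection) is denied while IPv6 datagram and raw sockets are allowed. Either add `network inet6 stream,` or, if IPv6 TCP is deliberately excluded, say so in a comment above the block. The three `raw` grants (`inet`, `inet6`, `netlink`) are broad for a user-space proxy; if each is needed only for a specific feature, a one-line comment naming it (`# raw sockets: <feature that needs them>`) would let future reviewers keep the rule set minimal.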
@@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xsane-gimp +profile xsane-gimp @{exec_path} { + include + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + signal receive set=(term, kill) peer=gimp, + + @{exec_path} mr, + + @{system_share_dirs}/gimp/{,**} r, + @{system_share_dirs}/sane/xsane/{,**} r, + @{system_share_dirs}/snmp/mibs/{,**} r, + + /etc/sane.d/{,**} r, + + owner @{HOME}/.sane/{,**} rw, + owner @{tmp}/xsane-*-@{rand6} rw, + + @{sys}/bus/scsi/devices/ r, + @{sys}/devices/@{pci}/{model,type,vendor} r, + + @{PROC}/scsi/scsi r, + @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index 949aa19f7..05b93fed9 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ include profile xsel @{exec_path} { include include + include @{exec_path} mr, @@ -18,9 +19,6 @@ profile xsel @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/xsel.log rw, - owner @{HOME}/.Xauthority r, - owner @{tmp}/xauth-@{int}-_[0-9] r, - # file_inherit owner /dev/tty@{int} rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-s-z/yadifad b/apparmor.d/profiles-s-z/yadifad index c22e3cdd9..15599fa72 100644 --- a/apparmor.d/profiles-s-z/yadifad +++ b/apparmor.d/profiles-s-z/yadifad @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{bin}/yadifad 
@@ -21,14 +23,15 @@ profile yadifad @{exec_path} { @{exec_path} mr, - /etc/yadifa/yadifad.conf r, + /etc/yadifa/* r, /var/log/yadifa/{,**} rw, - owner /var/lib/yadifa/{,**} rw, + owner /var/lib/yadifa/ rw, + owner /var/lib/yadifa/** rwk, - owner @{run}/yadifa/{,*} rw, - owner @{run}/yadifa/yadifad.pid rwk, + owner @{run}/yadifa/ rw, + owner @{run}/yadifa/** rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 85da6bfe0..d0b1c1988 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,13 +13,11 @@ profile youtube-dl @{exec_path} { include include include - include - include + include include include include include - include network inet dgram, network inet6 dgram, @@ -30,7 +28,7 @@ profile youtube-dl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, @@ -38,7 +36,7 @@ profile youtube-dl @{exec_path} { @{bin}/ r, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/git rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/rtmpdump rix, @{bin}/uname rix, @{lib}/git{,-core}/git rix, diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index 1c405e8fe..100ae9985 100644 --- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,7 +24,6 @@ profile youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/infocmp rix, 
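Review bot: `/etc/yadifa/* r,` replaces the single `/etc/yadifa/yadifad.conf r,` with read access to every regular file directly under `/etc/yadifa/`; if key material (for example TSIG or DNSSEC keys) is kept in that directory, the daemon can now read it whether or not it needs to, so a comment naming the files that motivated the glob (`# yadifad.conf and the files it includes`, or similar) would document the widening. The `{,*}` to `**` changes on `/var/lib/yadifa/` and `@{run}/yadifa/` also turn the old non-recursive match into any depth, which looks intended given the added `k`. The yadifad profile body continues outside the hunk.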
@@ -32,12 +31,6 @@ profile youtube-viewer @{exec_path} { @{bin}/wget rCx -> wget, - owner @{user_config_dirs}/youtube-viewer/{,*} rw, - owner @{user_cache_dirs}/youtube-viewer/{,*} rw, - owner @{HOME}/Downloads/youtube-viewer/{,*} rw, - - /etc/inputrc r, - # Players @{bin}/mpv rPUx, @{bin}/vlc rPUx, @@ -45,6 +38,11 @@ profile youtube-viewer @{exec_path} { @{bin}/ffmpeg rPUx, + /etc/inputrc r, + + owner @{user_config_dirs}/youtube-viewer/{,*} rw, + owner @{user_cache_dirs}/youtube-viewer/{,*} rw, + owner @{HOME}/Downloads/youtube-viewer/{,*} rw, profile wget { include @@ -62,6 +60,7 @@ profile youtube-viewer @{exec_path} { owner @{HOME}/.wget-hsts r, owner @{HOME}/wget-log{,.@{int}} rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index c71b87efd..ffa78eda3 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,7 +24,7 @@ profile yt-dlp @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 230e15f80..a76bf0d89 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,10 +24,10 @@ profile ytdl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, /etc/mime.types r, diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura index b055fe31b..5d0d1a745 100644 --- a/apparmor.d/profiles-s-z/zathura +++ b/apparmor.d/profiles-s-z/zathura 
@@ -2,11 +2,11 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/zathura +@{exec_path} = @{bin}/zathura{,-sandbox} profile zathura @{exec_path} { include include @@ -18,11 +18,13 @@ profile zathura @{exec_path} { @{exec_path} mr, /usr/share/file/{,**} r, + /usr/share/poppler/{,**} r, /etc/xdg/{,**} r, /etc/zathurarc r, owner @{user_config_dirs}/zathura/** r, + owner @{user_share_dirs}/zathura/ r, owner @{user_share_dirs}/zathura/** rwk, owner @{tmp}/gtkprint* rw, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index c966ce839..893cead5b 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,11 +10,11 @@ include profile zed @{exec_path} { include include - + capability sys_admin, network netlink raw, - + @{exec_path} mr, @{bin}/{m,g,}awk rix, @@ -23,7 +23,7 @@ profile zed @{exec_path} { @{bin}/diff rix, @{bin}/expr rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/hostname rix, @{bin}/logger rix, @{bin}/ls rix, @@ -46,9 +46,10 @@ profile zed @{exec_path} { owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, - + @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index bc4090be8..f4dc9fc77 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile zenmap @{exec_path} { signal (send) set=(term, kill) peer=nmap, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/nmap rPx, 
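Review bot: The new `owner @{user_share_dirs}/zathura/ r,` grants only read on the directory while the rule beneath it gives `rwk` on its contents; if zathura creates `@{user_share_dirs}/zathura/` itself on first run, creating the directory needs `w` on that path and the rule should be `owner @{user_share_dirs}/zathura/ rw,`. This is inferred from the neighbouring `**` rule, not from a denial shown on the page, so please confirm with a fresh profile. Attaching `@{bin}/zathura{,-sandbox}` to the same profile also means the sandbox variant gets exactly the rights of plain zathura, which is worth a comment if that is intended. The zathura profile body continues outside the hunk.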
diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index 9538b9c13..e28a2e439 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,13 +10,13 @@ include profile zfs @{exec_path} { include include - + capability sys_admin, capability dac_read_search, mount fstype=zfs, umount fstype=zfs, - + @{exec_path} mr, /etc/zfs/zfs-list.cache/{,*} rwk, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 7d12cf3b7..e6033d9d2 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -31,6 +31,7 @@ profile zpool @{exec_path} { @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot index 653690898..799262482 100644 --- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot +++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) { include @{exec_path} mr, - + @{sh_path} rix, @{bin}/cat rix, @{bin}/cp rix, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index c325e216d..42181500b 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,11 +20,11 @@ profile zsysd @{exec_path} flags=(complain) { /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1 - @{bin}/update-grub rPx, + @{sbin}/update-grub rPx, /etc/hostid r, /etc/zsys.conf r, - + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/systemd/notify rw, @@ -37,8 +37,6 @@ profile zsysd @{exec_path} flags=(complain) { @{PROC}/cmdline r, @{PROC}/sys/kernel/spl/hostid r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /dev/pts/@{int} rw, /dev/zfs rw, diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils new file mode 100644 index 000000000..9fed4fefc --- /dev/null +++ b/apparmor.d/tunables/alias.d/coreutils 
@@ -0,0 +1,112 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has
+# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we
+# provide aliases for all the coreutils names to their gnu* counterpart.
+
+ alias /{,usr/}bin/dd -> /usr/bin/gnudd,
+ alias /{,usr/}bin/tee -> /usr/bin/gnutee,
+ alias /{,usr/}bin/paste -> /usr/bin/gnupaste,
+ alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum,
+ alias /{,usr/}bin/env -> /usr/bin/gnuenv,
+ alias /{,usr/}bin/expr -> /usr/bin/gnuexpr,
+ alias /{,usr/}bin/sleep -> /usr/bin/gnusleep,
+ alias /{,usr/}bin/shred -> /usr/bin/gnushred,
+ alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors,
+ alias /{,usr/}bin/nohup -> /usr/bin/gnunohup,
+ alias /{,usr/}bin/stty -> /usr/bin/gnustty,
+ alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum,
+ alias /{,usr/}bin/pr -> /usr/bin/gnupr,
+ alias /{,usr/}bin/nice -> /usr/bin/gnunice,
+ alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc,
+ alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum,
+ alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand,
+ alias /{,usr/}bin/logname -> /usr/bin/gnulogname,
+ alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq,
+ alias /{,usr/}bin/chown -> /usr/bin/gnuchown,
+ alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir,
+ alias /{,usr/}bin/printf -> /usr/bin/gnuprintf,
+ alias /{,usr/}bin/true -> /usr/bin/gnutrue,
+ alias /{,usr/}bin/groups -> /usr/bin/gnugroups,
+ alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv,
+ alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate,
+ alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum,
+ alias /{,usr/}bin/pinky -> /usr/bin/gnupinky,
+ alias /{,usr/}bin/rm -> /usr/bin/gnurm,
+ alias /{,usr/}bin/cat -> /usr/bin/gnucat,
+ alias /{,usr/}bin/tac -> /usr/bin/gnutac,
+ alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum,
+ alias /{,usr/}bin/seq -> /usr/bin/gnuseq,
+ alias /{,usr/}bin/cut -> /usr/bin/gnucut,
+ alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit,
+ alias /{,usr/}bin/split -> /usr/bin/gnusplit,
+ alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath,
+ alias /{,usr/}bin/ptx -> /usr/bin/gnuptx,
+ alias /{,usr/}bin/who -> /usr/bin/gnuwho,
+ alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami,
+ alias /{,usr/}bin/cksum -> /usr/bin/gnucksum,
+ alias /{,usr/}bin/ls -> /usr/bin/gnuls,
+ alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon,
+ alias /{,usr/}bin/arch -> /usr/bin/gnuarch,
+ alias /{,usr/}bin/head -> /usr/bin/gnuhead,
+ alias /{,usr/}bin/date -> /usr/bin/gnudate,
+ alias /{,usr/}bin/wc -> /usr/bin/gnuwc,
+ alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp,
+ alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk,
+ alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo,
+ alias /{,usr/}bin/du -> /usr/bin/gnudu,
+ alias /{,usr/}bin/cp -> /usr/bin/gnucp,
+ alias /{,usr/}bin/tty -> /usr/bin/gnutty,
+ alias /{,usr/}bin/sync -> /usr/bin/gnusync,
+ alias /{,usr/}bin/fold -> /usr/bin/gnufold,
+ alias /{,usr/}bin/users -> /usr/bin/gnuusers,
+ alias /{,usr/}bin/dirname -> /usr/bin/gnudirname,
+ alias /{,usr/}bin/nproc -> /usr/bin/gnunproc,
+ alias /{,usr/}bin/sort -> /usr/bin/gnusort,
+ alias /{,usr/}bin/[ -> /usr/bin/gnu[,
+ alias /{,usr/}bin/base64 -> /usr/bin/gnubase64,
+ alias /{,usr/}bin/od -> /usr/bin/gnuod,
+ alias /{,usr/}bin/tr -> /usr/bin/gnutr,
+ alias /{,usr/}bin/join -> /usr/bin/gnujoin,
+ alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum,
+ alias /{,usr/}bin/false -> /usr/bin/gnufalse,
+ alias /{,usr/}bin/expand -> /usr/bin/gnuexpand,
+ alias /{,usr/}bin/base32 -> /usr/bin/gnubase32,
+ alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod,
+ alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir,
+ alias /{,usr/}bin/factor -> /usr/bin/gnufactor,
+ alias /{,usr/}bin/mknod -> /usr/bin/gnumknod,
+ alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon,
+ alias /{,usr/}bin/basename -> /usr/bin/gnubasename,
+ alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp,
+ alias /{,usr/}bin/sha1sum -> /usr/bin/gnusha1sum,
+ alias /{,usr/}bin/ln -> /usr/bin/gnuln,
+ alias /{,usr/}bin/tsort -> /usr/bin/gnutsort,
+ alias /{,usr/}bin/echo -> /usr/bin/gnuecho,
+ alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout,
+ alias /{,usr/}bin/dir -> /usr/bin/gnudir,
+ alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt,
+ alias /{,usr/}bin/touch -> /usr/bin/gnutouch,
+ alias /{,usr/}bin/mv -> /usr/bin/gnumv,
+ alias /{,usr/}bin/sum -> /usr/bin/gnusum,
+ alias /{,usr/}bin/stat -> /usr/bin/gnustat,
+ alias /{,usr/}bin/yes -> /usr/bin/gnuyes,
+ alias /{,usr/}bin/install -> /usr/bin/gnuinstall,
+ alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink,
+ alias /{,usr/}bin/pwd -> /usr/bin/gnupwd,
+ alias /{,usr/}bin/tail -> /usr/bin/gnutail,
+ alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf,
+ alias /{,usr/}bin/comm -> /usr/bin/gnucomm,
+ alias /{,usr/}bin/shuf -> /usr/bin/gnushuf,
+ alias /{,usr/}bin/uname -> /usr/bin/gnuuname,
+ alias /{,usr/}bin/test -> /usr/bin/gnutest,
+ alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir,
+ alias /{,usr/}bin/link -> /usr/bin/gnulink,
+ alias /{,usr/}bin/df -> /usr/bin/gnudf,
+ alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink,
+ alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid,
+ alias /{,usr/}bin/fmt -> /usr/bin/gnufmt,
+ alias /{,usr/}bin/id -> /usr/bin/gnuid,
+ alias /{,usr/}bin/nl -> /usr/bin/gnunl,
diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d
index c23a8d956..c791f5376 100644
--- a/apparmor.d/tunables/home.d/apparmor.d
+++ b/apparmor.d/tunables/home.d/apparmor.d
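Review bot: The 104 alias rules are in no discernible order, which makes it hard to spot a missing or duplicated utility; sorting them alphabetically would make the file reviewable and diff-friendly. The alias rule grammar in apparmor.d(5) is written in terms of plain absolute paths, so confirm with `apparmor_parser` that the `/{,usr/}bin/` alternation is expanded in an alias and that the unterminated `[` in `alias /{,usr/}bin/[ -> /usr/bin/gnu[,` is accepted literally, since `[` otherwise opens a character class in AppArmor path globs. Because alias rewrites apply to every loaded profile, any profile rule on one of these `@{bin}` names now also matches the `gnu*` twin, which is the intent but deserves a sentence in the header comment, e.g. `# These aliases are global: every profile rule on /usr/bin/<name> also matches /usr/bin/gnu<name>.`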
@@ -11,30 +11,7 @@ # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d -# Extra user personal directories -@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" -@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" -@{XDG_BOOKS_DIR}="Books" -@{XDG_GAMES_DIR}=".games" -@{XDG_PROJECTS_DIR}="Projects" -@{XDG_WORK_DIR}="Work" -@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" -@{XDG_SYNC_DIR}="Sync" -@{XDG_TORRENTS_DIR}="Torrents" -@{XDG_VM_DIR}=".vm" -@{XDG_VM_SHARES_DIR}="VM_Shares" -@{XDG_IMG_DIR}="images" -@{XDG_GAMESSTUDIO_DIR}="unity3d" - -# User personal keyrings -@{XDG_GPG_DIR}=".gnupg" -@{XDG_SSH_DIR}=".ssh" -@{XDG_PASSWORD_STORE_DIR}=".password-store" - -# User personal private directories -@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate" - -# Definition of local user configuration directories +# Define the XDG Base Directory @{XDG_CACHE_DIR}=".cache" @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" 
@@ -42,29 +19,59 @@ @{XDG_BIN_DIR}=".local/bin" @{XDG_LIB_DIR}=".local/lib" -# Full path of the user configuration directories +# Define extended user directories not defined in the XDG standard but commonly +# used in profiles +@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" +@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" +@{XDG_BOOKS_DIR}="Books" +@{XDG_GAMES_DIR}="Games" +@{XDG_PROJECTS_DIR}="Projects" +@{XDG_WORK_DIR}="Work" +@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" +@{XDG_SYNC_DIR}="Sync" +@{XDG_TORRENTS_DIR}="Torrents" +@{XDG_GAMESSTUDIO_DIR}="unity3d" + +# Define user directories for virtual machines, shared folders and disk images +@{XDG_VM_DIR}=".vm" +@{XDG_VMSHARE_DIR}=".vmshare" +@{XDG_IMG_DIR}=".img" + +# Define user build directories and artifacts output +@{XDG_BUILD_DIR}=".build" +@{XDG_PKG_DIR}=".pkg" + +# Define user personal keyrings +@{XDG_GPG_DIR}=".gnupg" +@{XDG_SSH_DIR}=".ssh" +@{XDG_PASSWORDSTORE_DIR}=".password-store" + +# Define user personal private directories +@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate" + +# Full path of the XDG Base Directory @{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR} @{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR} +@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} @{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR} @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR} -@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} - -# User build directories and output -@{user_build_dirs}="/tmp/build/" -@{user_pkg_dirs}="/tmp/pkg/" -@{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ -@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} # Other user directories @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR} -@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} -@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} +@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} 
@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR} @{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR} -@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} -@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} +@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/@{XDG_SYNC_DIR} @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR} @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR} +@{user_vmshare_dirs}=@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR} +@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} +@{user_build_dirs}=@{HOME}/@{XDG_BUILD_DIR} @{MOUNTS}/@{XDG_BUILD_DIR} +@{user_pkg_dirs}=@{HOME}/@{XDG_PKG_DIR} @{MOUNTS}/@{XDG_PKG_DIR} +@{user_gpg_dirs}=@{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/@{XDG_GPG_DIR} +@{user_ssh_dirs}=@{HOME}/@{XDG_SSH_DIR} @{MOUNTS}/@{XDG_SSH_DIR} +@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR} +@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/base b/apparmor.d/tunables/multiarch.d/base new file mode 100644 index 000000000..9661b1e51 --- /dev/null +++ b/apparmor.d/tunables/multiarch.d/base 
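Review bot: `@{XDG_GAMES_DIR}` changes from `.games` to `Games`, and `@{user_build_dirs}`/`@{user_pkg_dirs}` move from `/tmp/build/` and `/tmp/pkg/` to `@{HOME}/.build` and `@{HOME}/.pkg`, so every profile using `@{user_games_dirs}`, `@{user_build_dirs}` or `@{user_pkg_dirs}` silently changes what it allows and users with the old locations lose access. The renames `@{XDG_PASSWORD_STORE_DIR}` to `@{XDG_PASSWORDSTORE_DIR}`, `@{XDG_VM_SHARES_DIR}` to `@{XDG_VMSHARE_DIR}`, `@{user_password_store_dirs}` to `@{user_passwordstore_dirs}` and the dropped `@{user_tmp_dirs}` will make any local override that still uses the old names fail to load; none of this is mentioned in the file, so a short comment listing the renamed and removed variables (or keeping the old names for one release) would help. Separately, the new `@{user_gpg_dirs}` and `@{user_ssh_dirs}` each include a `@{MOUNTS}/` path, so a profile granted these variables can reach key material on mounted media and not only under `@{HOME}`; if that is intended, say so in a comment above those two lines. The removals in this file's first hunk are the counterpart of these additions.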
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Base variables, upstreamed in apparmor 4.1 + +# Any digit +@{d}=[0-9] + +# Any letter +@{l}=[a-zA-Z] + +# Single alphanumeric character +@{c}=[0-9a-zA-Z] + +# Word character: matches any letter, digit or underscore. +@{w}=[a-zA-Z0-9_] + +# Single hexadecimal character +@{h}=[0-9a-fA-F] + +# Integer up to 10 digits (0-9999999999) +@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} + +# hexadecimal, alphanumeric and word up to 64 characters +@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} +@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} +@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} + +# Unsigned 
integer over 8 bits (0...255) +@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] + +# Unsigned integer over 16 bits (0...65,535 5 digits) +@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} + +# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) +@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). +@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Any x digits characters +@{int2}=@{d}@{d} +@{int4}=@{int2}@{int2} +@{int6}=@{int4}@{int2} +@{int8}=@{int4}@{int4} +@{int9}=@{int8}@{d} +@{int10}=@{int8}@{int2} +@{int12}=@{int8}@{int4} +@{int15}=@{int8}@{int4}@{int2}@{d} +@{int16}=@{int8}@{int8} +@{int32}=@{int16}@{int16} +@{int64}=@{int32}@{int32} + +# Any x hexadecimal characters +@{hex2}=@{h}@{h} +@{hex4}=@{hex2}@{hex2} +@{hex6}=@{hex4}@{hex2} +@{hex8}=@{hex4}@{hex4} +@{hex9}=@{hex8}@{h} +@{hex10}=@{hex8}@{hex2} +@{hex12}=@{hex8}@{hex4} 
+@{hex15}=@{hex8}@{hex4}@{hex2}@{h} +@{hex16}=@{hex8}@{hex8} +@{hex32}=@{hex16}@{hex16} +@{hex38}=@{hex32}@{hex6} +@{hex64}=@{hex32}@{hex32} + +# Any x alphanumeric characters +@{rand2}=@{c}@{c} +@{rand4}=@{rand2}@{rand2} +@{rand6}=@{rand4}@{rand2} +@{rand8}=@{rand4}@{rand4} +@{rand9}=@{rand8}@{c} +@{rand10}=@{rand8}@{rand2} +@{rand12}=@{rand8}@{rand4} +@{rand15}=@{rand8}@{rand4}@{rand2}@{c} +@{rand16}=@{rand8}@{rand8} +@{rand32}=@{rand16}@{rand16} +@{rand64}=@{rand32}@{rand32} + +# Any x word characters +@{word2}=@{w}@{w} +@{word4}=@{word2}@{word2} +@{word6}=@{word4}@{word2} +@{word8}=@{word4}@{word4} +@{word9}=@{word8}@{w} +@{word10}=@{word8}@{word2} +@{word12}=@{word8}@{word4} +@{word15}=@{word8}@{word4}@{word2}@{w} +@{word16}=@{word8}@{word8} +@{word32}=@{word16}@{word16} +@{word64}=@{word32}@{word32} diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions new file mode 100644 index 000000000..d7f7450aa --- /dev/null +++ b/apparmor.d/tunables/multiarch.d/extensions 
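Review bot: As rendered here, `@{u16}` has a stray `[` in its third alternative, `[1-9][@{d}@{d}`, which opens an unterminated character class, so three-digit values would not match as intended or the variable may fail to compile; the line should read `+@{u16}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}}`. Please check the actual file in case this is a rendering artefact of the page. The top alternatives of `@{u16}` and `@{u32}` (`[1-6]` plus four digits, `[1-4]` plus nine digits) over-approximate the ranges stated in their comments (they accept up to 69999 and 4999999999), which is acceptable for a glob but the comments say "0...65,535" and "0...4,294,967,295"; adding "approximately" to those two comments would avoid surprising readers.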
@@ -0,0 +1,651 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +# Define commonly used extensions + +# All variables that refer to an extension must have the `_ext` suffix. + +# Packages +@{package_ext} = [aA][bB][bB] # abb +@{package_ext} += [aA][pP][kK] # apk +@{package_ext} += [aA][pP][pP][xX] # appx +@{package_ext} += [aA][pP][pP][xX][bB][uU][nN][dD][lL][eE] # appxbundle +@{package_ext} += [cC][rR][xX] # crx +@{package_ext} += [dD][eE][bB] # deb +@{package_ext} += [eE][mM][sS][iI][xX] # emsix +@{package_ext} += [eE][mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] # emsixbundle +@{package_ext} += [jJ][aA][rR] # jar +@{package_ext} += [mM][pP][kK][gG] # mpkg +@{package_ext} += [mM][sS][iI] # msi +@{package_ext} += [mM][sS][iI][xX] # msix +@{package_ext} += [mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] # msixbundle +@{package_ext} += [pP][kK][gG] # pkg +@{package_ext} += [pP][kK][gG].[tT][aA][rR]{,[zZ][sS][tT]} # pkg.tar{,.zst} +@{package_ext} += [rR][pP][mM] # rpm +@{package_ext} += [tT][gG][zZ] # tgz + +# Disk images +@{diskimage_ext} = [aA][dD][fF] # adf +@{diskimage_ext} += [aA][dD][zZ] # adz +@{diskimage_ext} += [bB][wW][tT] # bwt +@{diskimage_ext} += [cC][iI][fF] # cif +@{diskimage_ext} += [cC][uU][eE] # cue +@{diskimage_ext} += [cC][dD][iI] # cdi +@{diskimage_ext} += [bB]5[tT] # b5t +@{diskimage_ext} += [bB]6[tT] # b6t +@{diskimage_ext} += [dD][aA][aA] # daa +@{diskimage_ext} += [dD][mM][gG] # dmg +@{diskimage_ext} += [dD][mM][sS] # dms +@{diskimage_ext} += [dD][sS][kK] # dsk +@{diskimage_ext} += [dD]64 # d64 +@{diskimage_ext} += [iI][sS][oO] # iso +@{diskimage_ext} += [iI][mM][gG] # img +@{diskimage_ext} += [iI][mM][aA] # ima +@{diskimage_ext} += [nN][rR][gG] # nrg +@{diskimage_ext} += [mM][dD][fF] # mdf +@{diskimage_ext} += [mM][dD][sS] # mds +@{diskimage_ext} += [mM][dD][xX] # mdx +@{diskimage_ext} += [pP][aA][rR][tT][iI][mM][gG] # partimg 
+@{diskimage_ext} += [sS][dD][iI] # sdi +@{diskimage_ext} += [wW][iI][mM] # wim +@{diskimage_ext} += [sS][wW][mM] # swm +@{diskimage_ext} += [eE][sS][dD] # esd + +# Archives +@{archive_ext} = @{diskimage_ext} @{package_ext} +@{archive_ext} += ??_ # ??_ +@{archive_ext} += ?[qQ]? # ?q? +@{archive_ext} += ?[zZ]? # ?z? +@{archive_ext} += [aA] # a +@{archive_ext} += [aA][aA][rR] # aar +@{archive_ext} += [aA][cC][eE] # ace +@{archive_ext} += [aA][fF][aA] # afa +@{archive_ext} += [aA][lL][zZ] # alz +@{archive_ext} += [aA][rR] # ar +@{archive_ext} += [aA][rR][cC] # arc +@{archive_ext} += [aA][rR][jJ] # arj +@{archive_ext} += [bB][aA][hH] # bah +@{archive_ext} += [bB][aA][rR] # bar +@{archive_ext} += [bB][rR] # br +@{archive_ext} += [bB][zZ]2 # bz2 +@{archive_ext} += [bB]1 # b1 +@{archive_ext} += [bB]6[zZ] # b6z +@{archive_ext} += [cC][aA][bB] # cab +@{archive_ext} += [cC][aA][rR] # car +@{archive_ext} += [cC][dD][xX] # cdx +@{archive_ext} += [cC][fF][sS] # cfs +@{archive_ext} += [cC][pP][iI][oO] # cpio +@{archive_ext} += [dD][aA][rR] # dar +@{archive_ext} += [dD][gG][cC] # dgc +@{archive_ext} += [eE][aA][rR] # ear +@{archive_ext} += [gG][cC][aA] # gca +@{archive_ext} += [gG][eE][nN][oO][zZ][iI][pP] # genozip +@{archive_ext} += [gG][zZ] # gz +@{archive_ext} += [hH][aA] # ha +@{archive_ext} += [hH][kK][iI] # hki +@{archive_ext} += [iI][cC][eE] # ice +@{archive_ext} += [iI][oO] # io +@{archive_ext} += [kK][gG][bB] # kgb +@{archive_ext} += [lL][bB][rR] # lbr +@{archive_ext} += [lL][hH][aA] # lha +@{archive_ext} += [lL][pP][aA][qQ]@{int} # lpaq@{int} +@{archive_ext} += [lL][zZ] # lz +@{archive_ext} += [lL][zZ][hH] # lzh +@{archive_ext} += [lL][zZ][mM][aA] # lzma +@{archive_ext} += [lL][zZ][oO] # lzo +@{archive_ext} += [lL][zZ][xX] # lzx +@{archive_ext} += [mM][aA][rR] # mar +@{archive_ext} += [pP][aA][kK] # pak +@{archive_ext} += [pP][aA][qQ]@{int} # paq@{int} +@{archive_ext} += [pP][aA][rR] # par +@{archive_ext} += [pP][aA][rR]2 # par2 +@{archive_ext} += [pP][aA][xX] # pax 
+@{archive_ext} += [pP][eE][aA] # pea +@{archive_ext} += [pP][hH][aA][rR] # phar +@{archive_ext} += [pP][iI][mM] # pim +@{archive_ext} += [pP][iI][tT] # pit +@{archive_ext} += [pP][kK][aA] # pka +@{archive_ext} += [pP][mM][aA] # pma +@{archive_ext} += [pP][sS][tT] # pst +@{archive_ext} += [qQ][dD][aA] # qda +@{archive_ext} += [rR][aA][rR] # rar +@{archive_ext} += [rR][kK] # rk +@{archive_ext} += [rR][uU][nN] # run +@{archive_ext} += [rR][zZ] # rz +@{archive_ext} += [rR]@{int} # r@{int} +@{archive_ext} += [sS][bB][xX] # sbx +@{archive_ext} += [sS][dD][aA] # sda +@{archive_ext} += [sS][eE][aA] # sea +@{archive_ext} += [sS][eE][nN] # sen +@{archive_ext} += [sS][fF][aA][rR][kK] # sfark +@{archive_ext} += [sS][fF][xX] # sfx +@{archive_ext} += [sS][hH][aA][rR] # shar +@{archive_ext} += [sS][hH][kK] # shk +@{archive_ext} += [sS][iI][tT] # sit +@{archive_ext} += [sS][iI][tT][xX] # sitx +@{archive_ext} += [sS][qQ][sS] # sqs +@{archive_ext} += [sS][zZ] # sz +@{archive_ext} += [sS]7[zZ] # s7z +@{archive_ext} += [tT][aA][rR] # tar +@{archive_ext} += [tT][aA][rR].[bB][zZ]2 # tar.bz2 +@{archive_ext} += [tT][aA][rR].[gG][zZ] # tar.gz +@{archive_ext} += [tT][aA][rR].[lL][zZ] # tar.lz +@{archive_ext} += [tT][aA][rR].[lL][zZ][mM][aA] # tar.lzma +@{archive_ext} += [tT][aA][rR].[xX][zZ] # tar.xz +@{archive_ext} += [tT][aA][rR].[zZ] # tar.z +@{archive_ext} += [tT][aA][rR].[zZ][sS][tT] # tar.zst +@{archive_ext} += [tT][gG][zZ] # tgz +@{archive_ext} += [tT][lL][zZ] # tlz +@{archive_ext} += [tT][xX][zZ] # txz +@{archive_ext} += [uU][cC] # uc +@{archive_ext} += [uU][cC][aA] # uca +@{archive_ext} += [uU][cC][nN] # ucn +@{archive_ext} += [uU][cC]0 # uc0 +@{archive_ext} += [uU][cC]2 # uc2 +@{archive_ext} += [uU][eE]2 # ue2 +@{archive_ext} += [uU][hH][aA] # uha +@{archive_ext} += [uU][rR]2 # ur2 +@{archive_ext} += [wW][aA][rR] # war +@{archive_ext} += [xX][aA][rR] # xar +@{archive_ext} += [xX][pP]3 # xp3 +@{archive_ext} += [xX][zZ] # xz +@{archive_ext} += [yY][zZ]1 # yz1 +@{archive_ext} += 
[zZ][iI][pP] # zip +@{archive_ext} += [zZ][iI][pP][xX] # zipx +@{archive_ext} += [zZ][oO][oO] # zoo +@{archive_ext} += [zZ][pP][aA][qQ] # zpaq +@{archive_ext} += [zZ][sS][tT] # zst +@{archive_ext} += [zZ][zZ] # zz +@{archive_ext} += 7[zZ] # 7z + +# Audio +@{audio_ext} = [aA][aA][cC] # aac +@{audio_ext} += [aA][aA][lL] # aal +@{audio_ext} += [aA][aA]3 # aa3 +@{audio_ext} += [aA][cC][nN] # acn +@{audio_ext} += [aA][cC]3 # ac3 +@{audio_ext} += [aA][dD][tT][sS] # adts +@{audio_ext} += [aA][iI][fF] # aif +@{audio_ext} += [aA][iI][fF][cC] # aifc +@{audio_ext} += [aA][iI][fF][fF] # aiff +@{audio_ext} += [aA][lL][aA][cC] # alac +@{audio_ext} += [aA][mM][rR] # amr +@{audio_ext} += [aA][sS][sS] # ass +@{audio_ext} += [aA][tT][xX] # atx +@{audio_ext} += [aA][uU] # au +@{audio_ext} += [aA][wW][bB] # awb +@{audio_ext} += [aA][xX][aA] # axa +@{audio_ext} += [dD][lL][sS] # dls +@{audio_ext} += [dD][tT][sS] # dts +@{audio_ext} += [dD][tT][sS][hH][dD] # dtshd +@{audio_ext} += [eE][cC][eE][lL][pP]4800 # ecelp4800 +@{audio_ext} += [eE][cC][eE][lL][pP]7470 # ecelp7470 +@{audio_ext} += [eE][cC][eE][lL][pP]9600 # ecelp9600 +@{audio_ext} += [eE][nN][wW] # enw +@{audio_ext} += [eE][oO][lL] # eol +@{audio_ext} += [eE][vV][bB] # evb +@{audio_ext} += [eE][vV][cC] # evc +@{audio_ext} += [eE][vV][wW] # wvw +@{audio_ext} += [fF][lL][aA][cC] # flac +@{audio_ext} += [kK][aA][rR] # kar +@{audio_ext} += [kK][oO][zZ] # koz +@{audio_ext} += [lL][bB][cC] # lbc +@{audio_ext} += [lL][oO][aA][sS] # loas +@{audio_ext} += [lL][vV][pP] # lvp +@{audio_ext} += [lL]16 # l16 +@{audio_ext} += [mM][eE][dD] # med +@{audio_ext} += [mM][hH][aA][sS] # mhas +@{audio_ext} += [mM][iI][dD] # mid +@{audio_ext} += [mM][iI][dD][iI] # midi +@{audio_ext} += [mM][kK][aA] # mka +@{audio_ext} += [mM][lL][pP] # mlp +@{audio_ext} += [mM][oO][dD] # mod +@{audio_ext} += [mM][pP][gG][aA] # mpga +@{audio_ext} += [mM][pP]1 # mp1 +@{audio_ext} += [mM][pP]2 # mp2 +@{audio_ext} += [mM][pP]3 # mp3 +@{audio_ext} += [mM][tT][mM] # mtm 
+@{audio_ext} += [mM][uU][lL][tT][iI][tT][rR][aA][cC][kK] # multitrack +@{audio_ext} += [mM][xX][mM][fF] # mxmf +@{audio_ext} += [mM]15 # m15 +@{audio_ext} += [mM]3[uU] # m3u +@{audio_ext} += [mM]4[aA] # m4a +@{audio_ext} += [oO][gG] # og +@{audio_ext} += [oO][gG][aA] # oga +@{audio_ext} += [oO][mM][gG] # omg +@{audio_ext} += [oO][pP][uU][sS] # opus +@{audio_ext} += [pP][lL][jJ] # plj +@{audio_ext} += [pP][sS][iI][dD] # psid +@{audio_ext} += [pP][yY][aA] # pya +@{audio_ext} += [qQ][cC][pP] # qcp +@{audio_ext} += [rR][aA] # ra +@{audio_ext} += [rR][aA][mM] # ram +@{audio_ext} += [rR][iI][pP] # rip +@{audio_ext} += [rR][mM] # rm +@{audio_ext} += [sS][iI][dD] # sid +@{audio_ext} += [sS][mM][pP] # smp +@{audio_ext} += [sS][mM][pP]3 # smp3 +@{audio_ext} += [sS][mM][vV] # smv +@{audio_ext} += [sS][nN][dD] # snd +@{audio_ext} += [sS][oO][fF][aA] # sofa +@{audio_ext} += [sS][pP][xX] # spx +@{audio_ext} += [sS][tT][mM] # stm +@{audio_ext} += [sS]1[mM] # s1m +@{audio_ext} += [sS]3[mM] # s3m +@{audio_ext} += [uU][lL][tT] # ult +@{audio_ext} += [uU][nN][iI] # uni +@{audio_ext} += [uU][vV][aA] # uva +@{audio_ext} += [uU][vV][vV][aA] # uvva +@{audio_ext} += [vV][bB][kK] # vbk +@{audio_ext} += [wW][aA][vV] # wav +@{audio_ext} += [wW][aA][xX] # wax +@{audio_ext} += [wW][mM][aA] # wma +@{audio_ext} += [xX][hH][eE] # xhe +@{audio_ext} += 669 # 669 + +# Lyrics +@{lyrics_ext} = [lL][rR][cC] # lrc +@{lyrics_ext} += [lL][yY][rR][iI][cC] # lyric + +# Videos +@{video_ext} = [aA][sS][xX] # asx +@{video_ext} += [aA][vV][iI] # avi +@{video_ext} += [aA][xX][vV] # axv +@{video_ext} += [bB][iI][kK] # bik +@{video_ext} += [bB][kK]2 # bk2 +@{video_ext} += [dD][vV][bB] # dvb +@{video_ext} += [fF][lL][vV] # flv +@{video_ext} += [fF][vV][tT] # fvt +@{video_ext} += [fF][xX][mM] # fxm +@{video_ext} += [mM][jJ][pP]2 # mjp2 +@{video_ext} += [mM][jJ]2 # mj2 +@{video_ext} += [mM][kK][vV] # mkv +@{video_ext} += [mM][kK]3[dD] # mk3d +@{video_ext} += [mM][oO][vV] # mov +@{video_ext} += [mM][pP][eE] # mpe 
+@{video_ext} += [mM][pP][eE][gG] # mpeg +@{video_ext} += [mM][pP][gG] # mpg +@{video_ext} += [mM][pP][gG]4 # mpg4 +@{video_ext} += [mM][pP]4 # mp4 +@{video_ext} += [mM][xX][uU] # mxu +@{video_ext} += [mM]1[vV] # m1v +@{video_ext} += [mM]2[vV] # m2v +@{video_ext} += [mM]4[sS] # m4s +@{video_ext} += [mM]4[uU] # m4u +@{video_ext} += [mM]4[vV] # m4v +@{video_ext} += [nN][iI][mM] # nim +@{video_ext} += [oO][gG][vV] # ogv +@{video_ext} += [pP][yY][vV] # pyv +@{video_ext} += [qQ][tT] # qt +@{video_ext} += [sS][mM][kK] # smk +@{video_ext} += [sS][mM][oO] # smo +@{video_ext} += [sS][mM][pP][gG] # smpg +@{video_ext} += [sS][sS][mM][oO][vV] # ssmov +@{video_ext} += [sS][sS][wW][fF] # sswf +@{video_ext} += [sS]1[qQ] # s1q +@{video_ext} += [sS]11 # s11 +@{video_ext} += [sS]14 # s14 +@{video_ext} += [uU][vV][hH] # uvh +@{video_ext} += [uU][vV][mM] # uvm +@{video_ext} += [uU][vV][pP] # uvp +@{video_ext} += [uU][vV][sS] # uvs +@{video_ext} += [uU][vV][uU] # uvu +@{video_ext} += [uU][vV][vV][hH] # uvvh +@{video_ext} += [uU][vV][vV][mM] # uvvm +@{video_ext} += [uU][vV][vV][pP] # uvvp +@{video_ext} += [uU][vV][vV][sS] # uvvs +@{video_ext} += [uU][vV][vV][uU] # uvvu +@{video_ext} += [uU][vV][vV][vV] # uvv +@{video_ext} += [vV][iI][vV] # viv +@{video_ext} += [wW][eE][bB][mM] # webm +@{video_ext} += [wW][mM] # wm +@{video_ext} += [wW][mM][vV] # wmv +@{video_ext} += [wW][mM][xX] # wmx +@{video_ext} += [wW][vV][xX] # wvx +@{video_ext} += [yY][tT] # yt +@{video_ext} += 3[gG][pP] # 3gp +@{video_ext} += 3[gG][pP][pP] # 3gpp +@{video_ext} += 3[gG][pP][pP]2 # 3gpp2 +@{video_ext} += 3[gG]2 # 3g2 + +# Subtitles +@{subtitles_ext} = [aA][qQ][tT] # aqt +@{subtitles_ext} += [aA][sS][sS] # ass +@{subtitles_ext} += [gG][sS][uU][bB] # gsub +@{subtitles_ext} += [uU][sS][fF] # usf +@{subtitles_ext} += [pP][aA][cC] # pac +@{subtitles_ext} += [pP][jJ][sS] # pjs +@{subtitles_ext} += [pP][sS][bB] # psb +@{subtitles_ext} += [rR][tT] # rt +@{subtitles_ext} += [sS][bB][vV] # sbv +@{subtitles_ext} += 
[sS][mM][iI] # smi +@{subtitles_ext} += [sS][rR][tT] # srt +@{subtitles_ext} += [sS][sS][aA] # ssa +@{subtitles_ext} += [sS][sS][fF] # ssf +@{subtitles_ext} += [sS][tT][lL] # stl +@{subtitles_ext} += [sS][uU][bB] # sub +@{subtitles_ext} += [tT][t][mM][lL] # ttml +@{subtitles_ext} += [tT][t][xX][tT] # ttxt +@{subtitles_ext} += [vV][tT][t] # vtt + +# Images +@{image_ext} = [aA][pP][nN][gG] # apng +@{image_ext} += [aA][vV][cC][iI] # avci +@{image_ext} += [aA][vV][cC][sS] # avcs +@{image_ext} += [aA][vV][iI][fF] # avif +@{image_ext} += [aA][zZ][vV] # azv +@{image_ext} += [bB][mM][pP] # bmp +@{image_ext} += [bB][tT][fF] # btf +@{image_ext} += [bB][tT][iI][fF] # btif +@{image_ext} += [bB]16 # b16 +@{image_ext} += [cC][gG][mM] # cgm +@{image_ext} += [dD][iI][bB] # dib +@{image_ext} += [dD][jJ][vV] # djv +@{image_ext} += [dD][jJ][vV][uU] # djvu +@{image_ext} += [dD][pP][xX] # dpx +@{image_ext} += [dD][rR][lL][eE] # drle +@{image_ext} += [dD][wW][gG] # dwg +@{image_ext} += [dD][xX][fF] # dxf +@{image_ext} += [eE][mM][fF] # emf +@{image_ext} += [eE][xX][rR] # exr +@{image_ext} += [fF][bB][sS] # fbs +@{image_ext} += [fF][iI][tT] # fit +@{image_ext} += [fF][iI][tT][sS] # fits +@{image_ext} += [fF][pP][xX] # fpx +@{image_ext} += [fF][sS][tT] # fst +@{image_ext} += [fF][tT][sS] # fts +@{image_ext} += [gG][iI][fF] # gif +@{image_ext} += [hH][dD][rR] # hdr +@{image_ext} += [hH][eE][iI][cC] # heic +@{image_ext} += [hH][eE][iI][cC][sS][hH][eE][iI][fF] # heics +@{image_ext} += [hH][eE][iI][fF][sS] # heif +@{image_ext} += [hH][eE][jJ]2 # heifs +@{image_ext} += [hH][iI][fF] # hif +@{image_ext} += [hH][sS][jJ]2 # hsj2 +@{image_ext} += [iE][eE][fF] # ief +@{image_ext} += [iI][cC][oO] # ico +@{image_ext} += [jJ][fF][iI][fF] # jfif +@{image_ext} += [jJ][hH][cC] # jhc +@{image_ext} += [jJ][lL][sS] # jls +@{image_ext} += [jJ][pP][eE][gG] # jpeg +@{image_ext} += [jJ][pP][fF] # jpf +@{image_ext} += [jJ][pP][gG] # jpg +@{image_ext} += [jJ][pP][gG][mM] # jpgm +@{image_ext} += [jJ][pP][gG]2 # 
jpg2 +@{image_ext} += [jJ][pP][hH] # jph +@{image_ext} += [jJ][pP][mM] # jpm +@{image_ext} += [jJ][pP][xX] # jpx +@{image_ext} += [jJ][pP]2 # jp2 +@{image_ext} += [jJ][xX][lL] # jxl +@{image_ext} += [jJ][xX][rR] # jxr +@{image_ext} += [jJ][xX][rR][aA] # jxra +@{image_ext} += [jJ][xX][rR][sS] # jxrs +@{image_ext} += [jJ][xX][sS][cC] # jxsc +@{image_ext} += [jJ][xX][sS][iI] # jxsi +@{image_ext} += [jJ][xX][sS][sS] # jxss +@{image_ext} += [kK][tT][xX] # ktx +@{image_ext} += [kK][tT][xX]2 # ktx2 +@{image_ext} += [mM][dD][iI] # mdi +@{image_ext} += [mM][mM][rR] # mmr +@{image_ext} += [pP][bB][mM] # pbm +@{image_ext} += [pP][cC][xX] # pcx +@{image_ext} += [pP][gG][bB] # pgb +@{image_ext} += [pP][gG][mM] # pgm +@{image_ext} += [pP][nN][gG] # png +@{image_ext} += [pP][nN][mM] # pnm +@{image_ext} += [pP][pP][mM] # ppm +@{image_ext} += [pP][sS][dD] # psd +@{image_ext} += [pP][sS][dD][cC] # psdc +@{image_ext} += [pP][tT][iI] # pti +@{image_ext} += [rR][aA][sS] # ras +@{image_ext} += [rR][gG][bB] # rgb +@{image_ext} += [rR][gG][bB][eE] # rgbe +@{image_ext} += [rR][lL][cC] # rlc +@{image_ext} += [sS][gG][iI] # sgi +@{image_ext} += [sS][gG]1[gG] # s1g +@{image_ext} += [sS][jJ][pP] # sjp +@{image_ext} += [sS][jJ][pP][gG] # sjpg +@{image_ext} += [sS][pP][nN] # spn +@{image_ext} += [sS][pP][nN][gG] # spng +@{image_ext} += [sS][vV][gG] # svg +@{image_ext} += [sS][vV][gG][zZ] # svgz +@{image_ext} += [sS]1[jJ] # s1j +@{image_ext} += [sS]1[nN] # s1n +@{image_ext} += [tT][aA][pP] # tap +@{image_ext} += [tT][gG][aA] # tga +@{image_ext} += [tT][iI][fF] # tif +@{image_ext} += [tT][iI][fF][fF] # tiff +@{image_ext} += [tT]38 # t38 +@{image_ext} += [uU][vV][gG] # uvg +@{image_ext} += [uU][vV][iI] # uvi +@{image_ext} += [uU][vV][vV][gG] # uvvg +@{image_ext} += [uU][vV][vV][iI] # uvvi +@{image_ext} += [vV][bB][mM] # vtf +@{image_ext} += [wW][eE][bB][pP] # webp +@{image_ext} += [wW][mM][fF] # wmf +@{image_ext} += [xX][bB][mM] # xbm +@{image_ext} += [xX][cC][fF] # xcf +@{image_ext} += 
[xX][iI][fF] # xif +@{image_ext} += [xX][pP][mM] # xpm +@{image_ext} += [xX][wW][dD] # xwd +@{image_ext} += [xX][yY][zZ][eE] # xyze + +# Models +@{model_ext} = [bB][aA][rR][yY] # bary +@{model_ext} += [bB][sS][pP] # bsp +@{model_ext} += [cC][lL][dD] # cld +@{model_ext} += [dD][aA][eE] # dae +@{model_ext} += [dD][oO][rR] # dor +@{model_ext} += [dD][wW][fF] # dwf +@{model_ext} += [gG][lL][bB] # glb +@{model_ext} += [gG][lL][dD] # gld +@{model_ext} += [gG][lL][tT][fF] # gltf +@{model_ext} += [gG][sS][mM] # gsm +@{model_ext} += [gG][tT][wW] # gtw +@{model_ext} += [iI][gG][eE][sS] # iges +@{model_ext} += [iI][gG][sS] # igs +@{model_ext} += [iI][sS][mM] # ism +@{model_ext} += [jJ][tT] # jt +@{model_ext} += [lL][mM][pP] # lmp +@{model_ext} += [mM][eE][sS][hH] # mesh +@{model_ext} += [mM][oO][mM][lL] # moml +@{model_ext} += [mM][sS][hH] # msh +@{model_ext} += [mM][sS][mM] # msm +@{model_ext} += [mM][tT][lL] # mtl +@{model_ext} += [mM][tT][sS] # mts +@{model_ext} += [oO][bB][jJ] # obj +@{model_ext} += [oO][gG][eE][xX] # ogex +@{model_ext} += [pP][yY][oO] # pyo +@{model_ext} += [pP][yY][oO][xX] # pyox +@{model_ext} += [rR][sS][mM] # rsm +@{model_ext} += [sS][iI][lL][oO] # silo +@{model_ext} += [sS][tT][lL] # stl +@{model_ext} += [sS][tT][pP][xX] # stpx +@{model_ext} += [sS][tT][pP][xX][zZ] # stpxz +@{model_ext} += [uU][sS][dD][aA] # usda +@{model_ext} += [uU][sS][dD][zZ] # usdz +@{model_ext} += [uU]3[dD] # u3d +@{model_ext} += [vV][dD][sS] # vds +@{model_ext} += [vV][rR][mM][lL] # vrml +@{model_ext} += [vV][tT][uU] # vtu +@{model_ext} += [wW][iI][nN] # win +@{model_ext} += [wW][rR][lL] # wrl +@{model_ext} += [xX]_[bB] # x_b +@{model_ext} += [xX]_[tT] # x_t +@{model_ext} += [xX][mM][tT]_[bB][iI][nN] # xmt_bin +@{model_ext} += [xX][mM][tT]_[tT][xX][tT] # xmt_txt +@{model_ext} += [xX]3[dD][bB] # x3db +@{model_ext} += [xX]3[dD][vV] # x3dv +@{model_ext} += [xX]3[dD][vV][zZ] # x3dvz + +# Fonts +@{font_ext} = [tT][tT][cC] # ttc +@{font_ext} += [tT][tT][fF] # ttf +@{font_ext} += 
[oO][tT][fF] # otf +@{font_ext} += [wW][oO][fF] # woff +@{font_ext} += [wW][oO][fF]2 # woff2 + +# Documents +@{document_ext} = [aA][dD][xX] # adx +@{document_ext} += [cC][dD][fF] # cdf +@{document_ext} += [dD][oO][cC] # doc +@{document_ext} += [dD][oO][cC][mM] # docm +@{document_ext} += [dD][oO][cC][xX] # docx +@{document_ext} += [dD][oO][tT] # dot +@{document_ext} += [dD][oO][tT][xX] # dotx +@{document_ext} += [fF][nN][iI] # fni +@{document_ext} += [fF][oO][dD][gG] # fodg +@{document_ext} += [fF][oO][dD][pP] # fodp +@{document_ext} += [fF][oO][dD][sS] # fods +@{document_ext} += [fF][oO][dD][tT] # fodt +@{document_ext} += [iI][nN][fF][oO] # info +@{document_ext} += [lL][aA][tT][eE][xX] # latex +@{document_ext} += [mM][dD][iI] # mdi +@{document_ext} += [oO][dD][bB] # odb +@{document_ext} += [oO][dD][cC] # odc +@{document_ext} += [oO][dD][fF] # odf +@{document_ext} += [oO][dD][gG] # odg +@{document_ext} += [oO][dD][iI] # odi +@{document_ext} += [oO][dD][mM] # odm +@{document_ext} += [oO][dD][pP] # odp +@{document_ext} += [oO][dD][sS] # ods +@{document_ext} += [oO][dD][tT] # odt +@{document_ext} += [oO][tT][cC] # otc +@{document_ext} += [oO][tT][fF] # otf +@{document_ext} += [oO][tT][gG] # otg +@{document_ext} += [oO][tT][hH] # oth +@{document_ext} += [oO][tT][iI] # oti +@{document_ext} += [oO][tT][pP] # otp +@{document_ext} += [oO][tT][sS] # ots +@{document_ext} += [oO][tT][tT] # ott +@{document_ext} += [oO][xX][tT] # oxt +@{document_ext} += [pP][aA][gG][eE][sS] # pages +@{document_ext} += [pP][dD][fF] # pdf +@{document_ext} += [pP][pP][tT][sS] # ppts +@{document_ext} += [pP][pP][tT][xX] # pptx +@{document_ext} += [sS][tT][cC] # stc +@{document_ext} += [sS][tT][dD] # std +@{document_ext} += [sS][tT][iI] # sti +@{document_ext} += [sS][tT][wW] # stw +@{document_ext} += [sS][xX][cC] # sxc +@{document_ext} += [sS][xX][dD] # sxd +@{document_ext} += [sS][xX][gG][sS][xX][iI] # sxgsxi +@{document_ext} += [sS][xX][mM] # sxm +@{document_ext} += [sS][xX][wW] # sxw 
+@{document_ext} += [tT][eE][xX] # tex +@{document_ext} += [tT][eE][xX][iI] # texi +@{document_ext} += [tT][eE][xX][iI][nN][fF][oO] # texinfo +@{document_ext} += [xX][lL][sS] # xls +@{document_ext} += [xX][lL][sS][bB] # xlsb +@{document_ext} += [xX][lL][sS][mM] # xlsm +@{document_ext} += [xX][lL][sS][xX] # xlsx +@{document_ext} += [xX][oO][dD][pP] # xodp +@{document_ext} += [xX][oO][dD][sS] # xods +@{document_ext} += [xX][oO][dD][tT] # xodt +@{document_ext} += [xX][oO][tT][pP] # xotp +@{document_ext} += [xX][oO][tT][sS] # xots +@{document_ext} += [xX][oO][tT][tT] # xott +@{document_ext} += [xX][pP][sS] # xps + +# Texts +@{text_ext} = [aA][pP][pP][cC][aA][cC][hH][eE] # appcache +@{text_ext} += [aA] # a +@{text_ext} += [aA][bB][cC] # abc +@{text_ext} += [aA][sS][cC] # asc +@{text_ext} += [aA][sS][cC][iI][iI] # ascii +@{text_ext} += [cC] # c +@{text_ext} += [cC][cC] # cc +@{text_ext} += [cC][cC][cC] # ccc +@{text_ext} += [cC][nN][dD] # cnd +@{text_ext} += [cC][oO][nN][fF] # conf +@{text_ext} += [cC][oO][pP][yY][rR][iI][gG][hH][tT] # copyright +@{text_ext} += [cC][qQ][lL] # cql +@{text_ext} += [cC][sS][sS] # css +@{text_ext} += [cC][sS][vV] # csv +@{text_ext} += [cC][sS][vV][sS] # csvs +@{text_ext} += [cC][xX][xX] # cxx +@{text_ext} += [dD][mM][sS] # dms +@{text_ext} += [dD][oO][tT] # dot +@{text_ext} += [dD][sS][cC] # dsc +@{text_ext} += [eE][lL] # el +@{text_ext} += [eE][nN][tT] # ent +@{text_ext} += [eE][tT][xX] # etx +@{text_ext} += [fF][lL][tT] # flt +@{text_ext} += [fF][lL][xX] # flx +@{text_ext} += [fF][lL][yY] # fly +@{text_ext} += [fF]90 # f90 +@{text_ext} += [gG][eE][dD] # ged +@{text_ext} += [gG][fF][fF]3 # gff3 +@{text_ext} += [gG][vV] # gv +@{text_ext} += [hH] # h +@{text_ext} += [hH][aA][nN][sS] # hans +@{text_ext} += [hH][gG][lL] # hgl +@{text_ext} += [hH][hH] # hh +@{text_ext} += [hH][tT][mM] # htm +@{text_ext} += [hH][tT][mM][lL] # html +@{text_ext} += [hH][xX][xX] # hxx +@{text_ext} += [iI][cC][sS] # ics +@{text_ext} += [iI][fF][bB] # ifb +@{text_ext} 
+= [jJ][aA][dD] # jad +@{text_ext} += [jJ][sS] # js +@{text_ext} += [jJ][tT][dD] # jtd +@{text_ext} += [lL][oO][gG] # log +@{text_ext} += [mM][aA][nN][iI][fF][eE][sS][tT] # manifest +@{text_ext} += [mM][aA][rR][kK][dD][oO][wW][nN] # markdown +@{text_ext} += [mM][cC]2 # mc2 +@{text_ext} += [mM][dD] # md +@{text_ext} += [mM][iI][zZ] # miz +@{text_ext} += [mM][jJ][sS] # mjs +@{text_ext} += [mM][pP][fF] # mpf +@{text_ext} += [nN]3 # n3 +@{text_ext} += [pP][mM] # pm +@{text_ext} += [pP][oO][dD] # pod +@{text_ext} += [pP][rR][oO][vV][nN] # provn +@{text_ext} += [rR][nN][gG] # rng +@{text_ext} += [rR][oO][fF][fF] # roff +@{text_ext} += [rR][sS][tT] # rst +@{text_ext} += [rR][tT][xX] # rtx +@{text_ext} += [sS][aA][nN][dD][bB][oO][xX][eE][dD] # sandboxed +@{text_ext} += [sS][gG][mM] # sgm +@{text_ext} += [sS][gG][mM][lL] # sgml +@{text_ext} += [sS][hH][aA][cC][lL][cC] # shaclc +@{text_ext} += [sS][hH][cC] # shc +@{text_ext} += [sS][hH][eE][xX] # shex +@{text_ext} += [sS][iI] # si +@{text_ext} += [sS][lL] # sl +@{text_ext} += [sS][oO][aA] # soa +@{text_ext} += [sS][oO][sS] # sos +@{text_ext} += [sS][pP][dD][xX] # spdx +@{text_ext} += [sS][pP][oO] # spo +@{text_ext} += [sS][pP][oO][tT] # spot +@{text_ext} += [sS][uU][bB] # sub +@{text_ext} += [tT] # t +@{text_ext} += [tT][aA][gG] # tag +@{text_ext} += [tT][eE][xX][tT] # text +@{text_ext} += [tT][rR] # tr +@{text_ext} += [tT][sS] # ts +@{text_ext} += [tT][sS][vV] # tsv +@{text_ext} += [tT][tT][lL] # ttl +@{text_ext} += [tT][xX][tT] # txt +@{text_ext} += [uU][rR][iI] # uri +@{text_ext} += [uU][rR][iI][cC] # uric +@{text_ext} += [uU][rR][iI][sS] # uris +@{text_ext} += [vV][cC][aA][rR][dD] # vcard +@{text_ext} += [vV][cC][fF] # vcf +@{text_ext} += [vV][fF][kK] # vfk +@{text_ext} += [vV][tT][tT] # vtt +@{text_ext} += [wW][gG][sS][lL] # wgsl +@{text_ext} += [wW][mM][lL] # wml +@{text_ext} += [wW][mM][lL][sS] # wmls +@{text_ext} += [xX][mM][lL] # xml +@{text_ext} += [xX][sS][dD] # xsd +@{text_ext} += [zZ][oO][nN][eE] # zone 
+@{text_ext} += 3[dD][mM] # 3dm +@{text_ext} += 3[dD][mM][lL] # 3dml + +# Dpkg maintainer's scripts +@{dpkg_script_ext} = config templates preinst postinst prerm postrm + +# vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 67f32bf8c..cca544370 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -13,6 +13,9 @@ # Coreutils programs that should not have dedicated profile @{coreutils_path} = @{bin}/@{coreutils} +# Python interpreters +@{python_path} = @{bin}/@{python_name} + # Browsers @{brave_path} = @{brave_lib_dirs}/@{brave_name} @{chrome_path} = @{opera_lib_dirs}/@{chrome_name} 
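Review bot: Several entries in the new `extensions` file match the wrong extension or only one case of it: `[tT][t][mM][lL] # ttml`, `[tT][t][xX][tT] # ttxt` and `[vV][tT][t] # vtt` have a lowercase-only `[t]`, `[iE][eE][fF] # ief` has `[iE]` where `[iI]` is meant, `[wW][oO][fF] # woff` / `[wW][oO][fF]2 # woff2` lack the second `f` so `.woff` never matches, and `[hH][eE][iI][cC][sS][hH][eE][iI][fF] # heics` and `[sS][xX][gG][sS][xX][iI] # sxgsxi` look like two entries (heics+heif, sxg+sxi) fused into one. `[pP][kK][gG].[tT][aA][rR]{,[zZ][sS][tT]} # pkg.tar{,.zst}` is missing the dot inside the alternation, so it matches `pkg.tarzst` rather than `pkg.tar.zst`. Where the comment and the pattern disagree (`[eE][vV][wW] # wvw`, `[vV][bB][mM] # vtf`, `[sS][gG]1[gG] # s1g`, `[uU][vV][vV][vV] # uvv`, `[hH][eE][jJ]2 # heifs`) one side should be corrected so the list stays auditable, because a wrong pattern surfaces as a hard-to-diagnose denial in every profile that uses the variable. `@{archive_ext}` also references `@{int}` (`[lL][pP][aA][qQ]@{int}`, `[rR]@{int}`), which this commit deletes from `multiarch.d/system`; if it is re-defined in another tunables file that should be confirmed, and the three wildcard entries `??_`, `?[qQ]?`, `?[zZ]?` deserve a comment explaining why any three-character extension with that middle letter is accepted, since they are far wider than the rest of the list.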
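Review bot: The unchanged context line `@{chrome_path} = @{opera_lib_dirs}/@{chrome_name}` right below the new `@{python_path}` entry pairs a chrome name with the opera library directory, which looks like a copy-paste slip worth fixing while this file is touched; `_path` variables are what profiles grant exec access to, so a wrong directory either silently denies or points at the wrong binary. `@{python_path}` itself expands to every interpreter in `@{python_name}` (`python`, `python3`, `python3.x`), so a short comment such as `# Version-agnostic on purpose: profiles get every installed python3.x` would help readers of the profiles that reference it.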
@@ -28,30 +31,48 @@ # Emails @{thunderbird_path} = @{bin}/@{thunderbird_name} @{thunderbird_lib_dirs}/@{thunderbird_name} -@{emails_path} = @{thunderbird_path} @{bin}/@{emails} +@{emails_path} = @{thunderbird_path} @{bin}/@{emails_names} # Open -@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio -@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop -@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop +@{open_path} = @{bin}/@{open_names} +@{open_path} += @{lib}/gio-launch-desktop +@{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop + +# Editors +@{editor_path} = @{bin}/@{editor_names} +@{editor_ui_path} = @{bin}/@{editor_ui_names} + +# Pager +@{pager_path} = @{bin}/@{pager_names} # File explorers -@{file_explorers_path} = @{bin}/@{file_explorers} +@{file_explorers_path} = @{bin}/@{file_explorers_names} # Text editors -@{text_editors_path} = @{bin}/@{text_editors} /usr/share/code/{bin/,}code +@{text_editors_path} = @{bin}/@{text_editors_names} /usr/share/code/{bin/,}code # Document viewers -@{document_viewers_path} = @{bin}/@{document_viewers} +@{document_viewers_path} = @{bin}/@{document_viewers_names} # Image viewers -@{image_viewers_path} = @{bin}/@{image_viewers} +@{image_viewers_path} = @{bin}/@{image_viewers_names} # Archive viewers -@{archive_viewers_path} = @{bin}/@{archive_viewers} +@{archive_viewers_path} = @{bin}/@{archive_viewers_names} # Office suites -@{offices_path} = @{bin}/@{offices} @{lib}/libreoffice/program/soffice +@{offices_path} = @{bin}/@{offices_names} @{lib}/libreoffice/program/soffice +# Help +@{help_path} = @{bin}/@{help_names} + +# Terminal emulator +@{terminal_path} = @{bin}/@{terminal_names} + +# Backup +@{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor + +# Archives +@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z # vim:syntax=apparmor 
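Review bot: `@{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop` replaces the previous `[0-9]*` glob with `@{version}`, which is not defined anywhere in this diff; if it lives in another tunables file it must be defined before this one is read, otherwise the parser will reject every profile that includes the tunables. `@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z` bundles roughly fifteen unrelated archivers (`tar`, `unzip`, `rar`, `zstd`, …) into one exec target, so a profile that only needs `tar` inherits access to all of them; a comment stating that this is a deliberately coarse group intended for archive-manager profiles rather than general use would make that trade-off visible. The same applies to `@{editor_path}`, whose `vim{,.*}` entry expands to any `@{bin}/vim.<suffix>` binary.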
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
index dd9386b09..d4fefb0b0 100644
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -2,13 +2,78 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Define some variables for some commonly used profile. They may be used in +# Define some variables for some commonly used profile. They may be used in # other profiles peer label. # All variables that refer to a profile name should be prefixed with `p_` # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` -@{p_systemd}=unconfined +@{p_sd}=unconfined +@{p_sdu}=unconfined @{p_systemd_user}=unconfined +@{p_systemd}=unconfined + +# Name of the dbus daemon profiles +@{p_dbus_accessibility}=dbus-accessibility +#aa:only apparmor4.1 +@{p_dbus_system}={dbus-system,unconfined} +@{p_dbus_session}={dbus-session,unconfined} + +#aa:exclude apparmor4.1 +@{p_dbus_system}=dbus-system +@{p_dbus_session}=dbus-session + +@{p_accounts_daemon}=accounts-daemon +@{p_apt_news}=apt_news +@{p_at_spi2_registryd}=at-spi2-registryd +@{p_avahi_daemon}=avahi-daemon +@{p_bluetoothd}=bluetoothd +@{p_colord}=colord +@{p_e2scrub_all}=e2scrub_all +@{p_e2scrub}=e2scrub +@{p_file_roller}=file-roller +@{p_fprintd}=fprintd +@{p_fwupd}=fwupd +@{p_fwupdmgr}=fwupdmgr +@{p_geoclue}=geoclue +@{p_gnome_shell}=gnome-shell +@{p_gsd_media_keys}=gsd-media-keys +@{p_irqbalance}=irqbalance +@{p_logrotate}=logrotate +@{p_ModemManager}=ModemManager +@{p_nm_priv_helper}=nm-priv-helper +@{p_packagekitd}=packagekitd +@{p_pcscd}=pcscd +@{p_polkitd}=polkitd +@{p_power_profiles_daemon}=power-profiles-daemon +@{p_rsyslogd}=rsyslogd +@{p_rtkit_daemon}=rtkit-daemon +@{p_snap}=snap +@{p_systemd_coredump}=systemd-coredump +@{p_systemd_homed}=systemd-homed +@{p_systemd_hostnamed}=systemd-hostnamed +@{p_systemd_importd}=systemd-importd +@{p_systemd_initctl}=systemd-initctl +@{p_systemd_journal_remote}=systemd-journal-remote +@{p_systemd_journald}=systemd-journald +@{p_systemd_localed}=systemd-localed +@{p_systemd_logind}=systemd-logind +@{p_systemd_networkd}=systemd-networkd 
+@{p_systemd_oomd}=systemd-oomd +@{p_systemd_resolved}=systemd-resolved +@{p_systemd_rfkill}=systemd-rfkill +@{p_systemd_timedated}=systemd-timedated +@{p_systemd_timesyncd}=systemd-timesyncd +@{p_systemd_userdbd}=systemd-userdbd +@{p_upowerd}=upowerd +@{p_xdg_desktop_portal}=xdg-desktop-portal + +# Profiles Patterns +# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution + +# Notification +@{pp_notification}={plasmashell,gjs-console} +@{pp_app_indicator}={plasmashell,gnome-shell} +@{pp_dbusmenu}={plasmashell,nautilus} # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index a118d0cbe..a7cbaf831 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs 
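Review bot: `@{p_dbus_system}={dbus-system,unconfined}` and `@{p_dbus_session}={dbus-session,unconfined}` under `#aa:only apparmor4.1` widen every peer-label rule that uses them to also accept an unconfined peer, and nothing in the hunk says why the 4.1 build needs that; a comment along the lines of `# apparmor 4.1: the bus daemon may run unconfined, so accept both labels` (adjusted to the real reason) would stop a later reader from tightening it or, worse, copying the pattern to other daemons. The same two variables are assigned again under `#aa:exclude apparmor4.1`, which presumably relies on the project's preprocessor keeping only one of the two blocks, since a plain `=` redefinition is normally rejected by the parser; that dependency is worth stating next to the directives. `@{p_sd}`, `@{p_sdu}`, `@{p_systemd}` and `@{p_systemd_user}` are four names for the same `unconfined` value with no indication which pair is canonical or that they must be changed together; the existing header comment should name the preferred spelling and mark the others as aliases.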
@@ -5,21 +5,39 @@ # Define some some commonly used programs. This is not an exhaustive list. # It is meant to label programs to easily provide access in profiles. +# All variables that refer to a program name should have the `_name` suffix. +# variables that refer to a list of progran should have the `_names` suffix. +# @{sh}, @{shells}, and @{coreutils} are the only exceptions. + # Default distribution shells @{sh} = sh bash dash # All interactive shells users may want to use @{shells} = sh zsh bash dash fish rbash ksh tcsh csh -# Coreutils programs that should not have dedicated profile +# Coreutils programs that should not have dedicated profile. Also includes findutils and diffutils. @{coreutils} = {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown -@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname diff du echo env expand +@{coreutils} += cksum cmp comm cp csplit cut date dd df dir dircolors dirname diff diff3 du echo env expand @{coreutils} += expr factor false find fmt fold {,e,f}grep head hostid id install join link -@{coreutils} += ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt +@{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir -@{coreutils} += runcon sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep -@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true -@{coreutils} += truncate tsort tty uname unexpand uniq unlink vdir wc who whoami xargs yes +@{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep +@{coreutils} += sort split stat stdbuf stty sum tac tail tee test timeout touch tr true +@{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes + +# Python interpreters +@{python_version} = 3 
3.[0-9] 3.1[0-9] +@{python_name} = python python@{python_version} + +# Open +@{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop + +# Editors +@{editor_names} = sensible-editor vim{,.*} vim-nox11 nvim nano +@{editor_ui_names} = gnome-text-editor gedit mousepad + +# Pager +@{pager_names} = sensible-pager pager less more nvimpager # Browsers @@ -44,29 +62,41 @@ @{torbrowser_name} = torbrowser "tor browser" @{torbrowser_lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ -# Emails +# Emails -@{thunderbird_name} = thunderbird{,.sh,-bin} +@{thunderbird_name} = thunderbird{,-bin} @{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name} -@{emails} = evolution geary +@{emails_names} = evolution geary # File explorers -@{file_explorers} = dolphin nautilus thunar +@{file_explorers_names} = dolphin nautilus thunar # Text editors -@{text_editors} = code gedit mousepad gnome-text-editor +@{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli # Document viewers -@{document_viewers} = evince okular *{F,f}oliate YACReader +@{document_viewers_names} = evince papers okular *{F,f}oliate YACReader # Image viewers -@{image_viewers} = eog loupe ristretto +@{image_viewers_names} = eog loupe ristretto # Archive viewers -@{archive_viewers} = engrampa file-roller xarchiver +@{archive_viewers_names} = engrampa file-roller xarchiver # Office suites -@{offices} = libreoffice soffice +@{offices_names} = libreoffice soffice wps + +# Help +@{help_names} = yelp + +# Terminal emulator +@{terminal_names} = kgx terminator konsole ptyxis + +# Backup +@{backup_names} = deja-dup borg + +# Archives +@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index d219c1d4d..b29be3f0c 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
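Review bot: `sync` disappears from `@{coreutils}` (old `stty sum sync tac`, new `stty sum tac`) while the updated comment only mentions adding findutils and diffutils; if that is intended it should be called out, since any profile relying on `@{coreutils_path}` for `sync` will start denying it. Adding `locate` and `updatedb` to a list described as programs that "should not have dedicated profile" deserves a comment: `updatedb` walks the whole filesystem and writes a system-wide database, so running it under the caller's inherited confinement is likely to be either too narrow (denials) or wider than the caller should have, depending on which profile invokes it. The new header comment has a typo, `progran` → `programs`, and the existing line above it still repeats `some some`.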
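Review bot: `@{terminal_names} = kgx terminator konsole ptyxis` introduces a group that profiles will grant execution to as a block; a one-line comment noting that launching a terminal from a confined application effectively hands the user an interactive shell, so `@{terminal_path}` should only be referenced through a profile transition and never with inheritance, would make the intent auditable. `@{thunderbird_name} = thunderbird{,-bin}` drops the previous `.sh` variant without a note; if the wrapper script no longer ships on supported distributions say so, otherwise `@{thunderbird_path}` stops matching it. The `# Emails` line differs only in trailing whitespace.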
@@ -2,70 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# To allow extended personalisation without breaking everything. -# All apparmor profiles should always use the variables defined here. - -# Single hexadecimal character -@{h}=[0-9a-fA-F] - -# Single alphanumeric character -@{c}=[0-9a-zA-Z] - -# Integer up to 10 digits (0-9999999999) -@{int}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],} - -# hexadecimal, alphanumeric up to 64 characters -@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} -@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} - -# Any x digits characters -@{int2}=[0-9][0-9] -@{int4}=@{int2}@{int2} -@{int6}=@{int4}@{int2} -@{int8}=@{int4}@{int4} -@{int10}=@{int8}@{int2} -@{int16}=@{int8}@{int8} -@{int32}=@{int16}@{int16} -@{int64}=@{int32}@{int32} - -# Any x hexadecimal characters -@{hex2}=@{h}@{h} -@{hex4}=@{hex2}@{hex2} -@{hex6}=@{hex4}@{hex2} -@{hex8}=@{hex4}@{hex4} -@{hex9}=@{hex8}@{h} -@{hex10}=@{hex8}@{hex2} -@{hex16}=@{hex8}@{hex8} -@{hex32}=@{hex16}@{hex16} -@{hex38}=@{hex32}@{hex6} -@{hex64}=@{hex32}@{hex32} - -# Any x alphanumeric characters -@{rand2}=@{c}@{c} 
-@{rand4}=@{rand2}@{rand2} -@{rand6}=@{rand4}@{rand2} -@{rand8}=@{rand4}@{rand4} -@{rand9}=@{rand8}@{c} -@{rand10}=@{rand8}@{rand2} -@{rand16}=@{rand8}@{rand8} -@{rand32}=@{rand16}@{rand16} -@{rand64}=@{rand64}@{rand64} - -# Universally unique identifier -@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} - -# Username & group valid characters -@{u}=[a-z0-9_] -@{user}=[a-z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},} -@{group}=@{user} - -# Shortcut for PCI device -@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} -@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} -@{pci}=@{pci_bus}/**/ - -# hci devices -@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c} +# System Paths +# ------------ # @{MOUNTDIRS} is a space-separated list of where user mount directories # are stored, for programs that must enumerate all mount directories on a 
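Review bot: This hunk removes `@{hci_id}` together with the `@{int*}`, `@{rand*}` and `@{hex*}` families and the single-character classes `@{h}`/`@{c}`, but no replacement definition is visible in the diff, while the second hunk of this file still relies on `@{h}`, `@{hex}`, `@{hex2}`, `@{hex4}`, `@{hex8}`, `@{hex12}`, `@{rand}`, `@{u16}` and `@{w}`. Presumably they moved to another tunables file that is loaded earlier; if so, a comment at the top of the new `# System Paths` section, e.g. `# Generic patterns (@{h}, @{hex*}, @{u16}, @{w}, ...) are defined in <tunables file>`, would make the load-order dependency explicit for the next reader. If `@{hci_id}` has no successor at all, any profile that still uses it will stop compiling.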
@@ -76,17 +14,61 @@ @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/ # Common places for binaries and libraries across distributions -@{bin}=/{,usr/}{,s}bin +@{bin}=/{,usr/}bin +@{sbin}=/{,usr/}sbin #aa:only apt zypper +@{sbin}=/{,usr/}{,s}bin #aa:only pacman @{lib}=/{,usr/}lib{,exec,32,64} # Common places for temporary files +# /tmp/user/@{uid}/ is needed when using .... (default on Debian) @{tmp}=/tmp/ /tmp/user/@{uid}/ +# Common places for EFI +@{efi}=/boot/ /efi/ /boot/efi/ + +# System Variables +# ---------------- + +# Common architecture names +@{arch}=x86_64 x64 amd64 i386 i686 + +# Dbus unique name +@{busname}=:1.@{u16} :not.active.yet + +# Unix dbus address prefix +@{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} + +# Universally unique identifier +@{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12} + +# Username & group valid characters +@{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} +@{group}=@{user} + +# Semantic version +@{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},} + +#aa:only opensuse +# OpenSUSE does not have the same multiarch structure +@{multiarch}+=*-suse-linux* + + +# System Internal +# --------------- + +# Shortcut for PCI device +@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} +@{pci_bus}=pci@{hex4}:@{hex2} +@{pci}=@{pci_bus}/**/ + # Udev data dynamic assignment ranges +# See https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -# OpenSUSE does not have the same multiarch structure -@{multiarch}+=*-suse-linux* #aa:only opensuse +# Default attachment path when re-attached path disconnected path is ignored. 
+# Disabled on abi3 and Ubuntu 25.04+ +# See https://apparmor.pujol.io/development/internal/#re-attached-path +@{att}="" # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 885913da3..07450efff 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,11 +5,12 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ +@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ @@ -17,6 +18,7 @@ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ +@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ # Full path of the LIGHTDM configuration directories @{LIGHTDM_HOME}=/var/lib/lightdm/ @@ -24,6 +26,7 @@ @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ +@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ # Full path of all DE configuration directories @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} @@ -31,5 +34,6 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} +@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} # vim:syntax=apparmor 
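Review bot: The comment added above `@{tmp}` is unfinished: `# /tmp/user/@{uid}/ is needed when using .... (default on Debian)` leaves the reason as four dots, so either name the mechanism or drop the clause. The comment over `@{att}` reads `# Default attachment path when re-attached path disconnected path is ignored.`, which does not parse; something like `# Default attachment path; set to "" when the re-attached (disconnected) path is ignored.` says the same thing. Note also that `@{sbin}` is now assigned twice with different `#aa:only` markers, which is fine only if the `#aa:only` directive guarantees exactly one assignment survives per distribution; otherwise the second assignment silently overrides the first.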
diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d index 00231cbce..52be8b920 100644 --- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d +++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d @@ -14,14 +14,14 @@ @{XDG_DOWNLOAD_DIR}+=".tb/tor-browser/Browser/Downloads" # Other user directories -@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} +@{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR} @{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} +@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} +@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} +@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} @{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} -@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} -@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} -@{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR} include if exists diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 184e6d118..ccd6e9cca 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go 
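Review bot: `@{user_vm_shares}` is removed without a replacement, so any profile that still references it should fail to compile on the next build; if the removal is intentional it deserves a sentence in the commit message, otherwise re-add it after `@{user_videos_dirs}`. The remainder of the hunk only reorders the definitions, which does not change their meaning.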
@@ -15,15 +15,15 @@ import ( "github.com/roddhjav/apparmor.d/pkg/logs" ) -const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] +const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] - Review AppArmor generated messages in a colorful way. Supports logs from + Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -31,6 +31,7 @@ Options: -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. + -S, --since DATE Show entries not older than the specified date. ` @@ -41,6 +42,7 @@ var ( path string systemd bool raw bool + since string ) func aaLog(logger string, path string, profile string) error { @@ -51,9 +53,9 @@ func aaLog(logger string, path string, profile string) error { case "auditd": file, err = logs.GetAuditLogs(path) case "systemd": - file, err = logs.GetJournalctlLogs(path, !slices.Contains(logs.LogFiles, path)) + file, err = logs.GetJournalctlLogs(path, since, !slices.Contains(logs.LogFiles, path)) default: - err = fmt.Errorf("Logger %s not supported.", logger) + err = fmt.Errorf("logger %s not supported", logger) } if err != nil { return err @@ -64,7 +66,7 @@ func aaLog(logger string, path string, profile string) error { return nil } - aaLogs := logs.NewApparmorLogs(file, profile) + aaLogs := logs.New(file, profile) if rules { profiles := aaLogs.ParseToProfiles() for _, p := range profiles { 
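Review bot: The synopsis added here advertises `[--since]` as a bare switch, but the option takes a value, so it should read `[--since DATE]` to match the `-S, --since DATE` entry in the Options block. The two help strings also disagree: the usage text says `Show entries not older than the specified date.` while the `flag.StringVar` calls in the `init()` hunk say `Display logs since the START time.`; pick one wording. It would also help to say which date formats are accepted, since the value appears to be passed through to the journalctl helper unchanged.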
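Review bot: `since` is only forwarded on the `"systemd"` branch (`logs.GetJournalctlLogs(path, since, ...)`); with the default auditd logger a `--since` value is accepted and silently ignored, so someone reviewing an incident window can believe the output is date-filtered when it is not. Either reject the combination up front, e.g. `if since != "" && logger != "systemd" { return fmt.Errorf("--since is only supported with --systemd") }` at the top of aaLog, or state in the help text that `--since` applies to journald logs only. aaLog's body starts and continues outside the hunk.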
@@ -90,6 +92,8 @@ func init() { flag.BoolVar(&rules, "rules", false, "Convert the log into AppArmor rules.") flag.BoolVar(&raw, "R", false, "Print the raw log without any formatting.") flag.BoolVar(&raw, "raw", false, "Print the raw log without any formatting.") + flag.StringVar(&since, "S", "", "Display logs since the START time.") + flag.StringVar(&since, "since", "", "Display logs since the START time.") } func main() { diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 8fa7cce66..b0737de77 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -8,20 +8,24 @@ import ( "flag" "fmt" "os" + "os/exec" + "regexp" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) -const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...] +const usage = `aa [-h] [--lint | --format | --tree | --complain | --enfore] [-s] [-F file] [profiles...] Various AppArmor profiles development tools Options: -h, --help Show this help message and exit. + -e, --enforce Switch the given profile(s) to enforce mode. + -c, --complain Switch the given profile(s) to complain mode. -f, --format Format the AppArmor profiles. -l, --lint Lint the AppArmor profiles. -t, --tree Generate a tree of visited profiles. @@ -32,12 +36,19 @@ Options: // Command line options var ( - help bool - path string - systemd bool - lint bool - format bool - tree bool + help bool + path string + systemd bool + enforce bool + complain bool + lint bool + format bool + tree bool +) + +var ( + regFlags = regexp.MustCompile(`flags=\(([^)]+)\) `) + regProfileHeader = regexp.MustCompile(` {\n`) ) type kind uint8 
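Review bot: The synopsis added to `usage` misspells the new option: `[--complain | --enfore]` should be `[--complain | --enforce]`, matching the `-e, --enforce` entry below it and the `flag.BoolVar(&enforce, "enforce", ...)` registration. The synopsis also presents the five modes as mutually exclusive (`[--lint | --format | --tree | --complain | --enforce]`), which is worth keeping in mind for the `main()` switch, where nothing rejects `--enforce --complain` given together.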
@@ -61,6 +72,10 @@ func init() { flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") + flag.BoolVar(&enforce, "e", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&enforce, "enforce", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&complain, "c", false, "Switch the given profile to complain mode.") + flag.BoolVar(&complain, "complain", false, "Switch the given profile to complain mode.") } func getIndentationLevel(input string) int { @@ -76,10 +91,10 @@ func getIndentationLevel(input string) int { return level } -func parse(kind kind, profile string) ([]aa.Rules, []string, error) { +func parse(kind kind, profile string) (aa.ParaRules, []string, error) { var raw string paragraphs := []string{} - rulesByParagraph := []aa.Rules{} + rulesByParagraph := aa.ParaRules{} switch kind { case isTunable, isProfile: @@ -110,12 +125,9 @@ func formatFile(kind kind, profile string) (string, error) { return "", err } for idx, rules := range rulesByParagraph { - if err := rules.Validate(); err != nil { - return "", err - } aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - profile = strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1) + fmt.Printf(rules.String() + "\n") } return profile, nil } @@ -139,7 +151,7 @@ func aaFormat(files paths.PathList) error { if !file.Exist() { return nil } - profile, err := util.ReadFile(file) + profile, err := file.ReadFileAsString() if err != nil { return err } 
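Review bot: `fmt.Printf(rules.String() + "\n")` passes rule text as the format string, so any `%` in a rule is interpreted as a verb and go vet flags the call; use `fmt.Print(rules.String() + "\n")` or `fmt.Println(rules.String())`. More importantly, the `strings.Replace` that wrote the formatted paragraph back into `profile` is gone, so formatFile now prints to stdout and returns its input unchanged, and if aaFormat still writes the returned string back as the old code implies, the file on disk is never reformatted; this reads like a debugging leftover. The removed `rules.Validate()` call is also not replaced anywhere visible, so malformed rules are no longer rejected before formatting. formatFile's signature and the end of its body lie outside the hunk.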
@@ -156,17 +168,95 @@ func aaFormat(files paths.PathList) error { return nil } +func aaLint(files paths.PathList) error { + for _, file := range files { + fmt.Printf("wip: %v\n", file) + } + return nil +} + +func setFlag(profile string, flag string) (string, error) { + f := aa.DefaultTunables() + if _, err := f.Parse(profile); err != nil { + return profile, err + } + + flags := f.GetDefaultProfile().Flags + switch flag { + case "enforce": + if len(flags) == 0 || slices.Contains(flags, "enforce") { + return profile, nil // Nothing to do + } + idx := slices.Index(flags, "complain") + if idx == -1 { + return profile, nil // No complain flag, nothing to do + } + flags = slices.Delete(flags, idx, idx+1) + + case "complain": + if slices.Contains(flags, "complain") { + return profile, nil // Nothing to do + } + flags = append(flags, "complain") + + default: + return profile, fmt.Errorf("unknown flag: %s", flag) + } + strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" + + // Remove all flags definition, then the new flags + profile = regFlags.ReplaceAllLiteralString(profile, "") + if len(flags) > 0 { + profile = regProfileHeader.ReplaceAllLiteralString(profile, strFlags) + } + return profile, nil +} + +func aaSetFlag(files paths.PathList, flag string) error { + for _, file := range files { + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = setFlag(profile, flag) + if err != nil { + return err + } + if err = file.WriteFile([]byte(profile)); err != nil { + return err + } + if err = reloadProfile(file); err != nil { + return err + } + } + return nil +} + func aaTree() error { return nil } +func reloadProfile(file *paths.Path) error { + cmd := exec.Command("apparmor_parser", "--replace", file.String()) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err := cmd.Run(); err != nil { + return fmt.Errorf("apparmor_parser failed: %w", err) + } + return nil +} + func pathsFromArgs() (paths.PathList, error) { res := 
paths.PathList{} for _, arg := range flag.Args() { path := paths.New(arg) switch { case !path.Exist(): - return nil, fmt.Errorf("file %s not found", path) + if aa.MagicRoot.Join(arg).Exist() { + res = append(res, aa.MagicRoot.Join(arg)) + } else { + return nil, fmt.Errorf("file %s not found", path) + } case path.IsDir(): files, err := path.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), @@ -194,19 +284,42 @@ func main() { var err error var files paths.PathList switch { + case enforce: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "enforce") + + case complain: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "complain") + case lint: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaLint(files) case format: files, err = pathsFromArgs() if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } err = aaFormat(files) + case tree: err = aaTree() + + default: + flag.Usage() } if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index c39d4cbbd..455621e5b 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go 
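Review bot: `setFlag` rewrites every block in the file, not just the main profile: `regFlags.ReplaceAllLiteralString(profile, "")` strips the flags of every header it finds, and `regProfileHeader` (defined in an earlier hunk as the bare pattern ` {\n`) then inserts the main profile's flag set in front of every ` {` in the file. If a profile contains nested profiles or hats with their own flags (say `attach_disconnected` on a child), those are silently replaced by the parent's set, which is exactly the flag set `f.GetDefaultProfile().Flags` describes for the main profile only. Restricting the rewrite to the first header line, as sketched below, keeps child blocks untouched, assuming as the existing layout suggests that the main profile header is the first line ending in ` {`. Separately, aaSetFlag writes the file before `reloadProfile` runs, so a rejected profile is left modified on disk; parsing the new text first (or writing to a temporary file and renaming on success) would make the operation atomic.
```go
	strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n"

	// Rewrite only the main profile header (the first line ending in " {"),
	// so nested profiles and hats keep their own flags.
	const headerEnd = " {\n"
	end := strings.Index(profile, headerEnd)
	if end == -1 {
		return profile, fmt.Errorf("no profile header found")
	}
	start := strings.LastIndex(profile[:end], "\n") + 1
	header := regFlags.ReplaceAllLiteralString(profile[start:end+len(headerEnd)], "")
	if len(flags) > 0 {
		header = strings.Replace(header, headerEnd, strFlags, 1)
	}
	profile = profile[:start] + header + profile[end+len(headerEnd):]
	return profile, nil
```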
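Review bot: `--lint` is now routed to `aaLint`, which only prints `wip: <file>` for each path; exposing a stub under a documented flag lets users believe their profiles were checked, so either keep `--lint` out of the synopsis until the linter exists or print an explicit "lint is not implemented yet" message. In the same switch, `enforce` is tested before `complain`, so `aa --enforce --complain file` silently enforces even though the usage text presents the two as exclusive; a guard before the switch, e.g. `if enforce && complain { logging.Fatal("--enforce and --complain are mutually exclusive") }`, closes that gap. main's declarations start outside the hunk.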
@@ -5,92 +5,83 @@ package main import ( - "flag" - "fmt" - "os" - - "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cli" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) -const usage = `prebuild [-h] [--full] [--complain | --enforce] - - Prebuild apparmor.d profiles for a given distribution and apply - internal built-in directives. - -Options: - -h, --help Show this help message and exit. - -f, --full Set AppArmor for full system policy. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - --abi4 Convert the profiles to Apparmor abi/4.0. - -` - -var ( - help bool - full bool - complain bool - enforce bool - abi4 bool -) - +// Cli arguments have priority over the settings entered here func init() { - flag.BoolVar(&help, "h", false, "Show this help message and exit.") - flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") - flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") - flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") - flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") - flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") - flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") - flag.BoolVar(&abi4, "abi4", false, "Convert the profiles to Apparmor abi/4.0.") -} + // Define the default ABI + prebuild.ABI = 4 -func aaPrebuild() error { - logging.Step("Building apparmor.d profiles for %s.", cfg.Distribution) + // Define the default version + prebuild.Version = 4.1 - if full { - prepare.Register("fsp") - builder.Register("fsp") - } else { - 
prepare.Register("systemd-early") + // Define the tasks applied by default + prepare.Register( + "synchronise", // Initialize a new clean apparmor.d build directory + "ignore", // Ignore profiles and files from dist/ignore + "merge", // Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory + "configure", // Set distribution specificities + "setflags", // Set flags as definied in dist/flags + "overwrite", // Overwrite dummy upstream profiles + "systemd-default", // Set systemd unit drop in files for dbus profiles + ) + + // Build tasks applied by default + builder.Register( + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 + "base-strict", // Use base-strict as base abstraction + ) + + // Matrix of ABI/Apparmor version to integrate with + switch prebuild.Distribution { + case "arch": + + case "ubuntu": + switch prebuild.Release["VERSION_CODENAME"] { + case "jammy": + prebuild.ABI = 3 + prebuild.Version = 3.0 + case "noble": + prebuild.ABI = 4 + prebuild.Version = 4.0 + case "questing": + prebuild.ABI = 4 + prebuild.Version = 5.0 + } + + case "debian": + switch prebuild.Release["VERSION_CODENAME"] { + case "bullseye", "bookworm": + prebuild.ABI = 3 + prebuild.Version = 3.0 + } + + case "whonix": + prebuild.ABI = 3 + prebuild.Version = 3.0 + + // Hide rewritten Whonix profiles + prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure + /etc/apparmor.d/home.tor-browser.firefox + /etc/apparmor.d/tunables/homsanitycheck + /etc/apparmor.d/usr.bin.url_e.d/anondist + /etc/apparmor.d/tunables/home.d/live-mode + /etc/apparmor.d/tunables/home.d/qubes-whonix-anondist + /etc/apparmor.d/usr.bin.hexchat + /etc/apparmor.d/usr.bin.sdwdate + /etc/apparmor.d/usr.bin.systemcheck + /etc/apparmor.d/usr.bin.timeto_unixtime + /etc/apparmor.d/whonix-firewall + ` } - - if complain { - builder.Register("complain") - } else if enforce { - builder.Register("enforce") - } - - if abi4 { - 
builder.Register("abi3") - } - - if err := prebuild.Prepare(); err != nil { - return err - } - return prebuild.Build() } func main() { - flag.Usage = func() { - fmt.Printf("%s%s\n%s\n%s", usage, - cfg.Help("Prepare", prepare.Tasks), - cfg.Help("Build", builder.Builders), - cfg.Usage("Directives", directive.Directives), - ) - } - flag.Parse() - if help { - flag.Usage() - os.Exit(0) - } - if err := aaPrebuild(); err != nil { - logging.Fatal(err.Error()) - } + cli.Configure() + cli.Prebuild() } diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go deleted file mode 100644 index 8e80c3ab3..000000000 --- a/cmd/prebuild/main_test.go +++ /dev/null 
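Review bot: `prebuild.Version` is assigned float literals (`4.1`, `3.0`, `4.0`, `5.0`), so a future AppArmor 4.10 would be indistinguishable from 4.1 and any ordering comparison on the field would be wrong; unless the field's type is fixed elsewhere, a string or a (major, minor) pair is safer. Two smaller points: the `case "arch":` branch is empty and reads as unfinished, where a comment such as `// arch: keep the defaults (ABI 4, version 4.1)` would make it deliberate, and the `setflags` task comment has a typo (`definied` → `defined`). The `prebuild.Hide +=` raw string also carries each continuation line's leading whitespace into the value, which whatever consumes Hide must trim; a comment stating that, or building the list from a slice, avoids surprises.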
@@ -1,89 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package main - -import ( - "os" - "os/exec" - "testing" - - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" -) - -func chdirGitRoot() { - cmd := exec.Command("git", "rev-parse", "--show-toplevel") - out, err := cmd.Output() - if err != nil { - panic(err) - } - root := string(out[0 : len(out)-1]) - if err := os.Chdir(root); err != nil { - panic(err) - } -} - -func Test_AAPrebuild(t *testing.T) { - tests := []struct { - name string - wantErr bool - full bool - complain bool - dist string - }{ - { - name: "Build for Archlinux", - wantErr: false, - full: false, - complain: true, - dist: "arch", - }, - { - name: "Build for Ubuntu", - wantErr: false, - full: true, - complain: false, - dist: "ubuntu", - }, - { - name: "Build for Debian", - wantErr: false, - full: true, - complain: false, - dist: "debian", - }, - { - name: "Build for OpenSUSE Tumbleweed", - wantErr: false, - full: true, - complain: true, - dist: "opensuse", - }, - // { - // name: "Build for Fedora", - // wantErr: true, - // full: false, - // complain: false, - // dist: "fedora", - // }, - } - chdirGitRoot() - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - cfg.Distribution = tt.dist - if tt.full { - prepare.Register("fsp") - builder.Register("fsp") - } - if tt.complain { - builder.Register("complain") - } - if err := aaPrebuild(); (err != nil) != tt.wantErr { - t.Errorf("aaPrebuild() error = %v, wantErr %v", err, tt.wantErr) - } - }) - } -} diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 20725a133..8fc1d019d 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -1 +1 @@ -# This file is generated by "make", all edit will be lost. +# This file is generated by "just", all edit will be lost. 
diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 4e659173c..840f3196b 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,6 +7,7 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache || true +deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 4e659173c..840f3196b 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,6 +7,7 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache || true +deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/control b/debian/control index 3d15800b8..85c4d3786 100644 --- a/debian/control +++ b/debian/control @@ -6,19 +6,18 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, + just, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git -Standards-Version: 4.5.0 +Standards-Version: 4.6.0 Rules-Requires-Root: no Package: apparmor.d Architecture: any -Depends: - apparmor-profiles, - ${shlibs:Depends} +Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine +Description: Full set of AppArmor profiles (~ 2000 profiles) + apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine most Linux based applications and processes. diff --git a/debian/rules b/debian/rules index 6e7d2d6e4..d78e652ca 100755 --- a/debian/rules +++ b/debian/rules 
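Review bot: Both `apparmor_parser --purge-cache || true` and `deb-systemd-invoke reload apparmor.service || true` discard failures, so an upgrade whose profile reload fails (a parse error in a shipped profile, for instance) completes successfully while the kernel keeps running the previous policy and nothing tells the administrator. Not failing the maintainer script is reasonable, but the condition should be visible, e.g. `deb-systemd-invoke reload apparmor.service || echo "apparmor.d: profile reload failed, run 'systemctl reload apparmor' manually" >&2`. The same applies to the identical hunk in `debian/apparmor.d.postrm`; there, a reload can only re-parse profiles still on disk, so profiles the package removed may stay loaded until the next boot unless they are unloaded explicitly.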
@@ -8,3 +8,10 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: + +override_dh_auto_build: + just complain + +override_dh_auto_install: + just destdir="${CURDIR}/debian/apparmor.d" install + diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index b00b12eca..d60841581 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -15,6 +15,7 @@ URL: https://github.com/roddhjav/apparmor.d Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release +BuildRequires: just BuildRequires: golang-packaging BuildRequires: apparmor-profiles @@ -25,14 +26,14 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most %autosetup %build -%make_build +just complain %install -%make_install +just destdir="%{buildroot}" install %posttrans -rm -f /var/cache/apparmor/* 2>/dev/null -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +%restart_on_update apparmor %files %license LICENSE @@ -51,4 +52,6 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||: %dir /usr/share/zsh/site-functions /usr/share/zsh/site-functions/_aa-log.zsh +%doc %{_mandir}/man8/aa-log.8.gz + %changelog diff --git a/dists/build.sh b/dists/build.sh index a566291bd..e33c48695 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make [ dpkg | pkg | rpm ] +# Usage: just [ dpkg | pkg | rpm ] set -eu -o pipefail readonly COMMAND="$1" -readonly OUTPUT="${PKGDEST:-$PWD}" +readonly OUTPUT="$PWD/.pkg" readonly PKGNAME=apparmor.d VERSION="0.$(git rev-list --count HEAD)" readonly VERSION 
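Review bot: `override_dh_auto_build` runs `just complain`, so every profile in the Debian package is built with the complain flag, i.e. policy is logged but not enforced, and `dists/apparmor.d.spec` makes the same choice in `%build`. If that is the intended default for packaged installs, the package description in `debian/control` should say so, since a user installing "Full set of AppArmor profiles" will reasonably expect enforcement; if it is not, the recipes should call the enforcing recipe, assuming the justfile provides one. Nothing in this hunk shows what the previous Makefile default was, so I cannot tell whether this is a behaviour change for the package.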
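Review bot: `OUTPUT` now points at `$PWD/.pkg`, but nothing in this script creates that directory; when `build.sh` is run directly rather than through `dists/docker.sh` (which does `mkdir -p "$OUTPUT"`), the later `mv ../apparmor.d_*.deb "$OUTPUT"` renames a single artefact to a file called `.pkg` instead of moving it into a directory, and a subsequent `.pkg/apparmor.d_*.deb` glob matches nothing. Add `mkdir -p "$OUTPUT"` right after `readonly OUTPUT="$PWD/.pkg"`. `$1` is also still read unguarded into `COMMAND` under `set -u`, so running the script with no argument aborts with an unbound-variable message rather than a usage line; `readonly COMMAND="${1:-}"` plus a check in `main` would be friendlier.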
@@ -16,11 +16,11 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) - dch --newversion="$VERSION-1" --urgency=medium --distribution=stable --controlmaint "Release $VERSION-1" + dch --newversion="$VERSION-1" --urgency=medium --distribution="$(lsb_release -sc)" --controlmaint "Release $VERSION-1" dpkg-buildpackage -b -d --no-sign lintian || true mv ../"${PKGNAME}_${VERSION}-1"_*.deb "$OUTPUT" diff --git a/dists/docker.sh b/dists/docker.sh index 500918c5f..45191adb8 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -3,7 +3,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make package dist= +# Usage: +# just package ubuntu24 +# just package archlinux +# just package opensuse set -eu -o pipefail @@ -12,14 +15,17 @@ readonly PREFIX="builder-" readonly PKGNAME=apparmor.d readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp -readonly COMMAND="$1" +readonly OUTDIR=".pkg" +readonly OUTPUT="$PWD/$OUTDIR" +readonly DISTRIBUTION="${1:-}" +readonly RELEASE="${2:-}" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" + docker start "$img" || return 1 } _is_running() { 
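Review bot: `--distribution="$(lsb_release -sc)"` introduces a dependency on `lsb_release` that this diff does not add to `debian/control`'s Build-Depends (only `dists/docker.sh` installs `lsb-release`); on a minimal builder the command substitution fails and, with `set -e -o pipefail`, `dch` never runs with a usable value. Guard it, e.g. `distribution="$(lsb_release -sc 2>/dev/null || echo stable)"`, or add `lsb-release` to the build dependencies. `BUILDDIR=/tmp/makepkg` is also a fixed path in a shared temp directory that another local account can pre-create; a per-run `mktemp -d` location is safer when the build is not already confined to a throw-away container.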
@@ -59,33 +65,37 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" + docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg - mv "$VOLUME/$PKGNAME"-*.pkg.* . + mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME"-*.pkg.* "$OUTPUT" } build_in_docker_dpkg() { - local dist="$1" target="$1" - local img="$PREFIX$dist" + local img dist="$1" target="$1" release="$2" [[ "$dist" == whonix ]] && dist=debian + [[ "$release" == "13" ]] && release=trixie + img="$PREFIX$dist$release" if _exist "$img"; then if ! _is_running "$img"; then _start "$img" fi else - docker pull "$BASEIMAGE/$dist" + docker pull "$BASEIMAGE/$dist:$release" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ - --env DISTRIBUTION="$target" "$BASEIMAGE/$dist" + --env DISTRIBUTION="$target" "$BASEIMAGE/$dist:$release" docker exec "$img" sudo apt-get update -q - docker exec "$img" sudo apt-get install -y config-package-dev rsync - [[ "$dist" == debian ]] && aptopt=(-t bookworm-backports) + docker exec "$img" sudo apt-get install -y config-package-dev lsb-release libdistro-info-perl + if [[ "$dist" == debian && "$release" == "12" ]]; then + aptopt=(-t bookworm-backports) + fi docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh dpkg - mv "$VOLUME/$PKGNAME/${PKGNAME}_${VERSION}-1"_*.* . + mv "$VOLUME/$PKGNAME/$OUTDIR/${PKGNAME}_${VERSION}-1"_*.* "$OUTPUT" } build_in_docker_rpm() { 
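Review bot: `build_in_docker_dpkg` now interpolates `$release` into the image tag (`"$BASEIMAGE/$dist:$release"`) and the container name, but `RELEASE` defaults to an empty string in the caller, so `just package debian` without a release yields `docker pull .../debian:` and an invalid-tag error deep inside the function. Validate early, e.g. `[[ -n "$release" ]] || { echo "usage: $0 <distribution> <release>" >&2; return 1; }` at the top of the function, or give `RELEASE` a per-distribution default. The `apt-get install -y "${aptopt[@]}" golang-go` line still relies on `aptopt` being an empty array when the bookworm branch is not taken, which works on bash 4.4+ under `set -u` but fails on older shells; `local aptopt=()` at the top of the function makes it explicit.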
@@ -100,32 +110,32 @@ build_in_docker_rpm() { docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ "$BASEIMAGE/$dist" - docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles + docker exec "$img" sudo zypper install -y distribution-release golang-packaging apparmor-profiles fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm - mv "$VOLUME/$PKGNAME/$PKGNAME-$VERSION-"*.rpm . + mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME-$VERSION-"*.rpm "$OUTPUT" } main() { - case "$COMMAND" in + case "$DISTRIBUTION" in archlinux) - # build_in_docker_makepkg "$COMMAND" - PKGDEST=. makepkg -Cf + build_in_docker_makepkg "$DISTRIBUTION" ;; debian | ubuntu | whonix) sync - build_in_docker_dpkg "$COMMAND" + build_in_docker_dpkg "$DISTRIBUTION" "$RELEASE" ;; opensuse) sync - build_in_docker_rpm "$COMMAND" + build_in_docker_rpm "$DISTRIBUTION" ;; *) ;; esac } +mkdir -p "$OUTPUT" main "$@" diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index b94fae2c2..8910bb280 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags @@ -1,15 +1,4 @@ -archlinux-keyring-wkd-sync complain +aurpublish complain makepkg complain mkinitcpio attach_disconnected,complain pacman attach_disconnected,complain -pacman-conf attach_disconnected,complain -pacman-hook-dconf complain -pacman-hook-depmod complain -pacman-hook-dkms attach_disconnected,complain -pacman-hook-fontconfig complain -pacman-hook-gio complain -pacman-hook-gtk complain -pacman-hook-mkinitcpio attach_disconnected,complain -pacman-hook-perl complain -pacman-hook-systemd attach_disconnected,complain -pacman-key complain diff --git a/dists/flags/debian.flags b/dists/flags/debian.flags index b659675b6..5e29c0153 100644 --- a/dists/flags/debian.flags +++ b/dists/flags/debian.flags @@ -1,3 +1,4 @@ +apt-helper complain dhclient complain dhclient-script complain dpkg complain 
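Review bot: `main` keeps a bare `*) ;;` default, so `bash dists/docker.sh` with no argument (DISTRIBUTION now defaults to empty) or with a misspelt distribution exits 0 without building anything, and because `mkdir -p "$OUTPUT"` runs first the only trace is an empty `.pkg/` directory. Replace the default with `*) echo "usage: $0 {archlinux|debian|ubuntu|whonix|opensuse} [release]" >&2; exit 1 ;;` so CI and `just package` fail loudly. The `debian | ubuntu | whonix` branch forwards `"$RELEASE"` unchecked, so an empty release reaches `build_in_docker_dpkg` the same way.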
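Review bot: Dropping `pacman-conf`, `pacman-key` and the nine `pacman-hook-*` entries from arch.flags means those profiles no longer receive `complain` at build time; if unlisted profiles are built with whatever flags their header carries (no flag meaning enforce), this hunk silently promotes them to enforce, which is a behaviour change worth stating in the commit message together with the matching removals in the dists/flags/main.flags hunks (`bwrap`, `default`, `default-sudo`, `systemd-service`, `acpid`, `chronyd`, `kmod`, …). If instead these profiles were deleted or merged elsewhere, a one-line note to that effect would spare the next reviewer the same question.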
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 1bcf1e7d9..cd9a0e5a6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,16 +1,9 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,mediate_deleted,complain -default attach_disconnected,mediate_deleted,complain -default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain -systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain -aa-load complain -acpid attach_disconnected,complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -28,14 +21,10 @@ akonadi_newmailnotifier_agent complain akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain -alacarte complain anacron complain -appimagelauncherd complain -apport attach_disconnected,complain -apt-helper complain +apt-methods-sqv complain at complain atd complain -atril-previewer complain auditctl attach_disconnected,complain auditd attach_disconnected,complain augenrules attach_disconnected,complain @@ -46,12 +35,9 @@ avahi-resolve complain avahi-set-host-name complain baloo complain baloorunner complain -busctl complain +calibre complain cc-remote-login-helper complain cctk complain -child-modprobe-nvidia attach_disconnected,complain -child-open complain -chronyd attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain 
@@ -60,9 +46,8 @@ cockpit-desktop complain cockpit-session attach_disconnected,complain cockpit-ssh complain cockpit-tls attach_disconnected,complain -cockpit-ws complain +cockpit-ws attach_disconnected,complain cockpit-wsinstance-factory complain -ctop complain cups-backend-beh complain cups-backend-bluetooth complain cups-backend-brf complain @@ -85,12 +70,27 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain +deb-systemd-helper complain +deb-systemd-invoke complain +debconf-escape complain +decibels complain +dino attach_disconnected,complain +discord attach_disconnected,complain +discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain +dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain -dpkg-genbuildinfo complain +dpkg-db-backup complain +dpkg-maintscript-helper complain +dpkg-script-apparmor complain +dpkg-script-kmod complain +dpkg-script-linux complain +dpkg-script-systemd complain +dpkg-scripts complain +dracut-install complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain 
@@ -102,23 +102,19 @@ evolution-user-prompter complain fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain -file-roller complain -firefox-kmozillahelper complain +filezilla complain +finalrd complain firewall-applet attach_disconnected,complain firewall-config complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain -flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain -foliate attach_disconnected,complain -fractal attach_disconnected,complain fuse-overlayfs complain -fusermount complain -gcr-ssh-agent complain +gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain @@ -128,19 +124,10 @@ gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-disks complain gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain -gnome-music attach_disconnected,complain -gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-session complain -gnome-software complain -gnome-system-monitor attach_disconnected,complain -gnome-terminal-server complain -gnome-text-editor complain -gnome-tweaks complain grub-bios-setup complain grub-editenv complain grub-file complain 
@@ -170,19 +157,20 @@ grub-set-default complain grub-syslinux2cfg complain gsd-printer attach_disconnected,complain gsd-wwan complain -gsettings complain -gvfs-udisks2-volume-monitor attach_disconnected,complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain +hyprctl attach_disconnected,complain +hyprlock attach_disconnected,complain +hyprpaper attach_disconnected,complain +hyprpicker complain +hyprpm complain ibus-engine-table complain -ibus-memconf complain +ibus-memconf attach_disconnected,complain im-launch complain -init-exim4 complain install-info complain iwctl complain iwd complain -jitterentropy-rngd complain kaccess complain kactivitymanagerd complain kalendarac complain @@ -197,14 +185,20 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdestroy complain +kdump_mem_estimator complain +kdump-config attach_disconnected,complain +kdump-tools-init complain,attach_disconnected +kernel complain kernel-install complain +kernel-postinst-kdump complain keyboxd complain kglobalacceld complain -kgx complain +kinit complain kio_http_cache_cleaner complain kiod complain kioworker complain -kmod attach_disconnected,complain +klist complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain @@ -222,11 +216,16 @@ libreoffice complain libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain +lightdm-session complain +linux-check-removal complain +linux-update-symlinks complain locale-gen complain localectl complain +localsearch complain +localsearch-control complain +localsearch-writeback complain login attach_disconnected,complain loginctl complain -loupe attach_disconnected,complain low-memory-monitor attach_disconnected,complain lvm attach_disconnected,complain lvmconfig complain 
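Review bot: `kdump-tools-init complain,attach_disconnected` lists its flags in the opposite order from every other new entry in this hunk (`kdump-config attach_disconnected,complain` two lines above); if the build tool only splits on commas the result is identical, but a uniform `attach_disconnected,complain` order keeps the file greppable and lets a future "which profiles are still in complain" diff stay one-column. `virtiofsd complain,attach_disconnected` and `virtnetworkd complain,attach_disconnected` in a later hunk carry the same pre-existing inconsistency.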
@@ -234,33 +233,31 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdevctl complain -metadata-cleaner attach_disconnected,complain -mke2fs complain +mdadm attach_disconnected,complain +mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain -netplan complain -netplan.script attach_disconnected,complain +needrestart-hook complain +needrestart-notify complain +needrestart-restart complain +netplan attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain nm-openvpn-service-openvpn-helper complain nm-priv-helper complain -nmap complain nmcli complain nvidia-detector complain nvidia-persistenced complain -okular complain +ollama attach_disconnected,complain os-prober attach_disconnected,complain -package-data-downloader complain -packagekitd attach_disconnected,complain pam_kwallet_init complain -pam-tmpdir-helper complain -passim complain +papers complain passimd attach_disconnected,complain -pidof complain +pkla-admin-identities complain +pkla-check-authorization complain pkttyagent complain plank complain plasma_waitforname complain @@ -271,8 +268,11 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +pollinate complain +ptyxis complain +ptyxis-agent complain +pycompile complain qdbus complain -realmd complain remmina complain run-parts complain runuser complain 
@@ -283,17 +283,17 @@ secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain slirp4netns attach_disconnected,complain -snap complain -snap-bootstrap complain +snap attach_disconnected,complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-repair complain -snap-seccomp complain +snap-seccomp attach_disconnected,complain snap-update-ns complain snapd complain snapd-apparmor complain -snapd-core-fixup complain +snapshot complain +speech-dispatcher complain +sshd-auth complain ssservice complain startplasma complain startx attach_disconnected,complain @@ -302,28 +302,26 @@ steam-fossilize attach_disconnected,complain steam-game-native attach_disconnected,complain steam-game-proton attach_disconnected,complain steam-gameoverlayui attach_disconnected,complain -steam-launch complain +steam-launch attach_disconnected,complain steam-launcher attach_disconnected,complain steam-runtime attach_disconnected,complain steamerrorreporter attach_disconnected,complain +strawberry attach_disconnected,mediate_deleted,complain sulogin complain -switcherooctl complain swtpm complain swtpm_ioctl complain swtpm_localca complain swtpm_setup complain +sysstat-sa complain +sysstat-sadc complain systemd-analyze complain systemd-ask-password complain -systemd-battery-check complain systemd-binfmt attach_disconnected,complain -systemd-bsod complain systemd-cgls complain systemd-cgtop complain -systemd-coredump attach_disconnected,mediate_deleted,complain -systemd-cryptsetup complain +systemd-cryptsetup attach_disconnected,complain systemd-dissect attach_disconnected,complain systemd-escape complain -systemd-firstboot complain systemd-generator-bless-boot attach_disconnected,complain systemd-generator-cloud-init attach_disconnected,complain systemd-generator-cryptsetup attach_disconnected,complain 
@@ -331,41 +329,68 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-environment-snapd attach_disconnected,complain +systemd-generator-friendly-recovery attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain +systemd-generator-import attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain +systemd-generator-openvpn attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain +systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain +systemd-generator-snapd attach_disconnected,complain +systemd-generator-ssh attach_disconnected,complain +systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain -systemd-generator-user-autostart complain -systemd-generator-user-environment complain +systemd-generator-sysv attach_disconnected,complain +systemd-generator-tpm2 attach_disconnected,complain +systemd-generator-user-autostart attach_disconnected,complain +systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain systemd-inhibit attach_disconnected,complain +systemd-initctl attach_disconnected,complain +systemd-journald attach_disconnected,mediate_deleted systemd-mount complain -systemd-network-generator complain -systemd-pcrphase complain +systemd-network-generator attach_disconnected,complain +systemd-nsresourced attach_disconnected,complain +systemd-nsresourcework complain systemd-portabled complain 
-systemd-remount-fs complain -systemd-resolve complain systemd-shutdown complain +systemd-sleep-tlp complain systemd-socket-proxyd complain systemd-udevd attach_disconnected,complain -systemd-user-sessions complain -systemd-userdbd attach_disconnected,mediate_deleted,complain +systemd-user-sessions attach_disconnected,complain systemd-userwork attach_disconnected,complain systemsettings complain +telegram-desktop complain +totem attach_disconnected,complain tracker-writeback complain +ucf complain +ucfq complain +ucfr complain +udev-ata_id complain +udev-bcache-export-cached complain +udev-cdrom_id complain udev-dmi-memory-id complain +udev-fido_id complain +udev-hdparm complain +udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain +ufw complain +update-catalog complain update-grub complain +update-info-dir complain update-secureboot-policy complain -userdbctl complain +update-shells complain +userdbctl attach_disconnected,complain utempter attach_disconnected,complain +veracrypt complain virt-manager attach_disconnected,complain virtinterfaced attach_disconnected,complain virtiofsd complain,attach_disconnected @@ -374,18 +399,22 @@ virtnetworkd complain,attach_disconnected virtnodedevd attach_disconnected,complain virtsecretd attach_disconnected,complain virtstoraged attach_disconnected,complain -wg complain +waybar attach_disconnected,complain +wechat attach_disconnected,complain +wechat-appimage attach_disconnected,complain wg-quick complain +whoopsie complain +whoopsie-preferences complain wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain xdg-desktop-portal-kde complain xdg-desktop-portal-rewrite-launchers complain +xdg-desktop-portal-validate-icon attach_disconnected,complain xdg-user-dirs-gtk-update complain xdm-xsession complain xembedsniproxy complain xfce-session attach_disconnected,complain xsettingsd complain -xwaylandvideobridge complain zpool complain 
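Review bot: `systemd-journald attach_disconnected,mediate_deleted` is the only new entry in this hunk without `complain`, so if this file is the source of truth for build-time flags the journald profile ships enforced while every neighbouring profile is still in complain mode. If that is deliberate, a comment line above it such as `# systemd-journald: enforced on purpose, complain intentionally omitted` would stop the next reader treating it as a typo; if not, add `complain` like the rest.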
diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index c491729dc..125575ce1 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -1,20 +1,27 @@ +apport attach_disconnected,complain apport-checkreports complain apport-gtk complain +apt_news attach_disconnected,complain apt-esm-hook complain apt-esm-json-hook complain +apt-helper complain check-new-release-gtk complain do-release-upgrade complain +dpkg-genbuildinfo complain +esm_cache complain +fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain notify-reboot-required complain +package-data-downloader complain package-system-locked attach_disconnected,complain -pro complain release-upgrade-motd complain software-properties-gtk complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain +ubuntu-fan-net attach_disconnected,complain ubuntu-report complain update-manager attach_disconnected,complain update-motd-fsck-at-reboot complain diff --git a/dists/flags/whonix.flags b/dists/flags/whonix.flags index bbb744355..dc984d690 100644 --- a/dists/flags/whonix.flags +++ b/dists/flags/whonix.flags @@ -1,4 +1,6 @@ anondate complain +apt-helper complain +dpkg-genbuildinfo complain msgcollector complain msgcollector-br-add complain msgcollector-generic-gui-message complain @@ -28,8 +30,10 @@ torbrowser-plugin-container complain torbrowser-start complain torbrowser-updater complain torbrowser-updater-permission-fix complain +torbrowser-updater-permission-fix complain torbrowser-vaapitest complain torbrowser-wrapper complain +torbrowser-wrapper complain whonix-firewall-edit complain whonix-firewall-restarter complain whonix-firewalld complain diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore index 9843d249a..bfd8998ae 100644 --- a/dists/ignore/debian.ignore +++ b/dists/ignore/debian.ignore 
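Review bot: The two added lines `+torbrowser-updater-permission-fix complain` and `+torbrowser-wrapper complain` in whonix.flags duplicate the context lines immediately above them, so both profiles are now listed twice. Drop the two added lines; if the consumer tolerates duplicates this is only noise, but if it errors or applies the flags twice it is a real defect.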
@@ -1,6 +1,6 @@ # Archlinux specific apparmor.d/groups/pacman -root/usr/share/libalpm +share/libalpm # Ubuntu specific definition apparmor.d/groups/ubuntu diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 0e89a76c5..0665edf85 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -2,25 +2,13 @@ # File format: one ignore by line, it can be a profile name or a directory to ignore # Contains profiles and configuration for full system confinement, only included -# when built with 'make full' +# when built with 'just fsp' apparmor.d/groups/_full -# Apps that should be sandboxed -apparmor.d/groups/apps -code -code-wrapper - # Provided by other packages man # Work in progress profiles +apparmor.d/groups/steam +dunst plasma-discover -steam -steam-fossilize -steam-game-native -steam-game-proton -steam-gameoverlayui -steam-launch -steam-launcher -steam-runtime -steamerrorreporter diff --git a/dists/ignore/opensuse.ignore b/dists/ignore/opensuse.ignore index 0d393c6c1..7f79b77ef 100644 --- a/dists/ignore/opensuse.ignore +++ b/dists/ignore/opensuse.ignore @@ -1,6 +1,6 @@ # Archlinux specific apparmor.d/groups/pacman -root/usr/share/libalpm +share/libalpm # Debian specific definition apparmor.d/groups/apt diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore index 714fa3273..eb0df718f 100644 --- a/dists/ignore/ubuntu.ignore +++ b/dists/ignore/ubuntu.ignore @@ -1,7 +1,6 @@ # Archlinux specific apparmor.d/groups/pacman -root/etc/xdg/autostart/apparmor-notify.desktop -root/usr/share/libalpm +share/libalpm # OpenSUSE specific definition apparmor.d/groups/suse diff --git a/dists/ignore/whonix.ignore b/dists/ignore/whonix.ignore index 5370a0f95..959f8ce6e 100644 --- a/dists/ignore/whonix.ignore +++ b/dists/ignore/whonix.ignore @@ -1,6 +1,6 @@ # Archlinux specific definition apparmor.d/groups/pacman -root/usr/share/libalpm +share/libalpm # OpenSUSE specific definition apparmor.d/groups/suse 
diff --git a/dists/overwrite b/dists/overwrite index bea6d574b..70ee1cc41 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -1,10 +1,12 @@ -# Apparmor 4.0 ships several profiles that allow userns and are otherwise -# unconfined. This file keeps track of them and allow apparmor.d to replace -# them by our own. +# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d +# This file keeps track of them and allow apparmor.d to replace them by our own. # File format: one profile name by line. +# Overwrite unconfined upstream profiles that only allow userns brave chrome +chromium +cockpit-desktop element-desktop epiphany firefox @@ -12,11 +14,31 @@ flatpak foliate loupe msedge +mullvad nautilus opera +os-prober plasmashell +signal-desktop slirp4netns systemd-coredump thunderbird -unix-chkpwd virtiofsd + +# Overwrite upstreamed profiles, our local version may be more up to date +unix-chkpwd + +# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while +# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: +# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) +fusermount3 +lsblk +lsusb +openvpn +remmina +transmission +wg-quick +systemd-detect-virt # Missing integration with @{p_systemd} +hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables + diff --git a/dists/ubuntu/abstractions/trash b/dists/ubuntu/abstractions/trash index aab16b92c..d9ad01221 100644 --- a/dists/ubuntu/abstractions/trash +++ b/dists/ubuntu/abstractions/trash @@ -1,4 +1,4 @@ -abi , +abi , # requires diff --git a/docs/abbreviations.md b/docs/abbreviations.md new file mode 100644 index 000000000..32f567afe --- /dev/null +++ b/docs/abbreviations.md 
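Review bot: The two new entries `systemd-detect-virt # Missing integration with @{p_systemd}` and `hostname # Has @{bin} denied in header, …` carry trailing `#` comments, whereas the file header describes the format as one profile name per line and every other comment in the file sits on its own line; unless the consumer of dists/overwrite strips comments to end of line, these two names will not match and upstream's `systemd-detect-virt` and `hostname` profiles will win silently. Moving each explanation onto a comment line above its entry keeps the format uniform regardless of how the file is parsed. The header comment also needs a wording fix: `They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones:` → `There can be multiple justifications for keeping our profiles here, or on the contrary for using upstream ones:`.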
@@ -0,0 +1,5 @@ + +*[MAC]: Mandatory Access Control +*[W^X]: Write XOR Execute +*[FSP]: Full System Policy +*[AppArmor tunables]: AppArmor global variables diff --git a/docs/assets/avatar-icon.png b/docs/assets/avatar-icon.png new file mode 100644 index 000000000..80170da1e Binary files /dev/null and b/docs/assets/avatar-icon.png differ diff --git a/docs/assets/stylesheets/extra.css b/docs/assets/stylesheets/extra.css index 3b0fc1db6..8691707db 100644 --- a/docs/assets/stylesheets/extra.css +++ b/docs/assets/stylesheets/extra.css @@ -4,9 +4,58 @@ --md-footer-fg-color--lighter: #b6b6b6; --md-footer-bg-color: transparent; --md-footer-bg-color--dark: transparent; + --pg-purple: #603aa0; + --pg-red: #c0322f; + --pg-orange: #ac2f09; + --pg-teal: #04756a; + --pg-brown: #8d6e62; + --pg-blue: #0e66ae; + --pg-green: #2e7e31; + --pg-blue-gray: #546d78; } [data-md-color-scheme=slate] { --md-footer-bg-color: transparent; --md-footer-bg-color--dark: var(--md-default-bg-color--darkest); -} \ No newline at end of file + --pg-purple: #af94de; + --pg-red: #ff6c6a; + --pg-orange: #e97b5a; + --pg-teal: #8dc6c1; + --pg-brown: #4b1d0b; + --pg-blue: #74b9f1; + --pg-green: #72cd75; + --pg-blue-gray: #9ab2bc; +} + +/* Badge colors */ +.pg-purple { + color: var(--pg-purple); +} + +.pg-red { + color: var(--pg-red); +} + +.pg-orange { + color: var(--pg-orange); +} + +.pg-teal { + color: var(--pg-teal); +} + +.pg-brown { + color: var(--pg-brown); +} + +.pg-blue { + color: var(--pg-blue); +} + +.pg-green { + color: var(--pg-green); +} + +.pg-blue-gray { + color: var(--pg-blue-gray); +} diff --git a/docs/configuration.md b/docs/configuration.md index e784dcb82..5e1c7992f 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -2,107 +2,206 @@ title: Configuration --- -## AppArmor - -As there are a lot of rules, it is recommended to enable caching AppArmor profiles. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`. - -```sh -echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf -echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf -``` - -!!! info - - See [Speed up AppArmor Start] on the Arch Wiki for more information: - [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles - - -## Personal directories +This project is designed in such a way that it is easy to personalize it to fit any system. +It is mostly done by setting personalized XDG like directories in AppArmor tunables. More advanced configuration can be done by adding your own rules in local profile addition. !!! danger - You need to ensure that all personal directories you are using are well-defined XDG directory. You may need to edit these variables to your own settings. + You need to ensure that all personal directories you are using are well-defined XDG directory. You may need to edit these variables to your own settings. -This project is designed in such a way that it is easy to personalize the directories your programs have access by defining a few variables. + This part is vital to ensure that the profiles are correctly configured for your system. It will lead to breakage if not done correctly. -The profiles heavily use the (largely extended) XDG directory variables defined in the **[Variables Reference](variables.md)** page. -??? note "XDG variables overview" +## Personalize Apparmor - See **[Variables Reference](variables.md)** page for more. 
+### Tunables - | Description | Name | Value | - |-------------|:----:|---------| - | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | - | Download | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | - | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | - | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | - | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | - | Music | `@{XDG_MUSIC_DIR}` | `Music` | - | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` | - | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` | - | Books | `@{XDG_BOOKS_DIR}` | `Books` | - | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | - | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` | - | Sync | `@{XDG_SYNC_DIR}` | `Sync` | - | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | - | Vm | `@{XDG_VM_DIR}` | `.vm` - | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | +The profiles heavily use the **largely extended** [XDG directory variables](#xdg-variables). All the variables are list you can append with your own values. -You can personalize these values. +1. First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: + ```sh + sudo mkdir -p /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d + ``` +2. Then create a `local` addition file in it where you define your own personal directories. *Example:* + ```sh + @{XDG_VIDEOS_DIR}+="Films" + @{XDG_MUSIC_DIR}+="Musique" + @{XDG_PICTURES_DIR}+="Images" + @{XDG_BOOKS_DIR}+="BD" "Comics" + @{XDG_PROJECTS_DIR}+="Git" "Papers" + ``` +3. Then restart the AppArmor service to reload the profiles in the kernel: + ```sh + sudo systemctl reload apparmor.service + ``` -First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: -``` -sudo mkdir /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d -``` -Then create a `local` addition file in it where you define your own personal -directories. 
Example: -```sh -@{XDG_VIDEOS_DIR}+="Films" -@{XDG_MUSIC_DIR}+="Musique" -@{XDG_PICTURES_DIR}+="Images" -@{XDG_BOOKS_DIR}+="BD" "Comics" -@{XDG_PROJECTS_DIR}+="Git" "Papers" -``` +### Profile Additions -Then restart the AppArmor service to reload the profiles in the kernel: -```sh -sudo systemctl restart apparmor.service -``` +You can extend any profile with your own rules by creating a file in the `/etc/apparmor.d/local/` directory with the name of the profile you want to personalize. -**Examples** +**Example** + +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: + +1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: + ```sh + /** r, + ``` + You call also restrict this to specific directories: + ```sh + /etc/** r, + /srv/** r, + /var/** r, + ``` +2. Then restart the AppArmor service to reload the profiles in the kernel: + ```sh + sudo systemctl reload apparmor.service + ``` + +### XDG variables + +Please ensure that all personal directories you are using are well-defined XDG directory defined below. If not, personalize the [variables](#tunables) to your own settings. + +??? quote "**User directories**" + +
+ + | Description | Name | Default Value(s) | + |-------------|------|---------------| + | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | + | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | + | Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | + | Music | `@{XDG_MUSIC_DIR}` | `Music` | + | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` | + | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` | + | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` | + | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | + | Books | `@{XDG_BOOKS_DIR}` | `Books` | + | Games | `@{XDG_GAMES_DIR}` | `.games` | + | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | + | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | + | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | + | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | + | Work | `@{XDG_WORK_DIR}` | `Work` | + | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | + | Sync | `@{XDG_SYNC_DIR}` | `Sync` | + | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | + | Vm | `@{XDG_VM_DIR}` | `.vm` | + | Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | + | Disk images | `@{XDG_IMG_DIR}` | `images` | + | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | + +
+ +??? quote "**Dotfiles**" + +
+ + | Description | Name | Default Value(s) | + |-------------|------|------------------| + | Cache | ` @{XDG_CACHE_DIR}` | `.cache` | + | Config | `@{XDG_CONFIG_DIR}` | `.config` | + | Data | `@{XDG_DATA_DIR}` | `.local/share` | + | State | `@{XDG_STATE_DIR}` | `.local/state` | + | Bin | `@{XDG_BIN_DIR}` | `.local/bin` | + | Lib | `@{XDG_LIB_DIR}` | `.local/lib` | + | GPG | `@{XDG_GPG_DIR}` | `.gnupg` | + | SSH | `@{XDG_SSH_DIR}` | `.ssh` | + | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | + | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | + +
+ +??? quote "**Full configuration path**" + +
+ + | Description | Name | Default Value(s) | + |-------------|:----:|---------------| + | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` | + | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` | + | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` | + | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | + | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | + | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | + | Build | `@{user_build_dirs}` | `/tmp/build/` | + | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | + +
+ +??? quote "**Full user path**" + +
+ + | Description | Name | Default Value(s) | + |-------------|:----:|---------------| + | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` | + | Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | + | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` | + | Pictures | `@{user_pictures_dirs}` | `@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}` | + | Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` | + | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | + | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | + | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | + | Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | + | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | + | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | + | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | + | Public | `@{user_publicshare_dirs}` | `@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}` | + | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` | + | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | + | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | + | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | + | Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | + | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | + +
+ +System variables can also be personalized, they are defined in the **[Variables Reference](variables.md)** page. + + +## Program Personalization + +### Examples + +All profiles use the variables defined above. Therefore, you can personalize them by setting your own values in `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`. - For git support, you may want to add your `GO_PATH` in the `XDG_PROJECTS_DIR`: ```sh @{XDG_PROJECTS_DIR}+="go" ``` + - If you use Keepass, personalize `XDG_PASSWORD_STORE_DIR` with your password directory. Eg: ```sh @{XDG_PASSWORD_STORE_DIR}+="@{HOME}/.keepass/" ``` + - Add pacman integration with your AUR helper. Eg for `yay`: ```sh @{user_pkg_dirs}+=@{user_cache_dirs}/yay/ ``` -## Local profile extensions +### Mount points -You can extend any profile with your own rules by creating a file in the `/etc/apparmor.d/local/` directory with the name of your profile. For example, to extend the `foo` profile, create a file `/etc/apparmor.d/local/foo` and add your rules in it. +Common mount points are defined in the `@{MOUNTS}` variable. If you mount a disk on a different location, you can add it to the `@{MOUNTS}` variable. **Example** -- `child-open`, a profile that allows other program to open resources (URL, picture, books...) with some predefined GUI application. To allow it to open URLs with Firefox, create the file `/etc/apparmor.d/local/child-open` with: - ```sh - @{bin}/firefox rPx, - ``` +If you mount a disk on `/ssd/`, add the following to `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`: +```sh +@{MOUNTS}+=/ssd/ +``` -!!! note + -!!! info +### File browsers - `rPx` allows transition to the Firefox profile. Use `rPUx` to allow transition to an unconfined state if you do not have the profile for a given program. +All supported file browsers (`nautilus`, `dolphin`, `thunar`) are configured to only access user files. 
If you want to allow access to system files, you can create a local profile addition file for the file browser you are using. +### Games -Then, reload the AppArmor rules with `sudo systemctl restart AppArmor`. +In order to not allow access to user data, game profiles use the `@{XDG_GAMESSTUDIO_DIR}` variable. It may need to be expanded with other game studio directory. The default is `@{XDG_GAMESSTUDIO_DIR}="unity3d"`. + +The `@{XDG_GAMES_DIR}` variable is used to define the game directory such as steam storage directory. If your steam storage is on another drive, you should personalize `@{user_games_dirs}` instead. diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 82c7f4b04..cd82f5d21 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md 
@@ -19,6 +19,27 @@ This project and the official apparmor-profiles project provide a large selectio
 All of these abstractions can be extended by a system admin by adding rules in a file under `/etc/apparmor.d/.d` where `` is the name of one of these abstractions.
+## Architecture
+
+Abstraction are structured in layers as follows:
+
+- **Layer 0:** for core atomic functionalities. They cannot include other abstractions.
+
+ E.g.: *this resource uses* `mesa`, `openssl`, `bash-strict`, `gtk`...
+
+- **Layer 1:** for generic access. Cannot be architecture or device specific. Needs to be agnostic.
+
+ E.g.: *This program needs/has this resource.* `nameservice`, `authentication`, `base`, `shell`, `graphics`, `audio-client`, `desktop`, `kde`, `gnome`...
+
+- **Layer 2:** for common kind of program. Only present inside `abstraction/common`. Multiple layer 2 can be used alongside with layer 1 and 0 abstractions.
+
+ E.g.: *This program kind is* is a game, an electron app, a gnome app, sandboxed with bwrap app, a systemd app...
+
+- **Layer 3:** for application. Only present inside `abstraction/app`. The use of a layer 3 abstraction usually means you should not use any other abstractions (but base). Not a strict rule, but a good practice. Mostly used to provide common rules for subprofiles where the subprofiles only need to add rules for the specific use case.
+
+ E.g.: *This program is* `firefox`, `sudo`, `systemctl`, `pgrep`, `editor`, `chromium`...
+
+
 ## Application helper
 Abstraction that aims at including a complete set of rules for a given program. The calling profile only needs to add rules dependant of its use case/program.
@@ -43,9 +64,67 @@ A full set of rules for all chromium based browsers. It works as a *function* an
 If your application requires chromium to run use [`common/chromium`](#commonchromium) or [`common/electron`](#commonelectron) instead.
+### **`app/firefox`**
+
+Similar to `app/chromium` but for Firefox based browsers (and thunderbird). It requires the same *arguments* as `app/chromium`:
+
+
+## Context helper
+
+These are context helper to be used for in sub profile, they aim at providing a minimal set of rules for a given program. The calling profile only needs to add rules dependant of its use case.
+
+### **`app/editor`**
+
+A minimal set of rules for profiles including terminal editor. It is intended to be used in profiles or sub-profiles that need to edit file using the user editor of choice. The following editors are supported:
+
+- neo vim
+- vim
+- nano
+
+```sh
+ @{editor_path} rCx -> editor,
+
+ profile editor {
+ include
+ include
+
+ include if exists _editor>
+ }
+```
+
+### **`app/kmod`**
+
+A minimal set of rules for profiles that need to load kernel modules. It is intended to be used in profiles or sub-profiles that need to load kernel modules for a very specific action:
+
+```sh
+ @{bin}/modprobe rCx -> kmod,
+
+ profile kmod {
+ include
+ include
+
+ include if exists _kmod>
+ }
+```
+
+### **`app/open`**
+
+Set of rules for `child-open-*` profiles. It should usually not be used directly in a profile.
 ### **`app/pgrep`**
+
 Minimal set of rules for pgrep/pkill. It is intended to be used in profiles or sub-profiles that need to use `pgrep` or `pkill` for a very specific action:
+
+ ```sh
+ @{bin}/pgrep rCx -> pgrep,
+
+ profile pgrep {
+ include
+ include
+
+ include if exists _pgrep>
+ }
+ ```
 ### **`app/sudo`**
@@ -61,9 +140,26 @@ A minimal set of rules for profiles including internal `sudo`. Interactive sudo
 }
 ```
+
+### **`app/pkexec`**
+
+A minimal set of rules for profiles including internal `pkexec`. Like `app/sudo`, it should be used in profiles or sub-profiles that need to elevate their privileges using `pkexec` for a very specific action:
+
+```sh
+ @{bin}/pkexec rCx -> pkexec,
+
+ profile pkexec {
+ include
+ include
+
+ include if exists _pkexec>
+ }
+```
+
 ### **`app/systemctl`**
-An alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows:
+An alternative solution for [child-systemctl](internal.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows:
+
 ```sh
 @{bin}/systemctl rCx -> systemctl,
@@ -75,6 +171,20 @@ An alternative solution for [child-systemctl](structure.md#children-profiles), w
 }
 ```
+### **`app/udevadm`**
+
+A minimal set of rules for profiles including internal `udevadm` as read-only. It is intended to be used in profiles or sub-profiles that need to use `udevadm` for a very specific action:
+
+```sh
+ @{bin}/udevadm rCx -> udevadm,
+
+ profile udevadm {
+ include
+ include
+
+ include if exists _udevadm>
+ }
+```
 ## Common Dependencies
@@ -107,6 +217,14 @@ Minimal set of rules for sandboxed programs using `bwrap`. A profile using this
 A minimal set of rules for chromium based application. Handle access for internal sandbox.
+It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile:
+
+!!! note ""
+
+ [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/steam/steam#L24-L25)
+ ``` sh linenums="24"
+ @{domain} = org.chromium.Chromium
+ ```
 ### **`common/electron`**
@@ -117,11 +235,21 @@ A minimal set of rules for all electron based UI applications. It works as a *fu
 [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13)
 ``` sh linenums="10"
 @{name} = spotify
+ @{domain} = org.chromium.Chromium
 @{lib_dirs} = /opt/@{name}
 @{config_dirs} = @{user_config_dirs}/@{name}
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 ```
+### **`common/game`**
+
+Core set of resources for any games on Linux. Runtimes such as sandboxing, wine, proton, game launchers should use this abstraction.
+
+This abstraction uses the following tunables:
+
+- `@{XDG_GAMESSTUDIO_DIR}` for game studio and game engines specific directories (Default: `@{XDG_GAMESSTUDIO_DIR}="unity3d"`)
+- `@{user_games_dirs}` for user specific game directories (e.g.: steam storage dir)
+
 ### **`common/systemd`**
 Common set of rules for internal systemd suite.
@@ -198,6 +326,9 @@ Common rules for interactive shell using bash.
 Common rules for interactive shell using zsh.
+### **`fish`**
+
+Common rules for interactive shell using fish.
 ## System
@@ -213,6 +344,10 @@ Use this abstraction instead of upstream `abstractions/nameservice` as upstream
 Instead of allowing the run of all software under `@{bin}` or `@{lib}` the purpose of this abstraction is to list all GUI program that can open resources. Ultimately, only sandbox manager program such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess.
+### **`app-launcher-root`**
+
+### **`app-launcher-user`**
+
 ## Devices
diff --git a/docs/development/build.md b/docs/development/build.md
new file mode 100644
index 000000000..b767e4e4e
--- /dev/null
+++ b/docs/development/build.md
@@ -0,0 +1,168 @@ +--- +title: Building the profiles +--- + +The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `just complain`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. + +The build system is fully configurable, general usage can be seen with: +```sh +go run ./cmd/prebuild -h +``` + +``` +aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] + + Prebuild apparmor.d profiles for a given distribution and apply + internal built-in directives. + +Options: + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. 
+ +Prepare tasks: + configure - Set distribution specificities + setflags - Set flags on some profiles + fsp - Configure AppArmor for full system policy + merge - Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory + overwrite - Overwrite dummy upstream profiles + synchronise - Initialize a new clean apparmor.d build directory + ignore - Ignore profiles and files from: + server - Configure AppArmor for server + systemd-default - Configure systemd unit drop in files to a profile for some units + systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor + attach - Configure tunable for re-attached path + +Build tasks: + userspace - Fix: resolve variable in profile attachments + abi3 - Build: convert all profiles from abi 4.0 to abi 3.0 + attach - Feat: re-attach disconnected path + base-strict - Feat: use 'base-strict' as base abstraction + complain - Build: set complain flag on all profiles + debug - Build: debug mode enabled + enforce - Build: all profiles have been enforced + fsp - Feat: prevent unconfined transitions in profile rules + hotfix - Fix: temporary solution for #74, #80 & #235 + stacked-dbus - Fix: resolve peer label variable in dbus rules + +Directive: + #aa:dbus own bus= name= [interface=AARE] [path=AARE] + #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] + #aa:dbus common bus= name= label= + #aa:exec [P|U|p|u|PU|pu|] profiles... + #aa:only filters... + #aa:exclude filters... + #aa:stack [X] profiles... +``` + +## Prepare Tasks + +### **`synchronise`** + +Initialize a new clean `apparmor.d` build directory in `.build/`. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`ignore`** + +Ignore profiles and files as defined in the `dist/ignore` directory. See [workflow](workflow.md#ignore-profiles). + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`server`** + +Configure AppArmor for server. 
Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play). + +*Enable with the `--server` option in the prebuild command.* + +### **`merge`** + +Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`configure`** + +Set distribution specificities as defined in [`pkg/prebuild/prepare/configure.go`](https://github.com/roddhjav/apparmor.d/blob/main/pkg/prebuild/prepare/configure.go) + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`setflags`** + +Set flags on profiles as defined in the [flags manifest](workflow.md#profile-flags). + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`overwrite`** + +Overwrite (dummy) upstream profiles as defined in `dist/overwrite`. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`systemd-default`** + +Install systemd unit drop in files from `systemd/default`. They configure the various dbus daemon to use specific profiles. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`systemd-early`** + +Install systemd unit drop in files from `systemd/early` to ensure some services start after AppArmor. THis task will be removed in the future, as it will not be needed any more. + +*Enabled by default. Can be disabled in `pkg/prebuild/cli/cli.go`* + +### **`fsp`** + +Configure AppArmor for full system policy. + +*Enable with the `--full` option in the prebuild command.* + + +## Build Tasks + +### **`abi3`** + +This task will convert all profiles from `abi/4.0` to `abi/3.0`. The rules not supported by `abi/3.0` are commented in the build profiles. 
+ +*Enable with the `--abi 3` option in the prebuild command.* + +### **`complain | enforce`** + +Set or remove the complain flag on all profiles. The `complain` task is enabled by default. When building in enforce mode, it is disabled. Enabling the `enforce` task will enforce **all** profiles including the one set in the [flags manifest](workflow.md#profile-flags). It is intended to be used in specialized system such as a CTF challenge or in (very) high security VM. + +*Enable with the `--complain` or `--enforce` option in the prebuild command.* + +### **`userspace`** + +Resolve variables in profile attachments. It fixes issues with the userland AppArmor tools (aa-enforce, aa-logprof...) that do not support identical variable in the profiles attachments. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`attach`** + +This task reattaches disconnected paths. See the [Re-attached path](internal.md#re-attached-path) page. It will: + +- Add the `attach_disconnected.path` flag on all profiles with the `attach_disconnected` flag +- Add the `` abstraction in the profile +- For compatibility, non-disconnected profile will have the `@{att}` variable set to `/` + +*Enabled when abi >= 4.0* + +### **`hotfix`** + +Temporary fix for #74, #80 & #235. Only an issue on Gnome, can be disabled on server. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`fsp`** + +Prevent unconfined transitions in profile rules. + +*Enable with the `--full` option in the prebuild command.* diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 98b46501c..165626f24 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md 
@@ -20,12 +20,19 @@ Default **system**, **session**, and **accessibility** bus access are provided w
 - `abstractions/bus-session`
 - `abstractions/bus-accessibility`
+Do not use the dbus abstractions from apparmor in this project, they won't work as expected as the dbus daemon is confined. Furthermore, in `apparmor.d` there is no such thing as a strict dbus abstraction (`abstractions/dbus-strict`) as they are strict by default: bus access needs to be explicitly allowed using an interface abstraction or a directive.
+
 ### Interfaces
 Access to common dbus interfaces is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read-only* like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed. For more access, simply use the [`aa:dbus talk`](#dbus-directive) directive.
+There is a trade of between security and maintenance to make:
+
+- `aa:dbus talk` will generate less issue as it gives full talk access
+- `abstractions/bus/*` will provide more restriction, and possibly more issue. In the future, these rules will be automatically generated from the interface documentation.
+
 ## Dbus Directive
 We use a special [directive](directives.md) to generate more advanced dbus access. The directive format is on purpose very similar to the AppArmor dbus rule.
diff --git a/docs/development/directives.md b/docs/development/directives.md
index 9cff8840e..841bc6608 100644
--- a/docs/development/directives.md
+++ b/docs/development/directives.md
@@ -40,6 +40,7 @@ The `only` and `exclude` directives can be used to filter individual rule or rul
 - A supported target distribution: `arch`, `debian`, `ubuntu`, `opensuse`, `whonix`.
 - A supported distribution family: `apt`, `pacman`, `zypper`.
+ - A supported ABI: `abi3`, `abi4`.
 **Example**
@@ -63,7 +64,7 @@ The `only` and `exclude` directives can be used to filter individual rule or rul
 ## Exec
-The `exec` directive is useful to allow executing transitions to a profile without having to manage the possible long list of profile attachments (it varies depending on the distribution). The directives parse and resolve the attachment variable (`@{exec_path}`) of the target profile and includes it in the current profile.
+The `exec` directive is useful to allow executing transitions to a profile without having to manage the possible long list of profile attachments (it varies depending on the distribution). The directive parses and resolves the attachment variable (`@{exec_path}`) of the target profile and includes it in the current profile.
 **Format**
@@ -103,7 +104,7 @@ The `exec` directive is useful to allow executing transitions to a profile witho
 ## Stack
-[Stacked](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) profiles can be hard to maintain. The *parent* profile needs to manage its own rules as well as always include the stacked profile rules. This directive automatically include the stacked profile rules into the parent profile.
+[Stacked](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) profiles can be hard to maintain. The *parent* profile needs to manage its own rules as well as always including access from the *child* profile. In most profile using stacking, the *child* profile is often naturally included in the *parent*. However, sometime the child profile is fully different. This directive automatically include the stacked profile rules into the parent profile.
 **Format**
@@ -115,6 +116,9 @@ The `exec` directive is useful to allow executing transitions to a profile witho : List a profile **files** to stack at the end of the current profile. +**`[X]`** + +: If `X` is set, the directive will conserve the `x` file rules regardless of the transition. It is not enabled by default as it may conflict with the parent profile. Indeed, automatically adding `Px` and `ix` transition in a profile is a very effective way to have conflict between transitions as you can automatically add rule already present in the profile but with another transition (you would then get the AppArmor error: `profile has merged rule with conflicting x modifiers`). **Example** @@ -136,14 +140,13 @@ The `exec` directive is useful to allow executing transitions to a profile witho include capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/notify rw, - owner @{run}/systemd/journal/socket w, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.pressure r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r, diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index b359576aa..fad901581 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md 
@@ -11,7 +11,7 @@ The logic behind it is that if a rule is present in a profile, it should only be
 For example, if a program needs to run executable binaries then the rules allowing it can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It is therefore easy to ensure some profile features such as:
 * A profile has access to a given resource
-* A profile enforces a strict [write xor execute] (W^X) policy.
+* A profile enforces a strict [write xor execute](https://en.wikipedia.org/wiki/W%5EX) (W^X) policy.
 It also improves compatibilities and makes personalization easier thanks to the use of more variables.
@@ -78,14 +78,14 @@ The file block should be sorted as follows:
 The dbus block should be sorted as follows:
 - The system bus should be sorted *before* the session bus
-- The bind rules should be sorted *after* the send & receive rules
+- The bind rules should be sorted *after* send & receive rules
 For DBus, try to determine peer's label when possible. E.g.:
 ```
 dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label=dbus-session),
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 ```
 If there is no predictable label it can be omitted.
@@ -115,14 +115,20 @@ If there is no predictable label it can be omitted. /var/lib/dbus/machine-id r, ``` +#### :material-numeric-5-circle: Limit the use of `deny` -## Additional recommended documentation +: The use of `deny` should be limited to the minimum: -* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) -* [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) -* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html -* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) -* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) -* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) + - In MAC policies, we only allow access ([Rule :material-numeric-1-circle:](index.md#rule-mandatory-access-control "Mandatory Access Control")) + - `deny` rules are enforced even in complain mode, + - If it works on your machine does not mean it will work on others ([Rule :material-numeric-4-circle:](index.md#rule-distribution-and-devices-agnostic "Distribution and devices agnostic")). + +#### :material-numeric-6-circle: Comments + +: Ensure you only have useful comments. E.g.: + ``` + # Config files for foo + owner @{user_config_dirs}/foo/{,**} r, + ``` + Does not help, and if generalized it would add a lot of complexity to any profiles. -[write xor execute]: https://en.wikipedia.org/wiki/W%5EX diff --git a/docs/development/index.md b/docs/development/index.md index c12226a7a..f44d86aee 100644 --- a/docs/development/index.md +++ b/docs/development/index.md 
@@ -4,31 +4,38 @@ title: Development If you're looking to contribute to `apparmor.d` you can get started by going to the project [GitHub repository](https://github.com/roddhjav/apparmor.d/)! All contributions are welcome no matter how small. In this page you will find all the useful information needed to contribute to the apparmor.d project. -??? info "How to contribute pull requests" +??? info "How to contribute pull requests?" 1. If you don't have git on your machine, [install it](https://help.github.com/articles/set-up-git/). - 2. Fork this repo by clicking on the fork button on the top of the [project GitHub][project] page. - 3. Clone the forked repository and go to the directory: + 1. Fork this repo by clicking on the fork button on the top of the [project GitHub](https://github.com/roddhjav/apparmor.d) page. + 1. [Generate a new SSH key]( https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent) and add it to your GitHub account. + 1. Clone the forked repository and go to the directory: ```sh - git clone https://github.com/your-github-username/apparmor.d.git + git clone git@github.com:your-github-username/apparmor.d.git cd apparmor.d ``` - 4. Create a branch: + 1. Create a branch: ``` git checkout -b my_contribution ``` - 5. Make the changes and commit: + 1. Make the changes and commit: ``` git add git commit -m "A message to sum up my contribution" ``` - 6. Push changes to GitHub: + 1. Push changes to GitHub: ``` git push origin my_contribution ``` - 7. Submit your changes for review: If you go to your repository on GitHub, + 1. Submit your changes for review: If you go to your repository on GitHub, you'll see a Compare & pull request button, fill and submit the pull request. +
+ +- :material-arrow-right:   **[See the workflow to write profiles](workflow.md)** + +
+ ## Project rules 
@@ -55,48 +62,11 @@ If you're looking to contribute to `apparmor.d` you can get started by going to your devices or for your use case. -## Add a profile +## Recommended documentation -!!! danger "Warning" - - Following the [profile guidelines](guidelines.md) is **mandatory** for all new profiles. - - -1. To add a new profile `foo`, add the file `foo` in [`apparmor.d/profile-a-f`][profiles-a-f]. - If your profile is part of a large group of profiles, it can also go in - [`apparmor.d/groups`][groups]. - -2. Write the profile content, the rules depend on the confined program, - Here is the bare minimum for the program `foo`: -``` sh -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 You -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/foo -profile foo @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor -``` - - -3. You can automatically set the `complain` flag on your profile by editing the file [`dists/flags/main.flags`][flags] and add a new line with: `foo complain` - -4. Build & install for your distribution. 
- - -[project]: https://github.com/roddhjav/apparmor.d - -[flags]: https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags -[profiles-a-f]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f -[groups]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups +* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) +* [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) +* [SUSE Documentation](https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html) +* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) +* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) +* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) diff --git a/docs/development/install.md b/docs/development/install.md deleted file mode 100644 index 74271c13c..000000000 --- a/docs/development/install.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Installation ---- - -## Development Install - -!!! warning - - Do **not** install this project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream. You have been warned! - - See `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`. - - -**:material-docker: Docker** - -For any system with docker installed you can simply build the package with: -```sh -make package dist= -``` -Then you can install the package with `dpkg`, `pacman` or `rpm`. - -**:material-arch: Arch Linux** -```sh -make pkg -``` - -**:material-ubuntu: Ubuntu & :material-debian: Debian** -```sh -make dpkg -``` - -**:simple-suse: openSUSE** -```sh -make rpm -``` - - -## Profile flags - -Flags for all profiles in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated. - -For instance, to move `adb` in complain mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: -```sh -adb complain -``` - -Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`: -```sh -gnome-shell attach_disconnected,mediate_deleted,complain -``` - - -## Ignore profiles - -It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root). 
diff --git a/docs/development/integration.md b/docs/development/integration.md index f829fb69f..b5c740f78 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md 
@@ -2,147 +2,61 @@ title: Integration Tests --- -!!! danger "Work in Progress" - The purpose of integration testing in apparmor.d is to ensure the profiles are not going to break programs found in Linux distributions and Desktop Environment that we support. +Although the integration test suite is intended to be run in a [Development VM](vm.md), it is also deployed the GitHub Action pipeline. + **Workflow** 1. Create a testing VM -2. Start the VM, do some dev -3. Run the integration tests against the testing VM -4. Ensure no new logs have been raised +2. Run the integration tests against the testing VM +3. Ensure no new logs have been raised +## Getting started -## Test Virtual Machines - -The test VMs are built using [`cloud-init`][cloud-init] (when available), [`packer`][packer], and [`vagrant`][vagrant] on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. - -[cloud-init]: https://cloud-init.io/ -[packer]: https://www.packer.io/ -[vagrant]: https://www.vagrantup.com/ - -### Requirements - -* docker -* [packer] -* [vagrant] -* vagrant plugin install vagrant-libvirt - -!!! 
note - - You may need to edit some settings to fit your setup: - - - The libvirt configuration in `tests/Vagrantfile` - - The default ssh key and ISO directory in `tests/packer/variables.pkr.hcl` - -### Build - -**Build an image** - -To build a VM image for development purpose, run the following from the `tests` directory: - -| Distribution | Flavor | Build command | VM name | -|:------------:|:------:|:-------------:|:-------:| -| Arch Linux | Gnome | `make archlinux flavor=gnome` | `arch-gnome` | -| Arch Linux | KDE | `make archlinux flavor=kde` | `arch-kde` | -| Debian | Server | `make debian flavor=server` | `debian-server` | -| openSUSE | KDE | `make opensuse flavor=kde` | `opensuse-kde` | -| Ubuntu | Server | `make ubuntu flavor=server` | `ubuntu-server` | -| Ubuntu | Desktop | `make ubuntu falvor=desktop` | `ubuntu-desktop` | - -**VM management** - -The development workflow is done through vagrant: - -* Star a VM: `vagran up ` -* Shutdown a VM: `vagrant halt ` -* Reboot a VM: `vagrant reload ` - -The available VM `name` is defined in the `tests/boxes.yml` file - - -### Develop - -**Credentials** - -The admin user is: `user`, its password is: `user`. It has passwordless sudo access. Automatic login is **not** enabled on DE. The root user is not locked. - -**Directories** - -All the images come pre-configured with the latest version of `apparmor.d` installed and running in the VM. apparmor.d is mounted as `/home/user/Projects/apparmor.d` - -**Usage** - -On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two preconfigured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. - - -## Tests - -!!! 
warning - - The test suite is expected to be run in a [VM](#test-virtual-machines) - -### Getting started - -Prepare the test environment: +**Prepare the test environment:** ```sh -cd tests -make falvor= -AA_INTEGRATION=true vagrant up +just img +just create ``` -Run the integration tests on the test VM: +Example: ```sh -make integration box= IP= +just img ubuntu25 desktop +just create ubuntu25 desktop ``` -### Create integration tests - -**Test suite usage** - -Initialise the tests with: +**Install dependencies for the integration tests** ```sh -./aa-test --bootstrap +just tests-init ``` -List the tests scenarios to be run +Example: ```sh -./aa-test --list +just tests-init ubuntu25 desktop ``` -Start the tests and collect the results +**Run the integration tests** + +It: synchronizes the tests, unmount the shared directory, then run the tests. ```sh -./aa-test --run +just tests-run ``` -**Tests manifest** - -A basic set of test is generated on initialisation. More tests can be manually written in yaml file. They must have the following structure: - -```yaml -- name: acpi - profiled: true - root: false - require: [] - arguments: {} - tests: - - dsc: Show battery information - cmd: acpi - stdin: [] - - dsc: Show thermal information - cmd: acpi -t - stdin: [] - - dsc: Show cooling device information - cmd: acpi -c - stdin: [] - - dsc: Show thermal information in Fahrenheit - cmd: acpi -tf - stdin: [] - - dsc: Show all information - cmd: acpi -V - stdin: [] - - dsc: Extract information from `/proc` instead of `/sys` - cmd: acpi -p - stdin: [] +Example: +```sh +just tests-run ubuntu25 desktop +``` + +Partial tests can also be run. 
For example the following command will only run the tests in the `tests/integration/apt` directory on the `ubuntu25` `desktop` machine: +```sh +just tests-run ubuntu25 desktop apt +``` + +## Create integration tests + +All integration tests are written in [Bats](https://github.com/bats-core/bats-core) and are located in the `tests/integration` directory. The initial tests have been generated using [tldr page](https://tldr.sh/) with the following command: + +```sh +go run ./tests/cmd --bootstrap ``` diff --git a/docs/development/internal.md b/docs/development/internal.md new file mode 100644 index 000000000..c90391b04 --- /dev/null +++ b/docs/development/internal.md 
@@ -0,0 +1,222 @@
+---
+title: Internal
+---
+
+## Profile Context
+
+These are context helper to be used for in sub profile, they aim at providing a minimal set of rules for a given program. The calling profile only needs to add rules dependant of its use case.
+
+See [abstractions/app](abstractions.md#context-helper) for more information.
+
+
+## Open Resources
+
+The standard way to allow opening resources such as URL, pictures, video, in this project is to use one of the `child-open` profile available in the [`children`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children) group.
+
+**Example:**
+```sh
+@{open_path} rPx -> child-open,
+```
+
+
+### Manual
+
+Directly using any of the following:
+
+- `@{bin}/* PUx,`
+- `include `
+- `include `
+
+Allow every installed program to be started from the current program with or without profile. This is a very permissive rule and should be avoided if possible. They are however legitimately needed for program launcher.
+
+### **`child-open`**
+
+Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess.
+
+???
quote "[children/child-open](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open)"
+
+ ``` aa
+ # Sandbox managers
+ @{bin}/bwrap rPUx,
+ @{bin}/firejail rPUx,
+ @{bin}/flatpak rPx,
+ @{bin}/snap rPx,
+
+ # Labelled programs
+ @{archive_viewers_path} rPUx,
+ @{browsers_path} rPx,
+ @{document_viewers_path} rPUx,
+ @{emails_path} rPUx,
+ @{file_explorers_path} rPx,
+ @{help_path} rPx,
+ @{image_viewers_path} rPUx,
+ @{offices_path} rPUx,
+ @{text_editors_path} rPUx,
+
+ # Others
+ @{bin}/blueman-tray rPx,
+ @{bin}/discord{,-ptb} rPx,
+ @{bin}/draw.io rPUx,
+ @{bin}/dropbox rPx,
+ @{bin}/element-desktop rPx,
+ @{bin}/extension-manager rPx,
+ @{bin}/filezilla rPx,
+ @{bin}/flameshot rPx,
+ @{bin}/gimp* rPUx,
+ @{bin}/gnome-calculator rPUx,
+ @{bin}/gnome-disk-image-mounter rPx,
+ @{bin}/gnome-disks rPx,
+ @{bin}/gnome-software rPx,
+ @{bin}/gwenview rPUx,
+ @{bin}/kgx rPx,
+ @{bin}/qbittorrent rPx,
+ @{bin}/qpdfview rPx,
+ @{bin}/smplayer rPx,
+ @{bin}/steam-runtime rPUx,
+ @{bin}/telegram-desktop rPx,
+ @{bin}/transmission-gtk rPx,
+ @{bin}/viewnior rPUx,
+ @{bin}/vlc rPUx,
+ @{bin}/xbrlapi rPx,
+
+ # Backup
+ @{lib}/deja-dup/deja-dup-monitor rPx,
+ ```
+
+### **`child-open-browsers`**
+
+ This version of child-open only allow to open browsers.
+
+??? quote "[children/child-open-browsers](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-browsers)"
+
+ ``` aa
+ @{browsers_path} rPx,
+ ```
+
+### **`child-open-help`**
+
+This version of child-open only allow to open browsers and help programs.
+
+??? quote "[children/child-open-help](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-help)"
+
+ ``` aa
+ @{browsers_path} rPx,
+ @{help_path} rPx,
+ ```
+
+### **`child-open-strict`**
+
+This version of child-open only allow to open browsers & folders:
+
+???
quote "[children/child-open-strict](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-strict)"
+
+ ``` aa
+ @{browsers_path} Px,
+ @{file_explorers_path} Px,
+ ```
+
+
+!!! warning
+
+ Although needed to not break a program, wrongly used these profiles can lead to confinment escape.
+
+
+## Children profiles
+
+Usually, a child profile is in the [`children`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children) group. They have the following note:
+
+!!! quote
+
+ Note: This profile does not specify an attachment path because it is intended to be used only via `"Px -> child-open"` exec transitions from other profiles.
+
+
+
+### **`child-modprove-nvidia`**
+
+Used internally by the `nvidia` abstraction.
+
+### **`child-pager`**
+
+Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. Supported pagers are: `sensible-pager`, `pager`, `less`, and `more`.
+It can be as follows in a profile:
+```
+ @{pager_path} rPx -> child-pager,
+```
+
+### **`child-systemctl`**
+
+Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you.
+
+It is recommended to transition [in a subprofile](abstractions.md#appsystemctl) everything that is not generic and that may require some access (so restart, enable...), while `child-systemctl` can handle the more basic tasks.
+
+
+## Labelled programs
+
+All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and
+[`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile.
They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path.
+
+## Re-attached path
+
+**[:material-tag-heart-outline: abi/4.0]("Minimum version")**
+
+The flag `attach_disconnect` control how disconnected paths are handled. It determines if pathnames resolved to be outside the namespace are attached to the root (ie. have the `/` character prepended).
+It is a security issue as it allows disconnected paths to alias to other files that exist in the file name. Therefore, it is only provided to work around problems that can arise with sandboxed programs.
+
+AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provides an important security improvement from AppArmor 3.0.
+
+**`apparmor.d`** uses `attach_disconnect.path` by **default and automatically** on all profiles with the `attach_disconnect` flag. The attached path is set to `@{att}` a new dynamically generated variable set at build time in the preamble of all profile to be:
+
+- `@{att}=/att/` for profile with `attach_disconnect` flag.
+- `@{att}=/` for other profiles
+
+
+## User Confinement
+
+[:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Full System Policy only (FSP)")
+
+!!! warning "TODO"
+
+
+## No New Privileges
+
+[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly started program to get more privileges than its parent process. This is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transitions to other profiles because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed).
+
+The possible solutions are:
+
+* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)).
+* Inherit the current confinement (`ix`)
+* [Stacking](#stacking)
+
+## Stacking
+
+[Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) of two or more profile is the strict intersection them. It is a way to ensure that a profile never becomes more permissive than the intersection of all profiles in the stack. It provides several abilities to the policy author:
+
+- It can be used to ensure that confinement never becomes more permissive.
+- To reduce the permissions of a generic profile on a specific task.
+- To provide both system level and container and user level policy (when combined with policy namespaces).
+
+!!! note ""
+
+ [apparmor.d/groups/browsers/chromium](https://github.com/roddhjav/apparmor.d/blob/b51576139b3ed3125aaa3ea4d737a77baac0f00e/apparmor.d/groups/browsers/chromium#L25)
+ ``` aa linenums="23"
+ profile chromium @{exec_path} {
+ ...
+ @{lib_dirs}/chrome_crashpad_handler rPx -> chromium//&chromium-crashpad-handler,
+ ...
+ }
+ ```
+
+## Udev rules
+
+See the **[kernel docs](https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt)** to check the major block and char numbers used in `/run/udev/data/`.
+
+Special care must be given as sometimes udev numbers are allocated dynamically by the kernel. Therefore, the full range must be allowed:
+
+!!! note ""
+
+ [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188)
+ ``` aa linenums="179"
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ ```
diff --git a/docs/development/recommendations.md b/docs/development/recommendations.md
new file mode 100644
index 000000000..bbe41bc4e
--- /dev/null
+++ b/docs/development/recommendations.md
@@ -0,0 +1,78 @@
+---
+title: Recommendations
+---
+
+## Renaming of profiles
+
+For security reason, once loaded into the kernel, a profile cannot get fully removed. Therefore, by renaming a profile, you create a second profile with the same attachment. AppArmor will not be able to determine witch one to use leading to breakage.
+
+A reboot is required to fully remove the profile from the kernel.
+
+
+## Programs to not confine
+
+Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why.
+
+These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theatre.
+
+It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule:
+```sh
+ /etc/{,**} rw,
+```
+
+However, as `/etc` can contain sensitive files, we now want to explicitly prevent access to these sensitive files. Problems:
+
+1. How do we know the exhaustive list of *sensitive files* in `/etc`?
+2. How do we ensure access to these sensitive files is not required?
+3. This breaks the principle of mandatory access control.
+ See the [first rule of this project](index.md#project-rules) which is to only allow
+ what is required. Here we allow everything and blacklist some paths.
+
+It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` this will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile:
+
+* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only access etc config files:
+
+!!!
note ""
+
+ [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123)
+ ``` aa linenums="123"
+ profile diff {
+ include
+ include
+
+ @{bin}/ r,
+ @{bin}/pager mr,
+ @{bin}/less mr,
+ @{bin}/more mr,
+ @{bin}/diff mr,
+
+ owner @{HOME}/.lesshs* rw,
+
+ # Diff changed config files
+ /etc/** r,
+
+ # For shell pwd
+ /root/ r,
+
+ }
+ ```
+
+* As it is a dependency of pass, `diff` inherits the `pass' profile and has the same access as the pass profile, so it will be allowed to diff password files because more than a generic `diff`, it is a `diff` "version" for the pass password manager:
+
+!!! note ""
+
+ [apparmor.d/apparmor.d/profiles-m-r/pass](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/profiles-m-r/pass#L20
+ )
+ ``` aa linenums="20"
+ @{bin}/diff rix,
+ ```
+
+**What if I still want to protect these programs?**
+
+You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your terminal in a sandbox managed environment with a sandboxing tool such as Toolbox.
+
+!!! example "To sum up"
+
+ 1. Do not create a profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat`
+ 2. Do not create a profile for the shell: `bash`, `sh`, `dash`, `zsh`
+ 3. Use [Toolbox](https://containertoolbx.org/)
diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md
new file mode 100644
index 000000000..379241a49
--- /dev/null
+++ b/docs/development/roadmap.md
@@ -0,0 +1,94 @@
+---
+title: Roadmap
+---
+
+## Toward a stable release
+
+This is the current list of features that must be implemented to get to a stable release
+
+- [x] **[Play machine](https://github.com/roddhjav/play)**
+
+- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)**
+ - [x] Move most profiles into groups
+ - [ ] Provide complain/enforced packages version
+ - [ ] normal/FSP/server packages variants
+
+- [ ] **Build system**
+ - [ ] Continuous release on the main branch, ~2 releases per week
+ - [ ] Provide packages repo for ubuntu/debian
+ - [x] Add a `just` target to install the profiles in the right place
+ - [x] Fully drop the Makefile in favor of `just`
+
+- [ ] **Tests**
+ - [x] Tests VM for all supported targets (see [tests/vm](vm.md))
+ - [ ] Small integration tests for all core profiles (see [tests/integration](integration.md))
+
+- [ ] **Documentation**
+ - [ ] Initial draft of the security model and goal
+ - [ ] General documentation improvements
+
+- [ ] **General improvements**
+ - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235)
+
+- [ ] **Abstractions**
+ - [ ] Document all abstractions
+ - [ ] Split and reorganize some big abs into set of smaller abstractions.
+ Strictly follow the new abstractions guidelines (layer 0, layer 1, etc.)
+ - [ ] Abstraction based profiles:
+ Most of the accesses needed by GUI based application are commons. As such 80-90% of the profile content should be handled by abstractions (internally they will have conditions).
+ - [ ] Test new interface like abstractions
+ - notifications
+ - audio-bluetooth
+ - secrets-service
+ - media-keys
+ - ...
+ - [ ] Rewrite the desktop abstraction to only contains other abs. No direct rules in it.
+ - [ ] Rewrite the DE specific abstraction to be a layer 1 abs
+
+- [ ] **Security improvements**
+ - [ ] Limit the use of `abstractions/common/systemd`
+ - [ ] Ensure systemctl restart/stop/reload is always confined and filtered by unit (dbus only)
+ - [ ] Revisit the usae of `systemd-tty-ask-password-agent`
+
+## Next features
+
+- [ ] **Conditions**
+ - [ ] Integrate the new condition feature in the profiles and restrict them a lot according to the application actually in use. Eg: `Gnome | KDE`, `X11 | Wayland`, etc.
+ - [ ] Create a new `aa-config` tool, similar to seboolean, to manage various settings, based on conditions.
+
+- [ ] **User Data**
+ - [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone.
+ - [ ] Add a prompt listener to handle the user data access.
+
+- [x] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)**
+ - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing
+ - [x] Remove the `default` profile
+
+- [ ] **Define roles**
+ - [ ] Unrestricted shell role without FSP enabled
+ - [ ] Define the roles when FSP is enabled
+
+## Done
+
+**General improvements**
+
+- [x] The apt/dpkg profiles has been rewritten
+
+**Abstractions**
+
+- [x] New `audio-client` and `audio-server` abstractions
+- [x] New desktop agnostic `desktop` abstraction for all common access for any GUI app.
+- [x] New `graphics` abstraction, hardware-agnostic. Fully replace and restrict the old `opencl` abstractions
+- [x] All new abstractions are documented in the [abstractions](abstractions.md) page
+
+**Dbus**
+
+- [x] New `dbus-{system,session,accessibility}` profiles. Works regardless of the dbus implementation in use.
+- [x] New talk directive: Allow the application to talk to session services. (send to)
+- [x] New own directive: Allow the application to own session services under the given name.
(receive, send, bind)
+- [x] New `bus-{system,session,accessibility}` abstraction to be used in the profiles
+
+**Directives**
+
+- [x] Add directive. See the [directive](directives.md) page
+
diff --git a/docs/development/structure.md b/docs/development/structure.md
deleted file mode 100644
index 0035b6c90..000000000
--- a/docs/development/structure.md
+++ /dev/null
@@ -1,156 +0,0 @@ ---- -title: Structure ---- - -Description of common structure found across various AppArmor profiles - - -## Programs to not confine - -Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why. - -These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theater. - -It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule: -```sh - /etc/{,**} rw, -``` - -However, as `/etc` can contain sensitive files, we now want to explicitly prevent access to these sensitive files. Problems: - -1. How do we know the exhaustive list of *sensitive files* in `/etc`? -2. How do we ensure access to these sensitive files is not required? -3. This breaks the principle of mandatory access control. - See the [first rule of this project](index.md#project-rules) which is to only allow - what is required. Here we allow everything and blacklist some paths. - -It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` this will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile: - -* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only access etc config files: - -!!! 
note "" - - [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123) - ``` aa linenums="123" - profile diff { - include - include - - @{bin}/ r, - @{bin}/pager mr, - @{bin}/less mr, - @{bin}/more mr, - @{bin}/diff mr, - - owner @{HOME}/.lesshs* rw, - - # Diff changed config files - /etc/** r, - - # For shell pwd - /root/ r, - - } - ``` - -* As it is a dependency of pass, `diff` inherits the `pass' profile and has the same access as the pass profile, so it will be allowed to diff password files because more than a generic `diff`, it is a `diff` "version" for the pass password manager: - -!!! note "" - - [apparmor.d/apparmor.d/profiles-m-r/pass](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/profiles-m-r/pass#L20 - ) - ``` aa linenums="20" - @{bin}/diff rix, - ``` - -**What if I still want to protect these programs?** - -You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your terminal in a sandbox managed environment with a sandboxing tool such as Toolbox. - -!!! example "To sum up" - - 1. Do not create a profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat` - 2. Do not create a profile for the shell: `bash`, `sh`, `dash`, `zsh` - 3. Use [Toolbox]. - -[Toolbox]: https://containertoolbx.org/ - - - -## Abstractions - -This project and the apparmor-profiles official project provide a large selection of abstractions to be included in profiles. They should be used. - -For instance, to allow download directory access, instead of writing: -```sh -owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, -``` - -You should write: -```sh -include -``` - - -## Children profiles - -Usually, a child profile is in the [`children`][children] group. They have the following note: - -!!! 
quote - - Note: This profile does not specify an attachment path because it is intended to be used only via `"Px -> child-open"` exec transitions from other profiles. - -[children]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children - -Here is an overview of the current children profile: - -1. **`child-open`**: To open resources. Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. - -2. **`child-pager`**: Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. - -3. **`child-systemctl`**: Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you. - - -## Browsers - -Chromium based browsers share a similar structure. Therefore, they share the same abstraction: [`abstractions/chromium`][chromium] that includes most of the profile content. - -This abstraction requires the following variables defined in the profile header: -```sh -@{name} = chromium -@{domain} = org.chromium.Chromium -@{lib_dirs} = @{lib}/chromium -@{config_dirs} = @{user_config_dirs}/chromium -@{cache_dirs} = @{user_cache_dirs}/chromium -``` - -If your application requires chromium to run (like electron) use [`abstractions/chromium-common`][chromium-common] instead. - -[chromium]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium -[chromium-common]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium-common - -## Udev rules - -See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`. 
- -Special care must be given as sometimes udev numbers are allocated dynamically by the kernel. Therefore, the full range must be allowed: - -!!! note "" - - [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188) - ``` aa linenums="179" - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - ``` - -[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - - -## No New Privileges - -[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly started program to get more privileges than its parent process. This is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transitions to other profiles because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed). - -The possible solutions are: - -* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)). -* Inherit the current confinement (`ix`) -* [Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) diff --git a/docs/development/tests.md b/docs/development/tests.md index 7fcdf1555..4bf421d92 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md 
@@ -1,15 +1,37 @@ --- -title: Tests suite +title: Overview --- -A full test suite to ensure compatibility across supported distributions and that software is still considered a work in progress. Here is an overview of the current CI jobs: +Misconfigured AppArmor profiles is one of the most effective ways to break someone's system. This section present the various tests applied to the profiles as well as their current stage of deployment. -**On Gitlab CI** +**Current** -- Packages build for all supported distributions -- Profiles preprocessing verification for all supported distributions -- Go based command linting, coverage, and unit tests +- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `just complain` + - Build the profiles for all supported distributions. + - All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel. + - Ensure the profile entry point (`@{exec_path}`) is defined. -**On Github Action** +- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `just check` checks basic style of profiles: + - Ensure apparmor.d header & licence + - Ensure 2 spaces indentation + - Ensure local include for profile and subprofiles + - Ensure abi 4 is used + - Ensure modern profile naming + - Ensure `vim:syntax=apparmor` -- Integration test on the ubuntu-latest VM: run a simple list of tasks with all the rules enabled and ensure no new issue has been raised. Github Action is used as it offers direct access to a VM with AppArmor included. +- [x] **[Integration Tests:](integration.md)** `just test-run ` + - Run simple CLI commands to ensure no logs are raised. + - Uses the [bats](https://github.com/bats-core/bats-core) test system. + - Run in the Github Action as well as in all local [test VM](vm.md). + +**Plan** + +For more complex software suite, more integration tests need to be done. 
The plan is to run existing integration suite from these very software in an environment with `apparmor.d` profiles.
+
+- [ ] Systemd
+ - They use mkosi to generate a VM image to run their own integration tests.
+ - See https://www.codethink.co.uk/articles/2024/systemd-integration-testing-part-1/
+
+- [ ] Gnome
+ - They use openQA to run their integration tests.
+ - See https://gitlab.gnome.org/GNOME/openqa-tests/
diff --git a/docs/development/vm.md b/docs/development/vm.md
new file mode 100644
index 000000000..1091f7d5e
--- /dev/null
+++ b/docs/development/vm.md
@@ -0,0 +1,149 @@ +--- +title: Development VM +--- + +To ensure compatibility across distribution, this project ships a wide range of development and tests VM images. + +The test VMs can be built locally using [cloud-init](https://cloud-init.io/), [packer](https://www.packer.io/) on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. +The VMs are fully managed using a [justfile](https://github.com/casey/just) that provides an integration environment helper for `apparmor.d`. + +```sh +$ just +``` + +``` +Available recipes: + help # Show this help message + clean # Remove all build artifacts + + [build] + build # Build the go programs + enforce # Prebuild the profiles in enforced mode + complain # Prebuild the profiles in complain mode + fsp # Prebuild the profiles in FSP mode + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) + + [install] + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile + + [packages] + pkg # Build & install apparmor.d on Arch based systems + dpkg # Build & install apparmor.d on Debian based systems + rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container + + [tests] + tests # Run the unit tests + init # Install dependencies for the integration tests + integration # Run the integration tests + tests-init dist flavor # Install dependencies for the integration tests (machine) + tests-sync dist flavor # Synchronize the integration tests (machine) + tests-resync dist flavor # Re-synchronize the integration tests (machine) + tests-run dist flavor name="" # Run the integration tests (machine) + + [linter] + lint # Run the linters + check # Run style checks on 
the profiles + + [docs] + man # Generate the man pages + docs # Build the documentation + serve # Serve the documentation + + [vm] + img dist flavor # Build the VM image + create dist flavor # Create the machine + up dist flavor # Start a machine + halt dist flavor # Stops the machine + reboot dist flavor # Reboot the machine + destroy dist flavor # Destroy the machine + ssh dist flavor # Connect to the machine + mount dist flavor # Mount the shared directory on the machine + umount dist flavor # Unmout the shared directory on the machine + list # List the machines + images # List the VM images + available # List the VM images that can be created + +See https://apparmor.pujol.io/development/ for more information. +``` + +## Requirements + +* [docker](https://www.docker.com/) +* [just](https://github.com/casey/just) +* [packer](https://www.packer.io/) +* [libvirt](https://libvirt.org/) +* [qemu](https://www.qemu.org/) + +!!! note + + You may need to edit some settings to fit your setup: + + - The default ssh key and ISO directory in `tests/packer/variables.pkr.hcl` + +## Build + +One can see the available images by running: + +```sh +$ just available +``` + +``` +Distribution Flavor +archlinux gnome +archlinux kde +archlinux server +archlinux xfce +debian12 gnome +debian12 kde +debian12 server +ubuntu24 server +... +``` + +A VM image can be build with: + +```sh +$ just img archlinux gnome +``` + +The image will then be showed in the list of images: + +```sh +$ just images +``` + +``` +Distribution Flavor Size Date +archlinux gnome 3.3G Mar 1 14:49 +``` + +The VM can then be created with: + +```sh +$ just create archlinux gnome +``` + +And connected to with: + +```sh +$ just ssh archlinux gnome +``` + +## Develop + +**Credentials** + +The admin user is: `user`, its password is: `user`. It has passwordless sudo access. Automatic login is **not** enabled on DE. The root user is not locked. 
+ +**Directories** + +All the images come pre-configured with the latest version of `apparmor.d` installed and running in the VM. The apparmor.d project directory is mounted as `/home/user/Projects/apparmor.d` + +**Usage** + +On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two pre-configured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. diff --git a/docs/development/workflow.md b/docs/development/workflow.md new file mode 100644 index 000000000..7cc7c5616 --- /dev/null +++ b/docs/development/workflow.md @@ -0,0 +1,195 @@ +--- +title: Workflow +--- + +**Workflow to write profiles** + +
+ +- :material-file-document:   **[Write a blanck profile](#add-a-blank-profile)** + +
+
+ +- :material-download:   **[Install the profile](#individual-profile)** + +
+
+ +- :material-test-tube:   **[Profile the program](#program-profiling)** + +
+
+ +- :octicons-law-16:   **[Respect the profile guidelines](guidelines.md)** + +
+ + +## Add a blank profile + +1. To add a new profile `foo`, add the file `foo` in [`apparmor.d/profile-a-f`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f). + If your profile is part of a large group of profiles, it can also go in + [`apparmor.d/groups`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups). + +2. Write the profile content, the rules depend on the confined program, + Here is the bare minimum for the program `foo`: +``` sh +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 You +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/foo +profile foo @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor +``` + +## Development Install + +It is not recommended installing the full project *"manually"* (with `just complain`, `sudo just install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). + +Instead, install an individual profile or the development package, the following way. + +### Development package + +=== ":material-arch: Archlinux" + + ```sh + just pkg + ``` + +=== ":material-ubuntu: Ubuntu" + + ```sh + just dpkg + ``` + +=== ":material-debian: Debian" + + ```sh + just dpkg + ``` + +=== ":simple-suse: openSUSE" + + ```sh + just rpm + ``` + +=== ":material-docker: Docker" + + For any system with docker installed you can simply build the package with: + + ```sh + just package + ``` + + Then you can install the package with `dpkg`, `pacman` or `rpm`. + +### Individual profile + +**Format** + +```sh +just dev +``` + +**Exampe** + +: Testing the profile `pass` + + ``` + just dev pass + ``` + + This: + + - Prebuild the `pass` profile in complain mode to `.build`, + - Install the profile to `/etc/apparmor.d/` + - Load the profile by restarting the AppArmor service. 
+ + +More advanced development, like editing the abstractions or working over multiple profiles at the same time requires installing the full development package. + +For this individual profile installation to work, the full package needs to be installed, regardless of the installation method ([dev](#development-package) or [stable](../install.md)). + +## Program Profiling + +### Workflow + +To discover the access needed by a program, you can use the following tools: + +1. Start the program in *complain* mode, let it initialize itself, then close it. + +1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: + - Convert the logs to AppArmor rules. + - Detect if flags such as `attach_disconnected` are needed. + - Convert all common paths to **[variables](../variables.md)**. + +1. From `aa-log` output, you can: + - Copy the rules to the profile. + - Replace some rules with **[abstractions](abstractions.md)** as 80% of the rules should already be covered by an abstraction. + +1. Then, [update the profile](#individual-profile) and start the program again. Use the program as you would normally do, but also try to run all the features of the program, e.g.: open the help, settings, etc. + +1. Run **[`aa-log`](../usage.md#apparmor-log)**. Stop the program as long as you get over 100 new rules. Add the rules to the profile. + +After 2 or 3 iterations, you should have a working profile. + +### Recommendations + +
+ +- :material-function:   **[Use the abstractions](abstractions.md)** +- :simple-files:   **[Learn how to open resources](internal.md#open-resources)** +- :fontawesome-solid-bus-simple:   **[Learn how Dbus rules are handled](dbus.md)** +- :material-sign-direction:   **[Learn about directives `#aa:`](directives.md)** +- :octicons-law-16:   **[Follow the profile guidelines](guidelines.md)** +- :octicons-light-bulb-16:   **[See other recommendations](recommendations.md)** + +
+ +!!! danger "Warning" + + Following the [profile guidelines](guidelines.md) is **mandatory** for all profiles. PRs that do not follow the guidelines will not get merged. + +### Tools + +* **[aa-notify](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions)** is a tool that will allow you to get notified on every apparmor log. + +* **[aa-logprof](https://man.archlinux.org/man/aa-logprof.8)** is another tool that will help you to generate a profile from logs. However, the logs generated by `aa-logprof` need to be rewritten to comply with the profile [guidelines](guidelines.md). + +* **[aa-complain](https://man.archlinux.org/man/aa-complain.8), aa-enforce** are tools to quickly change the mode of a profile. + + +## Development Settings + +### Profile flags + +Flags for all profiles in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated. + +For instance, to move `adb` in *complain* mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: +```sh +adb complain +``` + +Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`: +```sh +gnome-shell attach_disconnected,mediate_deleted,complain +``` + + +### Ignore profiles + +It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root). 
diff --git a/docs/enforce.md b/docs/enforce.md index 52241859e..51eec0980 100644 --- a/docs/enforce.md +++ b/docs/enforce.md 
@@ -4,37 +4,65 @@ title: Enforce Mode The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. -!!! warning +!!! danger - - Please test in complain mode first and ensure your system boots! - - When reporting an issue, please ensure the affected profiles are in complain mode. + - You **must** test in complain mode first and ensure your system works as expected. + - You **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log) and [report](report.md) issues first. + - When reporting an issue, you **must** ensure the affected profiles are in complain mode. -#### :material-arch: Arch Linux +=== ":material-arch: Archlinux" -In `PKGBUILD`, replace `make` by `make enforce`: -```diff -- make DISTRIBUTION=arch -+ make enforce DISTRIBUTION=arch -``` + In the `PKGBUILD`, replace `just complain` by `just enforce`: -#### :material-ubuntu: Ubuntu & :material-debian: Debian + ```diff + - just complain + + just enforce + ``` -In `debian/rules`, add the following lines: + Then, build the package with: `just pkg` -```make -override_dh_auto_build: - make enforce -``` +=== ":material-ubuntu: Ubuntu" -#### :simple-suse: openSUSE + In `debian/rules`, replace `just complain` by `just enforce`: -In `dists/apparmor.d.spec`, replace `%make_build` by `make enforce` -```diff -- %make_build -+ %make_build enforce -``` + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce + ``` -#### Partial install + Then, build the package with: `just dpkg` -Use the `make enforce` command to build instead of `make` +=== ":material-debian: Debian" + + In 
`debian/rules`, replace `just complain` by `just enforce`: + + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce + ``` + + Then, build the package with: `just dpkg` + +=== ":simple-suse: openSUSE" + + In `dists/apparmor.d.spec`, replace `just complain` by `just enforce`: + + ```diff + %build + - just complain + %build + + just enforce + ``` + + Then, build the package with: `just rpm` + +=== ":material-home: Partial Install" + + Use the `just enforce` command to build instead of `just complain` + +[aur]: https://aur.archlinux.org/packages/apparmor.d-git diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 2b9f57454..a5ac57f11 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md 
@@ -27,14 +27,15 @@ Particularly: - Every system application will be **blocked** if they do not have a profile. - Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile. - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. -- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. +- PID 1 is the last program that should be confined. It does not make sense to confine only PID. All other programs must be confined first. -## Install + +## Installation -This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. +This feature is only enabled when the project is built with `just fsp`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. In `/etc/apparmor/parser.conf` ensure you have: ``` 
@@ -43,35 +44,59 @@ cache-loc /etc/apparmor/earlypolicy/ Optimize=compress-fast ``` -**:material-arch: Arch Linux** +=== ":material-arch: Archlinux" -In `PKGBUILD`, replace `make` by `make full`: -```diff -- make -+ make full -``` + In `PKGBUILD`, replace `just complain` by `just fsp-complain`: -**:material-ubuntu: Ubuntu & :material-debian: Debian** + ```diff + - just complain + + just fsp-complain + ``` -In `debian/rules`, add the following lines: + Then, build the package with: `just pkg` -```make -override_dh_auto_build: - make full -``` +=== ":material-ubuntu: Ubuntu" -**:simple-suse: openSUSE** + In `debian/rules`, replace `just complain` by `just fsp-complain`: -In `dists/apparmor.d.spec`, replace `%make_build` by `make full` -```diff -- %make_build -+ %make_build full -``` + ```make + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain + ``` -**Partial install** + Then, build the package with: `just dpkg` -Use the `make full` command to build instead of `make` +=== ":material-debian: Debian" + + In `debian/rules`, replace `just complain` by `just fsp-complain`: + ```make + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain + ``` + + Then, build the package with: `just dpkg` + +=== ":simple-suse: openSUSE" + + In `dists/apparmor.d.spec`, replace `just complain` by `just fsp-complain`: + + ```diff + %build + - just complain + %build + + just fsp-complain + ``` + + Then, build the package with: `just rpm` + +=== ":material-home: Partial Install" + + Use the `just fsp-complain` command to build instead of `just complain` ## Structure 
@@ -113,11 +138,21 @@ To work as intended, userland services started by `systemd --user` **should** ha !!! info - To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: + To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](development/internal.md#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: ``` @{lib}/foo rPx -> systemd//&foo, ``` +### Role Based Access Control (RBAC) + +In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are: + +- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files. + +- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory. + +- **`system`**: This role is used for any user that has system access. It has access to the system files and directories, but not to the user home directory. + ### Fallback In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. 
The fallback profiles consist of a set generic specialized profiles: @@ -129,7 +164,7 @@ In addition to the `systemd` profiles, a full system policy needs to ensure that The main fallback profile (`default`) is not intended to be used by privileged program or service. Such programs **must** have they dedicated profile and would break otherwise. -Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). +Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full diff --git a/docs/index.md b/docs/index.md index 3a9381ccd..9602207d0 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,54 +1,111 @@ --- title: AppArmor.d +hide: + - toc --- - + -Building the largest set of AppArmor profiles: - -- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* -- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* - -**Chat** - -A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org +
+
+
+
+ +

apparmor.d

+

Full set of AppArmor policies

+

apparmor.d is a collection of AppArmor profiles designed to restrict the behavior of Linux applications and processes.

+

Its goal is to confine everything, targeting both desktops and servers across all distributions that support AppArmor.

+ + Get started + + + + Demo Server + + +
+
+
+
diff --git a/docs/install.md b/docs/install.md index 8f234872c..a56599c22 100644 --- a/docs/install.md +++ b/docs/install.md @@ -2,13 +2,23 @@ title: Installation --- -!!! warning - - To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page. +## Setup !!! danger - Do **not** expect this project to work correctly if your Desktop Environment and Display Manager are not supported. Your Desktop Environment or Display Manager might not load, and that would be a feature. + Do **not** expect this project to work correctly on your desktop if your Desktop Environment (DE) and Display Manager (DM) are not supported. Your DE/DM might not load, and that would be a **feature**. + +Due to the development stage of this project, the default package configuration installs all profiles in **complain** mode. The recommended installation workflow is as-follow: + +1. **[Configure AppArmor](#configure-apparmor)** AppArmor for *apparmor.d*. +1. **[Install](#installation)** *apparmor.d* in the (default) complain mode. +1. **[Configure your personal directories](configuration.md)**. +1. Reboot your system. +1. You **must** check for any AppArmor logs with [`aa-log`](usage.md#apparmor-log). +1. **[Report](https://apparmor.pujol.io/report/)** any raised logs. +1. Use the profiles in *complain* mode for a while (a week), regularly check for new AppArmor logs. +1. Only if there are no logs raised for your daily usage, install it in [enforce mode](enforce.md). + ## Requirements 
@@ -20,105 +30,184 @@ An `AppArmor` supported Linux distribution is required. The default profiles and The following desktop environments are supported: - - [x] :material-gnome: Gnome - - [x] :simple-kde: KDE - - [ ] :simple-xfce: XFCE *(work in progress)* +- [x] :material-gnome: Gnome (GDM) +- [x] :simple-kde: KDE (SDDM) +- [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* **Build dependency** -* Go >= 1.18 +* Go >= 1.23 +* [just](https://github.com/casey/just) >= 1.40.0 -## :material-arch: Arch Linux -`apparmor.d-git` is available in the [Arch User Repository][aur]: -``` -yay -S apparmor.d-git # or your preferred AUR install method -``` +## Configure AppArmor + +As there are a lot of rules (~80k lines), it is recommended to enable fast caching compression of AppArmor profiles. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`: -Or without an AUR helper: ```sh -git clone https://aur.archlinux.org/apparmor.d-git.git -cd apparmor.d-git -makepkg -si +echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf +echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf ``` -## :material-ubuntu: Ubuntu & :material-debian: Debian +## Installation -Build the package from sources: -```sh -sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git -git clone https://github.com/roddhjav/apparmor.d.git -cd apparmor.d -dpkg-buildpackage -b -d --no-sign -sudo dpkg -i ../apparmor.d_*.deb -``` +=== ":material-arch: Archlinux" -!!! tip + `apparmor.d-git` is available in the [Arch User Repository][aur]: - If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + yay -S apparmor.d-git # or your preferred AUR install method ``` -!!! 
note + Or without an AUR helper: - Debian user may need golang from the backports repository to build: ```sh - echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list - sudo apt update - sudo apt install -t bookworm-backports golang-go + git clone https://aur.archlinux.org/apparmor.d-git.git + cd apparmor.d-git + makepkg -si ``` -!!! warning +=== ":material-ubuntu: Ubuntu" - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + Build the package from sources: - If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian` if is Debian based, or `DISTRIBUTION=ubuntu` if it is Ubuntu based. - -## :simple-suse: openSUSE - -openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS -```sh -zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo -zypper refresh -zypper install apparmor.d -``` - - -## Partial install - -For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. - -```sh -make -sudo make profile-names... -``` - -!!! warning - - Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - - For instance, `sudo make pass` gives: ```sh - Warning: profile dependencies fallback to unconfined. 
- @{bin}/wl-{copy,paste} rPx, - @{bin}/xclip rPx, - @{bin}/python3.@{int} rPx -> pass-import, # pass-import - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' + sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git + git clone https://github.com/roddhjav/apparmor.d.git + cd apparmor.d + dpkg-buildpackage -b -d --no-sign + sudo dpkg -i ../apparmor.d_*.deb ``` - So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. + + !!! tip + + If you have `devscripts` installed, you can use the one liner: + + ```sh + just dpkg + ``` + + !!! note + + **Ubuntu 24.04 user will need to:** + + Install [just](https://github.com/casey/just). E.g: + ```sh + pipx install rust-just + ``` + + !!! warning + + **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. + + If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. + +=== ":material-debian: Debian" + + Build the package from sources: + + ```sh + sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git + git clone https://github.com/roddhjav/apparmor.d.git + cd apparmor.d + dpkg-buildpackage -b -d --no-sign + sudo dpkg -i ../apparmor.d_*.deb + ``` + + !!! tip + + If you have `devscripts` installed, you can use the one liner: + + ```sh + just dpkg + ``` + + !!! note + + **Debian 12 user will need to:** + + 1. Install Golang from the backports repository: + ```sh + echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list + sudo apt update + sudo apt install -t bookworm-backports golang-go + ``` + + 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. 
E.g: + ```sh + pipx install rust-just + sed '/just/d' -i debian/control + ``` + + !!! warning + + **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. + + If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. + +=== ":simple-suse: openSUSE" + + openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS: + + ```sh + zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo + zypper refresh + zypper install apparmor.d + ``` + +=== ":material-home: Partial" + + For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. + + ```sh + just complain + sudo just local profile-names... + ``` + + !!! warning + + Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) + + For instance, `sudo just local pass` gives: + ```sh + Warning: profile dependencies fallback to unconfined. + @{bin}/wl-{copy,paste} rPx, + @{bin}/xclip rPx, + @{python_path} rPx -> pass-import, # pass-import + @{pager_path} rPx -> child-pager, + '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' + ``` + So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. 
-## Uninstall +[Next: Configure your personal directories](configuration.md){ .md-button .md-button--primary } -- :material-arch: Arch Linux `sudo pacman -R apparmor.d` -- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d` -- :simple-suse: openSUSE `sudo zypper remove apparmor.d` + +## Uninstallation + +=== ":material-arch: Archlinux" + + ```sh + sudo pacman -R apparmor.d + ``` + +=== ":material-ubuntu: Ubuntu" + + ```sh + sudo apt purge apparmor.d + ``` + +=== ":material-debian: Debian" + + ```sh + sudo apt purge apparmor.d + ``` + +=== ":simple-suse: openSUSE" + + ```sh + sudo zypper remove apparmor.d + ``` [aur]: https://aur.archlinux.org/packages/apparmor.d-git -[repo]: https://repo.pujol.io/ -[keys]: https://repo.pujol.io/gpgkey diff --git a/docs/issues.md b/docs/issues.md index d9f28cfe6..2f38f4c5a 100644 --- a/docs/issues.md +++ b/docs/issues.md 
@@ -2,43 +2,28 @@ title: Known issues --- -Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. +!!! info -!!! info + Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. - Usually, a profile in complain mode cannot break the program it confines. - However, there are some **major exceptions**: +## Ubuntu - * `deny` rules are enforced even in complain mode, - * `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, - * If AppArmor does not find the profile to transition `rPx`. +### Dbus -### Pacman "could not get current working directory" +Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* -```sh -$ sudo pacman -Syu -... -error: could not get current working directory -:: Processing package changes... -... -``` +Note: Ubuntu server has been more tested and will work without issues with enforced rules. -This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. +### Snap -According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. - -This provides a basic protection against some packages (on the AUR) that may have rogue install script. - -[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman +Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. -### Gnome can be very slow to start. 
+## Complain mode -[Gnome](https://github.com/roddhjav/apparmor.d/issues/80) can be slow to start. This is a known bug, help is very welcome. +A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: -The complexity is that: +1. `deny` rules are enforced even in *complain* mode, +2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, +3. If AppArmor does not find the profile to transition `rPx`. -- It works fine without AppArmor -- It works fine on most system (including test VM) -- It seems to be dbus related -- On archlinux, the dbus mediation is not enabled. So, there is nothing special to allow. diff --git a/docs/overview.md b/docs/overview.md new file mode 100644 index 000000000..20a5a454f --- /dev/null +++ b/docs/overview.md 
@@ -0,0 +1,52 @@ +--- +title: Overview +--- + +!!! danger "Help Wanted" + + This project is still in its early development. Help is very welcome; see [Development](development/index.md) + +**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. + +### Purpose + +- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` +- Confine all Desktop environments +- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` +- Confine some *"special"* user applications: web browsers, file managers, etc +- Should not break a normal usage of the confined software + +See the [Concepts](concepts.md)' page for more detail on the architecture. + +### Goals + +- Target both desktops and servers +- Support for all distributions that support AppArmor: + * [:material-arch: Arch Linux](install.md#archlinux) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12/13](install.md#debian) + * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) +- Support for all major desktop environments: + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- [Fully tested](development/tests.md) + +### Demo + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. 
You can try it online on my AppArmor play machine at https://play.pujol.io/ + +### Presentations + +Building the largest set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* + +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + +### Chat + +A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/docs/report.md b/docs/report.md index e13ac9e9f..e82d4e9e7 100644 --- a/docs/report.md +++ b/docs/report.md 
@@ -11,25 +11,39 @@ When creating [an issue on Github][newissue], please post a link to the [paste] aa-log -R ``` -If this command produce nothing, try: +??? question "No logs with `aa-log`?" + + If the log file is empty, check that Auditd is running: + + ```sh + sudo systemctl status auditd.service + ``` + + If Auditd is disabled aa-log will not have new results, you can enable Auditd with: + + ```sh + sudo systemctl enable auditd.service --now + ``` + +If this command produces nothing, use `-s` to provide all logs since boot time (provided that `journalctl` collected them): ```sh aa-log -s -R ``` -If the log file is empty, check that Auditd is running: +??? question "No logs with `aa-log -s`?" + + On certain distributions/configurations, AppArmor logs in journal could be taken over by *auditd* when it is installed. To overcome this, `systemd-journald-audit.socket` could be enabled: + + ```sh + sudo systemctl enable systemd-journald-audit.socket + ``` + +You can get older logs with: + ```sh -sudo systemctl status auditd.service +aa-log -R -f ``` - -If Auditd is disabled aa-log will not have new results, you can enable Auditd by doing the following command: -```sh -sudo systemctl enable auditd.service --now -``` - -You can get more logs with: - -1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them) -2. `aa-log -R -f ` where `` is `1`, `2`, `3` and `4` (the rotated audit log file) +Where `` is `1`, `2`, `3` and `4` (the rotated audit log file). [newissue]: https://github.com/roddhjav/apparmor.d/issues/new [paste]: https://pastebin.com/ diff --git a/docs/usage.md b/docs/usage.md index 70eaaa292..372762998 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -24,9 +24,10 @@ apparmor module is loaded. ... 30 processes are in complain mode. ... +0 processes are in prompt mode. +0 processes are in kill mode. 0 processes are unconfined but have a profile defined. 0 processes are in mixed mode. -0 processes are in kill mode. ``` You can also list the current processes alongside with their security profile with: @@ -76,9 +77,9 @@ ps (complain) user ps auxZ ## AppArmor Log -Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colorful way. +Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colourful way. -Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. +Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions). ### Basic use 
@@ -115,15 +116,15 @@ profile dnsmasq { ### Help ``` -aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] +aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] - Review AppArmor generated messages in a colorful way. Supports logs from + Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -131,4 +132,5 @@ Options: -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. + -S, --since DATE Show entries not older than the specified date. ``` diff --git a/docs/variables.md b/docs/variables.md index a70358263..1bcee8f93 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -6,8 +6,10 @@ title: Variables References ### User directories +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | | Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | @@ -26,14 +28,19 @@ title: Variables References | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | | Sync | `@{XDG_SYNC_DIR}` | `Sync` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | -| Vm | `@{XDG_VM_DIR}` | `.vm` -| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` +| Vm | `@{XDG_VM_DIR}` | `.vm` | +| Vm Shares | `@{XDG_VMSHARE_DIR}` | `VM_Shares` | | Disk images | `@{XDG_IMG_DIR}` | `images` | +| Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | + +
### Dotfiles +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Cache | ` @{XDG_CACHE_DIR}` | `.cache` | | Config | `@{XDG_CONFIG_DIR}` | `.config` | | Data | `@{XDG_DATA_DIR}` | `.local/share` | @@ -44,26 +51,32 @@ title: Variables References | SSH | `@{XDG_SSH_DIR}` | `.ssh` | | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | -| Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | + +
### Full configuration path +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` | | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` | | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` | | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | -| Build | `@{user_build_dirs}` | `/tmp/` | +| Build | `@{user_build_dirs}` | `/tmp/build/` | | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | -| Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` | + +
### Full user path +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` | | Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` | @@ -72,7 +85,7 @@ title: Variables References | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | -| Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | +| Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | 
@@ -80,44 +93,83 @@ title: Variables References | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` | | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | -| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` -| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` -| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | +| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | +| Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}` | +| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | + +
## System variables -!!! warning +!!! danger Do not modify these variables unless you know what you are doing -**Helper variables** +#### Base variables + +
| Description | Name | Default Value(s) | -|-------------|:----:|---------------| -| Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` | -| Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | | -| Hexadecimal | `@{h}*@{h}` | | -| Universally unique identifier | `@{uuid}` | | -| Current Process id | `@{pid}` | `[0-9]*` | -| Processes ids | `@{pids}` | `[0-9]*` | -| User id | `@{uid}` | `[0-9]*` | -| Thread id | `@{tid}` | `[0-9]*` | -| Single hexadecimal character | `@{h}` | `[0-9a-fA-F]` | +|-------------|------|------------------| +| Any digit | `@{d}` | `[0-9]` | +| Any letter | `@{l}` | `[a-zA-Z]` | | Single alphanumeric character | `@{c}` | `[0-9a-zA-Z]` | -| PCI Devices | `@{pci}` | `@{pci_bus}/**/` | -| PCI Bus | `@{pci_bus}` | `pci@{h}@{h}@{h}@{h}:@{h}@{h}` | -| PCI Id | `@{pci_id}` | `@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}` | +| Word character: matches any letter, digit or underscore. | `@{w}` | `[0-9a-zA-Z_]` | +| Single hexadecimal character | `@{h}` | `[0-9a-fA-F]` | +| Integer up to 10 digits (0-9999999999) | `@{int}` | `@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}` | +| Unsigned integer over 8 bits (0-255) | `@{u8}` | `[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]` | +| Unsigned integer over 16 bits (0-65535, 5 digits) | `@{u16}` | `@{d}{@{d},}{@{d},}{@{d},}{@{d},}` | +| Hexadecimal up to 64 characters | `@{hex}` | | +| Alphanumeric up to 64 characters | `@{rand}` | | +| Word up to 64 characters | `@{word}` | | -**System Paths** +
+ +#### Basic variables of a given length + +
+ +| Description | Name | +|-------------|------| +| Any x digits characters | `@{int2}` `@{int4}` `@{int6}` `@{int8}` `@{int9}` `@{int10}` `@{int12}` `@{int15}` `@{int16}` `@{int32}` `@{int64}` | +| Any x hexadecimal characters | `@{hex2}` `@{hex4}` `@{hex6}` `@{hex8}` `@{hex9}` `@{hex10}` `@{hex12}` `@{hex15}` `@{hex16}` `@{hex32}` `@{hex38}` `@{hex64}` | +| Any x alphanumeric characters | `@{rand2}` `@{rand4}` `@{rand6}` `@{rand8}` `@{rand9}` `@{rand10}` `@{rand12}` `@{rand15}` `@{rand16}` `@{rand32}` `@{rand64}` | +| Any x word characters | `@{word2}` `@{word4}` `@{word6}` `@{word8}` `@{word9}` `@{word10}` `@{word12}` `@{word15}` `@{word16}` `@{word32}` `@{word64}` | + +
+ +#### System Variables + +
| Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| +| Common architecture names | `@{arch}` | `x86_64 amd64 i386 i686` | +| Dbus unique name | `@{busname}` | `:1.@{u16} :not.active.yet` | +| Universally unique identifier | `@{uuid}` | `@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}` | +| Username valid characters | `@{user}` | `[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}` | +| Group valid characters | `@{group}` | `@{user}` | +| Semantic version | `@{version}` | `@{int}{.@{int},}{.@{int},}{-@{rand},}` | +| Current Process Id | `@{pid}` | `{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}` | +| Processes Ids | `@{pids}` | `@{pid}` | +| Thread Id | `@{tid}` | `@{pid}` | +| User Id (equivalent to `@{int}`) | `@{uid}` | `{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}` | + +
+ +#### System Paths + +
+ +| Description | Name | Default Value(s) | +|-------------|------|------------------| | Root Home | `@{HOMEDIRS}` | `/home/` | | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | -| Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/ /mnt/` | -| Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/` | -| Bin | `@{bin}` | `/{usr/,}{s,}bin` | +| Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/@{user}/ /mnt/` | +| Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` | +| Bin | `@{bin}` | `/{usr/,}bin` | +| Sbin | `@{sbin}` | `/{usr/,}sbin` | | Lib | `@{lib}` | `/{usr/,}lib{,exec,32,64}` | | multi-arch library | `@{multiarch}` | `*-linux-gnu*` | | Proc | `@{PROC}` | `/proc/` | @@ -126,13 +178,29 @@ title: Variables References | System wide share | `@{system_share_dirs}` | `/{usr,usr/local,var/lib/@{flatpak_exports_root}}/share` | | Flatpak export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` | -**Program paths** +
+ +#### System Internal | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| +| PCI Devices | `@{pci}` | `@{pci_bus}/**/` | +| PCI Bus | `@{pci_bus}` | `pci@{h}@{h}@{h}@{h}:@{h}@{h}` | +| PCI Id | `@{pci_id}` | `@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}` | +| HCI devices | `@{hci_id}` | `dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}` | +| Udev data dynamic assignment ranges (234 to 254 then 384 to 511) | `@{dynamic}` | `23[4-9] 24[0-9] 25[0-4] 38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1]` | + +#### Program paths + +
+ +| Description | Name | Default Value(s) | +|-------------|------|------------------| | All the shells | `@{shells}` | `sh zsh bash dash fish rbash ksh tcsh csh` | | Shells path | `@{shells_path}` | `@{bin}/@{shells}` | | Coreutils programs that should not have dedicated profile | `@{coreutils}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L46) | | Coreutils paths | `@{coreutils_path}` | `@{bin}/@{coreutils}` | -| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop` +| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop @{lib}/gio-launch-desktop` | All browser paths | `@{*_path}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L11) + +
diff --git a/go.mod b/go.mod index bec7213d7..3bea9f548 100644 --- a/go.mod +++ b/go.mod @@ -1,13 +1,3 @@ module github.com/roddhjav/apparmor.d -go 1.21 - -require ( - github.com/stretchr/testify v1.9.0 - gopkg.in/yaml.v3 v3.0.1 -) - -require ( - github.com/davecgh/go-spew v1.1.1 // indirect - github.com/pmezard/go-difflib v1.0.0 // indirect -) +go 1.23.0 diff --git a/go.sum b/go.sum index 60ce688a0..e69de29bb 100644 --- a/go.sum +++ b/go.sum @@ -1,10 +0,0 @@ -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= -github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/mkdocs.yml b/mkdocs.yml index d72fd86b7..e5244a529 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -15,7 +15,7 @@ repo_url: https://github.com/roddhjav/apparmor.d edit_uri: edit/main/docs/ # Copyright -copyright: Copyright © 2021-2024 Alexandre Pujol +copyright: Copyright © 2021-2025 Alexandre Pujol # Configuration theme: @@ -43,8 +43,10 @@ theme: - content.action.edit - content.code.annotate - content.code.copy + - content.tabs.link - content.tooltips - navigation.indexes + - navigation.instant - navigation.sections - navigation.tabs - navigation.top 
@@ -62,11 +64,16 @@ plugins: - offline: enabled: !ENV [MKDOCS_OFFLINE, true] - git-revision-date-localized: - enabled: !ENV [ENABLED_GIT_REVISION_DATE, True] + enabled: !ENV [ENABLED_GIT_REVISION_DATE, true] enable_creation_date: true fallback_to_build_date: true - minify: minify_html: true + - git-committers: + enabled: !ENV [ENABLED_GIT_REVISION_DATE, true] + token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY] + repository: roddhjav/apparmor.d + branch: main # Customization extra: @@ -110,7 +117,9 @@ markdown_extensions: user: squidfunk repo: mkdocs-material - pymdownx.smartsymbols - - pymdownx.snippets + - pymdownx.snippets: + auto_append: + - docs/abbreviations.md - pymdownx.superfences: custom_fences: - name: mermaid @@ -118,6 +127,9 @@ markdown_extensions: format: !!python/name:pymdownx.superfences.fence_code_format - pymdownx.tabbed: alternate_style: true + slugify: !!python/object/apply:pymdownx.slugs.slugify + kwds: + case: lower - pymdownx.tasklist: custom_checkbox: true @@ -126,28 +138,33 @@ nav: - Home: - index.md - Getting Started: + - overview.md - concepts.md - install.md - configuration.md - usage.md + - report.md - Advanced: - variables.md - enforce.md - full-system-policy.md - Troubleshooting: - issues.md - - report.md - recovery.md - Development: - development/index.md - - Architecture: - - development/install.md + - development/roadmap.md + - Profiles: + - development/workflow.md - development/guidelines.md - - development/structure.md - - Profile: - development/abstractions.md + - development/internal.md - development/directives.md - development/dbus.md + - development/recommendations.md + - Packages: + - development/build.md - Tests: - development/tests.md + - development/vm.md - development/integration.md diff --git a/pkg/aa/all.go b/pkg/aa/all.go index b3acb5d96..21368d320 100644 --- a/pkg/aa/all.go +++ b/pkg/aa/all.go 
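Review bot: The new `git-committers` plugin is switched on by the same `ENABLED_GIT_REVISION_DATE` variable as `git-revision-date-localized`, while its `token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY]` has no fallback, so a build that enables revision dates but lacks the secret hands the plugin a null token and, depending on plugin behaviour, either fails or queries the GitHub API unauthenticated and rate-limited. Give it its own opt-in switch, e.g. `enabled: !ENV [ENABLED_GIT_COMMITTERS, false]`, so that local and offline builds (`offline` is already gated separately above) do not need the token. Since the value is a GitHub API token consumed at build time, it should be a fine-grained, read-only token supplied as a CI secret rather than anything living in a developer environment; a comment on the `token:` line saying so would help.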
@@ -9,11 +9,23 @@ const ( ) type All struct { - RuleBase + Base } func newAll(q Qualifier, rule rule) (Rule, error) { - return &All{RuleBase: newBase(rule)}, nil + return &All{Base: newBase(rule)}, nil +} + +func (r *All) Kind() Kind { + return ALL +} + +func (r *All) Constraint() Constraint { + return BlockRule +} + +func (r *All) String() string { + return renderTemplate(r.Kind(), r) } func (r *All) Validate() error { @@ -26,18 +38,12 @@ func (r *All) Compare(other Rule) int { func (r *All) Merge(other Rule) bool { o, _ := other.(*All) - b := &r.RuleBase - return b.merge(o.RuleBase) + b := &r.Base + return b.merge(o.Base) // Always merge all rules } -func (r *All) String() string { - return renderTemplate(r.Kind(), r) +func (r *All) Lengths() []int { + return []int{} // No len for all } -func (r *All) Constraint() constraint { - return blockKind -} - -func (r *All) Kind() Kind { - return ALL -} +func (r *All) setPaddings(max []int) {} // No paddings for all diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 75c009c86..94e232c81 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go 
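Review bot: `All.Merge` still dereferences the result of an unchecked assertion — `o, _ := other.(*All)` followed by `o.Base` — so a caller that passes a rule of another kind gets a nil-pointer panic rather than the `false` the other `Merge` implementations in this commit return. Use the two-value form and bail out: `o, ok := other.(*All)` / `if !ok { return false }`. Whether the dispatcher guarantees same-kind arguments is not visible here; if it does, a comment on `Merge` stating that precondition would be the minimum.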
@@ -5,12 +5,39 @@ package aa import ( + "strings" + "github.com/roddhjav/apparmor.d/pkg/paths" ) -// Default Apparmor magic directory: /etc/apparmor.d/. +// MagicRoot is the default Apparmor magic directory: /etc/apparmor.d/. var MagicRoot = paths.New("/etc/apparmor.d") +// FileKind represents an AppArmor file kind. +type FileKind uint8 + +const ( + ProfileKind FileKind = iota + AbstractionKind + TunableKind +) + +func KindFromPath(file *paths.Path) FileKind { + dirname := file.Parent().String() + switch { + case strings.Contains(dirname, "abstractions"): + return AbstractionKind + case strings.Contains(dirname, "tunables"): + return TunableKind + case strings.Contains(dirname, "local"): + return AbstractionKind + case strings.Contains(dirname, "mappings"): + return AbstractionKind + default: + return ProfileKind + } +} + // AppArmorProfileFiles represents a full set of apparmor profiles type AppArmorProfileFiles map[string]*AppArmorProfileFile @@ -32,7 +59,10 @@ func NewAppArmorProfile() *AppArmorProfileFile { func DefaultTunables() *AppArmorProfileFile { return &AppArmorProfileFile{ Preamble: Rules{ - &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, + &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, + &Variable{Name: "bin", Values: []string{"/{,usr/}bin"}, Define: true}, + &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, + &Variable{Name: "dpkg_script_ext", Values: []string{"config", "templates", "preinst", "postinst", "prerm", "postrm"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true}, 
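Review bot: `KindFromPath` classifies by `strings.Contains` on the whole parent path, so any file stored under a directory whose absolute path merely contains one of the keywords is misclassified — a source tree checked out below `/usr/local/` or `~/localwork/` turns every profile into `AbstractionKind` via the `"local"` case, and a path such as `/srv/tunables-backup/apparmor.d/foo` becomes `TunableKind`. Test whole path components relative to the profile root (the directory holding `abstractions/`, `tunables/`, `local/`, `mappings/`) rather than substrings of the full string, and document in a comment above the function which root the classification is relative to. If the function is only ever called with paths below `MagicRoot`, trimming that prefix before splitting on `/` is enough; otherwise the root needs to be a parameter.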
@@ -40,11 +70,15 @@ func DefaultTunables() *AppArmorProfileFile { &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true}, &Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true}, &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true}, + &Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters &Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true}, &Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true}, &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true}, &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true}, &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true}, + &Variable{Name: "user", Values: []string{"[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}"}, Define: true}, + &Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true}, + &Variable{Name: "w", Values: []string{"[a-zA-Z0-9_]"}, Define: true}, }, } } diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 10cf366b4..172cfc2b5 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -10,7 +10,6 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) var ( 
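Review bot: The default tunable set is now inconsistent with what the rest of the commit expects: `bin` was narrowed to `/{,usr/}bin` in the previous hunk and the integration test in this same change switches `aa-status` to `@{sbin}/...`, yet no `sbin` variable is defined here, and `rand` is annotated `// Up to 10 characters` while `docs/variables.md` in this diff describes `@{rand}` as up to 64 characters (`arch` likewise lacks the documented `i686`). If `DefaultTunables` is meant to be a reduced subset for tests this is harmless, but that intent should be stated in a doc comment on the function; otherwise add `&Variable{Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true},` next to `bin` and align the `rand`/`arch` values with the documented defaults.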
@@ -21,7 +20,7 @@ var ( // mustReadProfileFile read a file and return its content as a slice of string. // It panics if an error occurs. It removes the last comment line. func mustReadProfileFile(path *paths.Path) string { - res := strings.Split(util.MustReadFile(path), "\n") + res := strings.Split(path.MustReadFileAsString(), "\n") return strings.Join(res[:len(res)-2], "\n") } @@ -40,7 +39,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { name: "foo", f: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{RuleBase: RuleBase{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, + &Comment{Base: Base{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, nil, &Abi{IsMagic: true, Path: "abi/4.0"}, &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"}, @@ -66,7 +65,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { &Network{Domain: "inet", Type: "stream"}, &Network{Domain: "inet6", Type: "stream"}, &Mount{ - RuleBase: RuleBase{Comment: " failed perms check"}, + Base: Base{Comment: " failed perms check"}, MountConditions: MountConditions{ FsType: "fuse.portal", Options: []string{"rw", "rbind"}, @@ -108,7 +107,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { }, }}, }, - want: util.MustReadFile(testData.Join("string.aa")), + want: testData.Join("string.aa").MustReadFileAsString(), }, } for _, tt := range tests { 
@@ -204,15 +203,15 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { name: "aa-status", f: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{RuleBase: RuleBase{Comment: " apparmor.d - Full set of apparmor profiles", IsLineRule: true}}, - &Comment{RuleBase: RuleBase{Comment: " Copyright (C) 2021-2024 Alexandre Pujol ", IsLineRule: true}}, - &Comment{RuleBase: RuleBase{Comment: " SPDX-License-Identifier: GPL-2.0-only", IsLineRule: true}}, + &Comment{Base: Base{Comment: " apparmor.d - Full set of apparmor profiles", IsLineRule: true}}, + &Comment{Base: Base{Comment: " Copyright (C) 2021-2024 Alexandre Pujol ", IsLineRule: true}}, + &Comment{Base: Base{Comment: " SPDX-License-Identifier: GPL-2.0-only", IsLineRule: true}}, nil, - &Abi{IsMagic: true, Path: "abi/3.0"}, + &Abi{IsMagic: true, Path: "abi/4.0"}, &Include{IsMagic: true, Path: "tunables/global"}, &Variable{ Name: "exec_path", Define: true, - Values: []string{"@{bin}/aa-status", "@{bin}/apparmor_status"}, + Values: []string{"@{sbin}/aa-status", "@{sbin}/apparmor_status"}, }, }, Profiles: []*Profile{{ 
@@ -224,11 +223,11 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"}, &Capability{Names: []string{"dac_read_search"}}, &File{Path: "@{exec_path}", Access: []string{"m", "r"}}, - &File{Path: "@{PROC}/@{pids}/attr/apparmor/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/apparmor/current", Access: []string{"r"}}, &File{Path: "@{PROC}/", Access: []string{"r"}}, &File{Path: "@{sys}/module/apparmor/parameters/enabled", Access: []string{"r"}}, &File{Path: "@{sys}/kernel/security/apparmor/profiles", Access: []string{"r"}}, - &File{Path: "@{PROC}/@{pids}/attr/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/current", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/consoles"}, &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/base"}, @@ -238,7 +237,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { }, }}, }, - want: mustReadProfileFile(intData.Join("profiles-a-f/aa-status")), + want: mustReadProfileFile(intData.Join("groups/apparmor/aa-status")), }, } for _, tt := range tests { diff --git a/pkg/aa/base.go b/pkg/aa/base.go index c05954267..a712a5899 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -8,18 +8,16 @@ import ( "strings" ) -type RuleBase struct { - IsLineRule bool +type Base struct { Comment string + IsLineRule bool NoNewPrivs bool FileInherit bool - Prefix string - Padding string - Suffix string Optional bool + Paddings []string } -func newBase(rule rule) RuleBase { +func newBase(rule rule) Base { comment := "" fileInherit, noNewPrivs, optional := false, false, false @@ -44,7 +42,7 @@ func newBase(rule rule) RuleBase { optional = true comment = strings.Replace(comment, "optional: ", "", 1) } - return RuleBase{ + return Base{ Comment: comment, NoNewPrivs: noNewPrivs, FileInherit: fileInherit, 
@@ -52,7 +50,7 @@ func newBase(rule rule) RuleBase { } } -func newBaseFromLog(log map[string]string) RuleBase { +func newBaseFromLog(log map[string]string) Base { comment := "" fileInherit, noNewPrivs, optional := false, false, false @@ -70,7 +68,7 @@ func newBaseFromLog(log map[string]string) RuleBase { if log["info"] != "" { comment += " " + log["info"] } - return RuleBase{ + return Base{ IsLineRule: false, Comment: comment, NoNewPrivs: noNewPrivs, @@ -79,31 +77,42 @@ func newBaseFromLog(log map[string]string) RuleBase { } } -func (r RuleBase) Merge(other Rule) bool { - return false +func (r Base) Padding(i int) string { + if i >= len(r.Paddings) { + return "" + } + return r.Paddings[i] } -func (r *RuleBase) merge(other RuleBase) bool { +func (r *Base) merge(other Base) bool { + r.NoNewPrivs = r.NoNewPrivs || other.NoNewPrivs + r.FileInherit = r.FileInherit || other.FileInherit + r.Optional = r.Optional || other.Optional if other.Comment != "" { r.Comment += " " + other.Comment } return true } +func (r Base) addLine(other Rule) bool { + return false +} + type Qualifier struct { + Priority string Audit bool AccessType string } func newQualifierFromLog(log map[string]string) Qualifier { - audit := false - if log["apparmor"] == "AUDIT" { - audit = true - } + audit := log["apparmor"] == "AUDIT" return Qualifier{Audit: audit} } func (r Qualifier) Compare(o Qualifier) int { + if r := compare(r.Priority, o.Priority); r != 0 { + return r + } if r := compare(r.Audit, o.Audit); r != 0 { return r } 
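Review bot: `Qualifier.Compare` now orders on `Priority` before `Audit`, but `Priority` is a `string`, so if `compare` is the generic ordering used for the other string fields the result is lexicographic — `priority=10` sorts before `priority=9`, and negative priorities come out reversed (`-1` before `-2` although `-1` is the larger value) — which would affect any rule sorting that relies on this. Either parse both sides with `strconv.Atoi` inside `Compare` (treating the empty string as 0, since an unset priority and `priority=0` should sort together) or store the parsed integer in `Qualifier` when the rule is read. `compare` itself is defined outside this hunk, so confirm its semantics before changing the field type.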
@@ -111,5 +120,24 @@ func (r Qualifier) Compare(o Qualifier) int { } func (r Qualifier) Equal(o Qualifier) bool { - return r.Audit == o.Audit && r.AccessType == o.AccessType + return r.Priority == o.Priority && r.Audit == o.Audit && r.AccessType == o.AccessType +} + +func (r Qualifier) getLenAudit() int { + return length("audit", r.Audit) +} + +func (r Qualifier) getLenAccess() int { + lenAccess := 0 + if r.AccessType != "" { + lenAccess = length("", r.AccessType) + } + return lenAccess +} + +func (r Qualifier) setPaddings(max []int) []string { + return setPaddings(max, + []string{"audit", ""}, + []any{r.Audit, r.AccessType}, + ) } diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go index b3ce0ba77..d0826dfa2 100644 --- a/pkg/aa/blocks.go +++ b/pkg/aa/blocks.go @@ -10,28 +10,38 @@ const ( // Hat represents a single AppArmor hat. type Hat struct { - RuleBase + Base Name string Rules Rules } -func (r *Hat) Validate() error { - return nil +func (p *Hat) Kind() Kind { + return HAT } -func (r *Hat) Compare(other Rule) int { - o, _ := other.(*Hat) - return compare(r.Name, o.Name) +func (p *Hat) Constraint() Constraint { + return BlockRule } func (p *Hat) String() string { return renderTemplate(p.Kind(), p) } -func (p *Hat) Constraint() constraint { - return blockKind +func (p *Hat) Validate() error { + return nil } -func (p *Hat) Kind() Kind { - return HAT +func (p *Hat) Compare(other Rule) int { + o, _ := other.(*Hat) + return compare(p.Name, o.Name) } + +func (p *Hat) Merge(other Rule) bool { + return false // Never merge hat blocks +} + +func (p *Hat) Lengths() []int { + return []int{} // No len for hat +} + +func (p *Hat) setPaddings(max []int) {} // No paddings for hat diff --git a/pkg/aa/capability.go b/pkg/aa/capability.go index f9f083f98..a55f8bc9b 100644 --- a/pkg/aa/capability.go +++ b/pkg/aa/capability.go @@ -26,7 +26,7 @@ func init() { } type Capability struct { - RuleBase + Base Qualifier Names []string } 
@@ -37,7 +37,7 @@ func newCapability(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Capability{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, Names: names, }, nil @@ -45,12 +45,24 @@ func newCapability(q Qualifier, rule rule) (Rule, error) { func newCapabilityFromLog(log map[string]string) Rule { return &Capability{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Names: Must(toValues(CAPABILITY, "name", log["capname"])), } } +func (r *Capability) Kind() Kind { + return CAPABILITY +} + +func (r *Capability) Constraint() Constraint { + return BlockRule +} + +func (r *Capability) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Capability) Validate() error { if err := validateValues(r.Kind(), "name", r.Names); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -66,14 +78,20 @@ func (r *Capability) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *Capability) String() string { - return renderTemplate(r.Kind(), r) +func (r *Capability) Merge(other Rule) bool { + return false // Never merge capabilities } -func (r *Capability) Constraint() constraint { - return blockKind +func (r *Capability) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("", r.Names), + } } -func (r *Capability) Kind() Kind { - return CAPABILITY +func (r *Capability) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{""}, []any{r.Names})..., + ) } diff --git a/pkg/aa/change_profile.go b/pkg/aa/change_profile.go index a6abb8772..5334b343c 100644 --- a/pkg/aa/change_profile.go +++ b/pkg/aa/change_profile.go @@ -18,7 +18,7 @@ func init() { } type ChangeProfile struct { - RuleBase + Base Qualifier ExecMode string Exec string 
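Review bot: `Capability.setPaddings` slices `max[:2]` and `max[2:]` with no length check, so a caller that hands in a shorter slice panics instead of failing clearly; the implied contract is that `max` has exactly as many entries as `Lengths()` returns (three here), and that should be stated in a comment on the method, e.g. `// setPaddings expects len(max) == len(r.Lengths()); the caller must compute max over all rules of this kind.` The parameter name `max` also shadows the builtin `max` available since Go 1.21 (this diff moves `go.mod` to 1.23.0), which compiles but trips up readers and linters — `widths` or `maxLens` reads better. The same two remarks apply to `ChangeProfile.setPaddings` in the next file.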
@@ -49,7 +49,7 @@ func newChangeProfile(q Qualifier, rule rule) (Rule, error) { } } return &ChangeProfile{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, ExecMode: mode, Exec: exec, @@ -59,7 +59,7 @@ func newChangeProfile(q Qualifier, rule rule) (Rule, error) { func newChangeProfileFromLog(log map[string]string) Rule { return &ChangeProfile{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), ExecMode: log["mode"], Exec: log["exec"], @@ -67,6 +67,18 @@ func newChangeProfileFromLog(log map[string]string) Rule { } } +func (r *ChangeProfile) Kind() Kind { + return CHANGEPROFILE +} + +func (r *ChangeProfile) Constraint() Constraint { + return BlockRule +} + +func (r *ChangeProfile) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *ChangeProfile) Validate() error { if err := validateValues(r.Kind(), "mode", []string{r.ExecMode}); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -88,14 +100,23 @@ func (r *ChangeProfile) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *ChangeProfile) String() string { - return renderTemplate(r.Kind(), r) +func (r *ChangeProfile) Merge(other Rule) bool { + return false // Never merge change_profile } -func (r *ChangeProfile) Constraint() constraint { - return blockKind +func (r *ChangeProfile) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("", r.ExecMode), + length("", r.Exec), + length("", r.ProfileName), + } } -func (r *ChangeProfile) Kind() Kind { - return CHANGEPROFILE +func (r *ChangeProfile) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{"", "", ""}, + []any{r.ExecMode, r.Exec, r.ProfileName})..., + ) } diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index b4e247868..28aa703d6 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go 
@@ -6,8 +6,8 @@ package aa var ( // Comment - comment1 = &Comment{RuleBase: RuleBase{Comment: "comment", IsLineRule: true}} - comment2 = &Comment{RuleBase: RuleBase{Comment: "another comment", IsLineRule: true}} + comment1 = &Comment{Base: Base{Comment: "comment", IsLineRule: true}} + comment2 = &Comment{Base: Base{Comment: "another comment", IsLineRule: true}} // Abi abi1 = &Abi{IsMagic: true, Path: "abi/4.0"} @@ -28,7 +28,7 @@ var ( // All all1 = &All{} - all2 = &All{RuleBase: RuleBase{Comment: "comment"}} + all2 = &All{Base: Base{Comment: "comment"}} // Rlimit rlimit1 = &Rlimit{Key: "nproc", Op: "<=", Value: "200"} @@ -65,8 +65,34 @@ var ( "denied_mask": "create", "comm": "sddm-greeter", } + network3Log = map[string]string{ + "apparmor": "ALLOWED", + "class": "net", + "operation": "sendmsg", + "info": "failed af match", + "error": "-13", + "profile": "unattended-upgrade", + "comm": "unattended-upgr", + "laddr": "127.0.0.1", + "lport": "57007", + "faddr": "127.0.0.53", + "saddr": "127.0.0.1", + "src": "57007", + "fport": "53", + "sock_type": "dgram", + "protocol": "17", + "requested": "send", + "denied": "send", + } network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"} network2 = &Network{Domain: "inet", Type: "dgram"} + network3 = &Network{ + Base: Base{Comment: " failed af match"}, + LocalAddress: LocalAddress{IP: "127.0.0.1", Port: "57007"}, + PeerAddress: PeerAddress{IP: "127.0.0.53", Port: "53", Src: "127.0.0.1"}, + Type: "dgram", + Protocol: "17", + } // Mount mount1Log = map[string]string{ 
@@ -94,13 +120,13 @@ var ( "flags": "rw, rbind", } mount1 = &Mount{ - RuleBase: RuleBase{Comment: " failed perms check"}, + Base: Base{Comment: " failed perms check"}, MountConditions: MountConditions{FsType: "overlay"}, Source: "overlay", MountPoint: "/var/lib/docker/overlay2/opaque-bug-check1209538631/merged/", } mount2 = &Mount{ - RuleBase: RuleBase{Comment: " failed perms check"}, + Base: Base{Comment: " failed perms check"}, MountConditions: MountConditions{Options: []string{"rw", "rbind"}}, Source: "/oldroot/dev/tty", MountPoint: "/newroot/dev/tty", @@ -238,9 +264,9 @@ var ( PeerLabel: "dbus-daemon", } unix2 = &Unix{ - RuleBase: RuleBase{FileInherit: true}, - Access: []string{"receive"}, - Type: "stream", + Base: Base{FileInherit: true}, + Access: []string{"receive"}, + Type: "stream", } // Dbus @@ -318,10 +344,10 @@ var ( } file1 = &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}} file2 = &File{ - RuleBase: RuleBase{NoNewPrivs: true}, - Owner: true, - Path: "@{PROC}/4163/cgroup", - Access: []string{"r"}, + Base: Base{NoNewPrivs: true}, + Owner: true, + Path: "@{PROC}/4163/cgroup", + Access: []string{"r"}, } // Link diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go index f34b8e09c..fa4ec7ec4 100644 --- a/pkg/aa/dbus.go +++ b/pkg/aa/dbus.go @@ -21,7 +21,7 @@ func init() { } type Dbus struct { - RuleBase + Base Qualifier Access []string Bus string @@ -39,7 +39,7 @@ func newDbus(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Dbus{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, Access: accesses, Bus: rule.GetValuesAsString("bus"), @@ -61,7 +61,7 @@ func newDbusFromLog(log map[string]string) Rule { peerName = log["name"] } return &Dbus{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: []string{log["mask"]}, Bus: log["bus"], 
@@ -74,6 +74,18 @@ func newDbusFromLog(log map[string]string) Rule { } } +func (r *Dbus) Kind() Kind { + return DBUS +} + +func (r *Dbus) Constraint() Constraint { + return BlockRule +} + +func (r *Dbus) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Dbus) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -113,27 +125,21 @@ func (r *Dbus) Compare(other Rule) int { func (r *Dbus) Merge(other Rule) bool { o, _ := other.(*Dbus) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Bus == o.Bus && r.Name == o.Name && r.Path == o.Path && r.Interface == o.Interface && r.Member == o.Member && r.PeerName == o.PeerName && r.PeerLabel == o.PeerLabel { r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.RuleBase - return b.merge(o.RuleBase) + b := &r.Base + return b.merge(o.Base) } return false } -func (r *Dbus) String() string { - return renderTemplate(r.Kind(), r) +func (r *Dbus) Lengths() []int { + return []int{} // No len for dbus } -func (r *Dbus) Constraint() constraint { - return blockKind -} - -func (r *Dbus) Kind() Kind { - return DBUS -} +func (r *Dbus) setPaddings(max []int) {} // No paddings for dbus diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 56ae9c499..091f9436f 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -8,6 +8,8 @@ import ( "fmt" "slices" "strings" + + "github.com/roddhjav/apparmor.d/pkg/util" ) const ( @@ -27,7 +29,7 @@ func init() { } } -func isOwner(log map[string]string) bool { +func IsOwner(log map[string]string) bool { fsuid, hasFsUID := log["fsuid"] ouid, hasOuUID := log["ouid"] isDbus := strings.Contains(log["operation"], "dbus") @@ -38,7 +40,7 @@ func isOwner(log map[string]string) bool { } type File struct { - RuleBase + Base Qualifier Owner bool Path string 
@@ -76,7 +78,7 @@ func newFile(q Qualifier, rule rule) (Rule, error) {
 return nil, err
 }
 return &File{
- RuleBase: newBase(rule),
+ Base: newBase(rule),
 Qualifier: q,
 Owner: owner,
 Path: path,
@@ -94,16 +96,49 @@ func newFileFromLog(log map[string]string) Rule {
 return newLinkFromLog(log)
 }
 return &File{
- RuleBase: newBaseFromLog(log),
+ Base: newBaseFromLog(log),
 Qualifier: newQualifierFromLog(log),
- Owner: isOwner(log),
+ Owner: IsOwner(log),
 Path: log["name"],
 Access: accesses,
 Target: log["target"],
 }
 }

+func (r *File) Kind() Kind {
+ return FILE
+}
+
+func (r *File) Constraint() Constraint {
+ return BlockRule
+}
+
+func (r *File) String() string {
+ return renderTemplate(r.Kind(), r)
+}
+
 func (r *File) Validate() error {
+ if r.Path == "" && r.Target == "" && len(r.Access) == 0 {
+ return nil // rule: `file` or `owner file`
+ }
+ if !isAARE(r.Path) {
+ return fmt.Errorf("'%s' is not a valid AARE", r.Path)
+ }
+ if len(r.Access) == 0 {
+ return fmt.Errorf("missing file access")
+ }
+ for _, v := range r.Access {
+ if v == "" {
+ continue
+ }
+ if !slices.Contains(requirements[r.Kind()]["access"], v) &&
+ !slices.Contains(requirements[r.Kind()]["transition"], v) {
+ return fmt.Errorf("invalid mode '%s'", v)
+ }
+ }
+ if r.Target != "" && !isAARE(r.Target) {
+ return fmt.Errorf("'%s' is not a valid AARE", r.Target)
+ }
 return nil
 }
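Review bot: The four errors returned by the new `File.Validate` carry no rule context, unlike the sibling `Validate` implementations in this diff that wrap with `fmt.Errorf("%s: %w", r, err)`, so a profile with many file rules reports `'foo' is not a valid AARE` without saying which rule failed. Prefixing each with the rule, e.g. `return fmt.Errorf("%s: '%s' is not a valid AARE", r, r.Path)`, keeps the messages uniform and actionable. The same applies to the two errors added to `Link.Validate` in the `@@ -201,15 +260,33 @@` hunk. Separately, the loop silently skips empty entries in `r.Access` (`if v == "" { continue }`); if an empty access string is a legitimate state, a short comment saying where it comes from would help, otherwise it should be rejected like any other invalid mode.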
@@ -133,31 +168,55 @@ func (r *File) Compare(other Rule) int {

 func (r *File) Merge(other Rule) bool {
 o, _ := other.(*File)
- if !r.Qualifier.Equal(o.Qualifier) {
+ if !r.Equal(o.Qualifier) {
 return false
 }
 if r.Owner == o.Owner && r.Path == o.Path && r.Target == o.Target {
 r.Access = merge(r.Kind(), "access", r.Access, o.Access)
- b := &r.RuleBase
- return b.merge(o.RuleBase)
+ b := &r.Base
+ return b.merge(o.Base)
 }
 return false
 }

-func (r *File) String() string {
- return renderTemplate(r.Kind(), r)
+func (r *File) Lengths() []int {
+ // Add padding to align with other transition rule
+ lenPath := 0
+ isTransition := util.Intersect(
+ append(requirements[FILE]["transition"], "m"), r.Access,
+ )
+ if len(isTransition) > 0 {
+ lenPath = length("", r.Path)
+ }
+ return []int{
+ r.getLenAudit(),
+ r.getLenAccess(),
+ length("owner", r.Owner),
+ lenPath,
+ }
 }

-func (r *File) Constraint() constraint {
- return blockKind
+func (r *File) setPaddings(max []int) {
+ r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings(
+ max[2:], []string{"owner", ""},
+ []any{r.Owner, r.Path})...,
+ )
 }

-func (r *File) Kind() Kind {
- return FILE
+func (r *File) addLine(other Rule) bool {
+ if other.Kind() != r.Kind() {
+ return false
+ }
+
+ letterI := getLetterIn(fileAlphabet, r.Path)
+ letterJ := getLetterIn(fileAlphabet, other.(*File).Path)
+ groupI, ok1 := fileAlphabetGroups[letterI]
+ groupJ, ok2 := fileAlphabetGroups[letterJ]
+ return letterI != letterJ && (!ok1 || !ok2 || groupI != groupJ)
 }

 type Link struct {
- RuleBase
+ Base
 Qualifier
 Owner bool
 Subset bool
@@ -190,7 +249,7 @@ func newLink(q Qualifier, rule rule) (Rule, error) {
 }
 }
 return &Link{
- RuleBase: newBase(rule),
+ Base: newBase(rule),
 Qualifier: q,
 Owner: owner,
 Subset: subset,
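Review bot: The new `File.addLine` has no comment, and what its boolean means is not obvious from the body, which compares the `fileAlphabet` letter of the two paths and their `fileAlphabetGroups` membership. If, as the name suggests, a true result means a blank line separates the two rules when rendering, a doc comment such as `// addLine reports whether r and other belong to different fileAlphabet letters that are not grouped together, so the renderer separates them — confirm the rendering side` would save the next reader a trip through the alphabet tables. `Lengths()` likewise deserves a line explaining why the path is only measured when the access set intersects the transition modes plus `m` — the existing `// Add padding to align with other transition rule` says what, not why. `File.Compare` starts before this hunk.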
@@ -201,15 +260,33 @@ func newLink(q Qualifier, rule rule) (Rule, error) { func newLinkFromLog(log map[string]string) Rule { return &Link{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), - Owner: isOwner(log), + Owner: IsOwner(log), Path: log["name"], Target: log["target"], } } +func (r *Link) Kind() Kind { + return LINK +} + +func (r *Link) Constraint() Constraint { + return BlockRule +} + +func (r *Link) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Link) Validate() error { + if !isAARE(r.Path) { + return fmt.Errorf("'%s' is not a valid AARE", r.Path) + } + if !isAARE(r.Target) { + return fmt.Errorf("'%s' is not a valid AARE", r.Target) + } return nil } @@ -231,14 +308,24 @@ func (r *Link) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *Link) String() string { - return renderTemplate(r.Kind(), r) +func (r *Link) Merge(other Rule) bool { + return false // Never merge link } -func (r *Link) Constraint() constraint { - return blockKind +func (r *Link) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("owner", r.Owner), + length("subset", r.Subset), + length("", r.Path), + length("", r.Target), + } } -func (r *Link) Kind() Kind { - return LINK +func (r *Link) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{"owner", "subset", "", ""}, + []any{r.Owner, r.Subset, r.Path, r.Target})..., + ) } diff --git a/pkg/aa/io_uring.go b/pkg/aa/io_uring.go index 4402f07a9..76e9e172d 100644 --- a/pkg/aa/io_uring.go +++ b/pkg/aa/io_uring.go @@ -17,7 +17,7 @@ func init() { } type IOUring struct { - RuleBase + Base Qualifier Access []string Label string @@ -29,7 +29,7 @@ func newIOUring(q Qualifier, rule rule) (Rule, error) { return nil, err } return &IOUring{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, Access: accesses, Label: rule.GetValuesAsString("label"), 
@@ -38,13 +38,25 @@ func newIOUring(q Qualifier, rule rule) (Rule, error) { func newIOUringFromLog(log map[string]string) Rule { return &IOUring{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: Must(toAccess(IOURING, log["requested"])), Label: log["label"], } } +func (r *IOUring) Kind() Kind { + return IOURING +} + +func (r *IOUring) Constraint() Constraint { + return BlockRule +} + +func (r *IOUring) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *IOUring) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -66,25 +78,29 @@ func (r *IOUring) Compare(other Rule) int { func (r *IOUring) Merge(other Rule) bool { o, _ := other.(*IOUring) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Label == o.Label { r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.RuleBase - return b.merge(o.RuleBase) + b := &r.Base + return b.merge(o.Base) } return false } -func (r *IOUring) String() string { - return renderTemplate(r.Kind(), r) +func (r *IOUring) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("", r.Access), + length("label=", r.Label), + } } -func (r *IOUring) Constraint() constraint { - return blockKind -} - -func (r *IOUring) Kind() Kind { - return IOURING +func (r *IOUring) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{"", "label="}, + []any{r.Access, r.Label})..., + ) } diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index 272076d07..72719414d 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go 
@@ -16,11 +16,20 @@ const (
 func init() {
 requirements[MOUNT] = requirement{
+ "flags_bind": {
+ "B", "bind", "R", "rbind",
+ },
+ "flags_change": {
+ "remount", "unbindable", "shared", "private", "slave", "runbindable",
+ "rshared", "rprivate", "rslave", "make-unbindable", "make-shared",
+ "make-private", "make-slave", "make-runbindable", "make-rshared",
+ "make-rprivate", "make-rslave",
+ },
 "flags": {
- "acl", "async", "atime", "ro", "rw", "bind", "rbind", "dev",
- "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move",
- "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion",
- "nomand", "norelatime", "nosuid", "nouser", "private", "relatime",
+ "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime",
+ "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl",
+ "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand",
+ "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime",
 "remount", "rprivate", "rshared", "rslave", "runbindable", "shared",
 "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose",
@@ -73,8 +82,23 @@ func (m *MountConditions) Merge(other MountConditions) bool {
 return false
 }

+func (m MountConditions) getLenFsType() int {
+ return length("fstype=", m.FsType)
+}
+
+func (m MountConditions) getLenOptions() int {
+ return length("options=", m.Options)
+}
+
+func (m MountConditions) setPaddings(max []int) []string {
+ return setPaddings(max,
+ []string{"fstype=", "options="},
+ []any{m.FsType, m.Options},
+ )
+}
+
 type Mount struct {
- RuleBase
+ Base
 Qualifier
 MountConditions
 Source string
@@ -102,7 +126,7 @@ func newMount(q Qualifier, rule rule) (Rule, error) {
 return nil, err
 }
 return &Mount{
- RuleBase: newBase(rule),
+ Base: newBase(rule),
 Qualifier: q,
 MountConditions: conditions,
 Source: src,
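Review bot: The new `flags_bind` list accepts the short forms `B` and `R`, but the `flags` list in the same requirement does not, so whether a mount rule written with `B`/`R` validates depends on which key the caller consults; nothing in this hunk shows a consumer of `flags_bind` or `flags_change`. If the two new keys are classification subsets rather than validation lists, a comment above them saying so, e.g. `// flags_bind and flags_change are subsets of flags used to classify a rule; flags stays the authoritative list for validation`, would keep the three lists from drifting. Otherwise `"B", "R"` should be added to `flags` too. The `MountConditions` getters in the `@@ -73,8 +82,23 @@` hunk use value receivers while `Merge` just above uses a pointer receiver; a mixed receiver set compiles but is usually flagged by linters, so consider `func (m *MountConditions) getLenFsType()` for consistency.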
@@ -112,7 +136,7 @@ func newMount(q Qualifier, rule rule) (Rule, error) { func newMountFromLog(log map[string]string) Rule { return &Mount{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), MountConditions: newMountConditionsFromLog(log), Source: log["srcname"], @@ -120,6 +144,18 @@ func newMountFromLog(log map[string]string) Rule { } } +func (r *Mount) Kind() Kind { + return MOUNT +} + +func (r *Mount) Constraint() Constraint { + return BlockRule +} + +func (r *Mount) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Mount) Validate() error { if err := r.MountConditions.Validate(); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -145,31 +181,37 @@ func (r *Mount) Merge(other Rule) bool { o, _ := other.(*Mount) mc := &r.MountConditions - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Source == o.Source && r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { - b := &r.RuleBase - return b.merge(o.RuleBase) + b := &r.Base + return b.merge(o.Base) } return false } -func (r *Mount) String() string { - return renderTemplate(r.Kind(), r) +func (r *Mount) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + r.getLenFsType(), + r.getLenOptions(), + length("", r.Source), + length("", r.MountPoint), + } } -func (r *Mount) Constraint() constraint { - return blockKind -} - -func (r *Mount) Kind() Kind { - return MOUNT +func (r *Mount) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), r.MountConditions.setPaddings(max[2:4])...) + r.Paddings = append(r.Paddings, + setPaddings(max[4:], []string{"", ""}, []any{r.Source, r.MountPoint})..., + ) } type Umount struct { - RuleBase + Base Qualifier MountConditions MountPoint string 
@@ -186,7 +228,7 @@ func newUmount(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Umount{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, MountConditions: conditions, MountPoint: mount, @@ -195,13 +237,25 @@ func newUmount(q Qualifier, rule rule) (Rule, error) { func newUmountFromLog(log map[string]string) Rule { return &Umount{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), MountConditions: newMountConditionsFromLog(log), MountPoint: log["name"], } } +func (r *Umount) Kind() Kind { + return UMOUNT +} + +func (r *Umount) Constraint() Constraint { + return BlockRule +} + +func (r *Umount) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Umount) Validate() error { if err := r.MountConditions.Validate(); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -224,30 +278,35 @@ func (r *Umount) Merge(other Rule) bool { o, _ := other.(*Umount) mc := &r.MountConditions - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { - b := &r.RuleBase - return b.merge(o.RuleBase) + b := &r.Base + return b.merge(o.Base) } return false } -func (r *Umount) String() string { - return renderTemplate(r.Kind(), r) +func (r *Umount) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + r.getLenFsType(), + r.getLenOptions(), + length("", r.MountPoint), + } } -func (r *Umount) Constraint() constraint { - return blockKind -} - -func (r *Umount) Kind() Kind { - return UMOUNT +func (r *Umount) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), r.MountConditions.setPaddings(max[2:4])...) + r.Paddings = append(r.Paddings, + setPaddings(max[4:], []string{""}, []any{r.MountPoint})..., + ) } type Remount struct { - RuleBase + Base Qualifier MountConditions MountPoint string 
@@ -265,7 +324,7 @@ func newRemount(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Remount{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, MountConditions: conditions, MountPoint: mount, @@ -274,13 +333,25 @@ func newRemount(q Qualifier, rule rule) (Rule, error) { func newRemountFromLog(log map[string]string) Rule { return &Remount{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), MountConditions: newMountConditionsFromLog(log), MountPoint: log["name"], } } +func (r *Remount) Kind() Kind { + return REMOUNT +} + +func (r *Remount) Constraint() Constraint { + return BlockRule +} + +func (r *Remount) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Remount) Validate() error { if err := r.MountConditions.Validate(); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -303,24 +374,29 @@ func (r *Remount) Merge(other Rule) bool { o, _ := other.(*Remount) mc := &r.MountConditions - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { - b := &r.RuleBase - return b.merge(o.RuleBase) + b := &r.Base + return b.merge(o.Base) } return false } -func (r *Remount) String() string { - return renderTemplate(r.Kind(), r) +func (r *Remount) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + r.getLenFsType(), + r.getLenOptions(), + length("", r.MountPoint), + } } -func (r *Remount) Constraint() constraint { - return blockKind -} - -func (r *Remount) Kind() Kind { - return REMOUNT +func (r *Remount) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), r.MountConditions.setPaddings(max[2:4])...) + r.Paddings = append(r.Paddings, + setPaddings(max[4:], []string{""}, []any{r.MountPoint})..., + ) } diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go index 889dcde6c..12ae4bd59 100644 --- a/pkg/aa/mqueue.go +++ b/pkg/aa/mqueue.go 
@@ -23,7 +23,7 @@ func init() { } type Mqueue struct { - RuleBase + Base Qualifier Access []string Type string @@ -47,7 +47,7 @@ func newMqueue(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Mqueue{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, Access: accesses, Type: rule.GetValuesAsString("type"), @@ -64,7 +64,7 @@ func newMqueueFromLog(log map[string]string) Rule { mqueueType = "sysv" } return &Mqueue{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: Must(toAccess(MQUEUE, log["requested"])), Type: mqueueType, @@ -73,6 +73,18 @@ func newMqueueFromLog(log map[string]string) Rule { } } +func (r *Mqueue) Kind() Kind { + return MQUEUE +} + +func (r *Mqueue) Constraint() Constraint { + return BlockRule +} + +func (r *Mqueue) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Mqueue) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) 
@@ -100,25 +112,31 @@ func (r *Mqueue) Compare(other Rule) int { func (r *Mqueue) Merge(other Rule) bool { o, _ := other.(*Mqueue) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Label == o.Label && r.Name == o.Name { r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.RuleBase - return b.merge(o.RuleBase) + b := &r.Base + return b.merge(o.Base) } return false } -func (r *Mqueue) String() string { - return renderTemplate(r.Kind(), r) +func (r *Mqueue) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("", r.Access), + length("type=", r.Type), + length("label=", r.Label), + length("", r.Name), + } } -func (r *Mqueue) Constraint() constraint { - return blockKind -} - -func (r *Mqueue) Kind() Kind { - return MQUEUE +func (r *Mqueue) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{"", "type=", "label=", ""}, + []any{r.Access, r.Type, r.Label, r.Name})..., + ) } diff --git a/pkg/aa/network.go b/pkg/aa/network.go index 38818de13..15dd4385e 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go 
@@ -33,34 +33,54 @@ func init() { } } -type AddressExpr struct { - Source string - Destination string - Port string +type LocalAddress struct { + IP string + Port string } -func newAddressExprFromLog(log map[string]string) AddressExpr { - return AddressExpr{ - Source: log["laddr"], - Destination: log["faddr"], - Port: log["lport"], +func newLocalAddressFromLog(log map[string]string) LocalAddress { + return LocalAddress{ + IP: log["laddr"], + Port: log["lport"], } } -func (r AddressExpr) Compare(other AddressExpr) int { - if res := compare(r.Source, other.Source); res != 0 { - return res - } - if res := compare(r.Destination, other.Destination); res != 0 { +func (r LocalAddress) Compare(other LocalAddress) int { + if res := compare(r.IP, other.IP); res != 0 { return res } return compare(r.Port, other.Port) } +type PeerAddress struct { + IP string + Port string + Src string +} + +func newPeerAddressFromLog(log map[string]string) PeerAddress { + return PeerAddress{ + IP: log["faddr"], + Port: log["fport"], + Src: log["saddr"], + } +} + +func (r PeerAddress) Compare(other PeerAddress) int { + if res := compare(r.IP, other.IP); res != 0 { + return res + } + if res := compare(r.Port, other.Port); res != 0 { + return res + } + return compare(r.Src, other.Src) +} + type Network struct { - RuleBase + Base Qualifier - AddressExpr + LocalAddress + PeerAddress Domain string Type string Protocol string @@ -80,7 +100,7 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { } } return &Network{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, Domain: domain, Type: nType, 
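Review bot: `LocalAddress` and `PeerAddress` are new exported types without doc comments, and the field-to-log mapping (`IP`←`laddr`/`faddr`, `Port`←`lport`/`fport`, `Src`←`saddr`) can only be recovered by reading the two `*FromLog` constructors. Comments such as `// LocalAddress is the local endpoint of a network rule, filled from the laddr/lport log fields.` and `// PeerAddress is the remote endpoint (faddr/fport); Src carries the saddr log field.` would document that contract at the type. The meaning of `Src` relative to `LocalAddress.IP` is not obvious from the names alone (the test data in data_test.go has them equal), so a sentence on when they differ would be worth adding if known.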
@@ -90,15 +110,28 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { func newNetworkFromLog(log map[string]string) Rule { return &Network{ - RuleBase: newBaseFromLog(log), - Qualifier: newQualifierFromLog(log), - AddressExpr: newAddressExprFromLog(log), - Domain: log["family"], - Type: log["sock_type"], - Protocol: log["protocol"], + Base: newBaseFromLog(log), + Qualifier: newQualifierFromLog(log), + LocalAddress: newLocalAddressFromLog(log), + PeerAddress: newPeerAddressFromLog(log), + Domain: log["family"], + Type: log["sock_type"], + Protocol: log["protocol"], } } +func (r *Network) Kind() Kind { + return NETWORK +} + +func (r *Network) Constraint() Constraint { + return BlockRule +} + +func (r *Network) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Network) Validate() error { if err := validateValues(r.Kind(), "domains", []string{r.Domain}); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -123,20 +156,32 @@ func (r *Network) Compare(other Rule) int { if res := compare(r.Protocol, o.Protocol); res != 0 { return res } - if res := r.AddressExpr.Compare(o.AddressExpr); res != 0 { + if res := r.LocalAddress.Compare(o.LocalAddress); res != 0 { + return res + } + if res := r.PeerAddress.Compare(o.PeerAddress); res != 0 { return res } return r.Qualifier.Compare(o.Qualifier) } -func (r *Network) String() string { - return renderTemplate(r.Kind(), r) +func (r *Network) Merge(other Rule) bool { + return false // Never merge network } -func (r *Network) Constraint() constraint { - return blockKind +func (r *Network) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("", r.Domain), + length("", r.Type), + length("", r.Protocol), + } } -func (r *Network) Kind() Kind { - return NETWORK +func (r *Network) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{"", "", ""}, + []any{r.Domain, r.Type, r.Protocol})..., + ) } 
diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go
index 24117700a..3b737abfd 100644
--- a/pkg/aa/parse.go
+++ b/pkg/aa/parse.go
@@ -15,6 +15,8 @@ const (
 tokALLOW = "allow"
 tokAUDIT = "audit"
 tokDENY = "deny"
+ tokPROMPT = "prompt"
+ tokPRIORITY = "priority"
 tokARROW = "->"
 tokEQUAL = "="
 tokLESS = "<"
@@ -187,11 +189,11 @@ func parseParagraph(input string) (Rules, error) {
 }
 res = append(res, rrr...)
- for _, r := range res {
- if r.Constraint() == preambleKind {
- return nil, fmt.Errorf("Rule not allowed in block: %s", r)
- }
- }
+ // for _, r := range res {
+ // if r.Constraint() == PreambleRule {
+ // return nil, fmt.Errorf("Rule not allowed in block: %s", r)
+ // }
+ // }
 return res, nil
 }
@@ -286,10 +288,7 @@ func parseRule(str string) rule {
 res := make(rule, 0, len(str)/2)
 tokens := tokenizeRule(str)
- inAare := false
- if len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) {
- inAare = true
- }
+ inAare := len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER)
 for idx, token := range tokens {
 switch {
 case token == tokEQUAL, token == tokPLUS+tokEQUAL, token == tokLESS+tokEQUAL: // Variable & Rlimit
@@ -495,9 +494,15 @@ func (r rule) String() string {
 }

 func isAARE(str string) bool {
- return strings.HasPrefix(str, "@") ||
- strings.HasPrefix(str, "/") ||
- strings.HasPrefix(str, "\"")
+ if len(str) < 1 {
+ return false
+ }
+ switch str[0] {
+ case '@', '/', '"':
+ return true
+ default:
+ return false
+ }
 }

 // Convert a slice of internal rules to a slice of ApparmorRule.
@@ -508,7 +513,7 @@ func newRules(rules []rule) (Rules, error) {
 for _, rule := range rules {
 if len(rule) == 0 {
- return nil, fmt.Errorf("Empty rule")
+ return nil, fmt.Errorf("empty rule")
 }
 owner := false
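Review bot: In the `@@ -187,11 +189,11 @@` hunk the check that rejected preamble-only rules inside a block (`Rule not allowed in block`) is commented out rather than removed, so from this commit on such rules parse silently and the only signal a profile author had that a preamble construct was misplaced is gone. If disabling it is deliberate, replace the five commented lines with one comment stating why and where the case is now caught; if it is a temporary workaround, mark it `// TODO: re-enable the PreambleRule check once <reason it was disabled> is resolved` so it does not linger as dead code. The `isAARE` rewrite in the `@@ -495,9 +494,15 @@` hunk is equivalent to the old `HasPrefix` chain; note that `strings` may become unused in this file if that was its last use, which the compiler will report.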
@@ -521,7 +526,11 @@ func newRules(rules []rule) (Rules, error) {
 rule = rule[1:]
 goto qualifier
 // Qualifier
- case tokALLOW, tokDENY:
+ case tokPRIORITY:
+ q.Priority = rule.GetValues(tokPRIORITY).GetString()
+ rule = rule[1:]
+ goto qualifier
+ case tokALLOW, tokDENY, tokPROMPT:
 q.AccessType = rule.Get(0)
 rule = rule[1:]
 goto qualifier
@@ -557,7 +566,7 @@ func newRules(rules []rule) (Rules, error) {
 // return nil, fmt.Errorf("Unknown rule: %s", rule)
 }
 } else {
- return nil, fmt.Errorf("Unrecognized rule: %s", rule)
+ return nil, fmt.Errorf("unrecognized rule: %s", rule)
 }
 }
 }
@@ -588,7 +597,7 @@ func (f *AppArmorProfileFile) parsePreamble(preamble string) error {
 f.Preamble = append(f.Preamble, commaRules...)

 for _, r := range f.Preamble {
- if r.Constraint() == blockKind {
+ if r.Constraint() == BlockRule {
 f.Preamble = nil
 return fmt.Errorf("Rule not allowed in preamble: %s", r)
 }
@@ -599,7 +608,7 @@ func (f *AppArmorProfileFile) parsePreamble(preamble string) error {
 // Parse an apparmor profile file.
 //
-// Warning: It is purposelly an uncomplete basic parser for apparmor profile,
+// Warning: It is purposely an uncomplete basic parser for apparmor profile,
 // it is only aimed for internal tooling purpose. For "simplicity", it is not
 // using antlr / participle. It is only used for experimental feature in the
 // apparmor.d project.
@@ -651,9 +660,9 @@ done:
 return nb, nil
 }

-// Parse apparmor profile rules by paragraphs
-func ParseRules(input string) ([]Rules, []string, error) {
- paragraphRules := []Rules{}
+// ParseRules parses apparmor profile rules by paragraphs
+func ParseRules(input string) (ParaRules, []string, error) {
+ paragraphRules := ParaRules{}
 paragraphs := []string{}
 for _, match := range regParagraph.FindAllStringSubmatch(input, -1) {
diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go
index a1016b19b..71607fd32 100644
--- a/pkg/aa/parse_test.go
+++ b/pkg/aa/parse_test.go
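Review bot: The new `tokPRIORITY` case stores whatever follows `priority=` into `q.Priority` as a raw string with no validation visible in this hunk, so a non-numeric or out-of-range value is accepted at parse time; if `Qualifier.Validate` (not in this diff) does not check it, such a rule would only fail when the profile is loaded, or not at all. Either validate it alongside the other qualifier values or add a comment on the case naming where that check lives. Separately, `Rule not allowed in preamble: %s` in the `@@ -588,7 +597,7 @@` hunk keeps its capital while the same commit lowercases `empty rule` and `unrecognized rule`; `return fmt.Errorf("rule not allowed in preamble: %s", r)` would make the file consistent. `newRules` starts before this hunk.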
@@ -8,13 +8,11 @@ import ( "reflect" "strings" "testing" - - "github.com/roddhjav/apparmor.d/pkg/util" ) func Test_tokenizeRule(t *testing.T) { inHeader = true - for _, tt := range testRules { + for _, tt := range testParseRules { t.Run(tt.name, func(t *testing.T) { if got := tokenizeRule(tt.raw); !reflect.DeepEqual(got, tt.tokens) { t.Errorf("tokenize() = %v, want %v", got, tt.tokens) @@ -25,7 +23,7 @@ func Test_tokenizeRule(t *testing.T) { func Test_parseRule(t *testing.T) { inHeader = true - for _, tt := range testRules { + for _, tt := range testParseRules { t.Run(tt.name, func(t *testing.T) { if got := parseRule(tt.raw); !reflect.DeepEqual(got, tt.rule) { t.Errorf("parseRule() = %v, want %v", got, tt.rule) @@ -35,7 +33,7 @@ func Test_parseRule(t *testing.T) { } func Test_rule_Getter(t *testing.T) { - for _, tt := range testRules { + for _, tt := range testParseRules { t.Run(tt.name, func(t *testing.T) { if tt.wGetAsMap == nil { tt.wGetAsMap = map[string][]string{} @@ -113,7 +111,7 @@ func Test_parseCommaRules(t *testing.T) { } func Test_newRules(t *testing.T) { - for _, tt := range testRules { + for _, tt := range testParseRules { if tt.wRule == nil { continue } @@ -159,7 +157,7 @@ func Test_AppArmorProfileFile_Parse(t *testing.T) { var ( // Test cases for tokenizeRule, parseRule,rule getters, and newRules - testRules = []struct { + testParseRules = []struct { name string raw string tokens []string @@ -497,7 +495,7 @@ var ( wString: "signal receive set=(cont term winch) peer=at-spi-bus-launcher", wRule: &Signal{ Access: []string{"receive"}, - Set: []string{"term", "cont", "winch"}, + Set: []string{"cont", "term", "winch"}, Peer: "at-spi-bus-launcher", }, }, 
@@ -755,14 +753,14 @@ var ( @{lib_dirs} = @{lib}/@{name} /opt/@{name} # comment in variable`, want: "\n\n\n", rules: Rules{ - &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " IsLineRule comment"}}, + &Comment{Base: Base{IsLineRule: true, Comment: " IsLineRule comment"}}, &Include{ - RuleBase: RuleBase{Comment: " comment included"}, - IsMagic: true, Path: "tunables/global", + Base: Base{Comment: " comment included"}, + IsMagic: true, Path: "tunables/global", }, &Variable{ - RuleBase: RuleBase{Comment: " comment in variable"}, - Name: "lib_dirs", Define: true, + Base: Base{Comment: " comment in variable"}, + Name: "lib_dirs", Define: true, Values: []string{"@{lib}/@{name}", "/opt/@{name}"}, }, }, @@ -843,7 +841,7 @@ var ( raw string apparmor *AppArmorProfileFile wParseErr bool - wRules []Rules + wRules ParaRules wParseRulesErr bool }{ { @@ -851,7 +849,7 @@ var ( raw: "", apparmor: &AppArmorProfileFile{}, wParseErr: false, - wRules: []Rules{}, + wRules: ParaRules{}, wParseRulesErr: false, }, { @@ -862,20 +860,20 @@ var ( @{lib_dirs} = @{lib}/@{name} /opt/@{name} # comment in variable`, apparmor: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " IsLineRule comment"}}, + &Comment{Base: Base{IsLineRule: true, Comment: " IsLineRule comment"}}, &Include{ - RuleBase: RuleBase{Comment: " comment included"}, - Path: "tunables/global", IsMagic: true, + Base: Base{Comment: " comment included"}, + Path: "tunables/global", IsMagic: true, }, &Variable{ - RuleBase: RuleBase{Comment: " comment in variable"}, - Name: "lib_dirs", Define: true, + Base: Base{Comment: " comment in variable"}, + Name: "lib_dirs", Define: true, Values: []string{"@{lib}/@{name}", "/opt/@{name}"}, }, }, }, wParseErr: false, - wRules: []Rules{}, + wRules: ParaRules{}, wParseRulesErr: false, }, { 
@@ -893,9 +891,9 @@ var ( `, apparmor: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " Simple test"}}, + &Comment{Base: Base{IsLineRule: true, Comment: " Simple test"}}, &Include{IsMagic: true, Path: "tunables/global"}, - &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " { commented block }"}}, + &Comment{Base: Base{IsLineRule: true, Comment: " { commented block }"}}, &Variable{Name: "name", Values: []string{"{D,d}ummy"}, Define: true}, &Variable{Name: "exec_path", Values: []string{"@{bin}/@{name}"}, Define: true}, &Variable{Name: "exec_path", Values: []string{"@{lib}/@{name}"}}, @@ -914,15 +912,15 @@ var ( }, }, wParseErr: false, - wRules: []Rules{}, + wRules: ParaRules{}, wParseRulesErr: false, }, { name: "string.aa", - raw: util.MustReadFile(testData.Join("string.aa")), + raw: testData.Join("string.aa").MustReadFileAsString(), apparmor: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{RuleBase: RuleBase{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, + &Comment{Base: Base{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, &Include{IsMagic: true, Path: "tunables/global"}, &Variable{ Name: "exec_path", Define: true, @@ -943,7 +941,7 @@ var ( }, }, wParseErr: false, - wRules: []Rules{ + wRules: ParaRules{ { &Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, @@ -961,7 +959,7 @@ var ( }, { &Mount{ - RuleBase: RuleBase{IsLineRule: false, Comment: " failed perms check"}, + Base: Base{IsLineRule: false, Comment: " failed perms check"}, MountConditions: MountConditions{ FsType: "fuse.portal", Options: []string{"rw", "rbind"}, 
@@ -1017,18 +1015,18 @@ var ( }, { name: "full.aa", - raw: util.MustReadFile(testData.Join("full.aa")), + raw: testData.Join("full.aa").MustReadFileAsString(), apparmor: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " Simple test profile with all rules used"}}, + &Comment{Base: Base{IsLineRule: true, Comment: " Simple test profile with all rules used"}}, &Include{ - RuleBase: RuleBase{Comment: " a comment", Optional: true}, - IsMagic: true, Path: "tunables/global", + Base: Base{Comment: " a comment", Optional: true}, + IsMagic: true, Path: "tunables/global", }, &Include{IfExists: true, Path: "/etc/apparmor.d/global/dummy space"}, &Variable{Name: "name", Values: []string{"torbrowser", "\"tor browser\""}, Define: true}, &Variable{ - RuleBase: RuleBase{Comment: " another comment"}, Define: true, + Base: Base{Comment: " another comment"}, Define: true, Name: "lib_dirs", Values: []string{"@{lib}/@{name}", "/opt/@{name}"}, }, &Variable{Name: "config_dirs", Values: []string{"@{HOME}/.mozilla/"}, Define: true}, @@ -1050,7 +1048,7 @@ var ( }, }, wParseErr: false, - wRules: []Rules{ + wRules: ParaRules{ { &Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, @@ -1123,7 +1121,7 @@ var ( { &Signal{ Access: []string{"receive"}, - Set: []string{"term", "cont", "winch"}, + Set: []string{"cont", "term", "winch"}, Peer: "at-spi-bus-launcher", }, }, @@ -1152,7 +1150,7 @@ var ( }, }, { - &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " A comment! before a paragraph of rules"}}, + &Comment{Base: Base{IsLineRule: true, Comment: " A comment! before a paragraph of rules"}}, &File{ Path: "\"/opt/Mullvad VPN/resources/*.so*\"", Access: []string{"m", "r"}, diff --git a/pkg/aa/pivot_root.go b/pkg/aa/pivot_root.go index cfa6833ad..8632b4490 100644 --- a/pkg/aa/pivot_root.go +++ b/pkg/aa/pivot_root.go 
@@ -9,7 +9,7 @@ import "fmt" const PIVOTROOT Kind = "pivot_root" type PivotRoot struct { - RuleBase + Base Qualifier OldRoot string NewRoot string @@ -32,7 +32,7 @@ func newPivotRoot(q Qualifier, rule rule) (Rule, error) { } } return &PivotRoot{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, OldRoot: rule.GetValuesAsString("oldroot"), NewRoot: newroot, @@ -42,7 +42,7 @@ func newPivotRoot(q Qualifier, rule rule) (Rule, error) { func newPivotRootFromLog(log map[string]string) Rule { return &PivotRoot{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), OldRoot: log["srcname"], NewRoot: log["name"], @@ -50,6 +50,18 @@ func newPivotRootFromLog(log map[string]string) Rule { } } +func (r *PivotRoot) Kind() Kind { + return PIVOTROOT +} + +func (r *PivotRoot) Constraint() Constraint { + return BlockRule +} + +func (r *PivotRoot) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *PivotRoot) Validate() error { return nil } @@ -68,14 +80,23 @@ func (r *PivotRoot) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *PivotRoot) String() string { - return renderTemplate(r.Kind(), r) +func (r *PivotRoot) Merge(other Rule) bool { + return false // Never merge pivot root } -func (r *PivotRoot) Constraint() constraint { - return blockKind +func (r *PivotRoot) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("oldroot=", r.OldRoot), + length("", r.NewRoot), + length("", r.TargetProfile), + } } -func (r *PivotRoot) Kind() Kind { - return PIVOTROOT +func (r *PivotRoot) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{"oldroot=", "", ""}, + []any{r.OldRoot, r.NewRoot, r.TargetProfile})..., + ) } diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 4ad65fe97..50e7dbef7 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go 
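Review bot: `setPaddings` slices `max[:2]` and `max[2:]` without stating that `max` has exactly one entry per value returned by `Lengths()`, so the two methods can silently drift apart if either list is edited alone; a comment on `Lengths` such as `// Lengths returns one entry per rendered element, in the order setPaddings consumes them: audit, access, oldroot, newroot, target profile` would tie them together. `TargetProfile` is not a field declared on PivotRoot in this hunk, so presumably it is promoted from the embedded Qualifier — worth confirming. The new exported methods Kind, Constraint, String, Merge and Lengths carry no doc comments, which also applies to the same methods added in preamble.go, ptrace.go and rlimit.go in this diff.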
@@ -20,13 +20,25 @@ const ( ) type Comment struct { - RuleBase + Base } func newComment(rule rule) (Rule, error) { base := newBase(rule) base.IsLineRule = true - return &Comment{RuleBase: base}, nil + return &Comment{Base: base}, nil +} + +func (r *Comment) Kind() Kind { + return COMMENT +} + +func (r *Comment) Constraint() Constraint { + return AnyRule +} + +func (r *Comment) String() string { + return renderTemplate(r.Kind(), r) } func (r *Comment) Validate() error { @@ -37,20 +49,18 @@ func (r *Comment) Compare(other Rule) int { return 0 // Comments are always equal to each other as they are not compared } -func (r *Comment) String() string { - return renderTemplate(r.Kind(), r) +func (r *Comment) Merge(other Rule) bool { + return false // Never merge comments } -func (r *Comment) Constraint() constraint { - return anyKind +func (r *Comment) Lengths() []int { + return []int{} // No len for comments } -func (r *Comment) Kind() Kind { - return COMMENT -} +func (r *Comment) setPaddings(max []int) {} // No paddings for comments type Abi struct { - RuleBase + Base Path string IsMagic bool } @@ -62,21 +72,33 @@ func newAbi(q Qualifier, rule rule) (Rule, error) { } path := rule.Get(0) - switch { - case path[0] == '"': + switch path[0] { + case '"': magic = false - case path[0] == '<': + case '<': magic = true default: return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) } return &Abi{ - RuleBase: newBase(rule), - Path: strings.Trim(path, "\"<>"), - IsMagic: magic, + Base: newBase(rule), + Path: strings.Trim(path, "\"<>"), + IsMagic: magic, }, nil } +func (r *Abi) Kind() Kind { + return ABI +} + +func (r *Abi) Constraint() Constraint { + return PreambleRule +} + +func (r *Abi) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Abi) Validate() error { return nil } 
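Review bot: `switch path[0]` in newAbi indexes the token before checking that it is non-empty, so an empty first token would panic rather than return an error; unless the length check that precedes this hunk already guarantees a non-empty string, a guard `if path == "" { return nil, fmt.Errorf("missing path in rule: %s", rule) }` before the switch turns a malformed profile into a reported error. The same pattern appears in newInclude further down (`path := r[0]` followed by `switch path[0]`). newAbi starts before this hunk, so the preceding validation is not visible here.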
@@ -89,20 +111,18 @@ func (r *Abi) Compare(other Rule) int { return compare(r.IsMagic, o.IsMagic) } -func (r *Abi) String() string { - return renderTemplate(r.Kind(), r) +func (r *Abi) Merge(other Rule) bool { + return false // Never merge abi } -func (r *Abi) Constraint() constraint { - return preambleKind +func (r *Abi) Lengths() []int { + return []int{} // No len for abi } -func (r *Abi) Kind() Kind { - return ABI -} +func (r *Abi) setPaddings(max []int) {} // No paddings for abi type Alias struct { - RuleBase + Base Path string RewrittenPath string } @@ -115,12 +135,24 @@ func newAlias(q Qualifier, rule rule) (Rule, error) { return nil, fmt.Errorf("invalid alias format, missing %s in: %s", tokARROW, rule) } return &Alias{ - RuleBase: newBase(rule), + Base: newBase(rule), Path: rule.Get(0), RewrittenPath: rule.Get(2), }, nil } +func (r *Alias) Kind() Kind { + return ALIAS +} + +func (r *Alias) Constraint() Constraint { + return PreambleRule +} + +func (r *Alias) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Alias) Validate() error { return nil } @@ -133,20 +165,18 @@ func (r *Alias) Compare(other Rule) int { return compare(r.RewrittenPath, o.RewrittenPath) } -func (r *Alias) String() string { - return renderTemplate(r.Kind(), r) +func (r *Alias) Merge(other Rule) bool { + return false // Never merge alias } -func (r *Alias) Constraint() constraint { - return preambleKind +func (r *Alias) Lengths() []int { + return []int{} // No len for alias } -func (r *Alias) Kind() Kind { - return ALIAS -} +func (r *Alias) setPaddings(max []int) {} // No paddings for alias type Include struct { - RuleBase + Base IfExists bool Path string IsMagic bool 
@@ -168,22 +198,34 @@ func newInclude(rule rule) (Rule, error) { } path := r[0] - switch { - case path[0] == '"': + switch path[0] { + case '"': magic = false - case path[0] == '<': + case '<': magic = true default: return nil, fmt.Errorf("invalid path format: %v", path) } return &Include{ - RuleBase: newBase(rule), + Base: newBase(rule), IfExists: ifexists, Path: strings.Trim(path, "\"<>"), IsMagic: magic, }, nil } +func (r *Include) Kind() Kind { + return INCLUDE +} + +func (r *Include) Constraint() Constraint { + return AnyRule +} + +func (r *Include) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Include) Validate() error { return nil } @@ -206,20 +248,18 @@ func (r *Include) Compare(other Rule) int { return compare(r.IfExists, o.IfExists) } -func (r *Include) String() string { - return renderTemplate(r.Kind(), r) +func (r *Include) Merge(other Rule) bool { + return false // Never merge include } -func (r *Include) Constraint() constraint { - return anyKind +func (r *Include) Lengths() []int { + return []int{} // No len for include } -func (r *Include) Kind() Kind { - return INCLUDE -} +func (r *Include) setPaddings(max []int) {} // No paddings for include type Variable struct { - RuleBase + Base Name string Values []string Define bool 
@@ -245,28 +285,29 @@ func newVariable(rule rule) (Rule, error) { return nil, fmt.Errorf("invalid operator in variable: %v", rule) } return &Variable{ - RuleBase: newBase(rule), - Name: name, - Values: values, - Define: define, + Base: newBase(rule), + Name: name, + Values: values, + Define: define, }, nil } +func (r *Variable) Kind() Kind { + return VARIABLE +} + +func (r *Variable) Constraint() Constraint { + return PreambleRule +} + +func (r *Variable) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Variable) Validate() error { return nil } -func (r *Variable) Merge(other Rule) bool { - o, _ := other.(*Variable) - - if r.Name == o.Name && r.Define == o.Define { - r.Values = merge(r.Kind(), "access", r.Values, o.Values) - b := &r.RuleBase - return b.merge(o.RuleBase) - } - return false -} - func (r *Variable) Compare(other Rule) int { o, _ := other.(*Variable) if res := compare(r.Name, o.Name); res != 0 { @@ -278,14 +319,19 @@ func (r *Variable) Compare(other Rule) int { return compare(r.Values, o.Values) } -func (r *Variable) String() string { - return renderTemplate(r.Kind(), r) +func (r *Variable) Merge(other Rule) bool { + o, _ := other.(*Variable) + + if r.Name == o.Name && r.Define == o.Define { + r.Values = merge(r.Kind(), "access", r.Values, o.Values) + b := &r.Base + return b.merge(o.Base) + } + return false } -func (r *Variable) Constraint() constraint { - return preambleKind +func (r *Variable) Lengths() []int { + return []int{} // No len for variable } -func (r *Variable) Kind() Kind { - return VARIABLE -} +func (r *Variable) setPaddings(max []int) {} // No paddings for variable diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index a5ed8a6a5..5d097cad9 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go 
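Review bot: `o, _ := other.(*Variable)` in Variable.Merge discards the assertion result, so a rule of another kind passed to Merge dereferences a nil pointer at `o.Name`; if callers only ever pass same-kind rules, a short comment stating that contract would do, otherwise `o, ok := other.(*Variable); if !ok { return false }` makes it safe. The same discarded assertion is on the new side in Ptrace.Merge and Profile.Compare in this diff. Also `merge(r.Kind(), "access", r.Values, o.Values)` keys variable values under "access", which reads like a copy from the access-list rules; if the key only selects an ordering table it is harmless, but a comment would save the next reader the same question.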
@@ -20,17 +20,17 @@ const ( func init() { requirements[PROFILE] = requirement{ tokFLAGS: { - "enforce", "complain", "kill", "default_allow", "unconfined", - "prompt", "audit", "mediate_deleted", "attach_disconnected", - "attach_disconneced.path=", "chroot_relative", "debug", - "interruptible", "kill", "kill.signal=", + "attach_disconneced.path=", "attach_disconnected", "audit", + "chroot_relative", "complain", "debug", "default_allow", "enforce", + "interruptible", "kill.signal=", "kill", "kill", "mediate_deleted", + "prompt", "unconfined", }, } } // Profile represents a single AppArmor profile. type Profile struct { - RuleBase + Base Header Rules Rules } @@ -69,31 +69,31 @@ func newHeader(rule rule) (Header, error) { }, nil } -func (r *Profile) Validate() error { - if err := validateValues(r.Kind(), tokFLAGS, r.Flags); err != nil { - return fmt.Errorf("profile %s: %w", r.Name, err) - } - return r.Rules.Validate() +func (p *Profile) Kind() Kind { + return PROFILE } -func (r *Profile) Compare(other Rule) int { - o, _ := other.(*Profile) - if res := compare(r.Name, o.Name); res != 0 { - return res - } - return compare(r.Attachments, o.Attachments) +func (p *Profile) Constraint() Constraint { + return BlockRule } func (p *Profile) String() string { return renderTemplate(p.Kind(), p) } -func (p *Profile) Constraint() constraint { - return blockKind +func (p *Profile) Validate() error { + if err := validateValues(p.Kind(), tokFLAGS, p.Flags); err != nil { + return fmt.Errorf("profile %s: %w", p.Name, err) + } + return p.Rules.Validate() } -func (p *Profile) Kind() Kind { - return PROFILE +func (p *Profile) Compare(other Rule) int { + o, _ := other.(*Profile) + if res := compare(p.Name, o.Name); res != 0 { + return res + } + return compare(p.Attachments, o.Attachments) } func (p *Profile) Merge(other Rule) bool { 
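Review bot: the re-sorted tokFLAGS list still contains the misspelt `"attach_disconneced.path="` and lists `"kill"` twice; since this table feeds validateValues, a profile using the correctly spelt `attach_disconnected.path=` flag would presumably fail validation while only the misspelling passes, which matters because it is a mediation flag that profile authors should not be pushed to drop. The two entries should read `"attach_disconnected.path=",` and a single `"kill",`. How validateValues matches `=`-suffixed entries is not visible here, so the exact failure mode is inferred.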
@@ -103,6 +103,12 @@ func (p *Profile) Merge(other Rule) bool { return false } +func (p *Profile) Lengths() []int { + return []int{} // No len for profile +} + +func (p *Profile) setPaddings(max []int) {} // No paddings for profile + func (p *Profile) Sort() { p.Rules = p.Rules.Sort() } @@ -133,16 +139,24 @@ func (p *Profile) GetAttachments() string { var ( newLogMap = map[string]func(log map[string]string) Rule{ - "rlimits": newRlimitFromLog, - "cap": newCapabilityFromLog, - "io_uring": newIOUringFromLog, - "signal": newSignalFromLog, - "ptrace": newPtraceFromLog, - "namespace": newUsernsFromLog, - "unix": newUnixFromLog, - "dbus": newDbusFromLog, + // class + "rlimits": newRlimitFromLog, + "namespace": newUsernsFromLog, + "cap": newCapabilityFromLog, + "net": func(log map[string]string) Rule { + if log["family"] == "unix" { + return newUnixFromLog(log) + } else { + return newNetworkFromLog(log) + } + }, "posix_mqueue": newMqueueFromLog, "sysv_mqueue": newMqueueFromLog, + "signal": newSignalFromLog, + "ptrace": newPtraceFromLog, + "unix": newUnixFromLog, + "io_uring": newIOUringFromLog, + "dbus": newDbusFromLog, "mount": func(log map[string]string) Rule { if strings.Contains(log["flags"], "remount") { return newRemountFromLog(log) @@ -150,7 +164,6 @@ var ( newRule := newLogMountMap[log["operation"]] return newRule(log) }, - "net": newNetworkFromLog, "file": func(log map[string]string) Rule { if log["operation"] == "change_onexec" { return newChangeProfileFromLog(log) 
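Review bot: in the new `"net"` handler the `else` after `return newUnixFromLog(log)` is redundant; `if log["family"] == "unix" { return newUnixFromLog(log) }` followed by `return newNetworkFromLog(log)` is the idiomatic form and matches the `"mount"` and `"file"` handlers in the same map. The `// class` and `// operation` section comments help, but `"unix": newUnixFromLog` is kept under class while `"net"` now also routes family=unix records, so a comment saying which log shape reaches which key would prevent one of them being removed as dead. The `"mount"` handler's `newRule := newLogMountMap[log["operation"]]` is context rather than new code, but it still calls a nil func for an unknown mount operation.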
@@ -158,14 +171,20 @@ var ( return newFileFromLog(log) } }, - "exec": newFileFromLog, - "getattr": newFileFromLog, - "mkdir": newFileFromLog, - "mknod": newFileFromLog, - "open": newFileFromLog, - "rename_src": newFileFromLog, - "truncate": newFileFromLog, - "unlink": newFileFromLog, + // operation + "capable": newCapabilityFromLog, + "chmod": newFileFromLog, + "exec": newFileFromLog, + "getattr": newFileFromLog, + "link": newFileFromLog, + "mkdir": newFileFromLog, + "mknod": newFileFromLog, + "open": newFileFromLog, + "rename_dest": newFileFromLog, + "rename_src": newFileFromLog, + "rmdir": newFileFromLog, + "truncate": newFileFromLog, + "unlink": newFileFromLog, } newLogMountMap = map[string]func(log map[string]string) Rule{ "mount": newMountFromLog, @@ -207,7 +226,7 @@ func (p *Profile) AddRule(log map[string]string) { case strings.Contains(log["operation"], "dbus"): p.Rules = append(p.Rules, newDbusFromLog(log)) default: - fmt.Printf("unknown log type: %s", log["operation"]) + fmt.Printf("unknown log type: %s:%v\n", log["operation"], log) } } } diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go index 2c7f9f225..7e0990fe8 100644 --- a/pkg/aa/ptrace.go +++ b/pkg/aa/ptrace.go @@ -19,7 +19,7 @@ func init() { } type Ptrace struct { - RuleBase + Base Qualifier Access []string Peer string @@ -31,7 +31,7 @@ func newPtrace(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Ptrace{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, Access: accesses, Peer: rule.GetValuesAsString("peer"), 
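Review bot: `fmt.Printf("unknown log type: %s:%v\n", log["operation"], log)` writes the whole audit record to stdout, and if stdout carries the generated profile text, as it appears to for this tool, the diagnostic is mixed into the output; `fmt.Fprintf(os.Stderr, "unknown log type: %s:%v\n", log["operation"], log)` keeps it out of the data stream, provided os is available in this file. Dumping the full map is useful while extending the table, so a comment marking it as a debugging aid would set expectations for anyone scripting against the output. AddRule starts before this hunk.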
@@ -40,13 +40,25 @@ func newPtrace(q Qualifier, rule rule) (Rule, error) { func newPtraceFromLog(log map[string]string) Rule { return &Ptrace{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: Must(toAccess(PTRACE, log["requested_mask"])), Peer: log["peer"], } } +func (r *Ptrace) Kind() Kind { + return PTRACE +} + +func (r *Ptrace) Constraint() Constraint { + return BlockRule +} + +func (r *Ptrace) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Ptrace) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -54,20 +66,6 @@ func (r *Ptrace) Validate() error { return nil } -func (r *Ptrace) Merge(other Rule) bool { - o, _ := other.(*Ptrace) - - if !r.Qualifier.Equal(o.Qualifier) { - return false - } - if r.Peer == o.Peer { - r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.RuleBase - return b.merge(o.RuleBase) - } - return false -} - func (r *Ptrace) Compare(other Rule) int { o, _ := other.(*Ptrace) if res := compare(r.Access, o.Access); res != 0 { 
@@ -79,14 +77,32 @@ func (r *Ptrace) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *Ptrace) String() string { - return renderTemplate(r.Kind(), r) +func (r *Ptrace) Merge(other Rule) bool { + o, _ := other.(*Ptrace) + + if !r.Equal(o.Qualifier) { + return false + } + if r.Peer == o.Peer { + r.Access = merge(r.Kind(), "access", r.Access, o.Access) + b := &r.Base + return b.merge(o.Base) + } + return false } -func (r *Ptrace) Constraint() constraint { - return blockKind +func (r *Ptrace) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("", r.Access), + length("peer=", r.Peer), + } } -func (r *Ptrace) Kind() Kind { - return PTRACE +func (r *Ptrace) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{"", "peer="}, + []any{r.Access, r.Peer})..., + ) } diff --git a/pkg/aa/resolve.go b/pkg/aa/resolve.go index 26a03691e..8dc09b2c6 100644 --- a/pkg/aa/resolve.go +++ b/pkg/aa/resolve.go @@ -10,7 +10,6 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) var ( @@ -81,7 +80,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { values := []string{} match := regVariableReference.FindStringSubmatch(input) if len(match) == 0 { - return nil, fmt.Errorf("Invalid variable reference: %s", input) + return nil, fmt.Errorf("invalid variable reference: %s", input) } variable := match[0] @@ -106,7 +105,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { } if !found { - return nil, fmt.Errorf("Variable %s not defined", varname) + return nil, fmt.Errorf("variable %s not defined", varname) } return values, nil } 
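Review bot: `!r.Equal(o.Qualifier)` in Ptrace.Merge now relies on method promotion from the embedded Qualifier, whereas the removed line spelt `r.Qualifier.Equal(o.Qualifier)`; with Base embedded alongside Qualifier, the explicit form says which Equal is meant and survives a future Equal on Base without an ambiguous-selector error. The new `Lengths` and `setPaddings` share the ordering assumption used in pivot_root.go (two qualifier entries first, then the rule's own fields), and a one-line comment on `Lengths` documenting that order would keep the `max[:2]` / `max[2:]` split readable.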
@@ -114,7 +113,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { // resolveInclude resolves all includes defined in the profile preamble func (f *AppArmorProfileFile) resolveInclude(include *Include) error { if include == nil || include.Path == "" { - return fmt.Errorf("Invalid include: %v", include) + return fmt.Errorf("invalid include: %v", include) } _, isCached := includeCache[include] @@ -149,7 +148,7 @@ func (f *AppArmorProfileFile) resolveInclude(include *Include) error { iFile := &AppArmorProfileFile{} for _, file := range files { - raw, err := util.ReadFile(file) + raw, err := file.ReadFileAsString() if err != nil { return err } diff --git a/pkg/aa/resolve_test.go b/pkg/aa/resolve_test.go index 52168cc7a..1e4a54fe5 100644 --- a/pkg/aa/resolve_test.go +++ b/pkg/aa/resolve_test.go @@ -31,7 +31,7 @@ func TestAppArmorProfileFile_resolveInclude(t *testing.T) { Preamble: Rules{ &Alias{Path: "/usr/", RewrittenPath: "/User/"}, &Alias{Path: "/lib/", RewrittenPath: "/Libraries/"}, - &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " variable declarations for inclusion"}}, + &Comment{Base: Base{IsLineRule: true, Comment: " variable declarations for inclusion"}}, &Variable{ Name: "FOO", Define: true, Values: []string{ @@ -85,7 +85,7 @@ func TestAppArmorProfileFile_resolveValues(t *testing.T) { { name: "simple", input: "@{bin}/foo", - want: []string{"/{,usr/}{,s}bin/foo"}, + want: []string{"/{,usr/}bin/foo"}, }, { name: "double", diff --git a/pkg/aa/rlimit.go b/pkg/aa/rlimit.go index 959ac4eec..29c617ff1 100644 --- a/pkg/aa/rlimit.go +++ b/pkg/aa/rlimit.go @@ -21,7 +21,7 @@ func init() { } type Rlimit struct { - RuleBase + Base Key string Op string Value string 
@@ -35,22 +35,34 @@ func newRlimit(q Qualifier, rule rule) (Rule, error) { return nil, fmt.Errorf("invalid rlimit format: %s", rule) } return &Rlimit{ - RuleBase: newBase(rule), - Key: rule.Get(1), - Op: rule.Get(2), - Value: rule.Get(3), + Base: newBase(rule), + Key: rule.Get(1), + Op: rule.Get(2), + Value: rule.Get(3), }, nil } func newRlimitFromLog(log map[string]string) Rule { return &Rlimit{ - RuleBase: newBaseFromLog(log), - Key: log["key"], - Op: log["op"], - Value: log["value"], + Base: newBaseFromLog(log), + Key: log["rlimit"], + Op: "<=", + Value: log["value"], } } +func (r *Rlimit) Kind() Kind { + return RLIMIT +} + +func (r *Rlimit) Constraint() Constraint { + return BlockRule +} + +func (r *Rlimit) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Rlimit) Validate() error { if err := validateValues(r.Kind(), "keys", []string{r.Key}); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -69,14 +81,21 @@ func (r *Rlimit) Compare(other Rule) int { return compare(r.Value, o.Value) } -func (r *Rlimit) String() string { - return renderTemplate(r.Kind(), r) +func (r *Rlimit) Merge(other Rule) bool { + return false // Never merge rlimit } -func (r *Rlimit) Constraint() constraint { - return blockKind +func (r *Rlimit) Lengths() []int { + return []int{ + length("", r.Key), + length("", r.Op), + length("", r.Value), + } } -func (r *Rlimit) Kind() Kind { - return RLIMIT +func (r *Rlimit) setPaddings(max []int) { + r.Paddings = setPaddings( + max, []string{"", "", ""}, + []any{r.Key, r.Op, r.Value}, + ) } diff --git a/pkg/aa/rules_test.go b/pkg/aa/rule_test.go similarity index 85% rename from pkg/aa/rules_test.go rename to pkg/aa/rule_test.go index b3aa67b75..ed6e7043d 100644 --- a/pkg/aa/rules_test.go +++ b/pkg/aa/rule_test.go @@ -9,7 +9,7 @@ import ( "testing" ) -func TestRules_FromLog(t *testing.T) { +func TestRule_FromLog(t *testing.T) { for _, tt := range testRule { if tt.fromLog == nil { continue 
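Review bot: newRlimitFromLog hard-codes `Op: "<="` with no comment, and the switch from `log["op"]`/`log["key"]` to a fixed operator and `log["rlimit"]` is not self-explanatory; a comment such as `// Audit records carry only rlimit= and value=; rlimit rules are always "<=" limits` would record the reasoning next to the literal. `Merge` returning false and `Lengths` omitting the audit/access entries are consistent with Rlimit having no Qualifier, but a short comment on `Lengths` stating that would stop a reader from comparing it with Ptrace.Lengths and assuming two entries were forgotten.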
@@ -22,27 +22,7 @@ func TestRules_FromLog(t *testing.T) { } } -func TestRules_Validate(t *testing.T) { - for _, tt := range testRule { - t.Run(tt.name, func(t *testing.T) { - if err := tt.rule.Validate(); (err != nil) != tt.wValidErr { - t.Errorf("Rules.Validate() error = %v, wantErr %v", err, tt.wValidErr) - } - }) - } -} - -func TestCapability_Compare(t *testing.T) { - for _, tt := range testRule { - t.Run(tt.name, func(t *testing.T) { - if got := tt.rule.Compare(tt.other); got != tt.wCompare { - t.Errorf("Rule.Compare() = %v, want %v", got, tt.wCompare) - } - }) - } -} - -func TestRules_String(t *testing.T) { +func TestRule_String(t *testing.T) { for _, tt := range testRule { t.Run(tt.name, func(t *testing.T) { if got := tt.rule.String(); got != tt.wString { @@ -52,7 +32,27 @@ func TestRules_String(t *testing.T) { } } -func TestCapability_Merge(t *testing.T) { +func TestRule_Validate(t *testing.T) { + for _, tt := range testRule { + t.Run(tt.name, func(t *testing.T) { + if err := tt.rule.Validate(); (err != nil) != tt.wValidErr { + t.Errorf("Rules.Validate() error = %v, wantErr %v", err, tt.wValidErr) + } + }) + } +} + +func TestRule_Compare(t *testing.T) { + for _, tt := range testRule { + t.Run(tt.name, func(t *testing.T) { + if got := tt.rule.Compare(tt.other); got != tt.wCompare { + t.Errorf("Rule.Compare() = %v, want %v", got, tt.wCompare) + } + }) + } +} + +func TestRule_Merge(t *testing.T) { for _, tt := range testRule { t.Run(tt.name, func(t *testing.T) { if got := tt.rule.Merge(tt.other); got != tt.wMerge { @@ -124,7 +124,7 @@ var ( wString: "include if exists ", }, { - name: "include/abs", + name: "include-abs", rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false}, other: &Include{Path: "/usr/share/apparmor.d/", IsMagic: true}, wCompare: -1, 
@@ -190,7 +190,7 @@ var ( wString: "capability net_admin,", }, { - name: "capability/multi", + name: "capability-multi", rule: &Capability{Names: []string{"dac_override", "dac_read_search"}}, other: capability2, wCompare: -15, @@ -198,7 +198,7 @@ var ( wString: "capability dac_override dac_read_search,", }, { - name: "capability/all", + name: "capability-all", rule: &Capability{}, other: capability2, wCompare: -1, @@ -216,13 +216,24 @@ var ( wMerge: false, wString: "network netlink raw,", }, + { + name: "network3", + fromLog: newNetworkFromLog, + log: network3Log, + rule: network3, + wValidErr: true, + other: network1, + wCompare: -7, + wMerge: false, + wString: "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", + }, { name: "mount", fromLog: newMountFromLog, log: mount1Log, rule: mount1, other: mount2, - wCompare: 38, + wCompare: 37, wMerge: false, wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check", }, @@ -250,7 +261,7 @@ var ( log: pivotroot1Log, rule: pivotroot1, other: pivotroot2, - wCompare: 7, + wCompare: -5, wMerge: false, wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,", }, @@ -307,7 +318,7 @@ var ( wString: "signal receive set=kill peer=firefox//&firejail-default,", }, { - name: "ptrace/xdg-document-portal", + name: "ptrace-xdg-document-portal", fromLog: newPtraceFromLog, log: ptrace1Log, rule: ptrace1, @@ -317,7 +328,7 @@ var ( wString: "ptrace read peer=nautilus,", }, { - name: "ptrace/snap-update-ns.firefox", + name: "ptrace-snap-update-ns.firefox", fromLog: newPtraceFromLog, log: ptrace2Log, rule: ptrace2, @@ -355,7 +366,7 @@ var ( wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,", }, { - name: "dbus/bind", + name: "dbus-bind", rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, other: dbus2, wCompare: -39, 
@@ -381,31 +392,33 @@ var ( wString: "/usr/share/poppler/cMap/Identity-H r,", }, { - name: "file/empty", + name: "file-all", rule: &File{}, other: &File{}, wCompare: 0, wMerge: true, - wString: " ,", + wString: " ,", // FIXME: }, { - name: "file/equal", - rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: 0, - wMerge: true, - wString: "/usr/share/poppler/cMap/Identity-H ,", + name: "file-equal", + rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wValidErr: true, + wCompare: 0, + wMerge: true, + wString: "/usr/share/poppler/cMap/Identity-H ,", }, { - name: "file/owner", - rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: 1, - wMerge: false, - wString: "owner /usr/share/poppler/cMap/Identity-H ,", + name: "file-owner", + rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wCompare: 1, + wValidErr: true, + wMerge: false, + wString: "owner /usr/share/poppler/cMap/Identity-H ,", }, { - name: "file/access", + name: "file-access", rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}}, wCompare: -5, @@ -413,12 +426,13 @@ var ( wString: "/usr/share/poppler/cMap/Identity-H r,", }, { - name: "file/close", - rule: &File{Path: "/usr/share/poppler/cMap/"}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: -10, - wMerge: false, - wString: "/usr/share/poppler/cMap/ ,", + name: "file-close", + rule: &File{Path: "/usr/share/poppler/cMap/"}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wCompare: -10, + wValidErr: true, + wMerge: false, + wString: "/usr/share/poppler/cMap/ ,", }, { name: "link1", 
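Review bot: `// FIXME:` on the `file-all` case carries no text, so the next reader cannot tell what is wrong or when the case can be retired; since an empty File renders as `" ,"`, which is not a valid rule, the comment should say so, e.g. `// FIXME: an empty file rule should not render as " ,"`. The new `wValidErr: true` on file-equal, file-owner and file-close pins that a File without Access now fails Validate, which is a useful regression guard.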
diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go index d216c758b..8e8ed5d95 100644 --- a/pkg/aa/rules.go +++ b/pkg/aa/rules.go @@ -6,19 +6,16 @@ package aa import ( "slices" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/util" ) type requirement map[string][]string -type constraint uint +type Constraint uint const ( - anyKind constraint = iota // The rule can be found in either preamble or profile - preambleKind // The rule can only be found in the preamble - blockKind // The rule can only be found in a profile + AnyRule Constraint = iota // The rule can be found in either preamble or profile + PreambleRule // The rule can only be found in the preamble + BlockRule // The rule can only be found in a profile ) // Kind represents an AppArmor rule kind. @@ -37,12 +34,16 @@ func (k Kind) Tok() string { // Rule generic interface for all AppArmor rules type Rule interface { - Validate() error - Compare(other Rule) int - Merge(other Rule) bool - String() string - Constraint() constraint - Kind() Kind + Kind() Kind // Kind of the rule + Constraint() Constraint // Where the rule can be found (preamble, profile, any) + String() string // Render the rule as a string + Validate() error // Validate the rule. Return an error if the rule is invalid + Compare(other Rule) int // Compare two rules. Return 0 if they are identical + Merge(other Rule) bool // Merge rules of same kind together. Return true if merged + Padding(i int) string // Padding for rule items at index i + Lengths() []int // Length of each item in the rule + setPaddings(max []int) // Set paddings for each item in the rule + addLine(other Rule) bool // Check either a new line should be added before the rule } type Rules []Rule @@ -93,7 +94,7 @@ func (r Rules) Delete(i int) Rules { } func (r Rules) DeleteKind(kind Kind) Rules { - res := make(Rules, 0) + res := make(Rules, 0, len(r)) for _, rule := range r { if rule == nil { continue 
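Review bot: the Rule interface now includes the unexported methods `setPaddings` and `addLine`, which means no type outside package aa can implement Rule; if that is intended it should be stated on the interface, e.g. `// Rule is sealed: its unexported methods restrict implementations to this package.`, and if not, the two methods belong on a package-internal interface used only by Rules.Format. The per-method comments on the interface are a good addition; `Padding(i int)` is the one caller-facing method whose contract (what i indexes and what an out-of-range i yields) the comment does not cover.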
@@ -105,8 +106,8 @@ func (r Rules) DeleteKind(kind Kind) Rules { return res } -func (r Rules) Filter(filter Kind) Rules { - res := make(Rules, 0) +func (r Rules) FilterOut(filter Kind) Rules { + res := make(Rules, 0, len(r)) for _, rule := range r { if rule == nil { continue @@ -118,8 +119,21 @@ func (r Rules) Filter(filter Kind) Rules { return res } +func (r Rules) Filter(filter Kind) Rules { + res := make(Rules, 0, len(r)) + for _, rule := range r { + if rule == nil { + continue + } + if rule.Kind() == filter { + res = append(res, rule) + } + } + return res +} + func (r Rules) GetVariables() []*Variable { - res := make([]*Variable, 0) + res := make([]*Variable, 0, len(r)) for _, rule := range r { switch rule := rule.(type) { case *Variable: @@ -130,7 +144,7 @@ func (r Rules) GetVariables() []*Variable { } func (r Rules) GetIncludes() []*Include { - res := make([]*Include, 0) + res := make([]*Include, 0, len(r)) for _, rule := range r { switch rule := rule.(type) { case *Include: @@ -140,8 +154,7 @@ func (r Rules) GetIncludes() []*Include { return res } -// Merge merge similar rules together. -// Steps: +// Merge merge similar rules together: // - Remove identical rules // - Merge rule access. Eg: for same path, 'r' and 'w' becomes 'rw' // 
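Review bot: the existing exported `Filter(kind)` is renamed to `FilterOut` and a new `Filter` with the opposite meaning (keep only `kind`) takes over its name, so any caller not updated in this commit silently receives the inverted rule set instead of a compile error; either give the new method a distinct name such as `Select` or `OfKind`, or call out the behavioural rename in the commit message and check every caller. The doc comment `// Merge merge similar rules together:` should read `// Merge merges similar rules together:`. The `make(Rules, 0, len(r))` pre-sizing in DeleteKind, FilterOut, Filter, GetVariables and GetIncludes trades a little memory for fewer allocations, which is fine at these sizes.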
@@ -197,90 +210,70 @@ func (r Rules) Sort() Rules { return r } -// Format the rules for better readability before printing it. +// setPaddings set paddings for each element in each rules +func (r *Rules) setPaddings(paddingsIndex map[Kind][]int, paddingsMaxLen map[Kind][]int) { + for kind, index := range paddingsIndex { + if len(index) <= 1 { + continue + } + for _, i := range index { + (*r)[i].setPaddings(paddingsMaxLen[kind]) + } + } +} + +// Format the rules for better readability before printing it. Format supposes +// the rules are merged and sorted. // Follow: https://apparmor.pujol.io/development/guidelines/#the-file-block func (r Rules) Format() Rules { - const prefixOwner = " " - suffixMaxlen := 36 - transitions := append(requirements[FILE]["transition"], "m") + // Insert new line between rule of different type/subtype. + for i := len(r) - 1; i >= 0; i-- { + j := i - 1 + if j < 0 || r[j] == nil { + continue + } + if r[i].addLine(r[j]) { + r = r.Insert(i, nil) + } + } - paddingIndex := []int{} - paddingMaxLenght := 0 + // Find max paddings for each element in each rules + paddingsIndex := map[Kind][]int{} + paddingsMaxLen := map[Kind][]int{} for i, rule := range r { if rule == nil { + r.setPaddings(paddingsIndex, paddingsMaxLen) + paddingsIndex = map[Kind][]int{} + paddingsMaxLen = map[Kind][]int{} continue } - if rule.Kind() == FILE { - rule := r[i].(*File) - - // Add padding to align with other transition rule - isTransition := util.Intersect(transitions, rule.Access) - if len(isTransition) > 0 { - ruleLen := len(rule.Path) + 1 - paddingMaxLenght = max(ruleLen, paddingMaxLenght) - paddingIndex = append(paddingIndex, i) - } - - // Add suffix to align comment on udev/data rule - if rule.Comment != "" && strings.HasPrefix(rule.Path, "@{run}/udev/data/") { - suffixlen := suffixMaxlen - len(rule.Path) - if suffixlen < 0 { - suffixlen = 0 - } - rule.Suffix = strings.Repeat(" ", suffixlen) - } - } - } - if len(paddingIndex) > 1 { - r.setPadding(paddingIndex, 
paddingMaxLenght) - } - - hasOwnerRule := false - for i := len(r) - 1; i >= 0; i-- { - if r[i] == nil { - hasOwnerRule = false - continue - } - - // File rule - if r[i].Kind() == FILE { - rule := r[i].(*File) - - // Add prefix before rule path to align with other rule - if rule.Owner { - hasOwnerRule = true - } else if hasOwnerRule { - rule.Prefix = prefixOwner - } - - // Do not add new line on executable rule - isTransition := util.Intersect(transitions, rule.Access) - if len(isTransition) > 0 { - continue - } - - // Add a new line between Files rule of different group type - j := i - 1 - if j < 0 || r[j] == nil || r[j].Kind() != FILE { - continue - } - letterI := getLetterIn(fileAlphabet, rule.Path) - letterJ := getLetterIn(fileAlphabet, r[j].(*File).Path) - groupI, ok1 := fileAlphabetGroups[letterI] - groupJ, ok2 := fileAlphabetGroups[letterJ] - if letterI != letterJ && !(ok1 && ok2 && groupI == groupJ) { - hasOwnerRule = false - r = r.Insert(i, nil) + lengths := rule.Lengths() + paddingsIndex[rule.Kind()] = append(paddingsIndex[rule.Kind()], i) + for idx, length := range lengths { + if _, ok := paddingsMaxLen[rule.Kind()]; !ok { + paddingsMaxLen[rule.Kind()] = make([]int, len(lengths)) } + paddingsMaxLen[rule.Kind()][idx] = max(paddingsMaxLen[rule.Kind()][idx], length) } } + r.setPaddings(paddingsIndex, paddingsMaxLen) return r } -// setPadding adds padding to the rule path to align with other rules. -func (r *Rules) setPadding(paddingIndex []int, paddingMaxLenght int) { - for _, i := range paddingIndex { - (*r)[i].(*File).Padding = strings.Repeat(" ", paddingMaxLenght-len((*r)[i].(*File).Path)) +// ParaRules is a slice of Rules grouped by paragraph +type ParaRules []Rules + +func (r ParaRules) Flatten() Rules { + totalLen := 0 + for i := range r { + totalLen += len(r[i]) } + + res := make(Rules, 0, totalLen) + for i := range r { + res = append(res, r[i]...) + } + + return res } diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go index 097e8b827..319e16584 100644 
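Review bot: In the new blank-line loop at the top of `Format`, `r[i].addLine(r[j])` is called after checking only `r[j] == nil`; the padding loop a few lines below explicitly handles `rule == nil`, so nil separators are expected in `r`, and a nil `r[i]` here panics on the nil interface. The guard should be `if j < 0 || r[i] == nil || r[j] == nil { continue }`. Separately, `paddingsMaxLen[rule.Kind()]` is sized from the first rule of each Kind inside the `range lengths` loop; if a later rule of the same Kind ever returns a longer `Lengths()` slice (nothing visible enforces a fixed width per Kind), `paddingsMaxLen[kind][idx]` indexes out of range. Growing the slice on demand, and hoisting the repeated `rule.Kind()` lookup, avoids both the panic and the per-iteration map check.

```go
	// … unchanged: blank-line insertion loop and paddings map setup …
		lengths := rule.Lengths()
		kind := rule.Kind()
		paddingsIndex[kind] = append(paddingsIndex[kind], i)
		if missing := len(lengths) - len(paddingsMaxLen[kind]); missing > 0 {
			paddingsMaxLen[kind] = append(paddingsMaxLen[kind], make([]int, missing)...)
		}
		for idx, length := range lengths {
			paddingsMaxLen[kind][idx] = max(paddingsMaxLen[kind][idx], length)
		}
	// … unchanged: final r.setPaddings call and return …
```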
--- a/pkg/aa/signal.go +++ b/pkg/aa/signal.go @@ -16,11 +16,11 @@ func init() { "r", "w", "rw", "read", "write", "send", "receive", }, "set": { - "hup", "int", "quit", "ill", "trap", "abrt", "bus", "fpe", - "kill", "usr1", "segv", "usr2", "pipe", "alrm", "term", "stkflt", - "chld", "cont", "stop", "stp", "ttin", "ttou", "urg", "xcpu", - "xfsz", "vtalrm", "prof", "winch", "io", "pwr", "sys", "emt", - "exists", "rtmin+0", "rtmin+1", "rtmin+2", "rtmin+3", "rtmin+4", + "abrt", "alrm", "bus", "chld", "cont", "emt", "exists", "fpe", "hup", + "ill", "int", "io", "kill", "pipe", "prof", "pwr", "quit", "segv", + "stkflt", "stop", "stp", "sys", "term", "trap", "ttin", "ttou", + "urg", "usr1", "usr2", "vtalrm", "winch", "xcpu", "xfsz", + "rtmin+0", "rtmin+1", "rtmin+2", "rtmin+3", "rtmin+4", "rtmin+5", "rtmin+6", "rtmin+7", "rtmin+8", "rtmin+9", "rtmin+10", "rtmin+11", "rtmin+12", "rtmin+13", "rtmin+14", "rtmin+15", "rtmin+16", "rtmin+17", "rtmin+18", "rtmin+19", "rtmin+20", @@ -32,7 +32,7 @@ func init() { } type Signal struct { - RuleBase + Base Qualifier Access []string Set []string @@ -49,7 +49,7 @@ func newSignal(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Signal{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, Access: accesses, Set: set, @@ -59,7 +59,7 @@ func newSignal(q Qualifier, rule rule) (Rule, error) { func newSignalFromLog(log map[string]string) Rule { return &Signal{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: Must(toAccess(SIGNAL, log["requested_mask"])), Set: []string{log["signal"]}, 
@@ -67,6 +67,18 @@ func newSignalFromLog(log map[string]string) Rule { } } +func (r *Signal) Kind() Kind { + return SIGNAL +} + +func (r *Signal) Constraint() Constraint { + return BlockRule +} + +func (r *Signal) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Signal) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -77,25 +89,6 @@ func (r *Signal) Validate() error { return nil } -func (r *Signal) Merge(other Rule) bool { - o, _ := other.(*Signal) - - if !r.Qualifier.Equal(o.Qualifier) { - return false - } - switch { - case r.Peer == o.Peer && compare(r.Set, o.Set) == 0: - r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.RuleBase - return b.merge(o.RuleBase) - case r.Peer == o.Peer && compare(r.Access, o.Access) == 0: - r.Set = merge(r.Kind(), "set", r.Set, o.Set) - b := &r.RuleBase - return b.merge(o.RuleBase) - } - return false -} - func (r *Signal) Compare(other Rule) int { o, _ := other.(*Signal) if res := compare(r.Access, o.Access); res != 0 { 
@@ -110,14 +103,38 @@ func (r *Signal) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *Signal) String() string { - return renderTemplate(r.Kind(), r) +func (r *Signal) Merge(other Rule) bool { + o, _ := other.(*Signal) + + if !r.Equal(o.Qualifier) { + return false + } + switch { + case r.Peer == o.Peer && compare(r.Set, o.Set) == 0: + r.Access = merge(r.Kind(), "access", r.Access, o.Access) + b := &r.Base + return b.merge(o.Base) + case r.Peer == o.Peer && compare(r.Access, o.Access) == 0: + r.Set = merge(r.Kind(), "set", r.Set, o.Set) + b := &r.Base + return b.merge(o.Base) + } + return false } -func (r *Signal) Constraint() constraint { - return blockKind +func (r *Signal) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("", r.Access), + length("set=", r.Set), + length("peer=", r.Peer), + } } -func (r *Signal) Kind() Kind { - return SIGNAL +func (r *Signal) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{"", "set=", "peer="}, + []any{r.Access, r.Set, r.Peer})..., + ) } diff --git a/pkg/aa/template.go b/pkg/aa/template.go index 18f07bc2e..cb00d2f36 100644 --- a/pkg/aa/template.go +++ b/pkg/aa/template.go @@ -35,17 +35,10 @@ var ( // The apparmor templates tmpl = generateTemplates([]Kind{ // Global templates - "apparmor", - PROFILE, - HAT, - "rules", + "apparmor", PROFILE, HAT, "rules", // Preamble templates - ABI, - ALIAS, - INCLUDE, - VARIABLE, - COMMENT, + ABI, ALIAS, INCLUDE, VARIABLE, COMMENT, // Rules templates ALL, RLIMIT, USERNS, CAPABILITY, NETWORK, @@ -138,7 +131,7 @@ var ( // The order AARE should be sorted stringAlphabet = []byte( - "!\"#$%&'*(){}[]+,-./:;<=>?@\\^_`|~0123456789abcdefghijklmnopqrstuvwxyz", + "!\"#$%&'*(){}[]@+,-./:;<=>?\\^_`|~0123456789abcdefghijklmnopqrstuvwxyz", ) stringWeights = generateWeights(stringAlphabet) 
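Review bot: `setPaddings(max []int)` names its parameter `max`, shadowing the Go 1.21 builtin `max` that `Rules.Format` in this same diff relies on; the same parameter name appears in `Unix.setPaddings` (unix.go hunk), `Userns.setPaddings` (userns.go hunk) and the package helper `setPaddings` in util.go. Renaming it, e.g. `func (r *Signal) setPaddings(maxLen []int) string`, removes the trap for the next person who wants the builtin inside these bodies. Also note that `max[:2]` assumes at least two entries; that holds as long as `Lengths()` and the paddings map stay in step, which is worth a one-line comment. The moved `Merge` still does `o, _ := other.(*Signal)` and then dereferences `o`, so a non-Signal argument panics; this predates the commit but `o, ok := other.(*Signal); if !ok { return false }` would make the contract explicit.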
@@ -232,11 +225,11 @@ func cjoin(i any) string { } } -func kindOf(i any) string { +func kindOf(i Rule) string { if i == nil { return "" } - return i.(Rule).Kind().String() + return i.Kind().String() } func setindent(i string) string { diff --git a/pkg/aa/templates/rule/file.j2 b/pkg/aa/templates/rule/file.j2 index 8fc82698b..52a41a318 100644 --- a/pkg/aa/templates/rule/file.j2 +++ b/pkg/aa/templates/rule/file.j2 @@ -7,11 +7,10 @@ {{- if .Owner -}} {{- "owner " -}} {{- end -}} + {{- .Padding 2 -}} {{- .Path -}} {{- " " -}} - {{- with .Padding -}} - {{ . }} - {{- end -}} + {{- .Padding 3 -}} {{- range .Access -}} {{- . -}} {{- end -}} @@ -19,9 +18,7 @@ {{ " -> " }}{{ . }} {{- end -}} {{- "," -}} - {{- with .Suffix -}} - {{ . }} - {{- end -}} + {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} @@ -30,18 +27,18 @@ {{- if .Owner -}} {{- "owner " -}} {{- end -}} + {{- .Padding 2 -}} {{- "link " -}} {{- if .Subset -}} {{- "subset " -}} {{- end -}} + {{- .Padding 3 -}} {{- .Path -}} {{- " " -}} {{- with .Target -}} {{ "-> " }}{{ . }} {{- end -}} {{- "," -}} - {{- with .Suffix -}} - {{ . }} - {{- end -}} + {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} diff --git a/pkg/aa/templates/rule/io_uring.j2 b/pkg/aa/templates/rule/io_uring.j2 index 78e1aa17a..2bbaeda59 100644 --- a/pkg/aa/templates/rule/io_uring.j2 +++ b/pkg/aa/templates/rule/io_uring.j2 @@ -5,12 +5,14 @@ {{- define "io_uring" -}} {{- template "qualifier" . -}} {{- "io_uring" -}} - {{- range .Access -}} - {{ " " }}{{ . }} + {{- with .Access -}} + {{ " " }}{{ cjoin . }} {{- end -}} + {{- .Padding 2 -}} {{- with .Label -}} {{ " label=" }}{{ . }} {{- end -}} {{- "," -}} + {{- .Padding 3 -}} {{- template "comment" . -}} {{- end -}} diff --git a/pkg/aa/templates/rule/mount.j2 b/pkg/aa/templates/rule/mount.j2 index c97ead101..31e83567f 100644 --- a/pkg/aa/templates/rule/mount.j2 +++ b/pkg/aa/templates/rule/mount.j2 
@@ -8,16 +8,20 @@ {{- with .FsType -}} {{ " fstype=" }}{{ . }} {{- end -}} + {{- .Padding 2 -}} {{- with .Options -}} {{ " options=" }}{{ cjoin . }} {{- end -}} + {{- .Padding 3 -}} {{- with .Source -}} {{ " " }}{{ . }} {{- end -}} + {{- .Padding 4 -}} {{- with .MountPoint -}} {{ " -> " }}{{ . }} {{- end -}} {{- "," -}} + {{- .Padding 5 -}} {{- template "comment" . -}} {{- end -}} @@ -27,13 +31,16 @@ {{- with .FsType -}} {{ " fstype=" }}{{ . }} {{- end -}} + {{- .Padding 2 -}} {{- with .Options -}} {{ " options=" }}{{ cjoin . }} {{- end -}} + {{- .Padding 3 -}} {{- with .MountPoint -}} {{ " " }}{{ . }} {{- end -}} {{- "," -}} + {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} @@ -43,12 +50,15 @@ {{- with .FsType -}} {{ " fstype=" }}{{ . }} {{- end -}} + {{- .Padding 2 -}} {{- with .Options -}} {{ " options=" }}{{ cjoin . }} {{- end -}} + {{- .Padding 3 -}} {{- with .MountPoint -}} {{ " " }}{{ . }} {{- end -}} {{- "," -}} + {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} diff --git a/pkg/aa/templates/rule/mqueue.j2 b/pkg/aa/templates/rule/mqueue.j2 index e2df27562..47147be4b 100644 --- a/pkg/aa/templates/rule/mqueue.j2 +++ b/pkg/aa/templates/rule/mqueue.j2 @@ -8,15 +8,19 @@ {{- with .Access -}} {{ " " }}{{ cjoin . }} {{- end -}} + {{- .Padding 2 -}} {{- with .Type -}} {{ " type=" }}{{ . }} {{- end -}} + {{- .Padding 3 -}} {{- with .Label -}} {{ " label=" }}{{ . }} {{- end -}} + {{- .Padding 4 -}} {{- with .Name -}} {{ " " }}{{ . }} {{- end -}} {{- "," -}} + {{- .Padding 5 -}} {{- template "comment" . -}} {{- end -}} diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2 index 6f2503a8b..3694442be 100644 --- a/pkg/aa/templates/rule/network.j2 +++ b/pkg/aa/templates/rule/network.j2 
@@ -15,6 +15,22 @@ {{ " " }}{{ . }} {{- end -}} {{- end -}} + {{- with .LocalAddress.IP -}} + {{ " ip=" }}{{ . }} + {{- end -}} + {{- with .LocalAddress.Port -}} + {{ " port=" }}{{ . }} + {{- end -}} + {{- if and .PeerAddress.IP .PeerAddress.Port -}} + {{ " peer=(ip=" }}{{ .PeerAddress.IP }}{{ ", port="}}{{ .PeerAddress.Port }}{{ ")" }} + {{- else -}} + {{- with .PeerAddress.IP -}} + {{ " peer=(ip=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- with .PeerAddress.Port -}} + {{ " peer=(port=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- end -}} {{- "," -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/pivot_root.j2 b/pkg/aa/templates/rule/pivot_root.j2 index d779e2c11..678617ca0 100644 --- a/pkg/aa/templates/rule/pivot_root.j2 +++ b/pkg/aa/templates/rule/pivot_root.j2 @@ -8,12 +8,15 @@ {{- with .OldRoot -}} {{ " oldroot=" }}{{ . }} {{- end -}} + {{- .Padding 2 -}} {{- with .NewRoot -}} {{ " " }}{{ . }} {{- end -}} + {{- .Padding 3 -}} {{- with .TargetProfile -}} {{ " -> " }}{{ . }} {{- end -}} {{- "," -}} + {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/ptrace.j2 b/pkg/aa/templates/rule/ptrace.j2 index c499890b0..5f4fe3567 100644 --- a/pkg/aa/templates/rule/ptrace.j2 +++ b/pkg/aa/templates/rule/ptrace.j2 @@ -8,9 +8,11 @@ {{- with .Access -}} {{ " " }}{{ cjoin . }} {{- end -}} + {{- .Padding 2 -}} {{- with .Peer -}} {{ " peer=" }}{{ . }} {{- end -}} {{- "," -}} + {{- .Padding 3 -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/qualifier.j2 b/pkg/aa/templates/rule/qualifier.j2 index ed89f63e0..69181051a 100644 --- a/pkg/aa/templates/rule/qualifier.j2 +++ b/pkg/aa/templates/rule/qualifier.j2 
@@ -3,13 +3,15 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "qualifier" -}} - {{- with .Prefix -}} - {{ . }} + {{- with .Priority -}} + {{- "priority=" -}}{{ . }}{{ " " }} {{- end -}} {{- if .Audit -}} {{- "audit " -}} {{- end -}} + {{- .Padding 0 -}} {{- if eq .AccessType "deny" -}} {{- "deny " -}} {{- end -}} + {{- .Padding 1 -}} {{- end -}} diff --git a/pkg/aa/templates/rule/rlimit.j2 b/pkg/aa/templates/rule/rlimit.j2 index 5061c1c45..c6996ac28 100644 --- a/pkg/aa/templates/rule/rlimit.j2 +++ b/pkg/aa/templates/rule/rlimit.j2 @@ -3,5 +3,15 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "rlimit" -}} - {{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }}{{ template "comment" . }} -{{- end -}} \ No newline at end of file + {{- "set rlimit " -}} + {{- .Key -}} + {{- " " -}} + {{- .Padding 2 -}} + {{- .Op -}} + {{- " " -}} + {{- .Padding 3 -}} + {{- .Value -}} + {{- "," -}} + {{- .Padding 4 -}} + {{- template "comment" . -}} +{{- end -}} diff --git a/pkg/aa/templates/rule/signal.j2 b/pkg/aa/templates/rule/signal.j2 index b56085d8d..fd2edd99d 100644 --- a/pkg/aa/templates/rule/signal.j2 +++ b/pkg/aa/templates/rule/signal.j2 @@ -8,12 +8,15 @@ {{- with .Access -}} {{ " " }}{{ cjoin . }} {{- end -}} + {{- .Padding 2 -}} {{- with .Set -}} {{ " set=" }}{{ cjoin . }} {{- end -}} + {{- .Padding 3 -}} {{- with .Peer -}} {{ " peer=" }}{{ . }} {{- end -}} {{- "," -}} + {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/unix.j2 b/pkg/aa/templates/rule/unix.j2 index 531eaaf9e..fae6a5429 100644 --- a/pkg/aa/templates/rule/unix.j2 +++ b/pkg/aa/templates/rule/unix.j2 
@@ -8,18 +8,23 @@ {{- with .Access -}} {{ " " }}{{ cjoin . }} {{- end -}} + {{- .Padding 2 -}} {{- with .Type -}} {{ " type=" }}{{ . }} {{- end -}} + {{- .Padding 3 -}} {{- with .Protocol -}} {{ " protocol=" }}{{ . }} {{- end -}} + {{- .Padding 4 -}} {{- with .Address -}} {{ " addr=" }}{{ . }} {{- end -}} + {{- .Padding 5 -}} {{- with .Label -}} {{ " label=" }}{{ . }} {{- end -}} + {{- .Padding 6 -}} {{- if and .PeerLabel .PeerAddr -}} {{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr="}}{{ .PeerAddr }}{{ ")" }} {{- else -}} diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index 677330ecb..1e8a99298 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go @@ -21,7 +21,7 @@ func init() { } type Unix struct { - RuleBase + Base Qualifier Access []string Type string @@ -40,7 +40,7 @@ func newUnix(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Unix{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, Access: accesses, Type: rule.GetValuesAsString("type"), @@ -56,7 +56,7 @@ func newUnix(q Qualifier, rule rule) (Rule, error) { func newUnixFromLog(log map[string]string) Rule { return &Unix{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: Must(toAccess(UNIX, log["requested_mask"])), Type: log["sock_type"], @@ -70,6 +70,18 @@ func newUnixFromLog(log map[string]string) Rule { } } +func (r *Unix) Kind() Kind { + return UNIX +} + +func (r *Unix) Constraint() Constraint { + return BlockRule +} + +func (r *Unix) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Unix) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) 
@@ -112,27 +124,34 @@ func (r *Unix) Compare(other Rule) int { func (r *Unix) Merge(other Rule) bool { o, _ := other.(*Unix) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Protocol == o.Protocol && r.Address == o.Address && r.Label == o.Label && r.Attr == o.Attr && r.Opt == o.Opt && r.PeerLabel == o.PeerLabel && r.PeerAddr == o.PeerAddr { r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.RuleBase - return b.merge(o.RuleBase) + b := &r.Base + return b.merge(o.Base) } return false } -func (r *Unix) String() string { - return renderTemplate(r.Kind(), r) +func (r *Unix) Lengths() []int { + return []int{ + r.getLenAudit(), + r.getLenAccess(), + length("", r.Access), + length("type=", r.Type), + length("protocol=", r.Protocol), + length("addr=", r.Address), + length("label=", r.Label), + } } -func (r *Unix) Constraint() constraint { - return blockKind -} - -func (r *Unix) Kind() Kind { - return UNIX +func (r *Unix) setPaddings(max []int) { + r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( + max[2:], []string{"", "type=", "protocol=", "addr=", "label="}, + []any{r.Access, r.Type, r.Protocol, r.Address, r.Label})..., + ) } diff --git a/pkg/aa/userns.go b/pkg/aa/userns.go index 424911f08..f4a9815c6 100644 --- a/pkg/aa/userns.go +++ b/pkg/aa/userns.go @@ -9,7 +9,7 @@ import "fmt" const USERNS Kind = "userns" type Userns struct { - RuleBase + Base Qualifier Create bool } @@ -28,7 +28,7 @@ func newUserns(q Qualifier, rule rule) (Rule, error) { return nil, fmt.Errorf("invalid userns format: %s", rule) } return &Userns{ - RuleBase: newBase(rule), + Base: newBase(rule), Qualifier: q, Create: create, }, nil 
@@ -36,12 +36,24 @@ func newUserns(q Qualifier, rule rule) (Rule, error) { func newUsernsFromLog(log map[string]string) Rule { return &Userns{ - RuleBase: newBaseFromLog(log), + Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Create: true, } } +func (r *Userns) Kind() Kind { + return USERNS +} + +func (r *Userns) Constraint() Constraint { + return BlockRule +} + +func (r *Userns) String() string { + return renderTemplate(r.Kind(), r) +} + func (r *Userns) Validate() error { return nil } @@ -56,18 +68,12 @@ func (r *Userns) Compare(other Rule) int { func (r *Userns) Merge(other Rule) bool { o, _ := other.(*Userns) - b := &r.RuleBase - return b.merge(o.RuleBase) + b := &r.Base + return b.merge(o.Base) // Always merge userns rules } -func (r *Userns) String() string { - return renderTemplate(r.Kind(), r) +func (r *Userns) Lengths() []int { + return []int{} // No len for userns } -func (r *Userns) Constraint() constraint { - return blockKind -} - -func (r *Userns) Kind() Kind { - return USERNS -} +func (r *Userns) setPaddings(max []int) {} // No paddings for userns diff --git a/pkg/aa/convert.go b/pkg/aa/util.go similarity index 80% rename from pkg/aa/convert.go rename to pkg/aa/util.go index e0889360c..523eb99fe 100644 --- a/pkg/aa/convert.go +++ b/pkg/aa/util.go 
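Review bot: `Userns.Merge` merges unconditionally and the new comment `// Always merge userns rules` now documents that, whereas `Signal.Merge` and `Unix.Merge` in this same diff first bail out with `if !r.Equal(o.Qualifier) { return false }`. If the caller drops the merged-in rule (it appears to, given the bool return), a `deny userns,` and an `audit userns create,` in the same profile would collapse into whichever came first, silently changing the effective policy. Unless that is intended, add the qualifier check here too, `if !r.Equal(o.Qualifier) { return false }`, and make the comment say whether a difference in `Create` is deliberately ignored.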
@@ -43,6 +43,53 @@ func merge(kind Kind, key string, a, b []string) []string { return slices.Compact(a) } +func length(prefix string, value any) int { + var res int + switch value := value.(type) { + case bool: + if value { + return len(prefix) + 1 + } + return 0 + case string: + if value != "" { + res = len(value) + len(prefix) + 1 + } + return res + case []string: + for _, v := range value { + lenV := len(v) + if lenV > 0 { + res += lenV + 1 // Space between values + } + } + if len(value) > 1 { + res += 2 // Brackets on slices + } + return res + default: + panic("length: unsupported type") + } +} + +func setPaddings(max []int, prefixes []string, values []any) []string { + if len(max) != len(values) || len(max) != len(prefixes) { + panic("setPaddings: max, prefix, and values must have the same length") + } + res := make([]string, len(max)) + for i, v := range values { + if max[i] == 0 { + res[i] = "" + continue + } + count := max[i] - length(prefixes[i], v) + if count > 0 { + res[i] = strings.Repeat(" ", count) + } + } + return res +} + func compare(a, b any) int { switch a := a.(type) { case int: @@ -101,9 +148,10 @@ func validateValues(kind Kind, key string, values []string) error { func tokenToSlice(token string) []string { res := []string{} - token = strings.Trim(token, "()\n") + token = strings.Trim(token, "()\n ") if strings.ContainsAny(token, ", ") { var sep string + token = strings.ReplaceAll(token, " ", " ") switch { case strings.Contains(token, ","): sep = "," @@ -135,7 +183,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) + return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) } } slices.SortFunc(res, func(i, j string) int { diff --git a/pkg/aa/convert_test.go b/pkg/aa/util_test.go similarity index 100% rename from pkg/aa/convert_test.go rename to pkg/aa/util_test.go 
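Review bot: In `length`, the `[]string` case never adds `len(prefix)`, unlike the `string` and `bool` cases, yet callers such as `Signal.Lengths` pass `length("set=", r.Set)` and the signal template renders ` set=` ahead of the joined values. The width reported for a populated slice is therefore `len(prefix)` too small, so in a paragraph mixing rules with and without that field the ones without it get `len(prefix)` fewer spaces than needed and the following columns drift. Adding `if res > 0 { res += len(prefix) }` before `return res` in that case matches the other branches. A short comment on the `+ 2` (`// opening and closing parenthesis emitted by cjoin for multi-value slices`) would also help, since the template side is not visible from here.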
diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go index e6c91ac93..642dc8273 100644 --- a/pkg/logging/logging.go +++ b/pkg/logging/logging.go @@ -37,7 +37,7 @@ func Print(msg string, a ...interface{}) int { // Println prints a formatted message. Arguments are handled in the manner of fmt.Println. func Println(msg string) int { - n, _ := fmt.Fprintf(os.Stdout, msg+"\n") + n, _ := fmt.Fprintf(os.Stdout, "%s\n", msg) return n } @@ -48,7 +48,7 @@ func Bulletf(msg string, a ...interface{}) string { // Bullet prints a formatted bullet point string func Bullet(msg string, a ...interface{}) int { - return Print(Bulletf(msg, a...)) + return Print("%s", Bulletf(msg, a...)) } // Stepf returns a formatted step string @@ -58,7 +58,7 @@ func Stepf(msg string, a ...interface{}) string { // Step prints a step title func Step(msg string, a ...interface{}) int { - return Print(Stepf(msg, a...)) + return Print("%s", Stepf(msg, a...)) } // Successf returns a formatted success string @@ -68,7 +68,7 @@ func Successf(msg string, a ...interface{}) string { // Success prints a formatted success message to stdout func Success(msg string, a ...interface{}) int { - return Print(Successf(msg, a...)) + return Print("%s", Successf(msg, a...)) } // Warningf returns a formatted warning string @@ -78,12 +78,12 @@ func Warningf(msg string, a ...interface{}) string { // Warning prints a formatted warning message to stdout func Warning(msg string, a ...interface{}) int { - return Print(Warningf(msg, a...)) + return Print("%s", Warningf(msg, a...)) } -// Fatalf returns a formatted error message +// Error returns a formatted error message func Error(msg string, a ...interface{}) int { - return Print(fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) + return Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) } // Fatalf returns a formatted error message 
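Review bot: `Println` now formats with `"%s\n"`, which correctly stops a message containing `%` from being interpreted as a format string, but its doc comment still says "Arguments are handled in the manner of fmt.Println" although the function takes no variadic arguments. Using the direct equivalent `n, _ := fmt.Fprintln(os.Stdout, msg)` makes the comment true and drops the format string entirely. The `Print("%s", …)` wrappers below are fine; a one-line comment on `Print` noting that `msg` is a format string and callers must not pass untrusted text as `msg` would document the rule these changes enforce.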
diff --git a/pkg/logging/logging_test.go b/pkg/logging/logging_test.go index ebfe48afd..eb912595e 100644 --- a/pkg/logging/logging_test.go +++ b/pkg/logging/logging_test.go @@ -10,7 +10,7 @@ func TestPrint(t *testing.T) { msg := "Print message" wantN := 13 - gotN := Print(msg) + gotN := Print("%s", msg) if gotN != wantN { t.Errorf("Print() = %v, want %v", gotN, wantN) } @@ -28,7 +28,7 @@ func TestPrintln(t *testing.T) { func TestBulletf(t *testing.T) { msg := "Bullet message" want := "\033[1m â‹… \033[0mBullet message\n" - if got := Bulletf(msg); got != want { + if got := Bulletf("%s", msg); got != want { t.Errorf("Bulletf() = %v, want %v", got, want) } } @@ -36,7 +36,7 @@ func TestBulletf(t *testing.T) { func TestBullet(t *testing.T) { msg := "Bullet message" wantN := 28 - gotN := Bullet(msg) + gotN := Bullet("%s", msg) if gotN != wantN { t.Errorf("Bullet() = %v, want %v", gotN, wantN) } @@ -45,7 +45,7 @@ func TestBullet(t *testing.T) { func TestStepf(t *testing.T) { msg := "Step message" want := "\033[1;32mStep message\033[0m\n" - if got := Stepf(msg); got != want { + if got := Stepf("%s", msg); got != want { t.Errorf("Stepf() = %v, want %v", got, want) } } @@ -53,7 +53,7 @@ func TestStepf(t *testing.T) { func TestStep(t *testing.T) { msg := "Step message" wantN := 24 - gotN := Step(msg) + gotN := Step("%s", msg) if gotN != wantN { t.Errorf("Step() = %v, want %v", gotN, wantN) } @@ -62,7 +62,7 @@ func TestStep(t *testing.T) { func TestSuccessf(t *testing.T) { msg := "Success message" want := "\033[1;32m ✓ \033[0mSuccess message\n" - if got := Successf(msg); got != want { + if got := Successf("%s", msg); got != want { t.Errorf("Successf() = %v, want %v", got, want) } } @@ -70,7 +70,7 @@ func TestSuccessf(t *testing.T) { func TestSuccess(t *testing.T) { msg := "Success message" wantN := 32 - gotN := Success(msg) + gotN := Success("%s", msg) if gotN != wantN { t.Errorf("Success() = %v, want %v", gotN, wantN) } 
@@ -79,7 +79,7 @@ func TestSuccess(t *testing.T) { func TestWarningf(t *testing.T) { msg := "Warning message" want := "\033[1;33m ‼ \033[0mWarning message\n" - if got := Warningf(msg); got != want { + if got := Warningf("%s", msg); got != want { t.Errorf("Warningf() = %v, want %v", got, want) } } @@ -87,7 +87,7 @@ func TestWarningf(t *testing.T) { func TestWarning(t *testing.T) { msg := "Warning message" wantN := 32 - gotN := Warning(msg) + gotN := Warning("%s", msg) if gotN != wantN { t.Errorf("Warning() = %v, want %v", gotN, wantN) } @@ -96,7 +96,7 @@ func TestWarning(t *testing.T) { func TestError(t *testing.T) { msg := "Error message" wantN := 30 - gotN := Error(msg) + gotN := Error("%s", msg) if gotN != wantN { t.Errorf("Error() = %v, want %v", gotN, wantN) } @@ -105,7 +105,7 @@ func TestError(t *testing.T) { func TestFatalf(t *testing.T) { msg := "Error message" want := "\033[1;31m ✗ Error: \033[0mError message\n" - if got := Fatalf(msg); got != want { + if got := Fatalf("%s", msg); got != want { t.Errorf("Fatalf() = %v, want %v", got, want) } } diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index 78abbd7a2..53b3fbd3a 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -63,9 +63,10 @@ func GetAuditLogs(path string) (io.Reader, error) { } // GetJournalctlLogs return a reader with the logs entries from Systemd -func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) { +func GetJournalctlLogs(path string, since string, useFile bool) (io.Reader, error) { var logs []systemdLog var stdout bytes.Buffer + var stderr bytes.Buffer var scanner *bufio.Scanner if useFile { 
@@ -77,14 +78,20 @@ func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) { } else { // journalctl -b -o json -g apparmor -t kernel -t audit -t dbus-daemon --output-fields=MESSAGE > systemd.log args := []string{ - "--boot", "--grep=apparmor", - "--identifier=kernel", "--identifier=audit", "--identifier=dbus-daemon", + "--grep=apparmor", "--identifier=kernel", + "--identifier=audit", "--identifier=dbus-daemon", "--output=json", "--output-fields=MESSAGE", } + if since == "" { + args = append(args, "--boot") + } else { + args = append(args, "--since="+since) + } cmd := exec.Command("journalctl", args...) cmd.Stdout = &stdout - if err := cmd.Run(); err != nil { - return nil, err + cmd.Stderr = &stderr + if err := cmd.Run(); err != nil && stderr.Len() != 0 { + return nil, fmt.Errorf("journalctl: %s", stderr.String()) } scanner = bufio.NewScanner(&stdout) } diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index 15fa1fbc8..7e0a6002a 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -30,7 +30,7 @@ func TestGetJournalctlLogs(t *testing.T) { "apparmor": "ALLOWED", "label": "gsd-xsettings", "operation": "dbus_method_call", - "name": ":*", + "name": "@{busname}", "mask": "receive", "bus": "session", "path": "/org/gtk/Settings", @@ -49,9 +49,9 @@ func TestGetJournalctlLogs(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - reader, _ := GetJournalctlLogs(tt.path, tt.useFile) - if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + reader, _ := GetJournalctlLogs(tt.path, "", tt.useFile) + if got := New(reader, tt.name); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) } }) } diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 9771bd82c..b0ae58702 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go 
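Review bot: The new `if err := cmd.Run(); err != nil && stderr.Len() != 0` drops the error whenever journalctl fails without writing to stderr, which includes the case where the binary cannot be started at all (`exec.Command` failures produce no stderr), so the caller then gets an empty reader and no indication anything went wrong; the original `err` is also discarded from the returned message. If the intent is to tolerate journalctl's non-zero exit when no entries match, that case is an `*exec.ExitError` with empty stderr and can be distinguished explicitly (this uses the standard `errors` package if the file does not already import it). The enclosing function begins in the previous hunk.

```go
		cmd.Stderr = &stderr
		if err := cmd.Run(); err != nil {
			var exitErr *exec.ExitError
			if !errors.As(err, &exitErr) || stderr.Len() != 0 {
				return nil, fmt.Errorf("journalctl: %w: %s", err, stderr.String())
			}
		}
		// … unchanged: scanner = bufio.NewScanner(&stdout) …
```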
@@ -28,11 +28,14 @@ const ( boldYellow = "\033[1;33m" ) +const ( + h = `[0-9a-fA-F]` + d = `[0-9]` +) + var ( quoted bool isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`) - _hex = `[0-9a-fA-F]` - _int = `[0-9]` regCleanLogs = util.ToRegexRepl([]string{ // Clean apparmor log file `.*apparmor="`, `apparmor="`, @@ -40,8 +43,8 @@ var ( `\x1d`, " ", // Remove basic rules from abstractions/base - `(?m)^.*/etc/[^/]+so.*$`, ``, - `(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+so.*$`, ``, + `(?m)^.*/etc/[^/]+\.so.*$`, ``, + `(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+\.so.*$`, ``, `(?m)^.*/usr/(lib|lib32|lib64|libexec)/locale/.*$`, ``, `(?m)^.*/usr/share/locale[^/]?/.*$`, ``, `(?m)^.*/usr/share/zoneinfo[^/]?/.*$`, ``, @@ -49,7 +52,7 @@ var ( `(?m)^.*/dev/(u|)random.*$`, ``, }) regResolveLogs = util.ToRegexRepl([]string{ - // Resolve classic user variables + // Resolve user variables `/home/[^/]+/.cache`, `@{user_cache_dirs}`, `/home/[^/]+/.config`, `@{user_config_dirs}`, `/home/[^/]+/.local/share`, `@{user_share_dirs}`, 
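Review bot: The new package-level constants are named `h` and `d`, single letters that are easy to shadow accidentally in any function of package `logs` (a loop variable or parameter named `d` would silently hide the digit class) and that give no hint of their role at the use sites further down. Names such as `hexClass` / `digitClass`, or at least a comment on the `const (` block (`// character classes used to build the @{hex*} / @{int*} replacement patterns`), would keep the regex construction in the next hunk readable.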
@@ -60,40 +63,48 @@ var ( `/home/[^/]+/.gnupg`, `@{HOME}/@{XDG_GPG_DIR}`, `/home/[^/]+/`, `@{HOME}/`, - // Resolve classic system variables - `/usr/(lib|lib32|lib64|libexec)`, `@{lib}`, - `/usr/(bin|sbin)`, `@{bin}`, - `x86_64-pc-linux-gnu[^/]?`, `@{multiarch}`, + // Resolve system variables + `/att/[^/]+/`, `@{att}/`, + `/usr/lib(32|64|exec)`, `@{lib}`, + `/usr/lib`, `@{lib}`, + `/usr/sbin`, `@{sbin}`, + `/usr/bin`, `@{bin}`, + `(x86_64|amd64|i386|i686)`, `@{arch}`, + `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, `/var/run/`, `@{run}/`, `/run/`, `@{run}/`, `user/[0-9]*/`, `user/@{uid}/`, `/tmp/user/@{uid}/`, `@{tmp}/`, `/proc/`, `@{PROC}/`, + `@{PROC}/1/`, `@{PROC}/one/`, // Go does not support lookahead assertions like (?!1\b)d+, so we have to use a workaround `@{PROC}/[0-9]*/`, `@{PROC}/@{pid}/`, + `@{PROC}/one/`, `@{PROC}/1/`, `@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`, `/sys/`, `@{sys}/`, `@{PROC}@{sys}/`, `@{PROC}/sys/`, - `pci` + strings.Repeat(_hex, 4) + `:` + strings.Repeat(_hex, 2), `@{pci_bus}`, - `1000`, `@{pid}`, + `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, + `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, + `1000`, `@{uid}`, // Some system glob - `:1.[0-9]*`, `:*`, // dbus peer name + `:not.active.yet`, `@{busname}`, // dbus unique bus name + `:1.[0-9]*`, `@{busname}`, // dbus unique bus name `@{bin}/(|ba|da)sh`, `@{sh_path}`, // collect all shell `@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses // int, hex, uuid - strings.Repeat(_hex, 8) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 12), `@{uuid}`, - strings.Repeat(_int, 64), `@{int64}`, - strings.Repeat(_hex, 64), `@{hex64}`, - strings.Repeat(_hex, 38), `@{hex38}`, - strings.Repeat(_int, 32), `@{int32}`, - strings.Repeat(_hex, 32), `@{hex32}`, - strings.Repeat(_int, 16), `@{int16}`, - 
strings.Repeat(_hex, 16), `@{hex16}`, - strings.Repeat(_int, 10), `@{int10}`, - strings.Repeat(_int, 8), `@{int8}`, - strings.Repeat(_int, 6), `@{int6}`, + strings.Repeat(h, 8) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 12), `@{uuid}`, + strings.Repeat(d, 64), `@{int64}`, + strings.Repeat(h, 64), `@{hex64}`, + strings.Repeat(h, 38), `@{hex38}`, + strings.Repeat(d, 32), `@{int32}`, + strings.Repeat(h, 32), `@{hex32}`, + strings.Repeat(d, 16), `@{int16}`, + strings.Repeat(h, 16), `@{hex16}`, + strings.Repeat(d, 10), `@{int10}`, + strings.Repeat(d, 8), `@{int8}`, + strings.Repeat(d, 6), `@{int6}`, }) ) @@ -116,8 +127,8 @@ func toQuote(str string) string { return str } -// NewApparmorLogs return a new ApparmorLogs list of map from a log file -func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { +// New returns a new ApparmorLogs list of map from a log file +func New(file io.Reader, profile string) AppArmorLogs { logs := GetApparmorLogs(file, profile) // Parse log into ApparmorLog struct @@ -129,7 +140,12 @@ func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { aa := make(AppArmorLog) for _, item := range tmp { - kv := strings.Split(item, "=") + kv := strings.FieldsFunc(item, func(r rune) bool { + if r == '"' { + quoted = !quoted + } + return !quoted && r == '=' + }) if len(kv) >= 2 { key, value := kv[0], kv[1] if slices.Contains(toClean, key) { 
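Review bot: In the new multiarch rule `@{arch}-*linux-gnu[^/]?`, `-*` is a regexp quantifier (zero or more hyphens), not a glob, so a three-component triple such as `x86_64-pc-linux-gnu`, which the removed `x86_64-pc-linux-gnu[^/]?` pattern handled, is rewritten to `@{arch}-pc-linux-gnu` and never reaches `@{multiarch}`. Something like `` `@{arch}-([^/-]+-)?linux-gnu[^/]?`, `@{multiarch}` `` covers both the two- and three-component forms. Separately, `(x86_64|amd64|i386|i686)` → `@{arch}` and `1000` → `@{uid}` are unanchored and run before the `@{intN}`/`@{hexN}` rules, so they also rewrite substrings of unrelated tokens (a digit run containing `1000` can no longer match `@{int8}`); the `1000` rule predates this commit but its target changed here, and a `[^0-9]`/word-boundary guard on both would limit the damage. The enclosing `var (` block starts before this hunk.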
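Review bot: The FieldsFunc closure toggles the package-level `quoted` flag and never resets it, so a single field with an unbalanced `"` leaves `quoted == true` for every following item and for later calls to New, and two goroutines parsing logs concurrently race on it. Declare the state locally instead, `quoted := false` immediately before `kv := strings.FieldsFunc(...)` (the closure captures the local); if `quoted` is also used elsewhere in the file, that use should own its own variable too. Note also that FieldsFunc drops empty fields, so `key=` with an empty value now yields `len(kv) == 1` and is skipped where `strings.Split` returned two elements; if empty values matter downstream that case needs explicit handling. New's body continues past this hunk.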
@@ -186,12 +202,11 @@ func (aaLogs AppArmorLogs) String() string { for _, log := range aaLogs { seen := map[string]bool{"apparmor": true} res.WriteString(state[log["apparmor"]]) - fsuid := log["fsuid"] - ouid := log["ouid"] + owner := aa.IsOwner(log) for _, key := range keys { if item, present := log[key]; present { - if key == "name" && fsuid == ouid && !strings.Contains(log["operation"], "dbus") { + if key == "name" && owner { res.WriteString(template[key] + " owner" + reset) } if temp, present := template[key]; present { diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index aa5865eae..376b23f42 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -81,7 +81,7 @@ func TestAppArmorEvents(t *testing.T) { want: AppArmorLogs{ { "apparmor": "ALLOWED", - "profile": "@{bin}/httpd2-prefork//vhost_foo", + "profile": "@{sbin}/httpd2-prefork//vhost_foo", "operation": "rename_dest", "name": "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg", "comm": "httpd2-prefork", @@ -174,14 +174,14 @@ func TestAppArmorEvents(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file := strings.NewReader(tt.event) - if got := NewApparmorLogs(file, ""); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + if got := New(file, ""); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) } }) } } -func TestNewApparmorLogs(t *testing.T) { +func TestNew(t *testing.T) { tests := []struct { name string path string @@ -208,7 +208,7 @@ func TestNewApparmorLogs(t *testing.T) { "apparmor": "DENIED", "profile": "dnsmasq", "operation": "open", - "name": "@{PROC}/@{pid}/environ", + "name": "@{PROC}/1/environ", "comm": "dnsmasq", "requested_mask": "r", "denied_mask": "r", 
@@ -247,12 +247,53 @@ func TestNewApparmorLogs(t *testing.T) { path: filepath.Join(testdata, "audit.log"), want: refPowerProfiles, }, + { + name: "signal-desktop", + path: filepath.Join(testdata, "audit.log"), + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "profile": "signal-desktop", + "operation": "open", + "class": "file", + "name": "@{sys}/devices/@{pci}/boot_vga", + "comm": "signal-desktop", + "requested_mask": "r", + "denied_mask": "r", + "fsuid": "1000", + "ouid": "0", + "FSUID": "user", + "OUID": "root", + }, + }, + }, + { + name: "startplasma", + path: filepath.Join(testdata, "audit.log"), + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "operation": "link", + "class": "file", + "profile": "startplasma", + "name": "@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz", + "target": "@{user_cache_dirs}/#@{int}", + "comm": "startplasma-way", + "denied_mask": "k", + "requested_mask": "k", + "fsuid": "1000", + "ouid": "1000", + "FSUID": "user", + "OUID": "user", + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file, _ := os.Open(tt.path) - if got := NewApparmorLogs(file, tt.name); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + if got := New(file, tt.name); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) } }) } @@ -303,13 +344,13 @@ func TestAppArmorLogs_ParseToProfiles(t *testing.T) { Header: aa.Header{Name: "kmod"}, Rules: aa.Rules{ &aa.Unix{ - RuleBase: aa.RuleBase{FileInherit: true}, + Base: aa.Base{FileInherit: true}, Access: []string{"send", "receive"}, Type: "stream", Protocol: "0", }, &aa.Unix{ - RuleBase: aa.RuleBase{FileInherit: true}, + Base: aa.Base{FileInherit: true}, Access: []string{"send", "receive"}, Type: "stream", Protocol: "0", diff --git a/pkg/paths/list_test.go b/pkg/paths/list_test.go deleted file mode 100644 index eaafc82ce..000000000 --- a/pkg/paths/list_test.go +++ /dev/null 
@@ -1,169 +0,0 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. 
- */ - -package paths - -import ( - "fmt" - "testing" - - "github.com/stretchr/testify/require" -) - -func TestListConstructors(t *testing.T) { - list0 := NewPathList() - require.Len(t, list0, 0) - - list1 := NewPathList("test") - require.Len(t, list1, 1) - require.Equal(t, "[test]", fmt.Sprintf("%s", list1)) - - list3 := NewPathList("a", "b", "c") - require.Len(t, list3, 3) - require.Equal(t, "[a b c]", fmt.Sprintf("%s", list3)) - - require.False(t, list3.Contains(New("d"))) - require.True(t, list3.Contains(New("a"))) - require.False(t, list3.Contains(New("d/../a"))) - - require.False(t, list3.ContainsEquivalentTo(New("d"))) - require.True(t, list3.ContainsEquivalentTo(New("a"))) - require.True(t, list3.ContainsEquivalentTo(New("d/../a"))) - - list4 := list3.Clone() - require.Equal(t, "[a b c]", fmt.Sprintf("%s", list4)) - list4.AddIfMissing(New("d")) - require.Equal(t, "[a b c d]", fmt.Sprintf("%s", list4)) - list4.AddIfMissing(New("b")) - require.Equal(t, "[a b c d]", fmt.Sprintf("%s", list4)) - list4.AddAllMissing(NewPathList("a", "e", "i", "o", "u")) - require.Equal(t, "[a b c d e i o u]", fmt.Sprintf("%s", list4)) -} - -func TestListSorting(t *testing.T) { - list := NewPathList( - "pointless", - "spare", - "carve", - "unwieldy", - "empty", - "bow", - "tub", - "grease", - "error", - "energetic", - "depend", - "property") - require.Equal(t, "[pointless spare carve unwieldy empty bow tub grease error energetic depend property]", fmt.Sprintf("%s", list)) - list.Sort() - require.Equal(t, "[bow carve depend empty energetic error grease pointless property spare tub unwieldy]", fmt.Sprintf("%s", list)) -} - -func TestListFilters(t *testing.T) { - list := NewPathList( - "aaaa", - "bbbb", - "cccc", - "dddd", - "eeff", - "aaaa/bbbb", - "eeee/ffff", - "gggg/hhhh", - ) - - l1 := list.Clone() - l1.FilterPrefix("a") - require.Equal(t, "[aaaa]", fmt.Sprintf("%s", l1)) - - l2 := list.Clone() - l2.FilterPrefix("b") - require.Equal(t, "[bbbb aaaa/bbbb]", fmt.Sprintf("%s", l2)) 
- - l3 := list.Clone() - l3.FilterOutPrefix("b") - require.Equal(t, "[aaaa cccc dddd eeff eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l3)) - - l4 := list.Clone() - l4.FilterPrefix("a", "b") - require.Equal(t, "[aaaa bbbb aaaa/bbbb]", fmt.Sprintf("%s", l4)) - - l5 := list.Clone() - l5.FilterPrefix("test") - require.Equal(t, "[]", fmt.Sprintf("%s", l5)) - - l6 := list.Clone() - l6.FilterOutPrefix("b", "c", "h") - require.Equal(t, "[aaaa dddd eeff eeee/ffff]", fmt.Sprintf("%s", l6)) - - l7 := list.Clone() - l7.FilterSuffix("a") - require.Equal(t, "[aaaa]", fmt.Sprintf("%s", l7)) - - l8 := list.Clone() - l8.FilterSuffix("a", "h") - require.Equal(t, "[aaaa gggg/hhhh]", fmt.Sprintf("%s", l8)) - - l9 := list.Clone() - l9.FilterSuffix("test") - require.Equal(t, "[]", fmt.Sprintf("%s", l9)) - - l10 := list.Clone() - l10.FilterOutSuffix("a") - require.Equal(t, "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l10)) - - l11 := list.Clone() - l11.FilterOutSuffix("a", "h") - require.Equal(t, "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff]", fmt.Sprintf("%s", l11)) - - l12 := list.Clone() - l12.FilterOutSuffix("test") - require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l12)) - - l13 := list.Clone() - l13.FilterOutSuffix() - require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l13)) - - l14 := list.Clone() - l14.FilterSuffix() - require.Equal(t, "[]", fmt.Sprintf("%s", l14)) - - l15 := list.Clone() - l15.FilterOutPrefix() - require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l15)) - - l16 := list.Clone() - l16.FilterPrefix() - require.Equal(t, "[]", fmt.Sprintf("%s", l16)) - - l17 := list.Clone() - l17.Filter(func(p *Path) bool { - return p.Base() == "bbbb" - }) - require.Equal(t, "[bbbb aaaa/bbbb]", fmt.Sprintf("%s", l17)) -} diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index a734d17ed..357b9c2f7 100644 --- a/pkg/paths/paths.go 
+++ b/pkg/paths/paths.go @@ -35,9 +35,12 @@ import ( "io/fs" "os" "path/filepath" + "slices" "strings" "syscall" "time" + + "github.com/roddhjav/apparmor.d/pkg/util" ) // Path represents a path @@ -176,7 +179,7 @@ func (p *Path) IsAbs() bool { return filepath.IsAbs(p.path) } -// ToAbs transofrm the current Path to the corresponding absolute path +// ToAbs transform the current Path to the corresponding absolute path func (p *Path) ToAbs() error { abs, err := filepath.Abs(p.path) if err != nil { @@ -360,6 +363,41 @@ func (p *Path) CopyTo(dst *Path) error { return nil } +// CopyTo recursivelly copy all files from a source path to a destination path. +func CopyTo(src *Path, dst *Path) error { + files, err := src.ReadDirRecursiveFiltered(nil, + FilterOutDirectories(), + FilterOutNames("README.md"), + ) + if err != nil { + return err + } + for _, file := range files { + destination, err := file.RelFrom(src) + if err != nil { + return err + } + destination = dst.JoinPath(destination) + if err := destination.Parent().MkdirAll(); err != nil { + return err + } + if err := file.CopyTo(destination); err != nil { + return err + } + } + return nil +} + +// CopyFS copies the file system fsys into the directory dir, +// creating dir if necessary. It is the exivalent of os.CopyFS with Path. +func (p *Path) CopyFS(dst *Path) error { + err := os.CopyFS(dst.String(), os.DirFS(p.String())) + if err != nil { + return fmt.Errorf("copying %s to %s: %s", p, dst, err) + } + return nil +} + // CopyDirTo recursively copies the directory denoted by the current path to // the destination path. The source directory must exist and the destination // directory must NOT exist (no implicit destination name allowed). 
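Review bot: The new package-level `CopyTo` silently skips every file named `README.md` via `FilterOutNames("README.md")`, which a caller of a generic copy helper in pkg/paths would not expect and which its doc comment does not mention; either state it, `// CopyTo recursively copies all regular files from src to dst, skipping any README.md.`, or move that filter to the caller. In `CopyFS`, `fmt.Errorf("copying %s to %s: %s", p, dst, err)` should use `%w` so callers can still match the underlying os error with errors.Is. The CopyFS comment was copied from os.CopyFS and refers to `fsys` and `dir` rather than the receiver and `dst`; it also has "exivalent" for "equivalent", and the CopyTo comment has "recursivelly" for "recursively". os.CopyFS needs a Go 1.23+ toolchain, which is worth confirming against go.mod.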
@@ -460,6 +498,24 @@ func WriteToTempFile(data []byte, dir *Path, prefix string) (res *Path, err erro return New(f.Name()), nil } +// ReadFileAsString read a file and return its content as a string. +func (p *Path) ReadFileAsString() (string, error) { + content, err := p.ReadFile() + if err != nil { + return "", err + } + return string(content), nil +} + +// MustReadFileAsString read a file and return its content as a string. Panic if an error occurs. +func (p *Path) MustReadFileAsString() string { + content, err := p.ReadFile() + if err != nil { + panic(err) + } + return string(content) +} + // ReadFileAsLines reads the file named by filename and returns it as an // array of lines. This function takes care of the newline encoding // differences between different OS @@ -469,10 +525,37 @@ func (p *Path) ReadFileAsLines() ([]string, error) { return nil, err } txt := string(data) - txt = strings.Replace(txt, "\r\n", "\n", -1) + txt = strings.ReplaceAll(txt, "\r\n", "\n") return strings.Split(txt, "\n"), nil } +// MustReadFileAsLines read a file and return its content as a slice of string. Panic if an error occurs. +func (p *Path) MustReadFileAsLines() []string { + lines, err := p.ReadFileAsLines() + if err != nil { + panic(err) + } + return lines +} + +// MustReadFilteredFileAsLines read a file and return its content as a slice of string. +// It filter out comments and empty lines. Panic if an error occurs. +func (p *Path) MustReadFilteredFileAsLines() []string { + data, err := p.ReadFile() + if err != nil { + panic(err) + } + txt := string(data) + txt = strings.ReplaceAll(txt, "\r\n", "\n") + txt = util.Filter(txt) + res := strings.Split(txt, "\n") + if slices.Contains(res, "") { + idx := slices.Index(res, "") + res = slices.Delete(res, idx, idx+1) + } + return res +} + // Truncate create an empty file named by path or if the file already // exist it truncates it (delete all contents) func (p *Path) Truncate() error { 
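Review bot: `MustReadFileAsString` re-implements `ReadFileAsString` line for line instead of calling it, so the two can drift apart; `content, err := p.ReadFileAsString()` followed by the panic check keeps one definition of the conversion. Both new methods are otherwise straightforward.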
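Review bot: In `MustReadFilteredFileAsLines` the `slices.Contains`/`slices.Index`/`slices.Delete` sequence removes only the first empty string, so if `util.Filter` leaves more than one blank line (or the file ends with a newline followed by an empty line) empty entries still come back, contrary to the comment that says they are filtered out. `res := slices.DeleteFunc(strings.Split(txt, "\n"), func(s string) bool { return s == "" })` removes all of them in one pass and drops the three-call dance. Whether `util.Filter` guarantees at most one empty line is not visible here, so the single-removal may have been deliberate; if so the comment should say that.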
@@ -552,12 +635,14 @@ func (p *Path) String() string { // Canonical return a "canonical" Path for the given filename. // The meaning of "canonical" is OS-dependent but the goal of this method // is to always return the same path for a given file (factoring out all the -// possibile ambiguities including, for example, relative paths traversal, +// possible ambiguities including, for example, relative paths traversal, // symlinks, drive volume letter case, etc). func (p *Path) Canonical() *Path { canonical := p.Clone() // https://github.com/golang/go/issues/17084#issuecomment-246645354 - canonical.FollowSymLink() + if err := canonical.FollowSymLink(); err != nil { + return nil + } if absPath, err := canonical.Abs(); err == nil { canonical = absPath } diff --git a/pkg/paths/paths_test.go b/pkg/paths/paths_test.go deleted file mode 100644 index 27fde6248..000000000 --- a/pkg/paths/paths_test.go +++ /dev/null 
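Review bot: Returning `nil` from Canonical when FollowSymLink fails turns a method that previously always produced a Path into one that can hand back a nil pointer, and existing call sites chain it directly (`TempDir().Canonical().String()` and `New("testdata", "fileset", "nonexistentFile").Canonical()` in the test file this same commit deletes), which will now panic if FollowSymLink reports a missing target. Either keep the best-effort behaviour explicitly, `_ = canonical.FollowSymLink() // best effort: fall back to the unresolved path`, or change the signature to `(*Path, error)` so callers are forced to handle the failure. Whether FollowSymLink errors on a non-existent file is not visible in this hunk. Canonical's body continues past the hunk.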
@@ -1,432 +0,0 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. 
- */ - -package paths - -import ( - "path/filepath" - "runtime" - "strings" - "testing" - - "github.com/stretchr/testify/require" -) - -func pathEqualsTo(t *testing.T, expected string, actual *Path) { - require.Equal(t, expected, filepath.ToSlash(actual.String())) -} - -func TestPathNew(t *testing.T) { - test1 := New("path") - require.Equal(t, "path", test1.String()) - - test2 := New("path", "path") - require.Equal(t, filepath.Join("path", "path"), test2.String()) - - test3 := New() - require.Nil(t, test3) - - test4 := New("") - require.Nil(t, test4) -} - -func TestPath(t *testing.T) { - testPath := New("testdata", "fileset") - pathEqualsTo(t, "testdata/fileset", testPath) - isDir, err := testPath.IsDirCheck() - require.True(t, isDir) - require.NoError(t, err) - require.True(t, testPath.IsDir()) - require.False(t, testPath.IsNotDir()) - exist, err := testPath.ExistCheck() - require.True(t, exist) - require.NoError(t, err) - require.True(t, testPath.Exist()) - require.False(t, testPath.NotExist()) - - folderPath := testPath.Join("folder") - pathEqualsTo(t, "testdata/fileset/folder", folderPath) - isDir, err = folderPath.IsDirCheck() - require.True(t, isDir) - require.NoError(t, err) - require.True(t, folderPath.IsDir()) - require.False(t, folderPath.IsNotDir()) - - exist, err = folderPath.ExistCheck() - require.True(t, exist) - require.NoError(t, err) - require.True(t, folderPath.Exist()) - require.False(t, folderPath.NotExist()) - - filePath := testPath.Join("file") - pathEqualsTo(t, "testdata/fileset/file", filePath) - isDir, err = filePath.IsDirCheck() - require.False(t, isDir) - require.NoError(t, err) - require.False(t, filePath.IsDir()) - require.True(t, filePath.IsNotDir()) - exist, err = filePath.ExistCheck() - require.True(t, exist) - require.NoError(t, err) - require.True(t, filePath.Exist()) - require.False(t, filePath.NotExist()) - - anotherFilePath := filePath.Join("notexistent") - pathEqualsTo(t, "testdata/fileset/file/notexistent", anotherFilePath) - 
isDir, err = anotherFilePath.IsDirCheck() - require.False(t, isDir) - require.Error(t, err) - require.False(t, anotherFilePath.IsDir()) - require.False(t, anotherFilePath.IsNotDir()) - exist, err = anotherFilePath.ExistCheck() - require.False(t, exist) - require.NoError(t, err) - require.False(t, anotherFilePath.Exist()) - require.True(t, anotherFilePath.NotExist()) - - list, err := folderPath.ReadDir() - require.NoError(t, err) - require.Len(t, list, 4) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) - pathEqualsTo(t, "testdata/fileset/folder/file2", list[1]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[3]) - - list2 := list.Clone() - list2.FilterDirs() - require.Len(t, list2, 1) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[0]) - - list2 = list.Clone() - list2.FilterOutHiddenFiles() - require.Len(t, list2, 3) - pathEqualsTo(t, "testdata/fileset/folder/file2", list2[0]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list2[1]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[2]) - - list2 = list.Clone() - list2.FilterOutPrefix("file") - require.Len(t, list2, 2) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list2[0]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[1]) -} - -func TestResetStatCacheWhenFollowingSymlink(t *testing.T) { - testdata := New("testdata", "fileset") - files, err := testdata.ReadDir() - require.NoError(t, err) - for _, file := range files { - if file.Base() == "symlinktofolder" { - err = file.FollowSymLink() - require.NoError(t, err) - isDir, err := file.IsDirCheck() - require.NoError(t, err) - require.True(t, isDir) - break - } - } -} - -func TestIsInsideDir(t *testing.T) { - notInside := func(a, b *Path) { - isInside, err := a.IsInsideDir(b) - require.NoError(t, err) - require.False(t, isInside, "%s is inside %s", a, b) - } - - inside := func(a, b *Path) { - isInside, err := a.IsInsideDir(b) - 
require.NoError(t, err) - require.True(t, isInside, "%s is inside %s", a, b) - notInside(b, a) - } - - f1 := New("/a/b/c") - f2 := New("/a/b/c/d") - f3 := New("/a/b/c/d/e") - - notInside(f1, f1) - notInside(f1, f2) - inside(f2, f1) - notInside(f1, f3) - inside(f3, f1) - - r1 := New("a/b/c") - r2 := New("a/b/c/d") - r3 := New("a/b/c/d/e") - r4 := New("f/../a/b/c/d/e") - r5 := New("a/b/c/d/e/f/..") - - notInside(r1, r1) - notInside(r1, r2) - inside(r2, r1) - notInside(r1, r3) - inside(r3, r1) - inside(r4, r1) - notInside(r1, r4) - inside(r5, r1) - notInside(r1, r5) - - f4 := New("/home/megabug/aide/arduino-1.8.6/hardware/arduino/avr") - f5 := New("/home/megabug/a15/packages") - notInside(f5, f4) - notInside(f4, f5) - - if runtime.GOOS == "windows" { - f6 := New("C:\\", "A") - f7 := New("C:\\", "A", "B", "C") - f8 := New("E:\\", "A", "B", "C") - inside(f7, f6) - notInside(f8, f6) - } -} - -func TestReadFileAsLines(t *testing.T) { - lines, err := New("testdata/fileset/anotherFile").ReadFileAsLines() - require.NoError(t, err) - require.Len(t, lines, 4) - require.Equal(t, "line 1", lines[0]) - require.Equal(t, "line 2", lines[1]) - require.Equal(t, "", lines[2]) - require.Equal(t, "line 3", lines[3]) -} - -func TestCanonicaTempDir(t *testing.T) { - require.Equal(t, TempDir().String(), TempDir().Canonical().String()) -} - -func TestCopyDir(t *testing.T) { - tmp, err := MkTempDir("", "") - require.NoError(t, err) - defer tmp.RemoveAll() - - src := New("testdata", "fileset") - err = src.CopyDirTo(tmp.Join("dest")) - require.NoError(t, err, "copying dir") - - exist, err := tmp.Join("dest", "folder", "subfolder", "file4").ExistCheck() - require.True(t, exist) - require.NoError(t, err) - - isdir, err := tmp.Join("dest", "folder", "subfolder", "file4").IsDirCheck() - require.False(t, isdir) - require.NoError(t, err) - - err = src.CopyDirTo(tmp.Join("dest")) - require.Error(t, err, "copying dir to already existing") - - err = src.Join("file").CopyDirTo(tmp.Join("dest2")) - 
require.Error(t, err, "copying file as dir") -} - -func TestParents(t *testing.T) { - parents := New("/a/very/long/path").Parents() - require.Len(t, parents, 5) - pathEqualsTo(t, "/a/very/long/path", parents[0]) - pathEqualsTo(t, "/a/very/long", parents[1]) - pathEqualsTo(t, "/a/very", parents[2]) - pathEqualsTo(t, "/a", parents[3]) - pathEqualsTo(t, "/", parents[4]) - - parents2 := New("a/very/relative/path").Parents() - require.Len(t, parents, 5) - pathEqualsTo(t, "a/very/relative/path", parents2[0]) - pathEqualsTo(t, "a/very/relative", parents2[1]) - pathEqualsTo(t, "a/very", parents2[2]) - pathEqualsTo(t, "a", parents2[3]) - pathEqualsTo(t, ".", parents2[4]) -} - -func TestFilterDirs(t *testing.T) { - testPath := New("testdata", "fileset") - - list, err := testPath.ReadDir() - require.NoError(t, err) - require.Len(t, list, 6) - - pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) - pathEqualsTo(t, "testdata/fileset/file", list[1]) - pathEqualsTo(t, "testdata/fileset/folder", list[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[3]) - pathEqualsTo(t, "testdata/fileset/test.txt", list[4]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[5]) - - list.FilterDirs() - require.Len(t, list, 2) - pathEqualsTo(t, "testdata/fileset/folder", list[0]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[1]) -} - -func TestFilterOutDirs(t *testing.T) { - { - testPath := New("testdata", "fileset") - - list, err := testPath.ReadDir() - require.NoError(t, err) - require.Len(t, list, 6) - - pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) - pathEqualsTo(t, "testdata/fileset/file", list[1]) - pathEqualsTo(t, "testdata/fileset/folder", list[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[3]) - pathEqualsTo(t, "testdata/fileset/test.txt", list[4]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[5]) - - list.FilterOutDirs() - require.Len(t, list, 4) - pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) - 
pathEqualsTo(t, "testdata/fileset/file", list[1]) - pathEqualsTo(t, "testdata/fileset/test.txt", list[2]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[3]) - } - - { - list, err := New("testdata", "broken_symlink", "dir_1").ReadDirRecursive() - require.NoError(t, err) - - require.Len(t, list, 7) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/broken_link", list[0]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/file2", list[1]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir", list[2]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir/file1", list[3]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_file", list[4]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir", list[5]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir/file1", list[6]) - - list.FilterOutDirs() - require.Len(t, list, 5) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/broken_link", list[0]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/file2", list[1]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir/file1", list[2]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_file", list[3]) - pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir/file1", list[4]) - } -} - -func TestEquivalentPaths(t *testing.T) { - wd, err := Getwd() - require.NoError(t, err) - require.True(t, New("file1").EquivalentTo(New("file1", "somethingelse", ".."))) - require.True(t, New("file1", "abc").EquivalentTo(New("file1", "abc", "def", ".."))) - require.True(t, wd.Join("file1").EquivalentTo(New("file1"))) - require.True(t, wd.Join("file1").EquivalentTo(New("file1", "abc", ".."))) - - if runtime.GOOS == "windows" { - q := New("testdata", "fileset", "anotherFile") - r := New("testdata", "fileset", "ANOTHE~1") - require.True(t, q.EquivalentTo(r)) - require.True(t, r.EquivalentTo(q)) - } -} - -func TestCanonicalize(t *testing.T) { - wd, err := Getwd() - require.NoError(t, err) - - p := New("testdata", "fileset", "anotherFile").Canonical() - 
require.Equal(t, wd.Join("testdata", "fileset", "anotherFile").String(), p.String()) - - p = New("testdata", "fileset", "nonexistentFile").Canonical() - require.Equal(t, wd.Join("testdata", "fileset", "nonexistentFile").String(), p.String()) - - if runtime.GOOS == "windows" { - q := New("testdata", "fileset", "ANOTHE~1").Canonical() - require.Equal(t, wd.Join("testdata", "fileset", "anotherFile").String(), q.String()) - - r := New("c:\\").Canonical() - require.Equal(t, "C:\\", r.String()) - - tmp, err := MkTempDir("", "pref") - require.NoError(t, err) - require.Equal(t, tmp.String(), tmp.Canonical().String()) - } -} - -func TestRelativeTo(t *testing.T) { - res, err := New("/my/abs/path/123/456").RelTo(New("/my/abs/path")) - require.NoError(t, err) - pathEqualsTo(t, "../..", res) - - res, err = New("/my/abs/path").RelTo(New("/my/abs/path/123/456")) - require.NoError(t, err) - pathEqualsTo(t, "123/456", res) - - res, err = New("my/path").RelTo(New("/other/path")) - require.Error(t, err) - require.Nil(t, res) - - res, err = New("/my/abs/path/123/456").RelFrom(New("/my/abs/path")) - pathEqualsTo(t, "123/456", res) - require.NoError(t, err) - - res, err = New("/my/abs/path").RelFrom(New("/my/abs/path/123/456")) - require.NoError(t, err) - pathEqualsTo(t, "../..", res) - - res, err = New("my/path").RelFrom(New("/other/path")) - require.Error(t, err) - require.Nil(t, res) -} - -func TestWriteToTempFile(t *testing.T) { - tmpDir := New("testdata", "fileset", "tmp") - err := tmpDir.MkdirAll() - require.NoError(t, err) - defer tmpDir.RemoveAll() - - tmpData := []byte("test") - tmp, err := WriteToTempFile(tmpData, tmpDir, "prefix") - defer tmp.Remove() - require.NoError(t, err) - require.True(t, strings.HasPrefix(tmp.Base(), "prefix")) - isInside, err := tmp.IsInsideDir(tmpDir) - require.NoError(t, err) - require.True(t, isInside) - data, err := tmp.ReadFile() - require.NoError(t, err) - require.Equal(t, tmpData, data) -} - -func TestCopyToSamePath(t *testing.T) { - tmpDir := 
New(t.TempDir()) - srcFile := tmpDir.Join("test_file") - dstFile := srcFile - - // create the source file in tmp dir - err := srcFile.WriteFile([]byte("hello")) - require.NoError(t, err) - content, err := srcFile.ReadFile() - require.NoError(t, err) - require.Equal(t, []byte("hello"), content) - - // cannot copy the same file - err = srcFile.CopyTo(dstFile) - require.Error(t, err) - require.Contains(t, err.Error(), "are the same file") -} diff --git a/pkg/paths/process.go b/pkg/paths/process.go index 4c8692866..ebfe71343 100644 --- a/pkg/paths/process.go +++ b/pkg/paths/process.go @@ -55,7 +55,8 @@ func NewProcess(extraEnv []string, args ...string) (*Process, error) { cmd: exec.Command(args[0], args[1:]...), } p.cmd.Env = append(os.Environ(), extraEnv...) - p.TellCommandNotToSpawnShell() + tellCommandNotToSpawnShell(p.cmd) // windows specific + tellCommandToStartOnNewProcessGroup(p.cmd) // linux specific // This is required because some tools detects if the program is running // from terminal by looking at the stdin/out bindings. @@ -146,7 +147,7 @@ func (p *Process) Signal(sig os.Signal) error { // actually exited. This only kills the Process itself, not any other processes it may // have started. func (p *Process) Kill() error { - return p.cmd.Process.Kill() + return kill(p.cmd) } // SetDir sets the working directory of the command. If Dir is the empty string, Run diff --git a/pkg/paths/process_others.go b/pkg/paths/process_linux.go similarity index 69% rename from pkg/paths/process_others.go rename to pkg/paths/process_linux.go index 39bd3e161..5735a85c3 100644 --- a/pkg/paths/process_others.go +++ b/pkg/paths/process_linux.go 
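Review bot: The doc comment above Kill still says "This only kills the Process itself, not any other processes it may have started", but the new `kill(p.cmd)` on Linux signals the whole process group created by `tellCommandToStartOnNewProcessGroup`, so the comment now states the opposite of the behaviour; update it to `// Kill causes the Process and, on Linux, every process in its process group to exit immediately.` In the NewProcess hunk of this file, the rename of process_others.go to process_linux.go appears to leave `tellCommandNotToSpawnShell`, `tellCommandToStartOnNewProcessGroup` and `kill` undefined on other non-Windows platforms (darwin, the BSDs), so the package would no longer build there unless a file not shown here covers them. Kill is fully inside its hunk; NewProcess begins outside the earlier one.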
@@ -31,8 +31,34 @@
 package paths
-import "os/exec"
+import (
+ "os/exec"
+ "syscall"
+)
 func tellCommandNotToSpawnShell(_ *exec.Cmd) {
 // no op
 }
+
+func tellCommandToStartOnNewProcessGroup(oscmd *exec.Cmd) {
+ // https://groups.google.com/g/golang-nuts/c/XoQ3RhFBJl8
+
+ // Start the process in a new process group.
+ // This is needed to kill the process and its children
+ // if we need to kill the process.
+ if oscmd.SysProcAttr == nil {
+ oscmd.SysProcAttr = &syscall.SysProcAttr{}
+ }
+ oscmd.SysProcAttr.Setpgid = true
+}
+
+func kill(oscmd *exec.Cmd) error {
+ // https://groups.google.com/g/golang-nuts/c/XoQ3RhFBJl8
+
+ // Kill the process group
+ pgid, err := syscall.Getpgid(oscmd.Process.Pid)
+ if err != nil {
+ return err
+ }
+ return syscall.Kill(-pgid, syscall.SIGKILL)
+}
diff --git a/pkg/paths/process_test.go b/pkg/paths/process_test.go
deleted file mode 100644
index 5346dda02..000000000
--- a/pkg/paths/process_test.go
+++ /dev/null
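Review bot: `kill` sends SIGKILL to `-pgid` without checking that the group it obtained is the child's own: `syscall.Getpgid` succeeds for any live pid, so if the command was started without `Setpgid` (a caller that replaces `SysProcAttr` after `NewProcess`, or a `Cmd` that never went through `tellCommandToStartOnNewProcessGroup`) the returned pgid is the parent's group and `syscall.Kill(-pgid, SIGKILL)` terminates the calling program and its siblings. With `Setpgid = true` and `Pgid` left at zero the child's group id equals its pid, so a cheap guard before the group kill is `if pgid != oscmd.Process.Pid { return oscmd.Process.Kill() }`. `kill` also dereferences `oscmd.Process` unconditionally and panics if the command was never started; the old `p.cmd.Process.Kill()` had the same exposure, so this is not a regression, but a nil check is cheap now that the function is being rewritten. The rename from `process_others.go` to `process_linux.go` narrows the implicit build constraint to Linux, so unless another file not shown in the commit supplies these three functions for darwin and the BSDs the package will stop compiling there.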
@@ -1,56 +0,0 @@ -// -// This file is part of PathsHelper library. -// -// Copyright 2023 Arduino AG (http://www.arduino.cc/) -// -// PathsHelper library is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; either version 2 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License -// along with this program; if not, write to the Free Software -// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -// -// As a special exception, you may use this file as part of a free software -// library without restriction. Specifically, if other files instantiate -// templates or use macros or inline functions from this file, or you compile -// this file and link it with other files to produce an executable, this -// file does not by itself cause the resulting executable to be covered by -// the GNU General Public License. This exception does not however -// invalidate any other reasons why the executable file might be covered by -// the GNU General Public License. 
-// - -package paths - -import ( - "context" - "testing" - "time" - - "github.com/stretchr/testify/require" -) - -func TestProcessWithinContext(t *testing.T) { - // Build `delay` helper inside testdata/delay - builder, err := NewProcess(nil, "go", "build") - require.NoError(t, err) - builder.SetDir("testdata/delay") - require.NoError(t, builder.Run()) - - // Run delay and test if the process is terminated correctly due to context - process, err := NewProcess(nil, "testdata/delay/delay") - require.NoError(t, err) - start := time.Now() - ctx, cancel := context.WithTimeout(context.Background(), 250*time.Millisecond) - err = process.RunWithinContext(ctx) - require.Error(t, err) - require.Less(t, time.Since(start), 500*time.Millisecond) - cancel() -} diff --git a/pkg/paths/readdir_test.go b/pkg/paths/readdir_test.go deleted file mode 100644 index ae25ede97..000000000 --- a/pkg/paths/readdir_test.go +++ /dev/null 
@@ -1,343 +0,0 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018-2022 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. 
- */ - -package paths - -import ( - "fmt" - "io/fs" - "os" - "runtime" - "testing" - "time" - - "github.com/stretchr/testify/require" -) - -func TestReadDirRecursive(t *testing.T) { - testPath := New("testdata", "fileset") - - list, err := testPath.ReadDirRecursive() - require.NoError(t, err) - require.Len(t, list, 16) - - pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) - pathEqualsTo(t, "testdata/fileset/file", list[1]) - pathEqualsTo(t, "testdata/fileset/folder", list[2]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[3]) - pathEqualsTo(t, "testdata/fileset/folder/file2", list[4]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list[5]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[6]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", list[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", list[9]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", list[10]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", list[11]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", list[12]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", list[13]) - pathEqualsTo(t, "testdata/fileset/test.txt", list[14]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[15]) -} - -func TestReadDirRecursiveSymLinkLoop(t *testing.T) { - // Test symlink loop - tmp, err := MkTempDir("", "") - require.NoError(t, err) - defer tmp.RemoveAll() - - folder := tmp.Join("folder") - err = os.Symlink(tmp.String(), folder.String()) - require.NoError(t, err) - - l, err := tmp.ReadDirRecursive() - require.Error(t, err) - fmt.Println(err) - require.Nil(t, l) - - l, err = tmp.ReadDirRecursiveFiltered(nil) - require.Error(t, err) - fmt.Println(err) - require.Nil(t, l) -} - -func TestReadDirFiltered(t *testing.T) { - folderPath := New("testdata/fileset/folder") - list, err := folderPath.ReadDir() - require.NoError(t, err) - 
require.Len(t, list, 4) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) - pathEqualsTo(t, "testdata/fileset/folder/file2", list[1]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[3]) - - list, err = folderPath.ReadDir(FilterDirectories()) - require.NoError(t, err) - require.Len(t, list, 1) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[0]) - - list, err = folderPath.ReadDir(FilterOutPrefixes("file")) - require.NoError(t, err) - require.Len(t, list, 2) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[1]) -} - -func TestReadDirRecursiveFiltered(t *testing.T) { - testdata := New("testdata", "fileset") - l, err := testdata.ReadDirRecursiveFiltered(nil) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 16) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[3]) - pathEqualsTo(t, "testdata/fileset/folder/file2", l[4]) - pathEqualsTo(t, "testdata/fileset/folder/file3", l[5]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[6]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[9]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[10]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[11]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[12]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[13]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[14]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[15]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutDirectories()) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 6) 
- pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) // <- this is listed but not traversed - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) // <- this is listed but not traversed - pathEqualsTo(t, "testdata/fileset/test.txt", l[4]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[5]) - - l, err = testdata.ReadDirRecursiveFiltered(nil, FilterOutDirectories()) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 12) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/file2", l[3]) - pathEqualsTo(t, "testdata/fileset/folder/file3", l[4]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[6]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[9]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[10]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[11]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutDirectories(), FilterOutDirectories()) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 4) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[2]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[3]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), FilterOutSuffixes("3")) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 12) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, 
"testdata/fileset/folder/.hidden", l[3]) - pathEqualsTo(t, "testdata/fileset/folder/file2", l[4]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[5]) // <- subfolder skipped by Prefix("sub") - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[6]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[9]) // <- subfolder skipped by Prefix("sub") - pathEqualsTo(t, "testdata/fileset/test.txt", l[10]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[11]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil"))) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 9) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/folder", l[1]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[8]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil"), FilterOutSuffixes(".gz"))) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 8) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/folder", l[1]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) - 
pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) - - l, err = testdata.ReadDirRecursiveFiltered(OrFilter(FilterPrefixes("sub"), FilterSuffixes("tofolder"))) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 11) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[6]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[8]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[9]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[10]) - - l, err = testdata.ReadDirRecursiveFiltered(nil, FilterNames("folder")) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 1) - pathEqualsTo(t, "testdata/fileset/folder", l[0]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterNames("symlinktofolder"), FilterOutNames(".hidden")) - require.NoError(t, err) - require.Len(t, l, 9) - l.Sort() - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[8]) -} - -func TestReadDirRecursiveLoopDetection(t *testing.T) { - loopsPath := New("testdata", "loops") - unbuondedReaddir := func(testdir string) (PathList, error) { - var files PathList - var err error - done := make(chan bool) - 
go func() { - files, err = loopsPath.Join(testdir).ReadDirRecursive() - done <- true - }() - require.Eventually( - t, - func() bool { - select { - case <-done: - return true - default: - return false - } - }, - 5*time.Second, - 10*time.Millisecond, - "Infinite symlink loop while loading sketch", - ) - return files, err - } - - for _, dir := range []string{"loop_1", "loop_2", "loop_3", "loop_4"} { - l, err := unbuondedReaddir(dir) - require.EqualError(t, err, "directories symlink loop detected", "loop not detected in %s", dir) - require.Nil(t, l) - } - - { - l, err := unbuondedReaddir("regular_1") - require.NoError(t, err) - require.Len(t, l, 4) - l.Sort() - pathEqualsTo(t, "testdata/loops/regular_1/dir1", l[0]) - pathEqualsTo(t, "testdata/loops/regular_1/dir1/file1", l[1]) - pathEqualsTo(t, "testdata/loops/regular_1/dir2", l[2]) - pathEqualsTo(t, "testdata/loops/regular_1/dir2/file1", l[3]) - } - - { - l, err := unbuondedReaddir("regular_2") - require.NoError(t, err) - require.Len(t, l, 6) - l.Sort() - pathEqualsTo(t, "testdata/loops/regular_2/dir1", l[0]) - pathEqualsTo(t, "testdata/loops/regular_2/dir1/file1", l[1]) - pathEqualsTo(t, "testdata/loops/regular_2/dir2", l[2]) - pathEqualsTo(t, "testdata/loops/regular_2/dir2/dir1", l[3]) - pathEqualsTo(t, "testdata/loops/regular_2/dir2/dir1/file1", l[4]) - pathEqualsTo(t, "testdata/loops/regular_2/dir2/file2", l[5]) - } - - { - l, err := unbuondedReaddir("regular_3") - require.NoError(t, err) - require.Len(t, l, 7) - l.Sort() - pathEqualsTo(t, "testdata/loops/regular_3/dir1", l[0]) - pathEqualsTo(t, "testdata/loops/regular_3/dir1/file1", l[1]) - pathEqualsTo(t, "testdata/loops/regular_3/dir2", l[2]) - pathEqualsTo(t, "testdata/loops/regular_3/dir2/dir1", l[3]) - pathEqualsTo(t, "testdata/loops/regular_3/dir2/dir1/file1", l[4]) - pathEqualsTo(t, "testdata/loops/regular_3/dir2/file2", l[5]) - pathEqualsTo(t, "testdata/loops/regular_3/link", l[6]) // broken symlink is reported in files - } - - if runtime.GOOS != 
"windows" { - dir1 := loopsPath.Join("regular_4_with_permission_error", "dir1") - - l, err := unbuondedReaddir("regular_4_with_permission_error") - require.NoError(t, err) - require.NotEmpty(t, l) - - dir1Stat, err := dir1.Stat() - require.NoError(t, err) - err = dir1.Chmod(fs.FileMode(0)) // Enforce permission error - require.NoError(t, err) - t.Cleanup(func() { - // Restore normal permission after the test - dir1.Chmod(dir1Stat.Mode()) - }) - - l, err = unbuondedReaddir("regular_4_with_permission_error") - require.Error(t, err) - require.Nil(t, l) - } -} diff --git a/pkg/paths/testdata/broken_symlink/dir_1/broken_link b/pkg/paths/testdata/broken_symlink/dir_1/broken_link deleted file mode 120000 index 86a410dd1..000000000 --- a/pkg/paths/testdata/broken_symlink/dir_1/broken_link +++ /dev/null @@ -1 +0,0 @@ -broken \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/file2 b/pkg/paths/testdata/broken_symlink/dir_1/file2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/broken_symlink/dir_1/linked_dir b/pkg/paths/testdata/broken_symlink/dir_1/linked_dir deleted file mode 120000 index 4b019049f..000000000 --- a/pkg/paths/testdata/broken_symlink/dir_1/linked_dir +++ /dev/null @@ -1 +0,0 @@ -real_dir \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/linked_file b/pkg/paths/testdata/broken_symlink/dir_1/linked_file deleted file mode 120000 index 30d67d467..000000000 --- a/pkg/paths/testdata/broken_symlink/dir_1/linked_file +++ /dev/null @@ -1 +0,0 @@ -file2 \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/real_dir/file1 b/pkg/paths/testdata/broken_symlink/dir_1/real_dir/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/delay/.gitignore b/pkg/paths/testdata/delay/.gitignore deleted file mode 100644 index fd5812a40..000000000 --- a/pkg/paths/testdata/delay/.gitignore +++ /dev/null @@ -1 +0,0 @@ -delay* 
diff --git a/pkg/paths/testdata/delay/main.go b/pkg/paths/testdata/delay/main.go deleted file mode 100644 index fa6030c40..000000000 --- a/pkg/paths/testdata/delay/main.go +++ /dev/null @@ -1,40 +0,0 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2023 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. - */ - -package main - -import ( - "fmt" - "time" -) - -func main() { - time.Sleep(3 * time.Second) - fmt.Println("Elapsed!") -} diff --git a/pkg/paths/testdata/fileset/anotherFile b/pkg/paths/testdata/fileset/anotherFile deleted file mode 100644 index 27649646e..000000000 --- a/pkg/paths/testdata/fileset/anotherFile +++ /dev/null 
@@ -1,4 +0,0 @@ -line 1 -line 2 - -line 3 \ No newline at end of file diff --git a/pkg/paths/testdata/fileset/file b/pkg/paths/testdata/fileset/file deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/folder/.hidden b/pkg/paths/testdata/fileset/folder/.hidden deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/folder/file2 b/pkg/paths/testdata/fileset/folder/file2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/folder/file3 b/pkg/paths/testdata/fileset/folder/file3 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/folder/subfolder/file4 b/pkg/paths/testdata/fileset/folder/subfolder/file4 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/fileset/symlinktofolder b/pkg/paths/testdata/fileset/symlinktofolder deleted file mode 120000 index 01196353b..000000000 --- a/pkg/paths/testdata/fileset/symlinktofolder +++ /dev/null @@ -1 +0,0 @@ -folder \ No newline at end of file diff --git a/pkg/paths/testdata/fileset/test.txt b/pkg/paths/testdata/fileset/test.txt deleted file mode 100644 index d3ded994d..000000000 --- a/pkg/paths/testdata/fileset/test.txt +++ /dev/null 
@@ -1,20 +0,0 @@ -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. 
It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. 
It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - 
diff --git a/pkg/paths/testdata/fileset/test.txt.gz b/pkg/paths/testdata/fileset/test.txt.gz deleted file mode 100644 index e75120aef..000000000 Binary files a/pkg/paths/testdata/fileset/test.txt.gz and /dev/null differ diff --git a/pkg/paths/testdata/loops/loop_1/dir1/loop b/pkg/paths/testdata/loops/loop_1/dir1/loop deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/loop_1/dir1/loop +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_2/dir1/loop2 b/pkg/paths/testdata/loops/loop_2/dir1/loop2 deleted file mode 120000 index d014eb492..000000000 --- a/pkg/paths/testdata/loops/loop_2/dir1/loop2 +++ /dev/null @@ -1 +0,0 @@ -../dir2 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_2/dir2/loop1 b/pkg/paths/testdata/loops/loop_2/dir2/loop1 deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/loop_2/dir2/loop1 +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_3/dir1/loop2 b/pkg/paths/testdata/loops/loop_3/dir1/loop2 deleted file mode 120000 index d014eb492..000000000 --- a/pkg/paths/testdata/loops/loop_3/dir1/loop2 +++ /dev/null @@ -1 +0,0 @@ -../dir2 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 b/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 deleted file mode 120000 index 85babfdb0..000000000 --- a/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 +++ /dev/null @@ -1 +0,0 @@ -../../dir1/ \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 b/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 deleted file mode 120000 index 3fd50ca46..000000000 --- a/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 +++ /dev/null @@ -1 +0,0 @@ -../dir3 \ No newline at end of file 
diff --git a/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1 b/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1 deleted file mode 120000 index 4f388a669..000000000 --- a/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1 +++ /dev/null @@ -1 +0,0 @@ -../../../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_1/dir1/file1 b/pkg/paths/testdata/loops/regular_1/dir1/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_1/dir2 b/pkg/paths/testdata/loops/regular_1/dir2 deleted file mode 120000 index df490f837..000000000 --- a/pkg/paths/testdata/loops/regular_1/dir2 +++ /dev/null @@ -1 +0,0 @@ -dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_2/dir1/file1 b/pkg/paths/testdata/loops/regular_2/dir1/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_2/dir2/dir1 b/pkg/paths/testdata/loops/regular_2/dir2/dir1 deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/regular_2/dir2/dir1 +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_2/dir2/file2 b/pkg/paths/testdata/loops/regular_2/dir2/file2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_3/dir1/file1 b/pkg/paths/testdata/loops/regular_3/dir1/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_3/dir2/dir1 b/pkg/paths/testdata/loops/regular_3/dir2/dir1 deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/regular_3/dir2/dir1 +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_3/dir2/file2 b/pkg/paths/testdata/loops/regular_3/dir2/file2 deleted file mode 100644 index e69de29bb..000000000 
diff --git a/pkg/paths/testdata/loops/regular_3/link b/pkg/paths/testdata/loops/regular_3/link deleted file mode 120000 index 86a410dd1..000000000 --- a/pkg/paths/testdata/loops/regular_3/link +++ /dev/null @@ -1 +0,0 @@ -broken \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir1/file1 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir1/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1 deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1 +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/file2 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/file2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/link b/pkg/paths/testdata/loops/regular_4_with_permission_error/link deleted file mode 120000 index 86a410dd1..000000000 --- a/pkg/paths/testdata/loops/regular_4_with_permission_error/link +++ /dev/null @@ -1 +0,0 @@ -broken \ No newline at end of file diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 72b3943d3..b0052d13f 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go 
@@ -5,27 +5,29 @@ package builder import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) var ( - regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4 - `abi/3.0`, `abi/4.0`, - `# userns,`, `userns,`, - `# mqueue`, `mqueue`, + regAbi4To3 = util.ToRegexRepl([]string{ + `abi/4.0`, `abi/3.0`, + ` userns,`, ` # userns,`, + ` mqueue`, ` # mqueue`, + ` all`, ` # all`, + ` deny mqueue`, ` # deny mqueue`, }) ) type ABI3 struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&ABI3{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "abi3", - Msg: "Convert all profiles from abi 4.0 to abi 3.0", + Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, }) } diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go new file mode 100644 index 000000000..1ec5e06b1 --- /dev/null +++ b/pkg/prebuild/builder/attach.go 
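Review bot: The ` deny mqueue` → ` # deny mqueue` pair in `regAbi4To3` looks unreachable, because the earlier ` mqueue` → ` # mqueue` pair has already turned that text into ` deny # mqueue` by the time it is tried (assuming `util.ToRegexRepl` applies the pairs in list order, which is not visible here). The ` all` pattern is also unanchored, so any rule or comment containing ` all` as a prefix (` allow`, ` alloc`) gets a `# ` inserted in the middle. Anchoring the bare-word pairs to the start of the rule, e.g. `(?m)^(\s*)all,` → `$1# all,` and `(?m)^(\s*)(deny )?mqueue` → `$1# $2mqueue` if the helper supports capture groups, removes both problems and makes the `deny` variant a single pair.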
@@ -0,0 +1,63 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type ReAttach struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&ReAttach{ + Base: prebuild.Base{ + Keyword: "attach", + Msg: "Feat: re-attach disconnected path", + }, + }) +} + +// Apply will re-attach the disconnected path +// - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag +// - Replace the base abstraction by attached/base +// - Replace the consoles abstraction by attached/consoles +// - For compatibility, non disconnected profile will have the @{att} variable set to / +func (b ReAttach) Apply(opt *Option, profile string) (string, error) { + var insert string + var origin = "profile " + opt.Name + if opt.File.HasSuffix("attached/base") { + return profile, nil // Do not re-attach twice + } + + if strings.Contains(profile, "attach_disconnected") { + insert = "@{att} = /att/" + opt.Name + "/\n" + profile = strings.ReplaceAll(profile, + "attach_disconnected", + "attach_disconnected,attach_disconnected.path=@{att}", + ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + + } else { + insert = "@{att} = \"\"\n" + + } + + return strings.Replace(profile, origin, insert+origin, 1), nil +} diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go new file mode 100644 index 000000000..29a065629 --- /dev/null +++ b/pkg/prebuild/builder/base-strict.go 
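Review bot: `Apply` decides to re-attach on an unanchored `strings.Contains(profile, "attach_disconnected")`, so a comment, a sub-profile flag or an already-present `attach_disconnected.path=` also triggers the rewrite, and the `ReplaceAll` then yields `attach_disconnected,attach_disconnected.path=@{att}.path=...` on a profile that already carried the path flag. The `@{att}` definition is also only inserted when the literal `profile <opt.Name>` header is found by `strings.Replace`; when the header uses a different name, the rewritten flag references a variable that is never defined. Parsing the `flags=(...)` list the way complain.go does, and returning an error when `origin` is not found, would make both cases explicit instead of silent. The doc comment also reads `frofile` for `profile`.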
@@ -0,0 +1,32 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type BaseStrict struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&BaseStrict{ + Base: prebuild.Base{ + Keyword: "base-strict", + Msg: "Feat: use 'base-strict' as base abstraction", + }, + }) +} + +func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + return profile, nil +} diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index e0f9f26b5..0d6a48f37 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -9,23 +9,23 @@ import ( "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {`) + regProfileHeader = regexp.MustCompile(` {\n`) ) type Complain struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&Complain{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "complain", - Msg: "Set complain flag on all profiles", + Msg: "Build: set complain flag on all profiles", }, }) } @@ -38,9 +38,12 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { if slices.Contains(flags, "complain") { return profile, nil } + if slices.Contains(flags, "unconfined") { + return profile, nil + } } flags = append(flags, "complain") - strFlags := " flags=(" + strings.Join(flags, ",") + ") {" + strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" // Remove all flags definition, then set manifest' flags profile = regFlags.ReplaceAllLiteralString(profile, "") diff --git a/pkg/prebuild/builder/core.go b/pkg/prebuild/builder/core.go index 64046721f..bfc1aa025 100644 
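Review bot: Anchoring `regProfileHeader` to ` {\n` (and the same change in enforce.go) means a header followed by trailing whitespace or a CRLF no longer matches; since `regFlags.ReplaceAllLiteralString` has already stripped every `flags=(...)` from the profile by then (the header replacement itself is below this hunk), such a profile would silently end up with no flags at all instead of the requested complain flag, i.e. enforced. Matching ` {[ \t]*\r?\n` or, better, returning an error when the header is not found would make that failure visible. A style nit: the two consecutive early returns can be one check, `if slices.Contains(flags, "complain") || slices.Contains(flags, "unconfined") {`.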
--- a/pkg/prebuild/builder/core.go +++ b/pkg/prebuild/builder/core.go @@ -6,9 +6,10 @@ package builder import ( "fmt" + "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( @@ -19,13 +20,13 @@ var ( Builders = map[string]Builder{} ) -// Main directive interface +// Builder main directive interface type Builder interface { - cfg.BaseInterface + prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) } -// Builder options +// Option for a builder type Option struct { Name string File *paths.Path @@ -33,7 +34,7 @@ type Option struct { func NewOption(file *paths.Path) *Option { return &Option{ - Name: file.Base(), + Name: strings.TrimSuffix(file.Base(), ".apparmor.d"), File: file, } } diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index c242259f9..6bcf74647 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -8,7 +8,7 @@ import ( "slices" "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestBuilder_Apply(t *testing.T) { @@ -23,17 +23,17 @@ func TestBuilder_Apply(t *testing.T) { name: "abi3", b: Builders["abi3"], profile: ` - abi , - profile test { - # userns, - # mqueue r type=posix /, - }`, - want: ` abi , profile test { userns, mqueue r type=posix /, }`, + want: ` + abi , + profile test { + # userns, + # mqueue r type=posix /, + }`, }, { name: "complain-1", 
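Review bot: `NewOption` now hard-codes the `".apparmor.d"` suffix that the deleted `cfg/files.go` kept as `const ext = ".apparmor.d"` for the overwrite renaming; the two sites must agree, so a single exported constant in the `prebuild` package that both the rename and this trim use would keep them in sync. A one-line why-comment would also help, since the reason is not local: `// Strip the suffix added by the overwrite step so builders see the bare profile name` is my reading of the old `Overwriter.Apply` — confirm.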
@@ -209,7 +209,7 @@ func TestBuilder_Apply(t *testing.T) { want: ` @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file - profile baloo /{{,usr/}{,s}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { + profile baloo /{{,usr/}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { include @{exec_path} mr, 
@@ -228,19 +228,83 @@ func TestBuilder_Apply(t *testing.T) { include if exists }`, + want: "", + wantErr: true, + }, + { + name: "stacked-dbus-1", + b: Builders["stacked-dbus"], + profile: ` +profile foo { + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + +}`, want: ` - profile foo /usr/bin/foo { - include +profile foo { +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session), +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), - /usr/bin/foo mr, - - include if exists - }`, +}`, + }, + { + name: "base-strict-1", + b: Builders["base-strict"], + profile: ` +profile foo { + include +}`, + want: ` +profile foo { + include +}`, + }, + { + name: "attach-1", + b: Builders["attach"], + profile: ` +profile attach-1 flags=(attach_disconnected) { + include + include + include +}`, + want: ` +@{att} = /att/attach-1/ +profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { + include + include + include +}`, + }, + { + name: "attach-2", + b: Builders["attach"], + profile: ` +profile attach-2 flags=(complain) { + include + include + include +}`, + want: ` +@{att} = "" +profile attach-2 flags=(complain) { + include + include + include +}`, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: cfg.RootApparmord.Join(tt.name)} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error 
= %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/builder/dev.go b/pkg/prebuild/builder/dev.go deleted file mode 100644 index f8ebdff02..000000000 --- a/pkg/prebuild/builder/dev.go +++ /dev/null @@ -1,36 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package builder - -import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" -) - -var ( - regDev = util.ToRegexRepl([]string{ - `Cx`, `cx`, - `PUx`, `pux`, - `Px`, `px`, - `Ux`, `ux`, - }) -) - -type Dev struct { - cfg.Base -} - -func init() { - RegisterBuilder(&Dev{ - Base: cfg.Base{ - Keyword: "dev", - Msg: "Apply test development changes", - }, - }) -} - -func (b Dev) Apply(opt *Option, profile string) (string, error) { - return regDev.Replace(profile), nil -} diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index bc25e03dc..3d3d218c6 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go @@ -8,18 +8,18 @@ import ( "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Enforce struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&Enforce{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "enforce", - Msg: "All profiles have been enforced", + Msg: "Build: all profiles have been enforced", }, }) } @@ -36,9 +36,9 @@ func (b Enforce) Apply(opt *Option, profile string) (string, error) { return profile, nil } flags = slices.Delete(flags, idx, idx+1) - strFlags := "{" + strFlags := "{\n" if len(flags) >= 1 { - strFlags = " flags=(" + strings.Join(flags, ",") + ") {" + strFlags = " flags=(" + strings.Join(flags, ",") + ") {\n" } // Remove all flags definition, then set new flags diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index 003f79525..12dab15cd 100644 --- a/pkg/prebuild/builder/fsp.go 
+++ b/pkg/prebuild/builder/fsp.go @@ -5,25 +5,25 @@ package builder import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) var ( regFullSystemPolicy = util.ToRegexRepl([]string{ - `r(PU|U)x,`, `rPx,`, + `(PU|U)x,`, `Px,`, }) ) type FullSystemPolicy struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&FullSystemPolicy{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "fsp", - Msg: "Prevent unconfined transitions in profile rules", + Msg: "Feat: prevent unconfined transitions in profile rules", }, }) } diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/prebuild/builder/hotfix.go new file mode 100644 index 000000000..be8750f26 --- /dev/null +++ b/pkg/prebuild/builder/hotfix.go @@ -0,0 +1,36 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/util" +) + +var ( + regHotfix = util.ToRegexRepl([]string{ + `Cx`, `cx`, + `PUx`, `pux`, + `Px`, `px`, + `Ux`, `ux`, + }) +) + +type Hotfix struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&Hotfix{ + Base: prebuild.Base{ + Keyword: "hotfix", + Msg: "Fix: temporary solution for #74, #80 & #235", + }, + }) +} + +func (b Hotfix) Apply(opt *Option, profile string) (string, error) { + return regHotfix.Replace(profile), nil +} diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go new file mode 100644 index 000000000..eca8122c6 --- /dev/null +++ b/pkg/prebuild/builder/stacked-dbus.go 
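Review bot: Dropping the `r` prefix from `regFullSystemPolicy` makes `(PU|U)x,` also match the tail of `CUx,`, which would become the invalid mode `CPx,`; if such rules exist in the tree (not visible here), a preceding-character class such as `(^|[^A-Za-z])(PU|U)x,` → `$1Px,` (if the helper supports groups) keeps them untouched. The lowercase `ux,`/`pux,` transitions are still left alone, so if the `hotfix` builder that lowercases these modes runs before this one, nothing is rewritten — the registration order decides, and that dependency deserves a comment here.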
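Review bot: `Hotfix` has no doc comment, and its effect is security-relevant: rewriting `Px`/`PUx`/`Ux`/`Cx` to their lowercase forms turns every transition into one that does not scrub the environment, and the patterns are unanchored, so those letter sequences are rewritten wherever they occur in a profile (paths, comments, variable names), not only in exec modes. A type comment stating the issues it works around, the trade-off and the removal condition, e.g. `// Hotfix lowercases exec transition modes (no environment scrubbing) as a temporary workaround for #74, #80 and #235; remove once fixed upstream.`, plus anchoring the patterns to the rule tail (`Px,`, `Ux,`, ...) would make the intent explicit.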
@@ -0,0 +1,104 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + resolve = map[string][]string{ + `"@{p_dbus_system}"`: {"dbus-system", "dbus-system//&unconfined"}, + `"@{p_dbus_session}"`: {"dbus-session", "dbus-session//&unconfined"}, + } +) + +// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +type StackedDbus struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&StackedDbus{ + Base: prebuild.Base{ + Keyword: "stacked-dbus", + Msg: "Fix: resolve peer label variable in dbus rules", + }, + }) +} + +func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { + var raw string + paragraphs := []string{} + rulesByParagraph := aa.ParaRules{} + + switch kind { + case aa.ProfileKind: + f := &aa.AppArmorProfileFile{} + nb, err := f.Parse(profile) + if err != nil { + return nil, nil, err + } + lines := strings.Split(profile, "\n") + raw = strings.Join(lines[nb:], "\n") + + case aa.AbstractionKind, aa.TunableKind: + raw = profile + } + + r, par, err := aa.ParseRules(raw) + if err != nil { + return nil, nil, err + } + rulesByParagraph = append(rulesByParagraph, r...) + paragraphs = append(paragraphs, par...) 
+ return rulesByParagraph, paragraphs, nil +} + +func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { + kind := aa.KindFromPath(opt.File) + if kind == aa.TunableKind { + return profile, nil + } + + toResolve := []string{} + for k := range resolve { + toResolve = append(toResolve, k) + } + + rulesByParagraph, paragraphs, err := parse(kind, profile) + if err != nil { + return "", err + } + for idx, rules := range rulesByParagraph { + changed := false + newRules := aa.Rules{} + for _, rule := range rules { + switch rule := rule.(type) { + case *aa.Dbus: + if slices.Contains(toResolve, rule.PeerLabel) { + changed = true + for _, label := range resolve[rule.PeerLabel] { + newRule := *rule + newRule.PeerLabel = label + newRules = append(newRules, &newRule) + } + } else { + newRules = append(newRules, rule) + } + default: + newRules = append(newRules, rule) + } + } + if changed { + profile = strings.ReplaceAll(profile, paragraphs[idx], newRules.String()+"\n") + } + } + return profile, nil +} diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 9925734c3..70dff8ec9 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go 
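Review bot: `toResolve` and the `slices.Contains` check re-implement a map lookup; `if labels, ok := resolve[rule.PeerLabel]; ok {` replaces the slice, the loop over `resolve` and the `slices` import. The rewritten paragraph is re-emitted via `newRules.String()` and spliced back with `strings.ReplaceAll`, so the paragraph's original indentation is lost (the `stacked-dbus-1` expectation in core_test.go shows the rules at column 0 inside the profile block) and every other identical paragraph in the file is rewritten too; if the indentation is meant to survive, re-apply the indent of `paragraphs[idx]` or set `aa.IndentationLevel` as dbus.go does. `newRule := *rule` is a shallow copy, so any slice fields of `aa.Dbus` stay shared between the two emitted rules — harmless while only `PeerLabel` differs, but worth a one-line comment.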
@@ -5,49 +5,66 @@ package builder import ( + "fmt" "regexp" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) +const tokATTACHMENT = "@{exec_path}" + var ( - regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`) + regAttachments = regexp.MustCompile(`(profile .* ` + tokATTACHMENT + `)`) ) type Userspace struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&Userspace{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "userspace", - Msg: "Bypass userspace tools restriction", + Msg: "Fix: resolve variable in profile attachments", }, }) } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("abstractions")); ok { - return profile, nil - } - if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("tunables")); ok { - return profile, nil + for _, dir := range []string{"abstractions", "tunables", "local", "mappings"} { + if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { + return profile, nil + } } f := aa.DefaultTunables() + if prebuild.Distribution == "arch" { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}{,s}bin"}, Define: true, + }) + } else { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true, + }) + } + if _, err := f.Parse(profile); err != nil { return "", err } + if len(f.GetDefaultProfile().Attachments) > 0 && + f.GetDefaultProfile().Attachments[0] != tokATTACHMENT { + return "", fmt.Errorf("missing '%s' attachment", tokATTACHMENT) + } if err := f.Resolve(); err != nil { return "", err } - att := f.GetDefaultProfile().GetAttachments() + matches := regAttachments.FindAllString(profile, -1) if len(matches) > 0 { - strheader := strings.Replace(matches[0], "@{exec_path}", att, -1) + att := f.GetDefaultProfile().GetAttachments() + strheader := 
strings.ReplaceAll(matches[0], tokATTACHMENT, att) return regAttachments.ReplaceAllLiteralString(profile, strheader), nil } return profile, nil diff --git a/pkg/prebuild/cfg/files.go b/pkg/prebuild/cfg/files.go deleted file mode 100644 index 6f81d25bc..000000000 --- a/pkg/prebuild/cfg/files.go +++ /dev/null 
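Review bot: The new `fmt.Errorf("missing '%s' attachment", tokATTACHMENT)` fires when an attachment is present but is not `@{exec_path}`, so the message misdescribes the failure; `return "", fmt.Errorf("first attachment must be '%s', got '%s'", tokATTACHMENT, f.GetDefaultProfile().Attachments[0])` says what was rejected. The distribution-specific `sbin` variable deserves a why-comment, `// arch has merged sbin into bin; other distributions still resolve sbin separately` being my reading of the two values — confirm. `IsInsideDir`'s error is still discarded in the directory-skip loop, which predates this change.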
@@ -1,95 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package cfg - -import ( - "fmt" - "os" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" -) - -// Default content of debian/apparmor.d.hide. Whonix has special addition. -var Hide = `# This file is generated by "make", all edit will be lost. - -/etc/apparmor.d/usr.bin.firefox -/etc/apparmor.d/usr.sbin.cups-browsed -/etc/apparmor.d/usr.sbin.cupsd -/etc/apparmor.d/usr.sbin.rsyslogd -` - -type Flagger struct{} - -func (f Flagger) Read(name string) map[string][]string { - res := map[string][]string{} - path := FlagDir.Join(name + ".flags") - if !path.Exist() { - return res - } - - lines := util.MustReadFileAsLines(path) - for _, line := range lines { - manifest := strings.Split(line, " ") - profile := manifest[0] - flags := []string{} - if len(manifest) > 1 { - flags = strings.Split(manifest[1], ",") - } - res[profile] = flags - } - return res -} - -type Ignorer struct{} - -func (i Ignorer) Read(name string) []string { - path := IgnoreDir.Join(name + ".ignore") - if !path.Exist() { - return []string{} - } - return util.MustReadFileAsLines(path) -} - -type Overwriter bool - -// Overwrite upstream profile: disable upstream & rename ours -func (o Overwriter) Apply() error { - const ext = ".apparmor.d" - disableDir := RootApparmord.Join("disable") - if err := disableDir.Mkdir(); err != nil { - return err - } - - path := DistDir.Join("overwrite") - if !path.Exist() { - return fmt.Errorf("%s not found", path) - } - for _, name := range util.MustReadFileAsLines(path) { - origin := RootApparmord.Join(name) - dest := RootApparmord.Join(name + ext) - if err := origin.Rename(dest); err != nil { - return err - } - originRel, err := origin.RelFrom(dest) - if err != nil { - return err - } - if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil { - 
return err - } - } - return nil -} - -type DebianHider struct { - path *paths.Path -} - -// Initialize the file with content from Hide -func (d DebianHider) Init() error { - return d.path.WriteFile([]byte(Hide)) -} diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go new file mode 100644 index 000000000..afed5aedf --- /dev/null +++ b/pkg/prebuild/cli/cli.go 
@@ -0,0 +1,249 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package cli + +import ( + "flag" + "fmt" + "os" + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/logging" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" + "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" +) + +const ( + nilABI = 0 + nilVer = 0.0 + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] + + Prebuild apparmor.d profiles for a given distribution and apply + internal built-in directives. + +Options: + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --test Enable test mode. + --debug Enable debug mode. 
+` +) + +var ( + help bool + complain bool + enforce bool + full bool + server bool + debug bool + test bool + abi int + version float64 + file string + buildir string +) + +func init() { + flag.BoolVar(&help, "h", false, "Show this help message and exit.") + flag.BoolVar(&help, "help", false, "Show this help message and exit.") + flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") + flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") + flag.BoolVar(&server, "s", false, "Set AppArmor for server.") + flag.BoolVar(&server, "server", false, "Set AppArmor for server.") + flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") + flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") + flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") + flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") + flag.IntVar(&abi, "a", nilABI, "Target apparmor ABI.") + flag.IntVar(&abi, "abi", nilABI, "Target apparmor ABI.") + flag.Float64Var(&version, "v", nilVer, "Target apparmor version.") + flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") + flag.StringVar(&file, "F", "", "Only prebuild a given file.") + flag.StringVar(&file, "file", "", "Only prebuild a given file.") + flag.StringVar(&buildir, "b", "", "Root build directory.") + flag.StringVar(&buildir, "buildir", "", "Root build directory.") + flag.BoolVar(&debug, "debug", false, "Enable debug mode.") + flag.BoolVar(&test, "test", false, "Enable test mode.") +} + +func Configure() { + flag.Usage = func() { + fmt.Printf("%s\n%s\n%s\n%s", usage, + prebuild.Help("Prepare", prepare.Tasks), + prebuild.Help("Build", builder.Builders), + directive.Usage(), + ) + } + flag.Parse() + if help { + flag.Usage() + os.Exit(0) + } + + if server { + idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) + if idx == -1 { + prepare.Register("server") + } else { + prepare.Prepares = 
slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) + } + + // Remove hotfix task as it is not needed on server + idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) + if idx != -1 { + prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) + } + } + + if full && paths.New("apparmor.d/groups/_full").Exist() { + prepare.Register("fsp") + builder.Register("fsp") + prebuild.RBAC = true + } else if prebuild.SystemdDir.Exist() { + prepare.Register("systemd-early") + } + + if complain { + builder.Register("complain") + if debug { + builder.Register("debug") + } + if test { + prebuild.Test = true + } + } else if enforce { + builder.Register("enforce") + } + + if abi != nilABI { + prebuild.ABI = abi + } + switch prebuild.ABI { + case 3: + builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 + case 4: + // Re-attach disconnected path + if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { + // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent + // profiles compilation with re-attached paths. 
+ // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + + // Use stacked-dbus builder to resolve dbus rules + builder.Register("stacked-dbus") + + } else { + if !prebuild.DownStream { + prepare.Register("attach") + } + builder.Register("attach") + + } + + default: + logging.Fatal("Invalid ABI version: %d", prebuild.ABI) + } + + if version != nilVer { + prebuild.Version = version + } + if buildir != "" { + prebuild.Root = paths.New(buildir) + prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") + } + if file != "" { + sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) + sync.Paths = []string{file} + overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) + overwrite.Optional = true + } +} + +func Prebuild() { + logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) + if full { + logging.Success("Full system policy enabled") + } + if prebuild.Version != nilVer { + logging.Success("AppArmor version targeted: %.1f", prebuild.Version) + } + if err := Prepare(); err != nil { + logging.Fatal("%s", err.Error()) + } + if err := Build(); err != nil { + logging.Fatal("%s", err.Error()) + } +} + +func Prepare() error { + for _, task := range prepare.Prepares { + msg, err := task.Apply() + if err != nil { + return err + } + if file != "" && task.Name() == "setflags" { + continue + } + logging.Success("%s", task.Message()) + logging.Indent = " " + for _, line := range msg { + if strings.Contains(line, "not found") { + logging.Warning("%s", line) + } else { + logging.Bullet("%s", line) + } + } + logging.Indent = "" + } + return nil +} + +func Build() error { + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = builder.Run(file, profile) + if err != nil { + return err + } + profile, err = 
directive.Run(file, profile) + if err != nil { + return err + } + if err := file.WriteFile([]byte(profile)); err != nil { + return err + } + } + + logging.Success("Build tasks:") + logging.Indent = " " + for _, task := range builder.Builds { + logging.Bullet("%s", task.Message()) + } + logging.Indent = "" + logging.Success("Directives processed:") + logging.Indent = " " + for _, dir := range directive.Directives { + logging.Bullet("%s%s", directive.Keyword, dir.Name()) + } + logging.Indent = "" + return nil +} diff --git a/pkg/prebuild/prebuild_test.go b/pkg/prebuild/cli/cli_test.go similarity index 78% rename from pkg/prebuild/prebuild_test.go rename to pkg/prebuild/cli/cli_test.go index db709c315..dab310020 100644 --- a/pkg/prebuild/prebuild_test.go +++ b/pkg/prebuild/cli/cli_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2023-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package cli import ( "os" @@ -10,15 +10,15 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) func setTestBuildDirectories(name string) { testRoot := paths.New("/tmp/tests") - cfg.Root = testRoot.Join(name) - cfg.RootApparmord = cfg.Root.Join("apparmor.d") + prebuild.Root = testRoot.Join(name) + prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") } func chdirGitRoot() { @@ -33,7 +33,7 @@ func chdirGitRoot() { } } -func Test_PreBuild(t *testing.T) { +func Test_Prebuild(t *testing.T) { tests := []struct { name string wantErr bool 
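Review bot: In `Configure`, the `--file` branch discards the result of both type assertions (`sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise)`), so when the task is not registered or has another concrete type `sync` is nil and `sync.Paths = ...` panics with a nil-pointer dereference instead of a readable error. `Prebuild` also logs "Full system policy enabled" on `full` alone, while `Configure` silently drops `--full` when `apparmor.d/groups/_full` does not exist, so the log can claim a mode that was never registered; logging a warning in that branch or keying the message on the registered builder would fix that. `Build` additionally ignores the error returned by `ReadDirRecursiveFiltered`.
```go
	if file != "" {
		sync, ok := prepare.Tasks["synchronise"].(*prepare.Synchronise)
		if !ok {
			logging.Fatal("task 'synchronise' is not registered")
		}
		sync.Paths = []string{file}
		overwrite, ok := prepare.Tasks["overwrite"].(*prepare.Overwrite)
		if !ok {
			logging.Fatal("task 'overwrite' is not registered")
		}
		overwrite.Optional = true
	}
	// … unchanged: rest of Configure …
```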
@@ -78,18 +78,27 @@ func Test_PreBuild(t *testing.T) { chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - setTestBuildDirectories(tt.name) - cfg.Distribution = tt.dist - if tt.full { + setTestBuildDirectories(tt.dist) + prebuild.Distribution = tt.dist + prepare.Prepares = []prepare.Task{} + prepare.Register( + "synchronise", "ignore", "merge", + "configure", "setflags", "systemd-default", + ) + + if full { prepare.Register("fsp") builder.Register("fsp") + } else { + prepare.Register("systemd-early") } - if tt.complain { + + if complain { builder.Register("complain") - } - if tt.enforce { + } else if enforce { builder.Register("enforce") } + if err := Prepare(); (err != nil) != tt.wantErr { t.Errorf("Prepare() error = %v, wantErr %v", err, tt.wantErr) } diff --git a/pkg/prebuild/cfg/core.go b/pkg/prebuild/core.go similarity index 69% rename from pkg/prebuild/cfg/core.go rename to pkg/prebuild/core.go index 692f130ad..8c2410d10 100644 --- a/pkg/prebuild/cfg/core.go +++ b/pkg/prebuild/core.go @@ -2,27 +2,27 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import "fmt" type BaseInterface interface { Message() string Name() string - Usage() string + Usage() []string } type Base struct { Msg string Keyword string - Help string + Help []string } func (b Base) Name() string { return b.Keyword } -func (b Base) Usage() string { +func (b Base) Usage() []string { return b.Help } @@ -37,11 +37,3 @@ func Help[T BaseInterface](name string, tasks map[string]T) string { } return res } - -func Usage[T BaseInterface](name string, tasks map[string]T) string { - res := fmt.Sprintf("%s\n", name) - for _, t := range tasks { - res += fmt.Sprintf(" %s\n", t.Usage()) - } - return res -} diff --git a/pkg/prebuild/cfg/core_test.go b/pkg/prebuild/core_test.go similarity index 75% rename from pkg/prebuild/cfg/core_test.go rename to pkg/prebuild/core_test.go index ff76f9466..5abf0a9c1 100644 
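Review bot: The rewritten loop tests `full`, `complain` and `enforce` — the package-level flag variables from cli.go, which nothing in the test sets — instead of the table fields `tt.full`, `tt.complain` and `tt.enforce`, so every case now runs with the same all-false configuration and the per-case fields (assuming the struct still has them; it is above this hunk) are dead. The conditions should read `if tt.full {`, `if tt.complain {` and `} else if tt.enforce {`. Switching `setTestBuildDirectories` from `tt.name` to `tt.dist` also makes cases sharing a distribution reuse one build directory; if that is intended, a comment saying so would help.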
--- a/pkg/prebuild/cfg/core_test.go +++ b/pkg/prebuild/core_test.go @@ -2,9 +2,10 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( + "slices" "strings" "testing" ) @@ -17,7 +18,7 @@ func TestBase_Helpers(t *testing.T) { }{ { name: "base", - b: Base{Keyword: "test", Help: "test", Msg: "test"}, + b: Base{Keyword: "test", Help: []string{"test"}, Msg: "test"}, want: "test", }, } @@ -26,7 +27,7 @@ func TestBase_Helpers(t *testing.T) { if got := tt.b.Name(); got != tt.want { t.Errorf("Base.Name() = %v, want %v", got, tt.want) } - if got := tt.b.Usage(); got != tt.want { + if got := tt.b.Usage(); !slices.Equal(got, []string{tt.want}) { t.Errorf("Base.Usage() = %v, want %v", got, tt.want) } if got := tt.b.Message(); got != tt.want { @@ -45,8 +46,8 @@ func TestHelp(t *testing.T) { { name: "one", tasks: map[string]Base{ - "one": {Keyword: "one", Help: "one", Msg: "one"}, - "two": {Keyword: "two", Help: "two", Msg: "two"}, + "one": {Keyword: "one", Help: []string{"one"}, Msg: "one"}, + "two": {Keyword: "two", Help: []string{"two"}, Msg: "two"}, }, want: `one`, }, @@ -56,9 +57,6 @@ func TestHelp(t *testing.T) { if got := Help(tt.name, tt.tasks); !strings.Contains(got, tt.want) { t.Errorf("Help() = %v, want %v", got, tt.want) } - if got := Usage(tt.name, tt.tasks); !strings.Contains(got, tt.want) { - t.Errorf("Usage() = %v, want %v", got, tt.want) - } }) } } diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index d14dd4861..cde9470dc 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -10,7 +10,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( 
@@ -20,16 +20,26 @@ var ( // Build the profiles with the following directive applied Directives = map[string]Directive{} - regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*) (.*)`) + regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*)( .*)?`) ) -// Main directive interface +// Directive main interface type Directive interface { - cfg.BaseInterface + prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) } -// Directive options +func Usage() string { + res := "Directive:\n" + for _, d := range Directives { + for _, h := range d.Usage() { + res += fmt.Sprintf(" %s%s %s\n", Keyword, d.Name(), h) + } + } + return res +} + +// Option for the directive type Option struct { Name string ArgMap map[string]string @@ -61,11 +71,29 @@ func NewOption(file *paths.Path, match []string) *Option { } } -// Clean the selected directive from profile. +// Clean removes selected directive line from input string. // Useful to remove directive text applied on some condition only -func (o *Option) Clean(profile string) string { - reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`) - return strings.Replace(profile, o.Raw, reg.ReplaceAllString(o.Raw, ""), 1) +func (o *Option) Clean(input string) string { + return strings.Replace(input, o.Raw, o.cleanKeyword(o.Raw), 1) +} + +// cleanKeyword removes the dirextive keywork (#aa:...) from the input string +func (o *Option) cleanKeyword(input string) string { + reg := regexp.MustCompile(`\s*` + Keyword + o.Name + `( .*)?$`) + return reg.ReplaceAllString(input, "") +} + +// IsInline checks if either the directive is in one line or if it is a paragraph +func (o *Option) IsInline() bool { + inline := true + tmp := strings.Split(o.Raw, Keyword) + if len(tmp) >= 1 { + left := strings.TrimSpace(tmp[0]) + if len(left) == 0 { + inline = false + } + } + return inline } func RegisterDirective(d Directive) { 
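Review bot: `Usage` ranges over the `Directives` map, so the help text comes out in a different order on each run; collecting the names into a slice, sorting it and iterating over that gives stable output. Something like `names := make([]string, 0, len(Directives))`, a `for name := range Directives` append, then `sort.Strings(names)` before the loop (importing `sort` if the file does not already).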
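Review bot: In `IsInline` the `len(tmp) >= 1` guard is always true, because `strings.Split` returns at least one element for a non-empty separator, so the body reduces to `return strings.TrimSpace(strings.SplitN(o.Raw, Keyword, 2)[0]) != ""`. Its doc comment does not say what the return value means; `// IsInline reports whether text precedes the directive keyword on its line, i.e. the directive annotates a rule rather than starting a paragraph.` is my reading — confirm. `cleanKeyword`'s comment has `dirextive keywork` for `directive keyword`, and it recompiles its regexp on every call although it depends only on `o.Name`.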
@@ -78,7 +106,10 @@ func Run(file *paths.Path, profile string) (string, error) {
 opt := NewOption(file, match)
 drtv, ok := Directives[opt.Name]
 if !ok {
- return "", fmt.Errorf("Unknown directive '%s' in %s", opt.Name, opt.File)
+ if opt.Name == "lint" {
+ continue
+ }
+ return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File)
 }
 profile, err = drtv.Apply(opt, profile)
 if err != nil {
diff --git a/pkg/prebuild/directive/core_test.go b/pkg/prebuild/directive/core_test.go
index faf39df4b..229dda630 100644
--- a/pkg/prebuild/directive/core_test.go
+++ b/pkg/prebuild/directive/core_test.go
@@ -20,7 +20,7 @@ func TestNewOption(t *testing.T) {
 }{
 {
 name: "dbus",
- file: nil,
+ file: paths.New("dbus"),
 match: []string{
 " #aa:dbus own bus=system name=org.gnome.DisplayManager",
 "dbus",
@@ -34,13 +34,13 @@ func TestNewOption(t *testing.T) {
 "own": "",
 },
 ArgList: []string{"own", "bus=system", "name=org.gnome.DisplayManager"},
- File: nil,
+ File: paths.New("dbus"),
 Raw: " #aa:dbus own bus=system name=org.gnome.DisplayManager",
 },
 },
 {
 name: "only",
- file: nil,
+ file: paths.New("only"),
 match: []string{
 " #aa:only opensuse",
 "only",
@@ -50,7 +50,7 @@ func TestNewOption(t *testing.T) {
 Name: "only",
 ArgMap: map[string]string{"opensuse": ""},
 ArgList: []string{"opensuse"},
- File: nil,
+ File: paths.New("only"),
 Raw: " #aa:only opensuse",
 },
 },
@@ -74,13 +74,13 @@ func TestRun(t *testing.T) {
 }{
 {
 name: "none",
- file: nil,
+ file: paths.New("dummy"),
 profile: ` `,
 want: ` `,
 },
 {
 name: "present",
- file: nil,
+ file: paths.New("fake-own"),
 profile: ` #aa:dbus own bus=system name=org.freedesktop.systemd1`,
 want: dbusOwnSystemd1,
 },
diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go
index dc7ac16d3..4862597bb 100644
--- a/pkg/prebuild/directive/dbus.go
+++ b/pkg/prebuild/directive/dbus.go
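Review bot: The `lint` special case in `Run` silently skips an unregistered directive without saying why, and a reader cannot tell whether `#aa:lint` is consumed by another tool (presumably the linter behind `just check`) or simply ignored. Add a comment above the check, e.g. `// #aa:lint is handled by the linter, not by prebuild; leave the line untouched`, adjusted to the actual consumer, or register a no-op `lint` directive so the map lookup handles it uniformly instead of special-casing a name inside the error branch. Note that `continue` leaves the raw `#aa:lint …` line in the emitted profile, whereas the other directives strip theirs; if that is intended, the comment should say so. The enclosing `Run` loop starts before this hunk.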
@@ -18,36 +18,25 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -var defaultInterfaces = []string{ - "org.freedesktop.DBus.Properties", - "org.freedesktop.DBus.ObjectManager", -} - type Dbus struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&Dbus{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "dbus", Msg: "Dbus directive applied", - Help: `#aa:dbus own bus= name= [interface=AARE] [path=AARE] - #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE]`, - }, - }) -} - -func setInterfaces(rules map[string]string) []string { - interfaces := []string{rules["name"]} - if _, present := rules["interface"]; present { - interfaces = append(interfaces, rules["interface"]) - } - interfaces = append(interfaces, defaultInterfaces...) - return interfaces + Help: []string{ + "own bus= name= [interface=AARE] [path=AARE]", + "talk bus= name= label= [interface=AARE] [path=AARE]", + "common bus= name= label=", + }, + }}, + ) } func (d Dbus) Apply(opt *Option, profile string) (string, error) { @@ -62,6 +51,8 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { r = d.own(opt.ArgMap) case "talk": r = d.talk(opt.ArgMap) + case "common": + r = d.common(opt.ArgMap) } aa.IndentationLevel = strings.Count( 
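Review bot: The new Help lines still advertise `[interface=AARE]` only, while this commit's test fixture uses `interface+=org.gtk.Actions` and `getInterfaces` in the following hunk gives the two keys different meanings (`interface=` replaces the `name`-derived interface, `interface+=` adds to it); document both, e.g. `"own bus= name= [interface=AARE] [interface+=AARE] [path=AARE]"` and likewise for `talk`. That replace-vs-append behaviour differs from the removed `setInterfaces`, which always kept `name` as an interface, so existing profiles written with `interface=` lose the `name` interface rules after this commit; that deserves a sentence in the commit description or the directive documentation. `"common bus= name= label="` presents `label` as required, which the sanity check in the next hunk does not enforce for `common`.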
@@ -70,94 +61,213 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { generatedDbus := r.String() lenDbus := len(generatedDbus) generatedDbus = generatedDbus[:lenDbus-1] - profile = strings.Replace(profile, opt.Raw, generatedDbus, -1) + profile = strings.ReplaceAll(profile, opt.Raw, generatedDbus) return profile, nil } func (d Dbus) sanityCheck(opt *Option) (string, error) { if len(opt.ArgList) < 1 { - return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) + return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) } action := opt.ArgList[0] - if action != "own" && action != "talk" { - return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) + if action != "own" && action != "talk" && action != "common" { + return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) } if _, present := opt.ArgMap["name"]; !present { - return "", fmt.Errorf("Missing name for 'dbus: %s' in %s", action, opt.File) + return "", fmt.Errorf("missing name for 'dbus: %s' in %s", action, opt.File) } if _, present := opt.ArgMap["bus"]; !present { - return "", fmt.Errorf("Missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) } if _, present := opt.ArgMap["label"]; !present && action == "talk" { - return "", fmt.Errorf("Missing label for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("missing label for '%s' in %s", opt.ArgMap["name"], opt.File) } // Set default values if _, present := opt.ArgMap["path"]; !present { - opt.ArgMap["path"] = "/" + strings.Replace(opt.ArgMap["name"], ".", "/", -1) + "{,/**}" + opt.ArgMap["path"] = "/" + strings.ReplaceAll(opt.ArgMap["name"], ".", "/") + "{,/**}" } opt.ArgMap["name"] += "{,.*}" return action, nil } +func getInterfaces(rules map[string]string) []string { + var interfaces []string + if _, present := rules["interface"]; present { + interfaces = 
[]string{rules["interface"]} + } else { + interfaces = []string{rules["name"]} + } + + if _, present := rules["interface+"]; present { + interfaces = append(interfaces, rules["interface+"]) + } + return interfaces +} + func (d Dbus) own(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) - res := aa.Rules{} - res = append(res, &aa.Dbus{ - Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], - }) - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `":1.@{int}"`, - }) + interfaces := getInterfaces(rules) + + res := aa.Rules{ + &aa.Include{ + IsMagic: true, Path: "abstractions/bus/" + rules["bus"] + "/own", + }, + &aa.Dbus{ + Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], + }, } + + // Interfaces for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},org.freedesktop.DBus}"`, - }) + res = append(res, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"@{busname}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + ) } - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `":1.@{int}"`, - }) + + res = append(res, + // DBus.Properties: reply to properties request from anyone + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + + // DBus.Introspectable: allow clients to 
introspect the service + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"@{busname}"`, + }, + + // DBus.ObjectManager: allow clients to enumerate sources + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + ) return res } func (d Dbus) talk(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) - res := aa.Rules{} + interfaces := getInterfaces(rules) + res := aa.Rules{ + &aa.Unix{ + Type: "stream", + Address: "none", + PeerLabel: rules["label"], + PeerAddr: "none", + }, + } + + // Interfaces for _, iface := range interfaces { res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }) } - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], - }) + + res = append(res, + // DBus.Properties + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + 
}, + + // DBus.Introspectable + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + + // DBus.ObjectManager: allow clients to enumerate sources + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + ) + return res +} + +func (d Dbus) common(rules map[string]string) aa.Rules { + res := aa.Rules{ + + // DBus.Properties: read all properties from the interface + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Properties: read all properties from the interface", + IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + nil, + + // DBus.Properties: receive property changed events + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Properties: receive property changed events", + IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "PropertiesChanged", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + nil, + + // DBus.Introspectable: allow clients to introspect the service + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Introspectable: allow clients to introspect the service", + 
IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, } return res } diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 65e55e785..d6e90bb99 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go 
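Review bot: `sanityCheck` still requires `label` only for `talk`, but the new `common` action emits `PeerLabel: rules["label"]` on every rule it builds, so `#aa:dbus common bus= name=` without a label is accepted and renders `peer=(name=…, label=)`; widen the check to `if _, present := opt.ArgMap["label"]; !present && (action == "talk" || action == "common") {`. `own` now builds an include path from `rules["bus"]` (`abstractions/bus/<bus>/own`), and `bus` is only checked for presence, so a mistyped bus name surfaces as a missing abstraction at parser time rather than as a prebuild error; validating it against the accepted bus names in `sanityCheck` would fail earlier and more clearly. `getInterfaces` has no doc comment; `// getInterfaces returns the D-Bus interfaces to generate rules for: interface= replaces the name-derived interface, interface+= is appended to it` would explain the asymmetry. `talk` now also emits a `unix type=stream … peer=(label=…)` rule, which grants more than D-Bus traffic to the peer label; a comment stating why that socket rule is needed would help the next reader, and the `nil` entries in `common`'s rule list presumably render as blank separator lines but are not explained.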
@@ -8,29 +8,31 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*}, +const dbusOwnSystemd1 = ` include + + dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), + peer=(name="@{busname}"), dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),` + peer=(name="@{busname}"), + dbus receive bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.systemd1{,.*}}"), + dbus send bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"),` func TestDbus_Apply(t *testing.T) { tests := []struct { 
@@ -61,45 +63,47 @@ func TestDbus_Apply(t *testing.T) { opt: &Option{ Name: "dbus", ArgMap: map[string]string{ - "bus": "session", - "name": "com.rastersoft.dingextension", - "interface": "org.gtk.Actions", - "own": "", + "bus": "session", + "name": "com.rastersoft.ding", + "interface+": "org.gtk.Actions", + "own": "", }, - ArgList: []string{"own", "bus=session", "name=com.rastersoft.dingextension", "interface=org.gtk.Actions"}, + ArgList: []string{"own", "bus=session", "name=com.rastersoft.ding", "interface+=org.gtk.Actions"}, File: nil, - Raw: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", + Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, - profile: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", - want: ` dbus bind bus=session name=com.rastersoft.dingextension{,.*}, - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", + want: ` include + + dbus bind bus=session name=com.rastersoft.ding{,.*}, + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), - dbus send bus=session 
path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),`, + peer=(name="@{busname}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"),`, }, { name: "talk", 
@@ -116,24 +120,60 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus send bus=system path=/org/freedesktop/Accounts{,/**} + want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), + + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus send bus=system path=/org/freedesktop/Accounts{,/**} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts{,/**} 
interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, + }, + { + name: "common", + opt: &Option{ + Name: "dbus", + ArgMap: map[string]string{ + "bus": "system", + "name": "net.hadess.PowerProfiles", + "label": "power-profiles-daemon", + "talk": "", + }, + ArgList: []string{"common", "bus=system", "name=net.hadess.PowerProfiles", "power-profiles-daemon"}, + File: nil, + Raw: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", + }, + profile: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", + want: ` # DBus.Properties: read all properties from the interface + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + + # DBus.Properties: receive property changed events + dbus receive bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + + # DBus.Introspectable: allow clients to introspect the service + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),`, }, } for _, tt := range tests { diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index dd0d2ed0e..b348fb46b 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go 
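Review bot: The new `common` fixture is internally inconsistent: `ArgMap` carries a `"talk": ""` key and `ArgList` ends with `"power-profiles-daemon"` instead of `"label=power-profiles-daemon"`, while `Raw` and `profile` read `common … label=power-profiles-daemon`. The test passes only because `Apply` takes the action from `ArgList[0]` and the label from `ArgMap`, so the mismatch is never exercised; use `"common": ""` in `ArgMap` and `"label=power-profiles-daemon"` in `ArgList` so the fixture matches what `NewOption` would presumably produce from `Raw`.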
@@ -7,29 +7,32 @@ package directive import ( + "fmt" "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Exec struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&Exec{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "exec", Msg: "Exec directive applied", - Help: Keyword + `exec [P|U|p|u|PU|pu|] profiles...`, + Help: []string{"[P|U|p|u|PU|pu|] profiles..."}, }, }) } func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { + if len(opt.ArgList) == 0 { + return "", fmt.Errorf("no profile to exec") + } transition := "Px" transitions := []string{"P", "U", "p", "u", "PU", "pu"} t := opt.ArgList[0] @@ -40,7 +43,7 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules := aa.Rules{} for name := range opt.ArgMap { - profiletoTransition := util.MustReadFile(cfg.RootApparmord.Join(name)) + profiletoTransition := prebuild.RootApparmord.Join(name).MustReadFileAsString() dstProfile := aa.DefaultTunables() if _, err := dstProfile.Parse(profiletoTransition); err != nil { return "", err @@ -67,5 +70,5 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules = rules.Sort() new := rules.String() new = new[:len(new)-1] - return strings.Replace(profileRaw, opt.Raw, new, -1), nil + return strings.ReplaceAll(profileRaw, opt.Raw, new), nil } diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go index c6d4e32a7..255d9a237 100644 --- a/pkg/prebuild/directive/exec_test.go +++ b/pkg/prebuild/directive/exec_test.go @@ -8,7 +8,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestExec_Apply(t *testing.T) { 
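Review bot: In the `@@ -40` hunk, `prebuild.RootApparmord.Join(name).MustReadFileAsString()` panics when the profile to transition to is missing, while the sibling change to `stack.go` in this commit switched to `ReadFileAsString` and returns a wrapped error; `Apply` already returns an `error`, so mirror that form here: `profiletoTransition, err := prebuild.RootApparmord.Join(name).ReadFileAsString()` followed by `if err != nil { return "", fmt.Errorf("cannot read profile %s to exec: %w", name, err) }`. The new empty-`ArgList` guard in the first hunk is good, but `fmt.Errorf("no profile to exec")` omits the file name that every other directive error includes (`opt.File`). Whether `t := opt.ArgList[0]` is also removed from `opt.ArgMap` when it is a transition flag happens outside the hunk and is not verifiable here.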
@@ -36,7 +36,7 @@ func TestExec_Apply(t *testing.T) { }, { name: "exec-unconfined", - rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"), + rootApparmord: paths.New("../../../apparmor.d/groups/polkit/"), opt: &Option{ Name: "exec", ArgMap: map[string]string{"U": "", "polkit-agent-helper": ""}, @@ -51,7 +51,7 @@ func TestExec_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.RootApparmord = tt.rootApparmord + prebuild.RootApparmord = tt.rootApparmord got, err := Directives["exec"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Exec.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index 1c90fa760..ac632471b 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go 
@@ -5,40 +5,57 @@ package directive import ( + "fmt" "regexp" "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type FilterOnly struct { - cfg.Base + prebuild.Base } type FilterExclude struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&FilterOnly{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "only", Msg: "Only directive applied", - Help: Keyword + `only filters...`, + Help: []string{"filters..."}, }, }) RegisterDirective(&FilterExclude{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "exclude", Msg: "Exclude directive applied", - Help: Keyword + `exclude filters...`, + Help: []string{"filters..."}, }, }) } func filterRuleForUs(opt *Option) bool { - return slices.Contains(opt.ArgList, cfg.Distribution) || slices.Contains(opt.ArgList, cfg.Family) + if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { + return true + } + + if prebuild.Test && slices.Contains(opt.ArgList, "test") { + return true + } + + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) + if slices.Contains(opt.ArgList, abiStr) { + return true + } + versionStr := fmt.Sprintf("apparmor%.1f", prebuild.Version) + if slices.Contains(opt.ArgList, versionStr) { + return true + } + return slices.Contains(opt.ArgList, prebuild.Distribution) || slices.Contains(opt.ArgList, prebuild.Family) } func filter(only bool, opt *Option, profile string) (string, error) { 
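Review bot: `filterRuleForUs` gains four new selectors (`RBAC`, `test`, `abi<N>`, `apparmor<X.Y>`) but the Help for `only`/`exclude` in the same hunk still says only `filters...`; list them, e.g. `Help: []string{"filters... (distribution, family, RBAC, test, abi<N>, apparmor<X.Y>)"}`, or document the accepted values in a comment above the function. Formatting `prebuild.Version` with `%.1f` means a float version with two minor digits (a hypothetical 4.15) would render as `apparmor4.2`, and a selector such as `apparmor4.0` only matches that exact value rather than a minimum; if exact major.minor matching is the intent, a string-typed `Version` would make that explicit (where `Version` is set is not visible here). With the default `ABI = 0`, `abi0` is the only ABI selector that matches until something sets `prebuild.ABI`.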
@@ -49,17 +66,8 @@ func filter(only bool, opt *Option, profile string) (string, error) { return opt.Clean(profile), nil } - inline := true - tmp := strings.Split(opt.Raw, Keyword) - if len(tmp) >= 1 { - left := strings.TrimSpace(tmp[0]) - if len(left) == 0 { - inline = false - } - } - - if inline { - profile = strings.Replace(profile, opt.Raw, "", -1) + if opt.IsInline() { + profile = strings.ReplaceAll(profile, opt.Raw, "") } else { regRemoveParagraph := regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`) profile = regRemoveParagraph.ReplaceAllString(profile, "") diff --git a/pkg/prebuild/directive/filter_test.go b/pkg/prebuild/directive/filter_test.go index 465ba50a5..ebbd5ef5c 100644 --- a/pkg/prebuild/directive/filter_test.go +++ b/pkg/prebuild/directive/filter_test.go @@ -7,7 +7,7 @@ package directive import ( "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestFilterOnly_Apply(t *testing.T) { @@ -78,8 +78,8 @@ func TestFilterOnly_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.Distribution = tt.dist - cfg.Family = tt.family + prebuild.Distribution = tt.dist + prebuild.Family = tt.family got, err := Directives["only"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterOnly.Apply() error = %v, wantErr %v", err, tt.wantErr) @@ -133,8 +133,8 @@ func TestFilterExclude_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.Distribution = tt.dist - cfg.Family = tt.family + prebuild.Distribution = tt.dist + prebuild.Family = tt.family got, err := Directives["exclude"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterExclude.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index e0ab9d84e..a43849228 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go 
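Review bot: The paragraph branch builds its regexp from `opt.Raw` unescaped (`regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`)`), so a directive line containing regex metacharacters such as `.`, `+` or `(` matches loosely or panics at run time; wrap it as `regexp.QuoteMeta(opt.Raw)`. That line is context rather than new, but the new `opt.IsInline()` call is now the only thing choosing this branch, so it is the natural place to fix it. The `filter` function starts before this hunk.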
@@ -7,9 +7,10 @@ package directive import ( "fmt" "regexp" + "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -19,32 +20,48 @@ var ( regCleanStakedRules = util.ToRegexRepl([]string{ `(?m)^.*include .*$`, ``, // Remove mandatory base abstraction `(?m)^.*@{exec_path}.*$`, ``, // Remove entry point - `(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove transition rules `(?m)^(?:[\t ]*(?:\r?\n))+`, ``, // Remove empty lines }) ) type Stack struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&Stack{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "stack", Msg: "Stack directive applied", - Help: Keyword + `stack profiles...`, + Help: []string{"[X] profiles..."}, }, }) } func (s Stack) Apply(opt *Option, profile string) (string, error) { + if len(opt.ArgList) == 0 { + return "", fmt.Errorf("no profile to stack") + } + t := opt.ArgList[0] + if t != "X" { + regCleanStakedRules = slices.Insert(regCleanStakedRules, 0, + util.ToRegexRepl([]string{ + `(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove X transition rules + })..., + ) + } else { + delete(opt.ArgMap, t) + } + res := "" for name := range opt.ArgMap { - stackedProfile := util.MustReadFile(cfg.RootApparmord.Join(name)) + stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() + if err != nil { + return "", fmt.Errorf("%s need to stack: %w", name, err) + } m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { - return "", fmt.Errorf("No profile found in %s", name) + return "", fmt.Errorf("no profile found in %s", name) } stackedRules := m[1] stackedRules = regCleanStakedRules.Replace(stackedRules) 
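Review bot: `Apply` mutates the package-level `regCleanStakedRules` with `slices.Insert` on every call whose first argument is not `X`, so the transition-stripping pattern is prepended again for each stacked profile processed, and once any non-`X` stack has run, a later `#aa:stack X …` still strips the transition rules because the shared variable now carries the pattern. Build the replacement list locally and apply that in the loop, leaving the package variable untouched, as in the rewrite below. The body of `Apply` continues past this hunk (the `regEndOfRules` part is in the next one). `fmt.Errorf("%s need to stack: %w", name, err)` reads oddly; `"cannot read profile %s to stack: %w"` says what failed.
```go
	t := opt.ArgList[0]
	cleanRules := regCleanStakedRules
	if t != "X" {
		// Work on a copy: the package-level list must not accumulate patterns across calls.
		cleanRules = slices.Insert(slices.Clone(regCleanStakedRules), 0,
			util.ToRegexRepl([]string{
				`(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove X transition rules
			})...,
		)
	} else {
		delete(opt.ArgMap, t)
	}
	// … unchanged: read each stacked profile and extract its rules …
		stackedRules = cleanRules.Replace(stackedRules)
```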
@@ -54,9 +71,9 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { // Insert the stacked profile at the end of the current profile, remove the stack directive m := regEndOfRules.FindStringSubmatch(profile) if len(m) <= 1 { - return "", fmt.Errorf("No end of rules found in %s", opt.File) + return "", fmt.Errorf("no end of rules found in %s", opt.File) } - profile = strings.Replace(profile, m[0], res+m[0], -1) - profile = strings.Replace(profile, opt.Raw, "", -1) + profile = strings.ReplaceAll(profile, m[0], res+m[0]) + profile = strings.ReplaceAll(profile, opt.Raw, "") return profile, nil } diff --git a/pkg/prebuild/directive/stack_test.go b/pkg/prebuild/directive/stack_test.go index ef603aae6..8f99d6f7a 100644 --- a/pkg/prebuild/directive/stack_test.go +++ b/pkg/prebuild/directive/stack_test.go @@ -8,7 +8,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestStack_Apply(t *testing.T) { @@ -68,7 +68,7 @@ profile parent @{exec_path} { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.RootApparmord = tt.rootApparmord + prebuild.RootApparmord = tt.rootApparmord got, err := Directives["stack"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Stack.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/cfg/directories.go b/pkg/prebuild/directories.go similarity index 67% rename from pkg/prebuild/cfg/directories.go rename to pkg/prebuild/directories.go index 282aa1ad8..486a45d14 100644 --- a/pkg/prebuild/cfg/directories.go +++ b/pkg/prebuild/directories.go 
@@ -2,15 +2,33 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import "github.com/roddhjav/apparmor.d/pkg/paths" var ( - // Root is the root directory for the build + // AppArmor ABI version + ABI = 0 + + // AppArmor version + Version = 4.0 + + // Tells the build we are a downstream project using apparmor.d as dependency + DownStream = false + + // Either or not RBAC is enabled + RBAC = false + + // Either or not we are in test mode + Test = false + + // Pkgname is the name of the package + Pkgname = "apparmor.d" + + // Root is the root directory for the build (default: .build) Root *paths.Path = paths.New(".build") - // RootApparmord is the final built apparmor.d directory + // RootApparmord is the final built apparmor.d directory (default: .build/apparmor.d) RootApparmord *paths.Path = Root.Join("apparmor.d") // DistDir is the directory where the distribution specific files are stored @@ -28,11 +46,6 @@ var ( // DebianDir is the directory where the debian specific files are stored DebianDir *paths.Path = paths.New("debian") - // AppArmor 4.0 contains several profiles that allow userns and are otherwise - // unconfined. Overwriter disables upstream profile in favor of (better) apparmor.d - // counterpart - Overwrite Overwriter = false - // DebianHide is the path to the debian/apparmor.d.hide file DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")} diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go new file mode 100644 index 000000000..d9879570b --- /dev/null +++ b/pkg/prebuild/files.go 
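Review bot: `Version = 4.0` keeps the AppArmor version as a float64, and filter.go in this commit formats it with `%.1f` to build `apparmorX.Y` selectors; versions are not numbers (`4.1` and `4.10` collide, and a two-digit minor would round), so a string such as `"4.0"` or separate major/minor integers would be safer if this value is compared or printed anywhere else. The new variable comments are thin and two are ungrammatical: replace `// Either or not RBAC is enabled` with `// RBAC reports whether role-based access control support is enabled for this build` and `// Either or not we are in test mode` with `// Test reports whether the build runs in test mode`; `ABI`'s comment should say what `0` means (presumably unset), and `DownStream`'s should say what behaviour it changes. Whether `Version` and `ABI` are populated from the installed AppArmor elsewhere is not visible in this hunk.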
@@ -0,0 +1,64 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prebuild + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/paths" +) + +// Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. +var Hide = `# This file is generated by "just", all edit will be lost. + +/etc/apparmor.d/usr.bin.firefox +/etc/apparmor.d/usr.bin.swtpm +/etc/apparmor.d/usr.bin.wsdd +/etc/apparmor.d/usr.libexec.geoclue +/etc/apparmor.d/usr.sbin.cups-browsed +/etc/apparmor.d/usr.sbin.cupsd +/etc/apparmor.d/usr.sbin.rsyslogd +` + +type Flagger struct{} + +func (f Flagger) Read(name string) map[string][]string { + res := map[string][]string{} + path := FlagDir.Join(name + ".flags") + if !path.Exist() { + return res + } + + lines := path.MustReadFilteredFileAsLines() + for _, line := range lines { + manifest := strings.Split(line, " ") + profile := manifest[0] + flags := []string{} + if len(manifest) > 1 { + flags = strings.Split(manifest[1], ",") + } + res[profile] = flags + } + return res +} + +type Ignorer struct{} + +func (i Ignorer) Read(name string) []string { + path := IgnoreDir.Join(name + ".ignore") + if !path.Exist() { + return []string{} + } + return path.MustReadFilteredFileAsLines() +} + +type DebianHider struct { + path *paths.Path +} + +// Init initializes the file with content from Hide +func (d DebianHider) Init() error { + return d.path.WriteFile([]byte(Hide)) +} diff --git a/pkg/prebuild/cfg/files_test.go b/pkg/prebuild/files_test.go similarity index 99% rename from pkg/prebuild/cfg/files_test.go rename to pkg/prebuild/files_test.go index b4ce13a1c..24d621fd6 100644 --- a/pkg/prebuild/cfg/files_test.go +++ b/pkg/prebuild/files_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "reflect" 
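Review bot: `Flagger.Read` splits each line on a single space, so a flags file entry written as `profile  complain` (two spaces) or `profile<TAB>complain` yields `manifest[1] == ""` or misses the flags entirely, and the empty element is then handed to the `setflags` task in this patch, which builds `" flags=(" + strings.Join(flags, ",") + ") {\n"` and would write `flags=()` into the profile header. Because these flags decide whether a profile is enforced or in complain mode, the parsing should be whitespace-tolerant: `fields := strings.Fields(line)` and then `if len(fields) > 1 { flags = strings.Split(fields[1], ",") }`, with `profile := fields[0]`. A doc comment on `Flagger` describing the line format (`<profile> [flag,flag,...]`) would also help, since nothing in the file states it; whether blank lines are already dropped by `MustReadFilteredFileAsLines` is not visible here.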
diff --git a/pkg/prebuild/cfg/os.go b/pkg/prebuild/os.go similarity index 92% rename from pkg/prebuild/cfg/os.go rename to pkg/prebuild/os.go index b742a3988..8ef8fb79e 100644 --- a/pkg/prebuild/cfg/os.go +++ b/pkg/prebuild/os.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "os" @@ -67,13 +67,13 @@ func getDistribution() string { if id == "ubuntu" { return id } - id_like := Release["ID_LIKE"] + idLike := Release["ID_LIKE"] for main, based := range supportedDists { - if main == id || main == id_like { + if main == id || main == idLike { return main } else if slices.Contains(based, id) { return main - } else if slices.Contains(based, id_like) { + } else if slices.Contains(based, idLike) { return main } } diff --git a/pkg/prebuild/cfg/os_test.go b/pkg/prebuild/os_test.go similarity index 99% rename from pkg/prebuild/cfg/os_test.go rename to pkg/prebuild/os_test.go index 44aef1074..8f9bd338f 100644 --- a/pkg/prebuild/cfg/os_test.go +++ b/pkg/prebuild/os_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "reflect" diff --git a/pkg/prebuild/prebuild.go b/pkg/prebuild/prebuild.go deleted file mode 100644 index 30bf5c2e6..000000000 --- a/pkg/prebuild/prebuild.go +++ /dev/null 
@@ -1,117 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prebuild - -import ( - "strings" - - "github.com/roddhjav/apparmor.d/pkg/logging" - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" - "github.com/roddhjav/apparmor.d/pkg/util" -) - -func init() { - // Define the tasks applied by default - prepare.Register( - "synchronise", - "ignore", - "merge", - "configure", - "setflags", - "systemd-default", - ) - - // Build tasks applied by default - builder.Register("userspace") - builder.Register("dev") - - switch cfg.Distribution { - case "opensuse": - builder.Register("abi3") - cfg.Overwrite = true - - case "ubuntu": - if cfg.Release["VERSION_CODENAME"] == "noble" { - builder.Register("abi3") - cfg.Overwrite = true - } - - case "whonix": - cfg.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure -/etc/apparmor.d/home.tor-browser.firefox -/etc/apparmor.d/tunables/homsanitycheck -/etc/apparmor.d/usr.bin.url_e.d/anondist -/etc/apparmor.d/tunables/home.d/live-mode -/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist -/etc/apparmor.d/usr.bin.hexchat -/etc/apparmor.d/usr.bin.sdwdate -/etc/apparmor.d/usr.bin.systemcheck -/etc/apparmor.d/usr.bin.timeto_unixtime -/etc/apparmor.d/whonix-firewall -` - } -} - -func Prepare() error { - for _, task := range prepare.Prepares { - msg, err := task.Apply() - if err != nil { - return err - } - logging.Success("%s", task.Message()) - logging.Indent = " " - for _, line := range msg { - if strings.Contains(line, "not found") { - logging.Warning("%s", line) - } else { - logging.Bullet("%s", line) - } - } - logging.Indent = "" - } - return nil -} - -func Build() error { - files, _ := 
cfg.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, file := range files { - if !file.Exist() { - continue - } - profile, err := util.ReadFile(file) - if err != nil { - return err - } - profile, err = builder.Run(file, profile) - if err != nil { - return err - } - profile, err = directive.Run(file, profile) - if err != nil { - return err - } - if err := file.WriteFile([]byte(profile)); err != nil { - return err - } - } - - logging.Success("Build tasks:") - logging.Indent = " " - for _, task := range builder.Builds { - logging.Bullet("%s", task.Message()) - } - logging.Indent = "" - logging.Success("Directives processed:") - logging.Indent = " " - for _, dir := range directive.Directives { - logging.Bullet("%s%s", directive.Keyword, dir.Name()) - } - logging.Indent = "" - return nil -} diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go new file mode 100644 index 000000000..4523382d8 --- /dev/null +++ b/pkg/prebuild/prepare/attach.go @@ -0,0 +1,37 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2025 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type ReAttach struct { + prebuild.Base +} + +func init() { + RegisterTask(&ReAttach{ + Base: prebuild.Base{ + Keyword: "attach", + Msg: "Configure tunable for re-attached path", + }, + }) +} + +func (p ReAttach) Apply() ([]string, error) { + res := []string{} + + // Remove the @{att} tunable that is going to be defined in profile header + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) + return res, path.WriteFile([]byte(out)) +} diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index df4daaeb1..9ca3b14d3 100644 
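Review bot: `ReAttach.Apply` reports success even when the `@{att}=""` line it is meant to comment out is not present, because `strings.ReplaceAll` cannot signal a miss; if the spelling of that line in `tunables/multiarch.d/system` ever drifts (spaces around `=`, different quoting), the build stays green and the clash with the `@{att}` defined in the profile headers only shows up when apparmor_parser loads the policy (as far as I recall the parser rejects a second `=` definition of a variable). A guard before the write keeps the failure at build time: `if !strings.Contains(out, "@{att}=\"\"") { return res, fmt.Errorf("@{att} tunable not found in %s", path) }` (this needs `fmt` added to the import block). The header comment could also record the ordering assumption that this task runs before the profile headers are generated, since I cannot see where it is registered.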
--- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go 
@@ -6,62 +6,102 @@ package prepare import ( "fmt" + "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Configure struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&Configure{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "configure", Msg: "Set distribution specificities", }, }) } +func removeFiles(files []string) error { + for _, name := range files { + if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + return err + } + } + return nil +} + func (p Configure) Apply() ([]string, error) { res := []string{} - switch cfg.Distribution { + + switch prebuild.Distribution { case "arch", "opensuse": - if cfg.Overwrite { - if err := cfg.Overwrite.Apply(); err != nil { - return res, err - } - } case "ubuntu": - if err := cfg.DebianHide.Init(); err != nil { + if err := prebuild.DebianHide.Init(); err != nil { return res, err } - if cfg.Overwrite { - if err := cfg.Overwrite.Apply(); err != nil { - return res, err - } - } else { - if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil { + if prebuild.Version < 3.0 { + if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { return res, err } } case "debian", "whonix": - if err := cfg.DebianHide.Init(); err != nil { + if err := prebuild.DebianHide.Init(); err != nil { return res, err } - // Copy Debian specific abstractions - if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil { - return res, err + if prebuild.Version < 4.1 { + // Copy Debian specific abstractions + if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { + return res, err + } } default: - return []string{}, fmt.Errorf("%s is not a supported distribution", cfg.Distribution) + return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution) } + + if prebuild.Version >= 4.1 { + 
remove := []string{ + // Remove files upstreamed in 4.1 + "abstractions/devices-usb-read", + "abstractions/devices-usb", + "abstractions/nameservice-strict", + "tunables/multiarch.d/base", + + // Direct upstream contributed profiles, similar to ours + "wg", + } + if err := removeFiles(remove); err != nil { + return res, err + } + } + if prebuild.Version >= 5.0 { + remove := []string{ + // Direct upstrem contributed profiles, similar to ours + "dig", + "free", + "nslookup", + "who", + } + if err := removeFiles(remove); err != nil { + return res, err + } + + // @{pci_bus} was upstreamed in 5.0 + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") + return res, path.WriteFile([]byte(out)) + } return res, nil } diff --git a/pkg/prebuild/prepare/core.go b/pkg/prebuild/prepare/core.go index 3daf19d8b..74d7778ed 100644 --- a/pkg/prebuild/prepare/core.go +++ b/pkg/prebuild/prepare/core.go @@ -7,7 +7,7 @@ package prepare import ( "fmt" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( @@ -18,9 +18,9 @@ var ( Tasks = map[string]Task{} ) -// Main directive interface +// Task main directive interface type Task interface { - cfg.BaseInterface + prebuild.BaseInterface Apply() ([]string, error) } diff --git a/pkg/prebuild/prepare/core_test.go b/pkg/prebuild/prepare/core_test.go index 34071ff30..ea18d2cd8 100644 --- a/pkg/prebuild/prepare/core_test.go +++ b/pkg/prebuild/prepare/core_test.go @@ -11,7 +11,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func chdirGitRoot() { 
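Review bot: The `@{pci_bus}` removal in the `Version >= 5.0` branch is an exact-string `ReplaceAll` whose miss is indistinguishable from success, so a reformatted tunable line would leave a definition that upstream 5.0 also provides and the duplicate would only be caught when the policy is loaded, not in the build. A check such as `if !strings.Contains(out, "@{pci_bus}=pci@{hex4}:@{hex2}") { return res, fmt.Errorf("@{pci_bus} tunable not found in %s", path) }` before `WriteFile` makes the build fail loudly instead. Two smaller points: the comment in the 5.0 list misspells `upstrem`, and the early `return res, path.WriteFile(...)` will silently skip anything appended after that branch later, so checking the write error and ending the function with the single `return res, nil` is safer for future edits.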
@@ -39,7 +39,7 @@ func TestTask_Apply(t *testing.T) { name: "synchronise", task: Tasks["synchronise"], wantErr: false, - wantFiles: paths.PathList{cfg.RootApparmord.Join("/groups/_full/systemd")}, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("/groups/_full/systemd")}, }, { name: "ignore", @@ -51,7 +51,7 @@ func TestTask_Apply(t *testing.T) { name: "merge", task: Tasks["merge"], wantErr: false, - wantFiles: paths.PathList{cfg.RootApparmord.Join("aa-log")}, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("aa-log")}, }, { name: "configure", @@ -64,27 +64,33 @@ func TestTask_Apply(t *testing.T) { wantErr: false, want: "dists/flags/main.flags", }, + { + name: "overwrite", + task: Tasks["overwrite"], + wantErr: false, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("flatpak.apparmor.d")}, + }, { name: "systemd-default", task: Tasks["systemd-default"], wantErr: false, - wantFiles: paths.PathList{cfg.Root.Join("systemd/system/dbus.service")}, + wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/dbus.service")}, }, { name: "systemd-early", task: Tasks["systemd-early"], wantErr: false, - wantFiles: paths.PathList{cfg.Root.Join("systemd/system/pcscd.service")}, + wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/pcscd.service")}, }, { name: "fsp", task: Tasks["fsp"], wantErr: false, - wantFiles: paths.PathList{cfg.RootApparmord.Join("systemd")}, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("systemd")}, }, } chdirGitRoot() - _ = cfg.Root.RemoveAll() + _ = prebuild.Root.RemoveAll() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got, err := tt.task.Apply() diff --git a/pkg/prebuild/prepare/flags.go b/pkg/prebuild/prepare/flags.go index cd6c2f54e..5a851cbe9 100644 --- a/pkg/prebuild/prepare/flags.go +++ b/pkg/prebuild/prepare/flags.go 
@@ -9,22 +9,21 @@ import ( "regexp" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {`) + regProfileHeader = regexp.MustCompile(` {\n`) ) type SetFlags struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&SetFlags{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "setflags", Msg: "Set flags on some profiles", }, @@ -33,9 +32,9 @@ func init() { func (p SetFlags) Apply() ([]string, error) { res := []string{} - for _, name := range []string{"main", cfg.Distribution} { - for profile, flags := range cfg.Flags.Read(name) { - file := cfg.RootApparmord.Join(profile) + for _, name := range []string{"main", prebuild.Distribution} { + for profile, flags := range prebuild.Flags.Read(name) { + file := prebuild.RootApparmord.Join(profile) if !file.Exist() { res = append(res, fmt.Sprintf("Profile %s not found, ignoring", profile)) continue @@ -43,8 +42,8 @@ func (p SetFlags) Apply() ([]string, error) { // Overwrite profile flags if len(flags) > 0 { - flagsStr := " flags=(" + strings.Join(flags, ",") + ") {" - out, err := util.ReadFile(file) + flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" + out, err := file.ReadFileAsString() if err != nil { return res, err } @@ -57,7 +56,7 @@ func (p SetFlags) Apply() ([]string, error) { } } } - res = append(res, cfg.FlagDir.Join(name+".flags").String()) + res = append(res, prebuild.FlagDir.Join(name+".flags").String()) } return res, nil } diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index ac3e05045..f8d3cb17f 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go 
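Review bot: `regProfileHeader` now anchors on ` {\n`, which removes matches inside rule bodies, but it still matches every header ending that way, so if the replacement between these hunks (not shown) applies it to the whole profile text, a `flags=(...)` entry for a parent profile is stamped onto its child profiles and hats too. Whether flags should propagate to children is a policy decision (an enforced child inside a complain-mode parent can be the whole point of the nesting), so I would either restrict the pattern to unindented `profile ...` headers with a `(?m)^` anchor and keep the matched prefix in the replacement, or state the propagation explicitly in a comment on the `var` block. A CRLF-terminated profile would now not match at all, which is probably acceptable but worth a one-line note.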
@@ -5,20 +5,69 @@ package prepare import ( - "strings" + "regexp" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + tunables = map[string]string{ + // Set systemd profiles name + "sd": "sd", + "sdu": "sdu", + "systemd_user": "systemd-user", + "systemd": "systemd", + + // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they + "dbus_system": "dbus-system", + "dbus_session": "dbus-session", + + // Update name of stacked profiles + "apt_news": "", + "colord": "", + "e2scrub_all": "", + "e2scrub": "", + "fprintd": "", + "fwupd": "", + "fwupdmgr": "", + "geoclue": "", + "irqbalance": "", + "logrotate": "", + "ModemManager": "", + "nm_priv_helper": "", + "pcscd": "", + "polkitd": "", + "power_profiles_daemon": "", + "rsyslogd": "", + "systemd_coredump": "", + "systemd_homed": "", + "systemd_hostnamed": "", + "systemd_importd": "", + "systemd_initctl": "", + "systemd_journal_remote": "", + "systemd_journald": "", + "systemd_localed": "", + "systemd_logind": "", + "systemd_machined": "", + "systemd_networkd": "", + "systemd_oomd": "", + "systemd_resolved": "", + "systemd_rfkill": "", + "systemd_timedated": "", + "systemd_timesyncd": "", + "systemd_userdbd": "", + "upowerd": "", + } ) type FullSystemPolicy struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&FullSystemPolicy{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "fsp", Msg: "Configure AppArmor for full system policy", }, 
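Review bot: The comment above the dbus entries stops mid-sentence (`don't get stacked as they`), so the reason `dbus_system`/`dbus_session` get a fixed name while the entries below get an empty value is lost, and the empty-string convention itself is only explained by a branch in `Apply`. I would finish that sentence and document the map at its declaration, e.g. `// tunables maps a @{p_NAME} tunable to the profile name to use under FSP; an empty value keeps the current name and adds the sd-stacked forms (see Apply)`. The stacked form is built in the second hunk of this file, not here.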
@@ -29,34 +78,28 @@ func (p FullSystemPolicy) Apply() ([]string, error) { res := []string{} // Install full system policy profiles - if err := util.CopyTo(paths.New("apparmor.d/groups/_full/"), cfg.Root.Join("apparmor.d")); err != nil { + if err := paths.New("apparmor.d/groups/_full/").CopyFS(prebuild.Root.Join("apparmor.d")); err != nil { return res, err } - // Set systemd profile name - path := cfg.RootApparmord.Join("tunables/multiarch.d/system") - out, err := util.ReadFile(path) + // Set profile name for FSP + path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") + out, err := path.ReadFileAsString() if err != nil { return res, err } - out = strings.Replace(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd", -1) - out = strings.Replace(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user", -1) - if err := path.WriteFile([]byte(out)); err != nil { - return res, err + for varname, profile := range tunables { + pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) + if profile == "" { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) + } else { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) + } } - - // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = cfg.RootApparmord.Join("abstractions/gstreamer") - out, err = util.ReadFile(path) - if err != nil { - return res, err - } - regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) - out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } // Set systemd unit drop-in files - return res, util.CopyTo(cfg.SystemdDir.Join("full"), cfg.Root.Join("systemd")) + return res, paths.CopyTo(prebuild.SystemdDir.Join("full"), prebuild.Root.Join("systemd")) } diff --git a/pkg/prebuild/prepare/ignore.go b/pkg/prebuild/prepare/ignore.go index 92a1498a7..2aece5174 100644 --- a/pkg/prebuild/prepare/ignore.go +++ b/pkg/prebuild/prepare/ignore.go 
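Review bot: A name listed in `tunables` that does not occur in `tunables/multiarch.d/profiles` is skipped silently by `pattern.ReplaceAllString`, so an FSP build can ship with a service still pointing at its non-FSP profile name and nobody is told; the `setflags` task in this same patch reports exactly this situation (`Profile %s not found, ignoring`), and the same convention fits here: `if !pattern.MatchString(out) { res = append(res, fmt.Sprintf("Tunable @{p_%s} not found, ignoring", varname)); continue }` (needs `fmt` imported). Note also that `[^\s]+` captures a value that is already an alternation, so running the task twice over the same build tree would nest braces; a comment stating that the task is not idempotent would save the next person a debugging session. Map iteration order is random, but the patterns are disjoint (`}=` terminates each name), so that part is fine.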
@@ -6,16 +6,16 @@ package prepare import ( "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Ignore struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&Ignore{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "ignore", Msg: "Ignore profiles and files from:", }, @@ -24,11 +24,11 @@ func init() { func (p Ignore) Apply() ([]string, error) { res := []string{} - for _, name := range []string{"main", cfg.Distribution} { - for _, ignore := range cfg.Ignore.Read(name) { - profile := cfg.Root.Join(ignore) + for _, name := range []string{"main", prebuild.Distribution} { + for _, ignore := range prebuild.Ignore.Read(name) { + profile := prebuild.Root.Join(ignore) if profile.NotExist() { - files, err := cfg.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore)) + files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore)) if err != nil { return res, err } @@ -43,7 +43,7 @@ func (p Ignore) Apply() ([]string, error) { } } } - res = append(res, cfg.IgnoreDir.Join(name+".ignore").String()) + res = append(res, prebuild.IgnoreDir.Join(name+".ignore").String()) } return res, nil } diff --git a/pkg/prebuild/prepare/merge.go b/pkg/prebuild/prepare/merge.go index 86a2ceade..d2c720003 100644 --- a/pkg/prebuild/prepare/merge.go +++ b/pkg/prebuild/prepare/merge.go @@ -9,18 +9,18 @@ import ( "path/filepath" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Merge struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&Merge{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "merge", - Msg: "Merge all profiles into a unified apparmor.d directory", + Msg: "Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory", }, }) } 
@@ -35,18 +35,18 @@ func (p Merge) Apply() ([]string, error) { idx := 0 for idx < len(dirToMerge)-1 { dirMoved, dirRemoved := dirToMerge[idx], dirToMerge[idx+1] - files, err := filepath.Glob(cfg.RootApparmord.Join(dirMoved).String()) + files, err := filepath.Glob(prebuild.RootApparmord.Join(dirMoved).String()) if err != nil { return res, err } for _, file := range files { - err := os.Rename(file, cfg.RootApparmord.Join(filepath.Base(file)).String()) + err := os.Rename(file, prebuild.RootApparmord.Join(filepath.Base(file)).String()) if err != nil { return res, err } } - files, err = filepath.Glob(cfg.RootApparmord.Join(dirRemoved).String()) + files, err = filepath.Glob(prebuild.RootApparmord.Join(dirRemoved).String()) if err != nil { return []string{}, err } diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go new file mode 100644 index 000000000..d974b26e4 --- /dev/null +++ b/pkg/prebuild/prepare/overwrite.go 
@@ -0,0 +1,67 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "fmt" + "os" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ext = "." + prebuild.Pkgname + +type Overwrite struct { + prebuild.Base + Optional bool +} + +func init() { + RegisterTask(&Overwrite{ + Base: prebuild.Base{ + Keyword: "overwrite", + Msg: "Overwrite dummy upstream profiles", + }, + Optional: false, + }) +} + +func (p Overwrite) Apply() ([]string, error) { + res := []string{} + if prebuild.ABI == 3 { + return res, nil + } + + disableDir := prebuild.RootApparmord.Join("disable") + if err := disableDir.Mkdir(); err != nil { + return res, err + } + + path := prebuild.DistDir.Join("overwrite") + if !path.Exist() { + return res, fmt.Errorf("%s not found", path) + } + for _, name := range path.MustReadFilteredFileAsLines() { + origin := prebuild.RootApparmord.Join(name) + dest := prebuild.RootApparmord.Join(name + ext) + if !dest.Exist() && p.Optional { + continue + } + if origin.Exist() { + if err := origin.Rename(dest); err != nil { + return res, err + } + } + originRel, err := origin.RelFrom(dest) + if err != nil { + return res, err + } + if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil { + return res, err + } + } + + return res, nil +} diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go new file mode 100644 index 000000000..fb9a1f602 --- /dev/null +++ b/pkg/prebuild/prepare/server.go 
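Review bot: When `origin` (our own profile) does not exist, `Apply` still creates `disable/<name>` pointing at `../<name>`, so on install the upstream profile is disabled and nothing replaces it — for the unconfined-but-userns-granting dummy profiles this mechanism exists for, that silently strips the userns grant, and for any real upstream profile it leaves the program unconfined (this can happen when the `ignore` task dropped the profile for that distribution). The `Optional` check looks at `dest`, which before the rename can only exist if a previous run already created it, so it does not cover this case. I would skip and report instead, before the rename: `if !origin.Exist() { res = append(res, fmt.Sprintf("Profile %s not found, ignoring", name)); continue }`. Separately, `ext` is computed at package init from `prebuild.Pkgname`, so a downstream build that sets `Pkgname` after init still gets the `.apparmor.d` suffix; computing it inside `Apply` avoids that ordering trap.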
@@ -0,0 +1,108 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "fmt" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + } + serverIgnoreGroups = []string{ + "akonadi", + "avahi", + "bluetooth", + "browsers", + "cosmic", + "cups", + "display-manager", + "flatpak", + "freedesktop", + "gnome", + "gvfs", + "hyprland", + "kde", + "lxqt", + "steam", + "xfce", + "zed", + } +) + +type Server struct { + prebuild.Base +} + +func init() { + RegisterTask(&Server{ + Base: prebuild.Base{ + Keyword: "server", + Msg: "Configure AppArmor for server", + }, + }) +} + +func (p Server) Apply() ([]string, error) { + res := []string{} + + // Ignore desktop related groups + groupNb := 0 + for _, group := range serverIgnoreGroups { + path := prebuild.RootApparmord.Join("groups", group) + if path.IsDir() { + if err := path.RemoveAll(); err != nil { + return res, err + } + groupNb++ + } else { + res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) + } + } + + // Ignore profiles using a desktop related abstraction + fileNb := 0 + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return res, err + } + for _, pattern := range serverIgnorePatterns { + if strings.Contains(profile, pattern) { + if err := file.RemoveAll(); err != nil { + return res, err + } + fileNb++ + break + } + } + } + + res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) + res = append(res, fmt.Sprintf("%d profiles 
ignored", fileNb)) + return res, nil +} diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index e2b5dacd6..b6c2dbf5b 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go @@ -6,35 +6,53 @@ package prepare import ( "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Synchronise struct { - cfg.Base + prebuild.Base + Paths []string // File or directory to sync into the build directory. } func init() { RegisterTask(&Synchronise{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, + Paths: []string{"apparmor.d", "share"}, }) } func (p Synchronise) Apply() ([]string, error) { res := []string{} - dirs := paths.PathList{cfg.RootApparmord, cfg.Root.Join("root"), cfg.Root.Join("systemd")} - for _, dir := range dirs { - if err := dir.RemoveAll(); err != nil { - return res, err - } + if err := prebuild.Root.Join("systemd").RemoveAll(); err != nil { + return res, err } - for _, name := range []string{"apparmor.d", "root"} { - if err := util.CopyTo(paths.New(name), cfg.Root.Join(name)); err != nil { + if err := prebuild.RootApparmord.RemoveAll(); err != nil { + return res, err + } + + for _, name := range p.Paths { + src := paths.New(name) + dst := prebuild.Root.Join(name) + if err := dst.RemoveAll(); err != nil { return res, err } + + if src.IsDir() { + if err := src.CopyFS(dst); err != nil { + return res, err + } + } else { + if err := dst.Parent().MkdirAll(); err != nil { + return res, err + } + if err := src.CopyTo(dst); err != nil { + return res, err + } + } + res = append(res, dst.String()) } return res, nil } diff --git a/pkg/prebuild/prepare/systemd.go b/pkg/prebuild/prepare/systemd.go index 5681783ce..b7646e4bf 100644 --- a/pkg/prebuild/prepare/systemd.go 
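Review bot: The desktop-abstraction check is a `strings.Contains` over the whole profile text, so a commented-out `# include <abstractions/...>` line is enough to delete an otherwise server-relevant profile, and the error from `ReadDirRecursiveFiltered` is discarded with `files, _ :=`, so a partial directory listing would quietly ignore fewer profiles than intended. Matching per line and skipping comments fixes the first; returning the error fixes the second. Also, as rendered here every entry of `serverIgnorePatterns` reads as a bare `"include "` with no abstraction name — if that is an artifact of how the diff was captured (angle brackets stripped) it is harmless, but if the file really reads that way the task would remove every profile that includes anything. A doc comment on the two lists saying they are matched against the start of uncommented lines would pin the intended semantics.

```go
// usesDesktopAbstraction reports whether an uncommented line of the profile
// starts with one of serverIgnorePatterns.
func usesDesktopAbstraction(profile string) bool {
	for _, line := range strings.Split(profile, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "#") {
			continue
		}
		for _, pattern := range serverIgnorePatterns {
			if strings.HasPrefix(line, pattern) {
				return true
			}
		}
	}
	return false
}

	// … unchanged: group removal …
	files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())
	if err != nil {
		return res, err
	}
	for _, file := range files {
		// … unchanged: existence check and ReadFileAsString …
		if usesDesktopAbstraction(profile) {
			if err := file.RemoveAll(); err != nil {
				return res, err
			}
			fileNb++
		}
	}
```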
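Review bot: The task is still described as initializing a clean build directory, but the rewrite only removes `systemd`, `apparmor.d` and the configured `Paths` under `Root`; the `root` subdirectory the old code removed explicitly, and anything else left in `.build` by a previous layout, now survives and may be picked up by whatever packages `.build` (not visible here). Either remove `prebuild.Root` itself before re-creating the entries, or narrow the message to what the task actually guarantees. `Paths` is also used unvalidated in `dst.RemoveAll()`; the defaults are safe, but a downstream entry containing `..` or an absolute path would delete outside the build tree, so a comment on the field stating that entries must be repository-relative paths is warranted even if no check is added.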
+++ b/pkg/prebuild/prepare/systemd.go @@ -5,27 +5,27 @@ package prepare import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/util" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type SystemdDefault struct { - cfg.Base + prebuild.Base } type SystemdEarly struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&SystemdDefault{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "systemd-default", Msg: "Configure systemd unit drop in files to a profile for some units", }, }) RegisterTask(&SystemdEarly{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "systemd-early", Msg: "Configure systemd unit drop in files to ensure some service start after apparmor", }, @@ -33,9 +33,9 @@ func init() { } func (p SystemdDefault) Apply() ([]string, error) { - return []string{}, util.CopyTo(cfg.SystemdDir.Join("default"), cfg.Root.Join("systemd")) + return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("default"), prebuild.Root.Join("systemd")) } func (p SystemdEarly) Apply() ([]string, error) { - return []string{}, util.CopyTo(cfg.SystemdDir.Join("early"), cfg.Root.Join("systemd")) + return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("early"), prebuild.Root.Join("systemd")) } diff --git a/pkg/util/slice.go b/pkg/util/slice.go new file mode 100644 index 000000000..defd9703a --- /dev/null +++ b/pkg/util/slice.go 
@@ -0,0 +1,81 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package util + +// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element. +func RemoveDuplicate[T comparable](inlist []T) []T { + var empty T + list := []T{} + seen := map[T]bool{} + seen[empty] = true + for _, item := range inlist { + if _, ok := seen[item]; !ok { + seen[item] = true + list = append(list, item) + } + } + return list +} + +// Intersect returns the intersection between two collections. +// From https://github.com/samber/lo +func Intersect[T comparable](list1 []T, list2 []T) []T { + result := []T{} + seen := map[T]struct{}{} + + for _, elem := range list1 { + seen[elem] = struct{}{} + } + + for _, elem := range list2 { + if _, ok := seen[elem]; ok { + result = append(result, elem) + } + } + + return result +} + +// Flatten returns an array a single level deep. +// From https://github.com/samber/lo +func Flatten[T comparable](collection [][]T) []T { + totalLen := 0 + for i := range collection { + totalLen += len(collection[i]) + } + + result := make([]T, 0, totalLen) + for i := range collection { + result = append(result, collection[i]...) + } + + return result +} + +// Invert creates a map composed of the inverted keys and values. If map +// contains duplicate values, subsequent values overwrite property assignments +// of previous values. +// Play: https://go.dev/play/p/rFQ4rak6iA1 +func Invert[K comparable, V comparable](in map[K]V) map[V]K { + out := make(map[V]K, len(in)) + + for k := range in { + out[in[k]] = k + } + + return out +} + +func InvertFlatten[V comparable](in map[V][]V) map[V]V { + out := make(map[V]V, len(in)) + + for k := range in { + for _, v := range in[k] { + out[v] = k + } + } + + return out +} diff --git a/pkg/util/slice_test.go b/pkg/util/slice_test.go new file mode 100644 index 000000000..11f05a711 --- /dev/null +++ b/pkg/util/slice_test.go 
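Review bot: `Intersect`, `Flatten` and `Invert` are copied from samber/lo, which to my knowledge is MIT-licensed; MIT requires the copyright and permission notice to accompany the copied code, and a URL in a comment inside a GPL-2.0-only file does not satisfy that, so the lo license header should be reproduced here (or the functions rewritten). `Flatten[T comparable]` needs only `T any`; the stricter constraint prevents flattening slices of non-comparable element types for no benefit. `InvertFlatten` has no doc comment at all — something like `// InvertFlatten maps every element of each value slice back to its key; a value present under several keys ends up with whichever key is iterated last.` documents the same last-wins behavior that `Invert` already states.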
@@ -0,0 +1,120 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2023-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package util
+
+import (
+ "reflect"
+ "testing"
+)
+
+func TestRemoveDuplicate(t *testing.T) {
+ tests := []struct {
+ name string
+ inlist []string
+ want []string
+ }{
+ {
+ name: "Duplicate",
+ inlist: []string{"foo", "bar", "foo", "bar", ""},
+ want: []string{"foo", "bar"},
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := RemoveDuplicate(tt.inlist); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("RemoveDuplicate() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
+
+func TestIntersect(t *testing.T) {
+ tests := []struct {
+ name string
+ list1 []int
+ list2 []int
+ want []int
+ }{
+ {
+ name: "1",
+ list1: []int{0, 1, 2, 3, 4, 5},
+ list2: []int{0, 2},
+ want: []int{0, 2},
+ },
+ {
+ name: "2",
+ list1: []int{0, 1, 2, 3, 4, 5},
+ list2: []int{0, 6},
+ want: []int{0},
+ },
+ {
+ name: "3",
+ list1: []int{0, 1, 2, 3, 4, 5},
+ list2: []int{-1, 6},
+ want: []int{},
+ },
+ {
+ name: "4",
+ list1: []int{0, 6},
+ list2: []int{0, 1, 2, 3, 4, 5},
+ want: []int{0},
+ },
+ {
+ name: "5",
+ list1: []int{0, 6, 0},
+ list2: []int{0, 1, 2, 3, 4, 5},
+ want: []int{0},
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := Intersect(tt.list1, tt.list2); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("Intersect() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
+
+func TestFlatten(t *testing.T) {
+ tests := []struct {
+ name string
+ input [][]int
+ want []int
+ }{
+ {
+ name: "1",
+ input: [][]int{{0, 1}, {2, 3, 4, 5}},
+ want: []int{0, 1, 2, 3, 4, 5},
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := Flatten(tt.input); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("Intersect() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
+
+func TestInvert(t *testing.T) {
+ tests := []struct {
+ name string
+ input map[string]int
+ want 
map[int]string
+ }{
+ {
+ name: "1",
+ input: map[string]int{"a": 1, "b": 2},
+ want: map[int]string{1: "a", 2: "b"},
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := Invert(tt.input); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("Invert() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
diff --git a/pkg/util/tools.go b/pkg/util/tools.go
index 30d5251d6..749a97e62 100644
--- a/pkg/util/tools.go
+++ b/pkg/util/tools.go
@@ -7,10 +7,6 @@ package util
 import (
 "encoding/hex"
 "regexp"
- "slices"
- "strings"
-
- "github.com/roddhjav/apparmor.d/pkg/paths"
 )
 var (
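Review bot: `TestFlatten` reports failures as coming from `Intersect()`, which sends whoever reads a red CI run to the wrong function; the line should read `t.Errorf("Flatten() = %v, want %v", got, tt.want)`. The new file also has no test for `InvertFlatten`, and none of the cases exercise the zero-value filtering of `RemoveDuplicate` on a non-string type (e.g. a constructed case `[]int{0, 1, 0}` expecting `[]int{1}`), which is the least obvious behaviour in slice.go.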
@@ -67,95 +63,7 @@ func DecodeHexInString(str string) string {
 return str
 }
-// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element.
-func RemoveDuplicate[T comparable](inlist []T) []T {
- var empty T
- list := []T{}
- seen := map[T]bool{}
- seen[empty] = true
- for _, item := range inlist {
- if _, ok := seen[item]; !ok {
- seen[item] = true
- list = append(list, item)
- }
- }
- return list
-}
-
-// Intersect returns the intersection between two collections.
-// From https://github.com/samber/lo
-func Intersect[T comparable](list1 []T, list2 []T) []T {
- result := []T{}
- seen := map[T]struct{}{}
-
- for _, elem := range list1 {
- seen[elem] = struct{}{}
- }
-
- for _, elem := range list2 {
- if _, ok := seen[elem]; ok {
- result = append(result, elem)
- }
- }
-
- return result
-}
-
-// CopyTo recursivelly copy all files from a source path to a destination path.
-func CopyTo(src *paths.Path, dst *paths.Path) error {
- files, err := src.ReadDirRecursiveFiltered(nil,
- paths.FilterOutDirectories(),
- paths.FilterOutNames("README.md"),
- )
- if err != nil {
- return err
- }
- for _, file := range files {
- destination, err := file.RelFrom(src)
- if err != nil {
- return err
- }
- destination = dst.JoinPath(destination)
- if err := destination.Parent().MkdirAll(); err != nil {
- return err
- }
- if err := file.CopyTo(destination); err != nil {
- return err
- }
- }
- return nil
-}
-
 // Filter out comments and empty line from a string
 func Filter(src string) string {
 return regFilter.Replace(src)
 }
-
-// ReadFile read a file and return its content as a string.
-func ReadFile(path *paths.Path) (string, error) {
- content, err := path.ReadFile()
- if err != nil {
- return "", err
- }
- return string(content), nil
-}
-
-// MustReadFile read a file and return its content as a string. Panic if an error occurs.
-func MustReadFile(path *paths.Path) string {
- content, err := path.ReadFile()
- if err != nil {
- panic(err)
- }
- return string(content)
-}
-
-// MustReadFileAsLines read a file and return its content as a slice of string.
-// It panics if an error occurs and filter out comments and empty lines.
-func MustReadFileAsLines(path *paths.Path) []string {
- res := strings.Split(Filter(MustReadFile(path)), "\n")
- if slices.Contains(res, "") {
- idx := slices.Index(res, "")
- res = slices.Delete(res, idx, idx+1)
- }
- return res
-}
diff --git a/pkg/util/tools_test.go b/pkg/util/tools_test.go
index 4d5cade6a..e8b2bb837 100644
--- a/pkg/util/tools_test.go
+++ b/pkg/util/tools_test.go
@@ -8,8 +8,6 @@ import (
 "reflect"
 "regexp"
 "testing"
-
- "github.com/roddhjav/apparmor.d/pkg/paths"
 )
 func TestDecodeHexInString(t *testing.T) {
@@ -38,74 +36,6 @@ func TestDecodeHexInString(t *testing.T) {
 }
 }
-func TestRemoveDuplicate(t *testing.T) {
- tests := []struct {
- name string
- inlist []string
- want []string
- }{
- {
- name: "Duplicate",
- inlist: []string{"foo", "bar", "foo", "bar", ""},
- want: []string{"foo", "bar"},
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- if got := RemoveDuplicate(tt.inlist); !reflect.DeepEqual(got, tt.want) {
- t.Errorf("RemoveDuplicate() = %v, want %v", got, tt.want)
- }
- })
- }
-}
-
-func TestIntersect(t *testing.T) {
- tests := []struct {
- name string
- list1 []int
- list2 []int
- want []int
- }{
- {
- name: "1",
- list1: []int{0, 1, 2, 3, 4, 5},
- list2: []int{0, 2},
- want: []int{0, 2},
- },
- {
- name: "2",
- list1: []int{0, 1, 2, 3, 4, 5},
- list2: []int{0, 6},
- want: []int{0},
- },
- {
- name: "3",
- list1: []int{0, 1, 2, 3, 4, 5},
- list2: []int{-1, 6},
- want: []int{},
- },
- {
- name: "4",
- list1: []int{0, 6},
- list2: []int{0, 1, 2, 3, 4, 5},
- want: []int{0},
- },
- {
- name: "5",
- list1: []int{0, 6, 0},
- list2: []int{0, 1, 2, 3, 4, 5},
- want: []int{0},
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- if got := Intersect(tt.list1, tt.list2); !reflect.DeepEqual(got, tt.want) {
- t.Errorf("Intersect() = %v, want %v", got, tt.want)
- }
- })
- }
-}
-
 func TestToRegexRepl(t *testing.T) {
 tests := []struct {
 name string
@@ -158,47 +88,6 @@ func TestRegexReplList_Replace(t *testing.T) {
 }
 }
-func TestCopyTo(t *testing.T) {
- tests := []struct {
- name string
- src *paths.Path
- dst *paths.Path
- wantErr bool
- }{
- {
- name: "default",
- src: paths.New("../../apparmor.d/groups/_full/"),
- dst: paths.New("/tmp/test/apparmor.d/groups/_full/"),
- wantErr: false,
- },
- {
- name: "issue-source",
- src: paths.New("../../apparmor.d/groups/nope/"),
- dst: paths.New("/tmp/test/apparmor.d/groups/_full/"),
- wantErr: true,
- },
- // {
- // name: "issue-dest-1",
- // src: paths.New("../../apparmor.d/groups/_full/"),
- // dst: paths.New("/"),
- // wantErr: true,
- // },
- // {
- // name: "issue-dest-2",
- // src: paths.New("../../apparmor.d/groups/_full/"),
- // dst: paths.New("/_full/"),
- // wantErr: true,
- // },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- if err := CopyTo(tt.src, tt.dst); (err != nil) != tt.wantErr {
- t.Errorf("CopyTo() error = %v, wantErr %v", err, tt.wantErr)
- }
- })
- }
-}
-
 func Test_Filter(t *testing.T) {
 tests := []struct {
 name string
diff --git a/requirements.txt b/requirements.txt
index 8be8158d5..d30bccf19 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 mkdocs
+mkdocs-git-committers-plugin-2
 mkdocs-git-revision-date-localized-plugin
 mkdocs-material
 mkdocs-minify-plugin
diff --git a/root/usr/share/bash-completion/completions/aa-log b/share/bash-completion/completions/aa-log
similarity index 100%
rename from root/usr/share/bash-completion/completions/aa-log
rename to share/bash-completion/completions/aa-log
diff --git a/root/usr/share/libalpm/hooks/apparmor.hook b/share/libalpm/hooks/apparmor.hook
similarity index 100%
rename from root/usr/share/libalpm/hooks/apparmor.hook
rename to share/libalpm/hooks/apparmor.hook
diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8
new file mode 100644
index 000000000..62f40966e
--- /dev/null
+++ b/share/man/man8/aa-log.8
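Review bot: `mkdocs-git-committers-plugin-2` is added without any version constraint, so every docs build resolves whatever the newest release on the package index is at that moment; the existing entries have the same shape, but each new unpinned package widens that exposure. Pinning the version here (`mkdocs-git-committers-plugin-2==<pinned-version>`) or generating the file with hashes via pip-compile would make the documentation build reproducible and easier to audit.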
@@ -0,0 +1,79 @@
+.\" Automatically generated by Pandoc 3.1.12.1
+.\"
+.TH "aa\-log" "8" "September 2024" "" ""
+.SH NAME
+aa\-log \[em] Review AppArmor generated messages in a colorful way.
+.SH SYNOPSIS
+\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]]
+.SH DESCRIPTION
+Review AppArmor generated messages in a colourful way.
+Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R]
+as well as \f[I]dbus session\f[R] events.
+.PP
+It can be given an optional profile name to filter the output with.
+.PP
+It can be used to generate AppArmor rules from the logs and it therefore
+an alternative to \f[CR]aa\-logprof(8)\f[R].
+The generated rules should be manually reviewed and inserted into the
+profile.
+.PP
+Default logs are read from \f[CR]/var/log/audit/audit.log\f[R].
+Other files in \f[CR]/var/log/audit/\f[R] can easily be checked:
+\f[B]aa\-log \-f 1\f[R] parses \f[CR]audit.log.1\f[R]
+.SH OPTIONS
+\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]]
+.TP
+[\f[I]profile\f[R]]
+Optional profile name to filter the output with.
+.TP
+\f[CR]\-\-file\f[R], \f[CR]\-f\f[R]
+Set a logfile or a suffix to the default log file.
+.TP
+\f[CR]\-\-systemd\f[R], \f[CR]\-s\f[R]
+Parse systemd logs from journalctl.
+Provides all AppArmor logs since the last boot.
+.TP
+\f[CR]\-\-rules\f[R], \f[CR]\-r\f[R]
+Convert the log into AppArmor rules.
+.TP
+\f[CR]\-\-raw\f[R], \f[CR]\-R\f[R]
+Print the raw log without any formatting.
+Useful for reporting logs.
+.TP
+\f[CR]\-\-help\f[R], \f[CR]\-h\f[R]
+Print the program usage.
+.SH USAGE
+To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]:
+.IP
+.EX
+aa\-log
+.EE
+.PP
+To optionally filter a given profile name:
+\f[CR]aa\-log \f[R] (your shell will autocomplete the
+profile name):
+.IP
+.EX
+$ aa\-log dnsmasq
+DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
+DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r
+DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
+.EE
+.PP
+To generate AppArmor rule:
+.IP
+.EX
+$ aa\-log \-r dnsmasq
+profile dnsmasq {
+ \[at]{PROC}/\[at]{pid}/environ r,
+ \[at]{PROC}/cmdline r,
+ \[at]{PROC}/sys/kernel/osrelease r,
+}
+.EE
+.SH SEE ALSO
+\f[CR]aa\-logprof(8)\f[R], \f[CR]apparmor(7)\f[R],
+\f[CR]apparmor.d(5)\f[R], \f[CR]aa\-genprof(1)\f[R],
+\f[CR]aa\-enforce(1)\f[R], \f[CR]aa\-complain(1)\f[R],
+\f[CR]aa\-disable(1)\f[R], and https://apparmor.pujol.io.
+.SH AUTHORS
+aa\-log was written by Alexandre Pujol (alexandre\[at]pujol.io).
diff --git a/share/man/man8/aa-log.md b/share/man/man8/aa-log.md
new file mode 100644
index 000000000..0b7fe8afa
--- /dev/null
+++ b/share/man/man8/aa-log.md
@@ -0,0 +1,80 @@
+% aa-log(8)
+% aa-log was written by Alexandre Pujol (alexandre@pujol.io)
+% September 2024
+
+# NAME
+
+aa-log — Review AppArmor generated messages in a colorful way.
+
+# SYNOPSIS
+
+**aa-log** [*options…*] [*profile*]
+
+# DESCRIPTION
+
+Review AppArmor generated messages in a colourful way. Support logs from *auditd*, *systemd*, *syslog* as well as *dbus session* events.
+
+It can be given an optional profile name to filter the output with.
+
+It can be used to generate AppArmor rules from the logs and it therefore an alternative to `aa-logprof(8)`. The generated rules should be manually reviewed and inserted into the profile.
+
+Default logs are read from `/var/log/audit/audit.log`. Other files in `/var/log/audit/` can easily be checked: **aa-log -f 1** parses `audit.log.1`
+
+# OPTIONS
+
+**aa-log** [*options…*] [*profile*]
+
+[*profile*]
+
+: Optional profile name to filter the output with.
+
+`--file`, `-f`
+
+: Set a logfile or a suffix to the default log file.
+
+`--systemd`, `-s`
+
+: Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot.
+
+`--rules`, `-r`
+
+: Convert the log into AppArmor rules.
+
+`--raw`, `-R`
+
+: Print the raw log without any formatting. Useful for reporting logs.
+
+`--help`, `-h`
+
+: Print the program usage.
+
+
+# USAGE
+
+To read the AppArmor log from `/var/log/audit/audit.log`:
+```sh
+aa-log
+```
+
+To optionally filter a given profile name: `aa-log ` (your shell will autocomplete the profile name):
+```
+$ aa-log dnsmasq
+DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r
+DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r
+DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
+```
+
+To generate AppArmor rule:
+```
+$ aa-log -r dnsmasq
+profile dnsmasq {
+ @{PROC}/@{pid}/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+}
+```
+
+# SEE ALSO
+
+`aa-logprof(8)`, `apparmor(7)`, `apparmor.d(5)`, `aa-genprof(1)`, `aa-enforce(1)`, `aa-complain(1)`, `aa-disable(1)`, and
+https://apparmor.pujol.io.
diff --git a/root/usr/share/zsh/site-functions/_aa-log.zsh b/share/zsh/site-functions/_aa-log.zsh
similarity index 100%
rename from root/usr/share/zsh/site-functions/_aa-log.zsh
rename to share/zsh/site-functions/_aa-log.zsh
diff --git a/systemd/default/system/dbus-broker.service b/systemd/default/system/dbus-broker.service
index 8d3ed8b73..899828b40 100644
--- a/systemd/default/system/dbus-broker.service
+++ b/systemd/default/system/dbus-broker.service
@@ -1,2 +1,5 @@
+[Unit]
+After=apparmor.service
+
 [Service]
 AppArmorProfile=dbus-system
diff --git a/systemd/default/system/dbus.service b/systemd/default/system/dbus.service
index 8d3ed8b73..899828b40 100644
--- a/systemd/default/system/dbus.service
+++ b/systemd/default/system/dbus.service
@@ -1,2 +1,5 @@
+[Unit]
+After=apparmor.service
+
 [Service]
 AppArmorProfile=dbus-system
diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service
deleted file mode 100644
index 9c1fad533..000000000
--- a/systemd/default/user/at-spi-dbus-bus.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=dbus-accessibility
diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service
deleted file mode 100644
index 818d5cdf3..000000000
--- a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=ibus-daemon
diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service
index 03d352890..2d1593f19 100644
--- a/systemd/full/system/ModemManager.service
+++ b/systemd/full/system/ModemManager.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&ModemManager
diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service
new file mode 100644
index 000000000..73bbc99d8
--- /dev/null
+++ b/systemd/full/system/apport-coredump-hook@.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&apport
\ No newline at end of file
diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service
new file mode 100644
index 000000000..d7bf885dd
--- /dev/null
+++ b/systemd/full/system/apt-news.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&apt_news
diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service
index 03d352890..b88768556 100644
--- a/systemd/full/system/archlinux-keyring-wkd-sync.service
+++ b/systemd/full/system/archlinux-keyring-wkd-sync.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&archlinux-keyring-wkd-sync
diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service
index 03d352890..5cccff422 100644
--- a/systemd/full/system/bluetooth.service
+++ b/systemd/full/system/bluetooth.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&bluetoothd
\ No newline at end of file
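Review bot: `AppArmorProfile=&ModemManager` uses a `&` prefix that systemd itself does not define for `AppArmorProfile=` (only a leading `-` to ignore errors is documented), so presumably the prebuild step rewrites it; a comment in that generator or in the project docs stating what `&` expands to would help, because this series mixes three spellings — `&name` here, bare `name.service` in debug-shell.service, dmesg.service, grub-common.service, ldconfig.service, man-db.service, secureboot-db.service, snapd.system-shutdown.service and system-update-cleanup.service, and `&name.service` in cloud-init-hotplugd.service and shadow.service — and a misspelt profile name in a drop-in without the `-` prefix only surfaces as a unit that fails to start. Replacing `NoNewPrivileges=no` (and, in geoclue.service and fwupd-refresh.service, the other `*=no` overrides) also means the upstream sandboxing settings of those units apply again; if the profile is now attached by systemd before exec that is the intended outcome, but it is worth confirming on one unit whose upstream file sets `NoNewPrivileges=yes` that the unit still starts and `aa-status` lists it under the expected profile. Several of the new drop-ins also end without a trailing newline (`\ No newline at end of file`); systemd accepts that, but it is worth fixing for tidiness. The same points apply to every `NoNewPrivileges=no` replacement and new drop-in that follows, through systemd-userdbd.service.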
diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service
new file mode 100644
index 000000000..a2a121fc3
--- /dev/null
+++ b/systemd/full/system/cloud-init-hotplugd.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&cloud-init-hotplugd.service
diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service
new file mode 100644
index 000000000..9a64fbc26
--- /dev/null
+++ b/systemd/full/system/colord.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&colord
diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service
index 03d352890..6d078aea9 100644
--- a/systemd/full/system/dbus-org.freedesktop.hostname1.service
+++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-hostnamed
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service
index 03d352890..0ab519541 100644
--- a/systemd/full/system/dbus-org.freedesktop.import1.service
+++ b/systemd/full/system/dbus-org.freedesktop.import1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-importd
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service
index 03d352890..276595080 100644
--- a/systemd/full/system/dbus-org.freedesktop.locale1.service
+++ b/systemd/full/system/dbus-org.freedesktop.locale1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-localed
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service
index 03d352890..c5728915c 100644
--- a/systemd/full/system/dbus-org.freedesktop.login1.service
+++ b/systemd/full/system/dbus-org.freedesktop.login1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-logind
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service
index 03d352890..315b1b230 100644
--- a/systemd/full/system/dbus-org.freedesktop.machine1.service
+++ b/systemd/full/system/dbus-org.freedesktop.machine1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-machined
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service
index 03d352890..ab04c5a45 100644
--- a/systemd/full/system/dbus-org.freedesktop.timedate1.service
+++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-timedated
\ No newline at end of file
diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service
new file mode 100644
index 000000000..f895f7941
--- /dev/null
+++ b/systemd/full/system/debug-shell.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=debug-shell.service
\ No newline at end of file
diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service
new file mode 100644
index 000000000..d4647117b
--- /dev/null
+++ b/systemd/full/system/dmesg.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=dmesg.service
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service
index 03d352890..7340b7610 100644
--- a/systemd/full/system/e2scrub@.service
+++ b/systemd/full/system/e2scrub@.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&e2scrub
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service
index 03d352890..b903d2f0a 100644
--- a/systemd/full/system/e2scrub_reap.service
+++ b/systemd/full/system/e2scrub_reap.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&e2scrub_all
\ No newline at end of file
diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service
index 03d352890..5f1f063fa 100644
--- a/systemd/full/system/fprintd.service
+++ b/systemd/full/system/fprintd.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&fprintd
\ No newline at end of file
diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service
index fa215b3f0..acd28a5a4 100644
--- a/systemd/full/system/fwupd-refresh.service
+++ b/systemd/full/system/fwupd-refresh.service
@@ -1,4 +1,2 @@
 [Service]
-ProtectKernelModules=no
-RestrictRealtime=no
-ProtectKernelModules=no
+AppArmorProfile=&fwupdmgr
\ No newline at end of file
diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service
new file mode 100644
index 000000000..5054a73d6
--- /dev/null
+++ b/systemd/full/system/fwupd.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&fwupd
\ No newline at end of file
diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service
index 4ba897659..2c10e32f5 100644
--- a/systemd/full/system/geoclue.service
+++ b/systemd/full/system/geoclue.service
@@ -1,6 +1,2 @@
 [Service]
-NoNewPrivileges=no
-MemoryDenyWriteExecute=no
-ProtectKernelTunables=no
-ProtectKernelModules=no
-RestrictRealtime=no
+AppArmorProfile=&geoclue
\ No newline at end of file
diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service
new file mode 100644
index 000000000..8520aea76
--- /dev/null
+++ b/systemd/full/system/grub-common.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=grub-common.service
\ No newline at end of file
diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service
index 03d352890..eab67fa44 100644
--- a/systemd/full/system/irqbalance.service
+++ b/systemd/full/system/irqbalance.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&irqbalance
\ No newline at end of file
diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service
new file mode 100644
index 000000000..1b2a9c287
--- /dev/null
+++ b/systemd/full/system/ldconfig.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=ldconfig.service
\ No newline at end of file
diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service
new file mode 100644
index 000000000..bc984e025
--- /dev/null
+++ b/systemd/full/system/logrotate.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&logrotate
\ No newline at end of file
diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service
deleted file mode 100644
index dabf76f3a..000000000
--- a/systemd/full/system/low-memory-monitor.service
+++ /dev/null
@@ -1,3 +0,0 @@
-[Service]
-NoNewPrivileges=no
-
diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service
new file mode 100644
index 000000000..d3a78dd80
--- /dev/null
+++ b/systemd/full/system/man-db.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=man-db.service
\ No newline at end of file
diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service
index 03d352890..53f99edd0 100644
--- a/systemd/full/system/nm-priv-helper.service
+++ b/systemd/full/system/nm-priv-helper.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&nm-priv-helper
diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service
deleted file mode 100644
index 03d352890..000000000
--- a/systemd/full/system/paccache.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service
deleted file mode 100644
index 03d352890..000000000
--- a/systemd/full/system/passim.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service
new file mode 100644
index 000000000..8d39f3f26
--- /dev/null
+++ b/systemd/full/system/pcscd.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&pcscd
diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service
index 03d352890..b21a28baa 100644
--- a/systemd/full/system/polkit.service
+++ b/systemd/full/system/polkit.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&polkitd
diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service
new file mode 100644
index 000000000..45c5ed93b
--- /dev/null
+++ b/systemd/full/system/power-profiles-daemon.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&power-profiles-daemon
\ No newline at end of file
diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service
deleted file mode 100644
index 03d352890..000000000
--- a/systemd/full/system/reflector.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service
index 03d352890..c52a85d0c 100644
--- a/systemd/full/system/rngd.service
+++ b/systemd/full/system/rngd.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&rngd
diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service
new file mode 100644
index 000000000..6b49a73f0
--- /dev/null
+++ b/systemd/full/system/rsyslog.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&rsyslogd
diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service
new file mode 100644
index 000000000..722781b8a
--- /dev/null
+++ b/systemd/full/system/secureboot-db.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=secureboot-db.service
diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service
index dabf76f3a..52d2f644c 100644
--- a/systemd/full/system/shadow.service
+++ b/systemd/full/system/shadow.service
@@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
-
+AppArmorProfile=&shadow.service
diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service
new file mode 100644
index 000000000..7953d522a
--- /dev/null
+++ b/systemd/full/system/snapd.system-shutdown.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=snapd.system-shutdown.service
\ No newline at end of file
diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service
new file mode 100644
index 000000000..24c914f77
--- /dev/null
+++ b/systemd/full/system/system-update-cleanup.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=system-update-cleanup.service
\ No newline at end of file
diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service
new file mode 100644
index 000000000..d13624709
--- /dev/null
+++ b/systemd/full/system/systemd-coredump@.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-coredump
diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service
index 03d352890..65d4ae62e 100644
--- a/systemd/full/system/systemd-homed.service
+++ b/systemd/full/system/systemd-homed.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-homed
diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service
index 03d352890..6d078aea9 100644
--- a/systemd/full/system/systemd-hostnamed.service
+++ b/systemd/full/system/systemd-hostnamed.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-hostnamed
\ No newline at end of file
diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service
new file mode 100644
index 000000000..e44c8767f
--- /dev/null
+++ b/systemd/full/system/systemd-initctl.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-initctl
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service
new file mode 100644
index 000000000..e08cf75a9
--- /dev/null
+++ b/systemd/full/system/systemd-journal-remote.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-journal-remote
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service
index 0316a67c8..48f5a0156 100644
--- a/systemd/full/system/systemd-journald.service
+++ b/systemd/full/system/systemd-journald.service
@@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
-ProtectClock=no
\ No newline at end of file
+AppArmorProfile=&systemd-journald
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service
index 0316a67c8..48f5a0156 100644
--- a/systemd/full/system/systemd-journald@.service
+++ b/systemd/full/system/systemd-journald@.service
@@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service index 03d352890..276595080 100644 --- a/systemd/full/system/systemd-localed.service +++ b/systemd/full/system/systemd-localed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service index 0316a67c8..c5728915c 100644 --- a/systemd/full/system/systemd-logind.service +++ b/systemd/full/system/systemd-logind.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/systemd-machined.service +++ b/systemd/full/system/systemd-machined.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service index 03d352890..3f4b60849 100644 --- a/systemd/full/system/systemd-networkd.service +++ b/systemd/full/system/systemd-networkd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-networkd diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service new file mode 100644 index 000000000..2dc668b80 --- /dev/null +++ b/systemd/full/system/systemd-nsresourced.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-nsresourced 
diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service new file mode 100644 index 000000000..c384626ee --- /dev/null +++ b/systemd/full/system/systemd-oomd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-oomd diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service index 03d352890..fd36871e4 100644 --- a/systemd/full/system/systemd-resolved.service +++ b/systemd/full/system/systemd-resolved.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-resolved diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service new file mode 100644 index 000000000..4abf222d5 --- /dev/null +++ b/systemd/full/system/systemd-rfkill.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-rfkill diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service index 03d352890..78dd0193d 100644 --- a/systemd/full/system/systemd-timedated.service +++ b/systemd/full/system/systemd-timedated.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service new file mode 100644 index 000000000..0cd6fefbf --- /dev/null +++ b/systemd/full/system/systemd-timesyncd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-timesyncd diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service index 03d352890..d3771658d 100644 --- a/systemd/full/system/systemd-userdbd.service +++ b/systemd/full/system/systemd-userdbd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-userdbd diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service index 03d352890..082e8f0fa 100644 
--- a/systemd/full/system/upower.service +++ b/systemd/full/system/upower.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&upowerd diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service new file mode 100644 index 000000000..0eca1db25 --- /dev/null +++ b/systemd/full/system/usb_modeswitch@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=usb_modeswitch.service \ No newline at end of file diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/filter-chain.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service deleted file mode 100644 index c392e82fe..000000000 --- a/systemd/full/user/pipewire-media-session.service +++ /dev/null @@ -1,5 +0,0 @@ -[Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -LockPersonality=no -RestrictNamespaces=no diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service new file mode 100644 index 000000000..1d35a493e --- /dev/null +++ b/systemd/full/user/pipewire-pulse.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire-pulse \ No newline at end of file diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/pipewire.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file 
diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file diff --git a/tests/Makefile b/tests/Makefile deleted file mode 100644 index de4a15f78..000000000 --- a/tests/Makefile +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Usage: -# make archlinux flavor=gnome -# vagrant up arch-gnome -# vagrant ssh archl-gnome - -# Build variables -flavor ?= -disk ?= 10G - -VERSION := 0.$(shell git rev-list --count HEAD) -BASE = archlinux debian ubuntu opensuse fedora - -.PHONY: ${BASE} lint - -$(BASE): - @make --directory=../ package dist=${@} - @packer build -force -var version=${VERSION} \ - -var disk_size=${disk} -var flavor="${flavor}" \ - -only=qemu.${@}-${flavor} packer/ - -lint: - @packer fmt --check packer/ - @packer validate --syntax-only packer/ diff --git a/tests/Vagrantfile b/tests/Vagrantfile deleted file mode 100644 index fce3a3f0d..000000000 --- a/tests/Vagrantfile +++ /dev/null 
@@ -1,62 +0,0 @@ -# -*- mode: ruby -*- -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -require 'yaml' - -machines = YAML.load_file(File.join(File.dirname(__FILE__), 'boxes.yml')) -default = machines['defaults'] - -Vagrant.require_version '>= 2.0.0' - -Vagrant.configure("2") do |config| - - config.ssh.keys_only = true - config.ssh.insert_key = false - config.ssh.private_key_path = [ '~/.ssh/id_ed25519' ] - config.ssh.username = 'user' - - machines['boxes'].each do |instance| - - # Configure the VMs per details in boxes.yml - config.vm.define instance['name'] do |srv| - srv.vm.box = instance['box'] - srv.vm.box_check_update = false - srv.vm.post_up_message = instance.to_yaml - srv.vm.synced_folder '.', '/vagrant', disabled: true - if !ENV['AA_INTEGRATION'] - srv.vm.synced_folder '../', '/home/user/Projects/apparmor.d', type: 'virtiofs', mount: false - end - - # Configure Libvirt provider - srv.vm.provider 'libvirt' do |libvirt| - libvirt.driver = 'kvm' - libvirt.default_prefix = 'aa-' - libvirt.connect_via_ssh = false - libvirt.storage_pool_name = 'ssd' - libvirt.memory = instance.fetch('ram', default['ram']) - libvirt.cpus = instance.fetch('cpu', default['cpu']) - libvirt.cpu_mode = 'host-passthrough' - libvirt.machine_type = 'q35' - libvirt.video_type = 'virtio' - libvirt.graphics_type = 'spice' - libvirt.sound_type = 'ich9' - libvirt.tpm_model = 'tpm-crb' - libvirt.tpm_type = 'emulator' - libvirt.tpm_version = '2.0' - libvirt.random model: 'random' - libvirt.memorybacking 'source', type: 'memfd' - libvirt.memorybacking 'access', mode: 'shared' - libvirt.channel type: 'unix', target_name: 'org.qemu.guest_agent.0', target_type: 'virtio' - (1..2).each do - libvirt.redirdev :type => "spicevmc" - end - if instance.fetch('uefi', default['uefi']) - libvirt.loader = '/usr/share/edk2-ovmf/x64/OVMF_CODE.fd' - end - end - - end - end -end 
diff --git a/tests/boxes.yml b/tests/boxes.yml deleted file mode 100644 index 9846342c5..000000000 --- a/tests/boxes.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- - -defaults: - uefi: true - ram: '6144' - cpu: '6' - -boxes: - - name: arch-gnome - box: aa-archlinux-gnome - uefi: false - - - name: arch-kde - box: aa-archlinux-kde - uefi: false - - - name: arch-server - box: aa-archlinux-server - uefi: false - - - name: ubuntu-desktop - box: aa-ubuntu-desktop - - - name: ubuntu-desktop24 - box: aa-ubuntu-desktop24 - - - name: ubuntu-server - box: aa-ubuntu-server - - - name: ubuntu-server24 - box: aa-ubuntu-server24 - - - name: debian-server - box: aa-debian-server - - - name: debian-gnome - box: aa-debian-gnome - - - name: debian-kde - box: aa-debian-kde - - - name: opensuse-kde - box: aa-opensuse-kde diff --git a/tests/check.sh b/tests/check.sh new file mode 100644 index 000000000..b54bc157a --- /dev/null +++ b/tests/check.sh 
@@ -0,0 +1,633 @@ +#!/usr/bin/env bash +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Usage: just check +# shellcheck disable=SC2044 + +set -eu -o pipefail + +RES=$(mktemp) +echo "false" >"$RES" +MAX_JOBS=$(nproc) +APPARMORD=${CHECK_APPARMORD:-apparmor.d} +SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} +declare WITH_CHECK +declare _check_is_disabled +declare _check_is_disabled_global +_FILE_IGNORE_ALL=false +readonly APPARMORD SBIN_LIST RES MAX_JOBS +readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" +_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } +_warn() { + local name="$1" file="$2" + shift 2 + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" +} +_err() { + local name="$1" file="$2" + shift 2 + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" + echo "true" >"$RES" +} + +_in_array() { + local item needle="$1" + shift + for item in "$@"; do + if [[ "${item}" == "${needle}" ]]; then + return 0 + fi + done + return 1 +} + +_is_enabled() { + local check="$1" + if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then + if _in_array "$check" "${_check_is_disabled_global[@]}"; then + return 1 + fi + fi + if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then + return 0 + fi + if _in_array "$check" "${_check_is_disabled[@]}"; then + return 1 + fi + return 0 + fi + return 1 +} + +_wait() { + local -n job=$1 + job=$((job + 1)) + if ((job >= MAX_JOBS)); then + wait -n + job=$((job - 1)) + fi +} + +_IGNORE_LINT_BLOCK=false +readonly _IGNORE_LINT="#aa:lint ignore" +_ignore_lint() { + local checks line="$1" + + if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then + # Start of an ignore block (or file-wide if in header) + 
checks="${line#*"$_IGNORE_LINT="}" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + # Treat as file-wide ignore + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + _IGNORE_LINT_BLOCK=false + return 0 + fi + _IGNORE_LINT_BLOCK=true + _check_is_disabled=("${_parsed[@]}") + + elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then + # New paragraph, end of block + _IGNORE_LINT_BLOCK=false + _check_is_disabled=() + + elif [[ $_IGNORE_LINT_BLOCK == true ]]; then + # Nothing to do, we are in a block/paragraph + return 0 + + elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then + # Inline ignore (or file-wide if in header) + checks="${line#*"$_IGNORE_LINT="}" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + return 0 + fi + _check_is_disabled=("${_parsed[@]}") + + else + # Do not clear if file-wide ignore is set + if ! $_FILE_IGNORE_ALL; then + _check_is_disabled=() + fi + fi +} + +_check() { + local file="$1" + line_number=0 + _FILE_IGNORE_ALL=false + _check_is_disabled_global=() + + while IFS= read -r line; do + line_number=$((line_number + 1)) + _ignore_lint "$line" + + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header + fi + _check_tabs + _check_trailing + _check_indentation + _check_vim + _check_udev + + # The following checks do not apply to commented lines + [[ "$line" =~ ^[[:space:]]*# ]] && continue + if [[ "$line" =~ ,[[:space:]]*# ]]; then + line="${line%%#*}" + fi + + # Rules checks + _check_abstractions + _check_directory_mark + _check_equivalent + _check_too_wide + _check_transition + _check_useless + _check_tunables + + # Guidelines check + _check_abi + _check_include + _check_profile + _check_subprofiles + + done <"$file" + + # Results + _res_abi + _res_include + _res_profile + _res_subprofiles + _res_header + _res_vim +} + +# Rules checks: security, compatibility, and rule issues + 
+readonly ABS="abstractions" +readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) +declare -A ABS_DEPRECATED=( + ["nameservice"]="nameservice-strict" + ["bash"]="shell" + ["X"]="X-strict" + ["dbus-accessibility-strict"]="bus-accessibility" + ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" + ["dbus-session-strict"]="bus-session" + ["dbus-system-strict"]="bus-system" + ["gnome"]="gnome-strict" + ["kde"]="kde-strict" +) +_check_abstractions() { + _is_enabled abstractions || return 0 + + local absname + for absname in "${ABS_DANGEROUS[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + fi + done + for absname in "${!ABS_DEPRECATED[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + fi + done + if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then + _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'" + fi +} + +readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') +_check_directory_mark() { + _is_enabled directory-mark || return 0 + for pattern in "${DIRECTORIES[@]}"; do + if [[ "$line" == *"$pattern"* ]]; then + [[ "$line" == *'='* ]] && continue + if [[ ! "$line" == *"$pattern/"* ]]; then + _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + fi + fi + done +} + +declare -A EQUIVALENTS=( + ["awk"]="{m,g,}awk" + ["gawk"]="{m,g,}awk" + ["grep"]="{,e}grep" + ["gs"]="gs{,.bin}" + ["which"]="which{,.debianutils}" +) +_check_equivalent() { + _is_enabled equivalent || return 0 + local prgmname + for prgmname in "${!EQUIVALENTS[@]}"; do + if [[ "$line" == *"/$prgmname "* ]]; then + if [[ ! 
"$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then + _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + fi + fi + done +} + +readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') +_check_too_wide() { + _is_enabled too-wide || return 0 + for pattern in "${TOOWIDE[@]}"; do + if [[ "$line" == *" $pattern "* ]]; then + _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" + fi + done +} + +readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' + chgrp chmod chown cp find head install link ln ls mkdir mktemp mv rm rmdir + sed shred stat tail tee test timeout touch truncate unlink +) +readonly TRANSITION_MUST_PC=( # Must transition to 'Px' + ischroot who +) +readonly TRANSITION_MUST_C=( # Must transition to 'Cx' + sysctl kmod pgrep pkill pkexec sudo systemctl udevadm + fusermount fusermount3 fusermount{,3} + nvim vim sensible-editor +) +_check_transition() { + _is_enabled transition || return 0 + for prgmname in "${!TRANSITION_MUST_CI[@]}"; do + if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + _err transition "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_PC[@]}"; do + if [[ "$line" =~ "/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + _err transition "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_C[@]}"; do + if [[ "$line" =~ "/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + _warn transition "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" + fi + done +} + +readonly USELESS=( + 'ptrace readby' + '/usr/share/locale/' + 
'@{sys}/devices/system/cpu/online' + '@{sys}/devices/system/cpu/possible' + '@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size' + '@{PROC}/@{pid}/auxv' '@{PROC}/@{pid}/maps' '@{PROC}/@{pid}/status' '@{PROC}/cpuinfo' + '@{PROC}/filesystems' '@{PROC}/meminfo' '@{PROC}/stat' + '@{PROC}/sys/kernel/cap_last_cap' '@{PROC}/sys/kernel/ngroups_max' + '@{PROC}/sys/kernel/version' '@{PROC}/sys/vm/overcommit_memory' + '/dev/full' '/dev/zero' +) +_check_useless() { + _is_enabled useless || return 0 + for rule in "${!USELESS[@]}"; do + if [[ "$line" == *"${USELESS[$rule]}"* ]]; then + _err useless "$file:$line_number" "rule already included in the base abstraction, remove it" + fi + done +} + +declare -A TUNABLES=( + # User variables + ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}" + ["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}" + ["/home/[^/]+/"]="@{HOME}/" + + # System variables + ["/usr/lib(|32|64|exec)"]='@{lib}' + ["/usr/sbin"]='@{sbin}' + ["/usr/bin"]='@{bin}' + ["(x86_64|amd64|i386|i686)"]='@{arch}' + ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' + ["/usr/etc/"]='@{etc_ro}/' + ["/boot/(|efi/)"]="@{efi}/" + ["/efi/"]="@{efi}/" + ["/var/run/"]='@{run}/' + ["/run/"]='@{run}/' + ["user/[0-9]*/"]='user/@{uid}/' + ["/tmp/user/[^/]+/"]='@{tmp}/' + ["/sys/"]='@{sys}/' + ["/proc/"]='@{PROC}/' + ["1000"]="@{uid}" + + # Some system glob + [":not.active.yet"]="@{busname}" + [":1.[0-9]*"]="@{busname}" + ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" + ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" +) +_check_tunables() { + _is_enabled tunables || return 0 + for 
pattern in "${!TUNABLES[@]}"; do + rpattern="$pattern" + [[ "$rpattern" == /* ]] && rpattern=" $rpattern" + if [[ "$line" =~ $rpattern ]]; then + match="${BASH_REMATCH[0]}" + _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" + fi + done +} + +# Guidelines check: https://apparmor.pujol.io/development/guidelines/ + +RES_ABI=false +readonly ABI_SYNTAX='abi ,' +_check_abi() { + _is_enabled abi || return 0 + if [[ "$line" == *"$ABI_SYNTAX" ]]; then + RES_ABI=true + fi +} +_res_abi() { + _is_enabled abi || return 0 + if ! $RES_ABI; then + _err abi "$file" "missing 'abi ,'" + fi +} + +RES_INCLUDE=false +_check_include() { + _is_enabled include || return 0 + if [[ "$line" == *"${include}"* ]]; then + RES_INCLUDE=true + fi +} +_res_include() { + _is_enabled include || return 0 + if ! $RES_INCLUDE; then + _err include "$file" "missing '$include'" + fi +} + +RES_PROFILE=false +_check_profile() { + _is_enabled profile || return 0 + if [[ "$line" =~ ^"profile $name" ]]; then + RES_PROFILE=true + fi +} +_res_profile() { + _is_enabled profile || return 0 + if ! 
$RES_PROFILE; then + _err profile "$file" "missing profile name: 'profile $name'" + fi +} + +# Style check + +readonly HEADERS=( + "# apparmor.d - Full set of apparmor profiles" + "# Copyright (C) " + "# SPDX-License-Identifier: GPL-2.0-only" +) +_RES_HEADER=(false false false) +_check_header() { + _is_enabled header || return 0 + for idx in "${!HEADERS[@]}"; do + if [[ "$line" == "${HEADERS[$idx]}"* ]]; then + _RES_HEADER[idx]=true + break + fi + done +} +_res_header() { + _is_enabled header || return 0 + for idx in "${!_RES_HEADER[@]}"; do + if ${_RES_HEADER[$idx]}; then + continue + fi + _err header "$file" "missing header: '${HEADERS[$idx]}'" + done +} + +_check_tabs() { + _is_enabled tabs || return 0 + if [[ "$line" =~ $'\t' ]]; then + _err tabs "$file:$line_number" "tabs are not allowed" + fi +} + +_check_trailing() { + _is_enabled trailing || return 0 + if [[ "$line" =~ [[:space:]]+$ ]]; then + _err trailing "$file:$line_number" "line has trailing whitespace" + fi +} + +_CHECK_IN_PROFILE=false +_CHECK_FIRST_LINE_AFTER_PROFILE=true +_check_indentation() { + _is_enabled indentation || return 0 + if [[ "$line" =~ ^profile ]]; then + _CHECK_IN_PROFILE=true + _CHECK_FIRST_LINE_AFTER_PROFILE=true + + elif $_CHECK_IN_PROFILE; then + if $_CHECK_FIRST_LINE_AFTER_PROFILE; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _err indentation "$file:$line_number" "profile must have a two-space indentation" + fi + _CHECK_FIRST_LINE_AFTER_PROFILE=false + + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break + fi + if ((num_spaces % 2 == 0)); then + ok=true + break + fi + done + + if ! 
$ok; then + _err indentation "$file:$line_number" "invalid indentation" + fi + fi + fi + fi +} + +_CHEK_IN_SUBPROFILE=false +declare -A _RES_SUBPROFILES +_check_subprofiles() { + _is_enabled subprofiles || return 0 + if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then + indentation="${BASH_REMATCH[1]}" + subprofile="${BASH_REMATCH[2]}" + subprofile="${subprofile%% *}" + include="${indentation}include if exists " + _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" + _CHEK_IN_SUBPROFILE=true + elif $_CHEK_IN_SUBPROFILE; then + if [[ "$line" == *"$include" ]]; then + _RES_SUBPROFILES["$subprofile"]=true + fi + fi +} +_res_subprofiles() { + _is_enabled subprofiles || return 0 + for msg in "${_RES_SUBPROFILES[@]}"; do + if [[ $msg == true ]]; then + continue + fi + _err subprofiles "$file" "$msg" + done +} + +readonly VIM_SYNTAX="# vim:syntax=apparmor" +RES_VIM=false +_check_vim() { + _is_enabled vim || return 0 + if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then + RES_VIM=true + fi +} +_res_vim() { + _is_enabled vim || return 0 + if ! 
$RES_VIM; then + _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'" + fi +} + +_check_udev() { + _is_enabled udev || return 0 + if [[ "$line" == *"@{run}/udev/data/"* ]]; then + if [[ "$line" != *"#"* ]]; then + _err udev "$file:$line_number" "udev data path without a description comment" + fi + fi +} + +check_sbin() { + local file name jobs + mapfile -t sbin <"$SBIN_LIST" + _msg "Ensuring '@{bin} and '@{sbin}' are correctly used in profiles" + + jobs=0 + for name in "${sbin[@]}"; do + ( + mapfile -t files < <( + grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT=sbin)" "$APPARMORD" | + cut -d: -f1,2 + ) + for file in "${files[@]}"; do + _err sbin "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" + done + ) & + _wait jobs + done + wait + + local pattern='[[:alnum:]_.-]+' # Pattern for valid file names + jobs=0 + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" "$APPARMORD" | cut -d: -f1,2) + for file in "${files[@]}"; do + ( + while read -r match; do + name="${match/\@\{sbin\}\//}" + if ! 
_in_array "$name" "${sbin[@]}"; then + _err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list" + fi + done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") + ) & + _wait jobs + done + wait +} + +check_profiles() { + _msg "Checking profiles" + mapfile -t files < <( + find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ + -prune -o -type f -print + ) + jobs=0 + WITH_CHECK=( + abstractions directory-mark equivalent too-wide useless transition tunables + abi include profile header tabs trailing indentation subprofiles vim udev + ) + for file in "${files[@]}"; do + ( + name="$(basename "$file")" + name="${name/.apparmor.d/}" + include="include if exists " + _check "$file" + ) & + _wait jobs + done + wait +} + +check_abstractions() { + _msg "Checking abstractions" + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) + jobs=0 + WITH_CHECK=( + abstractions directory-mark equivalent too-wide tunables + abi include header tabs trailing indentation vim udev + ) + for file in "${files[@]}"; do + ( + name="$(basename "$file")" + absdir="${file/${APPARMORD}\//}" + include="include if exists <${absdir}.d>" + _check "$file" + ) & + _wait jobs + done + wait + + mapfile -t files < <( + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true + find "$APPARMORD/mappings" -type f 2>/dev/null || true + ) + # shellcheck disable=SC2034 + jobs=0 + WITH_CHECK=( + abstractions directory-mark equivalent too-wide tunables + header tabs trailing indentation vim udev + ) + for file in "${files[@]}"; do + _check "$file" & + _wait jobs + done + wait +} + +check_sbin +check_profiles +check_abstractions + +FAIL=$(cat "$RES") +if [[ "$FAIL" == "true" ]]; then + exit 1 +fi 
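Review bot: In `_check_abstractions` the Ubuntu-abstraction branch reports `'<$ABS/$absname>'`, but `absname` at that point is whatever key the `ABS_DEPRECATED` loop left behind, so the error names the wrong abstraction; capture the match instead, `if [[ "$line" =~ "<$ABS/"(ubuntu-[^>]*)">" ]]; then` and report `'<$ABS/${BASH_REMATCH[1]}>'`. `RES=$(mktemp)` is never removed, so every run leaves a file behind in the temp directory; a `trap 'rm -f "$RES"' EXIT` right after the assignment is enough, since the backgrounded `( … )` subshells that call `_err` do not inherit the parent's EXIT trap. In `check_sbin`, each entry of `sbin.list` is spliced unescaped into a `grep -P` pattern, so an entry containing a regex metacharacter (a `.` for instance) would match more than the literal name; the entries are presumably plain, but wrapping the name in `\Q…\E` would make that explicit.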
diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml new file mode 100644 index 000000000..9ed6c1d92 --- /dev/null +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -0,0 +1,57 @@ +#cloud-config + +packages: + # Install core packages + - apparmor + - base-devel + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - just + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Applications + - firefox + - chromium + - terminator + + # Install Graphical Interface + - cosmic + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable cosmic-greeter + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml new file mode 100644 index 000000000..d33f685b6 --- /dev/null +++ b/tests/cloud-init/archlinux-gnome.user-data.yml 
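Review bot: The `write_files` entries of `archlinux-cosmic.user-data.yml` are aliases (`*grub-enable-apparmor`, `*setup-bash-aliases`, `*shared-directory`) whose anchors are not defined in this document, so the file is not valid YAML on its own and cloud-init would reject it unless the harness prepends the file that defines them; the `&core-packages`-style anchors are visible in `tests/cloud-init/archlinux.yml`, but the `write_files` anchors are not visible here. A one-line comment after `#cloud-config`, such as `# Anchors (*grub-enable-apparmor, …) come from <file that defines them>; this file is merged with it before use`, would make that dependency explicit. The same applies to the archlinux-gnome, archlinux-kde, archlinux-lxqt, archlinux-server and archlinux-xfce hunks. This file also inlines the core package list that the sibling files take from an alias, and its `# Install usefull core packages` comment should read `useful`.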
@@ -0,0 +1,26 @@ +#cloud-config + +packages: *gnome-packages + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable gdm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml new file mode 100644 index 000000000..cb4c4d3b0 --- /dev/null +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -0,0 +1,26 @@ +#cloud-config + +packages: *kde-packages + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable sddm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-lxqt.user-data.yml b/tests/cloud-init/archlinux-lxqt.user-data.yml new file mode 100644 index 000000000..208f7dab5 --- /dev/null +++ b/tests/cloud-init/archlinux-lxqt.user-data.yml 
@@ -0,0 +1,28 @@ +#cloud-config + +packages: *lxqt-packages + +# lxqt-wayland-session kwin + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable sddm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml new file mode 100644 index 000000000..2b3567171 --- /dev/null +++ b/tests/cloud-init/archlinux-server.user-data.yml @@ -0,0 +1,24 @@ +#cloud-config + +packages: *core-packages + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable rngd + - systemctl enable systemd-timesyncd.service + +write_files: + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml new file mode 100644 index 000000000..afba57519 --- /dev/null +++ b/tests/cloud-init/archlinux-xfce.user-data.yml 
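Review bot: `- *systemd-netword` in `archlinux-server.user-data.yml` reads like a typo for a `systemd-network` anchor; if the defining file really names it `&systemd-netword` it still resolves, but the name is misleading next to the `# Network configuration for server` comment. The anchor definition is not in this diff, so please confirm the spelling against the file that provides it.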
@@ -0,0 +1,26 @@
+#cloud-config
+
+packages: *xfce-packages
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable lightdm.service
+ - systemctl enable NetworkManager
+ - systemctl enable rngd
+ - systemctl enable avahi-daemon
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml
new file mode 100644
index 000000000..629de7d02
--- /dev/null
+++ b/tests/cloud-init/archlinux.yml
@@ -0,0 +1,170 @@
+#cloud-config
+
+core-packages: &core-packages
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+gnome-packages: &gnome-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - alacarte
+ - gnome
+ - gnome-extra
+ - ptyxis
+ - seahorse
+
+kde-packages: &kde-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - plasma-meta
+ - sddm
+ - ark
+ - dolphin
+ - konsole
+ - okular
+
+lxqt-packages: &lxqt-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - lxqt
+ - breeze-icons
+ - sddm
+
+xfce-packages: &xfce-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - xfce4
+ - xfce4-goodies
+ - lightdm
+ - lightdm-gtk-greeter
+
+# Enable AppArmor in kernel parameters
+grub-enable-apparmor: &grub-enable-apparmor
+ path: /etc/default/grub
+ append: true
+ content: |
+ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1"
+
+# Set some bash aliases
+setup-bash-aliases: &setup-bash-aliases
+ path: /etc/skel/.bashrc
+ append: true
+ content: |
+ [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases
diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml
new file mode 100644
index 000000000..2048e5368
--- /dev/null
+++ b/tests/cloud-init/common.yml
@@ -0,0 +1,39 @@
+#cloud-config
+
+hostname: ${hostname}
+
+ssh_pwauth: true
+users:
+ - name: ${username}
+ plain_text_passwd: ${password}
+ shell: /bin/bash
+ ssh_authorized_keys:
+ - ${ssh_key}
+ lock_passwd: false
+ sudo: ALL=(ALL) NOPASSWD:ALL
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: false
+
+# Mount shared directory
+shared-directory: &shared-directory
+ path: /etc/fstab
+ append: true
+ content: |
+ 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1
+
+# Network configuration for server
+systemd-netword: &systemd-netword
+ path: /etc/systemd/network/20-wired.network
+ owner: "root:root"
+ permissions: "0644"
+ content: |
+ [Match]
+ Name=en*
+
+ [Network]
+ DHCP=yes
+
+ [DHCPv4]
+ RouteMetric=10
diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml
new file mode 100644
index 000000000..b96bb5880
--- /dev/null
+++ b/tests/cloud-init/debian.yml
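Review bot: `spice-vdagent` appears twice in each of the `gnome-packages`, `kde-packages`, `lxqt-packages` and `xfce-packages` lists — once in the copied core block and again under `# Desktop packages for Archlinux`; the second occurrence is redundant and should go. The core block is pasted into all four desktop lists because YAML anchors cannot merge sequences, which means a package added to `core-packages` has to be added five times; a comment on `core-packages` such as `# NOTE: keep the copies in gnome/kde/lxqt/xfce-packages in sync, anchors cannot merge sequences` would at least make that maintenance rule visible. `core-packages`, `grub-enable-apparmor` and the other anchor holders are also not cloud-config keys, so cloud-init's schema validation will presumably warn about them in the merged document; if that is accepted, a comment saying so saves the next reader a check.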
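Review bot: The fstab line under `shared-directory` mounts the share at `/home/user/Projects/apparmor.d` while the account created above is `${username}`, so with any username other than `user` the share lands outside the login's home (and the mount point may not exist when fstab is processed); either template the path too, `/home/${username}/Projects/apparmor.d`, or add a comment that the tests assume `username=user`. The four `${…}` values are plain scalars: quoting them (`plain_text_passwd: "${password}"`, `- "${ssh_key}"`) keeps a substituted value such as `no`, `0644` or one containing `: ` from being retyped or breaking the mapping. The virtiofs tag `0a31bc478ef8e2461a4b1cc10a24cc4` is meaningless without the host side; a comment naming where that tag is configured would help. `ssh_pwauth: true`, `lock_passwd: false` and `sudo: ALL=(ALL) NOPASSWD:ALL` together describe a disposable local test VM, and a one-line header stating that scope would document the intent. Finally, the anchor name `systemd-netword` reads like a typo for `systemd-network`; it is used consistently so it is cosmetic, but renaming is cheaper now than after more files reference it.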
@@ -0,0 +1,97 @@
+#cloud-config
+
+# Core packages for Debian
+core-packages: &core-packages
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+gnome-packages: &gnome-packages
+ # Core packages for Debian
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # Gnome packages for Debian
+ - spice-vdagent
+ - task-gnome-desktop
+ - terminator
+ - loupe
+ - ptyxis
+
+kde-packages: &kde-packages
+ # Core packages for Debian
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # KDE packages for Debian
+ - spice-vdagent
+ - task-kde-desktop
+ - plasma-workspace-wayland
+ - terminator
+
+debian12-runcmd: &debian12-runcmd
+ - apt-get update -y
+ - apt-get install -y -t bookworm-backports golang-go
+
+debian13-runcmd: &debian13-runcmd
+ - apt-get update -y
+ - apt-get install -y golang-go
+
+# Add backports repository
+debian12-backports: &debian12-backports
+ path: /etc/apt/sources.list
+ append: true
+ content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free
diff --git a/tests/cloud-init/debian12-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml
new file mode 100644
index 000000000..fbb3d1232
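Review bot: `content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free` under `debian12-backports` is a plain scalar with no trailing newline, while every other `write_files` entry in this commit uses a `|` block; with `append: true` the entry is glued to the end of `/etc/apt/sources.list` and anything appended later lands on the same line. Use `content: |` followed by the `deb …` line for consistency and a terminating newline. `debian12-runcmd` and `debian13-runcmd` differ only by `-t bookworm-backports`; a comment on `debian12-runcmd` stating that bookworm's own `golang-go` is too old for this project's Go code would explain why backports is needed, if that is the reason.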
--- /dev/null
+++ b/tests/cloud-init/debian12-gnome.user-data.yml
@@ -0,0 +1,10 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd: *debian12-runcmd
+
+write_files:
+ - *debian12-backports # Add backports repository
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/packer/init/debian-kde.user-data.yml b/tests/cloud-init/debian12-kde.user-data.yml
similarity index 65%
rename from tests/packer/init/debian-kde.user-data.yml
rename to tests/cloud-init/debian12-kde.user-data.yml
index a608e9b0b..451068db1 100644
--- a/tests/packer/init/debian-kde.user-data.yml
+++ b/tests/cloud-init/debian12-kde.user-data.yml
@@ -1,23 +1,5 @@ #cloud-config -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - auditd
@@ -27,8 +9,8 @@ packages: - devscripts - htop - qemu-guest-agent - - spice-vdagent - rsync + - spice-vdagent - vim - task-kde-desktop
diff --git a/tests/cloud-init/debian12-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml
new file mode 100644
index 000000000..cec721285
--- /dev/null
+++ b/tests/cloud-init/debian12-server.user-data.yml
@@ -0,0 +1,10 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd: *debian12-runcmd
+
+write_files:
+ - *debian12-backports # Add backports repository
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml
new file mode 100644
index 000000000..0d5adfe17
--- /dev/null
+++ b/tests/cloud-init/debian13-gnome.user-data.yml
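Review bot: After the rename, `debian12-kde.user-data.yml` still carries an inline `packages:` list while its siblings `debian12-gnome` and `debian12-server` in the same commit use `packages: *kde-packages` / `*core-packages`, `runcmd: *debian12-runcmd` and the shared `write_files` aliases; as far as these two hunks show, the KDE image therefore keeps its own package list and gets neither the backports entry nor the `golang-go` install the other debian12 images get. Replacing the list with `packages: *kde-packages` and adding the same `runcmd`/`write_files` block would make the three files consistent. Only the first five new lines and the reordered `spice-vdagent` are visible here; the rest of the file is outside these hunks.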
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd: *debian13-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml
new file mode 100644
index 000000000..5a4d33bf5
--- /dev/null
+++ b/tests/cloud-init/debian13-kde.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *kde-packages
+
+runcmd: *debian13-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml
new file mode 100644
index 000000000..692548770
--- /dev/null
+++ b/tests/cloud-init/debian13-server.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd: *debian13-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml
new file mode 100644
index 000000000..b59d66af3
--- /dev/null
+++ b/tests/cloud-init/opensuse-gnome.user-data.yml
@@ -0,0 +1,22 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd:
+ # Replace SELinux by AppArmor in kernel parameters
+ - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub
+
+ # Regenerate grub.cfg
+ - grub2-mkconfig -o /boot/grub2/grub.cfg
+
+ # Ensure auditd is enabled
+ - systemctl enable systemd-journald-audit.socket
+
+write_files:
+ - *shared-directory # Setup shared directory
+
+ - path: /etc/sysconfig/displaymanager
+ append: true
+ content: |
+ DISPLAYMANAGER="gdm"
+
diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml
new file mode 100644
index 000000000..2058846dd
--- /dev/null
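Review bot: The `write_files` entry that appends `DISPLAYMANAGER="gdm"` to `/etc/sysconfig/displaymanager` runs in cloud-init's init stage, before `packages: *gnome-packages` installs the pattern that ships that file, so the line is written to a file that may not exist yet and the final content depends on how the package install treats the pre-existing file — TODO confirm the ordering on openSUSE. If the intent is to select the display manager after installation, `defer: true` on that entry (cloud-init then writes it in the final stage) or a `sed` in `runcmd` like the grub edit above would be deterministic. opensuse-kde has the same construct with `sddm`.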
+++ b/tests/cloud-init/opensuse-kde.user-data.yml
@@ -0,0 +1,18 @@
+#cloud-config
+
+packages: *kde-packages
+
+# apparmor.debug=1
+runcmd:
+ # Replace SELinux by AppArmor in kernel parameters
+ - sed -i 's/security=selinux selinux=1/apparmor=1/g' /etc/default/grub
+
+ # Regenerate grub.cfg
+ - grub2-mkconfig -o /boot/grub2/grub.cfg
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - path: /etc/sysconfig/displaymanager
+ append: true
+ content: |
+ DISPLAYMANAGER="sddm"
diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml
new file mode 100644
index 000000000..b6d35cd68
--- /dev/null
+++ b/tests/cloud-init/opensuse-server.user-data.yml
@@ -0,0 +1,14 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd:
+ # Replace SELinux by AppArmor in kernel parameters
+ - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub
+
+ # Regenerate grub.cfg
+ - grub2-mkconfig -o /boot/grub2/grub.cfg
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml
new file mode 100644
index 000000000..ab0954c6a
--- /dev/null
+++ b/tests/cloud-init/opensuse.yml
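Review bot: The grub `sed` here replaces the SELinux parameters with `apparmor=1` only, whereas opensuse-gnome and opensuse-server in this same commit write `apparmor=1 apparmor.debug=1`, and the dangling `# apparmor.debug=1` comment above `runcmd:` suggests the flag was meant to be here too. Either align the replacement string with the other two files or turn the comment into an explanation of why the KDE image runs without it (for instance `# apparmor.debug=1 intentionally omitted: <reason>`).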
@@ -0,0 +1,70 @@
+#cloud-config
+
+# Core packages for OpenSUSE
+core-packages: &core-packages
+ - pattern:apparmor
+ - apparmor-profiles
+ - bash-completion
+ - distribution-release
+ - docker
+ - git
+ - go
+ - golang-packaging
+ - htop
+ - just
+ - rpmbuild
+ - rsync
+ - systemd-container
+ - systemd-homed
+ - vim
+
+gnome-packages: &gnome-packages
+ # Core packages for OpenSUSE
+ - pattern:apparmor
+ - apparmor-profiles
+ - bash-completion
+ - distribution-release
+ - docker
+ - git
+ - go
+ - golang-packaging
+ - htop
+ - just
+ - rpmbuild
+ - rsync
+ - systemd-container
+ - systemd-homed
+ - vim
+
+ # Gnome packages for OpenSUSE
+ - pattern:gnome
+ - gdm
+ - spice-vdagent
+ - terminator
+ - loupe
+ - ptyxis
+
+kde-packages: &kde-packages
+ # Core packages for OpenSUSE
+ - pattern:apparmor
+ - apparmor-profiles
+ - bash-completion
+ - distribution-release
+ - docker
+ - git
+ - go
+ - golang-packaging
+ - htop
+ - just
+ - rpmbuild
+ - rsync
+ - systemd-container
+ - systemd-homed
+ - vim
+
+ # KDE packages for OpenSUSE
+ - pattern:kde_plasma
+ - pattern:kde
+ - sddm
+ - spice-vdagent
+ - terminator
diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml
new file mode 100644
index 000000000..1f3563750
--- /dev/null
+++ b/tests/cloud-init/ubuntu.yml
@@ -0,0 +1,114 @@
+#cloud-config
+
+core-packages: &core-packages
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - golang-go
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+desktop-packages: &desktop-packages
+ # Core packages for Ubuntu
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - golang-go
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # Desktop packages for Ubuntu
+ - spice-vdagent
+ - terminator
+ - ubuntu-desktop
+ - loupe
+ - ptyxis
+
+kubuntu-packages: &kubuntu-packages
+ # Core packages for Ubuntu
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - golang-go
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # Desktop packages for Ubuntu
+ - spice-vdagent
+ - terminator
+ - kubuntu-desktop
+ - plasma-workspace-wayland
+
+desktop-runcmd: &desktop-runcmd
+ # Add missing snap packages
+ - snap install snap-store
+ - snap install snapd-desktop-integration
+ - snap install --edge desktop-security-center
+
+ # Remove default filesystem and related tools not used with the suggested
+ # storage layout. These may yet be required if different partitioning schemes
+ # are used.
+ - apt-get -y purge btrfs-progs xfsprogs
+
+ # Remove other packages present by default in Ubuntu Server but not
+ # normally present in Ubuntu Desktop.
+ - >-
+ apt-get -y purge
+ byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader
+ mdadm motd-news-config ncurses-term open-iscsi open-vm-tools
+ screen sg3-utils sosreport ssh-import-id sssd tmux
+
+ # Finally, remove things only installed as dependencies of other things
+ # we have already removed.
+ - apt-get -y autoremove
+
+ # Ensure systemd-networkd is disabled
+ - systemctl disable systemd-networkd-wait-online.service
+
+ # Ensure auditd is enabled
+ - systemctl enable systemd-journald-audit.socket
diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml
new file mode 100644
index 000000000..7f4183d49
--- /dev/null
+++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml
@@ -0,0 +1,8 @@
+#cloud-config
+
+packages: *desktop-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml
new file mode 100644
index 000000000..bea74af3a
--- /dev/null
+++ b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *kubuntu-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml
new file mode 100644
index 000000000..98b78ec80
--- /dev/null
+++ b/tests/cloud-init/ubuntu24-server.user-data.yml
@@ -0,0 +1,7 @@
+#cloud-config
+
+packages: *core-packages
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu25-desktop.user-data.yml b/tests/cloud-init/ubuntu25-desktop.user-data.yml
new file mode 100644
index 000000000..7f4183d49
--- /dev/null
+++ b/tests/cloud-init/ubuntu25-desktop.user-data.yml
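Review bot: `snap install --edge desktop-security-center` in `desktop-runcmd` tracks the edge channel, so every image build picks up whatever unreleased revision is current and a failing test cannot be reproduced against a known version. If edge is used because the snap has no stable release yet, say so in the comment (`# desktop-security-center: only published on edge so far, move to stable once available`); otherwise pin a channel or revision. The long `apt-get -y purge` list as a folded `>-` scalar is the right choice; a note on where that list comes from (if it mirrors Ubuntu's own server-to-desktop cleanup) would help whoever has to update it.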
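Review bot: `- *systemd-netword # Network configuration for server` is added to the kubuntu image but not to `ubuntu24-desktop`, so the two desktop variants boot with different network setups, and the alias's own comment says it is the server configuration. Either drop it here to match the desktop image, or add a comment explaining why the kubuntu image needs the static `20-wired.network` file. `ubuntu25-kubuntu` has the same line.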
@@ -0,0 +1,8 @@
+#cloud-config
+
+packages: *desktop-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml
new file mode 100644
index 000000000..bea74af3a
--- /dev/null
+++ b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *kubuntu-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu25-server.user-data.yml b/tests/cloud-init/ubuntu25-server.user-data.yml
new file mode 100644
index 000000000..98b78ec80
--- /dev/null
+++ b/tests/cloud-init/ubuntu25-server.user-data.yml
@@ -0,0 +1,7 @@
+#cloud-config
+
+packages: *core-packages
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cmd/main.go b/tests/cmd/main.go
index de1d27561..e7e620b00 100644
--- a/tests/cmd/main.go
+++ b/tests/cmd/main.go
@@ -8,171 +8,88 @@ import ( "flag" "fmt" "os" - "os/exec" - "strings" - "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" - bcfg "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/tests/integration" ) -const usage = `aa-test [-h] [--bootstrap | --run | --list] +const usage = `aa-test [-h] --bootstrap Integration tests manager tool for apparmor.d Options: -h, --help Show this help message and exit. - -b, --bootstrap Bootstrap tests using tldr pages. - -r, --run Run a predefined list of tests. - -l, --list List the configured tests. - -f, --file FILE Set a tests file. Default: tests/tests.yml - -d, --deps Install tests dependencies. - -D, --dryrun Do not do the action, list it. + -b, --bootstrap Download tests using tldr pages and generate Bats tests. ` var ( help bool bootstrap bool - run bool - list bool - deps bool - dryRun bool - cfg Config ) -type Config struct { - TldrDir *paths.Path // Default: tests/tldr - ScenariosDir *paths.Path // Default: tests - TldrFile *paths.Path // Default: tests/tldr.yml - TestsFile *paths.Path // Default: tests/tests.yml - SettingsFile *paths.Path // Default: tests/settings.yml - Profiles paths.PathList // List of profiles -} - -func NewConfig() Config { - cfg := Config{ - TldrDir: paths.New("tests/tldr"), - ScenariosDir: paths.New("tests/"), - Profiles: paths.PathList{}, - } - cfg.TldrFile = cfg.ScenariosDir.Join("tldr.yml") - cfg.TestsFile = cfg.ScenariosDir.Join("tests.yml") - cfg.SettingsFile = cfg.ScenariosDir.Join("settings.yml") - return cfg -} - -func LoadTestSuite() (*integration.TestSuite, error) { - tSuite := integration.NewTestSuite() - if err := tSuite.ReadTests(cfg.TestsFile); err != nil { - return tSuite, err - } - if err := tSuite.ReadSettings(cfg.SettingsFile); err != nil { - return tSuite, err - } - return tSuite, nil -} - func init() { - cfg = NewConfig() - files, _ := 
aa.MagicRoot.ReadDir(paths.FilterOutDirectories()) - for _, path := range files { - cfg.Profiles.Add(path) - } - flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&bootstrap, "b", false, "Bootstrap tests using tldr pages.") - flag.BoolVar(&bootstrap, "bootstrap", false, "Bootstrap tests using tldr pages.") - flag.BoolVar(&run, "r", false, "Run a predefined list of tests.") - flag.BoolVar(&run, "run", false, "Run a predefined list of tests.") - flag.BoolVar(&list, "l", false, "List the tests to run.") - flag.BoolVar(&list, "list", false, "List the tests to run.") - flag.BoolVar(&deps, "d", false, "Install tests dependencies.") - flag.BoolVar(&deps, "deps", false, "Install tests dependencies.") - flag.BoolVar(&dryRun, "D", false, "Do not do the action, list it.") - flag.BoolVar(&dryRun, "dryrun", false, "Do not do the action, list it.") + flag.BoolVar(&bootstrap, "b", false, "Download tests using tldr pages and generate Bats tests.") + flag.BoolVar(&bootstrap, "bootstrap", false, "Download tests using tldr pages and generate Bats tests.") } -func testDownload() error { - tldr := integration.NewTldr(cfg.TldrDir) +type Config struct { + TestsDir *paths.Path // Default: tests + TldrDir *paths.Path // Default: tests/tldr + TldrFile *paths.Path // Default: tests/tldr.yml + TestsFile *paths.Path // Default: tests/tests.yml + BatsDir *paths.Path // Default: tests/bats_dirty +} + +func NewConfig() *Config { + testsDir := paths.New("tests") + cfg := Config{ + TestsDir: testsDir, + TldrDir: testsDir.Join("tldr"), + TldrFile: testsDir.Join("tldr.yml"), + TestsFile: testsDir.Join("tldr.yml"), + BatsDir: testsDir.Join("bats_dirty"), + } + return &cfg +} + +func run() error { + logging.Step("Bootstraping tests") + cfg := NewConfig() + + tldr := NewTldr(cfg.TldrDir) if err := tldr.Download(); err != nil { return err } - tSuite, err := tldr.Parse() + tests, err := tldr.Parse() if 
err != nil { return err } - // Default bootstraped scenarios file - if err := tSuite.Write(cfg.TldrFile); err != nil { + if err := cfg.BatsDir.RemoveAll(); err != nil { return err } - logging.Bullet("Default scenarios saved: %s", cfg.TldrFile) - logging.Bullet("Number of tests found %d", len(tSuite.Tests)) - return nil -} - -func testDeps(dryRun bool) error { - tSuite, err := LoadTestSuite() - if err != nil { - return nil + if err := cfg.BatsDir.MkdirAll(); err != nil { + return err } - - deps := tSuite.GetDependencies() - switch bcfg.Distribution { - case "arch": - arg := []string{"pacman", "-Sy", "--noconfirm"} - arg = append(arg, deps...) - cmd := exec.Command("sudo", arg...) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - if dryRun { - fmt.Println(strings.Join(cmd.Args, " ")) - } else { - return cmd.Run() - } - default: + if err := cfg.BatsDir.Join("profiled").MkdirAll(); err != nil { + return err } - return nil -} - -func testRun(dryRun bool) error { - // Warning: There is no guarantee that the tests are not destructive - if dryRun { - logging.Step("List tests") - } else { - logging.Step("Run tests") + if err := cfg.BatsDir.Join("unprofiled").MkdirAll(); err != nil { + return err } - - tSuite, err := LoadTestSuite() - if err != nil { - return nil - } - integration.Arguments = tSuite.Arguments - integration.Ignore = tSuite.Ignore - integration.Profiles = cfg.Profiles - nbCmd := 0 - nbTest := 0 - for _, test := range tSuite.Tests { - ran, nb, err := test.Run(dryRun) - nbTest += ran - nbCmd += nb - if err != nil { + for _, test := range tests { + if err := test.Write(cfg.BatsDir); err != nil { return err } } - if dryRun { - logging.Bullet("Number of tests to run %d", nbTest) - logging.Bullet("Number of test commands to run %d", nbCmd) - } else { - logging.Success("Number of tests ran %d", nbTest) - logging.Success("Number of test command to ran %d", nbCmd) - } + logging.Bullet("Bats tests directory: %s", cfg.BatsDir) + logging.Bullet("Number of profiles with 
tests found %d", len(tests)) + logging.Bullet("Number of programs without profile found %d", len(tests)) return nil } @@ -184,19 +101,13 @@ func main() { os.Exit(0) } - var err error - if bootstrap { - logging.Step("Bootstraping tests") - err = testDownload() - } else if run || list { - err = testRun(list) - } else if deps { - err = testDeps(dryRun) - } else { + if !bootstrap { flag.Usage() os.Exit(1) } + + err := run() if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/tests/cmd/tests.go b/tests/cmd/tests.go new file mode 100644 index 000000000..1c5f55aee --- /dev/null +++ b/tests/cmd/tests.go 
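Review bot: `TestsFile: testsDir.Join("tldr.yml")` contradicts the field's own comment `// Default: tests/tests.yml` and makes `TestsFile` identical to `TldrFile`; if the field is still used it should read `TestsFile: testsDir.Join("tests.yml")`, otherwise delete it together with the comment. The two summary bullets at the end of `run()` both print `len(tests)`, so "Number of programs without profile found" always equals the profile count; count the unprofiled ones in the existing write loop instead (`if !test.HasProfile() { unprofiled++ }`) and print that. `run()` also calls `cfg.BatsDir.RemoveAll()` unconditionally, so a comment on `BatsDir` that `tests/bats_dirty` is generated output and must never be pointed at the hand-written `tests/bats` directory would record the constraint the wipe depends on.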
@@ -0,0 +1,109 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2023-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package main
+
+import (
+ "html/template"
+ "os/exec"
+ "slices"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/aa"
+ "github.com/roddhjav/apparmor.d/pkg/paths"
+)
+
+const tmplTest = `#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+{{ $name := .Name -}}
+{{ range .Commands }}
+@test "{{ $name }}: {{ .Description }}" {
+ {{ .Cmd }}
+}
+{{ end }}
+`
+
+var (
+ Profiles = getProfiles() // List of profiles in apparmor.d
+ tmpl = template.Must(template.New("bats").Parse(tmplTest))
+)
+
+type Tests []Test
+
+// Filter returns a new list of tests with only the ones that have a profile
+func (t Tests) Filter() Tests {
+ for i := len(t) - 1; i >= 0; i-- {
+ if !t[i].HasProfile() {
+ t = slices.Delete(t, i, i+1)
+ }
+ }
+ return t
+}
+
+// Test represents of a list of tests for a given program
+type Test struct {
+ Name string
+ Commands []Command
+}
+
+// Command is a command line to run as part of a test
+type Command struct {
+ Description string
+ Cmd string
+}
+
+// HasProfile returns true if the program in the scenario is profiled in apparmor.d
+func (t Test) HasProfile() bool {
+ return slices.Contains(Profiles, t.Name)
+}
+
+// IsInstalled returns true if the program in the scenario is installed on the system
+func (t Test) IsInstalled() bool {
+ if _, err := exec.LookPath(t.Name); err != nil {
+ return false
+ }
+ return true
+}
+
+func (t Test) Write(dir *paths.Path) error {
+ dstDir := dir.Join("profiled")
+ if !t.HasProfile() {
+ dstDir = dir.Join("unprofiled")
+ }
+ path := dstDir.Join(t.Name + ".bats")
+
+ if paths.New("tests/bats").Join(t.Name + ".bats").Exist() {
+ path = dstDir.Join("00."
+ t.Name + ".bats")
+ }
+ content := renderBatsFile(t)
+ if err := path.WriteFile([]byte(content)); err != nil {
+ return err
+ }
+ return nil
+}
+
+func renderBatsFile(data any) string {
+ var res strings.Builder
+ err := tmpl.Execute(&res, data)
+ if err != nil {
+ panic(err)
+ }
+ return res.String()
+}
+
+func getProfiles() []string {
+ p := []string{}
+ files, err := aa.MagicRoot.ReadDir(paths.FilterOutDirectories())
+ if err != nil {
+ panic(err)
+ }
+ for _, path := range files {
+ p = append(p, path.Base())
+ }
+ return p
+}
diff --git a/tests/cmd/tldr.go b/tests/cmd/tldr.go
new file mode 100644
index 000000000..ec98fa8b4
--- /dev/null
+++ b/tests/cmd/tldr.go
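Review bot: `"html/template"` is the wrong package for rendering a bats script: in this plain-text context it HTML-escapes every `{{ .Cmd }}` and `{{ .Description }}`, so a tldr command containing `<`, `>`, `&`, `'`, `"` or `+` (redirections, `&&`, quoted arguments) is written to the `.bats` file as `&lt;`, `&gt;`, `&amp;`, `&#39;`, `&#34;`, `&#43;` and the generated test runs a different command than the page describes. Change the import to `"text/template"`; the `template.Must(template.New("bats").Parse(tmplTest))` line needs no change. `IsInstalled` and `Tests.Filter` are defined but not called in any Go hunk of this commit, and `Write` hard-codes `paths.New("tests/bats")` instead of deriving it from `Config.TestsDir`; a doc comment on `Write` stating that files go under `profiled/` or `unprofiled/` and get a `00.` prefix when a hand-written `tests/bats/<name>.bats` already exists would also help, since that naming rule is otherwise only discoverable by reading the body.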
@@ -0,0 +1,140 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2023-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package main
+
+import (
+ "archive/tar"
+ "compress/gzip"
+ "fmt"
+ "io"
+ "net/http"
+ "path/filepath"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/paths"
+)
+
+type Tldr struct {
+ URL string // Tldr download url
+ Dir *paths.Path // Tldr cache directory
+ Ignore []string // List of ignored software
+}
+
+func NewTldr(dir *paths.Path) Tldr {
+ return Tldr{
+ URL: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz",
+ Dir: dir,
+ }
+}
+
+// Download and extract the tldr pages into the cache directory
+func (t Tldr) Download() error {
+ gzPath := t.Dir.Parent().Join("tldr.tar.gz")
+ if !gzPath.Exist() {
+ resp, err := http.Get(t.URL)
+ if err != nil {
+ return fmt.Errorf("downloading %s: %w", t.URL, err)
+ }
+ defer resp.Body.Close()
+
+ out, err := gzPath.Create()
+ if err != nil {
+ return err
+ }
+ defer out.Close()
+
+ if _, err := io.Copy(out, resp.Body); err != nil {
+ return err
+ }
+ }
+
+ pages := []string{"tldr-main/pages/linux", "tldr-main/pages/common"}
+ return extratTo(gzPath, t.Dir, pages)
+}
+
+// Parse the tldr pages and return a list of tests
+func (t Tldr) Parse() (Tests, error) {
+ tests := make(Tests, 0)
+ files, _ := t.Dir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())
+ for _, path := range files {
+ content, err := path.ReadFile()
+ if err != nil {
+ return nil, err
+ }
+ raw := string(content)
+ t := Test{
+ Name: strings.TrimSuffix(path.Base(), ".md"),
+ Commands: []Command{},
+ }
+ rawTests := strings.Split(raw, "\n-")[1:]
+ for _, test := range rawTests {
+ res := strings.Split(test, "\n")
+ dsc := strings.ReplaceAll(strings.Trim(res[0], " "), ":", "")
+ cmd := strings.Trim(strings.Trim(res[2], "`"), " ")
+ t.Commands = append(t.Commands, Command{
+ Description: dsc,
+ Cmd: cmd,
+ })
+ }
+ tests = append(tests, t)
+ }
+ return tests, nil
+}
+
+//
Either or not to extract the file
+func toExtrat(name string, subfolders []string) bool {
+ for _, subfolder := range subfolders {
+ if strings.HasPrefix(name, subfolder) {
+ return true
+ }
+ }
+ return false
+}
+
+// Extract part of an archive to a destination directory
+func extratTo(src *paths.Path, dst *paths.Path, subfolders []string) error {
+ gzIn, err := src.Open()
+ if err != nil {
+ return fmt.Errorf("opening %s: %w", src, err)
+ }
+ defer gzIn.Close()
+
+ in, err := gzip.NewReader(gzIn)
+ if err != nil {
+ return fmt.Errorf("decoding %s: %w", src, err)
+ }
+ defer in.Close()
+
+ if err := dst.MkdirAll(); err != nil {
+ return fmt.Errorf("creating %s: %w", src, err)
+ }
+
+ tarIn := tar.NewReader(in)
+ for {
+ header, err := tarIn.Next()
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ return err
+ }
+
+ if header.Typeflag == tar.TypeReg {
+ if !toExtrat(header.Name, subfolders) {
+ continue
+ }
+ path := dst.Join(filepath.Base(header.Name))
+ file, err := path.Create()
+ if err != nil {
+ return fmt.Errorf("creating %s: %w", file.Name(), err)
+ }
+ if _, err := io.Copy(file, tarIn); err != nil {
+ return fmt.Errorf("extracting %s: %w", file.Name(), err)
+ }
+ file.Close()
+ }
+ }
+ return nil
+}
diff --git a/tests/github.local b/tests/github.local
new file mode 100644
index 000000000..b4119bc56
--- /dev/null
+++ b/tests/github.local
@@ -0,0 +1,9 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Local tunables addition for bats integration tests on Github Action
+
+@{p_dbus_system}+=unconfined
+@{p_dbus_session}+=unconfined
+@{p_dbus_accessibility}+=unconfined
diff --git a/tests/integration/apparmor/aa-enforce.bats b/tests/integration/apparmor/aa-enforce.bats
new file mode 100644
index 000000000..7bc0e740b
--- /dev/null
+++ b/tests/integration/apparmor/aa-enforce.bats
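Review bot: `Download()` never checks `resp.StatusCode`, and because the cache test is just `!gzPath.Exist()`, a 404/5xx body or an archive truncated by a failed `io.Copy` is saved as `tldr.tar.gz` and silently reused by every later run, surfacing only as a gzip error from `extratTo`; the rewrite below rejects non-200 responses and removes the partial file so the next run retries. In `extratTo`, `file` is nil when `path.Create()` fails, so the `file.Name()` in that error message dereferences a nil pointer — use `path` instead; the `fmt.Errorf("creating %s: %w", src, err)` after `dst.MkdirAll()` names the wrong path, and `file` stays open when `io.Copy` returns an error. The archive is fetched from `refs/heads/main` with no pinned revision or checksum, so the generated tests change whenever upstream tldr does, and `Parse` indexes `res[2]` without checking that the entry has three lines and discards the error from `ReadDirRecursiveFiltered`. A doc comment on `Download` saying that the cache lives next to `Dir` and is only refreshed by deleting `tldr.tar.gz` would document the current behaviour.
```go
func (t Tldr) Download() error {
	gzPath := t.Dir.Parent().Join("tldr.tar.gz")
	if !gzPath.Exist() {
		resp, err := http.Get(t.URL)
		if err != nil {
			return fmt.Errorf("downloading %s: %w", t.URL, err)
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return fmt.Errorf("downloading %s: unexpected status %s", t.URL, resp.Status)
		}

		out, err := gzPath.Create()
		if err != nil {
			return err
		}
		defer out.Close()

		if _, err := io.Copy(out, resp.Body); err != nil {
			// Do not leave a truncated archive behind: it would pass the Exist() check above.
			_ = gzPath.RemoveAll()
			return fmt.Errorf("saving %s: %w", gzPath, err)
		}
	}
	// … unchanged: extraction of pages/linux and pages/common …
}
```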
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+setup_file() {
+ skip
+}
+
+@test "aa-enforce: Disable profile" {
+ sudo aa-disable pass
+}
+
+@test "aa-enforce: Enforce a profile" {
+ sudo aa-enforce pass
+}
+
+@test "aa-enforce: Complain a profile" {
+ sudo aa-complain pass
+}
+
+@test "aa-enforce: Audit a profile" {
+ sudo aa-audit pass
+}
diff --git a/tests/integration/apparmor/aa-status.bats b/tests/integration/apparmor/aa-status.bats
new file mode 100644
index 000000000..e7e0fc3d5
--- /dev/null
+++ b/tests/integration/apparmor/aa-status.bats
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "aa-status: Check status" {
+ sudo aa-status
+}
+
+@test "aa-status: Display the number of loaded policies" {
+ sudo aa-status --profiled
+}
+
+@test "aa-status: Display the number of loaded enforicing policies" {
+ sudo aa-status --enforced
+}
+
+@test "aa-status: Display the number of loaded non-enforcing policies" {
+ sudo aa-status --complaining
+}
+
+@test "aa-status: Display the number of loaded enforcing policies that kill tasks" {
+ sudo aa-status --kill
+}
diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats
new file mode 100644
index 000000000..3f13d4ea4
--- /dev/null
+++ b/tests/integration/apt/apt.bats
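Review bot: `setup_file() { skip }` disables all four tests in this file without recording why, so the bats output shows them as skipped with no message and nobody can tell when the skip may be lifted; give it a reason, `skip "<why aa-enforce/aa-disable cannot run on the CI image yet>"`. The tests also move the `pass` profile through disabled, enforce, complain and audit and never restore it; once the skip is lifted, a `teardown_file` that runs `sudo aa-enforce pass` would leave the policy state stable for the bats files that run afterwards.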
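Review bot: The test name `"aa-status: Display the number of loaded enforicing policies"` misspells `enforcing`; since the `@test` name is what appears in reports, change it to `"aa-status: Display the number of loaded enforcing policies"`.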
@@ -0,0 +1,54 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "apt: Update the list of available packages and versions" { + sudo apt update +} + +@test "apt: Search for a given package" { + apt search apparmor +} + +@test "apt: Show information for a package" { + apt show apparmor +} + +@test "apt: Install a package, or update it to the latest available version" { + sudo apt install -y pass +} + +@test "apt: Remove a package and its configuration files" { + sudo apt purge -y pass +} + +@test "apt: Upgrade all installed packages to their newest available versions" { + sudo apt upgrade -y +} + +@test "apt: Upgrade installed packages, but remove obsolete packages and install additional packages to meet new dependencies" { + sudo apt dist-upgrade -y +} + +@test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { + sudo apt autoclean -y +} + +@test "apt: Remove all packages that are no longer needed" { + sudo apt autoremove -y +} + +@test "apt: List all packages" { + apt list +} + +@test "apt: List installed packages" { + apt list --installed +} + +@test "apt: Print a cow easter egg" { + apt moo +} diff --git a/tests/integration/apt/dpkg-query.bats b/tests/integration/apt/dpkg-query.bats new file mode 100644 index 000000000..39259e0a0 --- /dev/null +++ b/tests/integration/apt/dpkg-query.bats 
@@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-query: List all installed packages" { + dpkg-query --list +} + +@test "dpkg-query: List installed packages matching a pattern" { + dpkg-query --list 'libc6*' +} + +@test "dpkg-query: List all files installed by a package" { + dpkg-query --listfiles libc6 +} + +@test "dpkg-query: Show information about a package" { + dpkg-query --status libc6 +} + +@test "dpkg-query: Search for packages that own files matching a pattern" { + dpkg-query --search /etc/ld.so.conf.d +} + diff --git a/tests/integration/apt/dpkg-reconfigure.bats b/tests/integration/apt/dpkg-reconfigure.bats new file mode 100644 index 000000000..f6aec98ea --- /dev/null +++ b/tests/integration/apt/dpkg-reconfigure.bats @@ -0,0 +1,12 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-reconfigure: Reconfigure one or more packages" { + sudo apt install -y pass + sudo dpkg-reconfigure pass +} + diff --git a/tests/integration/apt/dpkg.bats b/tests/integration/apt/dpkg.bats new file mode 100644 index 000000000..6a0e735b4 --- /dev/null +++ b/tests/integration/apt/dpkg.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg: Remove a package" { + sudo apt install -y pass + sudo dpkg -r pass +} + +@test "dpkg: List installed packages" { + dpkg -l apparmor +} + +@test "dpkg: List a package's contents" { + dpkg -L apparmor.d +} + +@test "dpkg: Find out which package owns a file" { + dpkg -S /etc/apparmor/parser.conf +} + +@test "dpkg: Purge an installed or already removed package, including configuration" { + sudo dpkg -P pass +} 
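Review bot: In dpkg-reconfigure.bats, `sudo dpkg-reconfigure pass` runs debconf with whatever frontend the runner environment selects, so whether the step blocks or completes depends on the environment rather than on the test; pinning it with `sudo dpkg-reconfigure -f noninteractive pass` removes that dependency. The dpkg-query.bats hunk also ends with an extra empty added line that the sibling files do not have.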
diff --git a/tests/integration/common.bash b/tests/integration/common.bash
new file mode 100644
index 000000000..7a012191b
--- /dev/null
+++ b/tests/integration/common.bash
@@ -0,0 +1,136 @@ +#!/usr/bin/env bash +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +export BATS_LIB_PATH=${BATS_LIB_PATH:-/usr/lib/bats} +load "$BATS_LIB_PATH/bats-support/load" + +export SYSTEMD_PAGER= + +# Ignore the profile not managed by apparmor.d +IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd) + +# User password for sudo commands +export PASSWORD=${PASSWORD:-user} + +export XDG_CACHE_DIR=".cache" +export XDG_CONFIG_DIR=".config" +export XDG_DATA_DIR=".local/share" +export XDG_STATE_DIR=".local/state" +export XDG_BIN_DIR=".local/bin" +export XDG_LIB_DIR=".local/lib" + +# Define extended user directories not defined in the XDG standard but commonly +# used in profiles +export XDG_SCREENSHOTS_DIR="Pictures/Screenshots" +export XDG_WALLPAPERS_DIR="Pictures/Wallpapers" +export XDG_BOOKS_DIR="Books" +export XDG_GAMES_DIR="Games" +export XDG_PROJECTS_DIR="Projects" +export XDG_WORK_DIR="Work" +export XDG_MAIL_DIR="Mail" +export XDG_SYNC_DIR="Sync" +export XDG_TORRENTS_DIR="Torrents" +export XDG_GAMESSTUDIO_DIR="unity3d" + +# Define user directories for virtual machines, shared folders and disk images +export XDG_VM_DIR=".vm" +export XDG_VMSHARE_DIR=".vmshare" +export XDG_IMG_DIR=".img" + +# Define user build directories and artifacts output +export XDG_BUILD_DIR=".build" +export XDG_PKG_DIR=".pkg" + +# Define user personal keyrings +export XDG_GPG_DIR=".gnupg" +export XDG_SSH_DIR=".ssh" +export XDG_PASSWORDSTORE_DIR=".password-store" + +# Define user personal private directories +export XDG_PRIVATE_DIR=".private" + +# Full path of the XDG Base Directory +export user_cache_dirs=$HOME/$XDG_CACHE_DIR +export user_config_dirs=$HOME/$XDG_CONFIG_DIR +export user_state_dirs=$HOME/$XDG_STATE_DIR +export user_bin_dirs=$HOME/$XDG_BIN_DIR +export user_lib_dirs=$HOME/$XDG_LIB_DIR + +# Other user directories +export user_desktop_dirs=$HOME/$XDG_DESKTOP_DIR +export 
user_download_dirs=$HOME/$XDG_DOWNLOAD_DIR +export user_templates_dirs=$HOME/$XDG_TEMPLATES_DIR +export user_publicshare_dirs=$HOME/$XDG_PUBLICSHARE_DIR +export user_documents_dirs=$HOME/$XDG_DOCUMENTS_DIR +export user_music_dirs=$HOME/$XDG_MUSIC_DIR +export user_pictures_dirs=$HOME/$XDG_PICTURES_DIR +export user_videos_dirs=$HOME/$XDG_VIDEOS_DIR +export user_books_dirs=$HOME/$XDG_BOOKS_DIR +export user_games_dirs=$HOME/$XDG_GAMES_DIR +export user_projects_dirs=$HOME/$XDG_PROJECTS_DIR +export user_work_dirs=$HOME/$XDG_WORK_DIR +export user_mail_dirs=$HOME/$XDG_MAIL_DIR +export user_sync_dirs=$HOME/$XDG_SYNC_DIR +export user_torrents_dirs=$HOME/$XDG_TORRENTS_DIR +export user_vm_dirs=$HOME/$XDG_VM_DIR +export user_vmshare_dirs=$HOME/$XDG_VMSHARE_DIR +export user_img_dirs=$HOME/$XDG_IMG_DIR +export user_build_dirs=$HOME/$XDG_BUILD_DIR +export user_pkg_dirs=$HOME/$XDG_PKG_DIR +export user_gpg_dirs=$HOME/$XDG_GPG_DIR +export user_ssh_dirs=$HOME/$XDG_SSH_DIR +export user_passwordstore_dirs=$HOME/$XDG_PASSWORDSTORE_DIR +export user_private_dirs=$HOME/$XDG_PRIVATE_DIR + +_START="$(date +%s)" +PROGRAM="$(basename "$BATS_TEST_FILENAME")" +PROGRAM="${PROGRAM%.*}" +export _START PROGRAM + +skip_if_not_installed() { + if ! which "$PROGRAM" &>/dev/null; then + skip "$PROGRAM is not installed" + fi +} + +aa_setup() { + aa_start + skip_if_not_installed +} + +aa_start() { + _START=$(date +%s) +} + +aa_check() { + local now duration logs + + now=$(date +%s) + duration=$((now - _START + 1)) + logs=$(aa-log --raw --systemd --since "-${duration}s") + for profile in "${IGNORE[@]}"; do + logs=$(echo "$logs" | grep -v "$profile") + done + + aa_start + if [[ -n "$logs" ]]; then + fail "profile $PROGRAM raised logs: $logs" + fi +} + +_timeout() { + local duration="2s" + timeout --preserve-status --kill-after="$duration" "$duration" "$@" +} + +# Bats setup and teardown hooks + +setup_file() { + aa_setup +} + +teardown() { + aa_check +} 
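Review bot: In `aa_check`, `logs=$(echo "$logs" | grep -v "$profile")` gives the assignment grep's exit status, so when every captured line belongs to an ignored profile grep returns 1 and, under bats' errexit handling, the teardown most likely fails although there is nothing to report. The `IGNORE` entries are also matched as unanchored regexes against the whole log line, so `snap.vault.vaultd` (where each dot matches any character) or `snapd/snap-confine` appearing anywhere in a denied path discards a denial raised by a different profile. `logs=$(grep -vF -- "$profile" <<<"$logs" || true)` fixes both the exit status and the regex interpretation; matching on the `profile=` field would be stricter still. Two smaller points: `skip_if_not_installed` could use `command -v` rather than `which`, and `PASSWORD` is exported with a default of `user` but nothing in this file reads it, so a comment should say which helper consumes it.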
diff --git a/tests/integration/cpuid.bats b/tests/integration/cpuid.bats new file mode 100644 index 000000000..0fe2da6ac --- /dev/null +++ b/tests/integration/cpuid.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "cpuid: Display information for all CPUs" { + cpuid +} + +@test "cpuid: Display information only for the current CPU" { + cpuid -1 +} + +@test "cpuid: Display raw hex information with no decoding" { + cpuid -r +} diff --git a/tests/integration/dfc.bats b/tests/integration/dfc.bats new file mode 100644 index 000000000..56871f16c --- /dev/null +++ b/tests/integration/dfc.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "dfc: Display filesystems and their disk usage in human-readable form with colors and graphs" { + dfc +} + +@test "dfc: Display all filesystems including pseudo, duplicate and inaccessible filesystems" { + dfc -a +} + +@test "dfc: Display filesystems without color" { + dfc -c never +} + +@test "dfc: Display filesystems containing "ext" in the filesystem type" { + dfc -t ext +} diff --git a/tests/integration/fc-cache.bats b/tests/integration/fc-cache.bats new file mode 100644 index 000000000..05b8f1930 --- /dev/null +++ b/tests/integration/fc-cache.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "fc-cache: Generate font cache files" { + fc-cache +} + +@test "fc-cache: Force a rebuild of all font cache files, without checking if cache is up-to-date" { + fc-cache -f +} + +@test "fc-cache: Erase font cache files, then generate new font cache files" { + fc-cache -r +} 
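Review bot: In dfc.bats the description `dfc: Display filesystems containing "ext" in the filesystem type` nests unescaped double quotes inside a double-quoted bats description; it appears to parse only because bash concatenates the three pieces into one word, and any space or glob character around `ext` would change that. Writing `'ext'` inside the double-quoted description, as pacman-key.bats does with `'pacman'`, removes the ambiguity.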
diff --git a/tests/integration/fc-list.bats b/tests/integration/fc-list.bats new file mode 100644 index 000000000..12b1df2ca --- /dev/null +++ b/tests/integration/fc-list.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "fc-list: Return a list of installed fonts in your system" { + fc-list +} + +@test "fc-match: Return a sorted list of best matching fonts" { + fc-match -s 'DejaVu Serif' +} + +@test "fc-pattern: Display default information about a font" { + fc-pattern --default 'DejaVu Serif' +} + +@test "fc-pattern: Display configuration information about a font" { + fc-pattern --config 'DejaVu Serif' +} diff --git a/tests/integration/flatpak.bats b/tests/integration/flatpak.bats new file mode 100644 index 000000000..b61024d06 --- /dev/null +++ b/tests/integration/flatpak.bats 
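Review bot: fc-list.bats also exercises `fc-match` and `fc-pattern`, but `PROGRAM` in common.bash is derived from the test file name, so `skip_if_not_installed` only checks that `fc-list` exists and a denial raised by `fc-match` is reported as `profile fc-list raised logs`. Either split the file into fc-match.bats and fc-pattern.bats, or add a comment stating that the three fontconfig tools deliberately share this file and its profile check.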
@@ -0,0 +1,47 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "flatpak: Add a new remote repository (by URL)" { + sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +} + +@test "flatpak: List all remote repositories" { + flatpak remotes +} + +@test "flatpak: Search for an application in a remote repository" { + sudo flatpak search vim + sudo flatpak search org.freedesktop.Platform +} + +@test "flatpak: Install an application from a remote source" { + sudo flatpak install --noninteractive org.vim.Vim +} + +@test "flatpak: List installed applications, ignoring runtimes" { + flatpak list --app +} + +@test "flatpak: Show information about an installed application" { + flatpak info org.vim.Vim +} + +# @test "flatpak: Run an installed application" { +# _timeout flatpak run org.vim.Vim +# } + +@test "flatpak: Update all installed applications and runtimes" { + sudo flatpak update --noninteractive +} + +@test "flatpak: Remove an installed application" { + sudo flatpak remove --noninteractive org.vim.Vim +} + +@test "flatpak: Remove all unused applications" { + sudo flatpak remove --noninteractive --unused +} diff --git a/tests/integration/fwupdmgr.bats b/tests/integration/fwupdmgr.bats new file mode 100644 index 000000000..332a63743 --- /dev/null +++ b/tests/integration/fwupdmgr.bats 
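Review bot: The commented-out `flatpak: Run an installed application` test gives no reason for being disabled; a one-line comment such as `# Disabled: <reason>` above it would stop it being silently re-enabled or deleted. The remaining tests are order-dependent (`remote-add` before `search`/`install`, `remove` after `install`), so a failure in the middle leaves org.vim.Vim installed on the runner for the next run; a `teardown_file` that runs `sudo flatpak remove --noninteractive org.vim.Vim || true` would make the file re-runnable.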
@@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "fwupdmgr: Display all devices detected by fwupd" { + fwupdmgr get-devices +} + +@test "fwupdmgr: Download the latest firmware metadata from LVFS" { + fwupdmgr refresh || true +} + +@test "fwupdmgr: List the updates available for devices on your system" { + fwupdmgr get-updates || true +} + +@test "fwupdmgr: Install firmware updates" { + fwupdmgr update || true +} + diff --git a/tests/integration/gpg/gpgconf.bats b/tests/integration/gpg/gpgconf.bats new file mode 100644 index 000000000..41627dc67 --- /dev/null +++ b/tests/integration/gpg/gpgconf.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "gpgconf: List all components" { + gpgconf --list-components +} + +@test "gpgconf: List the directories used by gpgconf" { + gpgconf --list-dirs +} + +@test "gpgconf: List all options of a component" { + gpgconf --list-options gpg + gpgconf --list-options gpgsm + gpgconf --list-options gpg-agent + gpgconf --list-options scdaemon || true + gpgconf --list-options dirmngr +} + +@test "gpgconf: List programs and test whether they are runnable" { + gpgconf --check-programs || true +} + +@test "gpgconf: Reload a component" { + gpgconf --reload gpg + gpgconf --reload gpgsm + gpgconf --reload gpg-agent + gpgconf --reload scdaemon || true + gpgconf --reload dirmngr +} diff --git a/tests/integration/hostname.bats b/tests/integration/hostname.bats new file mode 100644 index 000000000..35008bd79 --- /dev/null +++ b/tests/integration/hostname.bats 
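Review bot: `fwupdmgr update || true` (and `refresh`/`get-updates`) can prompt for confirmation when it finds something to do, and on a runner without a TTY the outcome depends on how fwupd treats a closed stdin; `fwupdmgr update -y || true` makes the step deterministic. The `|| true` means these three tests only detect AppArmor denials through the `aa_check` teardown, which is presumably intended but worth a comment, and the hunk ends with an extra empty added line.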
@@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "hostname: Show current host name" { + hostname +} + +@test "hostname: Show the network address of the host name" { + hostname -i +} + +@test "hostname: Show all network addresses of the host" { + hostname -I +} + +@test "hostname: Show the FQDN (Fully Qualified Domain Name)" { + hostname --fqdn +} + +@test "hostname: Set current host name" { + name=$(hostname) + sudo hostname "new-$(hostname)" + sudo hostname "$name" +} + diff --git a/tests/integration/id.bats b/tests/integration/id.bats new file mode 100644 index 000000000..a09def4a9 --- /dev/null +++ b/tests/integration/id.bats @@ -0,0 +1,30 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "id: Display current user's ID (UID), group ID (GID) and groups to which they belong" { + id +} + +@test "id: Display the current user identity" { + id -un +} + +@test "id: Display the current user identity as a number" { + id -u +} + +@test "id: Display the current primary group identity" { + id -gn +} + +@test "id: Display the current primary group identity as a number" { + id -g +} + +@test "id: Display an arbitrary user ID (UID), group ID (GID) and groups to which they belong" { + id root +} diff --git a/tests/integration/ip.bats b/tests/integration/ip.bats new file mode 100644 index 000000000..585d11b2d --- /dev/null +++ b/tests/integration/ip.bats 
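Review bot: In `hostname: Set current host name`, the restore `sudo hostname "$name"` is part of the test body, so if the rename succeeds and the test is interrupted or fails between the two `sudo` calls the runner keeps the `new-` host name for every following test file. Because common.bash does not define `teardown_file`, this file could record the original name in a file-level hook and restore it there unconditionally. `hostname -i` also fails when the current host name does not resolve, which is environment-dependent rather than a profile issue; if that is acceptable it deserves a comment.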
@@ -0,0 +1,42 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "ip-address: List network interfaces and their associated IP addresses" { + ip address +} + +@test "ip-address: Filter to show only active network interfaces" { + ip address show up +} + +@test "ip-route: Display the routing table" { + ip route +} + +@test "ip-route-get: Print route to a destination" { + ip route get 1.1.1.1 +} + +@test "ip link: Show information about all network interfaces" { + ip link +} + +@test "ip neighbour: Display the neighbour/ARP table entries" { + ip neighbour +} + +@test "ip rule: Display the routing policy" { + ip rule show + ip rule list +} + +@test "ip: Manage network namespace" { + sudo ip netns add foo + sudo ip netns list + sudo ip netns exec foo bash -c "pwd" + sudo ip netns delete foo +} diff --git a/tests/integration/needrestart.bats b/tests/integration/needrestart.bats new file mode 100644 index 000000000..4676b36af --- /dev/null +++ b/tests/integration/needrestart.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "needrestart: List outdated processes" { + needrestart +} + +@test "needrestart: Interactively restart services" { + sudo needrestart +} + +@test "needrestart: List outdated processes in verbose mode" { + needrestart -v +} + +@test "needrestart: Check if the kernel is outdated" { + needrestart -k +} + +@test "needrestart: Check if the CPU microcode is outdated" { + needrestart -w +} + +@test "needrestart: List outdated processes in batch mode" { + needrestart -b +} + +@test "needrestart: Display help" { + needrestart --help +} diff --git a/tests/integration/pacman/paccache.bats b/tests/integration/pacman/paccache.bats new file mode 100644 index 000000000..b2e1369e2 --- /dev/null 
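Review bot: `sudo ip netns add foo` fails with an already-exists error when a previous interrupted run left the namespace behind, and the `delete` at the end only runs if the three commands before it succeeded. Adding `sudo ip netns delete foo 2>/dev/null || true` before the `add`, or doing the delete in a `teardown_file`, makes the test re-runnable. `ip route get 1.1.1.1` also depends on the runner having a default route, which is worth a comment.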
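Review bot: In needrestart.bats, `sudo needrestart` is described as interactive, and whether it prompts depends on needrestart's configured restart mode rather than on the test; pinning it with `sudo needrestart -r l` keeps it in list mode so a prompt cannot block a non-interactive runner.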
+++ b/tests/integration/pacman/paccache.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "paccache: Perform a dry-run and show the number of candidate packages for deletion" { + sudo paccache -d +} + +@test "paccache: Move candidate packages to a directory instead of deleting them" { + sudo paccache -m "$USER_BUILD_DIRS" +} + +@test "paccache: Remove all but the 3 most recent package versions from the `pacman` cache" { + sudo paccache -r +} + +@test "paccache: Set the number of package versions to keep" { + sudo paccache -rk 3 +} diff --git a/tests/integration/pacman/pacman-key.bats b/tests/integration/pacman/pacman-key.bats new file mode 100644 index 000000000..82e34a379 --- /dev/null +++ b/tests/integration/pacman/pacman-key.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pacman-key: Initialize the 'pacman' keyring" { + sudo pacman-key --init +} + +@test "pacman-key: Add the default Arch Linux keys" { + sudo pacman-key --populate +} + +@test "pacman-key: List keys from the public keyring" { + pacman-key --list-keys +} + +@test "pacman-key: Receive a key from a key server" { + sudo pacman-key --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Print the fingerprint of a specific key" { + pacman-key --finger 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Sign an imported key locally" { + sudo pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Remove a specific key" { + sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC +} diff --git a/tests/integration/pacman/pacman.bats b/tests/integration/pacman/pacman.bats new file mode 100644 index 000000000..575a65bc1 --- /dev/null 
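Review bot: `sudo paccache -m "$USER_BUILD_DIRS"` references a variable that common.bash does not define; it exports `user_build_dirs` (lower case), so the argument expands to an empty string. Separately, the backticks around pacman in the description of the third test sit inside a double-quoted string and are a command substitution, so bash runs `pacman` with no arguments while the file is loaded; write `'pacman'` inside the description as pacman-key.bats does.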
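Review bot: `--lsign-key` adds local trust for a key fetched from a keyserver, and the `--delete` that undoes it is the last test, so it runs only if every earlier step passed; after a failure the runner's pacman keyring keeps a locally signed key. common.bash defines `setup_file` and `teardown` but not `teardown_file`, so `teardown_file() { sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC || true; }` makes the cleanup unconditional.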
+++ b/tests/integration/pacman/pacman.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pacman: Synchronize and update all packages" { + sudo pacman -Syu --noconfirm +} + +@test "pacman: Install a new package" { + sudo pacman -S --noconfirm pass pass-otp +} + +@test "pacman: Remove a package and its dependencies" { + sudo pacman -Rs --noconfirm pass-otp +} + +@test "pacman: List installed packages and versions" { + pacman -Q +} + +@test "pacman: List only the explicitly installed packages and versions" { + pacman -Qe +} + +@test "pacman: List orphan packages (installed as dependencies but not actually required by any package)" { + pacman -Qtdq +} + +@test "pacman: Empty the entire 'pacman' cache" { + sudo pacman -Scc --noconfirm +} diff --git a/tests/integration/paths.go b/tests/integration/paths.go deleted file mode 100644 index 8d4a1cc9c..000000000 --- a/tests/integration/paths.go +++ /dev/null 
@@ -1,72 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package integration - -import ( - "archive/tar" - "compress/gzip" - "fmt" - "io" - "path/filepath" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -// Either or not to extract the file -func toExtrat(name string, subfolders []string) bool { - for _, subfolder := range subfolders { - if strings.HasPrefix(name, subfolder) { - return true - } - } - return false -} - -// Extract part of an archive to a destination directory -func extratTo(src *paths.Path, dst *paths.Path, subfolders []string) error { - gzIn, err := src.Open() - if err != nil { - return fmt.Errorf("opening %s: %w", src, err) - } - defer gzIn.Close() - - in, err := gzip.NewReader(gzIn) - if err != nil { - return fmt.Errorf("decoding %s: %w", src, err) - } - defer in.Close() - - if err := dst.MkdirAll(); err != nil { - return fmt.Errorf("creating %s: %w", src, err) - } - - tarIn := tar.NewReader(in) - for { - header, err := tarIn.Next() - if err == io.EOF { - break - } - if err != nil { - return err - } - - if header.Typeflag == tar.TypeReg { - if !toExtrat(header.Name, subfolders) { - continue - } - path := dst.Join(filepath.Base(header.Name)) - file, err := path.Create() - if err != nil { - return fmt.Errorf("creating %s: %w", file.Name(), err) - } - if _, err := io.Copy(file, tarIn); err != nil { - return fmt.Errorf("extracting %s: %w", file.Name(), err) - } - file.Close() - } - } - return nil -} diff --git a/tests/integration/procps/free.bats b/tests/integration/procps/free.bats new file mode 100644 index 000000000..dcc216bfa --- /dev/null +++ b/tests/integration/procps/free.bats 
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "free: Display system memory" {
+ free
+}
+
+@test "free: Display memory in GB" {
+ free -g
+}
+
+@test "free: Display memory in human-readable units" {
+ free -h
+}
diff --git a/tests/integration/procps/pgrep.bats b/tests/integration/procps/pgrep.bats
new file mode 100644
index 000000000..9fd6b92f8
--- /dev/null
+++ b/tests/integration/procps/pgrep.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pgrep: Return PIDs of any running processes with a matching command string" {
+ pgrep systemd
+}
+
+@test "pgrep: Search for processes including their command-line options" {
+ pgrep --full 'systemd'
+}
+
+@test "pgrep: Search for processes run by a specific user" {
+ pgrep --euid root systemd-udevd
+}
+
diff --git a/tests/integration/procps/pidof.bats b/tests/integration/procps/pidof.bats
new file mode 100644
index 000000000..ec20cbe86
--- /dev/null
+++ b/tests/integration/procps/pidof.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pidof: List all process IDs with given name" {
+ pidof systemd
+ pidof bash
+}
+
+@test "pidof: List a single process ID with given name" {
+ pidof -s bash
+}
+
+@test "pidof: List process IDs including scripts with given name" {
+ pidof -x bash
+}
diff --git a/tests/integration/procps/ps.bats b/tests/integration/procps/ps.bats
new file mode 100644
index 000000000..a27bdf98d
--- /dev/null
+++ b/tests/integration/procps/ps.bats
@@ -0,0 +1,30 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "ps: List all running processes" { + ps aux +} + +@test "ps: List all running processes including the full command string" { + ps auxww +} + +@test "ps: List all processes of the current user in extra full format" { + ps --user "$(id -u)" -F +} + +@test "ps: List all processes of the current user as a tree" { + ps --user "$(id -u)" -f +} + +@test "ps: Get the parent PID of a process" { + ps -o ppid= -p 1 +} + +@test "ps: Sort processes by memory consumption" { + ps auxww --sort size +} diff --git a/tests/integration/procps/sysctl.bats b/tests/integration/procps/sysctl.bats new file mode 100644 index 000000000..66720c434 --- /dev/null +++ b/tests/integration/procps/sysctl.bats @@ -0,0 +1,26 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "sysctl: Show all available variables and their values" { + sysctl -a +} + +@test "sysctl: Set a changeable kernel state variable" { + sudo sysctl -w vm.panic_on_oom=0 +} + +@test "sysctl: Get currently open file handlers" { + sysctl fs.file-nr +} + +@test "sysctl: Get limit for simultaneous open files" { + sysctl fs.file-max +} + +@test "sysctl: Apply changes from '/etc/sysctl.conf'" { + sudo sysctl -p +} diff --git a/tests/integration/procps/uptime.bats b/tests/integration/procps/uptime.bats new file mode 100644 index 000000000..7d9361d5a --- /dev/null +++ b/tests/integration/procps/uptime.bats 
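Review bot: `ps --user "$(id -u)" -f` is described as `List all processes of the current user as a tree`, but `-f` selects full format; the tree view is `--forest`, so either the description or the command is wrong, and the preceding test already covers `-F`. `ps --user "$(id -u)" -f --forest` matches the description.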
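Review bot: In sysctl.bats, `sudo sysctl -w vm.panic_on_oom=0` writes a kernel tunable without regard to its current value, so the test changes runner state if the setting was not already 0. `sudo sysctl -w vm.panic_on_oom="$(sysctl -n vm.panic_on_oom)"` exercises the same write path through the profile while leaving the value as it was.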
@@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "uptime: Print current time, uptime, number of logged-in users and other information" { + uptime +} + +@test "uptime: Show only the amount of time the system has been booted for" { + uptime --pretty +} + +@test "uptime: Print the date and time the system booted up at" { + uptime --since +} diff --git a/tests/integration/procps/vmstat.bats b/tests/integration/procps/vmstat.bats new file mode 100644 index 000000000..e5900a324 --- /dev/null +++ b/tests/integration/procps/vmstat.bats @@ -0,0 +1,25 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "vmstat: Display virtual memory statistics" { + vmstat + vmstat --active + vmstat --forks +} + +@test "vmstat: Display disk statistics" { + vmstat --disk + vmstat --disk-sum +} + +@test "vmstat: Display slabinfo" { + sudo vmstat --slabs +} + +@test "vmstat: Display reports every second for 3 times" { + vmstat 1 3 +} diff --git a/tests/integration/procps/w.bats b/tests/integration/procps/w.bats new file mode 100644 index 000000000..3ee1fe218 --- /dev/null +++ b/tests/integration/procps/w.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "w: Display information about all users who are currently logged in" { + w +} + +@test "w: Display information about a specific user" { + w root +} + +@test "w: Display information without including the header, the login, JCPU and PCPU columns" { + w --no-header + w --short +} diff --git a/tests/integration/scenario.go b/tests/integration/scenario.go deleted file mode 100644 index 53758fb42..000000000 
--- a/tests/integration/scenario.go
+++ /dev/null
@@ -1,141 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -// TODO: -// - Finish templating -// - Provide a large selection of resources: files, disks, http server... for automatic test on them -// - Expand support for interactive program (stdin and Control-D) -// - Properlly log the test result -// - Dbus integration - -package integration - -import ( - "bytes" - "fmt" - "io" - "os/exec" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/logging" - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -var ( - Ignore []string // Do not run some scenarios - Arguments map[string]string // Common arguments used across all scenarios - Profiles paths.PathList // List of profiles in apparmor.d -) - -// Test represents of a list of tests for a given program -type Test struct { - Name string `yaml:"name"` - Root bool `yaml:"root"` // Run the test as user or as root - Dependencies []string `yaml:"require"` // Packages required for the tests to run "$(pacman -Qqo Scenario.Name)" - Arguments map[string]string `yaml:"arguments"` // Arguments to pass to the program, specific to this scenario - Commands []Command `yaml:"tests"` -} - -// Command is a command line to run as part of a test -type Command struct { - Description string `yaml:"dsc"` - Cmd string `yaml:"cmd"` - Stdin []string `yaml:"stdin"` -} - -func NewTest() *Test { - return &Test{ - Name: "", - Root: false, - Dependencies: []string{}, - Arguments: map[string]string{}, - Commands: []Command{}, - } -} - -// HasProfile returns true if the program in the scenario is profiled in apparmor.d -func (t *Test) HasProfile() bool { - for _, path := range Profiles { - if t.Name == path.Base() { - return true - } - } - return false -} - -// IsInstalled returns true if the program in the scenario is installed on the system -func (t *Test) IsInstalled() bool { - if _, err := exec.LookPath(t.Name); err != nil { - return false - } - return true 
-} - -func (t *Test) resolve(in string) string { - res := in - for key, value := range t.Arguments { - res = strings.ReplaceAll(res, "{{ "+key+" }}", value) - } - return res -} - -// mergeArguments merge the arguments of the scenario with the global arguments -// Test arguments have priority over global arguments -func (t *Test) mergeArguments(args map[string]string) { - if len(t.Arguments) == 0 { - t.Arguments = map[string]string{} - } - for key, value := range args { - t.Arguments[key] = value - } -} - -// Run the scenarios tests -func (t *Test) Run(dryRun bool) (ran int, nb int, err error) { - nb = 0 - if t.HasProfile() && t.IsInstalled() { - logging.Step("%s", t.Name) - t.mergeArguments(Arguments) - for _, test := range t.Commands { - cmd := t.resolve(test.Cmd) - if !strings.Contains(cmd, "{{") { - nb++ - if dryRun { - logging.Bullet(cmd) - } else { - cmdErr := t.run(cmd, strings.Join(test.Stdin, "\n")) - if cmdErr != nil { - logging.Error("%v", cmdErr) - } else { - logging.Success(cmd) - } - } - } - } - return 1, nb, err - } - return 0, nb, err -} - -func (t *Test) run(cmdline string, in string) error { - var testErr bytes.Buffer - - // Running the command in a shell ensure it does not run confined under the sudo profile. - // The shell is run unconfined and therefore the cmdline can be confined without no-new-privs issue. - sufix := " &" // TODO: we need a goroutine here - cmd := exec.Command("sh", "-c", cmdline+sufix) - if t.Root { - cmd = exec.Command("sudo", "sh", "-c", cmdline+sufix) - } - - stderr := io.MultiWriter(Stderr, &testErr) - cmd.Stdin = strings.NewReader(in) - cmd.Stdout = Stdout - cmd.Stderr = stderr - err := cmd.Run() - if testErr.Len() > 0 { - return fmt.Errorf("%s", testErr.String()) - } - return err -} diff --git a/tests/integration/shadow/groupadd.bats b/tests/integration/shadow/groupadd.bats new file mode 100644 index 000000000..3d07619b2 --- /dev/null +++ b/tests/integration/shadow/groupadd.bats 
@@ -0,0 +1,32 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "groupadd: Create a new group" { + sudo groupadd user2 +} + +@test "groupadd: Create a new system group" { + sudo groupadd --system system2 +} + +@test "groupadd: Create a new group with the specific groupid" { + sudo groupadd --gid 3000 user3 +} + +@test "groupmod: Change the group name" { + sudo groupmod --new-name user22 user2 +} + +@test "groupmod: Change the group ID" { + sudo groupmod --gid 2222 user22 +} + +@test "groupdel: Delete newly created group" { + sudo groupdel user22 + sudo groupdel system2 + sudo groupdel user3 +} diff --git a/tests/integration/shadow/groups.bats b/tests/integration/shadow/groups.bats new file mode 100644 index 000000000..f932e9129 --- /dev/null +++ b/tests/integration/shadow/groups.bats @@ -0,0 +1,15 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "groups: Print group memberships for the current user" { + groups +} + +@test "groups: Print group memberships for a list of users" { + groups root +} + diff --git a/tests/integration/snap.bats b/tests/integration/snap.bats new file mode 100644 index 000000000..a670a9ece --- /dev/null +++ b/tests/integration/snap.bats 
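Review bot: The `groupdel` cleanup is the last test, so an earlier failure (for example `user2` or GID 3000 already present from a previous run) leaves the groups behind and makes the next run fail at `sudo groupadd user2`. A `teardown_file` that deletes `user2`, `user22`, `system2` and `user3` with `|| true` on each call would make the file re-runnable; common.bash does not define `teardown_file`, so the file can add it.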
@@ -0,0 +1,55 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+@test "snap: Search for a package" {
+ snap find vim
+}
+
+@test "snap: Install a package" {
+ sudo snap install vault
+}
+
+@test "snap: Update a package to another channel (track, risk, or branch)" {
+ sudo snap refresh vault --channel=edge
+}
+
+@test "snap: Update all packages" {
+ sudo snap refresh
+}
+
+@test "snap: Display basic information about installed snap software" {
+ sudo snap list
+}
+
+@test "snap: lists information about the services" {
+ sudo snap services
+ sudo snap services vault
+}
+
+@test "snap: starts, and optionally enables, the given services" {
+ sudo snap start --enable vault
+}
+
+@test "snap: logs of the given services" {
+ sudo snap logs vault || true
+}
+
+@test "snap: restarts the given services" {
+ sudo snap restart vault
+}
+
+@test "snap: stops, and optionally disables, the given services" {
+ sudo snap stop --disable vault
+}
+
+@test "snap: Uninstall a package" {
+ sudo snap remove vault
+}
+
+@test "snap: Check for recent snap changes in the system" {
+ sudo snap changes
+}
diff --git a/tests/integration/suite.go b/tests/integration/suite.go
deleted file mode 100644
index abb08cfdf..000000000
--- a/tests/integration/suite.go
+++ /dev/null
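Review bot: `sudo snap refresh` with no argument in the "Update all packages" test upgrades every snap installed on the runner, not only the `vault` snap this file installs, so the test mutates host state outside its own fixture and its runtime and outcome depend on whatever else is installed. Restricting it to `sudo snap refresh vault` exercises the same code path under the profile with a bounded side effect. The install test also pulls `vault` from the store without a pinned channel or revision, which is acceptable for a smoke test but deserves a comment so that failures caused by upstream changes are not mistaken for profile regressions.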
@@ -1,114 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package integration - -import ( - "os" - - "github.com/roddhjav/apparmor.d/pkg/logs" - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" - "gopkg.in/yaml.v3" -) - -var ( - // Integration tests standard output - Stdout *os.File - - // Integration tests standard error output - Stderr *os.File - - stdoutPath = paths.New("tests/out.log") - stderrPath = paths.New("tests/err.log") -) - -// TestSuite is the apparmod.d integration tests to run -type TestSuite struct { - Tests []Test // List of tests to run - Ignore []string // Do not run some tests - Arguments map[string]string // Common arguments used across all tests -} - -// NewScenarios returns a new list of scenarios -func NewTestSuite() *TestSuite { - var err error - Stdout, err = stdoutPath.Create() - if err != nil { - panic(err) - } - Stderr, err = stderrPath.Create() - if err != nil { - panic(err) - } - return &TestSuite{ - Tests: []Test{}, - Ignore: []string{}, - Arguments: map[string]string{}, - } -} - -// Write export the list of scenarios to a file -func (t *TestSuite) Write(path *paths.Path) error { - jsonString, err := yaml.Marshal(&t.Tests) - if err != nil { - return err - } - - path = path.Clean() - file, err := path.Create() - if err != nil { - return err - } - defer file.Close() - - // Cleanup a bit - res := string(jsonString) - regClean := util.ToRegexRepl([]string{ - "- name:", "\n- name:", - `(?m)^.*stdin: \[\].*$`, ``, - `{{`, `{{ `, - `}}`, ` }}`, - }) - res = regClean.Replace(res) - _, err = file.WriteString("---\n" + res) - return err -} - -// ReadTests import the tests from a file -func (t *TestSuite) ReadTests(path *paths.Path) error { - content, _ := path.ReadFile() - return yaml.Unmarshal(content, &t.Tests) -} - -// ReadSettings import the common argument and ignore list from a file -func (t *TestSuite) 
ReadSettings(path *paths.Path) error {
- type temp struct {
- Arguments map[string]string `yaml:"arguments"`
- Ignore []string `yaml:"ignore"`
- }
- tmp := temp{}
- content, _ := path.ReadFile()
- if err := yaml.Unmarshal(content, &tmp); err != nil {
- return err
- }
- t.Arguments = tmp.Arguments
- t.Ignore = tmp.Ignore
- return nil
-}
-
-// Results returns a sum up of the apparmor logs raised by the scenarios
-func (t *TestSuite) Results() string {
- file, _ := logs.GetAuditLogs(logs.LogFiles[0])
- aaLogs := logs.NewApparmorLogs(file, "")
- return aaLogs.String()
-}
-
-func (t *TestSuite) GetDependencies() []string {
- res := []string{}
- for _, test := range t.Tests {
- res = append(res, test.Dependencies...)
- }
- return res
-}
diff --git a/tests/integration/systemd/bootctl.bats b/tests/integration/systemd/bootctl.bats
new file mode 100644
index 000000000..2dfb39a7f
--- /dev/null
+++ b/tests/integration/systemd/bootctl.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "bootctl: Show information about the system firmware and the bootloaders" {
+ sudo bootctl status
+}
+
+@test "bootctl: Show all available bootloader entries" {
+ sudo bootctl list
+}
+
+@test "bootctl: Install 'systemd-boot' into the EFI system partition" {
+ sudo bootctl install
+}
+
+@test "bootctl: Remove all installed versions of 'systemd-boot' from the EFI system partition" {
+ sudo bootctl remove
+}
diff --git a/tests/integration/systemd/busctl.bats b/tests/integration/systemd/busctl.bats
new file mode 100644
index 000000000..ef3e973e9
--- /dev/null
+++ b/tests/integration/systemd/busctl.bats
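Review bot: `sudo bootctl install` and `sudo bootctl remove` in the last two tests of bootctl.bats write to and then wipe the EFI system partition of whatever host runs the suite, and neither is guarded with `|| true` nor restores the previous state; on a machine that actually boots through systemd-boot, `bootctl remove` leaves it unbootable. These two tests should be confined to disposable VMs (for example a `skip` unless an explicit opt-in variable is set) or replaced by the read-only subcommands `bootctl status` and `bootctl list` that the file already runs. At minimum a comment above them stating that they are destructive and must never run on a developer machine is needed.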
@@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "busctl: Show all peers on the bus, by their service names" { + busctl list +} + +@test "busctl: Show process information and credentials of a bus service, a process, or the owner of the bus (if no parameter is specified)" { + busctl status 1 + busctl status org.freedesktop.DBus +} + +@test "busctl: Show an object tree of one or more services (or all services if no service is specified)" { + busctl tree org.freedesktop.DBus +} + +@test "busctl: Show interfaces, methods, properties and signals of the specified object on the specified service" { + busctl introspect org.freedesktop.login1 /org/freedesktop/login1 +} + +@test "busctl: Retrieve the current value of one or more object properties" { + busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager Docked +} diff --git a/tests/integration/systemd/homectl.bats b/tests/integration/systemd/homectl.bats new file mode 100644 index 000000000..bb3b38227 --- /dev/null +++ b/tests/integration/systemd/homectl.bats 
@@ -0,0 +1,44 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+setup_file() {
+ sudo systemctl start systemd-homed
+ skip
+ aa_setup
+}
+
+@test "homectl: Display help" {
+ homectl --no-pager --help
+}
+
+@test "homectl: Create a user account and their associated home directory" {
+ printf "user2\nuser2" | sudo homectl create user2
+}
+
+@test "homectl: List user accounts and their associated home directories" {
+ homectl list
+}
+
+@test "homectl: Change the password for a specific user" {
+ sudo homectl passwd user2
+}
+
+@test "homectl: Run a shell or a command with access to a specific home directory" {
+ sudo homectl with user2 -- ls -al /home/user2
+}
+
+@test "homectl: Lock or unlock a specific home directory" {
+ sudo homectl lock user2
+}
+
+@test "homectl: Change the disk space assigned to a specific home directory to 100 GiB" {
+ sudo homectl resize user2 1G
+}
+
+@test "homectl: Remove a specific user and the associated home directory" {
+ sudo homectl remove user2
+}
diff --git a/tests/integration/systemd/hostnamectl.bats b/tests/integration/systemd/hostnamectl.bats
new file mode 100644
index 000000000..38924920a
--- /dev/null
+++ b/tests/integration/systemd/hostnamectl.bats
@@ -0,0 +1,20 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "hostnamectl: Get the hostname of the computer" {
+ hostnamectl
+}
+
+@test "hostnamectl: Get the location of the computer" {
+ hostnamectl location
+}
+
+@test "hostnamectl: Set the hostname of the computer" {
+ name=$(hostnamectl hostname)
+ sudo hostnamectl set-hostname "new"
+ sudo hostnamectl set-hostname "$name"
+}
diff --git a/tests/integration/systemd/journalctl.bats b/tests/integration/systemd/journalctl.bats
new file mode 100644
index 000000000..9eeb7c9fe
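Review bot: In `setup_file` of homectl.bats, `skip` runs before `aa_setup`, so `aa_setup` is unreachable and every test in the file is skipped unconditionally while the file reads as if it were active. Either drop the unconditional `skip` together with the now-dead line after it, or keep the skip and add a comment such as `# skip: needs a working systemd-homed, which the CI runner does not provide` so the reason survives the next review. The resize test's description also says `100 GiB` while the command runs `homectl resize user2 1G`; one of the two should change.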
--- /dev/null
+++ b/tests/integration/systemd/journalctl.bats
@@ -0,0 +1,30 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "journalctl: Show all messages with priority level 3 (errors) from this boot" {
+ sudo journalctl -b --priority=3
+}
+
+@test "journalctl: Show only the last N lines of the journal" {
+ sudo journalctl --lines 100
+}
+
+@test "journalctl: Show all messages by a specific [u]nit" {
+ sudo journalctl --unit apparmor.service
+}
+
+@test "journalctl: Show all messages by a specific process" {
+ sudo journalctl _PID=1
+}
+
+@test "journalctl: Show all messages by a specific executable" {
+ sudo journalctl /usr/bin/bootctl
+}
+
+@test "journalctl: Delete journal logs which are older than 10 seconds" {
+ sudo journalctl --vacuum-time=10s
+}
diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats
new file mode 100644
index 000000000..71dfd2e06
--- /dev/null
+++ b/tests/integration/systemd/localectl.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "localectl: Show the current settings of the system locale and keyboard mapping" {
+ localectl
+}
+
+@test "localectl: List available locales" {
+ localectl list-locales
+}
+
+@test "localectl: Set a system locale variable" {
+ sudo localectl set-locale LANG=en_US.UTF-8
+}
+
+@test "localectl: List available keymaps" {
+ localectl list-keymaps || true
+}
+
+@test "localectl: Set the system keyboard mapping for the console and X11" {
+ sudo localectl set-keymap uk || true
+}
+
diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats
new file mode 100644
index 000000000..18771ae72
--- /dev/null
+++ b/tests/integration/systemd/machinectl.bats
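Review bot: `sudo journalctl --vacuum-time=10s` in the last test of journalctl.bats deletes every archived journal file older than ten seconds on the host; if the suite later reads AppArmor events back from the journal, that discards the evidence it is collecting, and it affects everything else on the machine as well. A read-only variant such as `sudo journalctl --disk-usage` keeps the profile coverage without the data loss, or the vacuum can be pointed at a throwaway directory via `--directory`. If the vacuum is intentional, a comment stating that the suite's log collection does not depend on the journal would settle it.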
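Review bot: `sudo localectl set-locale LANG=en_US.UTF-8` and `sudo localectl set-keymap uk` in localectl.bats persistently change the system locale and console keymap and nothing restores them, unlike hostnamectl.bats in the same change, which saves the hostname and puts it back. Capture the `System Locale:` and `VC Keymap:` lines of `localectl` before the change and re-apply them at the end of the file, or run these two tests in a `setup`/`teardown` pair that does so. Without that, every run leaves the runner in a different state from the one it started in.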
@@ -0,0 +1,26 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "importctl: Import an image as a machine" { + sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble || true +} + +@test "machinectl: Display a list of available images" { + sudo machinectl list-images +} + +@test "machinectl: Start a machine as a service using systemd-nspawn" { + sudo machinectl start noble || true +} + +@test "machinectl: Display a list of running machines" { + sudo machinectl list +} + +@test "machinectl: Stop a running machine" { + sudo machinectl stop noble || true +} diff --git a/tests/integration/systemd/networkctl.bats b/tests/integration/systemd/networkctl.bats new file mode 100644 index 000000000..81418ba01 --- /dev/null +++ b/tests/integration/systemd/networkctl.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "networkctl: List existing links with their status" { + sudo networkctl list +} + +@test "networkctl: Show an overall network status" { + sudo networkctl status +} + +@test "networkctl: Reload configuration files (.netdev and .network)" { + sudo networkctl reload +} diff --git a/tests/integration/systemd/systemd-ac-power.bats b/tests/integration/systemd/systemd-ac-power.bats new file mode 100644 index 000000000..65779b617 --- /dev/null +++ b/tests/integration/systemd/systemd-ac-power.bats 
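Review bot: The importctl test in machinectl.bats downloads a full Ubuntu root tarball from `cloud-images.ubuntu.com` on every run and imports it with `--force`, and the trailing `|| true` hides any failure, so the later `sudo machinectl start noble || true` may silently exercise nothing. The test is therefore network-dependent and non-deterministic, since the `current` image path changes content over time. Consider pinning a dated image path, caching the tarball between runs, and making the start test assert that the machine actually came up, e.g. `sudo machinectl list | grep -q noble`, so the profile is known to have been exercised.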
@@ -0,0 +1,15 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "systemd-ac-power: Report whether we are connected to an external power source." {
+ systemd-ac-power || true
+}
+
+@test "systemd-ac-power: Check if battery is discharging and low" {
+ systemd-ac-power --low || true
+}
+
diff --git a/tests/integration/systemd/systemd-analyze.bats b/tests/integration/systemd/systemd-analyze.bats
new file mode 100644
index 000000000..b36abb62d
--- /dev/null
+++ b/tests/integration/systemd/systemd-analyze.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "systemd-analyze: List all running units, ordered by the time they took to initialize" {
+ systemd-analyze --no-pager blame
+}
+
+@test "systemd-analyze: Print a tree of the time-critical chain of units" {
+ systemd-analyze --no-pager critical-chain
+}
+
+@test "systemd-analyze: Show security scores of running units" {
+ systemd-analyze --no-pager security
+}
diff --git a/tests/integration/systemd/systemd-cat.bats b/tests/integration/systemd/systemd-cat.bats
new file mode 100644
index 000000000..9d796ff07
--- /dev/null
+++ b/tests/integration/systemd/systemd-cat.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" {
+ systemd-cat pwd
+}
+
+@test "systemd-cat: Write the output of a pipeline to the journal (`stderr` stays connected to the terminal)" {
+ echo apparmor.d-test-suite | systemd-cat
+}
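Review bot: The second test description in systemd-cat.bats contains backticks inside a double-quoted string, `(`stderr` stays connected to the terminal)`; when bats registers the test the description is evaluated by bash, which treats the backticks as a command substitution, so a non-existent `stderr` command is run and the word disappears from the reported test name. Use single quotes for that description or escape the backticks, e.g. `@test 'systemd-cat: Write the output of a pipeline to the journal (stderr stays connected to the terminal)' {`. The first description in the file has the same shape but no backticks and is fine.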
diff --git a/tests/integration/systemd/systemd-cgls.bats b/tests/integration/systemd/systemd-cgls.bats new file mode 100644 index 000000000..a0822a516 --- /dev/null +++ b/tests/integration/systemd/systemd-cgls.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "systemd-cgls: Display the whole control group hierarchy on your system" { + systemd-cgls --no-pager +} + +@test "systemd-cgls: Display a control group tree of a specific resource controller" { + systemd-cgls --no-pager io +} + +@test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { + systemd-cgls --no-pager --unit systemd-logind +} diff --git a/tests/integration/systemd/systemd-detect-virt.bats b/tests/integration/systemd/systemd-detect-virt.bats new file mode 100644 index 000000000..bb2b2a659 --- /dev/null +++ b/tests/integration/systemd/systemd-detect-virt.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "systemd-detect-virt: List detectable virtualization technologies" { + systemd-detect-virt --list +} + +@test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" { + systemd-detect-virt || true +} + +@test "systemd-detect-virt: Silently check without printing anything" { + systemd-detect-virt --quiet || true +} + +@test "systemd-detect-virt: Only detect hardware virtualization" { + systemd-detect-virt --vm || true +} + diff --git a/tests/integration/systemd/systemd-id128.bats b/tests/integration/systemd/systemd-id128.bats new file mode 100644 index 000000000..68e48d9a4 --- /dev/null +++ b/tests/integration/systemd/systemd-id128.bats 
@@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "systemd-id128: Generate a new random identifier" { + systemd-id128 new +} + +@test "systemd-id128: Print the identifier of the current machine" { + systemd-id128 machine-id +} + +@test "systemd-id128: Print the identifier of the current boot" { + systemd-id128 boot-id +} + +@test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { + systemd-id128 new --uuid +} + diff --git a/tests/integration/systemd/systemd-sysusers.bats b/tests/integration/systemd/systemd-sysusers.bats new file mode 100644 index 000000000..7fff472ee --- /dev/null +++ b/tests/integration/systemd/systemd-sysusers.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { + systemd-sysusers --cat-config +} + +@test "systemd-sysusers: Process configuration files and print what would be done without actually doing anything" { + systemd-sysusers --dry-run +} + +@test "systemd-sysusers: Create users and groups from all configuration file" { + sudo systemd-sysusers +} diff --git a/tests/integration/systemd/userdbctl.bats b/tests/integration/systemd/userdbctl.bats new file mode 100644 index 000000000..eda5f5b09 --- /dev/null +++ b/tests/integration/systemd/userdbctl.bats 
@@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "userdbctl: List all known user records" { + userdbctl --no-pager user +} + +@test "userdbctl: Show details of a specific user" { + userdbctl --no-pager user "$USER" +} + +@test "userdbctl: List all known groups" { + userdbctl --no-pager group +} + +@test "userdbctl: Show details of a specific group" { + sudo userdbctl --no-pager group "$USER" +} + +@test "userdbctl: List all services currently providing user/group definitions to the system" { + userdbctl --no-pager services +} + diff --git a/tests/integration/tldr.go b/tests/integration/tldr.go deleted file mode 100644 index fb879d15e..000000000 --- a/tests/integration/tldr.go +++ /dev/null 
@@ -1,89 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package integration - -import ( - "fmt" - "io" - "net/http" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -type Tldr struct { - Url string // Tldr download url - Dir *paths.Path // Tldr cache directory - Ignore []string // List of ignored software -} - -func NewTldr(dir *paths.Path) Tldr { - return Tldr{ - Url: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz", - Dir: dir, - } -} - -// Download and extract the tldr pages into the cache directory -func (t Tldr) Download() error { - gzPath := t.Dir.Parent().Join("tldr.tar.gz") - if !gzPath.Exist() { - resp, err := http.Get(t.Url) - if err != nil { - return fmt.Errorf("downloading %s: %w", t.Url, err) - } - defer resp.Body.Close() - - out, err := gzPath.Create() - if err != nil { - return err - } - defer out.Close() - - if _, err := io.Copy(out, resp.Body); err != nil { - return err - } - } - - pages := []string{"tldr-main/pages/linux", "tldr-main/pages/common"} - return extratTo(gzPath, t.Dir, pages) -} - -// Parse the tldr pages and return a list of scenarios -func (t Tldr) Parse() (*TestSuite, error) { - testSuite := NewTestSuite() - files, _ := t.Dir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, path := range files { - content, err := path.ReadFile() - if err != nil { - return nil, err - } - raw := string(content) - t := &Test{ - Name: strings.TrimSuffix(path.Base(), ".md"), - Root: false, - Arguments: map[string]string{}, - Commands: []Command{}, - } - if strings.Contains(raw, "sudo") { - t.Root = true - } - rawTests := strings.Split(raw, "\n-")[1:] - for _, test := range rawTests { - res := strings.Split(test, "\n") - dsc := strings.ReplaceAll(strings.Trim(res[0], " "), ":", "") - cmd := strings.Trim(strings.Trim(res[2], "`"), " ") - if t.Root { - cmd = strings.ReplaceAll(cmd, "sudo ", "") - } - 
t.Commands = append(t.Commands, Command{ - Description: dsc, - Cmd: cmd, - }) - } - testSuite.Tests = append(testSuite.Tests, *t) - } - return testSuite, nil -} diff --git a/tests/integration/tlp.bats b/tests/integration/tlp.bats new file mode 100644 index 000000000..b9a9530fc --- /dev/null +++ b/tests/integration/tlp.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "tlp: Apply settings (according to the actual power source)" { + sudo tlp start +} + +@test "tlp: Apply battery settings (ignoring the actual power source)" { + sudo tlp bat +} + +@test "tlp: Apply AC settings (ignoring the actual power source)" { + sudo tlp ac +} + +@test "tlp: Apply Disk settings" { + sudo tlp diskid +} diff --git a/tests/integration/uname.bats b/tests/integration/uname.bats new file mode 100644 index 000000000..8723b9fe8 --- /dev/null +++ b/tests/integration/uname.bats @@ -0,0 +1,39 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "uname: Print all information" { + uname --all +} + +@test "uname: Print the current kernel name" { + uname --kernel-name +} + +@test "uname: Print the current network node host name" { + uname --nodename +} + +@test "uname: Print the current kernel release" { + uname --kernel-release +} + +@test "uname: Print the current kernel version" { + uname --kernel-version +} + +@test "uname: Print the current machine hardware name" { + uname --machine +} + +@test "uname: Print the current processor type" { + uname --processor +} + +@test "uname: Print the current operating system name" { + uname --operating-system +} + diff --git a/tests/integration/upower.bats b/tests/integration/upower.bats new file mode 100644 index 000000000..3917621b8 --- /dev/null +++ b/tests/integration/upower.bats 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "upower: Display power and battery information" { + upower --dump +} + +@test "upower: List all power devices" { + upower --enumerate +} + +@test "upower: Display version" { + upower --version +} + diff --git a/tests/integration/uptime.bats b/tests/integration/uptime.bats new file mode 100644 index 000000000..7b64e8d2c --- /dev/null +++ b/tests/integration/uptime.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "uptime: Print current time, uptime, number of logged-in users and other information" { + uptime +} + +@test "uptime: Show only the amount of time the system has been booted for" { + uptime --pretty +} + +@test "uptime: Print the date and time the system booted up at" { + uptime --since +} + +@test "uptime: Display version" { + uptime --version +} + diff --git a/tests/integration/usb/lsusb.bats b/tests/integration/usb/lsusb.bats new file mode 100644 index 000000000..85bee2fd6 --- /dev/null +++ b/tests/integration/usb/lsusb.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsusb: List all the USB devices available" { + lsusb || true +} + +@test "lsusb: List the USB hierarchy as a tree" { + lsusb -t || true +} + +@test "lsusb: List verbose information about USB devices" { + lsusb --verbose || true +} diff --git a/tests/integration/useradd.bats b/tests/integration/useradd.bats new file mode 100644 index 000000000..5ac024f15 --- /dev/null +++ b/tests/integration/useradd.bats 
@@ -0,0 +1,32 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "useradd: Create a new user with the specified shell" { + sudo useradd --shell /bin/bash --create-home user2 +} + +@test "useradd: Create a new user with the specified user ID" { + sudo useradd --uid 3000 user3 +} + +@test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" { + sudo useradd --groups adm user4 +} + +@test "useradd: Create a new system user without the home directory" { + sudo useradd --system sys2 +} + +@test "userdel: Remove a user" { + sudo userdel user3 + sudo userdel user4 + sudo userdel sys2 +} + +@test "userdel: Remove a user along with the home directory and mail spool" { + sudo userdel --remove user2 +} diff --git a/tests/integration/utils/blkid.bats b/tests/integration/utils/blkid.bats new file mode 100644 index 000000000..625f5f9bb --- /dev/null +++ b/tests/integration/utils/blkid.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "blkid: List all partitions" { + sudo blkid +} + +@test "blkid: List all partitions in a table, including current mountpoints" { + sudo blkid -o list +} diff --git a/tests/integration/utils/chsh.bats b/tests/integration/utils/chsh.bats new file mode 100644 index 000000000..a23799def --- /dev/null +++ b/tests/integration/utils/chsh.bats 
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "chsh: list available shells" {
+ chsh --list-shells || true
+}
+
+@test "chsh: Set a specific login shell for the current user" {
+ echo "$PASSWORD" | chsh --shell /usr/bin/bash || true
+}
+
+# bats test_tags=chsh
+@test "chsh: Set a login shell for a specific user" {
+ sudo chsh --shell /usr/bin/sh root || true
+}
diff --git a/tests/integration/utils/df.bats b/tests/integration/utils/df.bats
new file mode 100644
index 000000000..c15a32d5f
--- /dev/null
+++ b/tests/integration/utils/df.bats
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "df: Display all filesystems and their disk usage" {
+ df
+}
+
+@test "df: Display all filesystems and their disk usage in human-readable form" {
+ df -h
+}
+
+@test "df: Display the filesystem and its disk usage containing the given file or directory" {
+ df /etc/apparmor.d/
+}
+
+@test "df: Include statistics on the number of free inodes" {
+ df --inodes
+}
+
+@test "df: Display filesystem types" {
+ df --print-type
+}
diff --git a/tests/integration/utils/dmesg.bats b/tests/integration/utils/dmesg.bats
new file mode 100644
index 000000000..f2880666d
--- /dev/null
+++ b/tests/integration/utils/dmesg.bats
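Review bot: `sudo chsh --shell /usr/bin/sh root` in the last test of chsh.bats permanently changes root's login shell on the host and nothing restores it; the `|| true` only hides the exit status, not the side effect. Record the current shell first and put it back, e.g. `old=$(getent passwd root | cut -d: -f7)` before the call and `sudo chsh --shell "$old" root` after it. The `# bats test_tags=chsh` line above that test is the only tag in the files visible here; a short comment on what the tag is meant to filter would help the next reader.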
@@ -0,0 +1,30 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dmesg: Show kernel messages" { + sudo dmesg +} + +@test "dmesg: Show kernel error messages" { + sudo dmesg --level err +} + +@test "dmesg: Show how much physical memory is available on this system" { + sudo dmesg | grep -i memory +} + +@test "dmesg: Show kernel messages with a timestamp (available in kernels 3.5.0 and newer)" { + sudo dmesg -T +} + +@test "dmesg: Show kernel messages in human-readable form (available in kernels 3.5.0 and newer)" { + sudo dmesg -H +} + +@test "dmesg: Colorize output (available in kernels 3.5.0 and newer)" { + sudo dmesg -L +} diff --git a/tests/integration/utils/eject.bats b/tests/integration/utils/eject.bats new file mode 100644 index 000000000..c4c2a3e0d --- /dev/null +++ b/tests/integration/utils/eject.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "eject: Display the default device" { + eject -d || true +} + +@test "eject: Eject the default device" { + eject || true +} diff --git a/tests/integration/utils/fstrim.bats b/tests/integration/utils/fstrim.bats new file mode 100644 index 000000000..dff1083e2 --- /dev/null +++ b/tests/integration/utils/fstrim.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "fstrim: Trim unused blocks on all mounted partitions that support it" { + sudo fstrim --all +} + +@test "fstrim: Trim unused blocks on a specified partition" { + sudo fstrim --verbose / +} diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats new file mode 100644 index 000000000..a3dcdc31a --- /dev/null 
+++ b/tests/integration/utils/hwclock.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "hwclock: Display the current time as reported by the hardware clock" { + sudo hwclock || true +} + +@test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { + sudo hwclock --systohc || true +} + +@test "hwclock: Write the current hardware clock time to the software clock" { + sudo hwclock --hctosys || true +} + diff --git a/tests/integration/utils/lsblk.bats b/tests/integration/utils/lsblk.bats new file mode 100644 index 000000000..4093526a9 --- /dev/null +++ b/tests/integration/utils/lsblk.bats @@ -0,0 +1,38 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsblk: List all storage devices in a tree-like format" { + lsblk +} + +@test "lsblk: Also list empty devices" { + lsblk -a +} + +@test "lsblk: Print the SIZE column in bytes rather than in a human-readable format" { + lsblk -b +} + +@test "lsblk: Output info about filesystems" { + lsblk -f +} + +@test "lsblk: Use ASCII characters for tree formatting" { + lsblk -i +} + +@test "lsblk: Output info about block-device topology" { + lsblk -t +} + +@test "lsblk: Exclude the devices specified by the comma-separated list of major device numbers" { + lsblk -e 1 +} + +@test "lsblk: Display a customized summary using a comma-separated list of columns" { + lsblk --output NAME,SERIAL,MODEL,TRAN,TYPE,SIZE,FSTYPE,MOUNTPOINT +} diff --git a/tests/integration/utils/lscpu.bats b/tests/integration/utils/lscpu.bats new file mode 100644 index 000000000..eb60d890d --- /dev/null +++ b/tests/integration/utils/lscpu.bats 
@@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lscpu: Display information about all CPUs" { + lscpu +} + +@test "lscpu: Display information in a table" { + lscpu --extended +} + +@test "lscpu: Display only information about offline CPUs in a table" { + lscpu --extended --offline +} diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats new file mode 100644 index 000000000..bf0c4de0c --- /dev/null +++ b/tests/integration/utils/lsfd.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsfd: List all open file descriptors" { + lsfd +} + +@test "lsfd: List all files kept open by a specific program" { + sudo lsfd --filter 'PID == 1' +} + +@test "lsfd: List open IPv4 or IPv6 sockets" { + sudo lsfd -i4 + sudo lsfd -i6 +} diff --git a/tests/integration/utils/lsipc.bats b/tests/integration/utils/lsipc.bats new file mode 100644 index 000000000..a18126982 --- /dev/null +++ b/tests/integration/utils/lsipc.bats @@ -0,0 +1,16 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsipc: Show information about all active IPC facilities" { + lsipc +} + +@test "lsipc: Show information about active shared memory segments, message queues or sempahore sets" { + lsipc --shmems + lsipc --queues + lsipc --semaphores +} diff --git a/tests/integration/utils/lslocks.bats b/tests/integration/utils/lslocks.bats new file mode 100644 index 000000000..042834cae --- /dev/null +++ b/tests/integration/utils/lslocks.bats 
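Review bot: The second test description in lsipc.bats misspells "sempahore"; since the description is what bats prints in its report, it should read `@test "lsipc: Show information about active shared memory segments, message queues or semaphore sets" {`. Nothing else in that hunk needs changing.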
@@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslocks: List all local system locks" { + sudo lslocks +} + +@test "lslocks: List locks producing a raw output (no columns), and without column headers" { + sudo lslocks --raw --noheadings +} + +@test "lslocks: List locks by PID input" { + sudo lslocks --pid "$(sudo lslocks --raw --noheadings --output PID | head -1)" +} + +@test "lslocks: List locks with JSON output to stdout" { + lslocks --json +} diff --git a/tests/integration/utils/lslogins.bats b/tests/integration/utils/lslogins.bats new file mode 100644 index 000000000..aa2df69b4 --- /dev/null +++ b/tests/integration/utils/lslogins.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslogins: Display users in the system" { + lslogins + sudo lslogins +} + +@test "lslogins: Display user accounts" { + lslogins --user-accs +} + +@test "lslogins: Display last logins" { + lslogins --last +} + +@test "lslogins: Display system accounts" { + lslogins --system-accs +} + +@test "lslogins: Display supplementary groups" { + lslogins --supp-groups +} diff --git a/tests/integration/utils/lsns.bats b/tests/integration/utils/lsns.bats new file mode 100644 index 000000000..c7e6563e2 --- /dev/null +++ b/tests/integration/utils/lsns.bats 
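Review bot: The `--pid` test builds its argument from `sudo lslocks --raw --noheadings --output PID | head -1`, so on a host holding no file locks the substitution is empty and `sudo lslocks --pid ""` is presumably rejected as an invalid PID argument, failing the test without exercising anything. Capture the value first and skip when it is empty, e.g. `pid="$(sudo lslocks --raw --noheadings --output PID | head -1)"` followed by `[[ -n $pid ]] || skip "no locks held"` before `sudo lslocks --pid "$pid"`. That keeps the test meaningful on a freshly booted CI guest instead of turning an environmental condition into a red run.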
@@ -0,0 +1,31 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsns: List all namespaces" { + lsns + sudo lsns +} + +@test "lsns: List namespaces in JSON format" { + sudo lsns --json +} + +@test "lsns: List namespaces associated with the specified process" { + sudo lsns --task 1 +} + +@test "lsns: List the specified type of namespaces only" { + sudo lsns --type mnt + sudo lsns --type net + sudo lsns --type ipc + sudo lsns --type user + sudo lsns --type pid + sudo lsns --type uts + sudo lsns --type cgroup + sudo lsns --type time +} + diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats new file mode 100644 index 000000000..facf379a9 --- /dev/null +++ b/tests/integration/utils/lspci.bats @@ -0,0 +1,31 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lspci: Show a brief list of devices" { + lspci + sudo lspci +} + +@test "lspci: Display additional info" { + lspci -v +} + +@test "lspci: Display drivers and modules handling each device" { + lspci -k +} + +@test "lspci: Show a specific device" { + lspci -s 00:00.0 +} + +@test "lspci: Query the PCI ID database for unknown ID's via DNS" { + sudo lspci -q +} + +@test "lspci: Dump info in a readable form" { + lspci -vm +} diff --git a/tests/integration/utils/pstree.bats b/tests/integration/utils/pstree.bats new file mode 100644 index 000000000..1fc43c76c --- /dev/null +++ b/tests/integration/utils/pstree.bats 
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pstree: Display a tree of processes" {
+ pstree
+}
+
+@test "pstree: Display a tree of processes with PIDs" {
+ pstree -p
+}
+
+@test "pstree: Display all process trees rooted at processes owned by specified user" {
+ pstree root
+}
+
diff --git a/tests/integration/utils/sync.bats b/tests/integration/utils/sync.bats
new file mode 100644
index 000000000..03cc4730f
--- /dev/null
+++ b/tests/integration/utils/sync.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "sync: Flush all pending write operations on all disks" {
+ sync
+}
+
+@test "sync: Flush all pending write operations on a single file to disk" {
+ sudo sync /
+}
diff --git a/tests/integration/utils/users.bats b/tests/integration/utils/users.bats
new file mode 100644
index 000000000..885121a58
--- /dev/null
+++ b/tests/integration/utils/users.bats
@@ -0,0 +1,15 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "users: Print logged in usernames" {
+ users
+}
+
+@test "users: Print logged in usernames according to a given file" {
+ users /var/log/wmtp
+}
+
diff --git a/tests/integration/utils/uuidd.bats b/tests/integration/utils/uuidd.bats
new file mode 100644
index 000000000..d3ab28cc0
--- /dev/null
+++ b/tests/integration/utils/uuidd.bats
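Review bot: `users /var/log/wmtp` in the second users.bats test names a file that does not exist — the login database is `/var/log/wtmp` — so the command presumably fails with a cannot-open error on every host and, since there is no `|| true` here (unlike the hwclock tests), the test fails without ever exercising the profile's access to the wtmp records. Change the line to `users /var/log/wtmp`. If a host ships without that file, guard it with `[[ -f /var/log/wtmp ]] || skip "no wtmp"` before the call so the suite reports a skip rather than a false failure.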
@@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "uuidd: Generate a random UUID" { + uuidd --random +} + +@test "uuidd: Generate a bulk number of random UUIDs" { + uuidd --random --uuids 10 +} + +@test "uuidd: Generate a time-based UUID, based on the current time and MAC address of the system" { + uuidd --time +} diff --git a/tests/integration/utils/uuidgen.bats b/tests/integration/utils/uuidgen.bats new file mode 100644 index 000000000..838be5cbc --- /dev/null +++ b/tests/integration/utils/uuidgen.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "uuidgen: Create a random UUIDv4" { + uuidgen --random +} + +@test "uuidgen: Create a UUIDv1 based on the current time" { + uuidgen --time +} diff --git a/tests/integration/utils/who.bats b/tests/integration/utils/who.bats new file mode 100644 index 000000000..b69fc2dd1 --- /dev/null +++ b/tests/integration/utils/who.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "who: Display the username, line, and time of all currently logged-in sessions" { + who +} + +@test "who: Display all available information" { + who -a +} + +@test "who: Display all available information with table headers" { + who -a -H +} + diff --git a/tests/integration/utils/zramctl.bats b/tests/integration/utils/zramctl.bats new file mode 100644 index 000000000..41a3c1f51 --- /dev/null +++ b/tests/integration/utils/zramctl.bats 
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "zramctl: Check if zram is enabled; enable it if needed" {
+ lsmod | grep -i zram || sudo modprobe zram || true
+}
+
+@test "zramctl: Find and initialize the next free zram device to a 1 GB virtual drive using LZ4 compression" {
+ sudo zramctl --find --size 1GB --algorithm lz4 || true
+}
+
+@test "zramctl: List currently initialized devices" {
+ sudo zramctl || true
+}
diff --git a/tests/integration/whois.bats b/tests/integration/whois.bats
new file mode 100644
index 000000000..fd1cba5fa
--- /dev/null
+++ b/tests/integration/whois.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+@test "whois: Get information about a domain name" {
+ whois google.fr
+}
+
+@test "whois: Get information about an IP address" {
+ whois 8.8.8.8
+}
+
+@test "whois: Get abuse contact for an IP address" {
+ whois -b 8.8.8.8
+}
+
diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl
deleted file mode 100644
index c445b632a..000000000
--- a/tests/packer/archlinux.pkr.hcl
+++ /dev/null
@@ -1,111 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "archlinux-server" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = "10G" - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "archlinux-gnome" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - shutdown_command = 
"echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "archlinux-kde" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index c37e768ac..98e923fd9 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl 
@@ -2,75 +2,91 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +locals { + name = "${var.prefix}${var.dist}-${var.flavor}" +} + +source "qemu" "default" { + disk_image = true + iso_url = var.DM[var.dist].img_url + iso_checksum = "file:${var.DM[var.dist].img_checksum}" + iso_target_path = pathexpand("${var.iso_dir}/${basename("${var.DM[var.dist].img_url}")}") + cpu_model = "host" + cpus = var.cpus + memory = var.ram + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = pathexpand(var.output_dir) + vm_name = "${local.name}.qcow2" + boot_wait = "10s" + firmware = pathexpand(var.firmware) + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = format("%s\n%s\n%s", + templatefile("${path.cwd}/tests/cloud-init/common.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${local.name}" + } + ), + file("${path.cwd}/tests/cloud-init/${regex_replace(var.dist, "[0-9]*$", "")}.yml"), + file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") + ) + } +} + build { sources = [ - "source.qemu.archlinux-gnome", - "source.qemu.archlinux-kde", - "source.qemu.archlinux-server", - "source.qemu.debian-gnome", - "source.qemu.debian-kde", - "source.qemu.debian-server", - "source.qemu.opensuse-gnome", - "source.qemu.opensuse-kde", - "source.qemu.ubuntu-desktop", - "source.qemu.ubuntu-desktop24", - "source.qemu.ubuntu-server", - "source.qemu.ubuntu-server24", + "source.qemu.default", ] - # Upload local files + # Upload artifacts provisioner "file" { - destination = "/tmp" - sources = ["${path.cwd}/packer/src"] - } - - provisioner "file" { - only = 
["qemu.archlinux-gnome", "qemu.archlinux-kde", "qemu.archlinux-server"] - destination = "/tmp/src/" - sources = ["${path.cwd}/../apparmor.d-${var.version}-1-x86_64.pkg.tar.zst"] - } - - provisioner "file" { - only = ["qemu.opensuse-*"] - destination = "/tmp/src/" - sources = ["${path.cwd}/../apparmor.d-${var.version}-1.x86_64.rpm"] - } - - provisioner "file" { - only = ["qemu.debian-server", "qemu.debian-gnome", "qemu.debian-kde", "qemu.ubuntu-server", "qemu.ubuntu-server24", "qemu.ubuntu-desktop", "qemu.ubuntu-desktop24"] - destination = "/tmp/src/" - sources = ["${path.cwd}/../apparmor.d_${var.version}-1_amd64.deb"] - } - - # Wait for cloud-init to finish - provisioner "shell" { - except = ["qemu.opensuse-*"] - execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - inline = [ - "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", - "cloud-init clean", # Remove logs and artifacts so cloud-init can re-run + destination = "/tmp/" + sources = [ + "${path.cwd}/tests/packer/src/", + "${path.cwd}/tests/packer/init.sh", + "${path.cwd}/tests/packer/clean.sh", + "${path.cwd}/.pkg/", ] } - # Install local files and config + # Full system provisioning provisioner "shell" { - script = "${path.cwd}/packer/init/init.sh" execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - } + inline = [ + # Wait for cloud-init to finish + "while [ ! 
-f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", - # Minimize the image - provisioner "shell" { - script = "${path.cwd}/packer/init/clean.sh" - execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - } + # Ensure cloud-init is successful + "cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz", - post-processor "vagrant" { - output = "${var.base_dir}/packer_${var.prefix}${source.name}.box" + # Remove logs and artifacts so cloud-init can re-run + "cloud-init clean || true", + + # Install local files and config + "bash /tmp/init.sh", + + # Minimize the image + "bash /tmp/clean.sh", + ] } post-processor "shell-local" { inline = [ - "vagrant box add --force --name ${var.prefix}${source.name} ${var.base_dir}/packer_${var.prefix}${source.name}.box" + "mv ${var.output_dir}/${local.name}.qcow2 ${var.base_dir}/${local.name}.qcow2", ] } diff --git a/tests/packer/init/clean.sh b/tests/packer/clean.sh similarity index 83% rename from tests/packer/init/clean.sh rename to tests/packer/clean.sh index 2e1e7b551..23c587d4f 100644 --- a/tests/packer/init/clean.sh +++ b/tests/packer/clean.sh @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -u +set -eu -o pipefail # shellcheck source=/dev/null _lsb_release() { 
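Review bot: The step commented `# Ensure cloud-init is successful` does not enforce anything: `cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz` only archives logs when the status is non-zero, and the inline list then carries on into `cloud-init clean || true` and `bash /tmp/init.sh` on a guest whose cloud-init stage already failed. Make the failure fatal so Packer stops with the tarball in hand, e.g. `"cloud-init status || { cloud-init collect-logs --tarfile /root/cloud-init.tar.gz; exit 1; }"`. Separately, `shutdown_command` and the provisioner's `execute_command` pipe `${var.password}` through `echo`, so the password is visible in the guest's process list and in Packer's command logging; if the user created by `tests/cloud-init/common.yml` gets passwordless sudo as the deleted user-data files did, the `echo … |` prefix and `-S` can simply be dropped. Whether the `build` block closes inside this hunk is not clear from the collapsed text.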
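Review bot: Switching clean.sh to `set -eu -o pipefail` makes every later step fatal, including pipelines inside helpers whose bodies are outside this hunk (`_diskused`, `trim` and `impersonalize` are called in later hunks); any stage that legitimately returns non-zero, such as a `grep` with no match, now aborts the cleanup part-way and the image ships un-minimized or not impersonalized with no indication of where it stopped. If fail-fast is the intent, add `trap 'echo "clean.sh: failed at line $LINENO" >&2' ERR` right after the `set` line so the Packer log names the step; otherwise mark the steps whose non-zero status is expected with `|| true`. The removal of the `pacman -Qdtq | while …` loop in a later hunk avoids one such case, since `pacman -Qdtq` would presumably exit non-zero when there are no orphans. `_lsb_release`'s body continues outside the hunk.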
@@ -46,40 +46,26 @@ _sshdgenkeys() { _EOF } -clean_debian() { - _msg "Apt clean configuration" - - _msg "Full system upgrade" - apt-get update -y - apt-get -qq -y --no-install-recommends upgrade - apt-get -qq -y --no-install-recommends dist-upgrade - - _msg "Clean the apt cache" +clean_apt() { + _msg "Cleaning the apt cache" apt-get -y autoremove --purge apt-get -y autoclean apt-get -y clean } -clean_arch() { - _msg "Pacman clean configuration" - - pacman -Syu --noconfirm - pacman -Qdtq | while IFS='' read -r pkg; do - pacman -Rsccn --noconfirm "$pkg" - done +clean_pacman() { + _msg "Cleaning pacman cache" pacman -Scc --noconfirm } -clean_opensuse() { - _msg "zypper clean configuration" - - zypper update -y - zypper clean -y +clean_zypper() { + _msg "Cleaning zypper cache" + zypper clean --all } # Make the image as impersonal as possible. impersonalize() { - _msg "Make the image as impersonal as possible." + _msg "Making the image as impersonal as possible." # Remove remaining pkg file, docs and caches dirs=( @@ -145,10 +131,6 @@ trim() { truncate --size=0 /swap/swapfile fi - # _msg "Fill root filesystem with 0 to reduce box size" - # dd if=/dev/zero of=/EMPTY bs=1M || true - # rm -f /EMPTY - # Block until the empty file has been removed, otherwise, Packer will # try to kill the box while the disk is still full and that is bad. sync @@ -159,16 +141,16 @@ main() { begin=$(_diskused) case "$DISTRIBUTION" in debian | ubuntu) - clean_debian + clean_apt _sshdgenkeys ;; opensuse*) - clean_opensuse + clean_zypper ;; arch) - clean_arch + clean_pacman ;; esac impersonalize diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl deleted file mode 100644 index 38f33116f..000000000 --- a/tests/packer/debian.pkr.hcl +++ /dev/null 
@@ -1,114 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "debian-server" { - disk_image = true - iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" - cpu_model = "host" - cpus = 4 - memory = 2048 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "debian-gnome" { - disk_image = true - iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" - cpu_model = "host" - cpus = 4 - memory = 2048 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - 
disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "debian-kde" { - disk_image = true - iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" - cpu_model = "host" - cpus = 4 - memory = 2048 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/init/init.sh b/tests/packer/init.sh similarity index 52% rename from tests/packer/init/init.sh rename to tests/packer/init.sh index 6a80b1993..44a86220f 100644 --- a/tests/packer/init/init.sh 
+++ b/tests/packer/init.sh 
@@ -3,39 +3,39 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eu +set -eux -o pipefail -_lsb_release() { - # shellcheck source=/dev/null - . /etc/os-release - echo "$ID" -} -DISTRIBUTION="$(_lsb_release)" -readonly SRC=/tmp/src -readonly DISTRIBUTION +# shellcheck source=/dev/null +source /etc/os-release || exit 1 +readonly SRC=/tmp/ main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases" - install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc" + install -Dm0644 $SRC/parser.conf /etc/apparmor/parser.conf install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local install -Dm0755 $SRC/aa-update /usr/bin/aa-update - install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean - cat $SRC/parser.conf >>/etc/apparmor/parser.conf + install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - case "$DISTRIBUTION" in - arch) pacman --noconfirm -U $SRC/*.pkg.tar.zst ;; + + case "$ID" in + arch) + rm -f $SRC/*.sig # Ignore signature files + rm -f $SRC/*enforced* # Ignore enforced package + pacman --noconfirm -U $SRC/*.pkg.tar.zst || true + ;; + debian | ubuntu) - apt-get update -y - apt-get install -y apparmor-profiles build-essential config-package-dev \ - debhelper devscripts htop rsync vim - dpkg -i $SRC/*.deb + # Do not install apparmor.d on the current development version + if [[ $VERSION_ID != "25.10" ]]; then + dpkg -i $SRC/*.deb || true + fi ;; opensuse*) - zypper install -y bash-completion git go htop make rsync vim - sudo rpm -i $SRC/*.rpm + mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" + rpm -i 
$SRC/*.rpm || true ;; esac diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/packer/init/archlinux-gnome.user-data.yml deleted file mode 100644 index 855bc58ea..000000000 --- a/tests/packer/init/archlinux-gnome.user-data.yml +++ /dev/null 
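Review bot: `pacman --noconfirm -U … || true`, `dpkg -i $SRC/*.deb || true` and `rpm -i $SRC/*.rpm || true` in the `case "$ID"` block turn a failed install of the package under test into a successful image build, so a broken `.deb`/`.rpm`/`.pkg.tar.zst` produces a VM without apparmor.d that the integration suite then runs against. Drop the `|| true` (the script already runs under `set -e`), or, if a failure is tolerated on purpose, say why in a comment and verify the outcome before `esac`, e.g. `dpkg -s apparmor.d >/dev/null`, `rpm -q apparmor.d` or `pacman -Qi apparmor.d`. `rm -f $SRC/*.sig # Ignore signature files` discards the detached signature pacman would otherwise check against the local package; that is acceptable for an artifact built by the same pipeline, but the comment should state that verification is intentionally skipped rather than that the files are merely ignored. Everything is staged in and installed from `$SRC=/tmp/` as root; in a single-user throw-away build VM that is low risk, but a dedicated upload directory (e.g. `/tmp/apparmor.d-src`) would avoid globbing whatever else happens to be in `/tmp`. `main`'s body continues past the hunk.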
@@ -1,92 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - firewalld - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Graphical Interface - - gnome - - gnome-extra - - seahorse - - alacarte - - # Install Applications - - firefox - - chromium - - terminator - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable gdm - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/packer/init/archlinux-kde.user-data.yml deleted file mode 100644 index a85ca16d4..000000000 
--- a/tests/packer/init/archlinux-kde.user-data.yml +++ /dev/null @@ -1,94 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - firewalld - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Graphical Interface - - plasma-meta - - sddm - - ark - - dolphin - - konsole - - okular - - # Install Applications - - firefox - - chromium - - terminator - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable sddm - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
diff --git a/tests/packer/init/archlinux-server.user-data.yml b/tests/packer/init/archlinux-server.user-data.yml deleted file mode 100644 index 034cd22d6..000000000 --- a/tests/packer/init/archlinux-server.user-data.yml +++ /dev/null @@ -1,85 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable rngd - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 
diff --git a/tests/packer/init/debian-gnome.user-data.yml b/tests/packer/init/debian-gnome.user-data.yml deleted file mode 100644 index 0e2571883..000000000 --- a/tests/packer/init/debian-gnome.user-data.yml +++ /dev/null @@ -1,63 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - spice-vdagent - - rsync - - vim - - task-gnome-desktop - -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go - -write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/init/debian-server.user-data.yml b/tests/packer/init/debian-server.user-data.yml deleted file mode 100644 index 5f4fe526e..000000000 --- a/tests/packer/init/debian-server.user-data.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - rsync - - vim - -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go - -write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/init/opensuse-kde.user-data.yml b/tests/packer/init/opensuse-kde.user-data.yml deleted file mode 100644 index 6c1c7cfff..000000000 --- a/tests/packer/init/opensuse-kde.user-data.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - bash-completion - - git - - go - - htop - - make - - rsync - - vim - -write_files: - # Set some bash aliases - - path: /home/${username}/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/ubuntu-desktop.user-data.yml b/tests/packer/init/ubuntu-desktop.user-data.yml deleted file mode 100644 index 30a82279a..000000000 --- a/tests/packer/init/ubuntu-desktop.user-data.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -#cloud-config - -# Based on https://github.com/canonical/autoinstall-desktop - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - ubuntu-desktop - - linux-generic-hwe-22.04 - - qemu-guest-agent - - spice-vdagent - - terminator - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - rsync - -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - -runcmd: - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - - >- - apt-get -y purge - ubuntu-server ubuntu-server-minimal netplan.io cloud-init - binutils byobu curl dmeventd finalrd gawk - kpartx mdadm ncurses-term needrestart open-iscsi - sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - sosreport screen open-vm-tools motd-news-config lxd-agent-loader - landscape-common fonts-ubuntu-console ethtool - - # Finally, remove things only installed as dependencies of other things - # we have already removed. - - apt-get -y autoremove - -write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 
diff --git a/tests/packer/init/ubuntu-desktop24.user-data.yml b/tests/packer/init/ubuntu-desktop24.user-data.yml
deleted file mode 100644
index 30a82279a..000000000
--- a/tests/packer/init/ubuntu-desktop24.user-data.yml
+++ /dev/null
@@ -1,83 +0,0 @@ -#cloud-config - -# Based on https://github.com/canonical/autoinstall-desktop - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - ubuntu-desktop - - linux-generic-hwe-22.04 - - qemu-guest-agent - - spice-vdagent - - terminator - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - rsync - -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - -runcmd: - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - - >- - apt-get -y purge - ubuntu-server ubuntu-server-minimal netplan.io cloud-init - binutils byobu curl dmeventd finalrd gawk - kpartx mdadm ncurses-term needrestart open-iscsi - sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - sosreport screen open-vm-tools motd-news-config lxd-agent-loader - landscape-common fonts-ubuntu-console ethtool - - # Finally, remove things only installed as dependencies of other things - # we have already removed. - - apt-get -y autoremove - -write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 
diff --git a/tests/packer/init/ubuntu-server.user-data.yml b/tests/packer/init/ubuntu-server.user-data.yml deleted file mode 100644 index 5e6d853ba..000000000 --- a/tests/packer/init/ubuntu-server.user-data.yml +++ /dev/null @@ -1,53 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - htop - - qemu-guest-agent - - rsync - - vim - -write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/main.pkr.hcl b/tests/packer/main.pkr.hcl index ee13e8f92..d2b1a6dbf 100644 --- a/tests/packer/main.pkr.hcl +++ b/tests/packer/main.pkr.hcl @@ -8,9 +8,5 @@ packer { source = "github.com/hashicorp/qemu" version = "~> 1" } - vagrant = { - source = "github.com/hashicorp/vagrant" - version = "~> 1" - } } } diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl deleted file mode 100644 index de9bafacb..000000000 --- a/tests/packer/opensuse.pkr.hcl +++ /dev/null 
@@ -1,45 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: Fully automate the creation of the base image -# To save some dev time, 'base_opensuse_kde' is manually created from the opensuse iso with: -# - KDE -# - username/password defined in the variables -# - cloud-init installed and enabled - -source "qemu" "opensuse-kde" { - disk_image = true - iso_url = "${var.iso_dir}/base_opensuse_kde.qcow2" - iso_checksum = "sha256:62a174725bdf26981d15969e53461b89359f7763450cbfd3e258d4035731279b" - iso_target_path = "${var.iso_dir}/base_opensuse_kde.qcow2" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = false - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.iso_dir}/packer/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 27e05bf80..2580556fd 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -8,7 +8,6 @@ for nb in $(seq "$1"); do done } -alias sudo='sudo -E' alias aa-log='sudo aa-log' alias aa-status='sudo aa-status' alias c='clear' diff --git a/tests/packer/src/aa-clean b/tests/packer/src/aa-clean new file mode 100644 index 000000000..a01b9d77e --- /dev/null +++ b/tests/packer/src/aa-clean 
@@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -eu -o pipefail +rm -vf /var/log/audit/* /var/log/syslog* +touch /var/log/audit/audit.log /var/log/syslog diff --git a/tests/packer/src/aa-log-clean b/tests/packer/src/aa-log-clean deleted file mode 100644 index 9f3ebd818..000000000 --- a/tests/packer/src/aa-log-clean +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/env bash -set -eu -rm -rf /var/log/audit/* -touch /var/log/audit/audit.log diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index 747d0101b..bdbd6ed00 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -1,7 +1,7 @@ #!/usr/bin/env bash -set -eu +set -eu -o pipefail -export BUILDDIR=/tmp/build/ PKGDEST=/tmp/pkg +export BUILDDIR=/tmp/build/ # shellcheck source=/dev/null _lsb_release() { @@ -13,13 +13,15 @@ DISTRIBUTION="$(_lsb_release)" cd "$HOME/Projects/apparmor.d" case "$DISTRIBUTION" in arch) - make pkg + just pkg ;; debian | ubuntu | whonix) sudo rm -rf debian/.debhelper/ - make dpkg + just dpkg sudo rm -rf debian/.debhelper/ ;; -opensuse*) make rpm ;; +opensuse*) + just rpm + ;; *) ;; esac diff --git a/tests/packer/src/monitors.xml b/tests/packer/src/monitors.xml deleted file mode 100644 index b17136584..000000000 --- a/tests/packer/src/monitors.xml +++ /dev/null @@ -1,23 +0,0 @@ - - - - 0 - 0 - 1 - yes - - - Virtual-1 - RHT - QEMU Monitor - 0x00000000 - - - 1920 - 1080 - 60 - - - - - diff --git a/tests/packer/src/parser.conf b/tests/packer/src/parser.conf index be8c42560..8651efad1 100644 --- a/tests/packer/src/parser.conf +++ b/tests/packer/src/parser.conf @@ -1,4 +1,9 @@ - +# Turn creating/updating of the cache on by default write-cache -cache-loc /etc/apparmor/earlypolicy/ + +# Enable early policy loads to confine systemd, and services that can not depend +# on the apparmor unit. +cache-loc=/etc/apparmor/earlypolicy/ + +# Adjust compression Optimize=compress-fast 
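Review bot: `rm -vf /var/log/audit/* /var/log/syslog*` unlinks files that auditd and the syslog daemon most likely still hold open, so they keep writing to the unlinked inode and the freshly `touch`ed files stay empty until the daemons are restarted; the recreated files also get root-owned, umask-derived permissions rather than the ownership the daemons' own log setup provides (on Ubuntu the syslog daemon typically runs unprivileged and may then be unable to write to /var/log/syslog at all). Truncating the live files in place keeps inode, owner and mode: `rm -vf /var/log/audit/audit.log.* /var/log/syslog.*` followed by `truncate -s 0 /var/log/audit/audit.log /var/log/syslog`, assuming both daemons open their logs in append mode (otherwise signal them to reopen their logs instead). For a throwaway test image this is cosmetic, but a log-cleaning helper that silently stops denials from being recorded is the one thing an AppArmor test harness should not have.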
diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl
deleted file mode 100644
index 344a8bf43..000000000
--- a/tests/packer/ubuntu.pkr.hcl
+++ /dev/null
@@ -1,151 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "ubuntu-server" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/${var.release.ubuntu.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-cloudimg-amd64.img" - cpu_model = "host" - cpus = 4 - memory = 2048 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu-server24" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = 4 - memory = 2048 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - 
disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/ubuntu-server.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu-desktop" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/${var.release.ubuntu.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "10000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu-desktop24" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" - iso_checksum = 
"file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = false - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "10000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 5a1cc17e8..a44f98412 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -16,16 +16,16 @@ variable "password" { default = "user" } -variable "ssh_publickey" { - description = "Path to the ssh public key" +variable "cpus" { + description = "Default CPU of the VM" type = string - default = "~/.ssh/id_ed25519.pub" + default = "6" } -variable "ssh_privatekey" { - description = "Path to the ssh private key" +variable "ram" { + description = "Default RAM of the VM" type = string - default = "~/.ssh/id_ed25519" + default = "4096" } variable "disk_size" { 
@@ -34,28 +34,34 @@ variable "disk_size" { default = "40G" } +variable "ssh_publickey" { + description = "Path to the ssh public key" + type = string + default = "~/.ssh/id_ed25519.pub" +} + variable "iso_dir" { description = "Original ISO file directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/iso" } variable "base_dir" { description = "Final packer image output directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/base" +} + +variable "output_dir" { + description = "Output build directory" + type = string + default = "~/.libvirt/base/packer" } variable "firmware" { description = "Path to the UEFI firmware" type = string - default = "/usr/share/edk2-ovmf/x64/OVMF_CODE.fd" -} - -variable "output" { - description = "Output build directory" - type = string - default = "/tmp/packer" + default = "/usr/share/edk2/x64/OVMF.4m.fd" } variable "prefix" { @@ -64,10 +70,10 @@ variable "prefix" { default = "aa-" } -variable "version" { - description = "apparmor.d version" +variable "dist" { + description = "Distribution to target" type = string - default = "0.001" + default = "ubuntu24" } variable "flavor" { 
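Review bot: The new defaults `~/.libvirt/iso`, `~/.libvirt/base` and `~/.libvirt/base/packer` rely on tilde expansion, which Packer's HCL does not perform on plain string values as far as I know; unless every use site wraps them in `pathexpand()` (the use sites are outside this hunk), the builder will end up with a literal `~` directory relative to the working directory. Either keep absolute defaults as before or state the contract in the description, e.g. `description = "Original ISO file directory (absolute path; ~ is not expanded)"`.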
@@ -76,28 +82,40 @@ variable "flavor" { default = "" } -variable "release" { - description = "Distribution metadata to use" +variable "DM" { + description = "Distribution Metadata to use" type = map(object({ - codename = string - version = string + img_url = string + img_checksum = string })) default = { - "ubuntu" : { - codename = "jammy", - version = "22.04.2", + "archlinux" : { + img_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" + img_checksum = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" + }, + "debian12" : { + img_url = "https://cdimage.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" + } + "debian13" : { + img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" + } + "ubuntu22" : { + img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS" }, "ubuntu24" : { - codename = "noble", - version = "24.04", + img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS" + }, + "ubuntu25" : { + img_url = "https://cloud-images.ubuntu.com/plucky/current/plucky-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/plucky/current/SHA256SUMS" }, - "debian" : { - codename = "bookworm", - version = "12", - } "opensuse" : { - codename = "tumbleweed", - version = "", + img_url = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2" + img_checksum = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2.sha256" } } } 
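Review bot: Every `img_checksum` in the new `DM` map is downloaded from the same origin as its `img_url`, and most entries point at a moving `latest`/`current` target, so the checksum only guards against download corruption, not against a swapped or tampered image at the mirror, and the image a run is built from is not reproducible from the repository. If that is an accepted trade-off for a throwaway test VM, say so next to the map, e.g. `# Checksum files are fetched alongside the image: they detect corruption, not tampering.`; otherwise verify the checksum file against the distribution's detached signature where one is published, or pin a dated release. How these values are consumed is outside this hunk.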
diff --git a/tests/profile_check.py b/tests/profile_check.py
new file mode 100644
index 000000000..9b61e6367
--- /dev/null
+++ b/tests/profile_check.py
@@ -0,0 +1,480 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: GPL-2.0-only + +# KNOWN ISSUES: +# No guards for file type - expects AppArmor +# Diffirent suggestions for single line are mutually exclusive +# Suggestion could point to changed profile name, based on other suggestion + +import sys +import argparse +import pathlib +import shlex +import json +from copy import deepcopy + +try: + from apparmor.regex import * + from apparmor.aa import is_skippable_file + from apparmor.rule.file import FileRule, FileRuleset + from apparmor.common import convert_regexp + try: + from apparmor.rule.variable import separate_vars + except ImportError: + from apparmor.aa import separate_vars + + LIBAPPARMOR = True + +except ImportError: + LIBAPPARMOR = False + +def sanitizeProfileName(name): + + if name.startswith('/') or name.startswith('@{'): + name = pathlib.Path(name).stem + + if ' ' in name: + name = re.sub(r'\s+', '-', name) + + return name + +def makeLocalIdentity(nestingStacker_): + + newStacker = [] + for i in nestingStacker_: + i = sanitizeProfileName(i) + newStacker.append(i) + + identity = '_'.join(newStacker) # separate each (sub)profile identity with underscores + + return identity + +def getCurrentProfile(stacker): + + if stacker: + profile = stacker[-1] + else: + profile = None + + return profile + +def handleFileMessages(l, file, profile, lineNum): + + wholeFileAccessProfiles = ( +# '', + ) + suggestOwner = ( # TODO: switch to AARE + r'^@{HOME}/', + r'^/home/\w+/', + r'^@{run}/user/@{uid}/', + r'^/run/user/\d+/', + r'^@{tmp}/', + r'^/tmp/', + r'^/var/tmp/', + r'^/dev/shm/', + ) + + lG = l.groupdict() + reason_ = None + if lG.get('path'): + if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: # false positives + severity_ = 'ERROR' + reason_ = 'Whole filesystem access is too broad' + suggestion_ = None + + for r in suggestOwner: + if re.match(r, lG.get('path')) and not lG.get('owner'): + indentRe = re.match(r'^\s+', l.group()) + 
if indentRe: + indent = indentRe.group() + else: + indent = '' + + severity_ = 'NOTICE' + reason_ = "'owner' is likely required" + suggestion_ = indent + 'owner ' + l.group().lstrip() + break + + elif lG.get('bare_file') and profile not in wholeFileAccessProfiles: + severity_ = 'ERROR' + reason_ = 'Whole filesystem access is too broad' + suggestion_ = None + + if reason_: # something matched + msg = {'filename': file, + 'profile': profile, + 'severity': severity_, + 'line': lineNum, + 'reason': reason_, + 'suggestion': suggestion_} + else: + msg = None + + return msg + +def readApparmorFile(fullpath): + '''AA file could contain multiple AA profiles''' + headers = ( + '# apparmor.d - Full set of apparmor profiles', + '# Copyright (C) ', + '# SPDX-License-Identifier: GPL-2.0-only', + ) + + file_data = {} + fileVars = {} + nestingStacker = [] + duplicateProfilesCounter = [] + localExists = {} + localExists_eol = {} + messages = [] + exceptionMsg = None + line = None + gotAbi = False + gotHeaders = {} + gotAttach = False + isAfterProfileStart = False + lastLineNum = None + try: + with open(fullpath, 'r') as f: + for n,line in enumerate(f, start=1): + if isAfterProfileStart: + isAfterProfileStart = False + expectedIndent = len(nestingStacker) * ' ' + indentRe = re.match(r'^\s+', line) + if indentRe: + indent = indentRe.group() + else: + indent = '' + + if indent != expectedIndent: + spacesCount = len(nestingStacker) * 2 + nestingCount = len(nestingStacker) + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': f"Expected {spacesCount} spaces for {nestingCount} nesting", + 'suggestion': f"{expectedIndent}{line.lstrip()}"}) + + if line.endswith(' \n'): + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "Redundant trailing whitespace", + 'suggestion': line.rstrip()}) + + if '\t' in line: + 
messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "Tabs are not allowed", + 'suggestion': line.replace('\t', ' ')}) + + if len(gotHeaders) < 3 and not nestingStacker: + for nH,i in enumerate(headers): + if line.startswith(i): + gotHeaders[nH] = True + + if RE_ABI.search(line): + gotAbi = line + + elif RE_PROFILE_START.search(line) or RE_PROFILE_HAT_DEF.search(line): + isAfterProfileStart = True + m = parse_profile_start_line(line, fullpath) + if m.get('profile'): + nestingStacker.append(m.get('profile')) # set early + + if m.get('attachment') == '@{exec_path}' and not gotAttach: # can be only singular + gotAttach = True + + profileMsg = {'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "A short named profile must be defined", + 'suggestion': None} + if m.get('plainprofile'): + messages.append(profileMsg) + elif m.get('namedprofile'): + if m.get('namedprofile').startswith('/'): + messages.append(profileMsg) + + if m.get('flags'): + m['flags'] = set(shlex.split(m.pop('flags').replace(',', ''))) + if 'complain' in m['flags']: + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "'complain' flag must be defined in 'dists/flags'", + 'suggestion': None}) + else: + m['flags'] = set() + + if m.get('profile'): + duplicateProfilesCounter.append(m.get('profile')) + profileIdentity = '//'.join(nestingStacker) + file_data[profileIdentity] = m + + elif RE_PROFILE_VARIABLE.search(line): + lineV = RE_PROFILE_VARIABLE.search(line).groups() + + name = strip_quotes(lineV[0]) + operation = lineV[1] + val = separate_vars(lineV[2]) + if fileVars.get(name): + fileVars[name].update(set(val)) + if operation == '=': + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'DEGRADED', + 'line': n, + 
'reason': "Tunable must be appended with '+='", + 'suggestion': None}) + else: + fileVars[name] = set(val) + if operation == '+=': + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'DEGRADED', + 'line': n, + 'reason': "Tunable must be defined with '='", + 'suggestion': None}) + + elif RE_INCLUDE.search(line): + if nestingStacker: + profileIdentity = '//'.join(nestingStacker) + localIdentity = makeLocalIdentity(nestingStacker) + localValue = f'include if exists ' # commented out will also match + if localValue in line: + localExists[profileIdentity] = localValue + + # Handle file entries + elif RE_PROFILE_FILE_ENTRY.search(line): + lineF = RE_PROFILE_FILE_ENTRY.search(line) + fileMsg = handleFileMessages(lineF, fullpath, getCurrentProfile(nestingStacker), n) + if fileMsg: + messages.append(fileMsg) + + elif RE_PROFILE_END.search(line): + if getCurrentProfile(nestingStacker): + if not nestingStacker: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'DEGRADED', + 'line': n, + 'reason': "Unbalanced parenthesis?", # not fully covered + 'suggestion': None}) + else: + profileIdentity = '//'.join(nestingStacker) + localExists_eol[profileIdentity] = n + del nestingStacker[-1] # remove last + + lastLineNum = n + + except PermissionError: + exceptionMsg = 'Unable to read the file (PermissionError)' + + except UnicodeDecodeError: + exceptionMsg = 'Unable to read the file (UnicodeDecodeError)' + + except FileNotFoundError: + exceptionMsg = 'No such file or directory (FileNotFoundError)' + + if exceptionMsg: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'NOTICE', + 'line': None, + 'reason': exceptionMsg, + 'suggestion': None}) + + # Ensure proper header is present + if len(gotHeaders) < 3: + combinedHeader = '\n'.join(headers) + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': 1, + 'reason': 'No proper header', + 'suggestion': 
combinedHeader}) + + # Ensure ABI is present + changeAbi = False + abi = 'abi ,' + if gotAbi: + if gotAbi.strip() != abi: + changeAbi = True + else: + changeAbi = True + + if changeAbi: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': None, + 'reason': 'ABI is required', + 'suggestion': abi}) + + # Ensure singular '@{exec_path}' + if not gotAttach: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': None, + 'reason': "'@{exec_path}' must be defined as main path attachment", + 'suggestion': None}) + + # Ensure trailing vim syntax + if line: + trailingSyntax = '# vim:syntax=apparmor\n' + if line != trailingSyntax: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': lastLineNum, + 'reason': 'No trailing syntax hint', + 'suggestion': trailingSyntax}) + + # Assign variables to profile attachments as paths and assign filenames + for p,d in deepcopy(file_data).items(): + file_data[p]['filename'] = fullpath + attachment = d.get('attachment') + if attachment: + if attachment.startswith('@{'): + if fileVars.get(attachment): + file_data[p]['attach_paths'] = fileVars[attachment] # incoming set + else: + messages.append({'filename': fullpath, + 'profile': p, + 'severity': 'ERROR', + 'line': None, + 'reason': f"Unknown global variable as profile attachment: {attachment}", + 'suggestion': None}) + + else: + if isinstance(file_data[p].get('attachment'), set): + raise ValueError("Expecting 'str' or 'None', not 'set'") + file_data[p]['attach_paths'] = {file_data[p]['attachment']} + + # Check if profile block does not have corresponding 'local' include + for p,d in file_data.items(): + if not localExists.get(p): # not found previously + if '//' in p: + identity = p.split('//') + else: + identity = [p] + + localIdentity = makeLocalIdentity(identity) + filename = file_data[p]['filename'] + messages.append({'filename': filename, + 'profile': p, + 
'severity': 'WARNING', + 'line': localExists_eol.get(p), # None? Unbalanced parenthesis? + 'reason': "The (sub)profile block does not have expected 'local' include", + 'suggestion': f'include if exists '}) + + # Track multiple definitions inside single file + for profile in duplicateProfilesCounter: + counter = duplicateProfilesCounter.count(profile) + if counter >= 2: + messages.append({'filename': fullpath, + 'profile': profile, + 'severity': 'DEGRADED', + 'line': None, + 'reason': "Profile has been defined {counter} times in the same file", + 'suggestion': None}) + + return (messages, file_data) + +def findAllProfileFilenames(profile_dir): + + profiles = set() + for path in pathlib.Path(profile_dir).iterdir(): + if path.is_file() and not is_skippable_file(path): + profiles.add(path.resolve()) + + # Not default, dig deeper + if not profiles: + nestedDirs = ( + 'groups', + 'profiles-a-f', + 'profiles-g-l', + 'profiles-m-r', + 'profiles-s-z', + ) + for d in nestedDirs: + dirpath = pathlib.Path(pathlib.Path(profile_dir).resolve(), pathlib.Path(d)) + for p in dirpath.rglob("*"): + if p.is_file(): + profiles.add(p) + + return profiles + +def handleArgs(): + """DEGRADED are purposed for fatal errors - when the profile set will fail to load entirely""" + + allSeverities = ['DEBUG', 'NOTICE', 'WARNING', 'ERROR', 'CRITICAL', 'DEGRADED'] + aaRoot = '/etc/apparmor.d' + + parser = argparse.ArgumentParser() + parser.add_argument('-d', '--aa-root-dir', action='store', + default=aaRoot, + help='Target different AppArmor root directory rather than default') + parser.add_argument('-p', '--profile', action='append', + help='Handle only specified profile') +# parser.add_argument('-s', '--severity', action='append', +# choices=allSeverities, +# help='Handle only specified severity event') + + args = parser.parse_args() + +# if not args.severity: +# args.severity = allSeverities + + return args + +def main(argv): + + args = handleArgs() + + messages = [] + + profile_dir = 
args.aa_root_dir + if not args.profile: + profiles = findAllProfileFilenames(profile_dir) + else: + profiles = set() + for p in args.profile: + absolutePath = pathlib.Path(p).resolve() + profiles.add(absolutePath) + + profile_data = {} + for path in sorted(profiles): + if not is_skippable_file(path): + readApparmorFile_Out = readApparmorFile(path) + profilesInFile = readApparmorFile_Out[1] + messages.extend(readApparmorFile_Out[0]) + profile_data.update(profilesInFile) + + for m in messages: + if m.get('suggestion'): + if m['suggestion'].endswith('\n'): + m['suggestion'] = m.get('suggestion').removesuffix('\n') + m['filename'] = str(m.get('filename')) + print(json.dumps(m, indent=2)) + + if messages: + sys.exit(1) + + return None + +if __name__ == '__main__': + + if not LIBAPPARMOR: + raise ImportError(f"""Can't find 'python3-apparmor' package! Install with: +$ sudo apt install python3-apparmor""") + + main(sys.argv) diff --git a/tests/requirements.sh b/tests/requirements.sh new file mode 100644 index 000000000..0801ff27d --- /dev/null +++ b/tests/requirements.sh @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Dependencies for the bats integration tests + +set -eu -o pipefail + +# shellcheck source=/dev/null +_lsb_release() { + . /etc/os-release || exit 1 + echo "$ID" +} +DISTRIBUTION="$(_lsb_release)" + +case "$DISTRIBUTION" in +arch) + sudo pacman -Syu --noconfirm \ + bats bats-support \ + pacman-contrib tlp flatpak networkmanager + ;; +debian | ubuntu | whonix) + sudo apt update -y + sudo apt install -y \ + bats bats-support \ + cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \ + network-manager systemd-container flatpak util-linux-extra + ;; +opensuse*) + ;; +*) ;; +esac diff --git a/tests/sbin.list b/tests/sbin.list new file mode 100644 index 000000000..16073f0d2 --- /dev/null +++ b/tests/sbin.list 
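Review bot: In the duplicate-definition loop near the end of readApparmorFile, `'reason': "Profile has been defined {counter} times in the same file"` is not an f-string, so the literal text `{counter}` is emitted; it should read `'reason': f"Profile has been defined {counter} times in the same file"`. That loop also walks every entry of `duplicateProfilesCounter`, so a profile defined twice is reported twice — iterating over `set(duplicateProfilesCounter)` (or a `collections.Counter`) reports it once. Separately, `re` is used in sanitizeProfileName, handleFileMessages and readApparmorFile but only reaches the module through `from apparmor.regex import *`, which also hides where `RE_*`, `parse_profile_start_line` and `strip_quotes` come from; an explicit `import re` plus named imports would keep the script readable and importable on its own. The `-d/--aa-root-dir` help text could mention that `-p` paths are resolved relative to the caller, not to that root, since main() resolves them with `pathlib.Path(p).resolve()`.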
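Review bot: `systemd-container` is listed twice in the debian/ubuntu `apt install` line; harmless, but it reads like a leftover. The script also uses `apt update` / `apt install`, whose CLI is documented as not stable for scripting and prints a warning when output is not a terminal — `apt-get` is the script-safe interface, e.g. `sudo apt-get update -q` and `sudo apt-get install -y \`. The `opensuse*)` branch installs nothing and exits silently, so a run on openSUSE looks successful while the bats dependencies are missing; an `echo "TODO: no requirements defined for $DISTRIBUTION" >&2` there would at least make that visible.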
@@ -0,0 +1,884 @@ +a2enmod +a2query +aa-audit +aa-autodep +aa-cleanprof +aa-complain +aa-decode +aa-disable +aa-enforce +aa-genprof +aa-load +aa-logprof +aa-mergeprof +aa-notify +aa-remove-unknown +aa-status +aa-teardown +aa-unconfined +aa-update-browser +accessdb +acpi_genl +acpid +acpidump +add-shell +addgnupghome +addpart +adduser +agetty +alsa +alsa-info +alsa-info.sh +alsa-init +alsabat-test +alsactl +anacron +apache2 +apache2ctl +apparmor_parser +apparmor_status +applygnupgdefaults +aptd +argdist-bpfcc +arp +arpd +aspell-autobuildhash +atd +audisp-af_unix +audisp-filter +audisp-syslog +audit +auditctl +auditd +augenrules +aureport +ausearch +autodep +automount +autrace +avahi-daemon +avahi-dnsconfd +badblocks +bashreadline-bpfcc +bashreadline.bt +bcache-super-show +bindsnoop-bpfcc +biolatency-bpfcc +biolatency-kp.bt +biolatency.bt +biolatpcts-bpfcc +biopattern-bpfcc +biosdecode +biosnoop-bpfcc +biosnoop.bt +biostacks.bt +biotop-bpfcc +bitesize-bpfcc +bitesize.bt +blkdeactivate +blkdiscard +blkid +blkmapd +blkpr +blkzone +blockdev +blogctl +blogd +blogger +bpflist-bpfcc +bpftool +brctl +bridge +brltty-setup +btrfs +btrfs-convert +btrfs-find-root +btrfs-image +btrfsdist-bpfcc +btrfsslower-bpfcc +btrfstune +cachestat-bpfcc +cachetop-bpfcc +capable-bpfcc +capable.bt +capsh +cfdisk +cgdisk +chat +chcpu +check_forensic +check_mail_queue +check-bios-nx +checkproc +chgpasswd +chkstat-polkit +chmem +chpasswd +chronyd +chroot +cifs.idmap +cifs.upcall +cobjnew-bpfcc +coldreboot +compactsnoop-bpfcc +complain +config.postfix +cppw +cpudist-bpfcc +cpuunclaimed-bpfcc +cpuwalk.bt +cracklib-check +cracklib-format +cracklib-packer +cracklib-unpacker +cracklib-update +crda +create-cracklib-dict +criticalstat-bpfcc +cron +cryptdisks_start +cryptdisks_stop +cryptsetup +ctrlaltdel +cups-browsed +cups-genppd.5.3 +cups-genppdupdate +cupsaccept +cupsctl +cupsd +cupsfilter +dbslower-bpfcc +dbstat-bpfcc +dcb +dcsnoop-bpfcc +dcsnoop.bt +dcstat-bpfcc +ddns-confgen +deadlock-bpfcc 
+debugfs +decode +delpart +deluser +devlink +dhcpcd +dirtop-bpfcc +disable +dkms +dmevent_tool +dmeventd +dmfilemapd +dmidecode +dmraid +dmsetup +dnsmasq +dockerd +dosfsck +dosfslabel +dpkg-preconfigure +dpkg-reconfigure +drsnoop-bpfcc +dump.exfat +dump.f2fs +dumpe2fs +e2freefrag +e2fsck +e2image +e2label +e2mmpstatus +e2scrub +e2scrub_all +e2undo +e4crypt +e4defrag +eapol_test +ec_access +efibootdump +efibootmgr +enforce +ephemeral-disk-warning +escapesrc +ethtool +eventlogadm +execsnoop-bpfcc +execsnoop.bt +exfat2img +exfatlabel +exicyclog +exigrep +exim_checkaccess +exim_convert4r4 +exim_dbmbuild +exim_dumpdb +exim_fixdb +exim_id_update +exim_lock +exim_msgdate +exim_tidydb +exim4 +eximstats +exinext +exipick +exiqgrep +exiqsumm +exitsnoop-bpfcc +exiwhat +ext4dist-bpfcc +ext4slower-bpfcc +f2fsslower-bpfcc +faillock +fanatic +fancontrol +fanctl +fatlabel +fatresize +fbtest +fdformat +fdisk +filefrag +filegone-bpfcc +filelife-bpfcc +fileslower-bpfcc +filetop-bpfcc +findfs +firewalld +fixparts +flushb +fonts-config +fsadm +fsck +fsck. 
+fsck.btrfs +fsck.cramfs +fsck.exfat +fsck.ext2 +fsck.ext3 +fsck.ext4 +fsck.fat +fsck.minix +fsck.msdos +fsck.reiserfs +fsck.vfat +fsck.xfs +fsfreeze +fstab-decode +fstrim +funccount-bpfcc +funcinterval-bpfcc +funclatency-bpfcc +funcslower-bpfcc +g13-syshelp +gdisk +gdm +gdm3 +genccode +gencmn +genl +gennorm2 +genprof +gensprep +getcap +gethostlatency-bpfcc +gethostlatency.bt +getpcaps +getsysinfo +getweb +gnome-menus-blacklist +gpart +gparted +gpartedbin +gpm +groupadd +groupdel +groupmems +groupmod +grpck +grpconv +grpunconv +grub-install +grub-macbless +grub-mkconfig +grub-mkdevicemap +grub-probe +grub-reboot +grub-set-default +grub2-bios-setup +grub2-check-default +grub2-install +grub2-macbless +grub2-mkconfig +grub2-ofpathname +grub2-once +grub2-probe +grub2-reboot +grub2-set-default +grub2-sparc64-setup +grub2-switch-to-blscfg +hardirqs-bpfcc +haveged +hc-ifscan +hdparm +httxt2dbm +hv_fcopy_daemon +hv_get_dhcp_info +hv_get_dns_info +hv_kvp_daemon +hv_set_ifconfig +hv_vss_daemon +hwclock +hwinfo +iconvconfig +icupkg +ifconfig +ifrename +ifstat +import-openSUSE-build-key +inject-bpfcc +inputattach +install_acx100_firmware +install_intersil_firmware +install-sgmlcatalog +installkernel +integritysetup +invoke-rc.d +ip6tables-legacy-batch +ipmaddr +ipp-usb +ippevepcl +ippeveprinter +ippeveps +ipset +iptables-apply +iptables-legacy-batch +iptunnel +irqbalance +irqbalance-ui +isadump +isaset +iscsi_discovery +iscsi-iname +iscsiadm +iscsid +iscsistart +isosize +ispell-autobuildhash +isserial +issue-generator +iucode_tool +iw +iwconfig +iwevent +iwgetid +iwlist +iwpriv +iwspy +javacalls-bpfcc +javaflow-bpfcc +javagc-bpfcc +javaobjnew-bpfcc +javastat-bpfcc +javathreads-bpfcc +kbdrate +kbdsettings +kdump-config +kerneloops +kexec +kexec-bootloader +kexec-load-kernel +key.dns_resolver +killall5 +killproc +killsnoop-bpfcc +killsnoop.bt +klockstat-bpfcc +klogd +kpartx +kvm-ok +kvmexit-bpfcc +ldattach +ldconfig +ldconfig.real +libguestfs-make-fixed-appliance 
+libgvc6-config-update +libvirt-dbus +libvirtd +llcstat-bpfcc +lnstat +loads.bt +locale-gen +logprof +logrotate +logrotate-all +logsave +losetup +lpadmin +lpc +lpinfo +lpmove +lsvmbus +luksformat +lvm +lvm_import_vdo +lvmconfig +lvmdump +lvmpolld +lwepgen +lxc +lxd +make-bcache +make-ssl-cert +mariadbd +mcelog +mdadm +mdflush-bpfcc +mdflush.bt +mdmon +memleak-bpfcc +mii-tool +mk_isdnhwdb +mkdict +mkdosfs +mke2fs +mkfs +mkfs. +mkfs.bfs +mkfs.btrfs +mkfs.cramfs +mkfs.exfat +mkfs.ext2 +mkfs.ext3 +mkfs.ext4 +mkfs.f2fs +mkfs.fat +mkfs.minix +mkfs.xfs +mkhomedir_helper +mkill +mkinitramfs +mklost+found +mkntfs +mkpostfixcert +mkreiserfs +mksubvolume +mkswap +ModemManager +mount.cifs +mount.ddi +mount.fuse +mount.fuse3 +mount.lowntfs-3g +mount.nfs +mount.nfs4 +mount.ntfs +mount.ntfs-3g +mount.smb3 +mountsnoop-bpfcc +mountstats +mpathpersist +multipath +multipathc +multipathd +mysqld +mysqld_qslower-bpfcc +nameif +naptime.bt +needrestart +netqtop-bpfcc +NetworkManager +newusers +nfnl_osf +nfsconf +nfsdcld +nfsdist-bpfcc +nfsidmap +nfsiostat +nfsslower-bpfcc +nfsstat +nft +nginx +nmbd +nodegc-bpfcc +nodestat-bpfcc +nologin +notify +nss-mdns-config +nstat +ntfsclone +ntfscp +ntfslabel +ntfsresize +ntfsundelete +nvme +offcputime-bpfcc +offwaketime-bpfcc +on_ac_power +oomkill-bpfcc +oomkill.bt +openconnect +opensnoop-bpfcc +opensnoop.bt +openvpn +overlayroot-chroot +ownership +pam_extrausers_chkpwd +pam_extrausers_update +pam_getenv +pam_namespace_helper +pam_timestamp_check +pam-auth-update +pam-config +paperconfig +parted +partprobe +partx +pbl +pccardctl +pcscd +pdata_tools +perlcalls-bpfcc +perlflow-bpfcc +perlstat-bpfcc +pg_updatedicts +php-fpm8.3 +phpcalls-bpfcc +phpenmod +phpflow-bpfcc +phpquery +phpstat-bpfcc +pidpersec-bpfcc +pidpersec.bt +pivot_root +plipconfig +pluginviewer +plymouth-set-default-theme +plymouthd +postalias +postcat +postconf +postdrop +postfix +postkick +postlock +postlog +postmap +postmulti +postqueue +postsuper +posttls-finger +ppchcalls-bpfcc 
+pppd +pppdump +pppoe-discovery +pppstats +pptp +pptpsetup +profile-bpfcc +pwck +pwconv +pwhistory_helper +pwmconfig +pwunconv +pythoncalls-bpfcc +pythonflow-bpfcc +pythongc-bpfcc +pythonstat-bpfcc +qemu-ga +qmqp-source +qshape +rarp +rcfirewalld +rcopenvpn +rcpcscd +rcxdm +rcxvnc +rdma +rdmaucma-bpfcc +rdmsr +readahead-bpfcc +readprofile +realm +regdbdump +remove-default-ispell +remove-default-wordlist +remove-shell +request-key +reset-trace-bpfcc +resize2fs +resizepart +resolvconf +rfkill +rmt-tar +rndc +rndc-confgen +rngd +route +routel +rpc.gssd +rpc.idmapd +rpc.statd +rpc.svcgssd +rpcbind +rpcctl +rpcdebug +rpmconfigcheck +rsyncd +rsyslogd +rtacct +rtcwake +rtkitctl +rtmon +rubycalls-bpfcc +rubyflow-bpfcc +rubygc-bpfcc +rubyobjnew-bpfcc +rubystat-bpfcc +runc +runqlat-bpfcc +runqlat.bt +runqlen-bpfcc +runqlen.bt +runqslower-bpfcc +runuser +rvmtab +saned +sasldblistusers2 +saslpasswd2 +save_y2logs +schema2ldif +select-default-ispell +select-default-wordlist +sendmail +sensors-detect +service +set_polkit_default_privs +setcap +setuids.bt +setup-nsssysinit.sh +setvesablank +setvtrgb +sfdisk +sgdisk +shadowconfig +shim-install +shmsnoop-bpfcc +showconsole +showmount +skdump +sktest +slabratetop-bpfcc +slattach +sm-notify +smart_agetty +smartctl +smartd +smbd +smtp-sink +smtp-source +snapperd +snmpd +snmptrapd +sofdsnoop-bpfcc +softirqs-bpfcc +solisten-bpfcc +spice-vdagentd +split-logfile +ss +sshd +sshd-gen-keys-start +sshd.hmac +ssllatency.bt +sslsniff-bpfcc +sslsnoop.bt +sssd +stackcount-bpfcc +start-statd +start-stop-daemon +startproc +statsnoop-bpfcc +statsnoop.bt +status +sudo_logsrvd +sudo_sendlog +sulogin +swapin.bt +swaplabel +swapoff +swapon +switch_root +sync-available +syncsnoop-bpfcc +syncsnoop.bt +sysconf_addword +syscount-bpfcc +syscount.bt +sysctl +syslog2eximlog +sysusers2shadow +tarcat +tc +tclcalls-bpfcc +tclflow-bpfcc +tclobjnew-bpfcc +tclstat-bpfcc +tcpaccept-bpfcc +tcpaccept.bt +tcpcong-bpfcc +tcpconnect-bpfcc +tcpconnect.bt +tcpconnlat-bpfcc 
+tcpdrop-bpfcc +tcpdrop.bt +tcplife-bpfcc +tcplife.bt +tcpretrans-bpfcc +tcpretrans.bt +tcprtt-bpfcc +tcpstates-bpfcc +tcpsubnet-bpfcc +tcpsynbl-bpfcc +tcpsynbl.bt +tcptop-bpfcc +tcptracer-bpfcc +tcptraceroute.db +thermald +threadsnoop-bpfcc +threadsnoop.bt +tipc +tlp +tplist-bpfcc +trace-bpfcc +tsig-keygen +ttysnoop-bpfcc +tune.exfat +tune2fs +tuned +tuned-adm +tunelp +u-d-c-print-pci-ids +ucalls +uflow +ufw +ugc +umount.nfs +umount.nfs4 +umount.udisks2 +unbound +unconfined +undump.bt +unix_chkpwd +unix_update +unix2_chkpwd +uobjnew +update-ca-certificates +update-catalog +update-cracklib +update-default-ispell +update-default-wordlist +update-dictcommon-aspell +update-dictcommon-hunspell +update-exim4.conf +update-exim4.conf.template +update-fonts-alias +update-fonts-dir +update-fonts-scale +update-grub +update-grub-gfxpayload +update-gsfontmap +update-icon-caches +update-ieee-data +update-inetd +update-info-dir +update-initramfs +update-java-alternatives +update-language +update-locale +update-mime +update-passwd +update-pciids +update-rc.d +update-secureboot-policy +update-shells +update-smart-drivedb +update-texmf +update-texmf-config +update-tl-stacked-conffile +update-xmlcatalog +upgrade-from-grub-legacy +usb_modeswitch +usb_modeswitch_dispatcher +usbmuxd +useradd +userdel +usermod +ustat +uthreads +uuidd +validlocale +vconfig +vcstime +vdpa +veritysetup +vfscount-bpfcc +vfscount.bt +vfsstat-bpfcc +vfsstat.bt +vhangup +vipw +virt-what +virt-what-cvm +virtiostat-bpfcc +virtlockd +virtlogd +visudo +vmcore-dmesg +vncsession +vpddecode +vpnc +vpnc-disconnect +wakeuptime-bpfcc +wipefs +wiper.sh +wpa_action +wpa_cli +wpa_passphrase +wpa_supplicant +wqlat-bpfcc +writeback.bt +wrmsr +xfs_admin +xfs_bmap +xfs_copy +xfs_db +xfs_estimate +xfs_freeze +xfs_fsr +xfs_growfs +xfs_info +xfs_io +xfs_logprint +xfs_mdrestore +xfs_metadump +xfs_mkfile +xfs_ncheck +xfs_property +xfs_protofile +xfs_quota +xfs_repair +xfs_rtcp +xfs_scrub +xfs_scrub_all +xfs_spaceman +xfsdist-bpfcc 
+xfsdist.bt +xfsslower-bpfcc +xkbctrl +xtables-legacy-multi +xtables-nft-multi +yast2 +zdump +zerofree +zfsdist-bpfcc +zfsslower-bpfcc +zic +zramctl +zypp-refresh +zypper-log diff --git a/tests/testdata/logs/audit.log b/tests/testdata/logs/audit.log index 0680d2a7a..11b8770d2 100644 --- a/tests/testdata/logs/audit.log +++ b/tests/testdata/logs/audit.log @@ -53,4 +53,6 @@ profile="sddm-greeter" operation="setsockopt" class="net" comm="sddm-greeter" f type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" profile="xorg" pid=16195 comm="Xorg.bin" capability=17 capname="sys_rawio" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="getattr" class="file" profile="pacman//null-/usr/share/code-features/patch.py" name="/etc/ld.so.preload" pid=18817 comm="patch.py" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" info="optional: no audit" error=-1 profile="pacman" comm="killall" capability=19 capname="sys_ptrace" +apparmor="ALLOWED" operation="open" class="file" profile="signal-desktop" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" comm="signal-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="user" OUID="root" +apparmor="ALLOWED" operation="link" class="file" profile="startplasma" name="@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz" comm="startplasma-way" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="@{user_cache_dirs}/#@{int}" FSUID="user" OUID="user"
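Review bot: The two added fixture lines omit the `type=AVC msg=audit(…):` prefix that every surrounding line in this file carries, and their `name=`/`target=` values already contain profile variables (`@{user_cache_dirs}`, `@{int}`) rather than the literal paths a kernel would log. If the intent is to exercise prefix-less or already-rewritten input, a one-line comment in the test that consumes this fixture should say so; otherwise the lines should be brought into the same raw-audit format as the rest of the file so the parser is tested on what it actually receives.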